Issue No.01 - January-February (2005 vol.3)
Published by the IEEE Computer Society
DOI Bookmark: http://doi.ieeecomputersociety.org/10.1109/MSP.2005.25
A review of Greg Hodlund and Gary McGraw's book, <em>Exploiting Software: How to Break Code</em>.
The book Exploiting Software: How to Break Code is a superbly written, in-depth study of techniques and methodologies hackers use to break into and exploit application software. Plentiful examples of attack code, coupled with the discussion of the execution of various attacks and their supporting technologies, make the book a significant asset for experienced software security practitioners as well as an effective introduction to software security and software exploits for those new to the field. But whatever your level of expertise, this book provides a unique and valuable discussion of software attacks and exploits and the correlated problem of software security. Exploiting Software: How to Break Code will improve your understanding of the topic, its complexities, and the corresponding difficulties faced when formulating defensives to prevent software attacks.
The book has three parts divided into eight chapters. The first part introduces the topic of exploiting software and presents the authors' motivation for writing the book and their assessment for future computing trends.
The second part provides a foundation for the remainder of the book with an introduction to the field of software attack. It also introduces the authors' taxonomy of attacks and attack patterns, and describes the basic tools and logic of the reverse engineer or attacker.
The third part describes in detail attack exploits in various environments and techniques that hackers use to exploit a system once an attack has succeeded. This part is the heart of the work because it demonstrates how easy it is to misuse a system once its defenses are breached. The authors delve deeply into the techniques used to attack and exploit servers and clients, the composition of malicious input for an exploit, buffer-overflow-based exploits, and the use and misuse of rootkits.
The discussion clearly and logically interweaves background material with practical and implementation information. The background material lays the necessary foundation for understanding the examples, which thoroughly illustrate how principles move from theory to practice. The authors clearly worked hard to strike a balance between theory and practice and have succeeded admirably.
Beyond any doubt, Exploting Software: How to Break Code is a thorough and important exposition on the process and practice of attacking and exploiting software. Although the authors don't present every possible exploit (and indeed they couldn't), they present enough material for serious students to acquire a deeper understanding of the book's subject matter and of software exploitation's complexities and nuances. They definitely wrote this with the broadest possible audience in mind, although it would be a challenging read for anyone without a solid background in application security or the basics of computer operation and program execution. The only shortfall, and a minor one, is that the list of references is quite short and narrowly focused—a broader bibliography would prove helpful for readers wanting to increase their knowledge of the book's subject. Nevertheless, Exploting Software: How to Break Code is an excellent book and the time devoted to reading it is time well spent.
Martin R. Stytz is on the research staff at the Institute for Defense Analyses. He received his PhD from the University of Michigan and conducts research in a variety of security and privacy arenas. Contact him at email@example.com.