- •Exploiting Software How to Break Code
- •Table of Contents
- •Copyright
- •Praise for Exploiting Software
- •Attack Patterns
- •Foreword
- •Preface
- •What This Book Is About
- •How to Use This Book
- •But Isn't This Too Dangerous?
- •Acknowledgments
- •Greg's Acknowledgments
- •Gary's Acknowledgments
- •Bad Software Is Ubiquitous
- •The Trinity of Trouble
- •The Future of Software
- •What Is Software Security?
- •Conclusion
- •Chapter 2. Attack Patterns
- •A Taxonomy
- •An Open-Systems View
- •Tour of an Exploit
- •Attack Patterns: Blueprints for Disaster
- •An Example Exploit: Microsoft's Broken C++ Compiler
- •Applying Attack Patterns
- •Attack Pattern Boxes
- •Conclusion
- •Into the House of Logic
- •Should Reverse Engineering Be Illegal?
- •Reverse Engineering Tools and Concepts
- •Approaches to Reverse Engineering
- •Methods of the Reverser
- •Writing Interactive Disassembler (IDA) Plugins
- •Decompiling and Disassembling Software
- •Decompilation in Practice: Reversing helpctr.exe
- •Automatic, Bulk Auditing for Vulnerabilities
- •Writing Your Own Cracking Tools
- •Building a Basic Code Coverage Tool
- •Conclusion
- •Chapter 4. Exploiting Server Software
- •The Trusted Input Problem
- •The Privilege Escalation Problem
- •Finding Injection Points
- •Input Path Tracing
- •Exploiting Trust through Configuration
- •Specific Techniques and Attacks for Server Software
- •Conclusion
- •Chapter 5. Exploiting Client Software
- •Client-side Programs as Attack Targets
- •In-band Signals
- •Cross-site Scripting (XSS)
- •Client Scripts and Malicious Code
- •Content-Based Attacks
- •Conclusion
- •Chapter 6. Crafting (Malicious) Input
- •The Defender's Dilemma
- •Intrusion Detection (Not)
- •Partition Analysis
- •Tracing Code
- •Reversing Parser Code
- •Misclassification
- •Audit Poisoning
- •Conclusion
- •Chapter 7. Buffer Overflow
- •Buffer Overflow 101
- •Injection Vectors: Input Rides Again
- •Buffer Overflows and Embedded Systems
- •Database Buffer Overflows
- •Buffer Overflows and Java?!
- •Content-Based Buffer Overflow
- •Audit Truncation and Filters with Buffer Overflow
- •Causing Overflow with Environment Variables
- •The Multiple Operation Problem
- •Finding Potential Buffer Overflows
- •Stack Overflow
- •Arithmetic Errors in Memory Management
- •Format String Vulnerabilities
- •Heap Overflows
- •Buffer Overflows and C++
- •Payloads
- •Payloads on RISC Architectures
- •Multiplatform Payloads
- •Prolog/Epilog Code to Protect Functions
- •Conclusion
- •Chapter 8. Rootkits
- •Subversive Programs
- •A Simple Windows XP Kernel Rootkit
- •Call Hooking
- •Trojan Executable Redirection
- •Hiding Files and Directories
- •Patching Binary Code
- •The Hardware Virus
- •Low-Level Disk Access
- •Adding Network Support to a Driver
- •Interrupts
- •Key Logging
- •Advanced Rootkit Topics
- •Conclusion
- •References
- •Index
Copyright
Many of the designations used by manufacturers and sellers to distinguish their products are
claimed as trademarks. Where those designations appear in this book, and Addison-Wesley
was aware of a trademark claim, the designations have been printed in initial capital letters |
|
• |
Table of Contents |
or in all capitals. |
|
• |
Index |
Exploiting Software How to Break Code
The authors and publisher have taken care in the preparation of this book, but make no
ByGreg Hoglund,Gary McGraw
expressed or implied warranty of any kind and assume no responsibility for errors or omissions. No liability is assumed for incidental or consequential damages in connection with or arisingPubl sher:outAddisonof theWesleyuse of the information or programs contained herein.
Pub Date: February 17, 2004
The publisher offers discounts on this book when ordered in quantity for bulk purchases and
ISBN: 0-201-78695-8
special sales. For more information, please contact:
Pages: 512
U.S. Corporate and Government Sales (800) 382-3419 corpsales@pearsontechgroup.com
For sales outside of the U.S., please contact:
How does software break? How do attackers make software break on purpose? Why are
firewalls, intrusion detection systems, and antivirus software not keeping out the bad guys?
International Sales
What tools can be used to break software? This book provides the answers. (317) 581-3793
international@pearsontechgroup.com
Exploiting Softwareis loaded with examples of real attacks, attack patterns, tools, and
techniques used by bad guys to break software. If you want to protect your software from
Visit Addison-Wesley on the Web: www.awprofessional.com attack, you must first learn how real attacks are really carried out.
Library of Congress Cataloging-in-Publication Data
This must-have book may shock you—and it will certainly educate you.Getting beyond the
script kiddie treatment found in many hacking books, you will learn about Hoglund, Greg.
Exploiting software : how to break code / Greg Hoglund, Gary McGraw.
p. cm.
Why software exploit will continue to be a serious problem ISBN 0-201-78695-8 (pbk. : alk. paper)
1.WhenComputern tworksecuritysecurity.2. Computermechanismssoftwaredo not—Testingwork. 3. Computer hackers. I. McGraw, Gary, 1966– II. Title.
Attack patterns
QA76.9.A25H635 2004 |
|
Reverse engineering |
2003025556 |
005.8—dc22 |
Classic attacks against server software
Copyright © 2004 by Pearson Education, Inc.
Surprising attacks against client software
All rights reserved. No part of this publication may be reproduced, stored in a retrieval
system, or transmitted, in any form or by any means, electronic, mechanical, photocopying,
Techniques for crafting malicious input
recording, or otherwise, without the prior consent of the publisher. Printed in the United
States of America. Published simultaneously in Canada.
The technical details of buffer overflows
Dr. McGraw's work is partially supported by DARPA contract no. F30602-99-C-0172 (An
Rootkits
Investigation of Extensible System Security for Highly Resource-Constrained Wireless Devices )
and AFRL Wright-Patterson grant no. F33615-02-C-1295 (Protection Against Reverse Exploiting Softwareis filled with the tools, concepts, and knowledge necessary to break
Engineering: State of the Art in Disassembly and Decompilation). The views and conclusions software.
contained in this book are those of the authors and should not be interpreted as representing
the official policies, either expressed or implied, of DARPA, the US Air Force, or the US
government.
For information on obtaining permission for use of material from this work, please submit a
written request to:
Pearson Education, Inc.
Rights and Contracts Department
75 Arlington Street, Suite 300
Boston, MA 02116
Fax: (617) 848-7047
Text printed on recycled paper
1 2 3 4 5 6 7 8 9 10—CRS—0807060504
• Table of Contents
First printing, February 2004
•Index
Exploiting Software How to Break Code
ByGreg Hoglund,Gary McGraw
Dedication
Publisher: Addison Wesley
In memory of Nancy Simone McGraw (1939–2003).
Pub Date: February 17, 2004
ISBN: 0-201-78695-8
Bye, Mom.
Pages: 512
How does software break? How do attackers make software break on purpose? Why are firewalls, intrusion detection systems, and antivirus software not keeping out the bad guys? What tools can be used to break software? This book provides the answers.
Exploiting Softwareis loaded with examples of real attacks, attack patterns, tools, and techniques used by bad guys to break software. If you want to protect your software from attack, you must first learn how real attacks are really carried out.
This must-have book may shock you—and it will certainly educate you.Getting beyond the script kiddie treatment found in many hacking books, you will learn about
Why software exploit will continue to be a serious problem
When network security mechanisms do not work
Attack patterns
Reverse engineering
Classic attacks against server software
Surprising attacks against client software
Techniques for crafting malicious input
The technical details of buffer overflows
Rootkits
Exploiting Softwareis filled with the tools, concepts, and knowledge necessary to break
software.
Praise for Exploiting Software
|
"Exploiting Software highlights the most critical part of the software quality problem. As |
|
it turns out, software quality problems are a major contributing factor to computer |
• |
security problems. Increasingly, companies large and small depend on software to run |
Table of Contents |
|
• |
their businesses every day. The current approach to software quality and security taken |
Index |
by software companies, system integrators, and internal development organizations is
Exploiting Software How to Break Code
like driving a car on a rainy day with worn-out tires and no air bags. In both cases, the
ByGreg Hoglund,Gary McGraw
odds are that something bad is going to happen, and there is no protection for the
occupant/owner.
Publisher: Addison Wesley
This book will help the reader understand how to make software quality part of the
Pub Date: February 17, 2004
design—a key change from where we are today!"
ISBN: 0-201-78695-8
Pages: 512
—Tony Scott Chief Technology Officer, IS&S General Motors Corporation
"It's about time someone wrote a book to teach the good guys what the bad guys already know. As the computer security industry matures, books like Exploiting Software have a critical role to play."
How does software break? How do attackers make software break on purpose? Why are
—Bruce Schneier Chief Technology Officer Counterpane Author of Beyond Fear and firewalls, intrusion detection systems, and antivirus software not keeping out the bad guys?
Secrets and Lies
What tools can be used to break software? This book provides the answers.
"Exploiting Software cuts to the heart of the computer security problem, showing why Exploiting Softwareis loaded with examples of real attacks, attack patterns, tools, and
broken software presents a clear and present danger. Getting past the 'worm of the day' techniques used by bad guys to break software. If you want to protect your software from
phenomenon requires that someone other than the bad guys understands how software attack, you must first learn how real attacks are really carried out.
is attacked.
This must-have book may shock you—and it will certainly educate you.Getting beyond the
This booktreatmentis wake-up call for computer security."
script kiddie found in many hacking books, you will learn about
—Elinor Mills Abreu Reuters' correspondent
Why software exploit will continue to be a serious problem
"Police investigators study how criminals think and act. Military strategists learn about theWhenenemy'snetworktactisecs,urityas wellmechanismsas their weaponsdonot workand personnel capabilities. Similarly,
information security professionals need to study their criminals and enemies, so we can
Attack patterns
tell the difference between popguns and weapons of mass destruction. This book is a
significant advance in helping the 'white hats' understand how the 'black hats' operate. Reverse engineering
Through extensive examples and 'attack patterns,' this book helps the reader
Classic attacks against server software
understand how attackers analyze software and use the results of the analysis to attack
systems. Hoglund and McGraw explain not only how hackers attack servers, but also
Surprising attacks against client software
how malicious server operators can attack clients (and how each can protect themselves
from the other). An excellent book for practicing security engineers, and an ideal book Techniques for crafting malicious input
for an undergraduate class in software security."
The technical details of buffer overflows
—Jeremy Epstein Director, Product Security & Performance webMethods, Inc.
Rootkits
"A provocative and revealing book from two leading security experts and world class
software exploiters, Exploiting Software enters the mind of the cleverest and wickedest Exploiting Softwareis filled with the tools, concepts, and knowledge necessary to break
crackers and shows you how they think. It illustrates general principles for breaking software.
software, and provides you a whirlwind tour of techniques for finding and exploiting
software vulnerabilities, along with detailed examples from real software exploits.
Exploiting Software is essential reading for anyone responsible for placing software in a
hostile environment—that is, everyone who writes or installs programs that run on the
Internet."
—Dave Evans, Ph.D. Associate Professor of Computer Science University of Virginia
"The root cause for most of today's Internet hacker exploits and malicious software outbreaks are buggy software and faulty security software deployment. In Exploiting Software, Greg Hoglund and Gary McGraw help us in an interesting and provocative way to better defend ourselves against malicious hacker attacks on those software loopholes.
The information in this book is an essential reference that needs to be understood, digested, and aggressively addressed by IT and information security professionals
•Table of Contents
everywhere."
•Index
Exploiting Software How to Break Code
—Ken Cutler, CISSP, CISA Vice President, Curriculum Development & Professional
ByGregServices,Hoglund GaryMISMcGrawTraining Institute
"This book describes the threats to software in concrete, understandable, and frightening detail. It also discusses how to find these problems before the bad folks do.
A valuable addition to every programmer's and security person's library!"
ISBN: 0-201-78695-8
—Pages:Matt512Bishop, Ph.D. Professor of Computer Science University of California at Davis Author of Computer Security: Art and Science
"Whether we slept through software engineering classes or paid attention, those of us who build things remain responsible for achieving meaningful and measurable
vulnerability reductions. If you can't afford to stop all software manufacturing to teach How does software break? How do attackers make software break on purpose? Why are
your engineers how to build secure software from the ground up, you should at least firewalls, intrusion detection systems, and antivirus software not keeping out the bad guys?
increase awareness in your organization by demanding that they read Exploiting What tools can be used to break software? This book provides the answers.
Software. This book clearly demonstrates what happens to broken software in the wild."
Exploiting Softwareis loaded with examples of real attacks, attack patterns, tools, and
—Ron Moritz, CISSP Senior Vice President, Chief Security Strategist Computer techniques used by bad guys to break software. If you want to protect your software from
Associates
attack, you must first learn how real attacks are really carried out.
"Exploiting Software is the most up-to-date technical treatment of software security I This must-have book may shock you—and it will certainly educate you.Getting beyond the
have seen. If you worry about software and application vulnerability, Exploiting script kiddie treatment found in many hacking books, you will learn about
Software is a must-read. This book gets at all the timely and important issues
surrounding software security in a technical, but still highly readable and engaging,
way.
Why software exploit will continue to be a serious problem
Hoglund and McGraw havemechanismsdone excellent job of picking out the major ideas in When network security do not work
software exploit and nicely organizing them to make sense of the software security
jungleAttack."patterns
—RevGeorgerse engineeringCybenko, Ph.D. Dorothy and Walter Gramm Professor of Engineering,
Dartmouth Founding Editor-in-Chief, IEEE Security and Privacy
Classic attacks against server software
"This is a seductive book. It starts with a simple story, telling about hacks and cracks. It
Surprising attacks against client software
draws you in with anecdotes, but builds from there. In a few chapters you find yourself
deep in the intimate details of software security. It is the rare technical book that is a
Techniques for crafting malicious input
readable and enjoyable primer but has the substance to remain on your shelf as a
reference. Wonderful stuff."
The technical details of buffer overflows
—Craig Miller, Ph.D. Chief Technology Officer for North America Dimension Data
Rootkits
"It's hard to protect yourself if you don't know what you're up against. This book has the
Exploiting Softwareis filled with the tools, concepts, and knowledge necessary to break details you need to know about how attackers find software holes and exploit
software.
them—details that will help you secure your own systems."
—Ed Felten, Ph.D. Professor of Computer Science Princeton University