Exploiting Software How to Break Code,9780201786958

Exploiting Software How to Break Code

by ;
Edition: 1st
ISBN13: 9780201786958
ISBN10: 0201786958
Format: Paperback
Pub. Date: 2004-02-17
Publisher(s): Addison-Wesley Professional
List Price: $70.22

Buy New

Special Order. We will make every effort to obtain this item but cannot guarantee stock or timing.
$66.88
Add to Cart

Rent Book

Select for Price
Add to Cart
There was a problem. Please try again later.

Used Book

We're Sorry
Sold Out

eBook

We're Sorry
Not Available

Buy from our Marketplace starting at $2.59

How Marketplace Works:

  • This item is offered by an independent seller and not shipped from our warehouse
  • Item details like edition and cover design may differ from our description; see seller's comments before ordering.
  • Sellers much confirm and ship within two business days; otherwise, the order will be cancelled and refunded.
  • Marketplace purchases cannot be returned to eCampus.com. Contact the seller directly for inquiries; if no response within two days, contact customer service.
  • Additional shipping costs apply to Marketplace purchases. Review shipping costs at checkout.

Summary

Praise for "Exploiting Software ""Exploiting Software highlights the most critical part of the software quality problem. As it turns out, software quality problems are a major contributing factor to computer security problems. Increasingly, companies large and small depend on software to run their businesses every day. The current approach to software quality and security taken by software companies, system integrators, and internal development organizations is like driving a car on a rainy day with worn-out tires and no air bags. In both cases, the odds are that something bad is going to happen, and there is no protection for the occupant/owner. This book will help the reader understand how to make software quality part of the design--a key change from where we are today!" --Tony Scott Chief Technology Officer, IS&S General Motors Corporation "It's about time someone wrote a book to teach the good guys what the bad guys already know. As the computer security industry matures,books like,"Exploiting Software have a critical role to play." --Bruce Schneier Chief Technology Officer Counterpane Author of "Beyond Fear and Secrets and Lies ""Exploiting Software cuts to the heart of the computer security problem, showing why broken software presents a clear and present danger. Getting past the 'worm of the day' phenomenon requires that someone other than the bad guys understands how software is attacked. This book is a wake-up call for computer security." --Elinor Mills Abreu Reuters' correspondent "Police investigators study how criminals think and act. Military strategists learn about the enemy's tactics, as well as their weapons andpersonnel capabilities. Similarly, information security professionals need to study their criminals and enemies, so we can tell the difference between popguns and weapons of mass destruction. This book is a significant advance in

Author Biography

Greg Hoglund has been a pioneer in the area of software security. He is CEO of HBGary, Inc., a leading provider of software security verification services. After writing one of the first network vulnerability scanners (installed in over half of all Fortune 500 companies), he created and documented the first Windows NT-based rootkit, founding rootkit.com in the process. Greg is a frequent speaker at Black Hat, RSA, and other security conferences.

Gary McGraw, Cigital's CTO, is a leading authority on software security. Dr. McGraw is coauthor of the groundbreaking books Building Secure Software and Exploiting Software (both from Addison-Wesley). While consulting for major software producers and consumers, he has published over ninety peer-reviewed technical publications, and functions as principal investigator on grants from DARPA, the National Science Foundation, and NIST's Advanced Technology Program. He serves on the advisory boards of Authentica, Counterpane, and Fortify Software. He is also an advisor to the computer science departments at University of California, Davis, and the University of Virginia, as well as the School of Informatics at Indiana University.



Table of Contents

Attack Patterns xxxiii
Foreword xxv
Preface xxix
What This Book Is About
xxx
How to Use This Book
xxxi
But Isn't This Too Dangerous?
xxxii
Acknowledgments xxxiii
1 Software-The Root of the Problem 1(36)
A Brief History of Software
2(8)
Software and the Information Warrior
5(1)
Digital Tradecraft
6(4)
Bad Software Is Ubiquitous
10(4)
NASA Mars Lander
11(1)
Denver Airport Baggage
11(1)
MV-22 Osprey
11(1)
The US Vicennes
12(1)
Microsoft and the Love Bug
12(2)
The Trinity of Trouble
14(9)
Complexity
14(2)
More Lines, More Bugs
16(2)
Extensibility
18(3)
Connectivity
21(2)
The Upshot
23(1)
The Future of Software
23(10)
Short-Term Future: 2003-2004
24(4)
Medium-Term Future: 2005-2007
28(2)
Long-Term Future: 2008-2010
30(2)
Ten Threads Emerge
32(1)
What Is Software Security?
33(1)
Conclusion
34(3)
2 Attack Patterns 37(34)
A Taxonomy
38(4)
Bugs
39(1)
Flaws
39(1)
Vulnerabilities
39(2)
Design Vulnerabilities
41(1)
An Open-Systems View
42(6)
Risk
44(1)
Damage Potential
45(1)
Exposure and Potency
46(1)
Actual Risk
47(1)
Tour of an Exploit
48(7)
The Attacker's Viewpoint
48(1)
Why Trusting Users Is Bad
49(1)
Like a Lock Pick
50(1)
A Simple Example
51(4)
Attack Patterns: Blueprints for Disaster
55(2)
Exploit, Attack, and Attacker
55(1)
Attack Pattern
56(1)
Injection Vector
56(1)
Activation Zone
57(1)
Output Event
57(1)
Feedback Event
57(1)
An Example Exploit: Microsoft's Broken C++ Compiler
57(8)
Technical Details of the Attack
59(2)
An Overview of Microsoft's Port of StackGuard
61(1)
Bypassing the Microsoft Feature
61(2)
Solutions
63(1)
An Exploit in Retrospect
64(1)
Applying Attack Patterns
65(5)
Network Scanning
65(1)
OS Stack Identification
66(1)
Port Scans
67(1)
Traceroute and Zone Transfers
67(1)
Target Components
67(1)
Choosing Attack Patterns
68(1)
Leveraging Faults in the Environment
68(1)
Using Indirection
68(1)
Planting Backdoors
69(1)
Attack Pattern Boxes
70(1)
Attack Pattern: Target Programs That Write to Privileged OS Resources
70(1)
Conclusion
70(1)
3 Reverse Engineering and Program Understanding 71(76)
Into the House of Logic
72(3)
Reverse Engineering
72(1)
Why Reverse Engineer?
73(2)
Should Reverse Engineering Be Illegal?
75(2)
Reverse Engineering Tools and Concepts
77(2)
The Debugger
77(1)
Fault Injection Tools
78(1)
The Disassembler
78(1)
The Reverse Compiler or Decompiler
79(1)
Approaches to Reverse Engineering
79(5)
White Box Analysis
79(1)
Black Box Analysis
80(1)
Gray Box Analysis
81(1)
Using Gray Box Techniques to Find Vulnerabilities in Microsoft SQL Server 7
82(2)
Methods of the Reverser
84(8)
Tracing Input
84(2)
Exploiting Version Differences
86(1)
Making Use of Code Coverage
87(1)
Accessing the Kernel
88(2)
Leaking Data in Shared Buffers
Auditing for Access Requirement Screwups
90(1)
Using Your API Resources
90(2)
Writing Interactive Disassembler (IDA) Plugins
92(12)
Decompiling and Disassembling Software
104(1)
Decompilation in Practice: Reversing helpctr.exe
105(6)
Bug Report
106(1)
The Debug Log
107(4)
Automatic, Bulk Auditing for Vulnerabilities
111(10)
Batch Analysis with IDA-Pro
114(7)
Writing Your Own Cracking Tools
121(18)
x86 Tools
121(1)
The Basic x86 Debugger
121(2)
On Breakpoints
123(3)
Reading and Writing Memory
126(1)
Debugging Multithreaded Programs
127(2)
Enumerate Threads or Processes
129(1)
Single Stepping
130(2)
Patching
132(1)
Fault Injection
132(1)
Process Snapshots
133(5)
Disassembling Machine Code
138(1)
Building a Basic Code Coverage Tool
139(6)
Checking for Boron Tags
144(1)
Conclusion
145(2)
4 Exploiting Server Software 147(54)
The Trusted Input Problem
149(2)
Attack Pattern: Make the Client Invisible
150(1)
The Privilege Escalation Problem
151(3)
Process-Permissions Equal Trust
151(1)
If We Don't Run as Administrator, Everything Breaks!
152(1)
Attack Pattern: Target Programs That Write to Privileged OS Resources
152(1)
Elevated Processes That Read Data from Untrusted Sources
153(1)
Attack Pattern: Use a User-Supplied Configuration File to Run Commands That Elevate Privilege
153(1)
Processes That Use Elevated Components
153(1)
Finding Injection Points
154(2)
Watching Input Files
155(1)
Attack Pattern: Make Use of Configuration File Search Paths
156(1)
Input Path Tracing
156(5)
Using GDB and IDA-Pro Together on a Solaris SPARC Binary
156(1)
Setting Breakpoints and Expressions
156(1)
Mapping Runtime Memory Addresses from IDA
157(1)
Attaching to a Running Process
158(1)
Using Truss to Model the Target on Solaris
159(2)
Exploiting Trust through Configuration
161(6)
Attack Pattern: Direct Access to Executable Files
162(1)
Auditing for Directly Executable Files
162(1)
Know the Current Working Directory (CWD)
163(1)
What If the Web Server Won't Execute cgi Programs?
163(1)
Attack Pattern: Embedding Scripts within Scripts
164(1)
What About Nonexecutable Files?
165(1)
Attack Pattern: Leverage Executable Code in Nonexecutable Files
165(1)
Playing with Policy
166(1)
Specific Techniques and Attacks for Server Software
167(32)
Technique: Shell Command Injection
167(2)
Attack Pattern: Argument Injection
169(3)
Attack Pattern: Command Delimiters
172(1)
Attack Pattern: Multiple Parsers and Double Escapes
173(8)
Technique: Plumbing Pipes, Ports, and Permissions
181(3)
Technique: Exploring the File System
184(1)
Attack Pattern: User-Supplied Variable Passed to File System Calls
185(1)
Attack Pattern: Postfix NULL Terminator
186(1)
Attack Pattern: Postfix, Null Terminate, and Backslash
186(1)
Attack Pattern: Relative Path Traversal
187(2)
Technique: Manipulating Environment Variables
189(1)
Attack Pattern: Client-Controlled Environment Variables
189(1)
Technique: Leveraging Extraneous Variables
190(1)
Attack Pattern: User-Supplied Global Variables (DEBUG=1, PHP Globals, and So Forth)
190(2)
Technique: Leveraging Poor Session Authentication
192(1)
Attack Pattern: Session ID, Resource ID, and Blind Trust
192(1)
Technique: Brute Forcing Session IDs
193(5)
Technique: Multiple Paths of Authentication
198(1)
Technique: Failure to Ckeck Error Codes
199(1)
Conclusion
199(2)
5 Exploiting Client Software 201(32)
Client-side Programs as Attack Targets
201(3)
The Server Controls the Client
202(1)
Software Honeypots
203(1)
In-band Signals
204(8)
Ancient (But Relevant) History
204(1)
Attack Pattern: Analog In-Band Switching Signals (aka "Blue Boxing")
205(2)
Basic In-band Data Use
207(1)
In-band Fun with Printers
208(1)
In-band Terminal Character Injection in Linux
209(1)
Attack Pattern Fragment: Manipulating Terminal Devices
210(1)
The Reflection Problem
211(1)
Cross-site Scripting (XSS)
212(5)
Using Reflection against Trusted Sites
213(1)
Attack Pattern: Simple Script Injection
214(1)
Attack Pattern: Embedding Script in Nonscript Elements
215(1)
Attack Pattern: XSS in HTTP Headers
216(1)
Attack Pattern: HTTP Query Strings
216(1)
Attack Pattern: User-Controlled Filename
217(1)
Clients Scripts and Malicious Code
217(12)
Auditing for Weak Local Calls
219(5)
Web Browsers and ActiveX
224(1)
Attack Pattern: Passing Local Filenames to Functions That Expect a URL
225(1)
E-mail Injection
226(1)
Attack Pattern: Meta-characters in E-mail Header
226(3)
Content-Based Attacks
229(1)
Attack Pattern: File System Function Injection, Content Based
229(1)
Backwash Attacks: Leveraging Client-side Buffer Overflows
230(2)
Attack Pattern: Client-side Injection, Buffer Overflow
231(1)
Conclusion
232(1)
6 Crafting (Malicious) Input 233(44)
The Defender's Dilemma
235(2)
Filters
236(1)
Communicating Systems
237(1)
Intrusion Detection (Not)
237(5)
Signature-Based versus Anomaly-Based IDSs
238(1)
IDSs as a Reactive Subscription Service
239(1)
The Effect of Alternate Encoding on IDSs
240(2)
Partition Analysis
242(2)
APISPY for Windows Revisited
243(1)
Red Pointing
243(1)
Tracing Code
244(10)
Backtracing from Vulnerable Locations
245(2)
Dead Ends and Runouts
247(1)
Runtime Tracing
247(3)
Speedbreaks
250(1)
Tracing a Buffer
251(1)
Leapfrogging
251(2)
Memory Page Break Points
253(1)
Boron Tagging
253(1)
Reversing Parser Code
254(4)
Character Conversion
255(1)
Byte Operations
255(1)
Pointer Operations
256(1)
NULL Terminators
257(1)
Example: Reversing I-Planet Server 6.0 through the Front Door
258(5)
Misclassification
263(1)
Attack Pattern: Cause Web Server Misclassification
263(1)
Building "Equivalent" Requests
264(11)
Mapping the API Layer
264(2)
Ghost Characters
266(1)
Attack Pattern: Alternate Encoding the Leading Ghost Characters
267(1)
Equivalent Meta-characters
268(1)
Attack Pattern: Using Slashes in Alternate Encoding
268(1)
Escaped Meta-characters
269(1)
Attack Pattern: Using Escaped Slashes in Alternate Encoding
270(1)
Character Conversion
271(1)
Attack Pattern: Unicode Encoding
271(2)
Attack Pattern: UTF-8 Encoding
273(1)
Attack Pattern: URL Encoding
273(1)
Attack Pattern: Alternative IP Addresses
274(1)
Combined Attacks
274(1)
Attack Pattern: Slashes and URL Encoding Combined
274(1)
Audit Poisoning
275(1)
Attack Pattern: Web Logs
275(1)
Conclusion
276(1)
7 Buffer Overflow 277(90)
Buffer Overflow 101
277(3)
Smashing the Stack (for Fun and Profit)
279(1)
Corrupting State
279(1)
Injection Vectors: Input Rides Again
280(6)
Where Injection Stops and Payload Begins
282(1)
Choosing the Correct Code Address to Target
282(1)
Highland and Lowland Addresses
283(1)
Big Endian and Little Endian Representation
284(1)
Using Registers
285(1)
Using Existing Code or Data Blocks in Memory
286(1)
Buffer Overflows and Embedded Systems
286(3)
Embedded Systems in Military and Commercial Use
287(2)
Database Buffer Overflows
289(2)
Stored Procedures
290(1)
Command-Line Applications
290(1)
Clients of the Database
290(1)
Buffer Overflows and Java?!
291(2)
sing Java and C/C++ Together
292(1)
Stored Procedures and DLLs
293(1)
Content-Based Buffer Overflow
293(3)
Attack Pattern: Overflow Binary Resource File
293(1)
Attack Pattern: Overflow Variables and Tags
294(1)
Attack Pattern: Overflow Symbolic Links
294(1)
Attack Pattern: MIME Conversion
295(1)
Attack Pattern: HTTP Cookies
295(1)
Audit Truncation and Filters with Buffer Overflow
296(1)
Attack Pattern: Filter Failure through Buffer Overflow
296(1)
Causing Overflow and Environment Variables
296(2)
Attack Pattern: Buffer Overflow with Environment Variables
297(1)
Attack Pattern: Buffer Overflow in an API Call
297(1)
Attack Pattern: Buffer Overflow in Local Command-Line Utilities
297(1)
The Multiple Operation Problem
298(1)
Attack Pattern: Parameter Expansion
298(1)
Finding Potential Buffer Overflows
298(2)
Exception Handling Hides Errors
299(1)
Using a Disassembler
299(1)
Stack Overflow
300(9)
Fixed-Size Buffers
301(1)
Functions That Do Not Automatically NULL Terminate
302(2)
Functions with Off-By-One NULL Termination
304(4)
Overwriting Exception Handler Frames
308(1)
Arithmetic Errors in Memory Management
309(8)
Negative Values Equal Large Values
309(1)
Signed/Unsigned Mismatch
310(5)
Signed Values and Memory Management
315(2)
Format String Vulnerabilities
317(7)
Printing Data from Anywhere in Memory
319(5)
Detecting the Problem in Code
324(1)
Attack Pattern: String Format Overflow in syslog()
324(1)
Heap Overflows
324(5)
Malloc and the Heap
327(2)
Buffer Overflows and C++
329(1)
Vtables
329(1)
Payloads
329(7)
Getting Your Bearings
331(1)
Payload Size
332(1)
Using Hard-Coded Function Calls
332(1)
Using a Dynamic Jump Table
333(1)
Locating the Data Section
334(1)
XOR Protection
335(1)
Checksum/Hash Loading
335(1)
Payloads on RISC Architectures
336(22)
"Branch Delay" or "Delay Slot"
337(1)
MIPS-Based Payload Construction
337(1)
MIPS Instructions
337(1)
Getting Bearings
338(1)
Avoiding NULL Bytes in MIPS Opcodes
339(1)
Syscalls on MIPS
340(1)
SPARC Payload Construction
340(1)
SPARC Register Window
341(1)
Walking the Stack on SPARC
342(2)
Function Call Nesting in SPARC
344(1)
PA-RISC Payload Construction
345(2)
Walking the Stack on PA-RISC
347(2)
Stack Overflow on HPUX PA-RISC
349(1)
Inter-space Branching on the PA-RISC
349(2)
Inter-space Trampolines
351(1)
Getting Bearings
351(2)
Self-Decrypting Payload on HPUX
353(3)
AIX/PowerPC Payload Construction
356(1)
Getting Bearings
356(1)
Active Armor for the PowerPC Shell Code
356(2)
Removing the NULL Characters
358(1)
Multiplatform Payloads
358(2)
Multiplatform nop Sled
360(1)
Prolog/Epilog Code to Protect Functions
360(6)
Defeating Canary Values (aka Stack Guard)
361(3)
Defeating Nonexecutable Stacks
364(2)
Conclusion
366(1)
8 Rootkits 367(82)
Subversive Programs
367(2)
What Is a Rootkit?
368(1)
What Is a Kernel Rootkit?
368(1)
Kernel Rootkits and the Trusted Computing Base
369(1)
A Simple Windows XP Kernel Rootkit
369(11)
Writing a Rootkit
369(1)
The Checked Build Environment
369(1)
Files in the Rootkit Source
370(1)
Building Things
370(1)
Kernel Drivers
370(1)
The Basic Structure of a Driver
371(1)
When Programs Use a Driver
372(1)
Allowing the Driver to Be Unloaded
373(2)
Registering the Driver
375(2)
Using SysystemLoadAndCallImage
377(3)
Call Hooking
380(6)
Hiding a Process
381(1)
Hooking a System Call
381(1)
Structure of Our Basic Call Hook
381(1)
Removing a Process Record
382(4)
Process Injection Alternative
386(1)
Trojan Executable Redirection
386(6)
Redirection and the Problem with Tripwire
386(1)
The Redirection Driver
387(5)
Hiding Files and Directories
392(2)
Patching Binary Code
394(14)
Peephole Patches
395(2)
Patching the NT Kernel to Remove All Security
397(11)
The Hardware Virus
408(21)
Reading and Writing Hardware Memory
410(1)
Example: Read/Write to the Keyboard Hardware
411(6)
Enable Read/Write from EEPROM
417(1)
CIH
417(4)
EEPROM and Timing
421(1)
The Ethernet EEPROM
421(3)
Serial EEPROM versus Parallel EEPROM
424(1)
Burning Out Hardware
425(1)
Manufacturers
425(1)
Detecting Chips via Common Flash Interface (CFI)
426(1)
Example: Detect a Flash RAM Chip
427(1)
Detecting Chips via ID Mode or JEDEC ID
427(2)
Low-Level Disk Access
429(1)
Reading/Writing the Master Boot Record (MBR)
429(1)
Infecting CD-ROM Images
429(1)
Adding Network Support to a Driver
430(9)
Using the NDIS Library
430(2)
Putting the Interface in Promiscuous Mode
432(1)
Finding the Correct Network Card
433(5)
Using boron Tags for Security
438(1)
Adding an Interactive Shell
438(1)
Interrupts
439(4)
Intel Interrupt Request (IRQ) Architecture
439(2)
Hooking the Interrupt Descriptor Table (IDT)
441(1)
The Mystery of the Programmable Interrupt Controller (PIC)
441(2)
Key Logging
443(1)
Linux Key Logger
443(1)
Windows NT/2000/XP Key Logger
443(1)
The Keyboard Controller Chip
444(1)
Advanced Rootkit Topics
444(2)
Using a Rootkit as a Debugger
445(1)
Disabling Windows System File Protection
445(1)
Writing Directly to Physical Memory
445(1)
Kernal Buffer Overflows
445(1)
Infecting the Kernel Image
446(1)
Execute Redirection 446 Detecting Rootkits
446(1)
Conclusion
446(3)
References 449(4)
Index 453

Excerpts

Software security is gaining momentum as security professionals realize that computer security is really all about making software behave. The publication ofBuilding Secure Softwarein 2001 (Viega and McGraw) unleashed a number of related books that have crystallized software security as a critical field. Already, security professionals, software developers, and business leaders are resonating with the message and asking for more. Building Secure Software(co-authored by McGraw) is intended for software professionals ranging from developers to managers, and is aimed at helping people develop more secure code.Exploiting Softwareis useful to the same target audience, but is really intended for security professionals interested in how to find new flaws in software. This book should be of particular interest to security practitioners working to beef up their software security skills, including red teams and ethical hackers. Exploiting Softwareis about how to break code. Our intention is to provide a realistic view of the technical issues faced by security professionals. This book is aimed directly toward software security as opposed to network security. As security professionals come to grips with the software security problem, they need to understand how software systems break. Solutions to each of the problems discussed inExploiting Softwarecan be found in Building Secure Software. The two books are mirror images of each other. We believe that software security and application security practitioners are in for a reality check. The problem is that simple and popular approaches being hawked by upstart "application security" vendors as solutions--such as canned black box testing tools--barely scratch the surface. This book aims to cut directly through the hype to the heart of the matter. We need to get real about what we're up against. This book describes exactly that. What This Book Is About This book closely examines many real-world software exploits, explaining how and why they work, the attack patterns they are based on, and in some cases how they were discovered. Along the way, this book also shows how to uncover new software vulnerabilities and how to use them to break machines. Chapter 1 describes why software is the root of the computer security problem. We introduce the trinity of trouble--complexity, extensibility, and connectivity--and describe why the software security problem is growing. We also describe the future of software and its implications for software exploit. Chapter 2 describes the difference between implementation bugs and architectural flaws. We discuss the problem of securing an open system, and explain why risk management is the only sane approach. Two real-world exploits are introduced: one very simple and one technically complex. At the heart of Chapter 2 is a description of attack patterns. We show how attack patterns fit into the classic network security paradigm and describe the role that attack patterns play in the rest of the book. The subject of Chapter 3 is reverse engineering. Attackers disassemble, decompile, and deconstruct programs to understand how they work and how they can be made not to. Chapter 3 describes common gray box analysis techniques, including the idea of using a security patch as an attack map. We discuss Interactive Disassembler (IDA), the state-of-the-art tool used by hackers to understand programs. We also discuss in detail how real cracking tools are built and used. In Chapters 4, 5, 6, and 7, we discuss particular attack examples that provide instances of attack patterns. These examples are marked with an asterisk. Chapters 4 and 5 cover the two ends of the client-server model. Chapter 4 begins where the bookHacking ExposedMcClure et al., 1999 leaves off, discussing trusted input, privilege escalation, injection, path tracing, exploiting trust, and other attack t

An electronic version of this book is available through VitalSource.

This book is viewable on PC, Mac, iPhone, iPad, iPod Touch, and most smartphones.

By purchasing, you will be able to view this book online, as well as download it, for the chosen number of days.

Digital License

You are licensing a digital product for a set duration. Durations are set forth in the product description, with "Lifetime" typically meaning five (5) years of online access and permanent download to a supported device. All licenses are non-transferable.

More details can be found here.

A downloadable version of this book is available through the eCampus Reader or compatible Adobe readers.

Applications are available on iOS, Android, PC, Mac, and Windows Mobile platforms.

Please view the compatibility matrix prior to purchase.