

Foreword by Avi Rubin. How does software break? How do attackers make software break on purpose? Why are firewalls, intrusion detection systems, and antivirus software not keeping out the bad guys? What tools can be used to break software? This book provides the answers. This book is studded with examples of real attacks, attack patterns, tools, and techniques used by bad guys to break software. If you want to protect your software from attack, you must first learn how real attacks are really carried out. Learn about: Why software exploit will continue to be a serious problem; When network security mechanisms do not work; Attack patterns; Reverse engineering; Classic attacks against server software; Surprising attacks against client software; Techniques for crafting malicious input; The technical details of buffer overflows; and Rootkits. This information needs to be understood and digested by security professionals so that they know the magnitude of the problem and they can begin to address it properly. Today, all developers should be security-minded. The knowledge here will arm you with a real understanding of the software security problem.
| Best Sellers Rank | #2,764,861 in Books; #838 in Computer Systems Analysis & Design (Books); #996 in Software Testing; #1,122 in Computer Hacking |
| Customer Reviews | 4.4 out of 5 stars 43 Reviews |
I**K
Oldie but a Goodie
It’s an old (by Infosec standards) book. But it’s still relevant. I lost my original copy when we moved. Bought a new copy just recently to keep around as a reference. Worthwhile book.
A**.
Don't let the black hat on the cover fool you...
This book is a great review of software security and deserves to be on any security professional's bookshelf. The chapter on Rootkits (Chapter 8) is well worth the price of the book. While the book isn't too long (at just over 400 pages) it does deliver in a concise, easy to read format that makes the book a rewarding read.
R**Y
Great book
I work in IT, for 22 years as a computer programmer ("software engineer") and now in IT Security as an Application Security Engineer (focusing on Web applications, thanks..) so this book is near and dear to me in both capacities. I highly recommend it. Highly technical, profoundly educational... relevant, intelligently written... just a great book. Buy it.
J**J
Physical condition was great!
Still in chapter one, but so far so good! I'll come back and update my review once I get through the book. Thx.
R**N
Why we use it for a graduate class
The one major strength of this book, from a computer science viewpoint, is its emphasis on "attack patterns". This systemization of these issues really differentiates this book from many of its competitors (which tend to be either the latest 500 hacks or descriptions of standards). Put simply, CS is the study of algorithms, and this book fits nicely into that tradition.
A**S
Excellent
Excellent!! Good Deal, Very Fast Shipping. 5 Stars Seller. Thank You Very Much.
J**E
Great all-around reference!
Exploiting Software is a great reference both for reverse engineering beginners and for coders who have done some reversing. The book includes some great example code very helpful for explaining the concepts and as a starting point for exploit development.
J**E
The Root of All Vulnerabilities
Chapter 1 - Software - The Root of the Problem: Software is indeed the root of the problem and this chapter makes that case and point. This chapter is a good introduction to software vulnerabilities (which make up all CERT advisories) and why this book is relevant.
Chapter 2 - Attack Patterns: This chapter provides an overview of types of attacks. It includes history of vulnerability types and predictions of future vulnerabilities.
Chapter 3 - Reverse Engineering and Program Understanding: This chapter begins with a good introduction to reverse engineering tools and techniques. It then zooms into writing plugins for the IDA disassembler along with batch analysis with IDA disassembler. It also discusses writing your own cracking tools.
Chapter 4 - Exploiting Server Software: This chapter provides an overview of techniques for exploiting any server software. It is filled with real examples and loads of fun. Many attack patterns are covered in various levels of detail. Numerous tools are highlighted for finding injection points.
Chapter 5 - Exploiting Client Software: The logic of exploiting client software is different than exploiting server software, so there's an extra chapter. Again the focus is on techniques to look for exploitable bugs.
Chapter 6 - Crafting (Malicious) Input: This chapter discusses many different methods for crafting input to locate bugs. Many tools and professional techniques are highlighted. I didn't know a lot of this stuff was out there.
Chapter 7 - Buffer Overflows: It starts with a high level overview of traditional buffer overflows, then some non-traditional buffer overflows are discussed. This chapter also covers format strings. One of the longer chapters in the book, it highlights a lot of problem areas.
Chapter 8 - Rootkits: One of the authors is the creator of the first rootkit for Windows, and he details some of his techniques here. Not only does he discuss root kit techniques, but he also discusses techniques that apply to malware in general.
On the positive side: The writing is enjoyable, and the technical concepts are explained clearly. This is a good book for anyone interested in vulnerability research. I found chapters 4-6 to be the best. This book has a decent index. I've used it for reference a couple of times since I finished reading it which is always a measure of a worthwhile book.
On the downside, I have a few minor complaints: Some of the tools mentioned in the book were nowhere to be found. Many were named without references, and Google searches revealed little about them or how to find them. Another tool was supposed to be available at one of the author's website, but I couldn't find it. The authors cover some material at a high level while other material is covered in depth without any apparent reason for the disparity.
A good book for those interested in vulnerability research and software security. I also suggest the sister book "Building Secure Software" to complement this one.
G**D
Still relevant
Like others have said, it's an oldie but a goodie. Just like the shellcoders handbook and some other books by the same author, the knowledge contained here is still valuable. For me chapters 2, 7 and 8 were enough to convince me to buy it. The only downside is that I had a hard time finding some of the exploits mentioned in the book. For instance, chapter 2 mentions a vulnerability in StackGuard and there's even a link to the exploit but the site is down. In the end though the author does such a good job of explaining the attack that even without the exploit you are able to understand what's actually happening.
L**V
Excellent book
Definitely not a book for everyone, only for experts in the field, but it is very useful for studying security.