[TriLUG] [ISN] Experts publish 'how to' book for software exploits (fwd)
trilug at daijin.nulluser.com
Tue Mar 16 09:33:45 EST 2004
I'm not sure I'd call Sun's Solaris and HP's Tru64 'obscure' but the book
------------ Forwarded Message ------------
Date: Tuesday, March 16, 2004 01:41:57 AM -0600
From: InfoSec News <isn at c4i.org>
To: isn at attrition.org
Subject: [ISN] Experts publish 'how to' book for software exploits
By Paul Roberts
IDG News Service
A new book by leading security researchers on writing code to exploit
security flaws in software, including Microsoft's Windows operating
system, has caused some raised eyebrows in the technical community for
publishing "zero day," or previously unknown, techniques for
exploiting vulnerable systems.
"The Shellcoder's Handbook: Discovering and Exploiting Security
Holes,"  is an advanced guide to writing software exploits. The
book is intended as a resource for network administrators who are
interested in closing security holes. However, the book also contains
working examples of code for exploiting vulnerable systems and
previously unpublished techniques for launching attacks such as heap
overflows and kernel attacks, according to two of the book's authors.
Shellcode is a term that describes small pieces of computer code that
launch operating system "shells," or command interfaces such as the
common "C:\" command line interface on Microsoft DOS (Disk Operating
System). Shellcode is often a component of attacks in which malicious
hackers use software exploits to get control of vulnerable systems.
The new book is published by John Wiley & Sons and is scheduled to be
released on March 22, 2004. It contains chapters on a variety of
attack types, including stack overflows, heap overflows and format
string bugs. Authors discuss everything from how to write Windows
shellcode to exploiting security holes in HP's Tru64 operating system,
according to a description of the book published on the Wiley Web
Also contained in the new guide are fully-functional examples of
software exploits, according to co-author Dave Aitel, founder of
Immunity of New York, a security consulting company.
"The book is trying to teach you how to write exploits, so of course
there are exploits," he said.
Aitel contributed chapters on heap overflows and Windows exploits to
the book, as well a technique for finding flaws in network
communications protocols called "fuzzing," he said.
The information contained in the new book is essential to
administrators who want to secure the computer systems under their
management, he said.
"It's hard to get context on a (software) vulnerability if you don't
know how to exploit it. People who know how to write exploits make
better strategic decisions," he said.
Co-author Chris Anley agreed and said the Shellcoder's Handbook is not
a cookbook for hackers.
"This isn't a collection of exploits. It's a book that tells you how
to find the bugs and understand what the impact of the bugs is," said
Anley, a director at Next Generation Security Software Ltd.
(NGSSoftware) in Surrey, U.K.
"We wanted to make a book that describes from basic through advanced
level what exploits can do," he said.
The book is structured like a primer. Early chapters focus on basic
concepts like stack overflows and use examples written for the open
source Linux platform. Later chapters focus on more complicated
problems and obscure operating systems such as Sun's Solaris and HP's
Tru64, Anley said.
The book pulls together information that could be obtained from
security discussion groups on the Internet or from a university-level
network security administration course, say Anley and co-author David
Litchfield, also of NGSSoftware.
However, The Shellcoder's Handbook also delves into more arcane
exploit writing topics that are not commonly discussed, such as format
string bugs, which concern vulnerabilities in the way some programs
written in the C programming language output data. Another chapter
titled "Alternative Payload Strategies" discusses ways in which an
exploit writer can subtly manipulate a compromised machine other than
to produce a shell prompt, such as extracting data from a database or
tampering with cryptographic services, Anley said.
The Shellcoder's Handbook and other books like it stir up controversy
within the information technology security community about whether
researchers should publicly disclose holes in software products, said
Alan Paller, director of research at The SANS Institute.
Authors who publish software exploits walk a fine line between
informing the public and lowering the bar for malicious hackers, he
"You don't want to make writing an exploit as easy as fixing a car,"
However, Paller believes that those defending networks from attack
benefit more from books like The Shellcoder's Handbook, than do
"In the security world there's lots of advice, and a lot of it doesn't
make much sense. So if you understand why you have to do certain
things and can connect the defense back to an actual attack, that
helps," he said.
ISN is currently hosted by Attrition.org
To unsubscribe email majordomo at attrition.org with 'unsubscribe isn'
in the BODY of the mail.
---------- End Forwarded Message ----------
More information about the TriLUG