Information Security News mailing list archives

Experts publish 'how to' book for software exploits


From: InfoSec News <isn () c4i org>
Date: Tue, 16 Mar 2004 01:41:57 -0600 (CST)

http://www.nwfusion.com/news/2004/0315experpubli.html

By Paul Roberts
IDG News Service
03/15/04

A new book by leading security researchers on writing code to exploit
security flaws in software, including Microsoft's Windows operating
system, has raised some eyebrows in the technical community for
publishing "zero day," or previously unknown, techniques for
exploiting vulnerable systems.

"The Shellcoder's Handbook: Discovering and Exploiting Security
Holes," [1] is an advanced guide to writing software exploits. The
book is intended as a resource for network administrators who are
interested in closing security holes. However, the book also contains
working examples of code for exploiting vulnerable systems and
previously unpublished techniques for launching attacks such as heap
overflows and kernel attacks, according to two of the book's authors.

Shellcode is a term that describes small pieces of computer code that 
launch operating system "shells," or command interfaces such as the 
common "C:\" command line interface on Microsoft DOS (Disk Operating 
System). Shellcode is often a component of attacks in which malicious 
hackers use software exploits to get control of vulnerable systems. 

The new book is published by John Wiley & Sons and is scheduled to be 
released on March 22, 2004. It contains chapters on a variety of 
attack types, including stack overflows, heap overflows and format 
string bugs. Authors discuss everything from how to write Windows 
shellcode to exploiting security holes in HP's Tru64 operating system, 
according to a description of the book published on the Wiley Web 
page. 

Also contained in the new guide are fully functional examples of
software exploits, according to co-author Dave Aitel, founder of
Immunity of New York, a security consulting company.

"The book is trying to teach you how to write exploits, so of course 
there are exploits," he said.

Aitel contributed chapters on heap overflows and Windows exploits to
the book, as well as a technique for finding flaws in network
communications protocols called "fuzzing," he said.

The information contained in the new book is essential to 
administrators who want to secure the computer systems under their 
management, he said. 

"It's hard to get context on a (software) vulnerability if you don't 
know how to exploit it. People who know how to write exploits make 
better strategic decisions," he said. 

Co-author Chris Anley agreed and said the Shellcoder's Handbook is not 
a cookbook for hackers.

"This isn't a collection of exploits. It's a book that tells you how 
to find the bugs and understand what the impact of the bugs is," said 
Anley, a director at Next Generation Security Software Ltd. 
(NGSSoftware) in Surrey, U.K. 

"We wanted to make a book that describes from basic through advanced 
level what exploits can do," he said.

The book is structured like a primer. Early chapters focus on basic 
concepts like stack overflows and use examples written for the open 
source Linux platform. Later chapters focus on more complicated 
problems and obscure operating systems such as Sun's Solaris and HP's 
Tru64, Anley said. 

The book pulls together information that could be obtained from
security discussion groups on the Internet or from a university-level
network security administration course, said Anley and co-author David
Litchfield, also of NGSSoftware.

However, The Shellcoder's Handbook also delves into more arcane 
exploit writing topics that are not commonly discussed, such as format 
string bugs, which concern vulnerabilities in the way some programs 
written in the C programming language output data. Another chapter 
titled "Alternative Payload Strategies" discusses ways in which an 
exploit writer can subtly manipulate a compromised machine other than 
to produce a shell prompt, such as extracting data from a database or 
tampering with cryptographic services, Anley said. 
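As an added illustration of the format string bug class the article mentions (this is editorial example code, not from the book or the article), the snippet below shows the defect side by side with its fix: the bug is that an untrusted string is passed as the *format* argument of a printf-family function, so any "%" directives it contains are interpreted by the C library; the fix is a fixed format string with the untrusted data passed purely as an argument. The helper `contains_format_directive` is a constructed review aid that flags input which would trigger the vulnerable pattern; the sample strings are constructed.

```c
#include <stdio.h>
#include <string.h>

/* BUG (shown for contrast): the untrusted string is used as the format.
 * Compilers warn about this with -Wformat-security; it must never be called
 * with input an attacker controls. */
static int log_message_vulnerable(char *out, size_t outlen, const char *untrusted)
{
    return snprintf(out, outlen, untrusted);
}

/* FIX: a literal format string; the untrusted text is only ever data,
 * so "%x" or "%n" inside it is copied verbatim, not interpreted. */
static int log_message_fixed(char *out, size_t outlen, const char *untrusted)
{
    return snprintf(out, outlen, "%s", untrusted);
}

/* Constructed review helper: returns 1 if the string contains a conversion
 * directive ("%" not followed by another "%"), i.e. the kind of input that
 * makes the vulnerable pattern dangerous; "%%" is a literal percent sign. */
static int contains_format_directive(const char *s)
{
    for (const char *p = s; *p; p++) {
        if (*p == '%') {
            if (p[1] == '%') { p++; continue; }
            return 1;
        }
    }
    return 0;
}

int main(void)
{
    char buf[64];
    const char *benign  = "user logged in";   /* constructed sample input */
    const char *hostile = "%x %x %n";         /* constructed sample of directive-bearing input */

    log_message_fixed(buf, sizeof buf, hostile);
    printf("fixed version logs: %s\n", buf);  /* the text appears literally */

    log_message_vulnerable(buf, sizeof buf, benign); /* safe only because benign has no '%' */
    printf("vulnerable version with benign input: %s\n", buf);

    printf("benign has directives: %d\n", contains_format_directive(benign));
    printf("hostile has directives: %d\n", contains_format_directive(hostile));
    return 0;
}
```

The defensive takeaways are the two that matter in code review: any printf-family call whose format argument is not a string literal is a finding, and compiler flags such as GCC's `-Wformat-security` surface exactly that pattern automatically.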

The Shellcoder's Handbook and other books like it stir up controversy 
within the information technology security community about whether 
researchers should publicly disclose holes in software products, said 
Alan Paller, director of research at The SANS Institute. 

Authors who publish software exploits walk a fine line between 
informing the public and lowering the bar for malicious hackers, he 
said. 

"You don't want to make writing an exploit as easy as fixing a car," 
Paller said.

However, Paller believes that those defending networks from attack
benefit more from books like The Shellcoder's Handbook than attackers
do.

"In the security world there's lots of advice, and a lot of it doesn't 
make much sense. So if you understand why you have to do certain 
things and can connect the defense back to an actual attack, that 
helps," he said. 

[1] http://www.amazon.com/exec/obidos/ASIN/0764544683/c4iorg



-
ISN is currently hosted by Attrition.org
