by Peikari, Cyrus and Anton Chuvakin
ISBN 0-596-00545-8, 531 pages. $44.95 Index, appendix, end of chapter references
Reviewed by Robert Bruen March 12, 2004
This book is not for the faint of heart. Although the script kiddies ought to read it, they will most likely not understand it. Security books are gradually moving from the "how to hack" mentality to the region of expertise of how things work. The knowledge required to write real code goes deep. For example, the Security Warrior starts out with lessons in assembly language. If you know assembler, then this is a straightforward description of registers and opcodes. If you are a Visual Basic kind of person who is willing to put in the effort, this is a good place to start learning about the lower levels. The reason for the low level code explanation is that the rest of this section is about reverse engineering.
There is some work on reverse engineering (e.g., see the HoneyNet site and their challenge results), but not much. Reverse engineering software takes some work and understanding, so fewer people do it. However, if you are an antivirus professional, you will be doing this almost daily to get into the latest worm or whatever. Besides this obvious legitimate use of reverse engineering, there are other uses by some people, such as researchers (academic or otherwise) or those looking for holes in proprietary code released in binary only form. Whatever your motivation, the reverse engineering software is a part of the expertise required in by software security professionals.
The tools for reverse engineering come from several sources. There is a commercial version from IDA, some individual's websites (Flavia) and there are many helpful tools built in *nix, many from GNU. The authors proclaim that the tools for reversing Windows code are at the highest level because Windows is proprietary. The need to write tools for Linux has been less because anyone can read the source code. An example of built in tools for any OS is the debugger, and often a disassembler. A simple learning technique is to write a "Hello World" program in a high level language, then use the debugger. A minor change in the program, followed by the debugger again, can be instructive by finding the change.
Lest you think that this book is only about reverse engineering, the other three parts of the book are just as helpful: Network Stalking, Platform Attacks and Advanced Defense. SQL injection is explained very nicely with code, as are topics such as binary log modifications for covering tracks, timestamp fixes and the details on maintaining covert access.
I highly recommend this book for anyone who is serious about software security. It goes hand in hand with books like "Exploiting Software," "Building Secure Software," and the Honeypot work.