From Day Zero to Zero Day,
Eugene Lim
No Starch Press, 2025.
ISBN-13: 978-1-7185-0394-6 (print), 978-1-7185-0395-3 (ebook)
319 pages + xxv, first edition, June 2025
Reviewed by Sven Dietrich Sep 21, 2025
Recent software supply chain attacks on npm (Node Package Manager) repositories for JavaScript/Node.js code have brought references to Frank Herbert's 1965 science-fiction novel "Dune" and its "Shai-Hulud" sandworms into the security news: "Shai-Hulud" is the name security analysts gave to this campaign, which spreads from package to package like a worm. As we look for projects for the upcoming shorter days (at least in the Northern Hemisphere), we could of course re-read the "Dune" novel or watch the corresponding movie(s)... Why not also read about vulnerability discovery and reverse engineering? New cybersecurity threats keep arriving, so we must constantly recalibrate our ability to analyze malware and regular software applications alike, especially when zero-day vulnerabilities are involved.
To help with this process, Eugene Lim wrote "From Day Zero to Zero Day," a book of 340-plus pages (including front matter) covering the various phases of vulnerability discovery and analysis.
This book focuses on three major techniques in vulnerability research: code review, reverse engineering, and fuzzing.
The author takes a practitioner-centric, hands-on approach to describing the various techniques, relying on examples of actual (often C) code, screenshots, and web links (URLs). The book is divided into three parts, each containing several chapters. Each chapter begins with a quote and concludes with a summary. There are no formal literature references other than the URLs, but the book does have a companion website with downloads. The focus of the book is on the Linux operating system environment, with some stray MS Windows mentions. The main hardware focus is the Intel x86/x64 architecture. Those on ARM architectures should be warned that some of the code may not run for them, or at least not natively or without a proper emulation layer.
In the Introduction, the author sets the stage for the reader, identifies who the book is for, points to the online resources, and recommends other books to complement the reading of his own. Some of the books the author mentions have been reviewed in this book review column.
The author starts - no surprise there - with a "Chapter 0," as Day Zero. Here the reader learns the basic terminology and how to navigate the various parts of the book: what a vulnerability is, what vulnerability research is (in particular zero-day vulnerability research), and how to approach potential projects. The chapter actually starts with a quote about rapid learning from - you guessed it - Frank Herbert's "Dune."
In Part I 'Code Review,' the reader is introduced to 'Taint Analysis' in Chapter 1, 'Mapping Code to Attack Surface' in Chapter 2, and 'Automated Variant Analysis' in Chapter 3. Each chapter is structured so that simple examples are expanded into mini projects that the reader can try on their own. Command lines and configuration settings are clearly laid out and easy to follow.
In Part II 'Reverse Engineering,' the topic shifts to something that is sometimes considered more an art than a science: reverse engineering of code. In Chapter 4 'Binary Taxonomy,' the discussion starts with Electron applications (built on Node.js) as reverse engineering targets, switches to Intermediate Representations (a halfway point of sorts between source code and machine code), and eventually shifts to Machine Code. Chapter 5 'Source and Sink Discovery' delves into the free, open-source tool Ghidra (developed and released by the NSA) for static analysis, discusses dynamic analysis, and explores the exploitability of the vulnerabilities found. Chapter 6 'Hybrid Analysis in Reverse Engineering' goes into code coverage, emulation, and symbolic analysis. In each of these chapters, examples of tools to achieve the various tasks are presented.
In Part III 'Fuzzing,' the author shifts gears to discovering vulnerabilities by fuzzing, where many generated inputs are fed to a program to trigger errors and possibly crashes. In Chapter 7 'Quick and Dirty Fuzzing,' a few simple fuzzing techniques are shown for a protocol (e.g. the MQTT protocol, used for IoT), and there is also a reference to OSS-Fuzz, which Google runs against open-source software for vulnerability discovery. Chapter 8 'Coverage-Guided Fuzzing' shifts to tools such as American Fuzzy Lop (AFL) and its variants, as well as tools that measure how much of the code the fuzzer actually exercised. Chapter 9 'Fuzzing Everything' extends the approach to other languages (e.g. Go) and different binary models. Finally, Chapter 10 'Beyond Day Zero' wraps up the book in a more procedural tone and elaborates on vulnerability disclosure, CVE assignment, and integrating vulnerability discovery into the software development lifecycle. The summary at the end of Chapter 10 functions as the conclusion of the book, as it goes over all the parts with their respective chapters and ties the pieces together.
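The central idea of Chapter 8, that coverage feedback lets a fuzzer get past checks a blind mutator would almost never pass, is easy to see in miniature. The following Python script is an added example written for this review; it is not code from the book or its companion site. The record format, the parse_record target with its planted bug, and the use of line coverage from sys.settrace in place of AFL's compile-time edge instrumentation are all constructed assumptions for illustration.

```python
import sys
from dataclasses import dataclass
from typing import Callable, FrozenSet, Optional, Set, Tuple


class ParseError(ValueError):
    """The parser's documented, handled error (not a bug)."""


def parse_record(data: bytes) -> int:
    """Constructed toy target, not code from the book.

    Assumed layout: 4-byte magic 'FUZZ', 1-byte payload length, payload.
    The checksum line has a planted bug: a zero-length record indexes an
    empty payload and raises IndexError, our stand-in for a native crash.
    """
    if len(data) < 5:
        raise ParseError("too short")
    if data[0] != 0x46:  # 'F'
        raise ParseError("bad magic byte 0")
    if data[1] != 0x55:  # 'U'
        raise ParseError("bad magic byte 1")
    if data[2] != 0x5A:  # 'Z'
        raise ParseError("bad magic byte 2")
    if data[3] != 0x5A:  # 'Z'
        raise ParseError("bad magic byte 3")
    length = data[4]
    payload = data[5:5 + length]
    if len(payload) != length:
        raise ParseError("truncated payload")
    return payload[0] ^ payload[length - 1]  # BUG: length == 0 -> IndexError


def run_with_coverage(target: Callable[[bytes], object],
                      data: bytes) -> Tuple[str, FrozenSet[int]]:
    """Run target(data) once; return ("ok"|"handled"|"crash", lines hit).

    Line coverage collected with sys.settrace is a simplification of the
    edge coverage AFL reads from an instrumented binary's shared bitmap.
    """
    lines: Set[int] = set()
    code = target.__code__

    def tracer(frame, event, arg):
        if frame.f_code is not code:
            return None  # only trace the target function itself
        if event == "line":
            lines.add(frame.f_lineno)
        return tracer

    sys.settrace(tracer)
    try:
        target(data)
        outcome = "ok"
    except ParseError:
        outcome = "handled"
    except Exception:  # any undocumented exception counts as a crash
        outcome = "crash"
    finally:
        sys.settrace(None)
    return outcome, frozenset(lines)


@dataclass
class FuzzResult:
    crash: Optional[bytes]  # first crashing input, or None
    execs: int              # target executions spent
    queue_size: int         # inputs kept because they reached new coverage


def coverage_guided_fuzz(target: Callable[[bytes], object], seed: bytes,
                         max_execs: int = 100_000) -> FuzzResult:
    """Minimal coverage-guided loop (AFL-style deterministic byte stage).

    Every queue entry is mutated one byte at a time through all 256 values.
    A mutant is kept as a new seed only if it executes a line no earlier
    input reached, which is what walks the fuzzer past the magic check
    one byte at a time instead of requiring all four bytes at once.
    """
    _, first_cov = run_with_coverage(target, seed)
    seen: Set[int] = set(first_cov)
    queue = [seed]
    execs = 1
    i = 0
    while i < len(queue):
        entry = queue[i]
        i += 1
        for pos in range(len(entry)):
            for val in range(256):
                if val == entry[pos]:
                    continue
                cand = entry[:pos] + bytes([val]) + entry[pos + 1:]
                outcome, cov = run_with_coverage(target, cand)
                execs += 1
                if outcome == "crash":
                    return FuzzResult(cand, execs, len(queue))
                if not cov <= seen:  # new coverage: keep it as a seed
                    seen |= cov
                    queue.append(cand)
                if execs >= max_execs:
                    return FuzzResult(None, execs, len(queue))
    return FuzzResult(None, execs, len(queue))


if __name__ == "__main__":
    # Constructed seed: eight 'A' bytes, nowhere near the magic.
    print(coverage_guided_fuzz(parse_record, b"A" * 8))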
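```

Starting from the seed b"AAAAAAAA", the queue grows to five entries (the seed, then F, FU, FUZ and FUZZ prefixes) and the crash b"FUZZ\x00AAA" appears after fewer than ten thousand executions. A blind mutator with the same budget would have to guess all four magic bytes and the zero length in one shot, roughly a 1 in 2^40 chance per execution; coverage feedback turns that into five consecutive 1-in-256 searches, which is exactly the advantage Chapter 8 describes.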
This book, written by the competent and accomplished Eugene Lim, is aimed at a practitioner security analyst/engineer audience or perhaps university students seeking more practical exploration. It does provide technical details for those wishing to explore the topic further, not just the "simple" examples discussed in the book. While there are no formal literature references, the URLs provided in the book and the companion code site give the reader ample opportunities to "play" with the techniques outlined in the book. As a caveat, many of the techniques are tied to contemporary operating systems and associated command lines. Time will tell how this seemingly more tutorial-oriented book will age. Nevertheless, the general principles and techniques will give the reader a solid introduction to the field, or perhaps fill a few gaps along the way for those who are already more or less versed in it.
I enjoyed reading this book. It will find its place on my bookshelf for any unsuspecting student to discover should they ask about vulnerability discovery or zero days.