BKBUOVAT.RVW   20060705

"Buffer Overflow Attacks", James C. Foster et al, 2005, 1-932266-67-4, U$34.95/C$50.95
%A   James C. Foster
%A   Vitaly Osipov
%A   Nish Bhalla
%A   Niels Heinen
%C   800 Hingham Street, Rockland, MA 02370
%D   2005
%G   1-932266-67-4
%I   Syngress Media, Inc.
%O   U$34.95/C$50.95 781-681-5151 fax: 781-681-3585 www.syngress.com
%O   http://www.amazon.com/exec/obidos/ASIN/1932266674/robsladesinterne
%O   http://www.amazon.co.uk/exec/obidos/ASIN/1932266674/robsladesinte-21
%O   http://www.amazon.ca/exec/obidos/ASIN/1932266674/robsladesin03-20
%O   Audience i- Tech 1 Writing 1 (see revfaq.htm for explanation)
%P   497 p.
%T   "Buffer Overflow Attacks: Detect, Exploit, Prevent"

As an antivirus researcher, I got used to reading the various blackhat "zines." It was instructive to note that there were, occasionally, cute discoveries or tricks to be found therein, but also that much of the material was rather banal. It was also annoying to have to plow through the turgid prose of these posturing self-proclaimed experts, full of attitude (of the keepers of the secret, sacred knowledge), devoid of structure, and without any consideration of the reader's needs or probable technical background. Reading this book rather took me back.

I can fully sympathize with the statement that "[b]uffer overflows are proof that the computer science, or software programming, community still does not have an understanding (or, more importantly, firm knowledge) of how to design, create, and implement secure code." More and more, we are seeing evidence that software errors are responsible for huge security problems in our information systems, and buffer overflows are possibly the largest single class of instances that we see on a regular basis. Moreover, buffer overflows, while they have been around since the first time someone tried to punch 81 characters onto an 80-character card, are something that we do know how to prevent. But this book does not address the topic effectively.
Part one is supposed to be about buffer overflow fundamentals. Chapter one, rather ironically entitled "Buffer Overflows: the Essentials," is a confused aggregation of random information, contradictory statistics, and a glossary of some programming-related terms. Chapter two purports to give us an understanding of shellcode, but doesn't give us any proper definition other than that this is the type of code that gets used *after* a buffer overflow vulnerability has been exploited. As such, this material is more relevant to a possible discussion of rootkits than to buffer overflows. More miscellaneous assembly language background, without much depth or pedagogical value, is provided in chapter three. The very terse chapter four mentions, but does not fully explain, stacks and heaps, and then refers to registers without illustrating them at all. At this point in the book there is the first section of "case studies," which are little more than pages of various types of exploit code.

Part two purports to cover the exploiting of buffer overflows. Chapter five presents a basic (but inferior) explanation of stack overflows, and then provides (but does not illuminate) lots of C code (specific to Linux). Rather than untangling heap corruption, as the title promises, chapter six lists a variety of C language functions without demonstrating much about their relevance. Format string attacks, in chapter seven, are very poorly defined, although the text seems to indicate that the authors are referring to a special case of malformed data that is pertinent only to programs written in C. Much of the material that has been presented up to this point is simply repeated in chapter eight's alleged review of Windows buffer overflows.

Part three, about finding buffer overflows, consists solely of chapter nine, which lists various tools for alerting developers to potential flaws in source code.
Software security has been neglected for too long, and buffer overflows are an important topic. However, this work, while it does have some points to make, is extremely poorly written, and those who wish to learn about the topic would have a hard time with it. Even though they are not specific to the subject, the more general references "How to Break Web Software" (Andrews and Whittaker, cf. BKHTBWSW.RVW) and "Software Security: Building Security In" (Gary McGraw, cf. BKSWSBSI.RVW) are more helpful in this regard, and particularly "Exploiting Software" by Hoglund and McGraw (cf. BKEXPLSW.RVW). If you want code examples more than explanation you might want to look at "Building Secure Software" by Viega and McGraw (cf. BKBUSCSW.RVW).

copyright Robert M. Slade, 2006   BKBUOVAT.RVW   20060705