
REVIEW: "Buffer Overflow Attacks", James C. Foster et al

  • Rob, grandpa of Ryan, Trevor, Devon & Ha
    Message 1 of 1 , Jul 27, 2006
      BKBUOVAT.RVW 20060705

      "Buffer Overflow Attacks", James C. Foster et al, 2005, 1-932266-67-4,
      U$34.95/C$50.95
      %A James C. Foster
      %A Vitaly Osipov
      %A Nish Bhalla
      %A Niels Heinen
      %C 800 Hingham Street, Rockland, MA 02370
      %D 2005
      %G 1-932266-67-4
      %I Syngress Media, Inc.
      %O U$34.95/C$50.95 781-681-5151 fax: 781-681-3585 www.syngress.com
      %O http://www.amazon.com/exec/obidos/ASIN/1932266674/robsladesinterne
      http://www.amazon.co.uk/exec/obidos/ASIN/1932266674/robsladesinte-21
      %O http://www.amazon.ca/exec/obidos/ASIN/1932266674/robsladesin03-20
      %O Audience i- Tech 1 Writing 1 (see revfaq.htm for explanation)
      %P 497 p.
      %T "Buffer Overflow Attacks: Detect, Exploit, Prevent"

      As an antivirus researcher, I got used to reading the various blackhat
      "zines." It was instructive to note that there were, occasionally,
      cute discoveries or tricks to be found therein, but also that much of
      the material was rather banal. It was also annoying to have to plow
      through the turgid prose of these posturing self-proclaimed experts,
      full of attitude (of the keepers of the secret, sacred knowledge),
      devoid of structure, and without any consideration of the reader's
      needs or probable technical background.

      Reading this book rather took me back.

      I can fully sympathize with the statement that "[b]uffer overflows are
      proof that the computer science, or software programming, community
      still does not have an understanding (or, more importantly, firm
      knowledge) of how to design, create, and implement secure code." More
      and more, we are seeing evidence that software errors are responsible
      for huge security problems in our information systems, and buffer
      overflows are possibly the largest single class of instances that we
      see on a regular basis. Moreover, buffer overflows, while they have
      been around since the first time someone tried to punch 81 characters
      onto an 80 character card, are something that we do know how to
      prevent.

      But this book does not address the topic effectively.

      Part one is supposed to be about buffer overflow fundamentals.
      Chapter one, rather ironically entitled "Buffer Overflows: the
      Essentials," is a confused aggregation of random information,
      contradictory statistics, and a glossary of some programming-related
      terms. Chapter two purports to give us an understanding of shellcode,
      but doesn't give us any proper definition other than that this is the
      type of code that gets used *after* a buffer overflow vulnerability
      has been exploited. As such, this material is more relevant to a
      possible discussion of rootkits, rather than buffer overflows. More
      miscellaneous assembly language background, without much depth or
      pedagogical value, is provided in chapter three. The very terse
      chapter four mentions, but does not fully explain, stacks and heaps,
      and then refers to registers without illustrating them at all. At
      this point in the book there is the first section of "case studies,"
      which are little more than pages of various types of exploit code.

      Part two purports to cover the exploiting of buffer overflows.
      Chapter five presents a basic (but inferior) explanation of stack
      overflows, and then provides (but does not illuminate) lots of C code
      (specific to Linux). Rather than untangling heap corruption, as the
      title promises, chapter six lists a variety of C language functions
      without demonstrating much about their relevance. Format string
      attacks, in chapter seven, are very poorly defined, although the text
      seems to indicate that the authors are referring to a special case of
      malformed data that is pertinent only to programs written in C. Much
      of the material that has been presented up to this point is simply
      repeated in chapter eight's alleged review of Windows buffer
      overflows.

      Part three, about finding buffer overflows, consists solely of chapter
      nine, which lists various tools for alerting developers to potential
      flaws in source code.

      Software security has been neglected for too long, and buffer
      overflows are an important topic. However, this work, while it does
      have some points to make, is extremely poorly written, and those who
      wish to learn about the topic would have a hard time with it. Even
      though they are not specific to the subject, the more general
      references of "How to Break Web Software" (Andrews and Whittaker, cf.
      BKHTBWSW.RVW) and "Software Security: Building Security In" (Gary
      McGraw, cf. BKSWSBSI.RVW) are more helpful in this regard, and
      particularly "Exploiting Software" by Hoglund and McGraw (cf.
      BKEXPLSW.RVW). If you want code examples more than explanation you
      might want to look at "Building Secure Software" by Viega and McGraw
      (cf. BKBUSCSW.RVW).

      copyright Robert M. Slade, 2006 BKBUOVAT.RVW 20060705


      ====================== (quote inserted randomly by Pegasus Mailer)
      rslade@... slade@... rslade@...
      If you write in an amusing manner, even the bitter truth will be
      consumed and digested. - Martin Luther
      Dictionary of Information Security www.syngress.com/catalog/?pid=4150
      http://victoria.tc.ca/techrev/rms.htm