Forgot your password?
typodupeerror
Book Reviews Books Media

Hacking: The Art of Exploitation 59

Posted by samzenpus
from the protect-ya-neck dept.
David Martinjak writes "Hacking: The Art of Exploitation is authored by Jon Erickson and published by No Starch Press. It is the anticipated second edition of Erickson's earlier publication of the same title. I can't think of a way to summarize it without being over-dramatic, so it will just be said: I really liked it. The book, which will be referred to as simply Hacking, starts by introducing the author's description of hacking. Erickson takes a great approach by admitting that the common perception of hacking is rather negative, and unfortunately accurate in some cases. However, he smoothly counters this antagonistic misunderstanding by presenting a simple arithmetic problem. A bit of creativity is needed to arrive at the correct solution, but creativity and problem-solving are two integral aspects of hacking, at least to Erickson. The introduction chapter sets an acceptable tone and proper frame of mind for proceeding with the technical material." Below you'll find the rest of David's review.
Hacking: The Art of Exploitation, 2nd Edition
author Jon Erickson
pages 472
publisher No Starch Press
rating 9
reviewer David Martinjak
ISBN 1-59327-144-1
summary An informative, and authoritative source on hacking and exploit techniques.
Chapter 2 enters the subject of programming. The first few sections in the chapter may feel a bit slow to readers who have been coding for any legitimate length of time. Erickson explains some fundamental, yet essential, concepts of programming before finally moving into some actual code. Some readers may choose to skip these few pages, but they are necessary for brave new adventurers in the dark realm of development. The remainder of the chapter certainly compensates for any perceived slow-start. Each of the remaining sections presents a sufficient quantity of technical information, accompanied by descriptive, yet straightforward explanations.

I don't mean to disrupt the chronological progression of the book review, but it is important to highlight the excellence of the explanations provided in Hacking. Throughout the book, the writing provides adequate details and the content is to the point. Many sources on exploit techniques supply sparse information, or are too wordy and often miss the relevant and important concepts. Erickson does a phenomenal job in Hacking of explaining each subject in just the right manner.

The third chapter is the staple of the book. This chapter covers buffer overflows in both the stack and the heap, demonstrates a few different ways that bash can aid in successfully exploiting a process, and provides an essentially all-encompassing elaboration of format string vulnerabilities and exploits. As I said, this is the main portion of the book so I don't want to give away too much material here. Undoubtedly, though, this chapter has the best explanation of format string attacks that I have ever read. The explanations in Chapter 3, like the rest of the book, are of substantial value.

Chapter 4 focuses on a range of network-related subjects. At first I wondered why the chapter starts with rather basic concepts like the OSI model, sockets, etc. Then I realized it was consistent with the earlier chapters. Hacking presents some core concepts, then moves on to utilizing them in exploits. In this case, these specific concepts and techniques just hadn't been covered yet. The exploit toward the end of this chapter includes some of the concepts in the previous chapter, which also helps to cement the reader's understanding.

I will mention two main shortcomings. First, the material in the "Denial of Service" section of the Networking chapter was unnecessary for this book. Attacks like the Ping of Death, and smurfing were interesting developments when they were first discovered, and effective on a large scale. Now in 2008, almost all of the items in the "Denial of Service" section are either outdated or have been covered to an excessive extent. Rather than denial of service, I would have preferred to see a section on integer attacks. This would have fit perfectly with the book's theme as there are several issues surrounding numeric types in C of which many programmers are unaware. Considering the fact that the book is about hacking and much of the code is in C; integer attacks seem like a natural component to include. The second pitfall in this review is through a fault of my own. I cannot compare this second edition of Hacking with its original, first edition release as I unfortunately do not own the first edition. Hacking finishes out the second half of the book with chapters on shellcode, countermeasures, and cryptology. The chapter on cryptology is especially interesting as it contains a good mix of information without being too hardcore on the mathematics involved. There are plenty of gems in the shellcode and countermeasures chapters, as well. Specifically, Erickson does a stellar job of explaining return-(in)to-libc attacks, and dealing with the address space layout randomization in Linux. He covers the exploit technique for linux-gate.so in a randomized memory space before it was fixed in 2.6.18, then proceeds to demonstrate a different technique for successful exploitation on kernels at 2.6.18 and later.

Undeniably, Hacking: The Art of Exploitation is one of the quintessential books for its subject. A book this good is a rare find, and certainly worth the read for any individual interested in security.

David Martinjak is a programmer, GNU/Linux addict, and the director of 2600 in Cincinnati, Ohio. He can be reached at david.martinjak@gmail.com.

You can purchase Hacking: The Art of Exploitation, 2nd Edition from amazon.com. Slashdot welcomes readers' book reviews -- to see your own review here, read the book review guidelines, then visit the submission page.
This discussion has been archived. No new comments can be posted.

Hacking: The Art of Exploitation

Comments Filter:
  • Inappropriate Title? (Score:1, Interesting)

    by Anonymous Coward on Wednesday February 20, 2008 @03:24PM (#22492226)
    The title would be better if it read "Cracking: The Art of Exploitation," notwithstanding any introduction and definition that attempts to skirt the issue.
  • Pet Peeves (Score:5, Interesting)

    by cromar (1103585) on Wednesday February 20, 2008 @03:34PM (#22492348)
    Hey, good review.

    I don't mean to disrupt the chronological progression of the book review
    Explaining the chapters in order is rarely the best idea. As in any essay, the order of ideas presented should be geared towards explaining the main idea. In fact, you often don't need to summarize chapters (a common source of redundancy). Eh. It's one of my pet peeves :)

    I definitely wanna check this book out.
  • by ZiakII (829432) on Wednesday February 20, 2008 @03:35PM (#22492362)

    The title would be better if it read "Cracking: The Art of Exploitation," notwithstanding any introduction and definition that attempts to skirt the issue.
    To my understanding cracking meant simply using a tool/program to exploit a bug in a program that someone else written (usually having no idea how and why it works), while hacking was looking for those exploits and understanding how they work and developing your own tools. If the second case is correct, then this book's title lives up to it's name by explaining to the reader on why and how these exploits work, and what they can do to prevent these flaws in their programing.
  • Re:Good Book (Score:3, Interesting)

    by ChromeAeonium (1026952) on Wednesday February 20, 2008 @08:49PM (#22496790)
    If I may ask a dumb question, what sort of prerequisite knowledge would you recommend learning before reading this book?

"Our vision is to speed up time, eventually eliminating it." -- Alex Schure

Working...