Tuesday, November 22, 2011

Book reviews and more...

Recently I was sent review copies of three books from No Starch Press and Addison Wesley. This occasionally happens, but I never blog reviews; I'm going to change that...


'A Bug Hunter's Diary'
This book by Tobias Klein was the first book I reviewed. I, like many others in the security community, received a review copy a few weeks back and I just finished it up. I was aware of Tobias' public security advisories and tools long before this book was published, so I was eager to read it from the start. The author takes the reader through a tour of bug hunting from start to finish. This includes detailed source and binary analysis of the bugs he has found, the process for triggering them and finally gaining control of EIP. While gaining EIP is great, in 2011 it's just the first step to reliable code execution, but exploitation is not the focus of the book. He does not provide full exploits due to the laws in his home country (he makes this point several times), which is a shame but understandable. Each chapter focuses on different applications, ranging from media players (VLC) to kernel drivers, and on different operating system platforms, including iOS, Solaris, Linux and Windows. This sounds like a ton of information to take in, but the book is actually quite small and readable. As usual, No Starch does a good job of adding side-bar style information and good illustrations to help the reader understand complex technical concepts. There are also three appendices with helpful information for bug hunting, debugging tips and exploit mitigations. I even got a mention in appendix C for a generic RELRO technique I published a number of years ago. I definitely recommend this book for anyone who is just starting out in this field and is interested to know exactly what the process of finding software vulnerabilities is like.


'The CERT Oracle Secure Coding Standard For Java'
I would normally never review a book like this because #1 it's a massive technical reference book and #2 I'm not a huge fan of Java. But I saw Robert Seacord was one of the authors and changed my mind. Nothing against the other authors, their names just weren't known to me. To be honest I did not read the entire thing; it's a reference book in my opinion and not meant to be read cover to cover. In fact it reads like the cert.org standards websites, and that's because it's the same text. All of the CERT standards are well researched and tested, I recommend them to developers all the time and this one is no exception. If you are a Java developer then you should definitely have the standards website bookmarked. If you're looking for some light weekend reading then this probably isn't the book for you.


'The Tangled Web'
Last, but certainly not least, Michal Zalewski's newest book is about web security. @lcamtuf is a well-known person in the security community. His published work includes tools that range from low level debugging to automated XSS detection. If you work in computer security and you don't know who he is then you don't really work in computer security. My expectations were high for this book for a reason and it doesn't disappoint. The first chapter contains a good overview of why security is difficult and how the web is no exception. There's also a good browser history lesson mixed in there. I do a lot of research that involves reading browser source code and reversing particular browser components and I am always surprised by quirks I find in each different implementation. It is these subtle differences that make XSS work on one browser and not another. There's a huge divide between a web pentester who knows how browsers work and one who just pastes JavaScript into every GET parameter. The Tangled Web captures a lot of these nuances between CSS and JavaScript implementations. Each chapter concludes with a great cheat sheet. Overall, I enjoyed the book. If you test or build web apps then you will too.

Sunday, August 07, 2011

Attacking Client Side JIT Compilers

This blog is far from dead! I have been involved in some very interesting research these past few months. Yan Ivnitskiy and I presented at the BlackHat conference in Las Vegas this August. The title of our talk was Attacking Client Side JIT Compilers. We researched everything from incorrect JIT code emission to reusing predictable JIT code sequences.

We have published our slides and our research paper on the Matasano research website. You can find it all here. Feel free to email either Yan or myself if you have any questions about the content.