November 18, 2011
Book Review: A Bug Hunter’s Diary by Tobias Klein
This book is good, but it is good in a very particular way. What follows is a read-through review; I didn't work through all the code examples.
Word Count: ~670
If you’ve ever read a successful pen-test report for a gig you weren’t on and found it both satisfying and fascinating, this book will give you that same experience. Mr. Klein does not set out to write a tutorial or an exhaustive manual on the process of finding security bugs in software. He does not spend much time talking about all the secure code he read, or the intuitions he chased that proved to be wrong, which is part and parcel of being a bug hunter. What he does do, and does very well, is draw a straight line from source or assembly to the beginning stages of a viable exploit. It is a very satisfying book to read and there are great bits of knowledge to be had.
In the introduction the author makes clear that in Germany publishing exploit code (even for dead bugs) is illegal, so we cannot fault him for not including any. What is included at the end of each section is just enough code to gain control of EIP or its equivalent. Control of EIP is necessary, and in modern exploit development it is still one of the first milestones towards a shell, but there can now be many more steps after it. I would have enjoyed the complete path from bug to shell; it’s unfortunate that the laws are what they are.
If you view exploit development as a puzzle to be solved then the tidy solutions in this book are pretty cool. And if you have any interest in hands-on bug hunting, the author’s experiences and methods will probably help inform your practice. I don’t spend all my time in a debugger or disassembler, but I’m familiar enough to know what options they come with and what they allow you to do. Mr. Klein included just enough detail to let the reader know how he was using those tools but didn’t dwell on explanations from the ground up. This same economy of detail applies to memory management mechanics as well.
All in all I thought the author’s choice of bugs was good, from the very straightforward VLC .ty overflow through some of the work in kernel land. They all provided good case examples and demonstrated that there are still bugs of all levels of difficulty out there. Even implementing a dumb fuzzer (for the iPhone exploit) can find serious bugs. You don’t have to be Charlie Miller or Ben Nagy to get good results from fuzzing.
One of the most intriguing things for me was looking at his timelines for finding a bug, reporting it, and when a patch was issued. Particularly notable is the Solaris local bug (CVE-2008-0568), which he had for 471 days prior to Sun releasing a patch, over one and a quarter years. There were a lot of vendors/teams who released patches quickly: CVE-2009-0385 was patched by the FFmpeg team in 2 hours. But the long-lasting bugs, the operating system bugs, those are good food for thought. Who else had this? Where would they have likely used it? Where would I have used it?
In summary, the book is good. The author’s experiences are enjoyable, the technical detail clear, the tools and methods explained in enough depth. It’s good reading and a good addition to a technical library. The price is a little steep for a brief book, but that’s balanced somewhat by the density of the content. If you’re on the fence about the price, browse this book at your local brick-and-mortar store before committing to a purchase.
Full Disclosure: I received a review copy of this book from the publisher via my employer. I have no financial interest in the book and no personal ties to the author. Though he does seem like a swell guy.