Tuesday, January 17, 2012

Book Review: A Bug Hunter's Diary

As an InfoSec professional, I frequently hear about insecure systems and vulnerabilities that are found in software packages. Bugs for software are rampant and seem to come from all sides. These bugs or errors in the coding of the programs, require proper identification in order to protect systems against and mitigate the software security vulnerabilities.

This month I read A Bug Hunter's Diary, a book published by No Starch Press and written by Tobias Klein. It provided me an often sought after, but rarely found look inside the mind and processes of a security researcher looking for software vulnerabilities.

This book made me feel like I was sitting down with Mr. Klein personally, pouring over code, gleaning the nuggets of wisdom and information that come from his in-depth understanding of software design and debugging. This book is really a diary in that one sits and shares in the experiences of Mr. Klein's entries for each chapter. Throughout the entirety, we are taken though his thought various methodologies and processes while being introduced to countless tools of the trade.

Chapter One takes you through the basics of what bug hunting is and why is is needed. Tactics, terminology and tools of the trade are discussed as a primer for those with little or no exposure to this practice.

Chapter Two introduces us to a 'stack buffer overflow' by looking at VideoLAN's VLC media player. We are taken step by step through the bug discovery process from vulnerability discovery to exploitation and then to remediation and how one should handle the knowledge of the exploit once found as well as a nice summary of lessons learned.

Chapter Three takes a different approach and looks at Operating System (OS) kernels, specifically Sun/Oracle Solaris 10 and the way that it handles error conditions. Once again, we are taken through the steps from discovery to remediation and lessons learned.

Chapter Four covers NULL pointer dereferrences from a type conversion vulnerability that affects the FFmpeg multimedia library used by various software packages such as Google Chrome and VLC media player.

Chapter Five looks at web browser add-ons, specifically WebEx and looking at cross-site scripting and ActiveX to find a stack overflow. In looking at remediating this bug, Mr. Klein show us that in addition to simply notifying the software vendor, that we have the option selling the bug to a vulnerability broker, in this case, Verisign's iDefense Lab.

Chapter Six takes a look at Microsoft Windows drivers and the possibility of finding a vulnerability there, specifically with the anti-virus software 'AWIL/avast! Professional'. The approach taken in this chapter was a little different since the source code is for the AV program is not Open Source.

In Chapter Seven we are given a chance to examine the OS X kernel, looking for an exploit and validating input data while developing a debugger on a remote Linux host connected via cross-over cable. Whew!
Chapter Eight begins by looking at the iPhone and pouring over applications and libraries that are assumed to most likely have bugs in them, including the Mobile Safari browser, the Mobile mail app and the audio libraries. Mr. Klein takes us through fuzzing (providing invalid, unexpected, or random data to the inputs of a program), to look for obvious bugs, in this case, untrusted media files.

Just when you thought that the book was over and that there was nothing left to discuss, Mr. Klein gives us three appendices that provide a plethora of valuable information. Appendix A is a handy, in-depth reference to vulnerably classes, exploitation techniques and some common issues that lead to certain bugs. Appendix B details information about debuggers and how one goes about the debugging process. Appendix C gives the reader a summary of mitigation techniques from Address Space Layout Randomization (ASLR) to Data Execution prevention (DEP). All of these appendices help to neatly tie up any loose ends that the reader may have after exhausting the resources found throughout the book.

In the reading this book, one gains ideas and insight to help to explain alternate thought processes of software vulnerabilities to others. In addition, the material contained in the book would be a good source for a series of departmental workshops within any security minded organization or their customers.

While an understanding of structured programming languages, Unix, and a sense of adventure and wonder are a must to get the most out of this book, the amount of knowledge that is contained therein is truly staggering and definitely worth the read.

No comments:

Post a Comment