A Bug Hunter's Diary: A Guided Tour Through the Wilds of Software Security

Tobias Klein

Language: English

Pages: 208

ISBN: 1593273851

Format: PDF / Kindle (mobi) / ePub

"This is one of the most interesting infosec books to come out in the last several years."
–Dino Dai Zovi, Information Security Professional

"Give a man an exploit and you make him a hacker for a day; teach a man to exploit bugs and you make him a hacker for a lifetime."
–Felix 'FX' Lindner

Seemingly simple bugs can have drastic consequences, allowing attackers to compromise systems, escalate local privileges, and otherwise wreak havoc on a system.

A Bug Hunter's Diary follows security expert Tobias Klein as he tracks down and exploits bugs in some of the world's most popular software, like Apple's iOS, the VLC media player, web browsers, and even the Mac OS X kernel. In this one-of-a-kind account, you'll see how the developers responsible for these flaws patched the bugs—or failed to respond at all. As you follow Klein on his journey, you'll gain deep technical knowledge and insight into how hackers approach difficult problems and experience the true joys (and frustrations) of bug hunting.

Along the way you'll learn how to:

  • Use field-tested techniques to find bugs, like identifying and tracing user input data and reverse engineering
  • Exploit vulnerabilities like NULL pointer dereferences, buffer overflows, and type conversion flaws
  • Develop proof of concept code that verifies the security flaw
  • Report bugs to vendors or third-party brokers

A Bug Hunter's Diary is packed with real-world examples of vulnerable code and the custom programs used to find and test bugs. Whether you're hunting bugs for fun, for profit, or to make the world a safer place, you'll learn valuable new skills by looking over the shoulder of a professional bug hunter in action.

below (see ntddk.h of the Windows Driver Kit):

    [..]
    typedef struct _IO_STACK_LOCATION {
        UCHAR MajorFunction;
        UCHAR MinorFunction;
        UCHAR Flags;
        UCHAR Control;
        [..]
        //
        // System service parameters for: NtDeviceIoControlFile
        //
        // Note that the user's output buffer is stored in the UserBuffer field
        // and the user's input buffer is stored in the SystemBuffer field.
        //
        struct {
            ULONG OutputBufferLength;
            ULONG POINTER_ALIGNMENT InputBufferLength;
            ULONG POINTER_ALIGNMENT IoControlCode;
            PVOID

4 0xff byte values is converted into a signed int. See Section A.3 for more information on type conversions and the associated security problems. If t is negative, the check in line 1093 of the kernel code will return FALSE because the signed int variable nlinesw has a value greater than zero. If that happens, the user-supplied value of t gets further processing. In line 1098, the value of t is used as an index into an array of function pointers. Since I could control the index into that array,
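The excerpt above describes a classic signed-index check bypass: four 0xff bytes reinterpreted as a signed int give -1, an upper-bound-only comparison against a positive count lets it through, and the negative value then indexes a function-pointer table. The C below is an added illustration, not code from the book or from the affected kernel: the handler table, the names index_from_user_bytes, flawed_check_rejects, hardened_check_rejects and dispatch_safely, and the four-byte input are all constructed stand-ins that reproduce the pattern the text describes, alongside the bounds check that actually closes it.

```c
#include <stddef.h>
#include <string.h>

/* Constructed stand-in for the kernel's function-pointer table (hypothetical handlers). */
typedef int (*line_handler)(void);
static int handler_zero(void) { return 100; }
static int handler_one(void)  { return 101; }
static line_handler handlers[] = { handler_zero, handler_one };

/* Like the excerpt's nlinesw: a signed count of valid entries, greater than zero. */
static const int nlinesw = (int)(sizeof handlers / sizeof handlers[0]);

/* Reinterpret 4 user-controlled bytes as a signed int; 0xff 0xff 0xff 0xff becomes -1
   on a two's-complement machine such as x86. */
int index_from_user_bytes(const unsigned char bytes[4]) {
    int t;
    memcpy(&t, bytes, sizeof t);
    return t;
}

/* The flawed pattern from the excerpt: only the upper bound of a signed index is
   checked. Returns 1 if the index is rejected, 0 if it is allowed through.
   A negative t compares less than the positive nlinesw and is never rejected. */
int flawed_check_rejects(int t) {
    return t >= nlinesw;
}

/* Hardened check: reject negative values as well as values past the end of the table. */
int hardened_check_rejects(int t) {
    return t < 0 || t >= nlinesw;
}

/* Dispatch only after the hardened check; returns -1 when the index is rejected.
   With the flawed check alone, t == -1 would read handlers[-1], one slot before the table. */
int dispatch_safely(int t) {
    if (hardened_check_rejects(t))
        return -1;
    return handlers[t]();
}

/* Worked case from the excerpt: a constructed input of four 0xff bytes. */
int demo_all_ff_index(void) {
    static const unsigned char user_input[4] = { 0xff, 0xff, 0xff, 0xff };  /* constructed */
    return index_from_user_bytes(user_input);
}
```

The equivalent fix in real code is either the two-sided comparison shown in hardened_check_rejects or declaring the index as an unsigned type so that a single `t >= nlinesw` test covers the wrapped-around values too; either way, the check has to reject every value outside [0, nlinesw) before the table is touched.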

    :          mov  %ecx,(%esp,1)
    0x35574c:  call *0x456860(%eax)

Note: Note that the disassembly is in AT&T style.

At address 0x35573d, the value of EBX is copied into EAX. The next instruction modifies this value by a left shift of 5 bits. At address 0x35574c, the value is used to calculate the operand of the call instruction. So where did the value of EBX come from? A quick look at the register values revealed that EBX was holding the value 0xff000000, the value

Command       Description
t             Executes a single instruction or source line and, optionally, displays the resulting values of all registers and flags. Will step into subfunctions.
p             Executes a single instruction or source line and, optionally, displays the resulting values of all registers and flags. Will not enter subfunctions.

Examining Data

Command       Description
dd address    Displays the contents of address as double-word values (4 bytes).
du address    Displays the contents of

process simply doesn't opt in to DEP. There are different ways to opt a process in to DEP. For example, you could use the appropriate linker switch (/NXCOMPAT) at compile time, or you could use the SetProcessDEPPolicy API to allow an application to opt in to DEP programmatically. To get an overview of the security-relevant compile-time options used by VLC, I scanned the executable files of the media player with LookingGlass (see Figure 2-9).[16]

Note: In 2009, Microsoft released a tool
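The linker switch mentioned above (/NXCOMPAT) sets the IMAGE_DLLCHARACTERISTICS_NX_COMPAT bit (0x0100) in the DllCharacteristics field of the PE optional header, which is what a scanner such as the one described checks to decide whether an image opts in to DEP. The C below is an added example, not code from the book or from LookingGlass: it parses that field out of a PE image in memory and reports the DEP opt-in status. The function names pe_dll_characteristics and pe_opts_in_to_dep are assumptions, and build_fake_pe constructs a minimal header-only image for demonstration; it is not a real executable.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE 0x0040   /* ASLR opt-in (/DYNAMICBASE) */
#define IMAGE_DLLCHARACTERISTICS_NX_COMPAT    0x0100   /* DEP opt-in (/NXCOMPAT) */

static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }
static uint32_t rd32(const uint8_t *p) {
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) | ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}
static void wr16(uint8_t *p, uint16_t v) { p[0] = (uint8_t)v; p[1] = (uint8_t)(v >> 8); }
static void wr32(uint8_t *p, uint32_t v) {
    p[0] = (uint8_t)v; p[1] = (uint8_t)(v >> 8); p[2] = (uint8_t)(v >> 16); p[3] = (uint8_t)(v >> 24);
}

/* Returns the DllCharacteristics word of a PE32 or PE32+ image, or -1 if the
   buffer is not a well-formed PE header or is too short to contain the field.
   Every offset is bounds-checked before it is read, so a truncated or hostile
   file cannot push the parser past the end of the buffer. */
int pe_dll_characteristics(const uint8_t *img, size_t len) {
    if (len < 0x40 || img[0] != 'M' || img[1] != 'Z')
        return -1;
    uint32_t pe_off = rd32(img + 0x3C);              /* e_lfanew */
    /* Need: "PE\0\0" (4) + COFF header (20) + optional header through DllCharacteristics (72). */
    if (pe_off > len || len - pe_off < 4 + 20 + 72)
        return -1;
    const uint8_t *pe = img + pe_off;
    if (memcmp(pe, "PE\0\0", 4) != 0)
        return -1;
    uint16_t opt_size = rd16(pe + 4 + 16);           /* SizeOfOptionalHeader */
    if (opt_size < 72)
        return -1;
    const uint8_t *opt = pe + 4 + 20;
    uint16_t magic = rd16(opt);
    if (magic != 0x10b && magic != 0x20b)            /* PE32 or PE32+ */
        return -1;
    return rd16(opt + 70);                           /* DllCharacteristics, same offset in both */
}

/* 1 = image opts in to DEP, 0 = it does not, -1 = not a parseable PE image. */
int pe_opts_in_to_dep(const uint8_t *img, size_t len) {
    int dc = pe_dll_characteristics(img, len);
    if (dc < 0)
        return -1;
    return (dc & IMAGE_DLLCHARACTERISTICS_NX_COMPAT) != 0;
}

/* Constructed minimal PE header (MZ stub + PE signature + COFF + optional header)
   with the given DllCharacteristics. Returns bytes written, 0 if cap is too small. */
size_t build_fake_pe(uint8_t *out, size_t cap, uint16_t dll_chars, int pe32plus) {
    const size_t pe_off = 0x80;
    const uint16_t opt_size = pe32plus ? 240 : 224;
    size_t total = pe_off + 4 + 20 + opt_size;
    if (cap < total)
        return 0;
    memset(out, 0, total);
    out[0] = 'M'; out[1] = 'Z';
    wr32(out + 0x3C, (uint32_t)pe_off);
    memcpy(out + pe_off, "PE\0\0", 4);
    wr16(out + pe_off + 4 + 16, opt_size);
    uint8_t *opt = out + pe_off + 4 + 20;
    wr16(opt, pe32plus ? 0x20b : 0x10b);
    wr16(opt + 70, dll_chars);
    return total;
}

/* Builds a constructed image with or without the NX bit and reports its DEP status. */
int constructed_image_dep_status(int with_nx_compat, int pe32plus) {
    uint8_t buf[512];
    uint16_t flags = IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE;
    if (with_nx_compat)
        flags |= IMAGE_DLLCHARACTERISTICS_NX_COMPAT;
    size_t n = build_fake_pe(buf, sizeof buf, flags, pe32plus);
    return pe_opts_in_to_dep(buf, n);
}

/* A truncated image must be reported as unparseable rather than misread. */
int truncated_image_status(void) {
    uint8_t buf[512];
    (void)build_fake_pe(buf, sizeof buf, IMAGE_DLLCHARACTERISTICS_NX_COMPAT, 0);
    return pe_opts_in_to_dep(buf, 0x60);
}
```

To use this on a real file, read the whole image (or at least its headers) into a buffer and call pe_opts_in_to_dep; an image that reports 0 still runs under DEP if the system policy is AlwaysOn or the process calls SetProcessDEPPolicy at startup, so a header scan shows the compile-time intent, not the final runtime state.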
