A Bug Hunter's Diary: A Guided Tour Through the Wilds of Software Security

By Tobias Klein

"This is without doubt one of the best infosec books to return out within the final a number of years."
–Dino Dai Zovi, details safeguard Professional

"Give a guy an make the most and also you make him a hacker for an afternoon; educate a guy to use insects and also you make him a hacker for a lifetime."
–Felix 'FX' Lindner

Seemingly uncomplicated insects may have drastic effects, permitting attackers to compromise structures, improve neighborhood privileges, and differently wreak havoc on a system.

A malicious program Hunter's Diary follows safeguard specialist Tobias Klein as he tracks down and exploits insects in many of the world's most well liked software program, like Apple's iOS, the VLC media participant, net browsers, or even the Mac OS X kernel. during this exceptional account, you will see how the builders chargeable for those flaws patched the bugs—or didn't reply in any respect. As you persist with Klein on his trip, you will achieve deep technical wisdom and perception into how hackers technique tough difficulties and event the real joys (and frustrations) of trojan horse hunting.

Along the way in which you are going to learn the way to:

  • Use field-tested strategies to discover insects, like picking and tracing consumer enter information and opposite engineering
  • Exploit vulnerabilities like NULL pointer dereferences, buffer overflows, and kind conversion flaws
  • Develop facts of idea code that verifies the safety flaw
  • Report insects to owners or 3rd get together brokers

A computer virus Hunter's Diary is full of real-world examples of weak code and the customized courses used to discover and try insects. even if you are searching insects for enjoyable, for revenue, or to make the area a more secure position, you will examine priceless new abilities by means of taking a look over the shoulder of a pro malicious program hunter in action.

Show description

Quick preview of A Bug Hunter's Diary: A Guided Tour Through the Wilds of Software Security PDF

Similar Computer Science books

Database Systems Concepts with Oracle CD

The Fourth version of Database method innovations has been generally revised from the third variation. the hot version offers more advantageous insurance of options, broad assurance of recent instruments and strategies, and up-to-date assurance of database method internals. this article is meant for a primary path in databases on the junior or senior undergraduate, or first-year graduate point.

Distributed Computing Through Combinatorial Topology

Allotted Computing via Combinatorial Topology describes innovations for reading disbursed algorithms in response to award profitable combinatorial topology study. The authors current a pretty good theoretical beginning suitable to many actual platforms reliant on parallelism with unpredictable delays, resembling multicore microprocessors, instant networks, allotted structures, and web protocols.

Platform Ecosystems: Aligning Architecture, Governance, and Strategy

Platform Ecosystems is a hands-on consultant that provides an entire roadmap for designing and orchestrating vivid software program platform ecosystems. not like software program items which are controlled, the evolution of ecosystems and their myriad members needs to be orchestrated via a considerate alignment of structure and governance.

Database Concepts (7th Edition)

For undergraduate database administration scholars or enterprise execs   Here’s sensible aid for knowing, growing, and handling small databases—from of the world’s top database gurus. Database thoughts through David Kroenke and David Auer supplies undergraduate database administration scholars and enterprise pros alike a company knowing of the strategies at the back of the software program, utilizing entry 2013 to demonstrate the options and methods.

Additional resources for A Bug Hunter's Diary: A Guided Tour Through the Wilds of Software Security

Show sample text content

Those values are additional jointly, and their sum represents the deal with of the invoked technique. thus, the 1st line (L1) of the method’s disassembly is outlined to the reveal (u poi(result of the computation)), and the execution of the regulate is resumed (gc). I then all started net Explorer with the g (Go) command of WinDbg and navigated to http://www. webex. com/ back. As anticipated, the breakpoint caused in WinDbg confirmed the reminiscence tackle of the referred to as NewObject() approach in atucfobj. dll. As illustrated in determine 5-5, the reminiscence handle of the NewObject() process was once 0x01d5767f during this instance.

Nine. 4\modules\demux\Ty. c of VLC). the 1st correct functionality that’s referred to as is Demux(): [.. ] 386 static int Demux( demux_t *p_demux ) 387 { 388 demux_sys_t *p_sys = p_demux->p_sys; 389 ty_rec_hdr_t *p_rec; 390 block_t *p_block_in = NULL; 391 392 /*msg_Dbg(p_demux, "ty demux processing" );*/ 393 394 /* did we hit EOF past? */ 395 if( p_sys->eof ) 396 go back zero; 397 398 /* 399 * what we do (1 checklist now.. perhaps extra later): four hundred * - use stream_Read() to learn the bite header & checklist headers 401 * - discard complete chew whether it is a component header bite 402 * - parse the entire headers into list header array 403 * - maintain a pointer of which checklist we are on 404 * - use stream_Block() to fetch every one checklist 405 * - parse out PTS from PES headers 406 * - set PTS for facts packets 407 * - go the information directly to the correct codec through es_out_Send() 408 409 * if this is often the 1st time or 410 * if we are on the finish of this chew, begin a brand new one 411 */ 412 /* parse the subsequent chunk's checklist headers */ 413 if( p_sys->b_first_chunk || p_sys->i_cur_rec >= p_sys->i_num_recs ) 414 { 415 if( get_chunk_header(p_demux) == zero ) [..

I selected the straightforward alternative and wrote the subsequent software: instance 4-1. Little helper software to exploit brute strength to discover the right price for current_track (addr_brute_force. c) 01 #include 02 03 // obtained access tackle of memalign() 04 #define MEMALIGN_GOT_ADDR 0x08560204 05 06 // Min and max price for 'current_track' 07 #define SEARCH_START 0x80000000 08 #define SEARCH_END 0xFFFFFFFF 09 10 int eleven major (void) 12 { thirteen unsigned int a, b = zero; 14 15 for (a = SEARCH_START; a < SEARCH_END; a++) { sixteen b = (a * 20) + 0x10; 17 if (b == MEMALIGN_GOT_ADDR) { 18 printf ("Value for 'current_track': %08x\n", a); 19 go back zero; 20 } 21 } 22 23 printf ("No legitimate worth for 'current_track' chanced on.

The crash was once attributable to the guideline movq 0x8(%r13),%r14 at tackle ip_sioctl_tunparam+0x5c. The guide attempted to reference the price pointed to through check in r13. because the debugger output of the ::msgbuf command exhibits, r13 had the worth zero on the time of the crash. So the assembler guideline is comparable to the NULL pointer dereference that occurs in ip_sioctl_tunparam() (see line 9432 within the following code snippet). resource code dossier uts/common/inet/ip/ip_if. c functionality ip_sioctl_tunparam() [..

I now had an inventory of IOCTLs supported via the XNU kernel. to discover the resource records that enforce the IOCTLs, I searched the full kernel resource for every IOCTL identify from the checklist. Here’s an instance of the BIOCGRSIG IOCTL: osx$ grep --include=*. c -rn BIOCGRSIG * xnu-792. thirteen. 8/bsd/net/bpf. c:1143: case BIOCGRSIG: Step 2: establish the enter info to spot the user-supplied enter info of an IOCTL request, I took a glance at the various kernel features that approach the requests. i found that such services normally anticipate a controversy known as cmd of variety u_long and a moment argument referred to as information of style caddr_t.

Download PDF sample

Rated 4.23 of 5 – based on 12 votes