News

Authors provide black-hat insights into security

• By John K. Waters
• April 14, 2004

Since 1996, security guru Dr. Gary McGraw has been admonishing software developers to consider threats and vulnerabilities early in the development cycle. For attackers, it's all about getting to exploitable code, McGraw believes, which ultimately puts the security onus on programmers.

In his September 2001 book "Building Secure Software: How to Avoid Security Problems the Right Way" (Addison-Wesley Pub. Co.), McGraw and co-author John Viega laid out what they believe are the most important objectives developers should keep in mind when designing and building secure systems. The cover of that book featured a white hat.

The cover of McGraw's new book, "Exploiting Software: How to Break Code" (Addison-Wesley/Pearson Higher Education, February 2004), features a black hat. In it, McGraw and co-author Greg Hoglund lay out the actual techniques used by malicious hackers. The book takes specific examples from the black-hat world and generalizes them to demonstrate 48 attack patterns. It is a know-your-enemy approach that provides real code and example exploits to show software developers what they are truly up against.

McGraw says he is not worried about publishing what is essentially a map of the behaviors and strategies of the bad guys. If you want to protect your software from attack, he told Programmers Report during a recent interview, you must first understand how real attacks are carried out. And besides, he added, his first book is the antidote to the second.

"When I first started thinking about the software security space," McGraw said, "I actually planned out the two books. I knew that I would have to follow up the first one with a book that shows the people who are building software what they're really up against. Basically, we felt we had to write it to help them do a better job of thinking about attacks."

The biggest challenge the authors faced in writing "Exploiting Software," McGraw said, was generalizing the real-world hacking examples into attack patterns. And there were a few eye-openers along the way, even for McGraw. His "favorite cool thing" in the book was also the scariest.

"It turns out that on the motherboard of a typical PC there are many megabytes of unused EPROMM memory sitting around," he explained. "And if you rewrite interrupt tables properly, you can place malicious code on the motherboard that will never go away way down there. I found working on that fascinating and downright scary. If you get rooted by somebody who's really serious about it, they could hide the rootkit so low that, unless you replace the motherboard, you're owned forever."

"Exploiting Software" offers a combination of insider perspective and academic analysis. McGraw is CTO at Cigital Inc., a Dulles, Va.-based provider of software quality management solutions, and he has a Ph.D. in cognitive and computer science; Hoglund is the black-hat security expert who created and documented the first Windows NT-based rootkit. "Greg has dabbled in the dark side," McGraw said. "He brought an actual hacker mentality to this project, so it's hacker plus science equals this book."

With this combination, "Exploiting Software" pulls no punches in its detailed discussion of how malicious hackers break software systems. The book describes why classic network security mechanisms such as firewalls, intrusion detection systems and antivirus engines can never solve the computer security problem.

"My theory is that security has been, by and large, about operations -- about infrastructure and the people who keep the network going," McGraw said. "And so we see firewalls and antivirus stuff and intrusion detection stuff, [which is] an operating infrastructure approach. But the problem is not being caused by the operators. They get this broken software and they have to install it on their pristine networks. They know that the software is broken, but they don't know how to fix it because they're not software guys, so they just put something around it, like an application firewall, or maybe they poke it a couple times to see how broken it really is with some black-box testing. And if you're an operations guy, that's a natural way to approach it. Unfortunately, operations cannot solve this problem. The only people who can solve it are the software builders of the world."

The book seeks to present deep technical coverage of advanced topics such as rootkits and disassembly, showing why access to source code is not necessary for software exploit. But it's not a "script kiddie" book, McGraw said.

"This book is for people who are interested in how stuff works and how stuff fails, more than it is for people interested in wreaking havoc on the 'Net," he said. "Havoc wreakers tend to be script kiddies, and script kiddies can press 'Return' like there's no tomorrow, but they couldn't write a 'sploit' to save their lives. I don't think they'll have the patience for a book like this."

McGraw emphasized that the information contained in the book is already widely known. "A good attacker is not going to learn a lot from this book," he said. "But security vendors frankly don't understand software exploits very well at all. I'm hoping that they learn something."