Exploiting Software: How to Break Code 1st Edition
Greg Hoglund (Author) Find all the books, read about the author, and more. See search results for this author |
Gary McGraw (Author) Find all the books, read about the author, and more. See search results for this author |



Use the Amazon App to scan ISBNs and compare prices.

**Foreword by Avi Rubin. How does software break? How do attackers make software break on purpose? Why are firewalls, intrusion detection systems, and antivirus software not keeping out the bad guys? What tools can be used to break software? This book provides the answers. This book is studded with examples of real attacks, attack patterns, tools, and techniques used by bad guys to break software. If you want to protect your software from attack, you must first learn how real attacks are really carried out. Learn about: Why software exploit will continue to be a serious problem; When network security mechanisms do not work; Attack patterns; Reverse engineering; Classic attacks against server software; Surprising attacks against client software; Techniques for crafting malicious input; The technical details of buffer overflows; and Rootkits. This information needs to be understood and digested by security professionals so that they know the magnitude of the problem and they can begin to address it properly. Today, all developers should be security-minded. The knowledge here will arm you with a real understanding of the software security problem.
Frequently bought together
- +
- +
Customers who viewed this item also viewed
Editorial Reviews
Amazon.com Review
PHP programmers will take issue with the authors' blanket assessment of their language ("PHP is a study in bad security"), much of which seems based on older versions of the language that had some risky default behaviors--but those programmers will also double-check their servers' register_globals settings. Users of insufficiently patched Microsoft and Oracle products will worry about the detailed attack instructions this book contains. Responsible programmers and administrators will appreciate what amounts to documentation of attackers' rootkits for various operating systems, and will raise their eyebrows at the techniques for writing malicious code to unused EEPROM chips in target systems. --David Wall
Topics covered: How to make software fail, either by doing something it wasn't designed to do, or by denying its use to its rightful users. Techniques--including reverse engineering, buffer overflow, and particularly provision of unexpected input--are covered along with the tools needed to carry them out. A section on hardware viruses is detailed and frightening.
From the Back Cover
Praise for Exploiting Software
“Exploiting Software highlights the most critical part of the software quality problem. As it turns out, software quality problems are a major contributing factor to computer security problems. Increasingly, companies large and small depend on software to run their businesses every day. The current approach to software quality and security taken by software companies, system integrators, and internal development organizations is like driving a car on a rainy day with worn-out tires and no air bags. In both cases, the odds are that something bad is going to happen, and there is no protection for the occupant/owner. This book will help the reader understand how to make software quality part of the design―a key change from where we are today!”
― Tony ScottChief Technology Officer, IS&S
General Motors Corporation
“It’s about time someone wrote a book to teach the good guys what the bad guys already know. As the computer security industry matures, books like Exploiting Software have a critical role to play.”
― Bruce SchneierChief Technology Officer
Counterpane
Author of Beyond Fear and Secrets and Lies
“Exploiting Software cuts to the heart of the computer security problem, showing why broken software presents a clear and present danger. Getting past the ‘worm of the day’ phenomenon requires that someone other than the bad guys understands how software is attacked. This book is a wake-up call for computer security.”
― Elinor Mills AbreuReuters’ correspondent
“Police investigators study how criminals think and act. Military strategists learn about the enemy’s tactics, as well as their weapons and personnel capabilities. Similarly, information security professionals need to study their criminals and enemies, so we can tell the difference between popguns and weapons of mass destruction. This book is a significant advance in helping the ‘white hats’ understand how the ‘black hats’ operate. Through extensive examples and ‘attack patterns,’ this book helps the reader understand how attackers analyze software and use the results of the analysis to attack systems. Hoglund and McGraw explain not only how hackers attack servers, but also how malicious server operators can attack clients (and how each can protect themselves from the other). An excellent book for practicing security engineers, and an ideal book for an undergraduate class in software security.”
― Jeremy EpsteinDirector, Product Security & Performance
webMethods, Inc.
“A provocative and revealing book from two leading security experts and world class software exploiters, Exploiting Software enters the mind of the cleverest and wickedest crackers and shows you how they think. It illustrates general principles for breaking software, and provides you a whirlwind tour of techniques for finding and exploiting soft
About the Author
Greg Hoglund has been a pioneer in the area of software security. He is CEO of HBGary, Inc., a leading provider of software security verification services. After writing one of the first network vulnerability scanners (installed in over half of all Fortune 500 companies), he created and documented the first Windows NT-based rootkit, founding rootkit.com in the process. Greg is a frequent speaker at Black Hat, RSA, and other security conferences.
Gary McGraw, Cigital's CTO, is a leading authority on software security. Dr. McGraw is coauthor of the groundbreaking books Building Secure Software and Exploiting Software (both from Addison-Wesley). While consulting for major software producers and consumers, he has published over ninety peer-reviewed technical publications, and functions as principal investigator on grants from DARPA, the National Science Foundation, and NIST's Advanced Technology Program. He serves on the advisory boards of Authentica, Counterpane, and Fortify Software. He is also an advisor to the computer science departments at University of California, Davis, and the University of Virginia, as well as the School of Informatics at Indiana University.
I'd like to read this book on Kindle
Don't have a Kindle? Get your Kindle here, or download a FREE Kindle Reading App.
Product details
- Publisher : Addison-Wesley Professional; 1st edition (February 17, 2004)
- Language : English
- Paperback : 512 pages
- ISBN-10 : 0201786958
- ISBN-13 : 978-0201786958
- Item Weight : 1.95 pounds
- Dimensions : 9.26 x 7.1 x 1.24 inches
- Best Sellers Rank: #1,333,692 in Books (See Top 100 in Books)
- #174 in CompTIA Certification Guides
- #562 in Software Testing
- #663 in Computer Systems Analysis & Design (Books)
- Customer Reviews:
About the authors
Gary McGraw is co-founder of the Berryville Institute of Machine Learning. He is a globally recognized authority on software security and the author of eight best selling books on this topic. His titles include Software Security, Exploiting Software, Building Secure Software, Java Security, Exploiting Online Games, and 6 other books; and he is editor of the Addison-Wesley Software Security series. Dr. McGraw has also written over 100 peer-reviewed scientific publications. Gary serves on the Advisory Boards of Maxmyinterest, NTrepid, Ravenwhite, and Secure Code Warrior. He has also served as a Board member of Cigital and Codiscope (acquired by Synopsys) and as Advisor to Black Duck (acquired by Synopsys), Dasient (acquired by Twitter), Fortify Software (acquired by HP), and Invotas (acquired by FireEye). Gary produced the monthly Silver Bullet Security Podcast for IEEE Security & Privacy magazine for thirteen years. His dual PhD is in Cognitive Science and Computer Science from Indiana University where he serves on the Dean’s Advisory Council for the School of Informatics, Computing, and Engineering.
https://garymcgraw.com
https://berryvilleiml.com/
@cigitalgem
Discover more of the author’s books, see similar authors, read author blogs and more
Customer reviews
Customer Reviews, including Product Star Ratings help customers to learn more about the product and decide whether it is the right product for them.
To calculate the overall star rating and percentage breakdown by star, we don’t use a simple average. Instead, our system considers things like how recent a review is and if the reviewer bought the item on Amazon. It also analyzed reviews to verify trustworthiness.
Learn more how customers reviews work on AmazonTop reviews from the United States
There was a problem filtering reviews right now. Please try again later.
I find myself deeply conflicted by this book: it's hard to square how genuinely useful and informative it is with how atrociously it is written. While it is chock full of concrete nuggets for analyzing code and developing exploits, the good bits are embedded in pages and pages of repetitive, sometimes irrelevant, sometimes even contradictory padding.
Techies frequently dismiss "word-smithing" as frivolous. But if you have trouble making sense of a book, or if it misinforms - if it lacks clarity, accuracy, succinctness, and readability - then why bother with it? Not including the references and index, my edition is 445 pages. I would love to read the worthwhile content extracted from the surrounding cruft, which I imagine would be a booklet of about 50 pages.
On a minor note, the book is now a bit long in the tooth. At the time it was written, the authors referred to 2010 as "the far future", a point where predictions would be hazardous. Yet despite the frequent references to "NT", I think that the approaches it shows to software cracking remain viable.
So, with these reservations, I think that this is a book that should be read by black hats and white hats alike. My advice is to skim through it quickly until a concrete example is found. Work through that, then skim on to the next example.
Top reviews from other countries
