Exploiting Software : How to Break Code (Paperback)

Greg Hoglund, Gary McGraw

  • 出版商: Addison Wesley
  • 出版日期: 2004-02-17
  • 售價: $2,275
  • 貴賓價: 9.5$2,161
  • 語言: 英文
  • 頁數: 512
  • 裝訂: Paperback
  • ISBN: 0201786958
  • ISBN-13: 9780201786958
  • 相關分類: 資訊安全軟體工程
  • 立即出貨 (庫存=1)

買這商品的人也買了...

商品描述

Using attack patterns, real code, and example exploits, students learn techniques that are used by real malicious hackers against software. The author team show to break code—if students want to protect software from attack, they must first learn how real attacks are really carried out.

Table of Contents:

Attack Patterns.
Foreword.

Preface.

What This Book Is About.

How to Use This Book.

But Isn't This Too Dangerous?

Acknowledgments.



1. Software—The Root of the Problem.

A Brief History of Software.

Bad Software Is Ubiquitous.

The Trinity of Trouble.

The Future of Software.

What Is Software Security?

Conclusion.



2. Attack Patterns.

A Taxonomy.

An Open-Systems View.

Tour of an Exploit.

Attack Patterns: Blueprints for Disaster.

An Example Exploit: Microsoft's Broken C++ Compiler.

Applying Attack Patterns.

Attack Pattern Boxes.

Conclusion.



3. Reverse Engineering and Program Understanding.

Into the House of Logic.

Should Reverse Engineering Be Illegal?

Reverse Engineering Tools and Concepts.

Methods of the Reverser.

Writing Interactive Disassembler (IDA) Plugins.

Decompiling and Disassembling Software.

Decompilation in Practice: Reversing helpctr.exe.

Automatic, Bulk Auditing for Vulnerabilities.

Writing Your Own Cracking Tools.

Building a Basic Code Coverage Tool.

Conclusion.



4. Exploiting Server Software.

The Trusted Input Problem.

The Privilege Escalation Problem.

Finding Injection Points.

Input Path Tracing.

Exploiting Trust through Configuration.

Specific Techniques and Attacks for Server Software.

Conclusion.



5. Exploiting Client Software.

Client-side Programs as Attack Targets.

In-band Signals.

Cross-site Scripting (XSS).

Clients Scripts and Malicious Code.

Content-Based Attacks.

Backwash Attacks: Leveraging Client-side Buffer.

Conclusion.



6. Crafting (Malicious) Input.

The Defender's Dilemma.

Intrusion Detection (Not).

Partition Analysis.

Tracing Code.

Reversing Parser Code.

Example: Reversing I-Planet Server 6.0 through the Front Door.

Misclassification.

Building “Equivalent" Requests.

Audit Poisoning.

Conclusion.



7. Buffer Overflow.

Buffer Overflow 101.

Injection Vectors: Input Rides Again.

Buffer Overflows and Embedded Systems.

Database Buffer Overflows.

Buffer Overflows and Java?!

Content-Based Buffer Overflow.

Audit Truncation and Filters with Buffer Overflow.

Causing Overflow and Environment Variables.

The Multiple Operation Problem.

Finding Potential Buffer Overflows.

Stack Overflow.

Arithmetic Errors in Memory Management.

Format String Vulnerabilities.

Heap Overflows.

Buffer Overflows and C++.

Payloads.

Payloads on RISC Architectures.

Multiplatform Payloads.

Prolog/Epilog Code to Protect Functions.

Conclusion.



8. Rootkits.

Subversive Programs.

A Simple Windows XP Kernel Rootkit.

Call Hooking.

Trojan Executable Redirection.

Hiding Files and Directories.

Patching Binary Code.

The Hardware Virus.

Low-Level Disk Access.

Adding Network Support to a Driver.

Interrupts.

Key Logging.

Advanced Rootkit Topics.

Conclusion.



References.


Index.

商品描述(中文翻譯)

使用攻擊模式、真實程式碼和實際範例攻擊,學生將學習到真正惡意駭客對軟體使用的技術。作者團隊展示了如何破解程式碼,如果學生想要保護軟體免受攻擊,他們必須首先了解真正的攻擊是如何進行的。

目錄:
攻擊模式。
前言。
前言。
本書內容。
如何使用本書。
但這不是太危險了嗎?
致謝。
第一章 軟體-問題的根源。
軟體的簡要歷史。
糟糕的軟體無所不在。
問題的三位一體。
軟體的未來。
什麼是軟體安全?
結論。
第二章 攻擊模式。
一個分類法。
開放系統觀點。
攻擊的導覽。
攻擊模式:災難的藍圖。
一個範例攻擊:微軟的破碎C++編譯器。
應用攻擊模式。
攻擊模式框。
結論。
第三章 逆向工程和程式理解。
進入邏輯之家。
逆向工程是否應該是非法的?
逆向工程工具和概念。
逆向工程師的方法。
編寫交互式反組譯器(IDA)插件。
反編譯和反組譯軟體。
實踐中的反編譯:反向helpctr.exe。
自動、批量的漏洞審計。
編寫自己的破解工具。
建立基本的程式碼覆蓋工具。
結論。
第四章 利用伺服器軟體。
可信輸入問題。
特權升級問題。
尋找注入點。
輸入路徑追蹤。
通過配置利用信任。
伺服器軟體的特定技術和攻擊。
結論。
第五章 利用用戶端軟體。
用戶端程式作為攻擊目標。
帶內信號。
跨站腳本(XSS)。
```