REVIEW: "Buffer Overflow Attacks", James C. Foster et al


Rob, grandpa of Ryan, Trevor, Devon & Hannah

Jul 27, 2006, 4:02:42 PM7/27/06

"Buffer Overflow Attacks", James C. Foster et al, 2005, 1-932266-67-4,
%A James C. Foster
%A Vitaly Osipov
%A Nish Bhalla
%A Niels Heinen
%C 800 Hingham Street, Rockland, MA 02370
%D 2005
%G 1-932266-67-4
%I Syngress Media, Inc.
%O U$34.95/C$50.95 781-681-5151 fax: 781-681-3585
%O Audience i- Tech 1 Writing 1 (see revfaq.htm for explanation)
%P 497 p.
%T "Buffer Overflow Attacks: Detect, Exploit, Prevent"

As an antivirus researcher, I got used to reading the various blackhat
"zines." It was instructive to note that there were, occasionally,
cute discoveries or tricks to be found therein, but also that much of
the material was rather banal. It was also annoying to have to plow
through the turgid prose of these posturing self-proclaimed experts,
full of attitude (of the keepers of the secret, sacred knowledge),
devoid of structure, and without any consideration of the reader's
needs or probable technical background.

Reading this book rather took me back.

I can fully sympathize with the statement that "[b]uffer overflows are
proof that the computer science, or software programming, community
still does not have an understanding (or, more importantly, firm
knowledge) of how to design, create, and implement secure code." More
and more, we are seeing evidence that software errors are responsible
for huge security problems in our information systems, and buffer
overflows are possibly the largest single class of instances that we
see on a regular basis. Moreover, buffer overflows, while they have
been around since the first time someone tried to punch 81 characters
onto an 80 character card, are something that we do know how to

But this book does not address the topic effectively.

Part one is supposed to be about buffer overflow fundamentals.
Chapter one, rather ironically entitled "Buffer Overflows: the
Essentials," is a confused aggregation of random information,
contradictory statistics, and a glossary of some programming-related
terms. Chapter two purports to give us an understanding of shellcode,
but doesn't give us any proper definition other than that this is the
type of code that gets used *after* a buffer overflow vulnerability
has been exploited. As such, this material is more relevant to a
possible discussion of rootkits, rather than buffer overflows. More
miscellaneous assembly language background, without much depth or
pedagogical value, is provided in chapter three. The very terse
chapter four mentions, but does not fully explain, stacks and heaps,
and then refers to registers without illustrating them at all. At
this point in the book there is the first section of "case studies,"
which are little more than pages of various types of exploit code.

Part two purports to cover the exploiting of buffer overflows.
Chapter five presents a basic (but inferior) explanation of stack
overflows, and then provides (but does not illuminate) lots of C code
(specific to Linux). Rather than untangling heap corruption, as the
title promises, chapter six lists a variety of C language functions
without demonstrating much about their relevance. Format string
attacks, in chapter seven, are very poorly defined, although the text
seems to indicate that the authors are referring to a special case of
malformed data that is pertinent only to programs written in C. Much
of the material that has been presented up to this point is simply
repeated in chapter eight's alleged review of Windows buffer

Part three, about finding buffer overflows, consists solely of chapter
nine, which lists various tools for alerting developers to potential
flaws in source code.

Software security has been neglected for too long, and buffer
overflows are an important topic. However, this work, while it does
have some points to make, is extremely poorly written, and those who
wish to learn about the topic would have a hard time with it. Even
though they are not specific to the subject, the more general
references of "How to Break Web Software" (Andrews and Whittaker, cf.
BKHTBWSW.RVW) and "Software Security: Building Security In" (Gary
McGraw, cf. BKSWSBSI.RVW) are more helpful in this regard, and
particularly "Exploiting Software" by Hoglund and McGraw (cf.
BKEXPLSW.RVW). If you want code examples more than explanation you
might want to look at "Building Secure Software" by Viega and McGraw

copyright Robert M. Slade, 2006 BKBUOVAT.RVW 20060705

====================== (quote inserted randomly by Pegasus Mailer)
There is no such thing as `computer illiteracy;'
only illiteracy itself - Slade's Law of Computer Literacy
Dictionary of Information Security

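The review above faults the book for not actually explaining a stack overflow, so here is an added example for the record; it is not code from the review or from the book. It models the classic case the reviewer's punch-card analogy points at (81 characters pushed into an 80-character buffer): an unbounded copy, as strcpy() or gets() performs, runs past a fixed-size stack buffer into the saved return address stored just above it, which is what an exploit then redirects. The bounded copy beside it refuses the same input. The frame layout, the addresses and the attack bytes are assumptions constructed for the demonstration, not a real compiler's layout; the overwrite is written through a byte pointer to the whole modelled frame so that the program is well-defined C and stops at the end of the frame, where a real overflow would keep going into the caller's frame.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical model of a stack frame (an assumption for this example, not a
 * real compiler layout): a fixed-size buffer with the caller's saved return
 * address placed just above it, as on a downward-growing x86 stack. */
#define BUF_SIZE     16
#define ORIGINAL_RET 0x401136ULL            /* made-up "return to caller" address */
#define FAKE_RET     0x4141414141414141ULL  /* the value an attacker chooses */

struct frame {
    char     buf[BUF_SIZE];
    uint64_t saved_ret;
};

/* The bug: copy every byte the caller supplies, as strcpy()/gets() do, with
 * no bound check. The write goes through a byte pointer to the whole frame so
 * the clobbering of saved_ret is modelled in well-defined C; the copy stops at
 * the end of the frame, where a real overflow would keep going. */
static void vulnerable_copy(struct frame *f, const unsigned char *src, size_t len)
{
    unsigned char *base = (unsigned char *)f + offsetof(struct frame, buf);
    size_t room = sizeof *f - offsetof(struct frame, buf);
    if (len > room)
        len = room;
    for (size_t i = 0; i < len; i++)
        base[i] = src[i];
}

/* The fix: refuse anything that does not fit with room for the NUL.
 * Returns 0 on success, -1 if the input was rejected. */
static int hardened_copy(struct frame *f, const unsigned char *src, size_t len)
{
    if (len >= BUF_SIZE)
        return -1;
    memcpy(f->buf, src, len);
    f->buf[len] = '\0';
    return 0;
}

/* Constructed attack input: BUF_SIZE filler bytes, then FAKE_RET in the
 * machine's byte order so it lands exactly over saved_ret. Returns its length;
 * out must hold at least BUF_SIZE + sizeof(uint64_t) bytes. */
size_t build_payload(unsigned char *out)
{
    uint64_t fake = FAKE_RET;
    memset(out, 'A', BUF_SIZE);
    memcpy(out + BUF_SIZE, &fake, sizeof fake);
    return BUF_SIZE + sizeof fake;
}

/* Run the vulnerable copy and report what saved_ret holds afterwards. */
uint64_t saved_ret_after_vulnerable(const unsigned char *src, size_t len)
{
    struct frame f;
    memset(&f, 0, sizeof f);
    f.saved_ret = ORIGINAL_RET;
    vulnerable_copy(&f, src, len);
    return f.saved_ret;
}

/* Same for the hardened copy: returns its status and stores saved_ret in
 * *ret_out so the caller can confirm it was left untouched. */
int status_after_hardened(const unsigned char *src, size_t len, uint64_t *ret_out)
{
    struct frame f;
    memset(&f, 0, sizeof f);
    f.saved_ret = ORIGINAL_RET;
    int rc = hardened_copy(&f, src, len);
    *ret_out = f.saved_ret;
    return rc;
}

/* Wrappers with the inputs baked in: a benign 5-byte string and the payload. */
uint64_t demo_vulnerable_benign(void)
{
    return saved_ret_after_vulnerable((const unsigned char *)"hello", 5);
}

uint64_t demo_vulnerable_attack(void)
{
    unsigned char payload[BUF_SIZE + sizeof(uint64_t)];
    size_t n = build_payload(payload);
    return saved_ret_after_vulnerable(payload, n);
}

int demo_hardened_attack_rc(void)
{
    unsigned char payload[BUF_SIZE + sizeof(uint64_t)];
    uint64_t r;
    return status_after_hardened(payload, build_payload(payload), &r);
}

uint64_t demo_hardened_attack_saved_ret(void)
{
    unsigned char payload[BUF_SIZE + sizeof(uint64_t)];
    uint64_t r;
    status_after_hardened(payload, build_payload(payload), &r);
    return r;
}

int main(void)
{
    printf("benign input, vulnerable copy: saved_ret = 0x%llx\n",
           (unsigned long long)demo_vulnerable_benign());
    printf("attack input, vulnerable copy: saved_ret = 0x%llx\n",
           (unsigned long long)demo_vulnerable_attack());
    printf("attack input, hardened copy:   rc = %d, saved_ret = 0x%llx\n",
           demo_hardened_attack_rc(),
           (unsigned long long)demo_hardened_attack_saved_ret());
    return 0;
}
```

Build with `cc -std=c99 -Wall -o overflow overflow.c` and run it: the benign input leaves the saved return address alone, the 24-byte payload replaces it with the attacker's 0x4141... bytes, and the bounded copy rejects the payload with the address intact. The payload is deliberately exact-fit; on a real stack the same copy would also trample whatever lies beyond the frame, which is why the fix is a length check before the copy rather than a bigger buffer.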