- The Shellcoder’s Handbook, Discovering and Exploiting Security Holes, Second Edition
- Chris Anley, John Heasman, Felix “FX” Linder, Gerardo Rircharte
- Wiley Publishing
- Released August 2007
- 717 pages
- ISBN: 978-0-470-08023-8
The $50 cover price of “The Shellcoder’s Handbook” is a real bargain, in the hands of a motivated self-learner, compared with the cost of equivalent training. The real cost of this book, will be in the time and effort you will need to apply for it to really sink in. This is what I discovered when I sat down to read this book: What you get out of it is a function of what you put in. Reading and reviewing this book took much longer than I had expected, but I can say that I really enjoyed it.
This is a book that expects a lot out of the reader, but it turns out to be very rewarding. I would recommend becoming comfortable with reading, writing, and debugging both C and assembly before taking on The Shellcoder’s Handbook. Readers should not expect to progress quickly either. For the concepts to really sink in, some experimentation and following-along is required. Even though the book contains more than 700 pages, it’s not exhaustive, so the references to papers, sites, and documentation are worth taking some time away from the book to follow. In exchange for all of this work, however, the reader is treated to learning a set of skills in a way that can help them follow along with the vulnerabilities disclosed and exploits published every day on lists like Full-Disclosure and sites like milw0rm.
The range of topics is vast. The introductory chapters cover the basics: stack overflows, developing shellcode, format string vulnerabilities, and heap overflows. After this, the pace quickly ramps up, covering exploit development on Windows, Solaris, OS X, and Cisco IOS (the latter two are new to this edition). Workarounds for various stack and heap protection methods are presented, and there are several chapters on the vulnerability discovery and exploit development process. These chapters include discussion on automated discovery through fuzzing, source code auditing, and reverse engineering. I found it useful to skim these chapters before reading some of the material in previous chapters, to keep the larger picture in my mind. Finishing up the book, there are a handful of “Advanced Materials” chapters that have some very interesting examples of different exploit payloads and discussion of kernel vulnerabilities.
While the book does present a lot of great topics to the reader, it does have some problems. In many examples, especially in introductory chapters, it would have helped to have had more information on what distribution and version of Linux had been used. At one point, Redhat 9 was mentioned for an example, although it must have been a custom kernel, as the default kernel from Redhat had a (admittedly simple) form of stack randomization that could not be turned off. I managed to get most examples working in Ubuntu 7.04, after turning off va_randomize, and playing with compiler options. Some simple googling of problems you run into, and taking good notes, will help on this.
While there are fewer errors than I remember there being in the first edition, there are still some that are likely to trip up or confuse the reader that is trying to work through every example. Table 4-1 on writing data with format string exploits comes to mind as a head-scratcher, and a program presented in the same chapter handles command-line arguments in a way that’s different from the examples that use it. Most problems seem to come from attempts to fix errors in the first edition, leaving some references to older material. It is a good exercise (and not impossibly hard) for the reader to do some research and experimentation to work through these errors, but some might find it frustrating. I can only imagine how difficult it must be to do a review of the technical accuracy of such a long book presenting so many in-depth topics.
To sum it up, despite minor issues, The Shellcoder’s Handbook is a must-have. it’s one of the few books on the topic of vulnerability discovery and exploit development, and I would say that it’s the best. If you’re already pretty good at this stuff, I would recommend taking a look at the table of contents, as I bet there’s something in the more advanced material that you would be interested in. If you already have the first edition, there is new content and some “bugfixes”, but it’s not as much of a slam dunk as it would be if you didn’t already have the first one. Take a look at it in a bookstore before buying it to see if it meets your expectations for buying it again. Anyone picking this up needs to be sure they’re ready to put some time and effort into it, and willing to put it down on occasion in order to do some reading and research on background material.
Personally, I love it. Even after reading it for this review, there are plenty of things I need to go back and get a better understanding of, experiment with, and try to get more comfortable with. It’ll have a permanent spot on my shelf as one of my favorite computer security books.