March 01, 2008

Book Review: Hacking: The Art of Exploitation

In the preface to his book Hacking: The Art of Exploitation, author Jon Erickson does a crisp job laying out the counter argument to letting the art of hacking flourish unfettered by artificial legalities. "There's nothing good or bad about knowledge itself; morality lies in the application of knowledge." Being unfamiliar with actual hacking techniques (beyond what I chuckled at in Die Hard 4), this happened to be a really good way to begin the book.

It's important to understand what this book tries to cover. Erickson covers specific hacking techniques. He stays close to Linux and C to illustrate the techniques, and he exploits a lot of open source software. The goal is to familiarize the reader with the different modes of exploitation.

Later in the book (Chapter 6), he explains: "The state of computer security is a constantly changing landscape...if you understand the concepts of the core hacking techniques explained in this book, you can apply them in new and inventive ways to solve the problem du jour. Like LEGO bricks, these techniques can be used in millions of different combinations and configurations. As with art, the more you practice these techniques, the better you'll understand them." Clearly, Erickson is passionate about the subject matter he covers in his book.

Any ability to exploit vulnerabilities requires a thorough understanding of the underlying subject. Here Erickson's book offers a number of quick primers on topics such as C programming and network protocols. These introductions are valuable because they introduce the subject and give you deep dives into specifics. They give you some sense of how hacking can lead to a greater understanding of the system under exploit. For example, in Chapter 4, Erickson goes from introducing us to the OSI model to socket programming in four pages. But because of a very engaging writing style, it doesn't feel like a hurried course.

After the introduction, in which he covers C programming language basics, Erickson introduces us to exploitation via a buffer overflow example. He covers network hacking techniques such as denial of service, TCP/IP hijacking and port scanning. He delves into the more involved topic of spawning shell code to gain control of a system. And in a very entertaining Chapter 6, he shows you how to bypass security measures that detect and track hackers. In the final chapter, he covers hacking techniques for cryptography.

Given its structure, Hacking is part introduction, part handbook. If there is one recommendation I would make, it would be to embellish the source code with figures. The issue here is that you have to read through reams of code to understand how the hack works. Which is as it should be, but when you are reading about a particular hack, it breaks the flow of thought considerably.

Instead, if the code could have been explained with a flowchart or pseudocode and the hack shown with a diagram, the reader would get a quick understanding of how the hack worked and would be better positioned to work through the code. In addition, the book could address a wider audience - especially those who are interested in learning more about hacking without necessarily being hackers themselves.