[hcs-d] Vulnerability Research

Dan Rosenberg dan.j.rosenberg at gmail.com
Tue Mar 29 07:13:19 EDT 2011


Hey all,

Thanks again for having me last night, I really enjoyed the
opportunity to speak about security.  I know I promised some links and
reference materials in case any of you are interested in learning more
about this stuff, so here goes:

=====
Books
=====

For learning code auditing, I highly recommend The Art of Software
Security Assessment, by Mark Dowd, Justin Schuh, and John McDonald:

http://www.amazon.com/Art-Software-Security-Assessment-Vulnerabilities/dp/0321444426/ref=sr_1_1?ie=UTF8&qid=1301393685&sr=8-1

If you're interested in kernel security, A Guide to Kernel
Exploitation is excellent:

http://www.amazon.com/Guide-Kernel-Exploitation-Attacking-Core/dp/1597494860/ref=sr_1_1?ie=UTF8&s=books&qid=1301393758&sr=1-1

The Mac Hacker's Handbox is, well, the Mac hacker's handbook:

http://www.amazon.com/Mac-Hackers-Handbook-Charles-Miller/dp/0470395362/ref=sr_1_1?ie=UTF8&s=books&qid=1301393822&sr=1-1

Finally, a pretty decent overview of memory corruption and
exploitation can be found in the Shellcoder's Handbook (but it's
getting a bit older):

http://www.amazon.com/Shellcoders-Handbook-Discovering-Exploiting-Security/dp/047008023X/ref=sr_1_1?ie=UTF8&s=books&qid=1301393878&sr=1-1

==========
Mailing Lists
==========

In terms of mailing lists, I subscribe to Full-Disclosure (warning,
some crap here), Bugtraq, and the Dailydave:

https://lists.grok.org.uk/mailman/listinfo/full-disclosure
http://www.securityfocus.com/archive
https://lists.immunitysec.com/mailman/listinfo/dailydave

For open source software, there's the oss-security mailing list,
although it's primarily used for researchers and vendors to request
CVE identifiers for vulnerabilities in open source software:

http://oss-security.openwall.org/wiki/mailing-lists/oss-security

If you dare, you can subscribe to the Linux kernel mailing list, which
is where new patches to the Linux kernel are proposed and accepted.
It's incredibly high volume (seriously, you don't want to do this
unless you work on Linux kernel development every day).  I usually
just read the archives from time to time:

http://marc.info/?l=linux-kernel

=====
Tools
=====

In terms of fuzzing, I recommend zzuf (http://caca.zoy.org/wiki/zzuf)
for "dumb" (random byte) fuzzing, and either Sulley
(http://code.google.com/p/sulley/) or Peach (http://peachfuzzer.com/)
for "smart" (protocol-aware) fuzzing.  All three are pretty well
documented.

I use gdb (and various other tools like strace, objdump, etc.) for
debugging on Linux.  On Windows, I use Immunity Debugger
(http://debugger.immunityinc.com/).  Other people prefer WinDbg
(http://msdn.microsoft.com/en-us/windows/hardware/gg463009).

For reverse engineering, IDA Pro (http://www.hex-rays.com/idapro/) is
the way to go, but its licensing is expensive.  I've also used Radare
(http://radare.nopcode.org/y/) a bit, and it's pretty cool too.

For exploit development (and penetration testing in general), I
recommend checking out the Metasploit Framework
(http://www.metasploit.com/framework/download/) - they have some
awesome tools.  It's also a great place to learn about what modern
exploits look like - feel free to pick random exploits included in the
framework and study them.

If you're more interested in the penetration testing side of things,
Backtrack (http://www.backtrack-linux.org/) is a Linux distribution
that comes bundled with a whole bunch (read: dozens, if not hundreds)
of tools.

========
Websites
========

I check up on Reddit every once in awhile, especially /r/netsec
(http://www.reddit.com/r/netsec/).

As I mentioned, Twitter is a great way to stay plugged into current
research and news.  You can follow me at @djrbliss.  Feel free to
snoop around among the people I'm following...there may be a few
personal friends of mine, but I use Twitter almost exclusively for
security stuff, so you can find some people worth following in there.

Exploit-DB (http://www.exploit-db.com/) typically has recent exploits,
but there are a whole bunch of crappy exploits for crappy products
you've never heard of.  Take everything with a grain of salt.

=========
Wargames
=========

I think wargames are a great way to learn bug hunting and
exploitation.  I admin at SmashTheStack
(http://www.smashthestack.org).  I especially recommend the IO
wargame.

OverTheWire (http://www.overthewire.org/wargames/) is also pretty
good, especially the Vortex game.

====
IRC
====

I'm almost always on IRC (handle "drosenbe" on irc.freenode.net).
Feel free to ping me any time to chat (or shoot me an email at this
address).  #metasploit on Freenode is pretty decent.  ##security on
Freenode is ok, but there's not usually much good discussion.

To be honest, the best channel to start out in is probably #io at
irc.smashthestack.org (my handle is "bliss").  It's technically the
support channel for the IO wargame, but there's often good
conversations in there about security in general, and it's a very
welcoming community towards beginners and pros alike.

=====
Talks
=====

Dino Dai Zovi's work on return-oriented programming is a good
introduction to the subject (much better than my rushed
approximation):
http://www.youtube.com/watch?v=loy0FOHhzjI

Tavis Ormandy and Julien Tinnes (both from Google security) gave an
awesome talk on kernel security:
http://www.youtube.com/watch?v=BCavCemZPoI&feature=related

Aaron Portnoy from TippingPoint (he runs the Zero Day Initiative) has
some good talks up on an introduction to reverse engineering for
vulnerabilities:
http://vimeo.com/6764570
http://www.securitytube.net/video/1232

SecurityTube (http://www.securitytube.net) is worth checking once in
awhile for good talks.

---

Vulnerability research is a huge field.  If you're interested in
anything more specific, feel free to drop me a line.  I'm always happy
to help people get started, or talk shop with those of you who are
already into it.  You can follow my stuff at my website,
www.vulnfactory.org, or on Twitter at @djrbliss .

Hope this is useful to someone.  Thanks again for having me, good luck
with the rest of the semester!

-Dan


More information about the hcs-discuss mailing list