Security book reviews from inside the infosec industry.

Hacking: The Art of Exploitation, 2nd Edition Review



Hacking: The Art of Exploitation 2nd Edition is a well thought out and expanded update to the original similarly named book. It's often considered to be a must read. Having read the 1st edition some years ago I thought I'd dust off the 2nd edition copy that I never got round to reading and have a sit down with it. Here are my thoughts.

Hacking: The Art of Exploitation, 2nd Edition

It's an ambitious book, covering everything from networking to cryptography through to low level memory corruption bugs. In many respects the book tries to be a one-stop shop - almost a metasploit of books but ultimately the book hasn't aged well and needs an update to stay relevant.

The book starts with an introduction in which Erickson provides his definition of hacking followed by a chapter on what starts out as basic programming concepts before going straight into some C and assembly. Personally I prefer AT&T assembly syntax to Intel, but that's just a personal preference. Intel's probably easier for the beginner to wrap their head around but does limit the utility of the book. The book also shows it's age here a little, there's not so many 32-bit x86 systems left, with most people running 64-bit OSes these days and should there be a third edition I'd like to see some 64-bit Intel and possibly a little ARM assembly in there, but that's just me being picky.

After a crash course in GDB and a whistle stop tour of x86 Linux memory management we move on to some basic buffer overflows. Again, the age of the book comes into play here, with people probably having to disable things like ASLR if they're using their own distros. A handy Live CD is provided, although I seem to have lost mine so I didn't get the chance to play with it. It's not the fault of the author at all, and it's a great intro but as with most technical books it's aged.

Chapter 4 introduces us to networking, mainly from a programmatic point of view before moving on to Shellcode. Again, a minor gripe would be that the book jumps around a bit while trying to cover such a broad area and personally I felt the shellcode chapter would've been better following the exploitation chapter instead of networking, which could've been a lot shorter by stripping out things like port scanning and arp spoofing. I can see the rationale (in that there's shellcode for different network functions) though, but that might have fed into the networking chapter better.

Chapter 6 talks about countermeasures. This chapter hasn't aged well, and looks a little out of place in the book. There's a little about ASLR but as you'd expect more modern techniques such as those used in the grsecurity patches don't get a look in. Chapter 7 introduces cryptography with a good run-through on theory and some practical applications using SSH key fingerprints, Crypt and WEP cracking. It doesn't quite feel like it belongs in the book, this may be due to the jumping around.

Hacking: The Art of Exploitation is a well researched and well put together book that suffers from the same problems all technical books do - age. The jumping around while not a major flaw make for some slightly disjointed reading that might confuse people not familiar with the concepts. On their own though, the chapters provide an excellent introduction to their relative subjects, if a little out of date.

So the big question: should you buy this book? If you want to learn about the state of sofware security in 2008 on x86, it's either this or the ShellCoder's Handbook 2nd Edition (which came out in 2007 but also covers different OSes). An unfair but valid comparison would be Vivek Ramachandran's Exploit Research Megaprimer or Corelan's Tutorials and I'd have to say that it's probably worth having a look at those first. It's an excellently written book and is informative, but I feel it tries to do too much and is in desperate need of an update. In 2008 this book would be a no brainer and an instant 5/5, but five years on unless you're into vulnerability history it's probably a no buy. I'd love to give it a 4, but ultimately the age knocks it down to a 3.

Hacking: The Art of Exploitation, 2nd Edition review score: 3/5.

Hacking: The Art of Exploitation, 2nd Edition* is available from Amazon. (What's the *?)

If you like what you've read, please feel free to tip me in bitcoin at 17zNBi3CDhuoaqHJmfyCMNzQcjttiD7e7W

Creative Commons License
Security Book Reviews is licensed under a Creative Commons Attribution-NonCommercial-ShareAlike 3.0 Unported License.