Hacking: The Art of Exploitation, 2nd Edition
Ed Schaefer reviews the newest edition of Hacking: The Art of Exploitation.
Members of the Hacking world are known by the color of their hat – white for good, black for bad, and gray for those who aren't too sure. By writing Hacking: The Art of Exploitation, Jon Erickson proves his hat color is "mother of pearl." Don't let the title mislead you: Erickson isn't exploiting or vandalizing – he's instructing.
In 2004, I reviewed the book's first edition. In my reviews, I typically like to compare the differences between editions. Erickson beat me to it. At the publisher's web site, you can compare the first and second editions of the book; view excerpts from the Exploitation, Networking, and Countermeasures chapters; and download the book's source. Erickson also bundles the source in a CD included with the book, but more on that later.
Expanded Concepts Introduction
In my first review, I recommended this book for the programming chapter alone. I can no longer do that because the programming chapter is now an "Expanded introduction to fundamental programming concepts for beginners." But it's like no introduction I've ever seen. In one chapter, Erickson takes us from basic Control Structures to Function Pointers. Think of it as Kernighan and Ritchie in 100 pages.
Erickson covers other introductory topics in a hurry, such as his network sockets description in the Networking section (Chapter 4), and his "Crash Course in Signals" in the Countermeasures section (Chapter 6).
It's not that I don't like the author's introductions – I do. I just want to warn you that the introductions might be above the true beginner's head. This book is code intensive and if you don't have a programming background – preferably in Linux "C" – then this book may be of limited value. If you aren't into hacking Linux, or at least wanting to learn, then this book just might gather dust on your book shelf.
Should You Buy the Book?
Because the programming chapter is now an introduction, I now recommend this book for the Exploitations chapter alone. This chapter covers buffer and function overflows and the format string vulnerability. Buy the book and discover why strings should be formated like this:
and never like this:
What's on the CD?
For readers with no access to a Linux box, Erickson bundles his source with a bootable Ubuntu Linux Live CD. The Live CD requires "an x86-based PC with at least 64MB of system memory and a BIOS that is configured to boot from a CD-ROM." I successfully booted the Live CD with both an IBM T43 laptop and a HP dv9000t laptop.
Paperback, 488 pages
No Starch Press, January, 2008