Monday, October 31, 2022

Have you ever been interested in real-world exploitation? The book I’m about to review is going to blow your mind.

 
“Hacking: The Art of Exploitation” is a book explaining the basics of computers so you can exploit them. It covers programming exploits, the faults of protocols and networking, and the basics of cryptography and cryptanalysis. The book has lots of examples, so you can try them for yourself.


“Chapter 2: 0x200—Programming” is a must-read for computer science students because it explains computer memory in depth. The computer memory consists of the text, data, bss, heap and stack segments. You can read more about these segments in the book. What I’m interested in as an amateur security enthusiast is the heap and the stack segment. If a programmer builds a program which allocates a certain amount of memory but puts no restriction on how much is written into it, the excess can overwrite other areas of memory. All the attacker wants to do is overwrite the return address. This can allow the attacker to run arbitrary code. The programmer doesn’t ever want this to happen, because it can lead to full compromise of the target system. That’s bad, right?

 

The image presents the basic format of a stack segment, where the buffer approaches the return address and the function arguments. The attacker wants to write more bytes than the buffer has space for, in order to overwrite the return address. The return address is an address stored on the stack so that the program can return to the calling code after a function call.
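To make the layout concrete, here is an added example (not code from the book or from this post) that models the frame as a struct, so the overwrite can be observed without touching a real stack. The struct layout, the value `0x1000` and all function names are assumptions made for illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Simplified model of one stack frame (assumption: a real frame also holds
   a saved frame pointer and padding, and its layout is compiler-specific). */
struct frame {
    char      buffer[16];  /* the local buffer */
    uintptr_t saved_ret;   /* stands in for the return address */
};

#define RET_ORIGINAL ((uintptr_t)0x1000)  /* constructed value */

/* Unchecked copy: writes len bytes starting at the buffer, however large
   len is. Callers keep len <= sizeof(struct frame), so the model itself
   never writes outside the struct. */
static void copy_unchecked(struct frame *f, const unsigned char *src, size_t len)
{
    memcpy((unsigned char *)f, src, len);
}

/* Checked copy: refuses input that does not fit in the buffer. */
static int copy_checked(struct frame *f, const unsigned char *src, size_t len)
{
    if (len > sizeof f->buffer)
        return -1;
    memcpy(f->buffer, src, len);
    return 0;
}

/* Returns 1 if the modelled return address survived a copy of len bytes. */
static int ret_intact(size_t len, int checked)
{
    unsigned char input[sizeof(struct frame)];
    struct frame f = { {0}, RET_ORIGINAL };
    memset(input, 'A', sizeof input);
    if (len > sizeof input)
        len = sizeof input;
    if (checked)
        (void)copy_checked(&f, input, len);
    else
        copy_unchecked(&f, input, len);
    return f.saved_ret == RET_ORIGINAL;
}

int main(void)
{
    printf("fits, unchecked:     %d\n", ret_intact(16, 0));
    printf("too long, unchecked: %d\n", ret_intact(sizeof(struct frame), 0));
    printf("too long, checked:   %d\n", ret_intact(sizeof(struct frame), 1));
    return 0;
}
```

The length check in `copy_checked` is the restriction the programmer left out: the oversized input is rejected before a single byte is written.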

 




 



 

 

The book is thorough with its contents. I couldn’t understand all of it. It’s not because of my English, but because it’s like the book is challenging you to understand it. And I absolutely love it. My only critique is that the chapter parts are too long, which is probably already fixed in the second edition of the book: “Hacking: The Art of Exploitation, Second Edition”.

 

I recommend this book to everyone who wants to delve deeper into computers and how they actually work behind the scenes. I liked this book and I’m thinking of reading the second edition after. I loved how the book has plenty of examples and they are easy to try. Understanding them is a completely different scenario.  

 


Citations:  

Erickson, J. (2003). Hacking: The art of exploitation. No Starch Press.

Tuesday, October 18, 2022

Potential security issues

If you have thought about the security issues your app might have, then this post is for you.



Our company ZeroCorp has started to develop an app which helps students manage time better. Our team just gave a presentation about the backlog, which is basically a list of upcoming tasks. In the presentation I presented our “Motivation System,” which consists of a reward system and a leaderboard system. You might be wondering: how does this have anything to do with security? After presenting, I started wondering about the security aspect of our app. If the security is not good enough, the user could hack as many coins as possible or hack themselves to the top of the leaderboard.
 
After a long time of thinking, I came up with a brilliant solution. I must implement anti-hacking software, or in other words, an anticheat. It is very easy to implement, but making it superior is another huge problem, which could be hard to tackle.

The anticheat is a very simple program that is run alongside the full application. It shouldn’t be possible to notice its existence, hopefully. If the user somehow manages to notice it, then it would be safe to assume that they are cheating or at least going to cheat. The program checks if the user is running any weird software on their computer, like the infamous “Cheat Engine”, which many cheaters have used previously in different games. There’s also a system in place which checks the total amount of coins earned. If that count doesn’t match the experience earned, it will detect the tampering with the app and give a permanent ban.
 
Congratulations on reaching the end. I learned many things while making my software. It’s hard to check if the user is cheating or not because some users might be good and have a tremendous number of coins. Sometimes the user might buy coins, which should be considered. My anticheat is still under development, so it might have multiple problems. I am eager to get the full application to the beta phase, so I could see my little program in action and fix possible issues with it. Thank you and see you in the next post.

Final stretch: The trade fair

Hello again, this will be my last blog post in the ECIP course. The trade fair was stressful at first, but it turned out to be quite fun in ...