As an IT Professional, I most often hear about vulnerabilities being found in software, hardware, or operating systems through patch change logs put out by the company. (Adobe kindly provided us an example with the Reader/Acrobat vulnerability announcement.) The company is able to present their bias in the write-up and also provide a patch at their convenience. The book A Bug Hunter’s Diary by Tobias Klein provided an interesting new look on the situation – from the perspective of the security researcher.
His book is in the format of journal entries to actual bugs he has found and reported to software developers. This isn’t hypothetical “this is how you could search for bugs”, these entries are recollections of bugs painstakingly found and reported. Through its easy reading style, you get to see all the details that go on in the background that make up that one short sentence of credit at the bottom of a patch report.
The paperback A Bug Hunter’s Diary is 8 chapters in 194 pages, which includes an index and appendices that further expand on topics like hints for bug hunting, debugging, and mitigating vulnerabilities. Throughout the writing there are footnotes to further reading if you’d like to expand your knowledge in a particular area. The author uses actual code snippets to illustrate his bug finding endeavors in the software’s source code or even the output of the disassembler. You don’t have to be a programmer to see the points he is illustrating. It’s very clear and direct so there is no noise to get confused with.
Each chapter covers a different bug that Mr. Klein found in various software packages. They include:
- FFmpeg (multimedia library used in many other software packages)
- WebEx’s ActiveX control
- Windows driver for Avast!
- Mac OSX
- iOS on First-gen iPhone
The book explains various approaches to bug hunting like static analysis (reading the source code or disassembly) and dynamic analysis (fuzzing). Most interesting to me, I enjoyed the parts of each chapter where the author explained the follow up to disclosing the bug (coordinated disclosure with the developers or through a vulnerability broker). I’ve written about disclosure controversy before and even Microsoft has adopted the term ‘coordinated disclosure’ over ‘responsible disclosure’ since the old term implied that all other methods were ‘irresponsible disclosure’. At the end of each chapter or journal entry, the author includes a little timeline timestamping when he found the bug, when he reported it, and when a patch was released. Sometimes that can all happen surprisingly quick or take surprisingly long.
Not all exploits are found for evil reasons. Some security researchers do it for fun, some for profit, and some do it just to save the world. A Bug Hunter’s Diary by Tobias Klein from No Starch Press was a quick, easy read that was also incredibly informative. It was a pleasure to read and gain the insight of a security researcher’s world. I highly recommend it to any IT professional, especially those that are getting exhausted from endless patching and security updates.