Subakva Teknika

Book Review: A Bug Hunter's Diary by Tobias Klein; O'Reilly Media


Summary

A Bug Hunter’s Diary walks through the technical details of how the author found and analyzed a series of software security bugs. It stops short of exploiting them because, as the author points out at the end of every chapter, it’s illegal to publish working exploits in Germany.

I expected a light treatment based on the cute title and cover, but it was mostly C code, debuggers and assembly. I was a little out of my element, but it was interesting. The appendices explaining how stack overflows and similar bugs occur, and (roughly) how they can be exploited, were helpful and interesting. The bug diaries were a little repetitive, but they at least covered a range of platforms.

Other Notes

The book is missing one major piece of the puzzle: the details of exploiting the bugs it finds. After all the work of understanding a bug and its details, it was always a bit of a letdown when there was no working exploit as the payoff. According to the author, his home country, Germany, passed a law making it illegal to publish exploits for bugs. Given how easy it is to find that information on the internet, I’d guess that the single major effect of that law is to make this book less useful, which is a real shame.

In addition to the technical details, the author outlines the process of reporting and resolving each bug. It was interesting to see that the commercial software vendors seemed to be consistently orders of magnitude slower than the open-source projects in releasing patches for security issues. I suppose one could argue that this means open-source software is safer, but at the end of the day it’s always up to the end user to keep their software updated and patched.

Bottom Line

You’ll need some understanding of assembly, C, and how memory allocation works. With that background, the book, and a bit of Googling to learn more about how the exploits work, it makes for a solid, entertaining overview of the life cycle of a security bug.