After an extended delay, we’ve finally reviewed our next book for #TripwireBookClub. This time around, we looked at Practical Binary Analysis written by Dennis Andriesse and published by No Starch Press.
This book is a deep dive into binary analysis, and I think that it’s best just to quote the opening paragraph of the book’s preface: “Binary analysis is one of the most fascinating and challenging topics in hacking and computer science. It’s also one of the most difficult to learn, and this is in no small part because of the lack of available information on the subject.” I couldn’t agree more with this statement. I wish that a book like this had been available when I was getting into computer security. It fills in a lot of the missing pieces of information.
Here’s what others in #TripwireBookClub had to say about this book:
Practical Binary Analysis by Dennis Andriesse explores several topics of binary analysis. Andriesse created a book full of details and allows the reader to follow along with examples. The book starts readers off with an explanation of the ELF format by describing the header and the fields within the header. Readers then will learn about the PE format and some of the differences between the ELF format and the PE format. In chapter four of the book, Andriesse demonstrates the ability to create a binary loader by using the binary file descriptor library. This book covers many aspects of binary analysis and allows a reader to determine the differences between certain analysis methods as well as the benefits of dynamic disassembly over static disassembly. The binary analysis techniques covered in this book are binary instrumentation, dynamic taint analysis, and symbolic execution. This book is definitely worth a read.
– Andrew Swoboda, Senior Security Researcher, Tripwire
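The ELF header walk that Andrew describes (chapter 2 of the book) is easy to make concrete. The following is an added example written for this review, not code from the book or from the reviewer: it decodes a 64-bit ELF header with Python's `struct` module, names the `e_type` and `e_machine` values, and runs the consistency checks an analyst wants before trusting the header (table sizes, and whether the program and section header tables actually fit inside the file). The sample header is constructed inline; the field layout and constants are those of the public ELF specification.

```python
import struct

ELF_MAGIC = b"\x7fELF"
ELFCLASS64 = 2
ELFDATA2LSB, ELFDATA2MSB = 1, 2

# Elf64_Ehdr fields that follow the 16-byte e_ident array, in file order.
EHDR_FIELDS = ("e_type", "e_machine", "e_version", "e_entry", "e_phoff",
               "e_shoff", "e_flags", "e_ehsize", "e_phentsize", "e_phnum",
               "e_shentsize", "e_shnum", "e_shstrndx")
EHDR_BODY_FMT = "HHIQQQIHHHHHH"                       # 48 bytes, endianness prefix added per file
ELF64_EHDR_SIZE = 16 + struct.calcsize("<" + EHDR_BODY_FMT)  # 64
SIZEOF_ELF64_PHDR, SIZEOF_ELF64_SHDR = 56, 64

E_TYPE = {0: "ET_NONE", 1: "ET_REL", 2: "ET_EXEC", 3: "ET_DYN", 4: "ET_CORE"}
E_MACHINE = {3: "EM_386", 40: "EM_ARM", 62: "EM_X86_64", 183: "EM_AARCH64"}


def parse_elf64_header(data: bytes) -> dict:
    """Decode the Elf64_Ehdr at the start of a file image into a dict."""
    if len(data) < ELF64_EHDR_SIZE:
        raise ValueError("file too short to hold an ELF64 header")
    if data[:4] != ELF_MAGIC:
        raise ValueError("missing ELF magic")
    if data[4] != ELFCLASS64:
        raise ValueError("not an ELFCLASS64 object")
    endian = {ELFDATA2LSB: "<", ELFDATA2MSB: ">"}.get(data[5])
    if endian is None:
        raise ValueError("unknown EI_DATA value %d" % data[5])
    values = struct.unpack(endian + EHDR_BODY_FMT, data[16:ELF64_EHDR_SIZE])
    hdr = dict(zip(EHDR_FIELDS, values))
    hdr["endian"] = "little" if endian == "<" else "big"
    hdr["e_type_name"] = E_TYPE.get(hdr["e_type"], "unknown(%d)" % hdr["e_type"])
    hdr["e_machine_name"] = E_MACHINE.get(hdr["e_machine"], "unknown(%d)" % hdr["e_machine"])
    return hdr


def check_header(hdr: dict, file_size: int) -> list:
    """Sanity checks a loader or disassembler should make before trusting the header.
    Returns a list of warning strings; an empty list means the header is self-consistent."""
    warnings = []
    if hdr["e_ehsize"] != ELF64_EHDR_SIZE:
        warnings.append("e_ehsize is %d, expected %d" % (hdr["e_ehsize"], ELF64_EHDR_SIZE))
    if hdr["e_phnum"] and hdr["e_phentsize"] != SIZEOF_ELF64_PHDR:
        warnings.append("e_phentsize %d != sizeof(Elf64_Phdr)" % hdr["e_phentsize"])
    if hdr["e_shnum"] and hdr["e_shentsize"] != SIZEOF_ELF64_SHDR:
        warnings.append("e_shentsize %d != sizeof(Elf64_Shdr)" % hdr["e_shentsize"])
    ph_end = hdr["e_phoff"] + hdr["e_phnum"] * hdr["e_phentsize"]
    if hdr["e_phnum"] and ph_end > file_size:
        warnings.append("program header table ends at %d, past EOF (%d)" % (ph_end, file_size))
    sh_end = hdr["e_shoff"] + hdr["e_shnum"] * hdr["e_shentsize"]
    if hdr["e_shnum"] and sh_end > file_size:
        warnings.append("section header table ends at %d, past EOF (%d)" % (sh_end, file_size))
    if hdr["e_shnum"] and hdr["e_shstrndx"] >= hdr["e_shnum"]:
        warnings.append("e_shstrndx %d out of range" % hdr["e_shstrndx"])
    return warnings


def build_sample_header() -> bytes:
    """Constructed sample: a little-endian x86-64 ET_DYN header with plausible offsets."""
    e_ident = ELF_MAGIC + bytes([ELFCLASS64, ELFDATA2LSB, 1, 0]) + bytes(8)
    body = struct.pack("<" + EHDR_BODY_FMT,
                       3, 62, 1, 0x1040,         # ET_DYN, EM_X86_64, EV_CURRENT, e_entry
                       64, 0x3000, 0,            # e_phoff, e_shoff, e_flags
                       64, 56, 11, 64, 29, 28)   # ehsize, phentsize, phnum, shentsize, shnum, shstrndx
    return e_ident + body


if __name__ == "__main__":
    sample = build_sample_header()
    h = parse_elf64_header(sample)
    print("%s %s entry=%#x phnum=%d shnum=%d" % (h["e_type_name"], h["e_machine_name"],
                                                h["e_entry"], h["e_phnum"], h["e_shnum"]))
    # A header claiming section tables beyond the end of the file is a common sign
    # of a truncated, stripped or deliberately mangled binary.
    print(check_header(h, 4096))
```

To run it against a real file, read the first 64 bytes with `open(path, "rb").read(64)` and pass `os.path.getsize(path)` to `check_header`; the section-table check is the one most often tripped by samples that have had their section headers stripped or corrupted to confuse tools.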
There was a lot of great information on a wide array of topics, and for that, I cannot rate this book any less than 3 out of 5. Unfortunately, I felt that some of the examples were poorly selected and ultimately detracted from the value of the book. A great example of this is chapter 10 (Principles of Dynamic Taint Analysis) in which the author gives the example ‘10.3 Using DTA to Detect the Heartbleed Bug.’ This is a very intriguing section heading, and it gets more interesting as the author explains that we can use DTA (dynamic taint analysis) in practice “to detect the Heartbleed vulnerability in OpenSSL.” It continued to explain how it is possible to taint the server’s private key and then instrument the send functions to recognize if this memory is sent to the network. This is what was meant by detecting Heartbleed: not discovery of the vulnerability within the binary but rather detection of someone exploiting Heartbleed and managing to recover part of the secret key. From a ‘practical’ perspective, this falls very short since (as the author noted) nobody is going to use this type of instrumented binary in a production system where it might actually be attacked.
Although it is clear that the author has a very strong grasp of the material, this book lost points with me because it is called Practical Binary Analysis. I found it was rather light in terms of showing concrete practical applications of the binary analysis techniques it presents.
– Craig Young, Principal Security Researcher, Tripwire
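The DTA setup Craig summarizes (taint the private key at its source, propagate taint through copies, check at the `send` sink) is small enough to model end to end. The following is an added example written for this review, not the book's code and not OpenSSL: a flat memory with one shadow taint bit per byte, a `memcpy` hook that propagates labels, and an instrumented `send` that alerts when any tainted byte is about to leave the process. The echo handler, memory layout and placeholder key are constructed; a real DTA tool would hook the actual libc calls inside the running process rather than simulate them.

```python
# Toy dynamic taint analysis: shadow memory, a taint source (the key), taint
# propagation on memcpy, and a taint sink (send). Constructed model only.

class TaintLeak(Exception):
    """Raised when the instrumented send() sees key-derived bytes."""


class TaintedMemory:
    def __init__(self, size):
        self.mem = bytearray(size)
        self.taint = bytearray(size)  # 0 = clean, 1 = derived from the secret

    def write(self, addr, data, tainted=False):
        """Store bytes; writing the key with tainted=True is the taint source."""
        self.mem[addr:addr + len(data)] = data
        self.taint[addr:addr + len(data)] = bytes([int(tainted)]) * len(data)

    def memcpy(self, dst, src, n):
        """Copy bytes and propagate their taint labels byte for byte."""
        self.mem[dst:dst + n] = self.mem[src:src + n]
        self.taint[dst:dst + n] = self.taint[src:src + n]

    def tainted_ranges(self, addr, n):
        """Half-open [start, end) address ranges of tainted bytes in a buffer."""
        ranges, start = [], None
        for i in range(addr, addr + n):
            if self.taint[i] and start is None:
                start = i
            elif not self.taint[i] and start is not None:
                ranges.append((start, i))
                start = None
        if start is not None:
            ranges.append((start, addr + n))
        return ranges


def instrumented_send(mem, addr, n, alerts):
    """Network sink: refuse to transmit any byte derived from the key."""
    leaked = mem.tainted_ranges(addr, n)
    if leaked:
        alerts.append({"sink": "send", "buf": addr, "len": n, "tainted": leaked})
        raise TaintLeak("send() would transmit %d tainted byte(s)"
                        % sum(end - start for start, end in leaked))
    return bytes(mem.mem[addr:addr + n])


# Constructed layout: request payload at 0, private key at 64, reply buffer at 128.
REQ_ADDR, KEY_ADDR, REPLY_ADDR, MEM_SIZE = 0, 64, 128, 256
REQ_PAYLOAD = b"hello echo srv!!"          # 16 bytes of client-supplied data
FAKE_KEY = bytes(range(0xA0, 0xC0))        # 32 placeholder key bytes, not a real key


def run_echo(claimed_len, alerts=None):
    """Echo handler that trusts a client-supplied length, the Heartbleed pattern.
    Returns 'sent' when the reply is clean and 'blocked' when the DTA sink stops it."""
    if alerts is None:
        alerts = []
    mem = TaintedMemory(MEM_SIZE)
    mem.write(REQ_ADDR, REQ_PAYLOAD)
    mem.write(KEY_ADDR, FAKE_KEY, tainted=True)    # taint source
    mem.memcpy(REPLY_ADDR, REQ_ADDR, claimed_len)  # unchecked copy: over-reads into the key
    try:
        instrumented_send(mem, REPLY_ADDR, claimed_len, alerts)
        return "sent"
    except TaintLeak:
        return "blocked"


if __name__ == "__main__":
    log = []
    print(run_echo(len(REQ_PAYLOAD)), run_echo(100, log))
    print(log)
```

The model makes Craig's point visible: the sink fires only when an over-read actually reaches `send`, so it detects exploitation at run time, not the bug itself. It also shows the usual DTA caveats in miniature: taint here propagates only through copies, so a real tool must also handle arithmetic and control-flow dependencies, and the per-byte shadow memory and hooked libc calls are exactly the overhead that keeps such builds out of production.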
I recently finished reading the book Practical Binary Analysis written by Dennis Andriesse. If you ever want to know just about every aspect of binary analysis, then this is a book for you. Be forewarned, however; this book is not one of those books you’ll want to read before bed at night. The book is very technical, and you’ll want to tinker with the code and tools Dennis describes as you read the book.
My favorite part of the book was chapter 5. In this chapter, titled ‘Basic Binary Analysis in Linux,’ Dennis introduces various tools and techniques such as using ldd to explore dependencies, using xxd to view binary file contents, using tools to parse files, using tools to trace system calls and using gdb. The reason I like the chapter so much is because of how the tools were illustrated. Particularly, Dennis introduced the tools and how they work based on a Capture the Flag (CTF) challenge. This was a really cool way to illustrate how to use these tools in a real-world scenario, and it made for some very enjoyable reading.
Overall, I highly recommend this book—it has certainly gained a spot in the reference book section of my personal library.
– Lane Thames, Senior Security Researcher, Tripwire
Overall, I had a positive experience with Practical Binary Analysis by Dennis Andriesse. This book reads like a workshop that teaches readers what tools exist for both Linux and Windows and how to string them together to write tools for reverse engineering binaries.
It is nice having this material in a textbook format. When I took a college course covering this material, a textbook like this did not exist, but it would have been super helpful. Our professor taught us that many of the tools covered in this book exist and when they are practical, but Dennis does a thorough job explaining how to use these tools and how to make your own tools, which you can gear towards specific applications. And he backs up his methods with examples and exercises.
Even though the exercises in this book are written in C, I think they could easily be applied to whatever language you would like to work with. Many of the tools that Dennis talks about using to make your own tools are commonly wrapped or reimplemented in other languages. For example, libbfd is wrapped in the Python module pybfd.
This book is fairly new, so I cannot know for sure how it will hold up in 10 years, but I think that if you are well versed in programming, this book will still teach you a good approach at tackling many problems with binary analysis.
– John Skandalakis, Software Engineer, Tripwire
Overall #TripwireBookClub Rating: 4.25/5
At this time, we have no additional reviews planned for #TripwireBookClub. If there’s a book you’d like us to review, let us know by tweeting @tripwireInc.