Network Computing is part of the Informa Tech Division of Informa PLC


How Do Real Bad Guys Break Software?

Most of the people attacking our computer systems today are software people. While script kiddies are part of the problem, the real threat comes from those who use hard-core software tools to take apart programs, write malicious code, and create the attacks that exploit our software.

In this column, we'll focus our attention on attack tools that require a copy of the target software. We're not really limiting ourselves by this constraint, however. Today, we have copies of all kinds of targets that can be exploited, from the OS running on our laptops (the binaries are all there) to the ubiquitous Web server software that can be downloaded for free. Real attackers usually get a copy of their target into the lab, where they wield various surgical tools to dissect it.

Attackers have a well-developed toolkit, with components that run the gamut from standard analysis and testing tools to rootkits and payload collections with no other legitimate use. (We'll look at rootkits and payload collections in another column.)

The first and most important category of these tools works against binary executables. Disassemblers turn machine code back into readable assembly; decompilers go a step further and try to reconstruct something resembling the original high-level source. Both let humans understand and analyze target binary code, which means that despite the occasional "big security story" about source code finding its way onto the Internet, source code isn't required to exploit software. Source makes an attacker's job easier, but it is in no way a necessity: the binary still carries the program's control flow, its string literals and (unless it has been stripped) its symbol names. Most attackers use disassemblers and decompilers in concert with other tools that feed inputs to the target, watch what happens, and take things apart as necessary.
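As an added illustration of what the binary alone gives away (this is example code written for this edit, not code from the column), the C program below builds a tiny, well-formed ELF64 image in memory, walks its section-header table the way readelf or objdump would, and pulls the string literals out of .rodata. The section contents are constructed for the example, including a made-up hard-coded credential; the minimum run length of 4 matches the default of the strings utility. It relies on the Linux/glibc elf.h header.

```c
#include <elf.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed .rodata contents, the sort of thing a compiler emits for a
 * hard-coded credential check and a usage banner. Not from any real program. */
static const char RODATA[] = "backdoor-2003\0Usage: srv [port]\0\x01\x02\x03ok\0";

/* Section-name string table: index 1 = ".rodata", index 9 = ".shstrtab". */
static const char SHSTRTAB[] = "\0.rodata\0.shstrtab";

/* Build a minimal ELF64 image with three section headers:
 * [0] null, [1] .rodata, [2] .shstrtab. Returns the image size, 0 on error. */
size_t build_image(unsigned char *buf, size_t cap) {
    Elf64_Ehdr eh;
    memset(&eh, 0, sizeof eh);
    memcpy(eh.e_ident, ELFMAG, SELFMAG);
    eh.e_ident[EI_CLASS] = ELFCLASS64;
    eh.e_ident[EI_DATA] = ELFDATA2LSB;
    eh.e_ident[EI_VERSION] = EV_CURRENT;
    eh.e_type = ET_EXEC;
    eh.e_machine = EM_X86_64;
    eh.e_version = EV_CURRENT;
    eh.e_ehsize = sizeof eh;
    eh.e_shentsize = sizeof(Elf64_Shdr);
    eh.e_shnum = 3;
    eh.e_shstrndx = 2;

    size_t rodata_off = sizeof eh;
    size_t shstr_off = rodata_off + sizeof RODATA;
    size_t sh_off = (shstr_off + sizeof SHSTRTAB + 7) & ~(size_t)7; /* 8-align */
    eh.e_shoff = sh_off;
    size_t total = sh_off + 3 * sizeof(Elf64_Shdr);
    if (total > cap) return 0;

    memset(buf, 0, total);
    memcpy(buf, &eh, sizeof eh);
    memcpy(buf + rodata_off, RODATA, sizeof RODATA);
    memcpy(buf + shstr_off, SHSTRTAB, sizeof SHSTRTAB);

    Elf64_Shdr sh[3];
    memset(sh, 0, sizeof sh);
    sh[1].sh_name = 1;  sh[1].sh_type = SHT_PROGBITS; sh[1].sh_flags = SHF_ALLOC;
    sh[1].sh_offset = rodata_off; sh[1].sh_size = sizeof RODATA;
    sh[2].sh_name = 9;  sh[2].sh_type = SHT_STRTAB;
    sh[2].sh_offset = shstr_off;  sh[2].sh_size = sizeof SHSTRTAB;
    memcpy(buf + sh_off, sh, sizeof sh);
    return total;
}

/* Locate a section by name the way readelf does: validate the header, walk
 * the section-header table and resolve names through e_shstrndx. Every
 * offset is bounds-checked against the image, since a hostile binary can
 * lie in its headers. Returns NULL if absent or malformed. */
static const Elf64_Shdr *find_section(const unsigned char *img, size_t len, const char *want) {
    if (len < sizeof(Elf64_Ehdr)) return NULL;
    const Elf64_Ehdr *eh = (const Elf64_Ehdr *)img;
    if (memcmp(eh->e_ident, ELFMAG, SELFMAG) != 0 || eh->e_ident[EI_CLASS] != ELFCLASS64) return NULL;
    if (eh->e_shoff + (size_t)eh->e_shnum * sizeof(Elf64_Shdr) > len) return NULL;
    if (eh->e_shstrndx >= eh->e_shnum) return NULL;
    const Elf64_Shdr *sh = (const Elf64_Shdr *)(img + eh->e_shoff);
    const Elf64_Shdr *names = &sh[eh->e_shstrndx];
    if (names->sh_offset + names->sh_size > len) return NULL;
    for (unsigned i = 0; i < eh->e_shnum; i++) {
        if (sh[i].sh_name >= names->sh_size) continue;
        const char *n = (const char *)img + names->sh_offset + sh[i].sh_name;
        if (strncmp(n, want, names->sh_size - sh[i].sh_name) == 0) return &sh[i];
    }
    return NULL;
}

/* Pull printable runs of at least minlen bytes out of one section, like
 * `strings -n 4` restricted to .rodata. Returns the count stored, -1 on error. */
int extract_strings(const unsigned char *img, size_t len, const char *section,
                    char out[][64], int max, int minlen) {
    const Elf64_Shdr *s = find_section(img, len, section);
    if (!s || s->sh_offset + s->sh_size > len) return -1;
    const unsigned char *p = img + s->sh_offset, *end = p + s->sh_size;
    int n = 0;
    size_t run = 0;
    char cur[64];
    for (; p <= end && n < max; p++) {               /* p == end flushes the last run */
        int printable = p < end && *p >= 0x20 && *p < 0x7f;
        if (printable) { if (run < sizeof cur - 1) cur[run++] = (char)*p; continue; }
        if (run >= (size_t)minlen) { cur[run] = '\0'; strcpy(out[n++], cur); }
        run = 0;
    }
    return n;
}

/* Build the constructed image and scan its .rodata; returns strings found. */
int demo_rodata_strings(char out[][64], int max) {
    static _Alignas(Elf64_Ehdr) unsigned char img[512];
    size_t len = build_image(img, sizeof img);
    if (len == 0) return -1;
    return extract_strings(img, len, ".rodata", out, max, 4);
}

int main(void) {
    char found[8][64];
    int n = demo_rodata_strings(found, 8);
    for (int i = 0; i < n; i++) printf(".rodata string: %s\n", found[i]);
    return n < 0;
}
```

The two-byte "ok" never surfaces because it is below the length threshold, which is also why real triage lowers the threshold or searches .rodata directly when looking for short tokens. A disassembler decodes .text and a decompiler rebuilds control flow from it, but a hard-coded string like the one above falls out before either step.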

Debuggers also make excellent tools for understanding how programs actually behave. The ones attackers favor are kernel-level debuggers, which sit beneath the operating system rather than inside the target process: they can follow a program across the boundary into system calls and driver code, and the user-mode anti-debugging checks that look for an attached debugger don't see them. (System-call tracers such as strace cover the narrower job of logging every call a program makes to the OS.) With either, the target can be meticulously observed, stopped, single-stepped, altered in memory and resumed, all while it is running; genuinely rewinding execution is only possible with record-and-replay debuggers, which remain the exception.
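To make the stop, inspect, modify and resume loop concrete, here is an added example (not code from the column) that plays both roles on Linux using the ptrace interface that user-mode debuggers such as gdb are built on. The parent forks a child that submits to tracing and pauses; the parent reads the child's variable with PTRACE_PEEKDATA, overwrites it with PTRACE_POKEDATA, resumes the child and observes that its exit status now reflects the patched value. The variable g_answer, its starting value of 1 and the patch value 42 are assumptions of the example. It needs ptrace permission, which some sandboxes and already-traced processes deny.

```c
#include <errno.h>
#include <signal.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/ptrace.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* State of the "target" (constructed for this example). Global so that,
 * after fork(), the child's copy lives at the address the tracer knows;
 * volatile so the exit code below is read back from memory after the
 * tracer may have overwritten it. */
static volatile long g_answer = 1;

/* The target: submit to tracing, pause, then exit with whatever g_answer holds. */
static void traced_target(void) {
    if (ptrace(PTRACE_TRACEME, 0, NULL, NULL) == -1)
        _exit(100);            /* already traced, or ptrace not permitted */
    raise(SIGSTOP);            /* signal-delivery-stop: the tracer gets control */
    _exit((int)(g_answer & 0x7f));
}

/* The "debugger": fork the target, wait for it to stop, read its variable,
 * optionally overwrite it, resume it and report its exit code.
 * patched < 0 means observe only. A negative return identifies the failed stage. */
long run_traced_demo(long patched) {
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) traced_target();            /* never returns */

    int status;
    if (waitpid(pid, &status, 0) == -1) return -2;
    if (!WIFSTOPPED(status)) return -3;       /* PTRACE_TRACEME failed in the child */

    void *addr = (void *)(uintptr_t)&g_answer;
    errno = 0;
    long seen = ptrace(PTRACE_PEEKDATA, pid, addr, NULL);
    if (seen == -1 && errno != 0) return -4;
    if (seen != 1) return -5;                 /* sanity: child still holds the original */

    if (patched >= 0 &&
        ptrace(PTRACE_POKEDATA, pid, addr, (void *)(uintptr_t)patched) == -1)
        return -6;

    /* data == 0: resume without delivering the SIGSTOP we intercepted */
    if (ptrace(PTRACE_CONT, pid, NULL, NULL) == -1) return -7;
    if (waitpid(pid, &status, 0) == -1 || !WIFEXITED(status)) return -8;
    return WEXITSTATUS(status);
}

int main(void) {
    printf("untouched run exits with %ld\n", run_traced_demo(-1));
    printf("after PTRACE_POKEDATA run exits with %ld\n", run_traced_demo(42));
    return 0;
}
```

The child never learns that its variable changed; from its point of view it simply read memory and exited. A kernel-level debugger achieves the same effect from beneath the operating system instead of through this system call, which is why a check for an attached user-mode tracer (PTRACE_TRACEME failing, as the target above tests) does nothing to stop it.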
