Book Review: Java Coding Guidelines

I’m back with another book review. This time I’ll be reviewing Java Coding Guidelines by Fred Long, et al. This is sort of the 2nd edition of The CERT Oracle Secure Coding Standard for Java. I had previously done a review on the “1st edition” and was asked to follow up with a review on this latest edition. I must say, I enjoyed this version much more. It’s substantially shorter, better organized, and to the point.

TL;DR » Java has had a bad rap for security lately (particularly around it’s ancient Applet technology).

Read chapter 1 to learn how to become a more secure Java Developer. Read the remaining chapters to learn how to become a better Java developer overall.

About the Book: Audience, Skill Level, Prerequisites

The subtitle for this book is

"75 Recommendations for Reliable and Secure Program."

It’s an accurate description with one chapter on security and the remaining three chapters on reliability. This book is geared towards professional Java developers and goes through many of the idiosyncrasies of Java that you have to watch out for. Some of those idiosyncrasies can lead to catastrophic bugs and vulnerabilities, others may just lead to many hours of annoying-debugging-only-to-find-out-that-you’ve-done-something-really-really-stupid™ ;). I’d recommend that you’ve had experience programming Java for 1 to 2 years before you read this as anything before that and you might not fully grasp the importance of some of the recommendations.

Thoughts on the book

I think a better name for this book would have been, “How to be a Extremely Paranoid, Secure, and Awesome Java Developer.”

This book is all about dotting your i’s and crossing your t’s. Similar to how I mentioned that the previous edition was like Josh Bloch’s Effective Java, this book is all about teaching you how to a be a better Java developer and how to avoid mistakes that only a seasoned Java developer would know. Given that my day job is being a Software Engineer, programing in Java, I plan to hold on to this book at my desk for a couple of reasons.

  1. Whenever I need to teach a junior developer about “a bad way of doing things,” I can pull out this book and refer them to an example, along with a compliant solution.
  2. I can lend it to junior developers looking to improve and learn more.

Side note: Shout out to the Authors for using Utah (my home state) in their #8 recommendation: Prevent XPath Injection. Come visit and hit the slopes some time ;)

Applicability to Security

Given that the focus of this blog is on computer security, I’ll touch on the security points throughout the book.

Chapter 1 is all about security. Many of the recommendations are general security advice with an example of how they’d apply in Java. There are some interesting recommendations that are more Java specific though.

Recommendation #18: "Do not expose methods that use reduced-security checks to unstrusted code,"

is particularly interesting as this recommendation actually has real applicability. Failure to follow this recommendation resulted in a couple of CVE’s (CVE-2012-4681, CVE-2013-0422).

Outside of the explicit chapter on security, you actually might be amazed at how a seemingly minor bug or action can result in a serious security vulnerability. There are a couple of examples worth mentioning.

Recommendation #46: "Do not serialize direct handles to system resources."

In retrospect, this one seems glaringly obvious, however, I had never given any thought to it. Essentially, if you serialize a Java object, that opens a file, to disk, you can edit the bytes representing the object to change what file is accessed when the file is deserialized. The first thing that comes to mind with this is Minecraft. It’d be interesting to see if anyone has ever leveraged this for exploitation.

The other interesting recommendation is

Recommendation #52: "Avoid in-band error indicators."

At first, this one doesn’t seem like it’s that big of a deal, however, it has resulted in many security vulnerabilities over the years. What it recommends, is to not return values that represent an error, and instead throw an Exception. The reason for this is that calling code often does not check for failing return values resulting in the succeeding code accessing a file or data that may be in an inconsistent state. This type of vulnerability is leftover from the earlier languages like ‘C’ which would return -1 or other negative values to indicate an error.

Conclusion

Overall, great book and easy book to read if you’re familiar with Java. Final rating, 4.5 out of 5. Dustin

Book Review: Practical Malware Analysis

I’ve been dying to get this review out for a while now. There’s so much good and deep content in this book, that reading it on nights after work and weekends took longer than expected! I’ll tell you now that if you’re into computers and computer security, this book won’t let you down. This book is like having your very own personal malware analysis teacher without the expensive training costs.

About the Book

The book material is exhaustingly complete with 21 chapters + appendices covering everything from static analysis, environment setup, x86 assembly to anti-disassembly and anti-virtual machine practices. Total book content, minus lab solutions comes in at an enormous 475 pages (with lab solutions, 732 pages) . Let’s just say that you better be prepared to eat, breathe, and live malware analysis for quite some time.

The skill level for the book is targeted at someone with experience in programming and security although an ambitious beginner should do fine.

My Review & Recommendation

The authors, Michael Sikorski and Andrew Honig, do a great job of teaching the concepts and not just the tools. They want you to develop the skills necessary to think on your own as a malware analyst so that when new techniques come out that aren’t in the book, you’ll have the mental tools to figure out the challenges. Don’t worry though, this book isn’t filled with boring theory like those books you read back in school, the concepts taught have actual practical uses.

Better yet, the book gives you the opportunity to apply the concepts with labs at the end of each chapter. You’ll actually be dissecting “real malware” written by the authors for the purposes of this book.

Equally as awesome is that each lab comes with a “quick solution” and a “detailed solution.” I learn best when I can fight through a tough problem and check with the solution when I’m stuck.

The book is entirely centered around Windows based malware, particularly malware written for Windows XP. This was a good learning experience for me because I’m not familiar with the internal Windows APIs and features. It’d actually be very interesting if the authors included a section on Linux-based and/or Mac-based malware. On that note, I did actually try to run some of the lab malware on Windows 7 32 and 64 bit thinking that it would be no big deal but I received an APPCRASH error every time. I spoke with one of the authors over email and he was very helpful. He said that the malware was designed for Windows XP for teaching purposes that will be revealed when reading the book. With this slight limitation comes some positive: it leaves room for a 2nd edition of the book focused on the newer Vista/7 features as malware becomes more prominent on these machines.

Book content aside, the physical paperback book itself is a pleasant surprise. NoStarch Press is one of my favorite publishers because they use the “lay-flat” type binding (they also published one of my other favorite books: Hacking the Art of Exploitation. You’ll be praising this when you want to set the book down and copy some code.

The book does also come in digital formats. I used a combination of both for the review. You won’t be an expert in malware analysis when you’re done with this book but it sure as hell will give you the information you need to get there.

This book is broad, covering a ton of topics. Each Chapter could have likely been a book in and of itself. As I’ve said in a previous post, this book will become the de facto standard for learning about malware analysis.

Thanks to No Starch Press for the review copy, this book is awesome!

Book Review: Malware Analyst's Cookbook and DVD

Here is my book review of the Malware Analyst’s Cookbook and DVD: Tools and Techniques for Fighting Malicious Code by Michael Hale Ligh, Steven Adair, Blake Hartstein, and Matthew Richard.

About the Book

The book is a huge compilation of short how-to articles called recipes on the “tools and techniques for fighting malicious code.” In addition, the book comes with a number of very useful custom written tools for automating or speeding up the process. The book is divided into several chapters which specialize on a specific topic. Some of the book’s topics include: Honeypots, Malware Classification, Malware Labs, Malware Forensics, Debugging Malware, Kernel Debugging, Memory Forensics (4 chapters of this)

Initial Impression

I had very high expectations for this book based on the fact that there aren’t many books out there on this subject and it’s something I’m particularly interested in. When I first received the book, I was pleasantly surprised at the literal size and the amount of content: this book is LOADED with information coming in at right close to 700 pages! A quick flip through the book told me that this book covers everything from very basic topics (e.g. using dig) to very advance topics (e.g. kernel debugging). I couldn’t wait to start the book!

The Audience/Skill Level

In the introductory part of the book, it has a small break down of “Who Should Read This Book.” Generally, I would sum it up as anyone and everyone that is interested in security would find this book interesting and entertaining. The book supports a wide range of skills levels from beginners to advanced. A basic knowledge of C/C++ and some Windows API’s is helpful but not required. Likewise, a basic knowledge of Python is not required but would help if you’d like to better understand the scripts that the book provides.

The Book

This isn’t your typical “take-a-seat-and-read” type book. Get your laptop, your desktop, and even some old machines and be prepared to dive right in.

The book focuses mainly on investigating Windows-based malware using tools mainly on Unix/Linux-based OS’es (Ubuntu, Mac OS X, etc) but there are some equivalent Windows based tools which the authors mention if available.

The recipe style of the book makes it very flexible to read and supports a wide range of audiences without confusing the newcomers and boring the advanced. Each recipe is self contained, well written, and easy to read. If you’re not interested in a specific recipe, you can never read it and you’ll have no problems following along in the rest of the book. Where applicable, a recipe provides links to additional information if you would like to take a deeper dive on the topic.

There are basically two approaches to reading this book.

  1. If you’re new to malware analysis, you can start from the beginning and progress to the end, skipping anything you already know or are not interested in, just like you would with any other book.
  2. The other approach would to be use the book as a shelf reference using the table of contents and index to search for what you’re trying to do. The progression of the book is from basic to advanced, so if you’re intermediate or advanced, you can easily skip to the later sections right from the beginning, although in my case I did find some new information, tips, and tools in the basic section that I wasn’t aware of so the basic sections may be worth a quick skim.

The included DVD does prove to be useful unlike other books, not just for following along and understanding a concept, but more importantly, it contains a number of custom Python scripts all geared towards improving and easing your malware analysis. You can easily add these scripts to your toolkits.

No book review would be complete without listing some of it’s downsides. Luckily for this book, there are very few downsides. The first downside is completely unrelated to the content and has to do with the actual book itself. The soft cover binding of the book is somewhat cheap and wears pretty quickly due to the size and weight of the book. A hardcover edition with a solid, strong binding would be a great enhancement. The other downside has to do with the content. While I think the authors make a great effort to minimize the specifics of a tool and focus more generally on the purpose of the tool, there are a few sections of the book which might get outdated quickly if a tool changes. However, I think this is the nature of the beast with technical books so it shouldn’t be something to worry about or prevent you from buying the book!

The Punchline

Whatever topic it is your looking for related to analyzing malware, with The Malware Analyst’s Cookbook: “There’s a recipe for that.”

Interested in analyzing the memory of a rootkit? There’s a recipe for that!

Interested in setting up a malware lab? There’s a recipe for that!

All in all, I would highly recommend this book to anyone interested in security as well as those who want to learn more about malware analysis. I’d also highly recommend this book to professionals in the security field - keep a copy of this book right next to your computer, I guarantee you’ll find it useful!