When I first decided to start a blog, I never did think that book reviews would appear on it. However, after reading part of the second edition of the critically acclaimed book titled “Hacking: The Art of Exploitation” by Jon Erickson, I decided that I should weigh in on it here. Those thinking of whether or not they should buy the book may want to know as many details about the book as possible, and so I decided to write an entry here in which I would give my opinions of this book. I have read many reviews of this book, and nearly all of them were positive. In this review, I will attempt to avoid stating what has already been stated many times about this book. In addition, this review will be somewhat unusual, in that it is a review that covers only the first two chapters of the book. In one review of the first edition of this book, it was said that this book was recommended for the programming section of it alone. And as I found it difficult to put off saying what I wanted to say about this book after reading this first part of the book (which included this section on programming) I decided to write this review of this part of the book.
I should begin by noting that as you may have assumed, I have knowledge of the C programming language. I also had prior knowledge of some of the concepts mentioned in this section of the book, and reading about these concepts refreshed my memory about them. This book, however, assumes no prior knowledge of programming in any language at all, as it describes the concept of programming at first. Then the fundamentals of programming with C are explained. These concepts are covered in much detail, and the explanations of them are quite lucid. I believe that individuals new to the concept of programming would find that the explanations of these fundamentals are given about as well as they can be given.
Many of those who will read this book may already have knowledge of C, and those individuals can skip reading several of the first pages of the book. These individuals will want to skip ahead to where what actually happens when code is compiled is described, as that is where the more advanced concepts that are the basis for later sections of the book are described. When readers see the disassembly of the source code and other information that can be viewed via the GNU debugger, they will truly begin to understand what happens when code is compiled. Many books on C do not cover material such as this. One may not need to know what is done with C code after it is compiled in order to write C code correctly. However, the importance of not viewing programs written in C as a series of statements written in C is noted in this book. Many hackers take advantage of the fact that many programmers see C code as the instructions executed by the computer, when it is the machine language that is ultimately derived from that C code that actually is executed. And this section on programming gives readers an idea of what is actually happening when a program is running. That is what makes this section of the book the introduction to C programming that I wish I had when I first started learning C.
After the obligatory “Hello World” program is given and the assembly code of it is described in detail, concepts about C programming that are beyond the basics are mentioned. And these concepts are not described without giving much information about what goes on “behind the scenes” when code examples illustrating these concepts are described. The reader will see what kind of assembly code is used when a function is called, the importance of the EBP, ESP, and EIP registers, and other details I would have liked to have seen before I started reading this book. I took a course in university titled “Foundations of Sequential Programs” in which it was said by the best professor that I ever had that there would be no mysteries as to what happens when code is compiled after taking that course. In that course, concepts like those taught in the book were taught, although not in C and x86 assembly language. To be able to learn about concepts such as frames on the stack, sections of memory, and what data is stored in certain registers in the context of C and actual x86 assembly language was something that I wanted to do for a long time.
In addition, I liked the way that the book subtly pointed out common errors made by C programmers. As an example, the importance of type casting to avoid a certain “gotcha” in C programming can be seen in a code example. More importantly, the way the book is written rewards the reader for paying attention to detail. There are a number of sentences that include the phrase “as you may have noticed” or something similar after code examples are given. It is noted in the first chapter of the book that hackers tend to fully understand rules and the details about these rules. When one reads through the book, one should pay attention to details such as exactly what is contained in assembly language statements as well as why memory addresses are what they are. One should always be an active reader when trying to learn new material. However, when reading this book on hacking, it is highly important to pay more attention to detail. And the importance of hands-on experience of course, cannot be overemphasized. Therefore, it would not have made much sense for there to not be a CD included with the book with a full Linux environment in which one could experiment and reinforce knowledge of concepts explained in the book.
There were other aspects of the book that I liked. In the example program at the end of the chapter that uses the concepts of C programming that were covered in the chapter on programming is a set of games. In the last blog entry here, I mentioned the “Find the Ace” game and how it illustrates the sometimes counterintuitive concept of conditional probability. Despite the fact that it says in the book incorrectly that the probability of winning when one changes which card to select is 50% (as mentioned in the book errata here) I thought this was interesting. Another game in that program seems to try to illustrate another topic of interest to hackers, which is the birthday paradox, which is important to know about when considering a security issue known as the birthday attack.
Knowledge of hacking begins with much knowledge of fundamental concepts. And this chapter on programming gives lucid and detailed information about those concepts. The first part of the book also teaches why these concepts matter. If more C programmers read this part of the book, there would be fewer security holes in software. This book does well in teaching what hackers need to know and why they need to know the concepts taught in it. This book truly underscores the fact that hacking is what tends to happen when depth and breadth of knowledge meet creativity. And I also consider the programming section alone worth the price I had to pay for the book. I look forward to reading later sections of this book. And I may review these sections at a later time, even though I suggest buying the book for only the section of it that I reviewed.