Exploit Development 01 — Terminology

Milad Kahsari Alhadi
5 min read · May 25, 2018


Everything has a beginning and an end. If you want to learn something, it is always best to start from the basic concepts and principles and then progress to the advanced, more complicated ones.

If instead you start in the middle of a road-map and push on from there, you will probably get stuck later on because of a misunderstanding or a missing fundamental.

When someone decides to learn binary analysis, exploit development or malware analysis on the different platforms, there is a huge amount of material out there, but much of it is not written very carefully.

Most of it explains what the stack and the heap are and then shows a very basic sample of how someone can exploit them, but in a practical environment that information on its own is no longer enough.

Prerequisites of this tutorial

In this series of binary analysis and exploit development articles I want to teach you, and share what I know about, binary analysis and exploit development/writing. Before I start on the practical side, I expect you to know the following things well, because I will not be covering these basics:

  1. Basic OS internals concepts — processes, threads, the kernel, system APIs, …
  2. C, C++, Python and Ruby (for the Metasploit part) programming
  3. Intel (x86/x86-64) and ARM assembly programming

These prerequisites will let you follow everything in this series without struggling. I start the series with terminology and an analysis of the PE file format of Windows and the ELF file format of Linux. After that I will discuss COM programming and other fundamental concepts of operating system internals and system programming.

After reviewing these fundamental operating system and system programming concepts, I will move on to advanced topics and practical exploit development.

I think writing this series will take one or two years, but I have decided to make the articles as self-contained as possible as a tutorial on binary analysis and exploit development. I hope I can do it. If you find these articles useful, you can donate, because it is a huge task.

System Security Terminology

In this section I explain some terminology that we will encounter frequently along the way: for example, what is a vulnerability and what kinds of vulnerabilities exist in software and hardware? What is exploit code, and what types of exploit code are available to us?

What is a Vulnerability? A vulnerability is a weakness in the software or hardware of a computer system that allows an attacker to break into or compromise the system’s security. Not every bug is a vulnerability: a bug becomes one when an attacker can reach it and use it to violate a security property such as confidentiality, integrity or availability.

What is a CVE? The Common Vulnerabilities and Exposures (CVE) system provides a reference method for publicly known information-security vulnerabilities and exposures: each entry gets an identifier of the form CVE-<year>-<sequence number> so that vendors, scanners and researchers can refer to the same issue unambiguously. The Security Content Automation Protocol (SCAP) uses CVE, and CVE IDs are listed on MITRE’s system as well as in the US National Vulnerability Database (NVD).

What is CVSS? The Common Vulnerability Scoring System (CVSS) is a free and open industry standard for assessing the severity of computer system security vulnerabilities. It assigns a score from 0.0 to 10.0 computed from a set of base metrics (attack vector, attack complexity, privileges required, user interaction, scope and the confidentiality, integrity and availability impacts), optionally adjusted by temporal and environmental metrics, so that responders can prioritise responses and resources. Keep in mind that CVSS measures the technical severity of a vulnerability, not the likelihood that it will be exploited in your environment, so it is an input to prioritisation rather than a risk score by itself.

What is an Exploit? An exploit is code (or, more generally, a sequence of actions) that takes advantage of a vulnerability to break into or compromise a system’s security.

What is a Payload/Shellcode? The payload is the code that actually runs on the target after the exploit has succeeded. Shellcode is a payload delivered as raw machine code: it is injected into the memory of the vulnerable process and executed directly by the CPU, with no compiler, loader or interpreter involved, which is why it has to be written in machine language (usually hand-written assembly). Because the attacker rarely knows in advance at which address it will land, shellcode is normally written to be position-independent and to avoid bytes (such as NUL) that the vulnerable input path would truncate.

What is an Exploit Mitigation? Techniques that protect systems from things like buffer overflows, heap overwrites and exploit payloads are called exploit mitigations. Typical examples are non-executable memory (DEP/NX), address space layout randomisation (ASLR), stack canaries and control-flow integrity. A mitigation does not remove the underlying bug; it only makes the bug harder to turn into a working exploit, which is why modern exploits usually have to chain several vulnerabilities or information leaks to bypass them.

What is Malicious Software? Malicious software, commonly known as malware, is any software that brings harm to a computer system. Malware comes in the form of worms, viruses, Trojans, spyware, adware, ransomware, bootkits and rootkits, etc., and steals protected data, deletes documents or installs software not approved by the user.

What is a Firewall? Firewall is a network security system that monitors and controls the incoming and outgoing network traffic based on predetermined security rules. A firewall typically establishes a barrier between a trusted, secure internal network and another outside network, such as the Internet, that is assumed not to be secure or trusted.

What is an IDS and IPS? An intrusion detection system (IDS) is a device or software application that monitors a network or systems for malicious activity or policy violations. Any detected activity or violation is typically reported to an administrator or collected centrally using a security information and event management (SIEM) system. Some IDS have the ability to respond to detected intrusions, for example by dropping the offending connection or blocking its source; systems with such response capabilities are typically referred to as intrusion prevention systems (IPS).
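The difference between detecting and preventing is easiest to see on a concrete rule. The following Python snippet is an added example (not part of the original article or of any real IDS product) that runs a simple signature, "five or more failed SSH logins from one source within a minute", over constructed sshd-style log lines; the IP addresses come from the documentation-only ranges 203.0.113.0/24 and 198.51.100.0/24 and the log format and threshold are assumptions for the demonstration.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sshd-style log lines (not real data).
SAMPLE_LOG = """\
2018-05-25T10:00:01 sshd[1201]: Failed password for root from 203.0.113.7 port 51822 ssh2
2018-05-25T10:00:03 sshd[1202]: Failed password for root from 203.0.113.7 port 51823 ssh2
2018-05-25T10:00:04 sshd[1203]: Accepted publickey for alice from 198.51.100.4 port 40112 ssh2
2018-05-25T10:00:06 sshd[1204]: Failed password for admin from 203.0.113.7 port 51824 ssh2
2018-05-25T10:00:07 sshd[1205]: Failed password for invalid user test from 203.0.113.7 port 51825 ssh2
2018-05-25T10:00:09 sshd[1206]: Failed password for root from 203.0.113.7 port 51826 ssh2
2018-05-25T10:00:11 sshd[1207]: Failed password for root from 203.0.113.7 port 51827 ssh2
2018-05-25T10:05:00 sshd[1208]: Failed password for bob from 198.51.100.9 port 40200 ssh2
"""

FAILED_LOGIN = re.compile(
    r"^(?P<ts>\S+) sshd\[\d+\]: Failed password for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<src>\S+) port \d+"
)


def parse_failed_login(line):
    """Return (timestamp, user, source address) for a failed-login line, else None."""
    m = FAILED_LOGIN.match(line)
    if m is None:
        return None
    return datetime.fromisoformat(m["ts"]), m["user"], m["src"]


def detect_bruteforce(log_text, threshold=5, window_seconds=60, prevent=False):
    """Signature: `threshold` or more failed logins from one source inside a sliding window.

    prevent=False behaves like an IDS: every match raises an alert and the source keeps
    being watched. prevent=True behaves like an IPS: the first match also "blocks" the
    source, and its later events are dropped instead of being re-evaluated.
    Returns (alerts, blocked_sources).
    """
    recent = defaultdict(deque)   # source address -> timestamps of recent failures
    blocked = set()
    alerts = []
    for line in log_text.splitlines():
        event = parse_failed_login(line)
        if event is None:          # successful logins and unrelated lines are ignored
            continue
        ts, user, src = event
        if src in blocked:         # IPS mode: traffic from a blocked source never reaches the rule
            continue
        window = recent[src]
        window.append(ts)
        while (ts - window[0]).total_seconds() > window_seconds:
            window.popleft()       # expire failures older than the window
        if len(window) >= threshold:
            alerts.append({
                "rule": "ssh-bruteforce",
                "src": src,
                "count": len(window),
                "first": window[0].isoformat(),
                "last": ts.isoformat(),
                "action": "block" if prevent else "alert",
            })
            if prevent:
                blocked.add(src)
            window.clear()         # one burst produces one alert, not one per extra failure
    return alerts, blocked


if __name__ == "__main__":
    for mode in (False, True):
        alerts, blocked = detect_bruteforce(SAMPLE_LOG, threshold=3, prevent=mode)
        print("IPS" if mode else "IDS", alerts, sorted(blocked))
```

With the default threshold the rule fires once for 203.0.113.7 and never for 198.51.100.9, whose single failure is normal user behaviour. Lowering the threshold to 3 shows the IDS/IPS distinction: in detection mode the same source produces two alerts, one per burst, whereas in prevention mode the first alert blocks the source and the remaining failures are never evaluated. In a real deployment the alerts would be forwarded to the SIEM and the block would be pushed to a firewall rather than kept in a Python set.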

What is a UTM? Unified threat management (UTM), or unified security management (USM), is the evolution of the traditional firewall into an all-inclusive security product able to perform multiple security functions within one single system: network firewalling, network intrusion detection/prevention (IDS/IPS), gateway antivirus (AV), gateway anti-spam, VPN, content filtering, load balancing, data loss prevention and on-appliance reporting.

What is a SIEM? In the field of computer security, security information and event management (SIEM) software products and services combine security information management (SIM) and security event management (SEM). They provide real-time analysis of security alerts generated by network hardware and applications. Vendors sell SIEM as software, as appliances or as managed services; these products are also used to log security data and generate reports for compliance purposes.

In the next article, I will discuss about PE Specification. If you have any ideas and comments about these articles please send your message to m.kahsari@gmail.com.


Written by Milad Kahsari Alhadi

I am founder of Ai000 Cybernetic QLab which is a non-profit research place.
