I originally found all of these links while researching "computer security topics". You can't fully understand or protect against security vulnerabilities without understanding how the underlying system works. I never had a reason to peek so far under the hood before this. I present the following links together for anyone interested. Also, it's nice not to have all of these open in tabs anymore. -- MrGreen
Understanding the Low Level
Linux HeadQuarters: Kernel Module Programming is a collection of links on kernel programming. Most of it is quite obsolete, but there are still things to learn from the links.
The Linux Kernel Module Programming Guide by Peter Jay Salzman (2001) is just what it says. It was written in the days of linux 2.2, but is probably still quite relevant.
Kernel Analysis HOWTO. "This document tries to explain some things about the Linux Kernel, such as the most important components, how they work, and so on. This HOWTO should help prevent the reader from needing to browse all the kernel source files searching for the "right function," declaration, and definition, and then linking each to the other."
- Two well-known books on Linux kernel design:
Weakening the Linux Kernel (Phrack Magazine, Issue 52, article 18, published in 1998) describes how to write a kernel module for root-kitting Linux 2.0. Though the code examples are now obsolete, it gives you an idea of what's possible and what objectives one should strive for in a modern rootkit kernel module.
Low-Level Memory Management
- This series of blog entries by Gustavo Duarte is excellent. I recommend it. The articles include very pretty graphics.
Cache: a place for concealment and safekeeping describes how caches work in modern Intel processors.
Getting Physical With Memory describes the processor interacting with system memory.
Anatomy of a Program in Memory describes the layout of a user-mode program in virtual memory.
How The Kernel Manages Your Memory describes how the kernel sees system memory and manages virtual memory maps for user processes.
Page Cache, the Affair Between Memory and Files describes how the kernel manages memory with respect to disk writes and reads.
What Every Programmer Should Know About Memory by Ulrich Drepper
Outline of the Linux Memory Management System is a detailed description of how the Linux kernel manages memory.
http://linux-mm.org/LinuxMMDocumentation is included here for completeness, but I haven't read much on that wiki yet.
I really need to find a quality explanation for how exactly dynamic linking works. These links give you an idea of how one portion of it works, but are not the complete picture.
Dynamic linking and loading is the manuscript for Chapter 10 of the book Linkers and Loaders by John Levine. This is the best explanation I've found, but there have to be better ones. You may be interested in the rest of the manuscript here.
Program Loading and Dynamic Linking is part of some documentation published by HP, but I failed to discover which document the page is a part of. It targets the Alpha architecture, not x86 or amd64, but the principles should be the same.
Linkers and the ELF format
Understanding ELF using readelf and objdump is not a great article, but it does help out a newb by showing how to use several standard utilities to poke around inside of binaries.
Intel x86 Function-call Conventions (This includes info on windows calling conventions.)
Linux System Call table is a quick reference to the interface between user mode and kernel mode.
I've discovered that one can learn a great deal by trying to break other people's software.
Shame on you if your software has overflowable buffers.
Smashing The Stack For Fun And Profit (Phrack Magazine, issue 49, article 14, published in 1996) is the canonical article on exploiting stack buffer overflows. The technique is quite dated and you'd be exceedingly lucky to find this kind of vulnerability in recent versions of anything.
JPEG COM Marker Processing Vulnerability in Netscape Browsers by Alexander Peslyak a.k.a. Solar Designer is one of the first public announcements of a general heap overflow exploit. He pointed out problems with Netscape's JPEG-handling code that could "allow a malicious web site to execute arbitrary assembly code in the context of the web browser," though not 100% reliably.
Once upon a free()... (Phrack Magazine, issue 57, article 9, published in 2001) is the first in a pair of canonical articles on exploiting heap buffer overflows.
Vudo malloc tricks (Phrack Magazine, issue 57, article 8, published in 2001) is the second in a pair of canonical articles on exploiting heap buffer overflows. This article includes working code to exploit a heap overflow in the then-current version of sudo to execute arbitrary commands as superuser.
Advanced Doug lea's malloc exploits (Phrack Magazine, issue 61, article 6, published in 2003) describes techniques for reliably exploiting processes "without any prior knowledge, even in presence of memory layout randomization schemes."
Exploiting the Wilderness (published in 2004) describes a method of exploiting glibc 2.2-based systems "in situations where an overflowable buffer is contiguous to the wilderness." ("The wilderness" is the top-most chunk in allocated memory.)
The Malloc Maleficarum by Phantasmal Phantasmagoria (published in 2005) describes five new techniques that work around the checks that glibc developers added to fend off the known heap overflow attacks. One attack vector in particular (the so-called House of Mind) remained unpatched for a ridiculously long time, until glibc 2.11 in June, 2009. From the introduction:
- In late 2001, "Vudo Malloc Tricks" and "Once Upon A free()" defined the exploitation of overflowed dynamic memory chunks on Linux. In late 2004, a series of patches to GNU libc malloc implemented over a dozen mandatory integrity assertions, effectively rendering the existing techniques obsolete. It is for this reason, a small suggestion of impossibility, that I present the Malloc Maleficarum.
The House of Mind (.aware eZine Alpha, article 4, published in 2007) provides some source code using the House of Mind technique described in the Malloc Maleficarum. (No working demonstrations were included in the Malloc Maleficarum.)
Yet another free() exploitation technique (Phrack Magazine, issue 66, article 6, published in 2009) describes revised techniques for heap overflow exploits and applies them in real life to vulnerabilities in ClamAV, an antivirus scanner.
How To Run Your Shellcode
Once you have the ability to write sizeof(void*) contiguous bytes anywhere you choose, what should you overwrite?
Return-to-libc attack is the wikipedia article on the subject. It seemed simple enough that I didn't go searching for any more info on it.
Manipulating the .dtors section tells how to manipulate the destructor that is run when the main() function exits.
- Personally, I like the idea of overwriting an entry in the procedure lookup table (PLT) that executes your code the next time a particular shared library function is called.
Super Clever Shit
Writing ia32 alphanumeric shellcodes (Phrack Magazine, Issue 57, article 15) tackles the problem of writing assembly using only the alphanumeric characters [A-Za-z0-9] to bypass sanity filters. It's some hot shit.
Not Computer Topics
EVERYTHING A HACKER NEEDS TO KNOW ABOUT GETTING BUSTED BY THE FEDS (Phrack Magazine, Issue 52, article 05, published in 1998) is a list of legal advice and anecdotes provided by Justin Tanner Petersen a.k.a. Agent Steal with regards to what one should do when one gets caught. Some of the advice itself is undoubtedly wildly outdated by now, considering he was convicted of crimes in the early-to-mid 1990s and went to prison 1995-1998. I list it here because I found it extremely useful for understanding the bravado and attitude that is hackerdom.
Forensics and Anti-Forensics
A paper (here) uses "cold reboots to mount attacks on popular disk encryption systems - BitLocker, FileVault, dm-crypt, and TrueCrypt - using no special devices or materials". The technique takes advantage of the fact that RAM is not as volatile as is commonly thought; data persists for up to several minutes after a loss of power.
Anonymity and Privacy
Use tor where appropriate.
Use public key encryption/signing software, such as gpg, where appropriate. (Remember that email headers are never encrypted or signed, so include enough context in the body that your message cannot be hijacked for other purposes.)
A very disorganized post to Full-disclosure that describes some problems and some solutions for anonymous internet access. The author gets quite paranoid in parts.
Valgrind is a program analysis tool.
Wireshark is a network protocol analyzer.
nmap is everyone's favorite scanner.
tor is for thwarting traffic analysis.
The GNU Privacy Guard is for encrypting and cryptographically signing information.
Schneier on Security is Bruce Schneier's blog.
The Metasploit Framework "is the open source penetration testing framework with the world's largest database of public, tested exploits."
http://www.milw0rm.com/ is an archive of exploits, shellcode, and papers.
http://www.beginningtoseethelight.org/ has some interesting high-quality info.
Phrack Magazine is the longest-running and highest-quality phreaker-turned-hacker electronic magazine out there.
http://www.awarenetwork.org/home/outlaw/ezines/ archives several ezines, but I haven't been through them enough to tell which ones are worth reading.
blackopsecurity.net wiki has some good introductory-level material on being a ninja.