More errata than sendmail
jm February 26th, 2007
A couple of interesting errata, courtesy of Herr Doktor Professor rCs:
- Errata, Unix, Auditing, C/C++
justin December 5th, 2006
I made a very poorly conceived last minute change to the description of object handles on page 632; this mistake can be blamed primarily on a lack of sleep and a broken test environment. Basically, I wrote that you can use NtQuerySystemInformation() to retrieve unnamed object handles with weak permissions. The truth is that permissions don’t apply when duplicating open handles, which I explained properly elsewhere in the chapter. The crux of this error is really that I failed to address the PROCESS_DUP_HANDLE permission and how it prevents exactly that attack vector.
Essentially, duplicating handles between processes requires PROCESS_DUP_HANDLE permissions for both the source and destination processes; otherwise the call to DuplicateHandle() will fail with access denied. This is important to note because having PROCESS_DUP_HANDLE permission for another process allows you to duplicate that process’ pseudo-handle for itself. The resulting handle grants full rights to the target process, including arbitrary manipulation of memory.
In the end, I think we’ve all learned a really valuable lesson about trusting judgment calls when under the influence of deadlines.
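As an added example, not from the post or the book: a PowerShell audit that lists which principals hold PROCESS_DUP_HANDLE on a given process, since the post explains that this right is effectively full control of the process (its pseudo-handle can be duplicated with full rights). It assumes Windows PowerShell 5.1 or later and that the caller can open the target with READ_CONTROL; the function name and the P/Invoke wrapper are this example's own, not anything from the book.

```powershell
# Added example: report who holds PROCESS_DUP_HANDLE on a process.
# The Win32.Proc wrapper and Get-ProcessDupHandleGrants are this example's own names.
Add-Type -Namespace Win32 -Name Proc -MemberDefinition @'
[DllImport("kernel32.dll", SetLastError = true)]
public static extern IntPtr OpenProcess(uint dwDesiredAccess, bool bInheritHandle, uint dwProcessId);
[DllImport("advapi32.dll", SetLastError = true)]
public static extern bool GetKernelObjectSecurity(IntPtr Handle, uint RequestedInformation,
    byte[] pSecurityDescriptor, uint nLength, out uint lpnLengthNeeded);
[DllImport("kernel32.dll", SetLastError = true)]
public static extern bool CloseHandle(IntPtr hObject);
'@

$READ_CONTROL              = 0x00020000   # enough to read the DACL
$DACL_SECURITY_INFORMATION = 0x00000004
$PROCESS_DUP_HANDLE        = 0x00000040   # winnt.h value
$GENERIC_ALL               = 0x10000000   # an unmapped generic-all ACE also implies it

function Get-ProcessDupHandleGrants {
    param([Parameter(Mandatory)][int]$ProcessId)

    $h = [Win32.Proc]::OpenProcess($READ_CONTROL, $false, [uint32]$ProcessId)
    if ($h -eq [IntPtr]::Zero) {
        $err = [System.Runtime.InteropServices.Marshal]::GetLastWin32Error()
        throw "OpenProcess($ProcessId) failed: $([System.ComponentModel.Win32Exception]::new($err).Message)"
    }
    try {
        # First call with a zero-length buffer only reports the size needed.
        [uint32]$needed = 0
        [void][Win32.Proc]::GetKernelObjectSecurity($h, $DACL_SECURITY_INFORMATION, $null, 0, [ref]$needed)
        $buf = New-Object byte[] $needed
        if (-not [Win32.Proc]::GetKernelObjectSecurity($h, $DACL_SECURITY_INFORMATION, $buf, $needed, [ref]$needed)) {
            throw "GetKernelObjectSecurity failed for PID $ProcessId"
        }
    } finally {
        [void][Win32.Proc]::CloseHandle($h)
    }

    # Parse the self-relative security descriptor with the .NET ACL classes.
    $sd = New-Object System.Security.AccessControl.RawSecurityDescriptor($buf, 0)
    $dangerous = $PROCESS_DUP_HANDLE -bor $GENERIC_ALL
    foreach ($ace in $sd.DiscretionaryAcl) {
        if ($ace -is [System.Security.AccessControl.CommonAce] -and
            $ace.AceType -eq [System.Security.AccessControl.AceType]::AccessAllowed -and
            (($ace.AccessMask -band $dangerous) -ne 0)) {
            $name = try { $ace.SecurityIdentifier.Translate([System.Security.Principal.NTAccount]).Value }
                    catch { $ace.SecurityIdentifier.Value }
            [pscustomobject]@{
                ProcessId  = $ProcessId
                Principal  = $name
                AccessMask = ('0x{0:X8}' -f $ace.AccessMask)
            }
        }
    }
}

# Usage: audit the current PowerShell process (any PID the caller can open works).
Get-ProcessDupHandleGrants -ProcessId $PID | Format-Table -AutoSize
```

Any principal other than the process owner, SYSTEM, and administrators showing up in that output can obtain a full-access handle to the process through DuplicateHandle(), which is the attack vector the post describes; that is the condition to look for when reviewing a service's process DACL.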
jm December 5th, 2006
We were blessed with an excellent copy-editor, and we have no idea how she kept her sanity. That said, there were a few things that we should have vetoed her on, but we didn’t. Mostly because we didn’t know any better due to it being our first book. Also, editing this book was a Sisyphean task and we had to pick our battles. Anyway, here’s a quick list of stuff we know is a little off:
- "twos complement" - This should be "two’s complement."
- "UNIX" - We wrote those chapters referring to it as "Unix." We should have stuck to that.
- "Web" - It should be capitalized based on context.
jm December 5th, 2006
So, on page 224, in a note, I wrote:
You might see type conversions referred to as "type coercions" in programming-language literature; the terms are synonymous.
Well, I guess you can tell I got my CS degree from a public school. So, there are two types of type conversions: explicit type conversions and implicit type conversions. Explicit ones are ones that the programmer explicitly invokes, via type-casts. Implicit conversions are the ones that the compiler does behind the scenes to make everything work. "Type coercions" are the implicit type conversions, not the explicit ones, so the above statement is wrong. While it’s rather fun being wrong while stating things authoritatively, I really hope they don’t revoke my ACM privileges. I still haven’t used my free kill.
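To make the distinction concrete in the book's own territory, here is an added C example (not from the book or the post) showing an implicit conversion, i.e. a coercion the compiler inserts, next to an explicit cast the programmer writes, with the security consequence a reviewer cares about. The function names and the MAX_LEN constant are this example's own.

```c
#include <stddef.h>
#include <stdint.h>

#define MAX_LEN 256   /* example's own limit */

/* Implicit conversion (a coercion): `len` is range-checked as an int and then
 * stored into a size_t by plain assignment. The compiler converts it silently,
 * so -1 passes the int comparison and becomes SIZE_MAX. Returns the size a
 * copy routine would be handed; nothing is copied here. */
size_t copy_size_implicit(int len)
{
    if (len > MAX_LEN)
        return 0;        /* -1 > 256 is false: the negative value is accepted */
    size_t n = len;      /* implicit int -> size_t; -1 wraps to SIZE_MAX */
    return n;
}

/* Explicit conversion: negatives are rejected first, and the cast is written
 * by the programmer, so the conversion is a visible, reviewed step. */
size_t copy_size_explicit(int len)
{
    if (len < 0 || len > MAX_LEN)
        return 0;
    return (size_t)len;
}

/* A second coercion, in a comparison: int against size_t promotes the int to
 * size_t under the usual arithmetic conversions. A negative length is rejected
 * here only by accident of those rules, which is why -Wsign-compare flags it. */
int fits_when_compared(int len, size_t cap)
{
    return len < cap;    /* -1 becomes SIZE_MAX, which is never < cap */
}
```

The first function is the shape auditors look for: a signed check guarding an unsigned consumer, with the coercion happening out of sight at the assignment or call boundary rather than in the check itself.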
jm December 3rd, 2006
You might have noticed that Michal Zalewski was one of the most referenced researchers in our book, since he’s basically published something cool with just about every technology we cover. Unfortunately, you also might have noticed that we refer to him throughout the book as Michael Zalewski. Crap. We’re sorry Michal.
In recompense, we’ll now refer to all badass “Michaels” in security as “Michal.” Our apologies in advance to Michal Howard.