Despite the topic the title implies, Designing BSD Rootkits is actually more of an introductory FreeBSD kernel developer's guide than it is a text on operating system security. If you're okay with that, it's a decent -- if somewhat short -- book.
Writing analysis
My initial opinion of Designing BSD Rootkits was that it was inconsistent. The introduction states that the book is aimed at programmers who have an interest in FreeBSD kernel hacking, and that the goal is to enable readers to "theoretically" rewrite the entire FreeBSD operating system from scratch. The back cover says that the point is to teach people how to write and defend against rootkits, and to explore FreeBSD as a side effect. Which is it? As it turns out, it's really more of a method of teaching people how to change and develop FreeBSD by showing how it can be exploited. It's an interesting concept that is not properly communicated through the title.
This is a short book, at 136 pages -- and most of it is code samples or program output. Chapter 1 introduces readers to kernel modules and system calls; chapter 2 talks mostly about how to intercept system calls through call hooking; chapter 3 is about hiding processes and ports through hacking kernel objects; the four-page chapter 4 briefly covers kernel object hooking; chapter 5 outlines kernel memory patching; chapter 6 is about combining the previous five chapters' information to produce a basic rootkit that will bypass host-based intrusion-detection systems, including an example that defeats Tripwire; chapter 7 closes the book by offering advice and tips on how to detect a running rootkit in FreeBSD.
In terms of writing quality, it's hard to gauge Designing BSD Rootkits because there are so few words in it that aren't code, results, or captions. What you can read in plain English is decently written and easy enough to understand, assuming you meet the technical prerequisites.
Putting the book to the test
This book will be way over your head if you're not a competent, fluent C programmer. You don't have to be familiar with FreeBSD, or even any BSD or Unix SVR4 derivative, but you do have to be able to write C code without having to think about it. Most of Designing BSD Rootkits is C code, not explanatory text, so you will get lost quickly if you can't read and follow a C program.
Though this book focuses specifically on FreeBSD, most of its techniques (and all of its concepts) apply just as well to most other operating systems, including Windows. So if you're inspired by the notion of learning kernel hacking through rootkit development, you don't have to let its FreeBSD theme get in the way of your dream.
It would be difficult to write an actual rootkit using Designing BSD Rootkits because it doesn't cover the most challenging hurdle of remote system cracking: breaking into a computer and gaining root access for a meaningful length of time. The information included in this book will most definitely show you how to develop your own rootkit, but it also spends a chapter explaining how you as a programmer or sysadmin can detect a rootkit on your system, so it's not entirely evil, if you're of a mind to think that way about such books.
Conclusions
Designing BSD Rootkits is not a title appropriate to this book's subject matter. It is as much a guide to theoretical rootkit development as it is an introductory text on developing the FreeBSD operating system. I don't think I have seen any book that so quickly and effectively gets readers involved with FreeBSD kernel hacking. At the same time, I feel like I've been misled as to the book's true subject matter.
I'm sure some less scrupulous programmers will use Designing BSD Rootkits for nefarious purposes, but since the book does not contain substantial, working code samples, a malicious reader would need to have a great deal of skill in order to implement any of the techniques in this book. So don't worry, FreeBSD admins -- this book does not mean that you are in greater danger of remote attacks. It does mean, however, that you have an interesting way to get started with FreeBSD kernel programming, should you be interested in it.
| Title | Designing BSD Rootkits |
| Publisher | No Starch Press |
| Author | Joseph Kong |
| ISBN | 9781593271428 |
| Pages | Paperback, 136 pages |
| Rating | out of 10 |
| Tag line | An introduction to kernel hacking. |
| Price (retail) | U.S. $20 |
Copyright 2007 JEM Electronic Media, Inc. No reprints without written permission.