Adventure with security, C and computers in general

[beiroot]

Dear Community,
Please help. I have this adventure I need to go on.

I would like to move on with my knowledge in IT security towards such goals: write secure code, find bugs in kernel, protocols, software, exploit them.

My specific goal is to learn C (and perhaps some ASM).

My general goal is to get a better understanding of how computers work. Anything from physical hardware, through kernel, operating systems, protocols up to the application level. Not that I don't know any of that stuff, but I want to be five again. Knowing how stuff works makes my inner child happy and I'm more that sure, it helps in every aspect of IT.

And my journey is not specific-skill-to-market-oriented, I always wanted to do that, but never had guts to keep moving on (there were other things in life that kept me postponing this + my god damn procrastination). For me, it's a matter of a lifetime journey rather than skills needed to move from job A to job B.

Why I chose you to join me on this journey? According to what Henning said in this article:
"not knowing very much C has its advantages" and "OpenBSD is the best community to learn C". But I'm addressing this to a wider group since although I've been here only for a short time, from the quality of posts on this forum, I know you're the people I should be asking this.

I did my job browsing through the forum (Programming, General software and network, General Hardware, Book reviews, Guides and Off-Topic) and found this threads useful:

http://daemonforums.org/showthread.php?t=8124
http://daemonforums.org/showthread.php?t=2521
http://daemonforums.org/showthread.php?t=2746
http://daemonforums.org/showthread.php?t=5361

...along with many other articles/posts online.

I think I know some of the answers, but I'd like to hear your opinion and advice.

I hardly know any C or details on how computers work, but I want to learn it the proper way. Only from materials worth reading and repeating. I'd like to acquire as broad security-oriented knowledge as I can in the shortest time possible. It's not that I'm impatient wise guy, but I rather need something to inspire me for lurking moar and finding my spot! Think of it as a bootcamp -
short and intensive. Security is the leitmotiv and C is the main exercise

My type of learning could be compared to climbing the highest mountain to see what's on the horizon and choose a place to go. All I need is path to follow and a mentor to ask for directions. I start late, so I don't have time to make mistakes, but believe me I am a humble student and I treat this adventure as a lifetime journey.

So, can you join me on this journey? From what I saw browsing through this forum, there are other padawans like me looking for programming-, security-, computer- oriented material. I hope this thread may become useful to others.

What, how, why would you recommend to see, read, do? Please keep in mind that it should be:
- security-oriented
- mountain view perspective
- digestible in reasonable time

Thank you in advance for all opinions, answers, criticism.

P.S: Sorry for my poetic language, but when it comes to important decisions I always become that romantic :P

[hanzer]

I recommend that you approach it from an engineering perspective rather than a programming perspective. Secondly, rather than a focus on security, you might get more from research into fault-tolerant and high-reliability design principles and methods.

To get started, I suggest that you acquire three books. Find the most clear, concise, and insightful books that represent these three domains:

1. Digital Systems Design
2. Computer Architecture
3. Operating Systems

And browse them for the fundamental ideas.

From there, you may find value in studying Joe Armstrong's thesis on fault-tolerant software concepts, and the core papers it references. (He is one of the primary Erlang guys - the thesis is concurrent-distributed system centric).

Another source of foundation and insight might be gleaned from the Ada community. This video is a very accessible introduction. The entire sequence of requirements documents that are mentioned in the video can be found here. And there may be some value in looking at the latest efforts of that community's high-reliability technology - http://www.spark-2014.org/about - and it's application in embedded systems - http://www.inspirel.com/articles/Ada_On_Cortex.html

With an understanding of the principles and methods of fault-tolerant, high-reliability systems engineering, the issues of security can probably be addressed in a more robust way.

Finally, I suggest that anyone taking on such a research project be very careful not to assume that the current-off-the-shelf computing systems are representative of mature best practices, or even good decisions. What currently exists is largely the product of rapid market-driven evolution and frontier pioneering rather than fully conscious, fully comprehending, and deliberating design. A re-factoring and revolution is in order, IMnsHO.

[beiroot]

Thank you very much for your answer

Quote:

To get started, I suggest that you acquire three books. Find the most clear, concise, and insightful books that represent these three domains:
Digital Systems Design
Computer Architecture
Operating Systems
And browse them for the fundamental ideas.

any suggestions?

I've studied the fault-tolerant software concepts from the thesis you pointed and it was very educating. Interesting concept of software design. I'm moving onto the ADA community materials

[hanzer]

Quote:

Originally Posted by beiroot

any suggestions?

It depends upon what is available to you. I prefer open resources.

This is in my library and it seems okay:
Digital Electronics: A Practical Approach with VHDL (9th Edition): William Kleitz

And there are freely available video lectures:
Video Instruction for Digital Electronics with VHDL 9th edition textbook

There may be some value in looking at the RISC-V Instruction Set Architecture Specification.

I thought Practical File System Design was a well written and thoughtful document.

Be creative and innovative - become an education and research process hacker.

[beiroot]

@hanzer, I know there are hunderds of books on this. Even in the sticky here you have a decent list. I was asking for a suggestion the same way you would ask for a good mystery, detective, fantasy book.

Thank you very much for the books and videos (especially) you pointed.

[e1-531g]

I am not an expert, but I have been listening to a few talks at security conferences (I mean watching videos published via webpages) and there almost always been a little of assembly code to understand what is going on. I think that somebody interested in security of C programs should have skill to write at least small programs in assembly.
Easiest way to gain practical assembly skills is to practice writing software for 8-bit microcontrollers (AVR ATmega-s or μc-s based on the 8051 instruction set), but they are very different environment than PCs. They don't have operating systems. Physical separation of instruction and data memory.

[paulr]

In my view, the best way to learn about Programm security is to learn how Programms work.

I would suggest to learn the Assembler for your CPU first and the software interface Basics about your hardware.
So you basicly would be able to Play around with Firmware.
Then you could dig into the OS's programming Interfaces and try to reverse and edit Ring 3 applications with disassemblers and Debuggers (CrackMes are a good Training before you try to exploit functions). You could also do this step first, but since many Assembler books for X86 concentrate on 16bit realmode programming, this step mighte be a bit harder at first, if you own a X86 CPU.
After you got enough Knowledge on the Topics: Firmware and OS, you probably could start kernel Debugging.

There are many good exploitation tutorials on the web, at least for Windows.
But i think that taking a look at this would also help a lot to understand how to find and use security flaws, even if it is another Software platform.

!Take in mind, im only beginner Level in this stuff (and i hardly hv any Knowledge about BSD-OS's and BSD-OS's programming, so some suggestions might by far not be perfect!

+excuse my english skills