<HTML
><HEAD
><TITLE
>Bibliography</TITLE
><META
NAME="GENERATOR"
CONTENT="Modular DocBook HTML Stylesheet Version 1.7"><LINK
REL="HOME"
TITLE="Secure Programming for Linux and Unix HOWTO"
HREF="index.html"><LINK
REL="PREVIOUS"
TITLE="Conclusion"
HREF="conclusion.html"><LINK
REL="NEXT"
TITLE="History"
HREF="document-history.html"></HEAD
><BODY
CLASS="CHAPTER"
BGCOLOR="#FFFFFF"
TEXT="#000000"
LINK="#0000FF"
VLINK="#840084"
ALINK="#0000FF"
><DIV
CLASS="NAVHEADER"
><TABLE
SUMMARY="Header navigation table"
WIDTH="100%"
BORDER="0"
CELLPADDING="0"
CELLSPACING="0"
><TR
><TH
COLSPAN="3"
ALIGN="center"
>Secure Programming for Linux and Unix HOWTO</TH
></TR
><TR
><TD
WIDTH="10%"
ALIGN="left"
VALIGN="bottom"
><A
HREF="conclusion.html"
ACCESSKEY="P"
>Prev</A
></TD
><TD
WIDTH="80%"
ALIGN="center"
VALIGN="bottom"
></TD
><TD
WIDTH="10%"
ALIGN="right"
VALIGN="bottom"
><A
HREF="document-history.html"
ACCESSKEY="N"
>Next</A
></TD
></TR
></TABLE
><HR
ALIGN="LEFT"
WIDTH="100%"></DIV
><DIV
CLASS="CHAPTER"
><H1
><A
NAME="BIBLIOGRAPHY"
></A
>Chapter 13. Bibliography</H1
><TABLE
BORDER="0"
WIDTH="100%"
CELLSPACING="0"
CELLPADDING="0"
CLASS="EPIGRAPH"
><TR
><TD
WIDTH="45%"
>&nbsp;</TD
><TD
WIDTH="45%"
ALIGN="LEFT"
VALIGN="TOP"
><I
><P
><I
>The words of the wise are like goads, their collected sayings like
firmly embedded nails--given by one Shepherd.
Be warned, my son, of anything in addition to them.
Of making many books there is no end, and much study wearies the body.</I
></P
></I
></TD
></TR
><TR
><TD
WIDTH="45%"
>&nbsp;</TD
><TD
WIDTH="45%"
ALIGN="RIGHT"
VALIGN="TOP"
><I
><SPAN
CLASS="ATTRIBUTION"
>Ecclesiastes 12:11-12 (NIV)</SPAN
></I
></TD
></TR
></TABLE
><P
><EM
>Note that there is a heavy
emphasis on technical articles available on the web, since this is where
most of this kind of technical information is available.</EM
></P
><P
>[Advosys 2000]
Advosys Consulting
(formerly named Webber Technical Services).
<EM
>Writing Secure Web Applications</EM
>.
<A
HREF="http://advosys.ca/tips/web-security.html"
TARGET="_top"
>http://advosys.ca/tips/web-security.html</A
>.</P
><P
>[Al-Herbish 1999]
Al-Herbish, Thamer.
1999.
<EM
>Secure Unix Programming FAQ</EM
>.
<A
HREF="http://www.whitefang.com/sup"
TARGET="_top"
>http://www.whitefang.com/sup</A
>.</P
><P
>[Aleph1 1996]
Aleph1.
November 8, 1996.
``Smashing The Stack For Fun And Profit''.
<EM
>Phrack Magazine</EM
>.
Issue 49, Article 14.
<A
HREF="http://www.phrack.com/search.phtml?view&article=p49-14"
TARGET="_top"
>http://www.phrack.com/search.phtml?view&#38;article=p49-14</A
>
or alternatively
<A
HREF="http://www.2600.net/phrack/p49-14.html"
TARGET="_top"
>http://www.2600.net/phrack/p49-14.html</A
>.</P
><P
>[Anonymous 1999]
Anonymous.
October 1999.
Maximum Linux Security:
A Hacker's Guide to Protecting Your Linux Server and Workstation.
Sams.
ISBN: 0672316706.</P
><P
>[Anonymous 1998]
Anonymous.
September 1998.
Maximum Security: A Hacker's Guide to Protecting Your
Internet Site and Network.
Sams.
Second Edition.
ISBN: 0672313413.</P
><P
>[Anonymous Phrack 2001]
Anonymous.
August 11, 2001.
Once upon a free().
Phrack, Volume 0x0b, Issue 0x39, Phile #0x09 of 0x12.
<A
HREF="http://phrack.org/show.php?p=57&a=9"
TARGET="_top"
>http://phrack.org/show.php?p=57&#38;a=9</A
>.</P
><P
>[AUSCERT 1996]
Australian Computer Emergency Response Team (AUSCERT) and O'Reilly.
May 23, 1996 (rev 3C).
<EM
>A Lab Engineers Check List for Writing Secure Unix Code</EM
>.
<A
HREF="ftp://ftp.auscert.org.au/pub/auscert/papers/secure_programming_checklist"
TARGET="_top"
>ftp://ftp.auscert.org.au/pub/auscert/papers/secure_programming_checklist</A
>.</P
><P
>[Bach 1986]
Bach, Maurice J.
1986.
<EM
>The Design of the Unix Operating System</EM
>.
Englewood Cliffs, NJ: Prentice-Hall, Inc.
ISBN 0-13-201799-7 025.</P
><P
>[Beattie 2002]
Beattie, Steve, Seth Arnold, Crispin Cowan, Perry Wagle, Chris Wright,
Adam Shostack.
November 2002.
Timing the Application of Security Patches for Optimal Uptime.
2002 LISA XVI, November 3-8, 2002, Philadelphia, PA.</P
><P
>[Bellovin 1989]
Bellovin, Steven M.
April 1989.
"Security Problems in the TCP/IP Protocol Suite".
Computer Communications Review 2:19, pp. 32-48.
<A
HREF="http://www.research.att.com/~smb/papers/ipext.pdf"
TARGET="_top"
>http://www.research.att.com/~smb/papers/ipext.pdf</A
>.</P
><P
>[Bellovin 1994]
Bellovin, Steven M.
December 1994.
<EM
>Shifting the Odds -- Writing (More) Secure Software</EM
>.
Murray Hill, NJ: AT&#38;T Research.
<A
HREF="http://www.research.att.com/~smb/talks"
TARGET="_top"
>http://www.research.att.com/~smb/talks</A
>.</P
><P
>[Bishop 1996]
Bishop, Matt.
May 1996.
``UNIX Security: Security in Programming''.
<EM
>SANS '96</EM
>. Washington DC (May 1996).
<A
HREF="http://olympus.cs.ucdavis.edu/~bishop/secprog.html"
TARGET="_top"
>http://olympus.cs.ucdavis.edu/~bishop/secprog.html</A
>.</P
><P
>[Bishop 1997]
Bishop, Matt.
October 1997.
``Writing Safe Privileged Programs''.
<EM
>Network Security 1997</EM
>.
New Orleans, LA.
<A
HREF="http://olympus.cs.ucdavis.edu/~bishop/secprog.html"
TARGET="_top"
>http://olympus.cs.ucdavis.edu/~bishop/secprog.html</A
>.</P
><P
>[Blaze 1996]
Blaze, Matt, Whitfield Diffie, Ronald L. Rivest, Bruce Schneier,
Tsutomu Shimomura, Eric Thompson, and Michael Wiener.
January 1996.
``Minimal Key Lengths for Symmetric Ciphers to Provide
Adequate Commercial Security:
A Report by an Ad Hoc Group of Cryptographers and Computer Scientists.''
<A
HREF="ftp://ftp.research.att.com/dist/mab/keylength.txt"
TARGET="_top"
>ftp://ftp.research.att.com/dist/mab/keylength.txt</A
> and
<A
HREF="ftp://ftp.research.att.com/dist/mab/keylength.ps"
TARGET="_top"
>ftp://ftp.research.att.com/dist/mab/keylength.ps</A
>.</P
><P
>[CC 1999]
<EM
>The Common Criteria for Information Technology Security Evaluation
(CC)</EM
>.
August 1999.
Version 2.1.
Technically identical to International Standard ISO/IEC 15408:1999.
<A
HREF="http://csrc.nist.gov/cc/ccv20/ccv2list.htm"
TARGET="_top"
>http://csrc.nist.gov/cc/ccv20/ccv2list.htm</A
>.</P
><P
>[CERT 1998]
Computer Emergency Response Team (CERT) Coordination Center (CERT/CC).
February 13, 1998.
<EM
>Sanitizing User-Supplied Data in CGI Scripts</EM
>.
CERT Advisory CA-97.25.CGI_metachar.
<A
HREF="http://www.cert.org/advisories/CA-97.25.CGI_metachar.html"
TARGET="_top"
>http://www.cert.org/advisories/CA-97.25.CGI_metachar.html</A
>.</P
><P
>[Cheswick 1994]
Cheswick, William R. and Steven M. Bellovin.
Firewalls and Internet Security: Repelling the Wily Hacker.
Full text at
<A
HREF="http://www.wilyhacker.com"
TARGET="_top"
>http://www.wilyhacker.com</A
>.</P
><P
>[Clowes 2001]
Clowes, Shaun.
2001.
``A Study In Scarlet - Exploiting Common Vulnerabilities in PHP''.
<A
HREF="http://www.securereality.com.au/archives.html"
TARGET="_top"
>http://www.securereality.com.au/archives.html</A
>.</P
><P
>[CMU 1998]
Carnegie Mellon University (CMU).
February 13, 1998.
Version 1.4.
``How To Remove Meta-characters From User-Supplied Data In CGI Scripts''.
<A
HREF="ftp://ftp.cert.org/pub/tech_tips/cgi_metacharacters"
TARGET="_top"
>ftp://ftp.cert.org/pub/tech_tips/cgi_metacharacters</A
>.</P
><P
>[Cowan 1999]
Cowan, Crispin, Perry Wagle, Calton Pu, Steve Beattie, and
Jonathan Walpole.
``Buffer Overflows: Attacks and Defenses for the Vulnerability
of the Decade''.
Proceedings of DARPA Information Survivability Conference and Expo (DISCEX),
<A
HREF="http://schafercorp-ballston.com/discex"
TARGET="_top"
>http://schafercorp-ballston.com/discex</A
>
SANS 2000.
<A
HREF="http://www.sans.org/newlook/events/sans2000.htm"
TARGET="_top"
>http://www.sans.org/newlook/events/sans2000.htm</A
>.
For a copy, see
<A
HREF="http://immunix.org/documentation.html"
TARGET="_top"
>http://immunix.org/documentation.html</A
>.</P
><P
>[Cox 2000]
Cox, Philip.
March 30, 2001.
Hardening Windows 2000.
<A
HREF="http://www.systemexperts.com/win2k/hardenW2K11.pdf"
TARGET="_top"
>http://www.systemexperts.com/win2k/hardenW2K11.pdf</A
>.</P
><P
>[Dobbertin 1996]
Dobbertin, H.
1996.
The Status of MD5 After a Recent Attack.
RSA Laboratories' CryptoBytes.
Vol. 2, No. 2.</P
><P
>[Felten 1997]
Felten, Edward W., Dirk Balfanz, Drew Dean, and Dan S. Wallach.
Web Spoofing: An Internet Con Game.
Technical Report 540-96 (revised Feb. 1997).
Department of Computer Science, Princeton University.
<A
HREF="http://www.cs.princeton.edu/sip/pub/spoofing.pdf"
TARGET="_top"
>http://www.cs.princeton.edu/sip/pub/spoofing.pdf</A
>.</P
><P
>[Fenzi 1999]
Fenzi, Kevin, and Dave Wrenski.
April 25, 1999.
<EM
>Linux Security HOWTO</EM
>.
Version 1.0.2.
<A
HREF="http://www.tldp.org/HOWTO/Security-HOWTO.html"
TARGET="_top"
>http://www.tldp.org/HOWTO/Security-HOWTO.html</A
>.</P
><P
>[FHS 1997]
Filesystem Hierarchy Standard (FHS 2.0).
October 26, 1997.
Filesystem Hierarchy Standard Group, edited by Daniel Quinlan.
Version 2.0.
<A
HREF="http://www.pathname.com/fhs"
TARGET="_top"
>http://www.pathname.com/fhs</A
>.</P
><P
>[Filipski 1986]
Filipski, Alan and James Hanko.
April 1986.
``Making Unix Secure.''
Byte (Magazine).
Peterborough, NH: McGraw-Hill Inc.
Vol. 11, No. 4.
ISSN 0360-5280.
pp. 113-128.</P
><P
>[Flake 2001]
Flake, Halvar.
Auditing Binaries for Security Vulnerabilities.
<A
HREF="http://www.blackhat.com/html/win-usa-01/win-usa-01-speakers.html"
TARGET="_top"
>http://www.blackhat.com/html/win-usa-01/win-usa-01-speakers.html</A
>.</P
><P
>[FOLDOC]
Free On-Line Dictionary of Computing.
<A
HREF="http://foldoc.doc.ic.ac.uk/foldoc/index.html"
TARGET="_top"
>http://foldoc.doc.ic.ac.uk/foldoc/index.html</A
>.</P
><P
>[Forristal 2001]
Forristal, Jeff, and Greg Shipley.
January 8, 2001.
Vulnerability Assessment Scanners.
Network Computing.
<A
HREF="http://www.nwc.com/1201/1201f1b1.html"
TARGET="_top"
>http://www.nwc.com/1201/1201f1b1.html</A
>.</P
><P
>[FreeBSD 1999]
FreeBSD, Inc.
1999.
``Secure Programming Guidelines''.
<EM
>FreeBSD Security Information</EM
>.
<A
HREF="http://www.freebsd.org/security/security.html"
TARGET="_top"
>http://www.freebsd.org/security/security.html</A
>.</P
><P
>[Friedl 1997]
Friedl, Jeffrey E. F.
1997.
Mastering Regular Expressions.
O'Reilly.
ISBN 1-56592-257-3.</P
><P
>[FSF 1998]
Free Software Foundation.
December 17, 1999.
<EM
>Overview of the GNU Project</EM
>.
<A
HREF="http://www.gnu.ai.mit.edu/gnu/gnu-history.html"
TARGET="_top"
>http://www.gnu.ai.mit.edu/gnu/gnu-history.html</A
>.</P
><P
>[FSF 1999]
Free Software Foundation.
January 11, 1999.
<EM
>The GNU C Library Reference Manual</EM
>.
Edition 0.08 DRAFT, for Version 2.1 Beta of the GNU C Library.
Available at, for example,
<A
HREF="http://www.netppl.fi/~pp/glibc21/libc_toc.html"
TARGET="_top"
>http://www.netppl.fi/~pp/glibc21/libc_toc.html</A
>.</P
><P
>[Fu 2001]
Fu, Kevin, Emil Sit, Kendra Smith, and Nick Feamster.
August 2001.
``Dos and Don'ts of Client Authentication on the Web''.
Proceedings of the 10th USENIX Security Symposium,
Washington, D.C., August 2001.
<A
HREF="http://cookies.lcs.mit.edu/pubs/webauth.html"
TARGET="_top"
>http://cookies.lcs.mit.edu/pubs/webauth.html</A
>.</P
><P
>[Gabrilovich 2002]
Gabrilovich, Evgeniy, and Alex Gontmakher.
February 2002.
``Inside Risks: The Homograph Attack''.
Communications of the ACM.
Volume 45, Number 2.
Page 128.</P
><P
>[Galvin 1998a]
Galvin, Peter.
April 1998.
``Designing Secure Software''.
<EM
>Sunworld</EM
>.
<A
HREF="http://www.sunworld.com/swol-04-1998/swol-04-security.html"
TARGET="_top"
>http://www.sunworld.com/swol-04-1998/swol-04-security.html</A
>.</P
><P
>[Galvin 1998b]
Galvin, Peter.
August 1998.
``The Unix Secure Programming FAQ''.
<EM
>Sunworld</EM
>.
<A
HREF="http://www.sunworld.com/sunworldonline/swol-08-1998/swol-08-security.html"
TARGET="_top"
>http://www.sunworld.com/sunworldonline/swol-08-1998/swol-08-security.html</A
>.</P
><P
>[Garfinkel 1996]
Garfinkel, Simson and Gene Spafford.
April 1996.
<EM
>Practical UNIX &#38; Internet Security, 2nd Edition</EM
>.
ISBN 1-56592-148-8.
Sebastopol, CA: O'Reilly &#38; Associates, Inc.
<A
HREF="http://www.oreilly.com/catalog/puis"
TARGET="_top"
>http://www.oreilly.com/catalog/puis</A
>.</P
><P
>[Garfinkle 1997]
Garfinkle, Simson.
August 8, 1997.
21 Rules for Writing Secure CGI Programs.
<A
HREF="http://webreview.com/wr/pub/97/08/08/bookshelf"
TARGET="_top"
>http://webreview.com/wr/pub/97/08/08/bookshelf</A
>.</P
><P
>[Gay 2000]
Gay, Warren W.
October 2000.
Advanced Unix Programming.
Indianapolis, Indiana: Sams Publishing.
ISBN 0-67231-990-X.</P
><P
>[Geodsoft 2001]
Geodsoft.
February 7, 2001.
Hardening OpenBSD Internet Servers.
<A
HREF="http://www.geodsoft.com/howto/harden"
TARGET="_top"
>http://www.geodsoft.com/howto/harden</A
>.</P
><P
>[Graham 1999]
Graham, Jeff.
May 4, 1999.
<EM
>Security-Audit's Frequently Asked Questions (FAQ)</EM
>.
<A
HREF="http://lsap.org/faq.txt"
TARGET="_top"
>http://lsap.org/faq.txt</A
>.</P
><P
>[Gong 1999]
Gong, Li.
June 1999.
<EM
>Inside Java 2 Platform Security</EM
>.
Reading, MA: Addison Wesley Longman, Inc.
ISBN 0-201-31000-7.</P
><P
>[Gundavaram Unknown]
Gundavaram, Shishir, and Tom Christiansen.
Date Unknown.
<EM
>Perl CGI Programming FAQ</EM
>.
<A
HREF="http://language.perl.com/CPAN/doc/FAQs/cgi/perl-cgi-faq.html"
TARGET="_top"
>http://language.perl.com/CPAN/doc/FAQs/cgi/perl-cgi-faq.html</A
>.</P
><P
>[Hall 1999]
Hall, Brian "Beej".
January 13, 1999.
Beej's Guide to Network Programming Using Internet Sockets.
Version 1.5.5.
<A
HREF="http://www.ecst.csuchico.edu/~beej/guide/net"
TARGET="_top"
>http://www.ecst.csuchico.edu/~beej/guide/net</A
>.</P
><P
>[Howard 2002]
Howard, Michael and David LeBlanc.
2002.
Writing Secure Code.
Redmond, Washington: Microsoft Press.
ISBN 0-7356-1588-8.</P
><P
>[ISO 12207]
International Organization for Standardization (ISO).
1995.
Information technology -- Software life cycle processes.
ISO/IEC 12207:1995.</P
><P
>[ISO 13335]
International Organization for Standardization (ISO).
ISO/IEC TR 13335.
Guidelines for the Management of IT Security (GMITS).
Note that this is a five-part technical report (not a standard); see also
ISO/IEC 17799:2000.
It includes:</P
><UL
><LI
><P
>ISO 13335-1: Concepts and Models for IT Security</P
></LI
><LI
><P
>ISO 13335-2: Managing and Planning IT Security</P
></LI
><LI
><P
>ISO 13335-3: Techniques for the Management of IT Security</P
></LI
><LI
><P
>ISO 13335-4: Selection of Safeguards</P
></LI
><LI
><P
>ISO 13335-5: Safeguards for External Connections</P
></LI
></UL
><P
>[ISO 17799]
International Organization for Standardization (ISO).
December 2000.
Code of Practice for Information Security Management.
ISO/IEC 17799:2000.</P
><P
>[ISO 9000]
International Organization for Standardization (ISO).
2000.
Quality management systems - Fundamentals and vocabulary.
ISO 9000:2000.
See
<A
HREF="http://www.iso.ch/iso/en/iso9000-14000/iso9000/selection_use/iso9000family.html"
TARGET="_top"
>http://www.iso.ch/iso/en/iso9000-14000/iso9000/selection_use/iso9000family.html</A
>.</P
><P
>[ISO 9001]
International Organization for Standardization (ISO).
2000.
Quality management systems - Requirements.
ISO 9001:2000.</P
><P
>[Jones 2000]
Jones, Jennifer.
October 30, 2000.
``Banking on Privacy''.
InfoWorld, Volume 22, Issue 44.
San Mateo, CA: International Data Group (IDG).
pp. 1-12.</P
><P
>[Kelsey 1998]
Kelsey, J., B. Schneier, D. Wagner, and C. Hall.
March 1998.
"Cryptanalytic Attacks on Pseudorandom Number Generators."
Fast Software Encryption, Fifth International Workshop Proceedings
(March 1998), Springer-Verlag, 1998, pp. 168-188.
<A
HREF="http://www.counterpane.com/pseudorandom_number.html"
TARGET="_top"
>http://www.counterpane.com/pseudorandom_number.html</A
>.</P
><P
>[Kernighan 1988]
Kernighan, Brian W., and Dennis M. Ritchie.
1988.
<EM
>The C Programming Language</EM
>.
Second Edition.
Englewood Cliffs, NJ: Prentice-Hall.
ISBN 0-13-110362-8.</P
><P
>[Kim 1996]
Kim, Eugene Eric.
1996.
<EM
>CGI Developer's Guide</EM
>.
SAMS.net Publishing.
ISBN: 1-57521-087-8.
<A
HREF="http://www.eekim.com/pubs/cgibook"
TARGET="_top"
>http://www.eekim.com/pubs/cgibook</A
>.</P
><P
>[Kolsek 2002]
Kolsek, Mitja.
December 2002.
Session Fixation Vulnerability in Web-based Applications.
<A
HREF="http://www.acros.si/papers/session_fixation.pdf"
TARGET="_top"
>http://www.acros.si/papers/session_fixation.pdf</A
>.</P
><P
>[Kuchling 2000]
Kuchling, A.M.
2000.
Restricted Execution HOWTO.
<A
HREF="http://www.python.org/doc/howto/rexec/rexec.html"
TARGET="_top"
>http://www.python.org/doc/howto/rexec/rexec.html</A
>.</P
><P
>[Kuhn 2002]
Kuhn, Markus G.
Optical Time-Domain Eavesdropping Risks
of CRT displays.
Proceedings of the 2002 IEEE Symposium on Security and Privacy,
Oakland, CA, May 12-15, 2002.
<A
HREF="http://www.cl.cam.ac.uk/~mgk25/ieee02-optical.pdf"
TARGET="_top"
>http://www.cl.cam.ac.uk/~mgk25/ieee02-optical.pdf</A
>.</P
><P
>[LSD 2001]
The Last Stage of Delirium.
July 4, 2001.
<EM
>UNIX Assembly Codes Development
for Vulnerabilities Illustration Purposes.</EM
>
<A
HREF="http://lsd-pl.net/papers.html#assembly"
TARGET="_top"
>http://lsd-pl.net/papers.html#assembly</A
>.</P
><P
>[McClure 1999]
McClure, Stuart, Joel Scambray, and George Kurtz.
1999.
<EM
>Hacking Exposed: Network Security Secrets and Solutions</EM
>.
Berkeley, CA: Osborne/McGraw-Hill.
ISBN 0-07-212127-0.</P
><P
>[McKusick 1999]
McKusick, Marshall Kirk.
January 1999.
``Twenty Years of Berkeley Unix: From AT&#38;T-Owned to
Freely Redistributable.''
<EM
>Open Sources: Voices from the Open Source Revolution</EM
>.
<A
HREF="http://www.oreilly.com/catalog/opensources/book/kirkmck.html"
TARGET="_top"
>http://www.oreilly.com/catalog/opensources/book/kirkmck.html</A
>.</P
><P
>[McGraw 1999]
McGraw, Gary, and Edward W. Felten.
December 1998.
Twelve Rules for developing more secure Java code.
Javaworld.
<A
HREF="http://www.javaworld.com/javaworld/jw-12-1998/jw-12-securityrules.html"
TARGET="_top"
>http://www.javaworld.com/javaworld/jw-12-1998/jw-12-securityrules.html</A
>.</P
><P
>[McGraw 1999]
McGraw, Gary, and Edward W. Felten.
January 25, 1999.
Securing Java: Getting Down to Business with Mobile Code, 2nd Edition.
John Wiley &#38; Sons.
ISBN 047131952X.
<A
HREF="http://www.securingjava.com"
TARGET="_top"
>http://www.securingjava.com</A
>.</P
><P
>[McGraw 2000a]
McGraw, Gary and John Viega.
March 1, 2000.
Make Your Software Behave: Learning the Basics of Buffer Overflows.
<A
HREF="http://www-4.ibm.com/software/developer/library/overflows/index.html"
TARGET="_top"
>http://www-4.ibm.com/software/developer/library/overflows/index.html</A
>.</P
><P
>[McGraw 2000b]
McGraw, Gary and John Viega.
April 18, 2000.
Make Your Software Behave: Software strategies.
In the absence of hardware,
you can devise a reasonably secure random number generator through software.
<A
HREF="http://www-106.ibm.com/developerworks/library/randomsoft/index.html?dwzone=security"
TARGET="_top"
>http://www-106.ibm.com/developerworks/library/randomsoft/index.html?dwzone=security</A
>.</P
><P
>[Miller 1995]
Miller, Barton P.,
David Koski, Cjin Pheow Lee, Vivekananda Maganty,
Ravi Murthy, Ajitkumar Natarajan, and Jeff Steidl.
1995.
Fuzz Revisited: A Re-examination of the Reliability of
UNIX Utilities and Services.
<A
HREF="ftp://grilled.cs.wisc.edu/technical_papers/fuzz-revisited.pdf"
TARGET="_top"
>ftp://grilled.cs.wisc.edu/technical_papers/fuzz-revisited.pdf</A
>.</P
><P
>[Miller 1999]
Miller, Todd C. and Theo de Raadt.
``strlcpy and strlcat -- Consistent, Safe, String Copy and Concatenation''.
<EM
>Proceedings of Usenix '99</EM
>.
<A
HREF="http://www.usenix.org/events/usenix99/millert.html"
TARGET="_top"
>http://www.usenix.org/events/usenix99/millert.html</A
> and
<A
HREF="http://www.usenix.org/events/usenix99/full_papers/millert/PACKING_LIST"
TARGET="_top"
>http://www.usenix.org/events/usenix99/full_papers/millert/PACKING_LIST</A
>.</P
><P
>[Mookhey 2002]
Mookhey, K. K.
The Unix Auditor's Practical Handbook.
<A
HREF="http://www.nii.co.in/tuaph.html"
TARGET="_top"
>http://www.nii.co.in/tuaph.html</A
>.</P
><P
>[Mudge 1995]
Mudge.
October 20, 1995.
<EM
>How to write Buffer Overflows</EM
>.
l0pht advisories.
<A
HREF="http://www.l0pht.com/advisories/bufero.html"
TARGET="_top"
>http://www.l0pht.com/advisories/bufero.html</A
>.</P
><P
>[Murhammer 1998]
Murhammer, Martin W., Orcun Atakan, Stefan Bretz,
Larry R. Pugh, Kazunari Suzuki, and David H. Wood.
October 1998.
TCP/IP Tutorial and Technical Overview.
IBM International Technical Support Organization.
<A
HREF="http://www.redbooks.ibm.com/pubs/pdfs/redbooks/gg243376.pdf"
TARGET="_top"
>http://www.redbooks.ibm.com/pubs/pdfs/redbooks/gg243376.pdf</A
>.</P
><P
>[NCSA]
NCSA Secure Programming Guidelines.
<A
HREF="http://www.ncsa.uiuc.edu/General/Grid/ACES/security/programming"
TARGET="_top"
>http://www.ncsa.uiuc.edu/General/Grid/ACES/security/programming</A
>.</P
><P
>[Neumann 2000]
Neumann, Peter.
2000.
"Robust Nonproprietary Software."
Proceedings of the 2000 IEEE Symposium on Security and Privacy
(the ``Oakland Conference''), May 14-17, 2000, Berkeley, CA.
Los Alamitos, CA: IEEE Computer Society.
pp. 122-123.</P
><P
>[NSA 2000]
National Security Agency (NSA).
September 2000.
Information Assurance Technical Framework (IATF).
<A
HREF="http://www.iatf.net"
TARGET="_top"
>http://www.iatf.net</A
>.</P
><P
>[Open Group 1997]
The Open Group.
1997.
<EM
>Single UNIX Specification, Version 2 (UNIX 98)</EM
>.
<A
HREF="http://www.opengroup.org/online-pubs?DOC=007908799"
TARGET="_top"
>http://www.opengroup.org/online-pubs?DOC=007908799</A
>.</P
><P
>[OSI 1999]
Open Source Initiative.
1999.
<EM
>The Open Source Definition</EM
>.
<A
HREF="http://www.opensource.org/osd.html"
TARGET="_top"
>http://www.opensource.org/osd.html</A
>.</P
><P
>[Opplinger 1998]
Oppliger, Rolf.
1998.
Internet and Intranet Security.
Norwood, MA: Artech House.
ISBN 0-89006-829-1.</P
><P
>[Paulk 1993a]
Mark C. Paulk, Bill Curtis, Mary Beth Chrissis, and Charles V. Weber.
Capability Maturity Model for Software, Version 1.1.
Software Engineering Institute, CMU/SEI-93-TR-24.
DTIC Number ADA263403, February 1993.
<A
HREF="http://www.sei.cmu.edu/activities/cmm/obtain.cmm.html"
TARGET="_top"
>http://www.sei.cmu.edu/activities/cmm/obtain.cmm.html</A
>.</P
><P
>[Paulk 1993b]
Mark C. Paulk, Charles V. Weber, Suzanne M. Garcia, Mary Beth Chrissis, and Marilyn W. Bush.
Key Practices of the Capability Maturity Model, Version 1.1.
Software Engineering Institute.
CMU/SEI-93-TR-25, DTIC Number ADA263432, February 1993. </P
><P
>[Peteanu 2000]
Peteanu, Razvan.
July 18, 2000.
Best Practices for Secure Web Development.
<A
HREF="http://members.home.net/razvan.peteanu"
TARGET="_top"
>http://members.home.net/razvan.peteanu</A
>.</P
><P
>[Pfleeger 1997]
Pfleeger, Charles P.
1997.
<EM
>Security in Computing.</EM
>
Upper Saddle River, NJ: Prentice-Hall PTR.
ISBN 0-13-337486-6.</P
><P
>[Phillips 1995]
Phillips, Paul.
September 3, 1995.
<EM
>Safe CGI Programming</EM
>.
<A
HREF="http://www.go2net.com/people/paulp/cgi-security/safe-cgi.txt"
TARGET="_top"
>http://www.go2net.com/people/paulp/cgi-security/safe-cgi.txt</A
>.</P
><P
>[Quintero 1999]
Quintero, Federico Mena,
Miguel de Icaza, and Morten Welinder.
GNOME Programming Guidelines.
<A
HREF="http://developer.gnome.org/doc/guides/programming-guidelines/book1.html"
TARGET="_top"
>http://developer.gnome.org/doc/guides/programming-guidelines/book1.html</A
>.</P
><P
>[Raymond 1997]
Raymond, Eric.
1997.
<EM
>The Cathedral and the Bazaar</EM
>.
<A
HREF="http://www.catb.org/~esr/writings/cathedral-bazaar"
TARGET="_top"
>http://www.catb.org/~esr/writings/cathedral-bazaar</A
>.</P
><P
>[Raymond 1998]
Raymond, Eric.
April 1998.
<EM
>Homesteading the Noosphere</EM
>.
<A
HREF="http://www.catb.org/~esr/writings/homesteading/homesteading.html"
TARGET="_top"
>http://www.catb.org/~esr/writings/homesteading/homesteading.html</A
>.</P
><P
>[Ranum 1998]
Ranum, Marcus J.
1998.
<EM
>Security-critical coding for programmers -
a C and UNIX-centric full-day tutorial</EM
>.
<A
HREF="http://www.clark.net/pub/mjr/pubs/pdf/"
TARGET="_top"
>http://www.clark.net/pub/mjr/pubs/pdf/</A
>.</P
><P
>[RFC 822]
August 13, 1982.
<EM
>Standard for the Format of ARPA Internet Text Messages</EM
>.
IETF RFC 822.
<A
HREF="http://www.ietf.org/rfc/rfc0822.txt"
TARGET="_top"
>http://www.ietf.org/rfc/rfc0822.txt</A
>.</P
><P
>[rfp 1999]
rain.forest.puppy.
1999.
``Perl CGI problems''.
<EM
>Phrack Magazine</EM
>.
Issue 55, Article 07.
<A
HREF="http://www.phrack.com/search.phtml?view&article=p55-7"
TARGET="_top"
>http://www.phrack.com/search.phtml?view&#38;article=p55-7</A
> or
<A
HREF="http://www.insecure.org/news/P55-07.txt"
TARGET="_top"
>http://www.insecure.org/news/P55-07.txt</A
>.</P
><P
>[Rijmen 2000]
Rijmen, Vincent.
"LinuxSecurity.com Speaks With AES Winner".
<A
HREF="http://www.linuxsecurity.com/feature_stories/interview-aes-3.html"
TARGET="_top"
>http://www.linuxsecurity.com/feature_stories/interview-aes-3.html</A
>.</P
><P
>[Rochkind 1985]
Rochkind, Marc J.
<EM
>Advanced Unix Programming</EM
>.
Englewood Cliffs, NJ: Prentice-Hall, Inc.
ISBN 0-13-011818-4.</P
><P
>[Sahu 2002]
Sahu, Bijaya Nanda,
Srinivasan S. Muthuswamy,
Satya Nanaji Rao Mallampalli, and
Venkata R. Bonam.
July 2002.
``Is your Java code secure -- or exposed?
Build safer applications now to avoid trouble later''.
<A
HREF="http://www-106.ibm.com/developerworks/java/library/j-staticsec.html?loc=dwmain"
TARGET="_top"
>http://www-106.ibm.com/developerworks/java/library/j-staticsec.html?loc=dwmain</A
>.</P
><P
>[St. Laurent 2000]
St. Laurent, Simon.
February 2000.
<EM
>XTech 2000 Conference Reports</EM
>.
``When XML Gets Ugly''.
<A
HREF="http://www.xml.com/pub/2000/02/xtech/megginson.html"
TARGET="_top"
>http://www.xml.com/pub/2000/02/xtech/megginson.html</A
>.</P
><P
>[Saltzer 1974]
Saltzer, J.
July 1974.
``Protection and the Control of Information Sharing in MULTICS''.
<EM
>Communications of the ACM</EM
>.
v17 n7.
pp. 388-402.</P
><P
>[Saltzer 1975]
Saltzer, J., and M. Schroeder.
September 1975.
``The Protection of Information in Computing Systems''.
<EM
>Proceedings of the IEEE</EM
>.
v63 n9.
pp. 1278-1308.
<A
HREF="http://www.mediacity.com/~norm/CapTheory/ProtInf"
TARGET="_top"
>http://www.mediacity.com/~norm/CapTheory/ProtInf</A
>.
Summarized in [Pfleeger 1997, 286].</P
><P
>[Schneider 2000]
Schneider, Fred B.
2000.
"Open Source in Security: Visiting the Bizarre."
Proceedings of the 2000 IEEE Symposium on Security and Privacy
(the ``Oakland Conference''), May 14-17, 2000, Berkeley, CA.
Los Alamitos, CA: IEEE Computer Society.
pp. 126-127.</P
><P
>[Schneier 1996]
Schneier, Bruce.
1996.
<EM
>Applied Cryptography, Second Edition:
Protocols, Algorithms, and Source Code in C</EM
>.
New York: John Wiley and Sons.
ISBN 0-471-12845-7.</P
><P
>[Schneier 1998]
Schneier, Bruce and Mudge.
November 1998.
<EM
>Cryptanalysis of Microsoft's Point-to-Point Tunneling Protocol (PPTP)</EM
>.
Proceedings of the 5th ACM Conference on Communications and Computer Security,
ACM Press.
<A
HREF="http://www.counterpane.com/pptp.html"
TARGET="_top"
>http://www.counterpane.com/pptp.html</A
>.</P
><P
>[Schneier 1999]
Schneier, Bruce.
September 15, 1999.
``Open Source and Security''.
<EM
>Crypto-Gram</EM
>.
Counterpane Internet Security, Inc.
<A
HREF="http://www.counterpane.com/crypto-gram-9909.html"
TARGET="_top"
>http://www.counterpane.com/crypto-gram-9909.html</A
>.</P
><P
>[Seifried 1999]
Seifried, Kurt.
October 9, 1999.
<EM
>Linux Administrator's Security Guide</EM
>.
<A
HREF="http://www.securityportal.com/lasg"
TARGET="_top"
>http://www.securityportal.com/lasg</A
>.</P
><P
>[Seifried 2001]
Seifried, Kurt.
September 2, 2001.
WWW Authentication.
<A
HREF="http://www.seifried.org/security/www-auth/index.html"
TARGET="_top"
>http://www.seifried.org/security/www-auth/index.html</A
>.</P
><P
>[Shankland 2000]
Shankland, Stephen.
``Linux poses increasing threat to Windows 2000''.
CNET.
<A
HREF="http://news.cnet.com/news/0-1003-200-1549312.html"
TARGET="_top"
>http://news.cnet.com/news/0-1003-200-1549312.html</A
>.</P
><P
>[Shostack 1999]
Shostack, Adam.
June 1, 1999.
<EM
>Security Code Review Guidelines</EM
>.
<A
HREF="http://www.homeport.org/~adam/review.html"
TARGET="_top"
>http://www.homeport.org/~adam/review.html</A
>.</P
><P
>[Sibert 1996]
Sibert, W. Olin.
Malicious Data and Computer Security.
(NIST) NISSC '96.
<A
HREF="http://www.fish.com/security/maldata.html"
TARGET="_top"
>http://www.fish.com/security/maldata.html</A
>.</P
><P
>[Sitaker 1999]
Sitaker, Kragen.
Feb 26, 1999.
<EM
>How to Find Security Holes</EM
>.
<A
HREF="http://www.pobox.com/~kragen/security-holes.html"
TARGET="_top"
>http://www.pobox.com/~kragen/security-holes.html</A
> and
<A
HREF="http://www.dnaco.net/~kragen/security-holes.html"
TARGET="_top"
>http://www.dnaco.net/~kragen/security-holes.html</A
>.</P
><P
>[SSE-CMM 1999]
SSE-CMM Project.
April 1999.
<EM
>Systems Security Engineering Capability Maturity Model (SSE CMM)
Model Description Document</EM
>.
Version 2.0.
<A
HREF="http://www.sse-cmm.org"
TARGET="_top"
>http://www.sse-cmm.org</A
>.</P
><P
>[Stallings 1996]
Stallings, William.
Practical Cryptography for Data Internetworks.
Los Alamitos, CA: IEEE Computer Society Press.
ISBN 0-8186-7140-8.</P
><P
>[Stein 1999]
Stein, Lincoln D.
September 13, 1999.
<EM
>The World Wide Web Security FAQ</EM
>.
Version 2.0.1.
<A
HREF="http://www.w3.org/Security/Faq/www-security-faq.html"
TARGET="_top"
>http://www.w3.org/Security/Faq/www-security-faq.html</A
>.</P
><P
>[Swan 2001]
Swan, Daniel.
January 6, 2001.
comp.os.linux.security FAQ.
Version 1.0.
<A
HREF="http://www.linuxsecurity.com/docs/colsfaq.html"
TARGET="_top"
>http://www.linuxsecurity.com/docs/colsfaq.html</A
>.</P
><P
>[Swanson 1996]
Swanson, Marianne, and Barbara Guttman.
September 1996.
Generally Accepted Principles and Practices for Securing
Information Technology Systems.
NIST Computer Security Special Publication (SP) 800-14.
<A
HREF="http://csrc.nist.gov/publications/nistpubs/index.html"
TARGET="_top"
>http://csrc.nist.gov/publications/nistpubs/index.html</A
>.</P
><P
>[Thompson 1974]
Thompson, K. and D.M. Ritchie.
July 1974.
``The UNIX Time-Sharing System''.
<EM
>Communications of the ACM</EM
>.
Vol. 17, No. 7.
pp. 365-375.</P
><P
>[Torvalds 1999]
Torvalds, Linus.
February 1999.
``The Story of the Linux Kernel''.
<EM
>Open Sources: Voices from the Open Source Revolution</EM
>.
Edited by Chris Dibona, Mark Stone, and Sam Ockman.
O'Reilly and Associates.
ISBN 1565925823.
<A
HREF="http://www.oreilly.com/catalog/opensources/book/linus.html"
TARGET="_top"
>http://www.oreilly.com/catalog/opensources/book/linus.html</A
>.</P
><P
>[TruSecure 2001]
TruSecure.
August 2001.
Open Source Security: A Look at the Security Benefits of Source Code Access.
<A
HREF="http://www.trusecure.com/html/tspub/whitepapers/open_source_security5.pdf"
TARGET="_top"
>http://www.trusecure.com/html/tspub/whitepapers/open_source_security5.pdf</A
>.</P
><P
>[Unknown]
<EM
>SETUID(7)</EM
>
<A
HREF="http://www.homeport.org/~adam/setuid.7.html"
TARGET="_top"
>http://www.homeport.org/~adam/setuid.7.html</A
>.</P
><P
>[Van Biesbrouck 1996]
Van Biesbrouck, Michael.
April 19, 1996.
<A
HREF="http://www.csclub.uwaterloo.ca/u/mlvanbie/cgisec"
TARGET="_top"
>http://www.csclub.uwaterloo.ca/u/mlvanbie/cgisec</A
>.</P
><P
>[van Oorschot 1994]
van Oorschot, P. and M. Wiener.
November 1994.
``Parallel Collision Search with Applications to Hash Functions
and Discrete Logarithms.''
Proceedings of ACM Conference on Computer and Communications Security.</P
><P
>[Venema 1996]
Venema, Wietse.
1996.
Murphy's law and computer security.
<A
HREF="http://www.fish.com/security/murphy.html"
TARGET="_top"
>http://www.fish.com/security/murphy.html</A
>.</P
><P
>[Viega 2002]
Viega, John, and Gary McGraw.
2002.
Building Secure Software.
Addison-Wesley.
ISBN 0201-72152-X.</P
><P
>[Watters 1996]
Watters, Aaron, Guido van Rossum, and James C. Ahlstrom.
1996.
Internet Programming with Python.
NY, NY: Henry Holt and Company, Inc.</P
><P
>[Wheeler 1996]
Wheeler, David A., Bill Brykczynski, and Reginald N. Meeson, Jr.
Software Inspection: An Industry Best Practice.
1996.
Los Alamitos, CA: IEEE Computer Society Press.
IEEE Computer Society Press Order Number BP07340.
Library of Congress Number 95-41054.
ISBN 0-8186-7340-0.</P
><P
>[Witten 2001]
Witten, Brian, Carl Landwehr, and Michael Caloyannides.
September/October 2001.
``Does Open Source Improve System Security?''
IEEE Software.
pp. 57-61.
<A
HREF="http://www.computer.org/software"
TARGET="_top"
>http://www.computer.org/software</A
>.</P
><P
>[Wood 1985]
Wood, Patrick H. and Stephen G. Kochan.
1985.
<EM
>Unix System Security</EM
>.
Indianapolis, Indiana: Hayden Books.
ISBN 0-8104-6267-2.</P
><P
>[Wreski 1998]
Wreski, Dave.
August 22, 1998.
<EM
>Linux Security Administrator's Guide</EM
>.
Version 0.98.
<A
HREF="http://www.nic.com/~dave/SecurityAdminGuide/index.html"
TARGET="_top"
>http://www.nic.com/~dave/SecurityAdminGuide/index.html</A
>.</P
><P
>[Yoder 1998]
Yoder, Joseph and Jeffrey Barcalow.
1998.
Architectural Patterns for Enabling Application Security.
PLoP '97.
<A
HREF="http://st-www.cs.uiuc.edu/~hanmer/PLoP-97/Proceedings/yoder.pdf"
TARGET="_top"
>http://st-www.cs.uiuc.edu/~hanmer/PLoP-97/Proceedings/yoder.pdf</A
>.</P
><P
>[Zalewski 2001]
Zalewski, Michal.
May 16-17, 2001.
Delivering Signals for Fun and Profit:
Understanding, exploiting and preventing signal-handling related
vulnerabilities.
Bindview Corporation.
<A
HREF="http://razor.bindview.com/publish/papers/signals.txt"
TARGET="_top"
>http://razor.bindview.com/publish/papers/signals.txt</A
>.</P
><P
>[Zoebelein 1999]
Zoebelein, Hans U.
April 1999.
The Internet Operating System Counter.
<A
HREF="http://www.leb.net/hzo/ioscount"
TARGET="_top"
>http://www.leb.net/hzo/ioscount</A
>.</P
></DIV
><DIV
CLASS="NAVFOOTER"
><HR
ALIGN="LEFT"
WIDTH="100%"><TABLE
SUMMARY="Footer navigation table"
WIDTH="100%"
BORDER="0"
CELLPADDING="0"
CELLSPACING="0"
><TR
><TD
WIDTH="33%"
ALIGN="left"
VALIGN="top"
><A
HREF="conclusion.html"
ACCESSKEY="P"
>Prev</A
></TD
><TD
WIDTH="34%"
ALIGN="center"
VALIGN="top"
><A
HREF="index.html"
ACCESSKEY="H"
>Home</A
></TD
><TD
WIDTH="33%"
ALIGN="right"
VALIGN="top"
><A
HREF="document-history.html"
ACCESSKEY="N"
>Next</A
></TD
></TR
><TR
><TD
WIDTH="33%"
ALIGN="left"
VALIGN="top"
>Conclusion</TD
><TD
WIDTH="34%"
ALIGN="center"
VALIGN="top"
>&nbsp;</TD
><TD
WIDTH="33%"
ALIGN="right"
VALIGN="top"
>History</TD
></TR
></TABLE
></DIV
></BODY
></HTML
>