A.2 Papers and Articles

Advosys Consulting. "Preventing HTML Form Tampering." 2001. See http://advosys.ca/tips/form-tampering.html. Lots of good technical tips.

Advosys Consulting. "Writing Secure Web Applications." 2001. See http://advosys.ca/tips/web-security.html. As above, many sound technical tips.

Aleph1. "Smashing the Stack for Fun and Profit." Phrack Magazine. 49-14. 1996. See http://www.phrack.org/phrack/49/P49-14. Detailed, accurate, and deadly.

Al-Herbish, Thamer. "Secure Unix Programming FAQ." 1999. See http://www.whitefang.com/sup. Excellent and detailed, with good technical detail.

Anderson, Robert H. and Anthony C. Hearn. "An Exploration of Cyberspace Security R&D Investment Strategies for DARPA: The Day After... in Cyberspace II." Rand Corporation. MR-797-DARPA. 1996. Abstract available online at http://www.rand.org/cgi-bin/Abstracts/e-getabbydoc.pl?MR-797. A discussion of security retrofitting as part of a strategy for critical infrastructure protection.

Anonymous. "SETUID(7), the SETUID Man Page." Date unknown. Available online at http://www.homeport.org/~adam/setuid.7.html. Perhaps the earliest discussion of the security issues involved with Unix setuid programming, and certainly one of the best.

AusCERT. "A Lab Engineers Check List for Writing Secure Unix Code." Australian Computer Emergency Response Team. 1996. Available online at ftp://ftp.auscert.org.au/pub/auscert/papers/secure_programming_checklist. One of the first such formulations. It was one of the primary inspirations for our own book. Still quite valuable.

Bellovin, Steven M. "Shifting the Odds—Writing (More) Secure Software." Murray Hill, NJ: AT&T Research. 1994. Available online from Dr. Bellovin's site at http://www.research.att.com/~smb/talks/odds.pdf. A clear and accurate discussion of good secure coding techniques by an authority on the subject.

Bishop, Matt. "Race Conditions, Files, and Security Flaws; or the Tortoise and the Hare Redux." Course lecture notes from CSE 95-08. 1995. Available online at http://seclab.cs.ucdavis.edu/projects/vulnerabilities/scriv/ucd-ecs-95-08.pdf. An early and definitive discussion of race condition vulnerabilities by a leading academic researcher.

Bishop, Matt. "UNIX Security: Security in Programming." SANS. 1996. See http://olympus.cs.ucdavis.edu/~bishop/secprog.html. An excellent set of recommendations.

Bishop, Matt. "Writing Safe Privileged Programs." Network Security Conference. 1997. See http://olympus.cs.ucdavis.edu/~bishop/secprog.html. An early and excellent set of comprehensive recommendations.

Bishop, Matt. "Vulnerabilities Analysis." Presentation slides. 1997. Available online at http://nob.cs.ucdavis.edu/~bishop/talks/Pdf/vulclass-raid1999.pdf. A comprehensive overview.

Bishop, Matt, and Michael Dilger. "Checking for Race Conditions in File Accesses." 1996. Not available at press time from the UC Davis archives. See http://milliways.stanford.edu/~radoshi/summaries/Bishop_Dilger_Checking_for_Race_Conditions_in_File_Access.html. Overall, the best analysis of race conditions we have seen to date.

CERT/CC. "CERT Survivability Project Report." Computer Emergency Response Team Coordination Center (CERT/CC). 1996. Available online at http://www.ieee-security.org/Cipher/Newsbriefs/1996/960223.kerbbug.html. Good material on building robust systems.

CERT/CC. "How To Remove Meta-characters From User-Supplied Data In CGI Scripts." Computer Emergency Response Team Coordination Center. 1999. Available online from the CERT/CC repository. See http://www.cert.org/tech_tips/cgi_metacharacters.html. Expert advice on a common problem.

Cowan, Crispin, Perry Wagle, Calton Pu, Steve Beattie, and Jonathan Walpole. "Buffer Overflows: Attacks and Defenses for the Vulnerability of the Decade." Proceedings of DARPA Information Survivability Conference and Expo (DISCEX). 1999. See http://www.immunix.org/StackGuard/discex00.pdf. A detailed explanation by leading analysts.

Cowan, Crispin, Steve Beattie, Ryan Finnin Day, Calton Pu, Perry Wagle, and Erik Walthinsen. "Protecting Systems from Stack Smashing Attacks with StackGuard." Proceedings of the 1998 Usenix Security Conference. Available online at http://www.immunix.org/StackGuard/usenixsc98.pdf. The paper that introduced StackGuard. Very clear explanation of buffer overflow vulnerabilities, the stack smashing attack, and one technique to stop it.

Daemon9. "Project Neptune." Phrack Magazine, 48-13. 1996. Available online at http://www.phrack.org/phrack/48/P48-13. The first article about SYN flooding to get wide distribution.

Dole, Bryn, Steve Lodin, and Eugene Spafford. "Misplaced Trust: Kerberos 4 Session Keys." Proceedings of the 1997 ISOC Conference. 1997. Available online at http://www.isoc.org/isoc/conferences/ndss/97/dole_sl.pdf. Details of the "non-random random numbers" vulnerability in Kerberos 4 by the people who found it.

Du, Wenliang. "Categorization of Software Errors That Led to Security Breaches." Proceedings of the 1998 NISSC. 1998. Available online at http://csrc.nist.gov/nissc/1998/proceedings/paperF9.pdf. A good discussion of security vulnerability taxonomy schemes.

Galvin, Peter. "Designing Secure Software." SunWorld. 1998. Available online at http://www.sunworld.com/swol-04-1998/swol-04-security.html. Brief but clear description of some fundamental issues.

Garfinkel, Simson. "21 Rules for Writing Secure CGI Programs." 1997. See http://www.webreview.com/1997/08_08/developers/08_08_97_3.shtml. Good sound clear advice.

Gong, Li. "Java Security Model." Sun Microsystems. 1998. Available online at http://java.sun.com/products/jdk/1.2/docs/guide/security/spec/security-spec.doc.html. A general description by the principal architect.

Graff, Mark G. "Sun Security Bulletin 122." Sun Microsystems. 1993. See http://sunsolve.sun.com/pub-cgi/retrieve.pl?doc=secbull/122. The Sun security bulletin that talks about the "tarball" vulnerability.

Graff, Mark G. "Sun Security Bulletin 134." Sun Microsystems. 1996. See http://sunsolve.sun.com/pub-cgi/retrieve.pl?doc=secbull/134. The Sun security bulletin that talks about the Java "classloader" vulnerability.

Graham, Jeff. "Security-Audit's Frequently Asked Questions (FAQ)." 1999. See http://lsap.org/faq.txt. Brief but informative.

Gundavaram, Shishir, and Tom Christiansen. Perl CGI Programming FAQ. Date unknown. See http://language.perl.com/CPAN/doc/FAQs/cgi/perl-cgi-faq.html. Some good material on avoiding Perl CGI security vulnerabilities.

Hardin, Garrett. "The Tragedy of the Commons." Science. (162) 1968. An uncommon insight with wide application.

Krsul, Ivan, Eugene Spafford, and Mahesh Tripunitara. "An Analysis of Some Software Vulnerabilities." 1998. See http://widsard.sourceforge.net/doc/03.pdf. An outstanding, highly technical analysis of several vulnerability types.

Kuperman, Benjamin A., and Eugene Spafford. "Generation of Application Level Audit Data via Library Interposition." CERIAS Tech Report TR-99-11. 1999. An excellent example of modern security analysis techniques.

McGraw, Gary and John Viega. "Make Your Software Behave: Learning the Basics of Buffer Overflows." 2000. See http://www-4.ibm.com/software/developer/library/overflows/index.html. Clear, accurate description of what causes buffer overflows and how to avoid coding them.

Miller, Barton P. "An Empirical Study of the Reliability Of UNIX Utilities." Communications of the ACM, 33-12. 1990. Miller's original article about the Fuzz program. Entertaining, brilliant, seminal discussion of black-box testing.

Miller, Barton P., David Koski, Cjin Pheow Lee, Vivekananda Maganty, Ravi Murthy, Ajitkumar Natarajan, and Jeff Steidl. "Fuzz Revisited: A Re-examination of the Reliability of UNIX Utilities and Services." 1995. See http://www.opensource.org/advocacy/fuzz-revisited.pdf. A worthy follow-up to the original.

Miller, Todd C. and Theo de Raadt. "strlcpy and strlcat—Consistent, Safe, String Copy and Concatenation." Proceedings of Usenix. 1999. See http://www.courtesan.com/todd/papers/strlcpy.html. Introduces new "tamper-resistant" versions of two Unix system calls.

Mudge. "How to Write Buffer Overflows." 1995. Available online at http://www.insecure.org/stf/mudge_buffer_overflow_tutorial.html. Extremely technical and deadly accurate.

NCSA. "NCSA Secure Programming Guidelines." 1997. Available online. See http://www.ncsa.uiuc.edu/General/Grid/ACES/security/programming. Brief but clear discussion of C, CGI, Perl, and some Unix shell scripting languages.

NCSA. "Writing Secure CGI Scripts." 1997. Available online from the National Center for Supercomputer Applications (NCSA) repository. See http://hoohoo.ncsa.uiuc.edu/cgi/security.html. Excellent overview.

Phillips, Paul. "Safe CGI Programming." Last updated in 1997. See http://www.go2net.com/people/paulp/cgi-security/safe-cgi.txt. Slightly dated but still useful.

Rain Forest Puppy. "Perl CGI problems." Phrack Magazine. 55-07. 1999. See http://www.insecure.org/news/P55-07.txt. A discussion of CGI security vulnerabilities.

Ranum, Marcus J. "Security-critical coding for programmers—A C and UNIX-Centric Full-Day Tutorial." 1998. Available online from Mr. Ranum's repository. See http://www.ranum.com/pubs/pdf/security-for-developers.pdf. Very worthwhile.

Reshef, Eran and Izhar Bar-Gad. "Web Application Security." See http://www.sanctuminc.com/pdf/Web_Application_Security_TISC.pdf. The paper that introduced the AppShield product, an advance in web application testing.

Saltzer, J.H., and M.D. Schroeder. "The Protection of Information in Computer Systems." Proceedings of the IEEE. 63-9. 1975. An early analysis of computer security architecture principles that is still perfectly accurate.

SecuriTeam. "Sendmail smrsh Bypass Vulnerabilities." SecuriTeam security bulletin. 2002. Available in the SecuriTeam online repository. See http://www.securiteam.com/unixfocus/6F0030A5PG.html. Bulletin that pointed out security vulnerabilities in smrsh, the Sendmail wrapper program.

Shostack, Adam. "Security Code Review Guidelines." 1999. Available online at http://www.homeport.org/~adam/review.html. Good technical description of how to avoid coding in several kinds of vulnerabilities.

Sibert, W. Olin. "Malicious Data and Computer Security." NISSC. 1996. Available online at http://www.fish.com/security/maldata.html. Clearly written yet detailed look at vulnerabilities arising from malicious data, and how to avoid them.

Sitaker, Kragen. "How to Find Security Holes." 1999. Available online at http://www.canonical.org/~kragen/security-holes.html. Accurate and useful look at both high-level and low-level design problems.

Soo Hoo, Kevin, Andrew W. Sudbury, and Andrew R. Jaquith. "Tangible ROI through Secure Software Engineering." Secure Business Quarterly. 1-2. 2001. Available online at http://www.sbq.com/sbq/rosi/sbq_rosi_software_engineering.pdf. An economic analysis of the cost of fixing security vulnerabilities at various stages in the software development cycle.

Spafford, Eugene H. "Crisis and Aftermath." Communications of the ACM. 32-6. 1989. An analysis of the 1988 Internet (Morris) worm.

Spafford, Eugene H. "UNIX and Security: The Influences of History." Information Systems Security. Auerbach Publications. 4-3. 1995. Describes how Unix utilities were developed at Berkeley, and explores the security implications.

Spafford, Eugene H. "One View of A Critical National Need: Support for Information Security Education and Research." Purdue University document COAST TR 97-8. 1997. See http://www.cerias.purdue.edu/homes/spaf/misc/edu.pdf. Congressional testimony identifying what Dr. Spafford called a "national crisis" in information security education.

Stein, Lincoln D., and John N. Stewart. "The World Wide Web Security FAQ." Various versions. See http://www.w3.org/Security/Faq/www-security-faq.html. Good detailed technical treatment of many web security issues.

Stephenson, Peter. "Book Review: Information Security Architecture." SC Magazine. 2001. See http://www.scmagazine.com/scmagazine/sc-online/2001/review/005/product_book.html. A short but helpful view of enterprise security architecture.

Strickland, Karl. "Re: A plea for calm Re: [8lgm]-Advisory-6.UNIX.mail2.2-May-1994." Comment on comp.security.unix discussion thread. 1994. An exchange about how hard (or easy) it is for a large software vendor to fix several security vulnerabilities at the same time.

Sun Microsystems. "Secure Code Guidelines." 2000. Available online from http://www.java.sun.com/security/seccodeguide.html. Gives tips in three areas: privileged code, Java, and C.

Swanson, Marianne, and Barbara Guttman. "Generally Accepted Principles and Practices for Securing Information Technology Systems." National Institute of Standards and Guidelines Computer Security Special Publication 800-14. 1996. See http://csrc.nist.gov/publications/nistpubs/800-14/800-14.pdf. This report of the GASSP committee is one of the best summaries of sound security architecture and design principles.

Thompson, Ken. "Reflections on Trusting Trust." Communications of the ACM. 27-8. 1984. Chilling, authoritative discussion of the chain of trust.

Van Biesbrouck, Michael. "CGI Security Tutorial." 1996. See http://www.thinkage.on.ca/~mlvanbie/cgisec/. Contains many good CGI-specific technical tips.

Venema, Wietse. "Murphy's law and computer security." 1996. Available from Dr. Venema's site at ftp://ftp.porcupine.org/pub/security/murphy.txt.gz. An expert and highly readable exposition of several types of common implementation errors, including not-truly-random numbers (e.g., the Kerberos 4 bug) and race condition troubles.

Venema, Wietse. "TCP Wrappers." 1997. Available from ftp://ftp.porcupine.org/pub/security/tcp_wrapper.txt.Z. Entertaining article about the genesis of TCP Wrappers.

World Wide Web Consortium. "The World Wide Web Security FAQ." 1997. See http://www.w3.org/Security/Faq/wwwsf5.html. Useful and accurate technical advice on safe CGI scripts and other similar topics.

Yoder, Joseph and Jeffrey Barcalow. "Architectural Patterns for Enabling Application Security." Proceedings of the 1997 Pattern Languages of Programming Conference (Plop 1997). 1998. Available online at http://st-www.cs.uiuc.edu/~hanmer/PLoP-97/Proceedings/yoder.pdf. Presents a strong set of architectural principles for secure coding.