Chapter 13. Bibliography


The words of the wise are like goads, their collected sayings like firmly embedded nails--given by one Shepherd. Be warned, my son, of anything in addition to them. Of making many books there is no end, and much study wearies the body.

 Ecclesiastes 12:11-12 (NIV)

Note that there is a heavy emphasis on technical articles available on the web, since this is where most of this kind of technical information is available.

[Advosys 2000] Advosys Consulting (formerly named Webber Technical Services). Writing Secure Web Applications.

[Al-Herbish 1999] Al-Herbish, Thamer. 1999. Secure Unix Programming FAQ.

[Aleph1 1996] Aleph1. November 8, 1996. “Smashing The Stack For Fun And Profit”. Phrack Magazine. Issue 49, Article 14. or alternatively

[Anonymous 1999] Anonymous. October 1999. Maximum Linux Security: A Hacker’s Guide to Protecting Your Linux Server and Workstation. Sams. ISBN: 0672316706.

[Anonymous 1998] Anonymous. September 1998. Maximum Security : A Hacker’s Guide to Protecting Your Internet Site and Network. Sams. Second Edition. ISBN: 0672313413.

[Anonymous Phrack 2001] Anonymous. August 11, 2001. Once upon a free(). Phrack, Volume 0x0b, Issue 0x39, Phile #0x09 of 0x12.

[AUSCERT 1996] Australian Computer Emergency Response Team (AUSCERT) and O’Reilly. May 23, 1996 (rev 3C). A Lab Engineers Check List for Writing Secure Unix Code.

[Bach 1986] Bach, Maurice J. 1986. The Design of the Unix Operating System. Englewood Cliffs, NJ: Prentice-Hall, Inc. ISBN 0-13-201799-7 025.

[Beattie 2002] Beattie, Steve, Seth Arnold, Crispin Cowan, Perry Wagle, Chris Wright, Adam Shostack. November 2002. Timing the Application of Security Patches for Optimal Uptime. 2002 LISA XVI, November 3-8, 2002, Philadelphia, PA.

[Bellovin 1989] Bellovin, Steven M. April 1989. "Security Problems in the TCP/IP Protocol Suite". Computer Communications Review 2:19, pp. 32-48.

[Bellovin 1994] Bellovin, Steven M. December 1994. Shifting the Odds -- Writing (More) Secure Software. Murray Hill, NJ: AT&T Research.

[Bishop 1996] Bishop, Matt. May 1996. “UNIX Security: Security in Programming”. SANS ’96. Washington DC (May 1996).

[Bishop 1997] Bishop, Matt. October 1997. “Writing Safe Privileged Programs”. Network Security 1997 New Orleans, LA.

[Blaze 1996] Blaze, Matt, Whitfield Diffie, Ronald L. Rivest, Bruce Schneier, Tsutomu Shimomura, Eric Thompson, and Michael Wiener. January 1996. “Minimal Key Lengths for Symmetric Ciphers to Provide Adequate Commercial Security: A Report by an Ad Hoc Group of Cryptographers and Computer Scientists.” and

[CC 1999] The Common Criteria for Information Technology Security Evaluation (CC). August 1999. Version 2.1. Technically identical to International Standard ISO/IEC 15408:1999.

[CERT 1998] Computer Emergency Response Team (CERT) Coordination Center (CERT/CC). February 13, 1998. Sanitizing User-Supplied Data in CGI Scripts. CERT Advisory CA-97.25.CGI_metachar.

[Cheswick 1994] Cheswick, William R. and Steven M. Bellovin. Firewalls and Internet Security: Repelling the Wily Hacker. Full text at

[Clowes 2001] Clowes, Shaun. 2001. “A Study In Scarlet - Exploiting Common Vulnerabilities in PHP”.

[CMU 1998] Carnegie Mellon University (CMU). February 13, 1998. Version 1.4. “How To Remove Meta-characters From User-Supplied Data In CGI Scripts”.

[Cowan 1999] Cowan, Crispin, Perry Wagle, Calton Pu, Steve Beattie, and Jonathan Walpole. “Buffer Overflows: Attacks and Defenses for the Vulnerability of the Decade”. Proceedings of DARPA Information Survivability Conference and Expo (DISCEX), SANS 2000. For a copy, see

[Cox 2000] Cox, Philip. March 30, 2001. Hardening Windows 2000.

[Crosby 2003] Crosby, Scott A., and Dan S. Wallach. "Denial of Service via Algorithmic Complexity Attacks". Usenix Security 2003.

[Dobbertin 1996] Dobbertin, H. 1996. The Status of MD5 After a Recent Attack. RSA Laboratories’ CryptoBytes. Vol. 2, No. 2.

[Felten 1997] Felten, Edward W., Dirk Balfanz, Drew Dean, and Dan S. Wallach. Web Spoofing: An Internet Con Game. Technical Report 540-96 (revised Feb. 1997). Department of Computer Science, Princeton University.

[Fenzi 1999] Fenzi, Kevin, and Dave Wrenski. April 25, 1999. Linux Security HOWTO. Version 1.0.2.

[FHS 1997] Filesystem Hierarchy Standard (FHS 2.0). October 26, 1997. Filesystem Hierarchy Standard Group, edited by Daniel Quinlan. Version 2.0.

[Filipski 1986] Filipski, Alan and James Hanko. April 1986. “Making Unix Secure.” Byte (Magazine). Peterborough, NH: McGraw-Hill Inc. Vol. 11, No. 4. ISSN 0360-5280. pp. 113-128.

[Flake 2001] Flake, Halvar. Auditing Binaries for Security Vulnerabilities.

[FOLDOC] Free On-Line Dictionary of Computing.

[Forristal 2001] Forristal, Jeff, and Greg Shipley. January 8, 2001. Vulnerability Assessment Scanners. Network Computing.

[FreeBSD 1999] FreeBSD, Inc. 1999. “Secure Programming Guidelines”. FreeBSD Security Information.

[Friedl 1997] Friedl, Jeffrey E. F. 1997. Mastering Regular Expressions. O’Reilly. ISBN 1-56592-257-3.

[FSF 1998] Free Software Foundation. December 17, 1999. Overview of the GNU Project.

[FSF 1999] Free Software Foundation. January 11, 1999. The GNU C Library Reference Manual. Edition 0.08 DRAFT, for Version 2.1 Beta of the GNU C Library. Available at, for example,

[Fu 2001] Fu, Kevin, Emil Sit, Kendra Smith, and Nick Feamster. August 2001. “Dos and Don’ts of Client Authentication on the Web”. Proceedings of the 10th USENIX Security Symposium, Washington, D.C., August 2001.

[Gabrilovich 2002] Gabrilovich, Evgeniy, and Alex Gontmakher. February 2002. “Inside Risks: The Homograph Attack”. Communications of the ACM. Volume 45, Number 2. Page 128.

[Galvin 1998a] Galvin, Peter. April 1998. “Designing Secure Software”. Sunworld.

[Galvin 1998b] Galvin, Peter. August 1998. “The Unix Secure Programming FAQ”. Sunworld.

[Garfinkel 1996] Garfinkel, Simson and Gene Spafford. April 1996. Practical UNIX & Internet Security, 2nd Edition. ISBN 1-56592-148-8. Sebastopol, CA: O’Reilly & Associates, Inc.

[Garfinkle 1997] Garfinkle, Simson. August 8, 1997. 21 Rules for Writing Secure CGI Programs.

[Gay 2000] Gay, Warren W. October 2000. Advanced Unix Programming. Indianapolis, Indiana: Sams Publishing. ISBN 0-67231-990-X.

[Geodsoft 2001] Geodsoft. February 7, 2001. Hardening OpenBSD Internet Servers.

[Graham 1999] Graham, Jeff. May 4, 1999. Security-Audit’s Frequently Asked Questions (FAQ).

[Gong 1999] Gong, Li. June 1999. Inside Java 2 Platform Security. Reading, MA: Addison Wesley Longman, Inc. ISBN 0-201-31000-7.

[Gundavaram Unknown] Gundavaram, Shishir, and Tom Christiansen. Date Unknown. Perl CGI Programming FAQ.

[Hall 1999] Hall, Brian "Beej". January 13, 1999. Beej’s Guide to Network Programming Using Internet Sockets. Version 1.5.5.

[Howard 2002] Howard, Michael and David LeBlanc. 2002. Writing Secure Code. Redmond, Washington: Microsoft Press. ISBN 0-7356-1588-8.

[ISO 12207] International Organization for Standardization (ISO). 1995. Information technology -- Software life cycle processes. ISO/IEC 12207:1995.

[ISO 13335] International Organization for Standardization (ISO). ISO/IEC TR 13335. Guidelines for the Management of IT Security (GMITS). Note that this is a five-part technical report (not a standard); see also ISO/IEC 17799:2000. It includes:

[ISO 17799] International Organization for Standardization (ISO). December 2000. Code of Practice for Information Security Management. ISO/IEC 17799:2000.

[ISO 9000] International Organization for Standardization (ISO). 2000. Quality management systems - Fundamentals and vocabulary. ISO 9000:2000. See

[ISO 9001] International Organization for Standardization (ISO). 2000. Quality management systems - Requirements. ISO 9001:2000.

[Jones 2000] Jones, Jennifer. October 30, 2000. “Banking on Privacy”. InfoWorld, Volume 22, Issue 44. San Mateo, CA: International Data Group (IDG). pp. 1-12.

[Kelsey 1998] Kelsey, J., B. Schneier, D. Wagner, and C. Hall. March 1998. "Cryptanalytic Attacks on Pseudorandom Number Generators." Fast Software Encryption, Fifth International Workshop Proceedings (March 1998), Springer-Verlag, 1998, pp. 168-188.

[Kernighan 1988] Kernighan, Brian W., and Dennis M. Ritchie. 1988. The C Programming Language. Second Edition. Englewood Cliffs, NJ: Prentice-Hall. ISBN 0-13-110362-8.

[Kim 1996] Kim, Eugene Eric. 1996. CGI Developer’s Guide. Publishing. ISBN: 1-57521-087-8.

[Kiriansky 2002] Kiriansky, Vladimir, Derek Bruening, Saman Amarasinghe. "Secure Execution Via Program Shepherding". Proceedings of the 11th USENIX Security Symposium, San Francisco, California, August 2002.

[Kolsek 2002] Kolsek, Mitja. December 2002. Session Fixation Vulnerability in Web-based Applications.

[Kuchling 2000] Kuchling, A.M. 2000. Restricted Execution HOWTO.

[Kuhn 2002] Kuhn, Markus G. Optical Time-Domain Eavesdropping Risks of CRT displays. Proceedings of the 2002 IEEE Symposium on Security and Privacy, Oakland, CA, May 12-15, 2002.

[Landau 2004] Landau, Susan. 2004. Polynomials in the Nation’s Service: Using Algebra to Design the Advanced Encryption Standard. American Mathematical Monthly.

[LSD 2001] The Last Stage of Delirium. July 4, 2001. UNIX Assembly Codes Development for Vulnerabilities Illustration Purposes.

[McClure 1999] McClure, Stuart, Joel Scambray, and George Kurtz. 1999. Hacking Exposed: Network Security Secrets and Solutions. Berkeley, CA: Osbourne/McGraw-Hill. ISBN 0-07-212127-0.

[McKusick 1999] McKusick, Marshall Kirk. January 1999. “Twenty Years of Berkeley Unix: From AT&T-Owned to Freely Redistributable.” Open Sources: Voices from the Open Source Revolution.

[McGraw 1999] McGraw, Gary, and Edward W. Felten. December 1998. Twelve Rules for developing more secure Java code. Javaworld.

[McGraw 1999] McGraw, Gary, and Edward W. Felten. January 25, 1999. Securing Java: Getting Down to Business with Mobile Code, 2nd Edition John Wiley & Sons. ISBN 047131952X.

[McGraw 2000a] McGraw, Gary and John Viega. March 1, 2000. Make Your Software Behave: Learning the Basics of Buffer Overflows.

[McGraw 2000b] McGraw, Gary and John Viega. April 18, 2000. Make Your Software Behave: Software strategies. In the absence of hardware, you can devise a reasonably secure random number generator through software.

[Miller 1995] Miller, Barton P., David Koski, Cjin Pheow Lee, Vivekananda Maganty, Ravi Murthy, Ajitkumar Natarajan, and Jeff Steidl. 1995. Fuzz Revisited: A Re-examination of the Reliability of UNIX Utilities and Services.

[Miller 1999] Miller, Todd C. and Theo de Raadt. “strlcpy and strlcat -- Consistent, Safe, String Copy and Concatenation” Proceedings of Usenix ’99. and

[Mookhey 2002] Mookhey, K. K. The Unix Auditor’s Practical Handbook.

[MISRA 1998] The Motor Industry Software Reliability Association (MISRA). April 1998. Guidelines for the use of the C language in Vehicle Based Software.

[Mudge 1995] Mudge. October 20, 1995. How to write Buffer Overflows. l0pht advisories.

[Murhammer 1998] Murhammer, Martin W., Orcun Atakan, Stefan Bretz, Larry R. Pugh, Kazunari Suzuki, and David H. Wood. October 1998. TCP/IP Tutorial and Technical Overview. IBM International Technical Support Organization.

[NCSA] NCSA Secure Programming Guidelines.

[Neumann 2000] Neumann, Peter. 2000. "Robust Nonproprietary Software." Proceedings of the 2000 IEEE Symposium on Security and Privacy (the “Oakland Conference”), May 14-17, 2000, Berkeley, CA. Los Alamitos, CA: IEEE Computer Society. pp.122-123.

[NSA 2000] National Security Agency (NSA). September 2000. Information Assurance Technical Framework (IATF).

[Open Group 1997] The Open Group. 1997. Single UNIX Specification, Version 2 (UNIX 98).

[OSI 1999] Open Source Initiative. 1999. The Open Source Definition.

[Opplinger 1998] Oppliger, Rolf. 1998. Internet and Intranet Security. Norwood, MA: Artech House. ISBN 0-89006-829-1.

[Paulk 1993a] Paulk, Mark C., Bill Curtis, Mary Beth Chrissis, and Charles V. Weber. February 1993. Capability Maturity Model for Software, Version 1.1. Software Engineering Institute, CMU/SEI-93-TR-24. DTIC Number ADA263403.

[Paulk 1993b] Paulk, Mark C., Charles V. Weber, Suzanne M. Garcia, Mary Beth Chrissis, and Marilyn W. Bush. February 1993. Key Practices of the Capability Maturity Model, Version 1.1. Software Engineering Institute, CMU/SEI-93-TR-25. DTIC Number ADA263432.

[Peteanu 2000] Peteanu, Razvan. July 18, 2000. Best Practices for Secure Web Development.

[Pfleeger 1997] Pfleeger, Charles P. 1997. Security in Computing. Upper Saddle River, NJ: Prentice-Hall PTR. ISBN 0-13-337486-6.

[Phillips 1995] Phillips, Paul. September 3, 1995. Safe CGI Programming.

[Quintero 1999] Quintero, Federico Mena, Miguel de Icaza, and Morten Welinder. GNOME Programming Guidelines.

[Raymond 1997] Raymond, Eric. 1997. The Cathedral and the Bazaar.

[Raymond 1998] Raymond, Eric. April 1998. Homesteading the Noosphere.

[Ranum 1998] Ranum, Marcus J. 1998. Security-critical coding for programmers - a C and UNIX-centric full-day tutorial.

[RFC 822] August 13, 1982. Standard for the Format of ARPA Internet Text Messages. IETF RFC 822.

[rfp 1999] rain.forest.puppy. 1999. “Perl CGI problems”. Phrack Magazine. Issue 55, Article 07. or

[Rijmen 2000] Rijmen, Vincent. " Speaks With AES Winner".

[Rochkind 1985] Rochkind, Marc J. 1985. Advanced Unix Programming. Englewood Cliffs, NJ: Prentice-Hall, Inc. ISBN 0-13-011818-4.

[Sahu 2002] Sahu, Bijaya Nanda, Srinivasan S. Muthuswamy, Satya Nanaji Rao Mallampalli, and Venkata R. Bonam. July 2002. “Is your Java code secure -- or exposed? Build safer applications now to avoid trouble later”.

[St. Laurent 2000] St. Laurent, Simon. February 2000. XTech 2000 Conference Reports. “When XML Gets Ugly”.

[Saltzer 1974] Saltzer, J. July 1974. “Protection and the Control of Information Sharing in MULTICS”. Communications of the ACM. v17 n7. pp. 388-402.

[Saltzer 1975] Saltzer, J., and M. Schroeder. September 1975. “The Protection of Information in Computing Systems”. Proceedings of the IEEE. v63 n9. pp. 1278-1308. Summarized in [Pfleeger 1997, 286].

[Schneider 2000] Schneider, Fred B. 2000. "Open Source in Security: Visiting the Bizarre." Proceedings of the 2000 IEEE Symposium on Security and Privacy (the “Oakland Conference”), May 14-17, 2000, Berkeley, CA. Los Alamitos, CA: IEEE Computer Society. pp. 126-127.

[Schneier 1996] Schneier, Bruce. 1996. Applied Cryptography, Second Edition: Protocols, Algorithms, and Source Code in C. New York: John Wiley and Sons. ISBN 0-471-12845-7.

[Schneier 1998] Schneier, Bruce and Mudge. November 1998. Cryptanalysis of Microsoft’s Point-to-Point Tunneling Protocol (PPTP). Proceedings of the 5th ACM Conference on Communications and Computer Security, ACM Press.

[Schneier 1999] Schneier, Bruce. September 15, 1999. “Open Source and Security”. Crypto-Gram. Counterpane Internet Security, Inc.

[Seifried 1999] Seifried, Kurt. October 9, 1999. Linux Administrator’s Security Guide.

[Seifried 2001] Seifried, Kurt. September 2, 2001. WWW Authentication.

[Shankland 2000] Shankland, Stephen. “Linux poses increasing threat to Windows 2000”. CNET.

[Shostack 1999] Shostack, Adam. June 1, 1999. Security Code Review Guidelines.

[Sibert 1996] Sibert, W. Olin. Malicious Data and Computer Security. (NIST) NISSC ’96.

[Sitaker 1999] Sitaker, Kragen. Feb 26, 1999. How to Find Security Holes and

[SSE-CMM 1999] SSE-CMM Project. April 1999. Systems Security Engineering Capability Maturity Model (SSE CMM) Model Description Document. Version 2.0.

[Stallings 1996] Stallings, William. Practical Cryptography for Data Internetworks. Los Alamitos, CA: IEEE Computer Society Press. ISBN 0-8186-7140-8.

[Stein 1999] Stein, Lincoln D. September 13, 1999. The World Wide Web Security FAQ. Version 2.0.1.

[Swan 2001] Swan, Daniel. January 6, 2001. FAQ. Version 1.0.

[Swanson 1996] Swanson, Marianne, and Barbara Guttman. September 1996. Generally Accepted Principles and Practices for Securing Information Technology Systems. NIST Computer Security Special Publication (SP) 800-14.

[Thompson 1974] Thompson, K. and D.M. Ritchie. July 1974. “The UNIX Time-Sharing System”. Communications of the ACM. Vol. 17, No. 7. pp. 365-375.

[Torvalds 1999] Torvalds, Linus. February 1999. “The Story of the Linux Kernel”. Open Sources: Voices from the Open Source Revolution. Edited by Chris Dibona, Mark Stone, and Sam Ockman. O’Reilly and Associates. ISBN 1565925823.

[TruSecure 2001] TruSecure. August 2001. Open Source Security: A Look at the Security Benefits of Source Code Access.

[Unknown] SETUID(7)

[Van Biesbrouck 1996] Van Biesbrouck, Michael. April 19, 1996.

[van Oorschot 1994] van Oorschot, P. and M. Wiener. November 1994. “Parallel Collision Search with Applications to Hash Functions and Discrete Logarithms”. Proceedings of ACM Conference on Computer and Communications Security.

[Venema 1996] Venema, Wietse. 1996. Murphy’s law and computer security.

[Viega 2002] Viega, John, and Gary McGraw. 2002. Building Secure Software. Addison-Wesley. ISBN 0201-72152-X.

[Watters 1996] Watters, Aaron, Guido van Rossum, and James C. Ahlstrom. 1996. Internet Programming with Python. NY, NY: Henry Holt and Company, Inc.

[Wheeler 1996] Wheeler, David A., Bill Brykczynski, and Reginald N. Meeson, Jr. 1996. Software Inspection: An Industry Best Practice. Los Alamitos, CA: IEEE Computer Society Press. IEEE Computer Society Press Order Number BP07340. Library of Congress Number 95-41054. ISBN 0-8186-7340-0.

[Witten 2001] Witten, Brian, Carl Landwehr, and Michael Caloyannides. September/October 2001. “Does Open Source Improve System Security?” IEEE Software. pp. 57-61.

[Wood 1985] Wood, Patrick H. and Stephen G. Kochan. 1985. Unix System Security. Indianapolis, Indiana: Hayden Books. ISBN 0-8104-6267-2.

[Wreski 1998] Wreski, Dave. August 22, 1998. Linux Security Administrator’s Guide. Version 0.98.

[Yoder 1998] Yoder, Joseph and Jeffrey Barcalow. 1998. Architectural Patterns for Enabling Application Security. PLoP ’97.

[Zalewski 2001] Zalewski, Michal. May 16-17, 2001. Delivering Signals for Fun and Profit: Understanding, exploiting and preventing signal-handling related vulnerabilities. Bindview Corporation.

[Zoebelein 1999] Zoebelein, Hans U. April 1999. The Internet Operating System Counter.