<HTML ><HEAD ><TITLE >Bibliography</TITLE ><META NAME="GENERATOR" CONTENT="Modular DocBook HTML Stylesheet Version 1.7"><LINK REL="HOME" TITLE="Secure Programming for Linux and Unix HOWTO" HREF="index.html"><LINK REL="PREVIOUS" TITLE="Conclusion" HREF="conclusion.html"><LINK REL="NEXT" TITLE="History" HREF="document-history.html"></HEAD ><BODY CLASS="CHAPTER" BGCOLOR="#FFFFFF" TEXT="#000000" LINK="#0000FF" VLINK="#840084" ALINK="#0000FF" ><DIV CLASS="NAVHEADER" ><TABLE SUMMARY="Header navigation table" WIDTH="100%" BORDER="0" CELLPADDING="0" CELLSPACING="0" ><TR ><TH COLSPAN="3" ALIGN="center" >Secure Programming for Linux and Unix HOWTO</TH ></TR ><TR ><TD WIDTH="10%" ALIGN="left" VALIGN="bottom" ><A HREF="conclusion.html" ACCESSKEY="P" >Prev</A ></TD ><TD WIDTH="80%" ALIGN="center" VALIGN="bottom" ></TD ><TD WIDTH="10%" ALIGN="right" VALIGN="bottom" ><A HREF="document-history.html" ACCESSKEY="N" >Next</A ></TD ></TR ></TABLE ><HR ALIGN="LEFT" WIDTH="100%"></DIV ><DIV CLASS="CHAPTER" ><H1 ><A NAME="BIBLIOGRAPHY" ></A >Chapter 13. Bibliography</H1 ><TABLE BORDER="0" WIDTH="100%" CELLSPACING="0" CELLPADDING="0" CLASS="EPIGRAPH" ><TR ><TD WIDTH="45%" > </TD ><TD WIDTH="45%" ALIGN="LEFT" VALIGN="TOP" ><I ><P ><I >The words of the wise are like goads, their collected sayings like firmly embedded nails--given by one Shepherd. Be warned, my son, of anything in addition to them. Of making many books there is no end, and much study wearies the body.</I ></P ></I ></TD ></TR ><TR ><TD WIDTH="45%" > </TD ><TD WIDTH="45%" ALIGN="RIGHT" VALIGN="TOP" ><I ><SPAN CLASS="ATTRIBUTION" >Ecclesiastes 12:11-12 (NIV)</SPAN ></I ></TD ></TR ></TABLE ><P ><EM >Note that there is a heavy emphasis on technical articles available on the web, since this is where most of this kind of technical information is available.</EM ></P ><P >[Advosys 2000] Advosys Consulting (formerly named Webber Technical Services). <EM >Writing Secure Web Applications</EM >. 
<A HREF="http://advosys.ca/tips/web-security.html" TARGET="_top" >http://advosys.ca/tips/web-security.html</A ></P ><P >[Al-Herbish 1999] Al-Herbish, Thamer. 1999. <EM >Secure Unix Programming FAQ</EM >. <A HREF="http://www.whitefang.com/sup" TARGET="_top" >http://www.whitefang.com/sup</A >.</P ><P >[Aleph1 1996] Aleph1. November 8, 1996. ``Smashing The Stack For Fun And Profit''. <EM >Phrack Magazine</EM >. Issue 49, Article 14. <A HREF="http://www.phrack.com/search.phtml?view&article=p49-14" TARGET="_top" >http://www.phrack.com/search.phtml?view&article=p49-14</A > or alternatively <A HREF="http://www.2600.net/phrack/p49-14.html" TARGET="_top" >http://www.2600.net/phrack/p49-14.html</A >.</P ><P >[Anonymous 1999] Anonymous. October 1999. Maximum Linux Security: A Hacker's Guide to Protecting Your Linux Server and Workstation. Sams. ISBN: 0672316706.</P ><P >[Anonymous 1998] Anonymous. September 1998. Maximum Security: A Hacker's Guide to Protecting Your Internet Site and Network. Sams. Second Edition. ISBN: 0672313413.</P ><P >[Anonymous Phrack 2001] Anonymous. August 11, 2001. Once upon a free(). Phrack, Volume 0x0b, Issue 0x39, Phile #0x09 of 0x12. <A HREF="http://phrack.org/show.php?p=57&a=9" TARGET="_top" >http://phrack.org/show.php?p=57&a=9</A ></P ><P >[AUSCERT 1996] Australian Computer Emergency Response Team (AUSCERT) and O'Reilly. May 23, 1996 (rev 3C). <EM >A Lab Engineers Check List for Writing Secure Unix Code</EM >. <A HREF="ftp://ftp.auscert.org.au/pub/auscert/papers/secure_programming_checklist" TARGET="_top" >ftp://ftp.auscert.org.au/pub/auscert/papers/secure_programming_checklist</A ></P ><P >[Bach 1986] Bach, Maurice J. 1986. <EM >The Design of the Unix Operating System</EM >. Englewood Cliffs, NJ: Prentice-Hall, Inc. ISBN 0-13-201799-7 025.</P ><P >[Beattie 2002] Beattie, Steve, Seth Arnold, Crispin Cowan, Perry Wagle, Chris Wright, and Adam Shostack. November 2002. Timing the Application of Security Patches for Optimal Uptime. 
2002 LISA XVI, November 3-8, 2002, Philadelphia, PA.</P ><P >[Bellovin 1989] Bellovin, Steven M. April 1989. "Security Problems in the TCP/IP Protocol Suite". Computer Communications Review 2:19, pp. 32-48. <A HREF="http://www.research.att.com/~smb/papers/ipext.pdf" TARGET="_top" >http://www.research.att.com/~smb/papers/ipext.pdf</A ></P ><P >[Bellovin 1994] Bellovin, Steven M. December 1994. <EM >Shifting the Odds -- Writing (More) Secure Software</EM >. Murray Hill, NJ: AT&T Research. <A HREF="http://www.research.att.com/~smb/talks" TARGET="_top" >http://www.research.att.com/~smb/talks</A ></P ><P >[Bishop 1996] Bishop, Matt. May 1996. ``UNIX Security: Security in Programming''. <EM >SANS '96</EM >. Washington DC (May 1996). <A HREF="http://olympus.cs.ucdavis.edu/~bishop/secprog.html" TARGET="_top" >http://olympus.cs.ucdavis.edu/~bishop/secprog.html</A ></P ><P >[Bishop 1997] Bishop, Matt. October 1997. ``Writing Safe Privileged Programs''. <EM >Network Security 1997</EM >. New Orleans, LA. <A HREF="http://olympus.cs.ucdavis.edu/~bishop/secprog.html" TARGET="_top" >http://olympus.cs.ucdavis.edu/~bishop/secprog.html</A ></P ><P >[Blaze 1996] Blaze, Matt, Whitfield Diffie, Ronald L. Rivest, Bruce Schneier, Tsutomu Shimomura, Eric Thompson, and Michael Wiener. January 1996. ``Minimal Key Lengths for Symmetric Ciphers to Provide Adequate Commercial Security: A Report by an Ad Hoc Group of Cryptographers and Computer Scientists.'' <A HREF="ftp://ftp.research.att.com/dist/mab/keylength.txt" TARGET="_top" >ftp://ftp.research.att.com/dist/mab/keylength.txt</A > and <A HREF="ftp://ftp.research.att.com/dist/mab/keylength.ps" TARGET="_top" >ftp://ftp.research.att.com/dist/mab/keylength.ps</A >.</P ><P >[CC 1999] <EM >The Common Criteria for Information Technology Security Evaluation (CC)</EM >. August 1999. Version 2.1. Technically identical to International Standard ISO/IEC 15408:1999. 
<A HREF="http://csrc.nist.gov/cc/ccv20/ccv2list.htm" TARGET="_top" >http://csrc.nist.gov/cc/ccv20/ccv2list.htm</A ></P ><P >[CERT 1998] Computer Emergency Response Team (CERT) Coordination Center (CERT/CC). February 13, 1998. <EM >Sanitizing User-Supplied Data in CGI Scripts</EM >. CERT Advisory CA-97.25.CGI_metachar. <A HREF="http://www.cert.org/advisories/CA-97.25.CGI_metachar.html" TARGET="_top" >http://www.cert.org/advisories/CA-97.25.CGI_metachar.html</A >.</P ><P >[Cheswick 1994] Cheswick, William R. and Steven M. Bellovin. Firewalls and Internet Security: Repelling the Wily Hacker. Full text at <A HREF="http://www.wilyhacker.com" TARGET="_top" >http://www.wilyhacker.com</A >.</P ><P >[Clowes 2001] Clowes, Shaun. 2001. ``A Study In Scarlet - Exploiting Common Vulnerabilities in PHP''. <A HREF="http://www.securereality.com.au/archives.html" TARGET="_top" >http://www.securereality.com.au/archives.html</A ></P ><P >[CMU 1998] Carnegie Mellon University (CMU). February 13, 1998. Version 1.4. ``How To Remove Meta-characters From User-Supplied Data In CGI Scripts''. <A HREF="ftp://ftp.cert.org/pub/tech_tips/cgi_metacharacters" TARGET="_top" >ftp://ftp.cert.org/pub/tech_tips/cgi_metacharacters</A >.</P ><P >[Cowan 1999] Cowan, Crispin, Perry Wagle, Calton Pu, Steve Beattie, and Jonathan Walpole. ``Buffer Overflows: Attacks and Defenses for the Vulnerability of the Decade''. Proceedings of DARPA Information Survivability Conference and Expo (DISCEX), <A HREF="http://schafercorp-ballston.com/discex" TARGET="_top" >http://schafercorp-ballston.com/discex</A >. SANS 2000. <A HREF="http://www.sans.org/newlook/events/sans2000.htm" TARGET="_top" >http://www.sans.org/newlook/events/sans2000.htm</A >. For a copy, see <A HREF="http://immunix.org/documentation.html" TARGET="_top" >http://immunix.org/documentation.html</A >.</P ><P >[Cox 2000] Cox, Philip. March 30, 2001. Hardening Windows 2000. 
<A HREF="http://www.systemexperts.com/win2k/hardenW2K11.pdf" TARGET="_top" >http://www.systemexperts.com/win2k/hardenW2K11.pdf</A >.</P ><P >[Dobbertin 1996] Dobbertin, H. 1996. The Status of MD5 After a Recent Attack. RSA Laboratories' CryptoBytes. Vol. 2, No. 2.</P ><P >[Felten 1997] Edward W. Felten, Dirk Balfanz, Drew Dean, and Dan S. Wallach. Web Spoofing: An Internet Con Game. Technical Report 540-96 (revised Feb. 1997). Department of Computer Science, Princeton University. <A HREF="http://www.cs.princeton.edu/sip/pub/spoofing.pdf" TARGET="_top" >http://www.cs.princeton.edu/sip/pub/spoofing.pdf</A ></P ><P >[Fenzi 1999] Fenzi, Kevin, and Dave Wrenski. April 25, 1999. <EM >Linux Security HOWTO</EM >. Version 1.0.2. <A HREF="http://www.tldp.org/HOWTO/Security-HOWTO.html" TARGET="_top" >http://www.tldp.org/HOWTO/Security-HOWTO.html</A ></P ><P >[FHS 1997] Filesystem Hierarchy Standard (FHS 2.0). October 26, 1997. Filesystem Hierarchy Standard Group, edited by Daniel Quinlan. Version 2.0. <A HREF="http://www.pathname.com/fhs" TARGET="_top" >http://www.pathname.com/fhs</A >.</P ><P >[Filipski 1986] Filipski, Alan and James Hanko. April 1986. ``Making Unix Secure.'' Byte (Magazine). Peterborough, NH: McGraw-Hill Inc. Vol. 11, No. 4. ISSN 0360-5280. pp. 113-128.</P ><P >[Flake 2001] Flake, Halvar. Auditing Binaries for Security Vulnerabilities. <A HREF="http://www.blackhat.com/html/win-usa-01/win-usa-01-speakers.html" TARGET="_top" >http://www.blackhat.com/html/win-usa-01/win-usa-01-speakers.html</A >.</P ><P >[FOLDOC] Free On-Line Dictionary of Computing. <A HREF="http://foldoc.doc.ic.ac.uk/foldoc/index.html" TARGET="_top" >http://foldoc.doc.ic.ac.uk/foldoc/index.html</A >.</P ><P >[Forristal 2001] Forristal, Jeff, and Greg Shipley. January 8, 2001. Vulnerability Assessment Scanners. Network Computing. <A HREF="http://www.nwc.com/1201/1201f1b1.html" TARGET="_top" >http://www.nwc.com/1201/1201f1b1.html</A ></P ><P >[FreeBSD 1999] FreeBSD, Inc. 1999. 
``Secure Programming Guidelines''. <EM >FreeBSD Security Information</EM >. <A HREF="http://www.freebsd.org/security/security.html" TARGET="_top" >http://www.freebsd.org/security/security.html</A ></P ><P >[Friedl 1997] Friedl, Jeffrey E. F. 1997. Mastering Regular Expressions. O'Reilly. ISBN 1-56592-257-3.</P ><P >[FSF 1998] Free Software Foundation. December 17, 1999. <EM >Overview of the GNU Project</EM >. <A HREF="http://www.gnu.ai.mit.edu/gnu/gnu-history.html" TARGET="_top" >http://www.gnu.ai.mit.edu/gnu/gnu-history.html</A ></P ><P >[FSF 1999] Free Software Foundation. January 11, 1999. <EM >The GNU C Library Reference Manual</EM >. Edition 0.08 DRAFT, for Version 2.1 Beta of the GNU C Library. Available at, for example, <A HREF="http://www.netppl.fi/~pp/glibc21/libc_toc.html" TARGET="_top" >http://www.netppl.fi/~pp/glibc21/libc_toc.html</A ></P ><P >[Fu 2001] Fu, Kevin, Emil Sit, Kendra Smith, and Nick Feamster. August 2001. ``Dos and Don'ts of Client Authentication on the Web''. Proceedings of the 10th USENIX Security Symposium, Washington, D.C., August 2001. <A HREF="http://cookies.lcs.mit.edu/pubs/webauth.html" TARGET="_top" >http://cookies.lcs.mit.edu/pubs/webauth.html</A >.</P ><P >[Gabrilovich 2002] Gabrilovich, Evgeniy, and Alex Gontmakher. February 2002. ``Inside Risks: The Homograph Attack''. Communications of the ACM. Volume 45, Number 2. Page 128. </P ><P >[Galvin 1998a] Galvin, Peter. April 1998. ``Designing Secure Software''. <EM >Sunworld</EM >. <A HREF="http://www.sunworld.com/swol-04-1998/swol-04-security.html" TARGET="_top" >http://www.sunworld.com/swol-04-1998/swol-04-security.html</A >.</P ><P >[Galvin 1998b] Galvin, Peter. August 1998. ``The Unix Secure Programming FAQ''. <EM >Sunworld</EM >. <A HREF="http://www.sunworld.com/sunworldonline/swol-08-1998/swol-08-security.html" TARGET="_top" >http://www.sunworld.com/sunworldonline/swol-08-1998/swol-08-security.html</A ></P ><P >[Garfinkel 1996] Garfinkel, Simson and Gene Spafford. 
April 1996. <EM >Practical UNIX & Internet Security, 2nd Edition</EM >. ISBN 1-56592-148-8. Sebastopol, CA: O'Reilly & Associates, Inc. <A HREF="http://www.oreilly.com/catalog/puis" TARGET="_top" >http://www.oreilly.com/catalog/puis</A ></P ><P >[Garfinkle 1997] Garfinkle, Simson. August 8, 1997. 21 Rules for Writing Secure CGI Programs. <A HREF="http://webreview.com/wr/pub/97/08/08/bookshelf" TARGET="_top" >http://webreview.com/wr/pub/97/08/08/bookshelf</A ></P ><P >[Gay 2000] Gay, Warren W. October 2000. Advanced Unix Programming. Indianapolis, Indiana: Sams Publishing. ISBN 0-67231-990-X.</P ><P >[Geodsoft 2001] Geodsoft. February 7, 2001. Hardening OpenBSD Internet Servers. <A HREF="http://www.geodsoft.com/howto/harden" TARGET="_top" >http://www.geodsoft.com/howto/harden</A >.</P ><P >[Graham 1999] Graham, Jeff. May 4, 1999. <EM >Security-Audit's Frequently Asked Questions (FAQ)</EM >. <A HREF="http://lsap.org/faq.txt" TARGET="_top" >http://lsap.org/faq.txt</A ></P ><P >[Gong 1999] Gong, Li. June 1999. <EM >Inside Java 2 Platform Security</EM >. Reading, MA: Addison Wesley Longman, Inc. ISBN 0-201-31000-7.</P ><P >[Gundavaram Unknown] Gundavaram, Shishir, and Tom Christiansen. Date Unknown. <EM >Perl CGI Programming FAQ</EM >. <A HREF="http://language.perl.com/CPAN/doc/FAQs/cgi/perl-cgi-faq.html" TARGET="_top" >http://language.perl.com/CPAN/doc/FAQs/cgi/perl-cgi-faq.html</A ></P ><P >[Hall 1999] Hall, Brian "Beej". Beej's Guide to Network Programming Using Internet Sockets. 13-Jan-1999. Version 1.5.5. <A HREF="http://www.ecst.csuchico.edu/~beej/guide/net" TARGET="_top" >http://www.ecst.csuchico.edu/~beej/guide/net</A ></P ><P >[Howard 2002] Howard, Michael and David LeBlanc. 2002. Writing Secure Code. Redmond, Washington: Microsoft Press. ISBN 0-7356-1588-8.</P ><P >[ISO 12207] International Organization for Standardization (ISO). 1995. 
Information technology -- Software life cycle processes. ISO/IEC 12207:1995.</P ><P >[ISO 13335] International Organization for Standardization (ISO). ISO/IEC TR 13335. Guidelines for the Management of IT Security (GMITS). Note that this is a five-part technical report (not a standard); see also ISO/IEC 17799:2000. It includes:</P ><UL ><LI ><P >ISO 13335-1: Concepts and Models for IT Security</P ></LI ><LI ><P >ISO 13335-2: Managing and Planning IT Security</P ></LI ><LI ><P >ISO 13335-3: Techniques for the Management of IT Security</P ></LI ><LI ><P >ISO 13335-4: Selection of Safeguards</P ></LI ><LI ><P >ISO 13335-5: Safeguards for External Connections</P ></LI ></UL ><P >[ISO 17799] International Organization for Standardization (ISO). December 2000. Code of Practice for Information Security Management. ISO/IEC 17799:2000.</P ><P >[ISO 9000] International Organization for Standardization (ISO). 2000. Quality management systems - Fundamentals and vocabulary. ISO 9000:2000. See <A HREF="http://www.iso.ch/iso/en/iso9000-14000/iso9000/selection_use/iso9000family.html" TARGET="_top" >http://www.iso.ch/iso/en/iso9000-14000/iso9000/selection_use/iso9000family.html</A ></P ><P >[ISO 9001] International Organization for Standardization (ISO). 2000. Quality management systems - Requirements. ISO 9001:2000.</P ><P >[Jones 2000] Jones, Jennifer. October 30, 2000. ``Banking on Privacy''. InfoWorld, Volume 22, Issue 44. San Mateo, CA: International Data Group (IDG). pp. 1-12.</P ><P >[Kelsey 1998] Kelsey, J., B. Schneier, D. Wagner, and C. Hall. March 1998. "Cryptanalytic Attacks on Pseudorandom Number Generators." Fast Software Encryption, Fifth International Workshop Proceedings (March 1998), Springer-Verlag, 1998, pp. 168-188. <A HREF="http://www.counterpane.com/pseudorandom_number.html" TARGET="_top" >http://www.counterpane.com/pseudorandom_number.html</A >.</P ><P >[Kernighan 1988] Kernighan, Brian W., and Dennis M. Ritchie. 1988. 
<EM >The C Programming Language</EM >. Second Edition. Englewood Cliffs, NJ: Prentice-Hall. ISBN 0-13-110362-8.</P ><P >[Kim 1996] Kim, Eugene Eric. 1996. <EM >CGI Developer's Guide</EM >. SAMS.net Publishing. ISBN: 1-57521-087-8. <A HREF="http://www.eekim.com/pubs/cgibook" TARGET="_top" >http://www.eekim.com/pubs/cgibook</A ></P ><P >[Kolsek 2002] Kolsek, Mitja. December 2002. Session Fixation Vulnerability in Web-based Applications. <A HREF="http://www.acros.si/papers/session_fixation.pdf" TARGET="_top" >http://www.acros.si/papers/session_fixation.pdf</A >.</P ><P >[Kuchling 2000] Kuchling, A.M. 2000. Restricted Execution HOWTO. <A HREF="http://www.python.org/doc/howto/rexec/rexec.html" TARGET="_top" >http://www.python.org/doc/howto/rexec/rexec.html</A ></P ><P >[Kuhn 2002] Kuhn, Markus G. Optical Time-Domain Eavesdropping Risks of CRT Displays. Proceedings of the 2002 IEEE Symposium on Security and Privacy, Oakland, CA, May 12-15, 2002. <A HREF="http://www.cl.cam.ac.uk/~mgk25/ieee02-optical.pdf" TARGET="_top" >http://www.cl.cam.ac.uk/~mgk25/ieee02-optical.pdf</A ></P ><P >[LSD 2001] The Last Stage of Delirium. July 4, 2001. <EM >UNIX Assembly Codes Development for Vulnerabilities Illustration Purposes.</EM > <A HREF="http://lsd-pl.net/papers.html#assembly" TARGET="_top" >http://lsd-pl.net/papers.html#assembly</A >.</P ><P >[McClure 1999] McClure, Stuart, Joel Scambray, and George Kurtz. 1999. <EM >Hacking Exposed: Network Security Secrets and Solutions</EM >. Berkeley, CA: Osborne/McGraw-Hill. ISBN 0-07-212127-0.</P ><P >[McKusick 1999] McKusick, Marshall Kirk. January 1999. ``Twenty Years of Berkeley Unix: From AT&T-Owned to Freely Redistributable.'' <EM >Open Sources: Voices from the Open Source Revolution</EM >. <A HREF="http://www.oreilly.com/catalog/opensources/book/kirkmck.html" TARGET="_top" >http://www.oreilly.com/catalog/opensources/book/kirkmck.html</A >.</P ><P >[McGraw 1999] McGraw, Gary, and Edward W. Felten. December 1998. 
Twelve Rules for developing more secure Java code. Javaworld. <A HREF="http://www.javaworld.com/javaworld/jw-12-1998/jw-12-securityrules.html" TARGET="_top" >http://www.javaworld.com/javaworld/jw-12-1998/jw-12-securityrules.html</A >.</P ><P >[McGraw 1999] McGraw, Gary, and Edward W. Felten. January 25, 1999. Securing Java: Getting Down to Business with Mobile Code, 2nd Edition John Wiley & Sons. ISBN 047131952X. <A HREF="http://www.securingjava.com" TARGET="_top" >http://www.securingjava.com</A >.</P ><P >[McGraw 2000a] McGraw, Gary and John Viega. March 1, 2000. Make Your Software Behave: Learning the Basics of Buffer Overflows. <A HREF="http://www-4.ibm.com/software/developer/library/overflows/index.html" TARGET="_top" >http://www-4.ibm.com/software/developer/library/overflows/index.html</A >.</P ><P >[McGraw 2000b] McGraw, Gary and John Viega. April 18, 2000. Make Your Software Behave: Software strategies In the absence of hardware, you can devise a reasonably secure random number generator through software. <A HREF="http://www-106.ibm.com/developerworks/library/randomsoft/index.html?dwzone=security" TARGET="_top" >http://www-106.ibm.com/developerworks/library/randomsoft/index.html?dwzone=security</A >.</P ><P >[Miller 1995] Miller, Barton P., David Koski, Cjin Pheow Lee, Vivekananda Maganty, Ravi Murthy, Ajitkumar Natarajan, and Jeff Steidl. 1995. Fuzz Revisited: A Re-examination of the Reliability of UNIX Utilities and Services. <A HREF="ftp://grilled.cs.wisc.edu/technical_papers/fuzz-revisited.pdf" TARGET="_top" >ftp://grilled.cs.wisc.edu/technical_papers/fuzz-revisited.pdf</A >.</P ><P >[Miller 1999] Miller, Todd C. and Theo de Raadt. ``strlcpy and strlcat -- Consistent, Safe, String Copy and Concatenation'' <EM >Proceedings of Usenix '99</EM >. 
<A HREF="http://www.usenix.org/events/usenix99/millert.html" TARGET="_top" >http://www.usenix.org/events/usenix99/millert.html</A > and <A HREF="http://www.usenix.org/events/usenix99/full_papers/millert/PACKING_LIST" TARGET="_top" >http://www.usenix.org/events/usenix99/full_papers/millert/PACKING_LIST</A ></P ><P >[Mookhey 2002] Mookhey, K. K. The Unix Auditor's Practical Handbook. <A HREF="http://www.nii.co.in/tuaph.html" TARGET="_top" >http://www.nii.co.in/tuaph.html</A >.</P ><P >[Mudge 1995] Mudge. October 20, 1995. <EM >How to write Buffer Overflows</EM >. l0pht advisories. <A HREF="http://www.l0pht.com/advisories/bufero.html" TARGET="_top" >http://www.l0pht.com/advisories/bufero.html</A >.</P ><P >[Murhammer 1998] Murhammer, Martin W., Orcun Atakan, Stefan Bretz, Larry R. Pugh, Kazunari Suzuki, and David H. Wood. October 1998. TCP/IP Tutorial and Technical Overview. IBM International Technical Support Organization. <A HREF="http://www.redbooks.ibm.com/pubs/pdfs/redbooks/gg243376.pdf" TARGET="_top" >http://www.redbooks.ibm.com/pubs/pdfs/redbooks/gg243376.pdf</A ></P ><P >[NCSA] NCSA Secure Programming Guidelines. <A HREF="http://www.ncsa.uiuc.edu/General/Grid/ACES/security/programming" TARGET="_top" >http://www.ncsa.uiuc.edu/General/Grid/ACES/security/programming</A >.</P ><P >[Neumann 2000] Neumann, Peter. 2000. "Robust Nonproprietary Software." Proceedings of the 2000 IEEE Symposium on Security and Privacy (the ``Oakland Conference''), May 14-17, 2000, Berkeley, CA. Los Alamitos, CA: IEEE Computer Society. pp. 122-123.</P ><P >[NSA 2000] National Security Agency (NSA). September 2000. Information Assurance Technical Framework (IATF). <A HREF="http://www.iatf.net" TARGET="_top" >http://www.iatf.net</A >.</P ><P >[Open Group 1997] The Open Group. 1997. <EM >Single UNIX Specification, Version 2 (UNIX 98)</EM >. 
<A HREF="http://www.opengroup.org/online-pubs?DOC=007908799" TARGET="_top" >http://www.opengroup.org/online-pubs?DOC=007908799</A >.</P ><P >[OSI 1999] Open Source Initiative. 1999. <EM >The Open Source Definition</EM >. <A HREF="http://www.opensource.org/osd.html" TARGET="_top" >http://www.opensource.org/osd.html</A >.</P ><P >[Opplinger 1998] Oppliger, Rolf. 1998. Internet and Intranet Security. Norwood, MA: Artech House. ISBN 0-89006-829-1.</P ><P >[Paulk 1993a] Mark C. Paulk, Bill Curtis, Mary Beth Chrissis, and Charles V. Weber. Capability Maturity Model for Software, Version 1.1. Software Engineering Institute, CMU/SEI-93-TR-24. DTIC Number ADA263403, February 1993. <A HREF="http://www.sei.cmu.edu/activities/cmm/obtain.cmm.html" TARGET="_top" >http://www.sei.cmu.edu/activities/cmm/obtain.cmm.html</A >.</P ><P >[Paulk 1993b] Mark C. Paulk, Charles V. Weber, Suzanne M. Garcia, Mary Beth Chrissis, and Marilyn W. Bush. Key Practices of the Capability Maturity Model, Version 1.1. Software Engineering Institute. CMU/SEI-93-TR-25, DTIC Number ADA263432, February 1993. </P ><P >[Peteanu 2000] Peteanu, Razvan. July 18, 2000. Best Practices for Secure Web Development. <A HREF="http://members.home.net/razvan.peteanu" TARGET="_top" >http://members.home.net/razvan.peteanu</A ></P ><P >[Pfleeger 1997] Pfleeger, Charles P. 1997. <EM >Security in Computing.</EM > Upper Saddle River, NJ: Prentice-Hall PTR. ISBN 0-13-337486-6.</P ><P >[Phillips 1995] Phillips, Paul. September 3, 1995. <EM >Safe CGI Programming</EM >. 
<A HREF="http://www.go2net.com/people/paulp/cgi-security/safe-cgi.txt" TARGET="_top" >http://www.go2net.com/people/paulp/cgi-security/safe-cgi.txt</A ></P ><P >[Quintero 1999] Quintero, Federico Mena, Miguel de Icaza, and Morten Welinder. GNOME Programming Guidelines. <A HREF="http://developer.gnome.org/doc/guides/programming-guidelines/book1.html" TARGET="_top" >http://developer.gnome.org/doc/guides/programming-guidelines/book1.html</A ></P ><P >[Raymond 1997] Raymond, Eric. 1997. <EM >The Cathedral and the Bazaar</EM >. <A HREF="http://www.catb.org/~esr/writings/cathedral-bazaar" TARGET="_top" >http://www.catb.org/~esr/writings/cathedral-bazaar</A ></P ><P >[Raymond 1998] Raymond, Eric. April 1998. <EM >Homesteading the Noosphere</EM >. <A HREF="http://www.catb.org/~esr/writings/homesteading/homesteading.html" TARGET="_top" >http://www.catb.org/~esr/writings/homesteading/homesteading.html</A ></P ><P >[Ranum 1998] Ranum, Marcus J. 1998. <EM >Security-critical coding for programmers - a C and UNIX-centric full-day tutorial</EM >. <A HREF="http://www.clark.net/pub/mjr/pubs/pdf/" TARGET="_top" >http://www.clark.net/pub/mjr/pubs/pdf/</A >.</P ><P >[RFC 822] August 13, 1982. <EM >Standard for the Format of ARPA Internet Text Messages</EM >. IETF RFC 822. <A HREF="http://www.ietf.org/rfc/rfc0822.txt" TARGET="_top" >http://www.ietf.org/rfc/rfc0822.txt</A >.</P ><P >[rfp 1999] rain.forest.puppy. 1999. ``Perl CGI problems''. <EM >Phrack Magazine</EM >. Issue 55, Article 07. <A HREF="http://www.phrack.com/search.phtml?view&article=p55-7" TARGET="_top" >http://www.phrack.com/search.phtml?view&article=p55-7</A > or <A HREF="http://www.insecure.org/news/P55-07.txt" TARGET="_top" >http://www.insecure.org/news/P55-07.txt</A >.</P ><P >[Rijmen 2000] Rijmen, Vincent. "LinuxSecurity.com Speaks With AES Winner". 
<A HREF="http://www.linuxsecurity.com/feature_stories/interview-aes-3.html" TARGET="_top" >http://www.linuxsecurity.com/feature_stories/interview-aes-3.html</A >.</P ><P >[Rochkind 1985] Rochkind, Marc J. <EM >Advanced Unix Programming</EM >. Englewood Cliffs, NJ: Prentice-Hall, Inc. ISBN 0-13-011818-4.</P ><P >[Sahu 2002] Sahu, Bijaya Nanda, Srinivasan S. Muthuswamy, Satya Nanaji Rao Mallampalli, and Venkata R. Bonam. July 2002. ``Is your Java code secure -- or exposed? Build safer applications now to avoid trouble later''. <A HREF="http://www-106.ibm.com/developerworks/java/library/j-staticsec.html?loc=dwmain" TARGET="_top" >http://www-106.ibm.com/developerworks/java/library/j-staticsec.html?loc=dwmain</A ></P ><P >[St. Laurent 2000] St. Laurent, Simon. February 2000. <EM >XTech 2000 Conference Reports</EM >. ``When XML Gets Ugly''. <A HREF="http://www.xml.com/pub/2000/02/xtech/megginson.html" TARGET="_top" >http://www.xml.com/pub/2000/02/xtech/megginson.html</A >.</P ><P >[Saltzer 1974] Saltzer, J. July 1974. ``Protection and the Control of Information Sharing in MULTICS''. <EM >Communications of the ACM</EM >. v17 n7. pp. 388-402.</P ><P >[Saltzer 1975] Saltzer, J., and M. Schroeder. September 1975. ``The Protection of Information in Computing Systems''. <EM >Proceedings of the IEEE</EM >. v63 n9. pp. 1278-1308. <A HREF="http://www.mediacity.com/~norm/CapTheory/ProtInf" TARGET="_top" >http://www.mediacity.com/~norm/CapTheory/ProtInf</A >. Summarized in [Pfleeger 1997, 286].</P ><P >[Schneider 2000] Schneider, Fred B. 2000. "Open Source in Security: Visiting the Bizarre." Proceedings of the 2000 IEEE Symposium on Security and Privacy (the ``Oakland Conference''), May 14-17, 2000, Berkeley, CA. Los Alamitos, CA: IEEE Computer Society. pp. 126-127.</P ><P >[Schneier 1996] Schneier, Bruce. 1996. <EM >Applied Cryptography, Second Edition: Protocols, Algorithms, and Source Code in C</EM >. New York: John Wiley and Sons. 
ISBN 0-471-12845-7.</P ><P >[Schneier 1998] Schneier, Bruce and Mudge. November 1998. <EM >Cryptanalysis of Microsoft's Point-to-Point Tunneling Protocol (PPTP)</EM >. Proceedings of the 5th ACM Conference on Communications and Computer Security, ACM Press. <A HREF="http://www.counterpane.com/pptp.html" TARGET="_top" >http://www.counterpane.com/pptp.html</A >.</P ><P >[Schneier 1999] Schneier, Bruce. September 15, 1999. ``Open Source and Security''. <EM >Crypto-Gram</EM >. Counterpane Internet Security, Inc. <A HREF="http://www.counterpane.com/crypto-gram-9909.html" TARGET="_top" >http://www.counterpane.com/crypto-gram-9909.html</A ></P ><P >[Seifried 1999] Seifried, Kurt. October 9, 1999. <EM >Linux Administrator's Security Guide</EM >. <A HREF="http://www.securityportal.com/lasg" TARGET="_top" >http://www.securityportal.com/lasg</A >.</P ><P >[Seifried 2001] Seifried, Kurt. September 2, 2001. WWW Authentication. <A HREF="http://www.seifried.org/security/www-auth/index.html" TARGET="_top" >http://www.seifried.org/security/www-auth/index.html</A >.</P ><P >[Shankland 2000] Shankland, Stephen. ``Linux poses increasing threat to Windows 2000''. CNET. <A HREF="http://news.cnet.com/news/0-1003-200-1549312.html" TARGET="_top" >http://news.cnet.com/news/0-1003-200-1549312.html</A ></P ><P >[Shostack 1999] Shostack, Adam. June 1, 1999. <EM >Security Code Review Guidelines</EM >. <A HREF="http://www.homeport.org/~adam/review.html" TARGET="_top" >http://www.homeport.org/~adam/review.html</A >.</P ><P >[Sibert 1996] Sibert, W. Olin. Malicious Data and Computer Security. (NIST) NISSC '96. <A HREF="http://www.fish.com/security/maldata.html" TARGET="_top" >http://www.fish.com/security/maldata.html</A ></P ><P >[Sitaker 1999] Sitaker, Kragen. Feb 26, 1999. 
<EM >How to Find Security Holes</EM >. <A HREF="http://www.pobox.com/~kragen/security-holes.html" TARGET="_top" >http://www.pobox.com/~kragen/security-holes.html</A > and <A HREF="http://www.dnaco.net/~kragen/security-holes.html" TARGET="_top" >http://www.dnaco.net/~kragen/security-holes.html</A ></P ><P >[SSE-CMM 1999] SSE-CMM Project. April 1999. <EM >Systems Security Engineering Capability Maturity Model (SSE CMM) Model Description Document</EM >. Version 2.0. <A HREF="http://www.sse-cmm.org" TARGET="_top" >http://www.sse-cmm.org</A ></P ><P >[Stallings 1996] Stallings, William. Practical Cryptography for Data Internetworks. Los Alamitos, CA: IEEE Computer Society Press. ISBN 0-8186-7140-8.</P ><P >[Stein 1999] Stein, Lincoln D. September 13, 1999. <EM >The World Wide Web Security FAQ</EM >. Version 2.0.1. <A HREF="http://www.w3.org/Security/Faq/www-security-faq.html" TARGET="_top" >http://www.w3.org/Security/Faq/www-security-faq.html</A ></P ><P >[Swan 2001] Swan, Daniel. January 6, 2001. comp.os.linux.security FAQ. Version 1.0. <A HREF="http://www.linuxsecurity.com/docs/colsfaq.html" TARGET="_top" >http://www.linuxsecurity.com/docs/colsfaq.html</A >.</P ><P >[Swanson 1996] Swanson, Marianne, and Barbara Guttman. September 1996. Generally Accepted Principles and Practices for Securing Information Technology Systems. NIST Computer Security Special Publication (SP) 800-14. <A HREF="http://csrc.nist.gov/publications/nistpubs/index.html" TARGET="_top" >http://csrc.nist.gov/publications/nistpubs/index.html</A >.</P ><P >[Thompson 1974] Thompson, K. and D.M. Ritchie. July 1974. ``The UNIX Time-Sharing System''. <EM >Communications of the ACM</EM >. Vol. 17, No. 7. pp. 365-375.</P ><P >[Torvalds 1999] Torvalds, Linus. February 1999. ``The Story of the Linux Kernel''. <EM >Open Sources: Voices from the Open Source Revolution</EM >. Edited by Chris Dibona, Mark Stone, and Sam Ockman. O'Reilly and Associates. ISBN 1565925823. 
<A HREF="http://www.oreilly.com/catalog/opensources/book/linus.html" TARGET="_top" >http://www.oreilly.com/catalog/opensources/book/linus.html</A ></P ><P >[TruSecure 2001] TruSecure. August 2001. Open Source Security: A Look at the Security Benefits of Source Code Access. <A HREF="http://www.trusecure.com/html/tspub/whitepapers/open_source_security5.pdf" TARGET="_top" >http://www.trusecure.com/html/tspub/whitepapers/open_source_security5.pdf</A ></P ><P >[Unknown] <EM >SETUID(7)</EM >. <A HREF="http://www.homeport.org/~adam/setuid.7.html" TARGET="_top" >http://www.homeport.org/~adam/setuid.7.html</A >.</P ><P >[Van Biesbrouck 1996] Van Biesbrouck, Michael. April 19, 1996. <A HREF="http://www.csclub.uwaterloo.ca/u/mlvanbie/cgisec" TARGET="_top" >http://www.csclub.uwaterloo.ca/u/mlvanbie/cgisec</A >.</P ><P >[van Oorschot 1994] van Oorschot, P. and M. Wiener. November 1994. ``Parallel Collision Search with Applications to Hash Functions and Discrete Logarithms.'' Proceedings of ACM Conference on Computer and Communications Security.</P ><P >[Venema 1996] Venema, Wietse. 1996. Murphy's law and computer security. <A HREF="http://www.fish.com/security/murphy.html" TARGET="_top" >http://www.fish.com/security/murphy.html</A ></P ><P >[Viega 2002] Viega, John, and Gary McGraw. 2002. Building Secure Software. Addison-Wesley. ISBN 0201-72152-X.</P ><P >[Watters 1996] Watters, Aaron, Guido van Rossum, and James C. Ahlstrom. 1996. Internet Programming with Python. NY, NY: Henry Holt and Company, Inc.</P ><P >[Wheeler 1996] Wheeler, David A., Bill Brykczynski, and Reginald N. Meeson, Jr. 1996. Software Inspection: An Industry Best Practice. Los Alamitos, CA: IEEE Computer Society Press. IEEE Computer Society Press Order Number BP07340. Library of Congress Number 95-41054. ISBN 0-8186-7340-0.</P ><P >[Witten 2001] Witten, Brian, Carl Landwehr, and Michael Caloyannides. September/October 2001. ``Does Open Source Improve System Security?'' IEEE Software. pp. 57-61. 
<A HREF="http://www.computer.org/software" TARGET="_top" >http://www.computer.org/software</A ></P ><P >[Wood 1985] Wood, Patrick H. and Stephen G. Kochan. 1985. <EM >Unix System Security</EM >. Indianapolis, Indiana: Hayden Books. ISBN 0-8104-6267-2.</P ><P >[Wreski 1998] Wreski, Dave. August 22, 1998. <EM >Linux Security Administrator's Guide</EM >. Version 0.98. <A HREF="http://www.nic.com/~dave/SecurityAdminGuide/index.html" TARGET="_top" >http://www.nic.com/~dave/SecurityAdminGuide/index.html</A ></P ><P >[Yoder 1998] Yoder, Joseph and Jeffrey Barcalow. 1998. Architectural Patterns for Enabling Application Security. PLoP '97. <A HREF="http://st-www.cs.uiuc.edu/~hanmer/PLoP-97/Proceedings/yoder.pdf" TARGET="_top" >http://st-www.cs.uiuc.edu/~hanmer/PLoP-97/Proceedings/yoder.pdf</A ></P ><P >[Zalewski 2001] Zalewski, Michal. May 16-17, 2001. Delivering Signals for Fun and Profit: Understanding, exploiting and preventing signal-handling related vulnerabilities. Bindview Corporation. <A HREF="http://razor.bindview.com/publish/papers/signals.txt" TARGET="_top" >http://razor.bindview.com/publish/papers/signals.txt</A ></P ><P >[Zoebelein 1999] Zoebelein, Hans U. April 1999. The Internet Operating System Counter. 
<A HREF="http://www.leb.net/hzo/ioscount" TARGET="_top" >http://www.leb.net/hzo/ioscount</A >.</P ></DIV ><DIV CLASS="NAVFOOTER" ><HR ALIGN="LEFT" WIDTH="100%"><TABLE SUMMARY="Footer navigation table" WIDTH="100%" BORDER="0" CELLPADDING="0" CELLSPACING="0" ><TR ><TD WIDTH="33%" ALIGN="left" VALIGN="top" ><A HREF="conclusion.html" ACCESSKEY="P" >Prev</A ></TD ><TD WIDTH="34%" ALIGN="center" VALIGN="top" ><A HREF="index.html" ACCESSKEY="H" >Home</A ></TD ><TD WIDTH="33%" ALIGN="right" VALIGN="top" ><A HREF="document-history.html" ACCESSKEY="N" >Next</A ></TD ></TR ><TR ><TD WIDTH="33%" ALIGN="left" VALIGN="top" >Conclusion</TD ><TD WIDTH="34%" ALIGN="center" VALIGN="top" > </TD ><TD WIDTH="33%" ALIGN="right" VALIGN="top" >History</TD ></TR ></TABLE ></DIV ></BODY ></HTML >