Chapter 13. Bibliography
The words of the wise are like goads, their collected sayings like
firmly embedded nails--given by one Shepherd.
Be warned, my son, of anything in addition to them.
Of making many books there is no end, and much study wearies the body.
Ecclesiastes 12:11-12 (NIV)
Note that there is a heavy emphasis on technical articles available on the web, since this is where most of this kind of technical information is available.
[Advosys 2000]
Advosys Consulting
(formerly named Webber Technical Services).
Writing Secure Web Applications.
http://advosys.ca/tips/web-security.html
[Al-Herbish 1999]
Al-Herbish, Thamer.
1999.
Secure Unix Programming FAQ.
http://www.whitefang.com/sup.
[Aleph1 1996]
Aleph1.
November 8, 1996.
``Smashing The Stack For Fun And Profit''.
Phrack Magazine.
Issue 49, Article 14.
http://www.phrack.com/search.phtml?view&article=p49-14
or alternatively
http://www.2600.net/phrack/p49-14.html.
[Anonymous 1998]
Anonymous.
September 1998.
Maximum Security: A Hacker's Guide to Protecting Your
Internet Site and Network.
Sams.
Second Edition.
ISBN: 0672313413.
[Anonymous 1999]
Anonymous.
October 1999.
Maximum Linux Security:
A Hacker's Guide to Protecting Your Linux Server and Workstation.
Sams.
ISBN: 0672316706.
[Anonymous Phrack 2001]
Anonymous.
August 11, 2001.
Once upon a free().
Phrack, Volume 0x0b, Issue 0x39, Phile #0x09 of 0x12.
http://phrack.org/show.php?p=57&a=9
[AUSCERT 1996]
Australian Computer Emergency Response Team (AUSCERT) and O'Reilly.
May 23, 1996 (rev 3C).
A Lab Engineers Check List for Writing Secure Unix Code.
ftp://ftp.auscert.org.au/pub/auscert/papers/secure_programming_checklist
[Bach 1986]
Bach, Maurice J.
1986.
The Design of the Unix Operating System.
Englewood Cliffs, NJ: Prentice-Hall, Inc.
ISBN 0-13-201799-7.
[Beattie 2002]
Beattie, Steve, Seth Arnold, Crispin Cowan, Perry Wagle, Chris Wright,
Adam Shostack.
November 2002.
Timing the Application of Security Patches for Optimal Uptime.
2002 LISA XVI, November 3-8, 2002, Philadelphia, PA.
[Bellovin 1989]
Bellovin, Steven M.
April 1989.
``Security Problems in the TCP/IP Protocol Suite''.
Computer Communication Review, Vol. 19, No. 2, pp. 32-48.
http://www.research.att.com/~smb/papers/ipext.pdf
[Bellovin 1994]
Bellovin, Steven M.
December 1994.
Shifting the Odds -- Writing (More) Secure Software.
Murray Hill, NJ: AT&T Research.
http://www.research.att.com/~smb/talks
[Bishop 1996]
Bishop, Matt.
May 1996.
``UNIX Security: Security in Programming''.
SANS '96, Washington, DC.
http://olympus.cs.ucdavis.edu/~bishop/secprog.html
[Bishop 1997]
Bishop, Matt.
October 1997.
``Writing Safe Privileged Programs''.
Network Security 1997
New Orleans, LA.
http://olympus.cs.ucdavis.edu/~bishop/secprog.html
[Blaze 1996]
Blaze, Matt, Whitfield Diffie, Ronald L. Rivest, Bruce Schneier,
Tsutomu Shimomura, Eric Thompson, and Michael Wiener.
January 1996.
``Minimal Key Lengths for Symmetric Ciphers to Provide
Adequate Commercial Security:
A Report by an Ad Hoc Group of Cryptographers and Computer Scientists.''
ftp://ftp.research.att.com/dist/mab/keylength.txt and
ftp://ftp.research.att.com/dist/mab/keylength.ps.
[CC 1999]
The Common Criteria for Information Technology Security Evaluation
(CC).
August 1999.
Version 2.1.
Technically identical to International Standard ISO/IEC 15408:1999.
http://csrc.nist.gov/cc/ccv20/ccv2list.htm
[CERT 1998]
Computer Emergency Response Team (CERT) Coordination Center (CERT/CC).
February 13, 1998.
Sanitizing User-Supplied Data in CGI Scripts.
CERT Advisory CA-97.25.CGI_metachar.
http://www.cert.org/advisories/CA-97.25.CGI_metachar.html.
[Cheswick 1994]
Cheswick, William R. and Steven M. Bellovin.
1994.
Firewalls and Internet Security: Repelling the Wily Hacker.
Reading, MA: Addison-Wesley.
Full text at
http://www.wilyhacker.com.
[Clowes 2001]
Clowes, Shaun.
2001.
``A Study In Scarlet - Exploiting Common Vulnerabilities in PHP''
http://www.securereality.com.au/archives.html
[CMU 1998]
Carnegie Mellon University (CMU).
February 13, 1998.
Version 1.4.
``How To Remove Meta-characters From User-Supplied Data In CGI Scripts''.
ftp://ftp.cert.org/pub/tech_tips/cgi_metacharacters.
[Cowan 1999]
Cowan, Crispin, Perry Wagle, Calton Pu, Steve Beattie, and
Jonathan Walpole.
``Buffer Overflows: Attacks and Defenses for the Vulnerability
of the Decade''.
Proceedings of the DARPA Information Survivability Conference and Expo (DISCEX),
http://schafercorp-ballston.com/discex.
Also presented at SANS 2000,
http://www.sans.org/newlook/events/sans2000.htm.
For a copy, see
http://immunix.org/documentation.html.
[Cox 2000]
Cox, Philip.
March 30, 2001.
Hardening Windows 2000.
http://www.systemexperts.com/win2k/hardenW2K11.pdf.
[Dobbertin 1996]
Dobbertin, H.
1996.
The Status of MD5 After a Recent Attack.
RSA Laboratories' CryptoBytes.
Vol. 2, No. 2.
[Felten 1997]
Felten, Edward W., Dirk Balfanz, Drew Dean, and Dan S. Wallach.
February 1997.
Web Spoofing: An Internet Con Game.
Technical Report 540-96 (revised February 1997).
Department of Computer Science, Princeton University.
http://www.cs.princeton.edu/sip/pub/spoofing.pdf
[Fenzi 1999]
Fenzi, Kevin, and Dave Wrenski.
April 25, 1999.
Linux Security HOWTO.
Version 1.0.2.
http://www.tldp.org/HOWTO/Security-HOWTO.html
[FHS 1997]
Filesystem Hierarchy Standard (FHS 2.0).
October 26, 1997.
Filesystem Hierarchy Standard Group, edited by Daniel Quinlan.
Version 2.0.
http://www.pathname.com/fhs.
[Filipski 1986]
Filipski, Alan and James Hanko.
April 1986.
``Making Unix Secure.''
Byte (Magazine).
Peterborough, NH: McGraw-Hill Inc.
Vol. 11, No. 4.
ISSN 0360-5280.
pp. 113-128.
[Flake 2001]
Flake, Halvar.
2001.
Auditing Binaries for Security Vulnerabilities.
Black Hat Windows Security 2001.
http://www.blackhat.com/html/win-usa-01/win-usa-01-speakers.html.
[FOLDOC]
Free On-Line Dictionary of Computing.
http://foldoc.doc.ic.ac.uk/foldoc/index.html.
[Forristal 2001]
Forristal, Jeff, and Greg Shipley.
January 8, 2001.
Vulnerability Assessment Scanners.
Network Computing.
http://www.nwc.com/1201/1201f1b1.html
[FreeBSD 1999]
FreeBSD, Inc.
1999.
``Secure Programming Guidelines''.
FreeBSD Security Information.
http://www.freebsd.org/security/security.html
[Friedl 1997]
Friedl, Jeffrey E. F.
1997.
Mastering Regular Expressions.
O'Reilly.
ISBN 1-56592-257-3.
[FSF 1998]
Free Software Foundation.
December 17, 1999.
Overview of the GNU Project.
http://www.gnu.ai.mit.edu/gnu/gnu-history.html
[FSF 1999]
Free Software Foundation.
January 11, 1999.
The GNU C Library Reference Manual.
Edition 0.08 DRAFT, for Version 2.1 Beta of the GNU C Library.
Available at, for example,
http://www.netppl.fi/~pp/glibc21/libc_toc.html
[Fu 2001]
Fu, Kevin, Emil Sit, Kendra Smith, and Nick Feamster.
August 2001.
``Dos and Don'ts of Client Authentication on the Web''.
Proceedings of the 10th USENIX Security Symposium,
Washington, D.C., August 2001.
http://cookies.lcs.mit.edu/pubs/webauth.html.
[Gabrilovich 2002]
Gabrilovich, Evgeniy, and Alex Gontmakher.
February 2002.
``Inside Risks: The Homograph Attack''.
Communications of the ACM.
Volume 45, Number 2.
Page 128.
[Galvin 1998a]
Galvin, Peter.
April 1998.
``Designing Secure Software''.
Sunworld.
http://www.sunworld.com/swol-04-1998/swol-04-security.html.
[Galvin 1998b]
Galvin, Peter.
August 1998.
``The Unix Secure Programming FAQ''.
Sunworld.
http://www.sunworld.com/sunworldonline/swol-08-1998/swol-08-security.html
[Garfinkel 1996]
Garfinkel, Simson and Gene Spafford.
April 1996.
Practical UNIX & Internet Security, 2nd Edition.
ISBN 1-56592-148-8.
Sebastopol, CA: O'Reilly & Associates, Inc.
http://www.oreilly.com/catalog/puis
[Garfinkle 1997]
Garfinkel, Simson.
August 8, 1997.
21 Rules for Writing Secure CGI Programs.
http://webreview.com/wr/pub/97/08/08/bookshelf
[Gay 2000]
Gay, Warren W.
October 2000.
Advanced Unix Programming.
Indianapolis, Indiana: Sams Publishing.
ISBN 0-67231-990-X.
[Geodsoft 2001]
Geodsoft.
February 7, 2001.
Hardening OpenBSD Internet Servers.
http://www.geodsoft.com/howto/harden.
[Gong 1999]
Gong, Li.
June 1999.
Inside Java 2 Platform Security.
Reading, MA: Addison Wesley Longman, Inc.
ISBN 0-201-31000-7.
[Graham 1999]
Graham, Jeff.
May 4, 1999.
Security-Audit's Frequently Asked Questions (FAQ).
http://lsap.org/faq.txt
[Gundavaram Unknown]
Gundavaram, Shishir, and Tom Christiansen.
Date Unknown.
Perl CGI Programming FAQ.
http://language.perl.com/CPAN/doc/FAQs/cgi/perl-cgi-faq.html
[Hall 1999]
Hall, Brian ``Beej''.
January 13, 1999.
Beej's Guide to Network Programming Using Internet Sockets.
Version 1.5.5.
http://www.ecst.csuchico.edu/~beej/guide/net
[Howard 2002]
Howard, Michael and David LeBlanc.
2002.
Writing Secure Code.
Redmond, Washington: Microsoft Press.
ISBN 0-7356-1588-8.
[ISO 12207]
International Organization for Standardization (ISO).
1995.
Information technology -- Software life cycle processes
ISO/IEC 12207:1995.
[ISO 13335]
International Organization for Standardization (ISO).
ISO/IEC TR 13335.
Guidelines for the Management of IT Security (GMITS).
Note that this is a five-part technical report (not a standard); see also
ISO/IEC 17799:2000.
It includes:
ISO 13335-1: Concepts and Models for IT Security
ISO 13335-2: Managing and Planning IT Security
ISO 13335-3: Techniques for the Management of IT Security
ISO 13335-4: Selection of Safeguards
ISO 13335-5: Safeguards for External Connections
[ISO 17799]
International Organization for Standardization (ISO).
December 2000.
Code of Practice for Information Security Management.
ISO/IEC 17799:2000.
[ISO 9000]
International Organization for Standardization (ISO).
2000.
Quality management systems - Fundamentals and vocabulary.
ISO 9000:2000.
See
http://www.iso.ch/iso/en/iso9000-14000/iso9000/selection_use/iso9000family.html
[ISO 9001]
International Organization for Standardization (ISO).
2000.
Quality management systems - Requirements
ISO 9001:2000
[Jones 2000]
Jones, Jennifer.
October 30, 2000.
``Banking on Privacy''.
InfoWorld, Volume 22, Issue 44.
San Mateo, CA: International Data Group (IDG).
pp. 1-12.
[Kelsey 1998]
Kelsey, J., B. Schneier, D. Wagner, and C. Hall.
March 1998.
``Cryptanalytic Attacks on Pseudorandom Number Generators''.
Fast Software Encryption, Fifth International Workshop Proceedings
(March 1998), Springer-Verlag, 1998, pp. 168-188.
http://www.counterpane.com/pseudorandom_number.html.
[Kernighan 1988]
Kernighan, Brian W., and Dennis M. Ritchie.
1988.
The C Programming Language.
Second Edition.
Englewood Cliffs, NJ: Prentice-Hall.
ISBN 0-13-110362-8.
[Kim 1996]
Kim, Eugene Eric.
1996.
CGI Developer's Guide.
SAMS.net Publishing.
ISBN: 1-57521-087-8
http://www.eekim.com/pubs/cgibook
[Kolsek 2002]
Kolsek, Mitja.
December 2002.
Session Fixation Vulnerability in Web-based Applications
http://www.acros.si/papers/session_fixation.pdf.
[Kuchling 2000]
Kuchling, A.M.
2000.
Restricted Execution HOWTO.
http://www.python.org/doc/howto/rexec/rexec.html
[Kuhn 2002]
Kuhn, Markus G.
Optical Time-Domain Eavesdropping Risks
of CRT displays.
Proceedings of the 2002 IEEE Symposium on Security and Privacy,
Oakland, CA, May 12-15, 2002.
http://www.cl.cam.ac.uk/~mgk25/ieee02-optical.pdf
[LSD 2001]
The Last Stage of Delirium.
July 4, 2001.
UNIX Assembly Codes Development
for Vulnerabilities Illustration Purposes.
http://lsd-pl.net/papers.html#assembly.
[McClure 1999]
McClure, Stuart, Joel Scambray, and George Kurtz.
1999.
Hacking Exposed: Network Security Secrets and Solutions.
Berkeley, CA: Osborne/McGraw-Hill.
ISBN 0-07-212127-0.
[McKusick 1999]
McKusick, Marshall Kirk.
January 1999.
``Twenty Years of Berkeley Unix: From AT&T-Owned to
Freely Redistributable.''
Open Sources: Voices from the Open Source Revolution.
http://www.oreilly.com/catalog/opensources/book/kirkmck.html.
[McGraw 1998]
McGraw, Gary, and Edward W. Felten.
December 1998.
Twelve Rules for developing more secure Java code.
Javaworld.
http://www.javaworld.com/javaworld/jw-12-1998/jw-12-securityrules.html.
[McGraw 1999]
McGraw, Gary, and Edward W. Felten.
January 25, 1999.
Securing Java: Getting Down to Business with Mobile Code, 2nd Edition
John Wiley & Sons.
ISBN 047131952X.
http://www.securingjava.com.
[McGraw 2000a]
McGraw, Gary and John Viega.
March 1, 2000.
Make Your Software Behave: Learning the Basics of Buffer Overflows.
http://www-4.ibm.com/software/developer/library/overflows/index.html.
[McGraw 2000b]
McGraw, Gary and John Viega.
April 18, 2000.
Make Your Software Behave: Software Strategies.
Subtitle: ``In the absence of hardware,
you can devise a reasonably secure random number generator through software.''
http://www-106.ibm.com/developerworks/library/randomsoft/index.html?dwzone=security.
[Miller 1995]
Miller, Barton P.,
David Koski, Cjin Pheow Lee, Vivekananda Maganty,
Ravi Murthy, Ajitkumar Natarajan, and Jeff Steidl.
1995.
Fuzz Revisited: A Re-examination of the Reliability of
UNIX Utilities and Services.
ftp://grilled.cs.wisc.edu/technical_papers/fuzz-revisited.pdf.
[Miller 1999]
Miller, Todd C. and Theo de Raadt.
June 1999.
``strlcpy and strlcat -- Consistent, Safe, String Copy and Concatenation''.
Proceedings of the 1999 USENIX Annual Technical Conference (USENIX '99).
http://www.usenix.org/events/usenix99/millert.html and
http://www.usenix.org/events/usenix99/full_papers/millert/PACKING_LIST
[Mookhey 2002]
Mookhey, K. K.
The Unix Auditor's Practical Handbook.
http://www.nii.co.in/tuaph.html.
[Mudge 1995]
Mudge.
October 20, 1995.
How to write Buffer Overflows.
l0pht advisories.
http://www.l0pht.com/advisories/bufero.html.
[Murhammer 1998]
Murhammer, Martin W., Orcun Atakan, Stefan Bretz,
Larry R. Pugh, Kazunari Suzuki, and David H. Wood.
October 1998.
TCP/IP Tutorial and Technical Overview
IBM International Technical Support Organization.
http://www.redbooks.ibm.com/pubs/pdfs/redbooks/gg243376.pdf
[NCSA]
NCSA Secure Programming Guidelines.
http://www.ncsa.uiuc.edu/General/Grid/ACES/security/programming.
[Neumann 2000]
Neumann, Peter.
2000.
``Robust Nonproprietary Software''.
Proceedings of the 2000 IEEE Symposium on Security and Privacy
(the ``Oakland Conference''), May 14-17, 2000, Berkeley, CA.
Los Alamitos, CA: IEEE Computer Society.
pp.122-123.
[NSA 2000]
National Security Agency (NSA).
September 2000.
Information Assurance Technical Framework (IATF).
http://www.iatf.net.
[Open Group 1997]
The Open Group.
1997.
Single UNIX Specification, Version 2 (UNIX 98).
http://www.opengroup.org/online-pubs?DOC=007908799.
[OSI 1999]
Open Source Initiative.
1999.
The Open Source Definition.
http://www.opensource.org/osd.html.
[Opplinger 1998]
Oppliger, Rolf.
1998.
Internet and Intranet Security.
Norwood, MA: Artech House.
ISBN 0-89006-829-1.
[Paulk 1993a]
Paulk, Mark C., Bill Curtis, Mary Beth Chrissis, and Charles V. Weber.
Capability Maturity Model for Software, Version 1.1.
Software Engineering Institute, CMU/SEI-93-TR-24.
DTIC Number ADA263403, February 1993.
http://www.sei.cmu.edu/activities/cmm/obtain.cmm.html.
[Paulk 1993b]
Paulk, Mark C., Charles V. Weber, Suzanne M. Garcia, Mary Beth Chrissis, and Marilyn W. Bush.
Key Practices of the Capability Maturity Model, Version 1.1.
Software Engineering Institute.
CMU/SEI-93-TR-25, DTIC Number ADA263432, February 1993.
[Peteanu 2000]
Peteanu, Razvan.
July 18, 2000.
Best Practices for Secure Web Development.
http://members.home.net/razvan.peteanu
[Pfleeger 1997]
Pfleeger, Charles P.
1997.
Security in Computing.
Upper Saddle River, NJ: Prentice-Hall PTR.
ISBN 0-13-337486-6.
[Phillips 1995]
Phillips, Paul.
September 3, 1995.
Safe CGI Programming.
http://www.go2net.com/people/paulp/cgi-security/safe-cgi.txt
[Quintero 1999]
Quintero, Federico Mena,
Miguel de Icaza, and Morten Welinder
GNOME Programming Guidelines
http://developer.gnome.org/doc/guides/programming-guidelines/book1.html
[Ranum 1998]
Ranum, Marcus J.
1998.
Security-critical coding for programmers -
a C and UNIX-centric full-day tutorial.
http://www.clark.net/pub/mjr/pubs/pdf/.
[Raymond 1997]
Raymond, Eric.
1997.
The Cathedral and the Bazaar.
http://www.catb.org/~esr/writings/cathedral-bazaar
[Raymond 1998]
Raymond, Eric.
April 1998.
Homesteading the Noosphere.
http://www.catb.org/~esr/writings/homesteading/homesteading.html
[RFC 822]
Crocker, David H.
August 13, 1982.
Standard for the Format of ARPA Internet Text Messages.
IETF RFC 822.
http://www.ietf.org/rfc/rfc0822.txt.
[rfp 1999]
rain.forest.puppy.
1999.
``Perl CGI problems''.
Phrack Magazine.
Issue 55, Article 07.
http://www.phrack.com/search.phtml?view&article=p55-7 or
http://www.insecure.org/news/P55-07.txt.
[Rijmen 2000]
Rijmen, Vincent.
``LinuxSecurity.com Speaks With AES Winner''.
http://www.linuxsecurity.com/feature_stories/interview-aes-3.html.
[Rochkind 1985]
Rochkind, Marc J.
1985.
Advanced Unix Programming.
Englewood Cliffs, NJ: Prentice-Hall, Inc.
ISBN 0-13-011818-4.
[Sahu 2002]
Sahu, Bijaya Nanda,
Srinivasan S. Muthuswamy,
Satya Nanaji Rao Mallampalli, and
Venkata R. Bonam.
July 2002.
``Is your Java code secure -- or exposed?
Build safer applications now to avoid trouble later''
http://www-106.ibm.com/developerworks/java/library/j-staticsec.html?loc=dwmain
[St. Laurent 2000]
St. Laurent, Simon.
February 2000.
XTech 2000 Conference Reports.
``When XML Gets Ugly''.
http://www.xml.com/pub/2000/02/xtech/megginson.html.
[Saltzer 1974]
Saltzer, J.
July 1974.
``Protection and the Control of Information Sharing in MULTICS''.
Communications of the ACM.
v17 n7.
pp. 388-402.
[Saltzer 1975]
Saltzer, J., and M. Schroeder.
September 1975.
``The Protection of Information in Computing Systems''.
Proceedings of the IEEE.
v63 n9.
pp. 1278-1308.
http://www.mediacity.com/~norm/CapTheory/ProtInf.
Summarized in [Pfleeger 1997, 286].
[Schneider 2000]
Schneider, Fred B.
2000.
``Open Source in Security: Visiting the Bizarre''.
Proceedings of the 2000 IEEE Symposium on Security and Privacy
(the ``Oakland Conference''), May 14-17, 2000, Berkeley, CA.
Los Alamitos, CA: IEEE Computer Society.
pp.126-127.
[Schneier 1996]
Schneier, Bruce.
1996.
Applied Cryptography, Second Edition:
Protocols, Algorithms, and Source Code in C.
New York: John Wiley and Sons.
ISBN 0-471-12845-7.
[Schneier 1998]
Schneier, Bruce and Mudge.
November 1998.
Cryptanalysis of Microsoft's Point-to-Point Tunneling Protocol (PPTP)
Proceedings of the 5th ACM Conference on Communications and Computer Security,
ACM Press.
http://www.counterpane.com/pptp.html.
[Schneier 1999]
Schneier, Bruce.
September 15, 1999.
``Open Source and Security''.
Crypto-Gram.
Counterpane Internet Security, Inc.
http://www.counterpane.com/crypto-gram-9909.html
[Seifried 1999]
Seifried, Kurt.
October 9, 1999.
Linux Administrator's Security Guide.
http://www.securityportal.com/lasg.
[Seifried 2001]
Seifried, Kurt.
September 2, 2001.
WWW Authentication
http://www.seifried.org/security/www-auth/index.html.
[Shankland 2000]
Shankland, Stephen.
``Linux poses increasing threat to Windows 2000''.
CNET.
http://news.cnet.com/news/0-1003-200-1549312.html
[Shostack 1999]
Shostack, Adam.
June 1, 1999.
Security Code Review Guidelines.
http://www.homeport.org/~adam/review.html.
[Sibert 1996]
Sibert, W. Olin.
Malicious Data and Computer Security.
Proceedings of the 19th National Information Systems Security Conference (NISSC '96), October 1996.
http://www.fish.com/security/maldata.html
[Sitaker 1999]
Sitaker, Kragen.
Feb 26, 1999.
How to Find Security Holes
http://www.pobox.com/~kragen/security-holes.html and
http://www.dnaco.net/~kragen/security-holes.html
[SSE-CMM 1999]
SSE-CMM Project.
April 1999.
Systems Security Engineering Capability Maturity Model (SSE CMM)
Model Description Document.
Version 2.0.
http://www.sse-cmm.org
[Stallings 1996]
Stallings, William.
1996.
Practical Cryptography for Data Internetworks.
Los Alamitos, CA: IEEE Computer Society Press.
ISBN 0-8186-7140-8.
[Stein 1999]
Stein, Lincoln D.
September 13, 1999.
The World Wide Web Security FAQ.
Version 2.0.1
http://www.w3.org/Security/Faq/www-security-faq.html
[Swan 2001]
Swan, Daniel.
January 6, 2001.
comp.os.linux.security FAQ.
Version 1.0.
http://www.linuxsecurity.com/docs/colsfaq.html.
[Swanson 1996]
Swanson, Marianne, and Barbara Guttman.
September 1996.
Generally Accepted Principles and Practices for Securing
Information Technology Systems.
NIST Computer Security Special Publication (SP) 800-14.
http://csrc.nist.gov/publications/nistpubs/index.html.
[Thompson 1974]
Thompson, K. and D. M. Ritchie.
July 1974.
``The UNIX Time-Sharing System''.
Communications of the ACM
Vol. 17, No. 7.
pp. 365-375.
[Torvalds 1999]
Torvalds, Linus.
February 1999.
``The Story of the Linux Kernel''.
Open Sources: Voices from the Open Source Revolution.
Edited by Chris Dibona, Mark Stone, and Sam Ockman.
O'Reilly and Associates.
ISBN 1565925823.
http://www.oreilly.com/catalog/opensources/book/linus.html
[TruSecure 2001]
TruSecure.
August 2001.
Open Source Security: A Look at the Security Benefits of Source Code Access.
http://www.trusecure.com/html/tspub/whitepapers/open_source_security5.pdf
[Unknown]
SETUID(7)
http://www.homeport.org/~adam/setuid.7.html.
[Van Biesbrouck 1996]
Van Biesbrouck, Michael.
April 19, 1996.
http://www.csclub.uwaterloo.ca/u/mlvanbie/cgisec.
[van Oorschot 1994]
van Oorschot, P. and M. Wiener.
November 1994.
``Parallel Collision Search with Applications to Hash Functions
and Discrete Logarithms.''
Proceedings of ACM Conference on Computer and Communications Security.
[Venema 1996]
Venema, Wietse.
1996.
Murphy's law and computer security.
http://www.fish.com/security/murphy.html
[Viega 2002]
Viega, John, and Gary McGraw.
2002.
Building Secure Software.
Addison-Wesley.
ISBN 0201-72152-X.
[Watters 1996]
Watters, Aaron, Guido van Rossum, and James C. Ahlstrom.
1996.
Internet Programming with Python.
New York, NY: Henry Holt and Company, Inc.
[Wheeler 1996]
Wheeler, David A., Bill Brykczynski, and Reginald N. Meeson, Jr.
1996.
Software Inspection: An Industry Best Practice.
Los Alamitos, CA: IEEE Computer Society Press.
IEEE Computer Society Press Order Number BP07340.
Library of Congress Number 95-41054.
ISBN 0-8186-7340-0.
[Witten 2001]
Witten, Brian, Carl Landwehr, and Michael Caloyannides.
September/October 2001.
``Does Open Source Improve System Security?''
IEEE Software, Vol. 18, No. 5.
pp. 57-61.
http://www.computer.org/software
[Wood 1985]
Wood, Patrick H. and Stephen G. Kochan.
1985.
Unix System Security.
Indianapolis, Indiana: Hayden Books.
ISBN 0-8104-6267-2.
[Wreski 1998]
Wreski, Dave.
August 22, 1998.
Linux Security Administrator's Guide.
Version 0.98.
http://www.nic.com/~dave/SecurityAdminGuide/index.html
[Yoder 1998]
Yoder, Joseph and Jeffrey Barcalow.
1998.
Architectural Patterns for Enabling Application Security.
PLoP '97
http://st-www.cs.uiuc.edu/~hanmer/PLoP-97/Proceedings/yoder.pdf
[Zalewski 2001]
Zalewski, Michal.
May 16-17, 2001.
Delivering Signals for Fun and Profit:
Understanding, exploiting and preventing signal-handling related
vulnerabilities.
Bindview Corporation.
http://razor.bindview.com/publish/papers/signals.txt
[Zoebelein 1999]
Zoebelein, Hans U.
April 1999.
The Internet Operating System Counter.
http://www.leb.net/hzo/ioscount.