<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2 Final//EN">
<HTML>
<HEAD>
<META NAME="GENERATOR" CONTENT="SGML-Tools 1.0.9">
<TITLE>Secure Programming for Linux HOWTO: References</TITLE>
<LINK HREF="Secure-Programs-HOWTO-12.html" REL=next>
<LINK HREF="Secure-Programs-HOWTO-10.html" REL=previous>
<LINK HREF="Secure-Programs-HOWTO.html#toc11" REL=contents>
</HEAD>
<BODY>
<A HREF="Secure-Programs-HOWTO-12.html">Next page</A>
<A HREF="Secure-Programs-HOWTO-10.html">Previous page</A>
<A HREF="Secure-Programs-HOWTO.html#toc11">Table of contents</A>
<HR>
<H2><A NAME="s11">11. References</A></H2>

<P><I>Note that the references listed here focus on technical documents available on Web sites, because most technical information of this kind can be obtained from Web sites.</I>

<P>[Al-Herbish 1999] Al-Herbish, Thamer. 1999. <I>Secure Unix Programming FAQ</I>. <A HREF="http://www.whitefang.com/sup">http://www.whitefang.com/sup</A>.

<P>[Aleph1 1996] Aleph1. November 8, 1996. ``Smashing The Stack For Fun And Profit.'' <I>Phrack Magazine</I>. Issue 49, Article 14. <A HREF="http://www.phrack.com/search.phtml?view&amp;article=p49-14">http://www.phrack.com/search.phtml?view&amp;article=p49-14</A> or alternatively <A HREF="http://www.2600.net/phrack/p49-14.html">http://www.2600.net/phrack/p49-14.html</A>.

<P>[Anonymous unknown] <I>SETUID(7)</I>. <A HREF="http://www.homeport.org/~adam/setuid.7.html">http://www.homeport.org/~adam/setuid.7.html</A>.

<P>[AUSCERT 1996] Australian Computer Emergency Response Team (AUSCERT) and O'Reilly. May 23, 1996 (rev 3C). <I>A Lab Engineers Check List for Writing Secure Unix Code</I>. <A HREF="ftp://ftp.auscert.org.au/pub/auscert/papers/secure_programming_checklist">ftp://ftp.auscert.org.au/pub/auscert/papers/secure_programming_checklist</A>.

<P>[Bach 1986] Bach, Maurice J. 1986. <I>The Design of the Unix Operating System</I>. Englewood Cliffs, NJ: Prentice-Hall, Inc. ISBN 0-13-201799-7 025.

<P>[Bellovin 1989] Bellovin, Steven M. April 1989. ``Security Problems in the TCP/IP Protocol Suite.'' <I>Computer Communications Review</I> 2:19, pp. 32-48. <A HREF="http://www.research.att.com/~smb/papers/ipext.pdf">http://www.research.att.com/~smb/papers/ipext.pdf</A>.

<P>[Bellovin 1994] Bellovin, Steven M. December 1994. <I>Shifting the Odds -- Writing (More) Secure Software</I>. Murray Hill, NJ: AT&amp;T Research. <A HREF="http://www.research.att.com/~smb/talks">http://www.research.att.com/~smb/talks</A>.

<P>[Bishop 1996] Bishop, Matt. May 1996. ``UNIX Security: Security in Programming.'' <I>SANS '96</I>. Washington DC (May 1996). <A HREF="http://olympus.cs.ucdavis.edu/~bishop/secprog.html">http://olympus.cs.ucdavis.edu/~bishop/secprog.html</A>.

<P>[Bishop 1997] Bishop, Matt. October 1997. ``Writing Safe Privileged Programs.'' <I>Network Security 1997</I>. New Orleans, LA. <A HREF="http://olympus.cs.ucdavis.edu/~bishop/secprog.html">http://olympus.cs.ucdavis.edu/~bishop/secprog.html</A>.

<P>[CC 1999] <I>The Common Criteria for Information Technology Security Evaluation (CC)</I>. August 1999. Version 2.1. Technically identical to International Standard ISO/IEC 15408:1999. <A HREF="http://csrc.nist.gov/cc/ccv20/ccv2list.htm">http://csrc.nist.gov/cc/ccv20/ccv2list.htm</A>.

<P>[CERT 1998] Computer Emergency Response Team (CERT) Coordination Center (CERT/CC). February 13, 1998. <I>Sanitizing User-Supplied Data in CGI Scripts</I>. CERT Advisory CA-97.25.CGI_metachar. <A HREF="http://www.cert.org/advisories/CA-97.25.CGI_metachar.html">http://www.cert.org/advisories/CA-97.25.CGI_metachar.html</A>.

<P>[CMU 1998] Carnegie Mellon University (CMU). February 13, 1998. Version 1.4. ``How To Remove Meta-characters From User-Supplied Data In CGI Scripts.'' <A HREF="ftp://ftp.cert.org/pub/tech_tips/cgi_metacharacters">ftp://ftp.cert.org/pub/tech_tips/cgi_metacharacters</A>.

<P>[Cowan 1999] Cowan, Crispin, Perry Wagle, Calton Pu, Steve Beattie, and Jonathan Walpole. ``Buffer Overflows: Attacks and Defenses for the Vulnerability of the Decade.'' <I>Proceedings of DARPA Information Survivability Conference and Expo (DISCEX)</I>, <A HREF="http://schafercorp-ballston.com/discex">http://schafercorp-ballston.com/discex</A>. To appear at SANS 2000, <A HREF="http://www.sans.org/newlook/events/sans2000.htm">http://www.sans.org/newlook/events/sans2000.htm</A>. For a copy, see <A HREF="http://immunix.org/documentation.html">http://immunix.org/documentation.html</A>.

<P>[Fenzi 1999] Fenzi, Kevin, and Dave Wreski. April 25, 1999. <I>Linux Security HOWTO</I>. Version 1.0.2. <A HREF="http://www.linuxdoc.org/HOWTO/Security-HOWTO.html">http://www.linuxdoc.org/HOWTO/Security-HOWTO.html</A>.

<P>[FreeBSD 1999] FreeBSD, Inc. 1999. ``Secure Programming Guidelines.'' <I>FreeBSD Security Information</I>. <A HREF="http://www.freebsd.org/security/security.html">http://www.freebsd.org/security/security.html</A>.

<P>[FSF 1998] Free Software Foundation. December 17, 1999. <I>Overview of the GNU Project</I>. <A HREF="http://www.gnu.ai.mit.edu/gnu/gnu-history.html">http://www.gnu.ai.mit.edu/gnu/gnu-history.html</A>.

<P>[Galvin 1998a] Galvin, Peter. April 1998. ``Designing Secure Software.'' <I>Sunworld</I>. <A HREF="http://www.sunworld.com/swol-04-1998/swol-04-security.html">http://www.sunworld.com/swol-04-1998/swol-04-security.html</A>.

<P>[Galvin 1998b] Galvin, Peter. August 1998. ``The Unix Secure Programming FAQ.'' <I>Sunworld</I>. <A HREF="http://www.sunworld.com/sunworldonline/swol-08-1998/swol-08-security.html">http://www.sunworld.com/sunworldonline/swol-08-1998/swol-08-security.html</A>.

<P>[Garfinkel 1996] Garfinkel, Simson and Gene Spafford. April 1996. <I>Practical UNIX &amp; Internet Security, 2nd Edition</I>. ISBN 1-56592-148-8. Sebastopol, CA: O'Reilly &amp; Associates, Inc. <A HREF="http://www.oreilly.com/catalog/puis">http://www.oreilly.com/catalog/puis</A>.

<P>[Gong 1999] Gong, Li. June 1999. <I>Inside Java 2 Platform Security</I>. Reading, MA: Addison Wesley Longman, Inc. ISBN 0-201-31000-7.

<P>[Gundavaram Unknown] Gundavaram, Shishir, and Tom Christiansen. Date Unknown. <I>Perl CGI Programming FAQ</I>. <A HREF="http://language.perl.com/CPAN/doc/FAQs/cgi/perl-cgi-faq.html">http://language.perl.com/CPAN/doc/FAQs/cgi/perl-cgi-faq.html</A>.

<P>[Kim 1996] Kim, Eugene Eric. 1996. <I>CGI Developer's Guide</I>. SAMS.net Publishing. ISBN 1-57521-087-8. <A HREF="http://www.eekim.com/pubs/cgibook">http://www.eekim.com/pubs/cgibook</A>.

<P>[McClure 1999] McClure, Stuart, Joel Scambray, and George Kurtz. 1999. <I>Hacking Exposed: Network Security Secrets and Solutions</I>. Berkeley, CA: Osborne/McGraw-Hill. ISBN 0-07-212127-0.

<P>[Miller 1999] Miller, Todd C. and Theo de Raadt. ``strlcpy and strlcat -- Consistent, Safe, String Copy and Concatenation.'' <I>Proceedings of Usenix '99</I>. <A HREF="http://www.usenix.org/events/usenix99/millert.html">http://www.usenix.org/events/usenix99/millert.html</A> and <A HREF="http://www.usenix.org/events/usenix99/full_papers/millert/PACKING_LIST">http://www.usenix.org/events/usenix99/full_papers/millert/PACKING_LIST</A>.

<P>[Mudge 1995] Mudge. October 20, 1995. <I>How to write Buffer Overflows</I>. l0pht advisories. <A HREF="http://www.l0pht.com/advisories/bufero.html">http://www.l0pht.com/advisories/bufero.html</A>.

<P>[OSI 1999] Open Source Initiative. 1999. <I>The Open Source Definition</I>. <A HREF="http://www.opensource.org/osd.html">http://www.opensource.org/osd.html</A>.

<P>[Pfleeger 1997] Pfleeger, Charles P. 1997. <I>Security in Computing</I>. Upper Saddle River, NJ: Prentice-Hall PTR. ISBN 0-13-337486-6.

<P>[Phillips 1995] Phillips, Paul. September 3, 1995. <I>Safe CGI Programming</I>. <A HREF="http://www.go2net.com/people/paulp/cgi-security/safe-cgi.txt">http://www.go2net.com/people/paulp/cgi-security/safe-cgi.txt</A>.

<P>[Raymond 1997] Raymond, Eric. 1997. <I>The Cathedral and the Bazaar</I>. <A HREF="http://www.tuxedo.org/~esr/writings/cathedral-bazaar">http://www.tuxedo.org/~esr/writings/cathedral-bazaar</A>.

<P>[Raymond 1998] Raymond, Eric. April 1998. <I>Homesteading the Noosphere</I>. <A HREF="http://www.tuxedo.org/~esr/writings/homesteading/homesteading.html">http://www.tuxedo.org/~esr/writings/homesteading/homesteading.html</A>.

<P>[Ranum 1998] Ranum, Marcus J. 1998. <I>Security-critical coding for programmers - a C and UNIX-centric full-day tutorial</I>. <A HREF="http://www.clark.net/pub/mjr/pubs/pdf/">http://www.clark.net/pub/mjr/pubs/pdf/</A>.

<P>[RFC 822] August 13, 1982. <I>Standard for the Format of ARPA Internet Text Messages</I>. IETF RFC 822. <A HREF="http://www.ietf.org/rfc/rfc0822.txt">http://www.ietf.org/rfc/rfc0822.txt</A>.

<P>[rfp 1999] rain.forest.puppy. ``Perl CGI problems.'' <I>Phrack Magazine</I>. Issue 55, Article 07. <A HREF="http://www.phrack.com/search.phtml?view&amp;article=p55-7">http://www.phrack.com/search.phtml?view&amp;article=p55-7</A>.

<P>[Saltzer 1974] Saltzer, J. July 1974. ``Protection and the Control of Information Sharing in MULTICS.'' <I>Communications of the ACM</I>. Vol. 17, No. 7. pp. 388-402.

<P>[Saltzer 1975] Saltzer, J., and M. Schroeder. September 1975. ``The Protection of Information in Computing Systems.'' <I>Proceedings of the IEEE</I>. Vol. 63, No. 9. pp. 1278-1308. Summarized in [Pfleeger 1997, 286].

<P>[Schneier 1998] Schneier, Bruce and Mudge. November 1998. <I>Cryptanalysis of Microsoft's Point-to-Point Tunneling Protocol (PPTP)</I>. Proceedings of the 5th ACM Conference on Communications and Computer Security, ACM Press. <A HREF="http://www.counterpane.com/pptp.html">http://www.counterpane.com/pptp.html</A>.

<P>[Schneier 1999] Schneier, Bruce. September 15, 1999. ``Open Source and Security.'' <I>Crypto-Gram</I>. Counterpane Internet Security, Inc. <A HREF="http://www.counterpane.com/crypto-gram-9909.html">http://www.counterpane.com/crypto-gram-9909.html</A>.

<P>[Seifried 1999] Seifried, Kurt. October 9, 1999. <I>Linux Administrator's Security Guide</I>. <A HREF="http://www.securityportal.com/lasg">http://www.securityportal.com/lasg</A>.

<P>[Shostack 1999] Shostack, Adam. June 1, 1999. <I>Security Code Review Guidelines</I>. <A HREF="http://www.homeport.org/~adam/review.html">http://www.homeport.org/~adam/review.html</A>.

<P>[Sitaker 1999] Sitaker, Kragen. February 26, 1999. <I>How to Find Security Holes</I>. <A HREF="http://www.pobox.com/~kragen/security-holes.html">http://www.pobox.com/~kragen/security-holes.html</A> and <A HREF="http://www.dnaco.net/~kragen/security-holes.html">http://www.dnaco.net/~kragen/security-holes.html</A>.

<P>[SSE-CMM 1999] SSE-CMM Project. April 1999. <I>System Security Engineering Capability Maturity Model (SSE CMM) Model Description Document</I>. Version 2.0. <A HREF="http://www.sse-cmm.org">http://www.sse-cmm.org</A>.

<P>[Stein 1999] Stein, Lincoln D. September 13, 1999. <I>The World Wide Web Security FAQ</I>. Version 2.0.1. <A HREF="http://www.w3.org/Security/Faq/www-security-faq.html">http://www.w3.org/Security/Faq/www-security-faq.html</A>.

<P>[Thompson 1974] Thompson, K. and D.M. Ritchie. July 1974. ``The UNIX Time-Sharing System.'' <I>Communications of the ACM</I>. Vol. 17, No. 7. pp. 365-375.

<P>[Torvalds 1999] Torvalds, Linus. February 1999. ``The Story of the Linux Kernel.'' <I>Open Sources: Voices from the Open Source Revolution</I>. Edited by Chris DiBona, Mark Stone, and Sam Ockman. O'Reilly and Associates. ISBN 1565925823. <A HREF="http://www.oreilly.com/catalog/opensources/book/linus.html">http://www.oreilly.com/catalog/opensources/book/linus.html</A>.

<P>[Webber 1999] Webber Technical Services. February 26, 1999. <I>Writing Secure Web Applications</I>. <A HREF="http://www.webbertech.com/tips/web-security.html">http://www.webbertech.com/tips/web-security.html</A>.

<P>[Wood 1985] Wood, Patrick H. and Stephen G. Kochan. 1985. <I>Unix System Security</I>. Indianapolis, Indiana: Hayden Books. ISBN 0-8104-6267-2.

<P>[Wreski 1998] Wreski, Dave. August 22, 1998. <I>Linux Security Administrator's Guide</I>. Version 0.98. <A HREF="http://www.nic.com/~dave/SecurityAdminGuide/index.html">http://www.nic.com/~dave/SecurityAdminGuide/index.html</A>.

<HR>
<A HREF="Secure-Programs-HOWTO-12.html">Next page</A>
<A HREF="Secure-Programs-HOWTO-10.html">Previous page</A>
<A HREF="Secure-Programs-HOWTO.html#toc11">Table of contents</A>
</BODY>
</HTML>