Links
- Running with Scissors
- Strings
- Pointer Subterfuge
- Dynamic Memory Management
- Integer Security
- Formatted Output
- File I/O
- Recommended Practices
Preface
Linux distributions
http://www.linux.org/dist/list.html
Chapter 1 : Running with Scissors
Microsoft Security Bulletin MS03-026
http://www.microsoft.com/technet/security/bulletin/MS03-026.mspx
LSD special report
http://lsd-pl.net/special.html
Society for Competitive Intelligence Professionals (SCIP)
http://www.scip.org/
Network Definition
http://www.webopedia.com/TERM/n/network.html
Status of C99 features in GCC
http://gcc.gnu.org/c99status.html
Chapter 2: Strings
Buffer Overflow in Apache 1.3.xx fixed on Bugtraq
http://blogs.msdn.com/michael_howard/archive/2004/10/29/249713.aspx
XXL v1.0.1
http://www.zork.org/xxl
Herman ten Brugge Home Page
http://web.inter.nl.net/hcc/Haj.Ten.Brugge/
Projects: Libsafe
http://www.research.avayalabs.com/project/libsafe
Kerberos: The Network Authentication Protocol
http://web.mit.edu/kerberos/www/
Buffer Overrun Vulnerabilities in Kerberos
http://web.mit.edu/kerberos/www/advisories/krb4buf.txt
Metamail Message Parsing System Compromise Vulnerabilities
http://secunia.com/advisories/10908/
Chapter 3: Pointer Subterfuge
Chapter 4: Dynamic Memory Management
MIT krb5 Security Advisory 2004-002
http://web.mit.edu/kerberos/advisories/MITKRB5-SA-2004-002-dblfree.txt
e-matters Security Advisory 07/2004
http://security.e-matters.de/advisories/072004.html
Microsoft Security Bulletin MS02-065
http://www.microsoft.com/technet/security/bulletin/MS02-065.mspx
e-matters Security Advisory 01/2003
http://security.e-matters.de/advisories/012003.html
MIT krb5 Security Advisory 2004-002
http://web.mit.edu/kerberos/advisories/MITKRB5-SA-2004-002-dblfree.txt
Chapter 5: Integer Security
Data Type Ranges
http://msdn.microsoft.com/library/default.asp?url=/library/en-us/vclang/html/_langref_Data_Type_Ranges.asp
Windows Data Types
http://msdn.microsoft.com/library/default.asp?url=/library/en-us/winprog/winprog/windows_data_types.asp
Flaw in calloc and similar routines
http://cert.uni-stuttgart.de/advisories/calloc.php
SunRPC xdr_array buffer overflow
http://www.iss.net/security_center/static/9170.php
Sun(sm)Alert Notification ID: 46122
http://sunsolve.sun.com/search/document.do?assetkey=1-26-46122-1
eEye Digital Security advisory AD20030723
http://www.eeye.com/html/Research/Advisories/AD20030723.html
Microsoft Advisory MS03-030
http://www.microsoft.com/technet/security/bulletin/ms03-030.mspx
Chapter 6: Formatted Output
The Single UNIX® Specification, Version 2
http://www.opengroup.org/onlinepubs/007908799
AL-1999.005 -- Buffer overflow in qpopper
http://www.auscert.org.au/render.html?it=81
Cqual
http://www.cs.umd.edu/~jfoster/cqual
AusCERT Advisory AA-2000.02
http://ciac.llnl.gov/ciac/bulletins/k-054.shtml
SecurityFocus bugtraq ID 1387
http://www.securityfocus.com/bid/1387
Internet Security Systems Security Advisory
http://xforce.iss.net/xforce/alerts/id/advise98
Chapter 7: File I/O
StarOffice /tmp Directory Symbolic Link Vulnerability
http://www.securityfocus.com/bid/1922
Chapter 8: Recommended Practices
Systrace - Interactive Policy Generation for System Calls
http://www.citi.umich.edu/u/provos/systrace/
Free Software Security Tools
http://www.securesoftware.com/resources/tools.html
Flawfinder
http://www.dwheeler.com/flawfinder/
ITS4: Software Security Tool
http://www.cigital.com/its4/
Meta-Level Compilation
http://metacomp.stanford.edu/
Fuzz Testing of Application Reliability
http://www.cs.wisc.edu/~bart/fuzz/fuzz.html
Index of Checklists
http://msdn.microsoft.com/library/default.asp?url=/library/en-us/secmod/html/secmod96.asp
