Computer and Network Security
CS494/594            Class 14   11/28/06

Topics

• writing secure code
• crypto APIs
• secure applications
• lecture slides

Required reading

• securing memory
• CERT's secure coding and their secure coding standards
• Boehm software defect reduction

Additional reading

• Cert's secure coding
• SANS top 25 coding errors
• Saltzer/Schroeder The protection of information in computer systems 1975
• Books: Secure Coding and website or Writing Secure code or Software Security or Building Secure Software or Secure Coding in C and C++ or 19 Deadly Sins of Software Security or The Security Development Lifecycle or Secure Programming with Static Analysis
• Secure Software begins in the Development Process
• attack tress and CERT's attack modeling
• inspection vs testing and security review vs code review
• a process for security code reviews
• corrrect vs secure
• AppSIC and crash test ratings for software and Information security: How liable should vendors be?
• Cyclone a safer dialect of C
• C safe string or strlcpy strlcat or CERT's managed string library
• OpenBSD's software security
• famous software bugs
• insecure programming by example
• Brook's No Silver Bullet: Essence and Accidents of Software Engineering or pdf
• Boehm software defect reduction and software design (ppt)
• static analysis and here and see Coverity's white papers and klocwork product and fortify and book Secure Programming with Static Analysis
• microsoft vista address space randomization and white paper
• pax and here
• nx bit

  cyrpto APIs

• GSS (Generic Security Service API) RFC's RFC2078 v2 and SPKM or older RFC1508 and RFC1509
• GSS api v2 C bindings
• GSS API overview
• SSLeay ftp and FAQ and programmer ref
• OpenSSL and OpenSSL book and OpenSSL how to
• BSAFE crypto lib
• LibTomCrypt crypto lib
• IETF CAPI info
• RSAREF 2.0 info
• CryptoLib info from Bell Labs
• Java kerberos API and GSS API and Java GSS client and server
• Crypto++ C++ API cryptlib
• Microsoft's CAPI crypto API or here or here
• PCKS 11 cryptoki -- crypto card api
• Verisign USB OTP/PKI dongle or FORTEZZA card or DoD common access smart card
• IBM 4758 PCI Cryptographic Coprocessor
• OATH open reference architecture for strong authentication
• java 1.4.2 crypto architecture API and specs examples
• java 1.4.2 java.security or java.security tree and java.security.interfaces and the jce 1.4 cryptography extension and jce api
• Java JSSE SSL
• Java's SecureRandom PRNG
• how Java JCE was made exportable
• cryptix Java API
• Java code signing and Microsoft authenticode code signing and Vista code signing driver code
• Gutmann's cryptlib
• comparison of crypto libs
• Stanford's SRP
• nautilus secure net phone or speakfreely
• zfone encrypted voice over IP versus vomit
• CFS and ESM Cryptographic File System (CFS) paper and Encrypting Session Manager (ESM) paper
• bestcrypt windows/linux disk encryption
• Window's 2000 EFS encrypting file system or here
• EFS resources
• Windows bitlocker drive encryption and encryption techniques
• pointsec media encryption
• Linux disk encryption and truecrypt
• MAC filevault
• snmp security and RFC 3414 and here or snmp v3 security
• getting crypto wrong GSM flaws or pptp Microsoft's implementation flaws or Netscape's random number problems
• as always, cruise the security page