Recently on the SC-L
mailing list a discussion on the topic of good security papers has
ensued. As you know, on the right side of my blog I have some of my
personal favorites. Those are papers that at the time of reading,
actually “changed” my thinking in some way. What it doesn't truly
reflect is what the GOOD papers are for OTHER security software engineers.
To rectify that, let me give you a list (in no particular order) of
my favorite “security papers” that have interesting components. Please
note this is FAR from an exhaustive list, but merely papers that I read
that I enjoyed at the time.
- The Protection of Information in Computer Systems
- Smashing the Stack for Fun and Profit
- Ten Risks of PKI: What You're Not Being Told About Public Key Infrastructure
- A Guide to Understanding Covert Channel Analysis of Trusted Systems
- Department of Defense Trusted Computer System Evaluation Criteria
- Reflections on Trusting Trust
- Preliminary Notes on the Design of Secure Military Computer Systems
- Secure Programming for Linux and Unix HOWTO
- Buffer Overflows: Attacks and Defenses for the Vulnerability of the Decade
- Secure Computer System: Unified Exposition and Multics Interpretation
- A Taxonomy of Computer Program Security Flaws
- Computer Security Threat Monitoring and Surveillance
- Subversion: The Neglected Aspect of Computer Security
- A Provably Secure Operating System
Funny thing is, most of these are over 20 years old! What
does that say for our industry, when many of the issues in infosec have
foundations we could have learned from so many years ago?
Anyways, if you have the time, consider reading some (or all) of these papers. Good stuff.