The internet worm program: an analysis
ACM SIGCOMM Computer Communication Review
Modeling software design diversity: a review
ACM Computing Surveys (CSUR)
CCured: type-safe retrofitting of legacy code
POPL '02 Proceedings of the 29th ACM SIGPLAN-SIGACT symposium on Principles of programming languages
Security Engineering: A Guide to Building Dependable Distributed Systems
Security Engineering: A Guide to Building Dependable Distributed Systems
Protection in Programming-Language Translations
ICALP '98 Proceedings of the 25th International Colloquium on Automata, Languages and Programming
ATEC '02 Proceedings of the General Track of the annual conference on USENIX Annual Technical Conference
Secure Execution via Program Shepherding
Proceedings of the 11th USENIX Security Symposium
Building Diverse Computer Systems
HOTOS '97 Proceedings of the 6th Workshop on Hot Topics in Operating Systems (HotOS-VI)
Countering code-injection attacks with instruction-set randomization
Proceedings of the 10th ACM conference on Computer and communications security
Beyond Stack Smashing: Recent Advances in Exploiting Buffer Overruns
IEEE Security and Privacy
On the effectiveness of address-space randomization
Proceedings of the 11th ACM conference on Computer and communications security
The Blaster Worm: Then and Now
IEEE Security and Privacy
Proceedings of the 12th ACM conference on Computer and communications security
Formal certification of a compiler back-end or: programming a compiler with a proof assistant
Conference record of the 33rd ACM SIGPLAN-SIGACT symposium on Principles of programming languages
Independence From Obfuscation: A Semantic Framework for Dive
CSFW '06 Proceedings of the 19th IEEE workshop on Computer Security Foundations
The Security Development Lifecycle
The Security Development Lifecycle
Metasploit Toolkit for Penetration Testing, Exploit Development, and Vulnerability Research
Metasploit Toolkit for Penetration Testing, Exploit Development, and Vulnerability Research
Securing the .NET programming model
Theoretical Computer Science - Applied semantics
Proceedings of the 2007 ACM symposium on Applied computing
FormatGuard: automatic protection from printf format string vulnerabilities
SSYM'01 Proceedings of the 10th conference on USENIX Security Symposium - Volume 10
PointguardTM: protecting pointers from buffer overflow vulnerabilities
SSYM'03 Proceedings of the 12th conference on USENIX Security Symposium - Volume 12
Non-control-data attacks are realistic threats
SSYM'05 Proceedings of the 14th conference on USENIX Security Symposium - Volume 14
Using web application construction frameworks to protect against code injection attacks
Proceedings of the 2007 workshop on Programming languages and analysis for security
SafeDrive: safe and recoverable extensions using language-based techniques
OSDI '06 Proceedings of the 7th USENIX Symposium on Operating Systems Design and Implementation - Volume 7
Securing software by enforcing data-flow integrity
OSDI '06 Proceedings of the 7th USENIX Symposium on Operating Systems Design and Implementation - Volume 7
StackGuard: automatic adaptive detection and prevention of buffer-overflow attacks
SSYM'98 Proceedings of the 7th conference on USENIX Security Symposium - Volume 7
A tool for constructing safe extensible C++ systems
COOTS'97 Proceedings of the 3rd conference on USENIX Conference on Object-Oriented Technologies (COOTS) - Volume 3
The geometry of innocent flesh on the bone: return-into-libc without function calls (on the x86)
Proceedings of the 14th ACM conference on Computer and communications security
A theory of secure control flow
ICFEM'05 Proceedings of the 7th international conference on Formal Methods and Software Engineering
Formal verification of a c compiler front-end
FM'06 Proceedings of the 14th international conference on Formal Methods
Return-Oriented Programming: Systems, Languages, and Applications
ACM Transactions on Information and System Security (TISSEC) - Special Issue on Computer and Communications Security
On Protection by Layout Randomization
ACM Transactions on Information and System Security (TISSEC)
Proceedings of the 2012 ACM conference on Computer and communications security
On layout randomization for arrays and functions
POST'13 Proceedings of the Second international conference on Principles of Security and Trust
Layout Randomization and Nondeterminism
Electronic Notes in Theoretical Computer Science (ENTCS)
Hi-index | 0.02 |
This tutorial paper considers the issues of low-level software security from a language-based perspective, with the help of concrete examples. Four examples of low-level software attacks are covered in full detail; these examples are representative of the major types of attacks on C and C++ software that is compiled into machine code. Six examples of practical defenses against those attacks are also covered in detail; these defenses are selected because of their effectiveness, wide applicability, and low enforcement overhead.