Secure Coding mailing list archives

Re: Top security papers


From: Crispin Cowan <crispin () immunix com>
Date: Tue, 10 Aug 2004 04:44:19 +0100


Matt Setzer wrote:


It's been kind of quiet around here lately - hopefully just because everyone
is off enjoying a well-deserved summer (or winter, for those of you in the
opposite hemisphere) break.  In an effort to stir things up a bit, I thought
I'd try to get some opinions about good foundational materials for security
professionals.  (I'm relatively new to the field, and would like to broaden
my background knowledge.)  Specifically, what are the top five or ten
security papers that you'd recommend to anyone wanting to learn more about
security?  What are the papers that you keep printed copies of and reread
every few years just to get a new perspective on them?


Here's my top 5. Things to note:

  1. It is more like 1 + 4. The first paper (Saltzer and Schroeder)
     should be *required* reading for everyone who claims to have the
     slightest clue about security. Everything of significance in
     computer security is in this article in some form. The only
     significant technology missing is public key crypto, and that is
     because it had not been invented yet.
  2. The other 4 are a quick & dirty skim through my bibliographic
     database. I could easily have missed some papers that are more
     seminal than these, but these 4 are very good, readable, and
     important.
  3. I excluded my own papers from consideration, but if you want to
     see them ... :) http://immunix.com/~crispin/

Crispin

@article{salt75,
   author = "Jerome H. Saltzer and Michael D. Schroeder",
   title = "{The Protection of Information in Computer Systems}",
   journal = "Proceedings of the IEEE",
   volume = 63,
   number = 9,
   month = "November",
   year = 1975
}

@article{one96,
   author = "``Aleph One''",
   title = "{Smashing The Stack For Fun And Profit}",
   journal = "Phrack",
   volume = 7,
   number = 49,
   month = "November",
   year = 1996
}

@article{miller90,
   author = "B. P. Miller and L. Fredriksen and B. So",
   title = "{An Empirical Study of the Reliability of {\sc Unix}
       Utilities}",
   journal = "Communications of the ACM",
   pages = "33-44",
   volume = 33,
   number = 12,
   month = "December",
   year = 1990,
   lcindex = "QA76.A772"
}

@inproceedings{badger95,
   author = "Lee Badger and Daniel F. Sterne and others",
   title = "{Practical Domain and Type Enforcement for UNIX}",
   booktitle = "Proceedings of the IEEE Symposium on Security and Privacy",
   address = "Oakland, CA",
   month = "May",
   year = 1995
}

@article{land94,
   author = "Carl E. Landwehr and Alan R. Bull and John P. McDermott
       and William S. Choi",
   title = "{A Taxonomy of Computer Program Security Flaws}",
   journal = "ACM Computing Surveys",
   volume = 26,
   number = 3,
   month = "September",
   pages = "211-254",
   year = 1994
}
