CSC 495 — More Information
Stories from Lecture 1 (Jan. 13)
Heartbleed links
Related to Lecture 2 (Jan. 15)
- Guidelines for Security Vulnerability Reporting and Response - from the Organization for Internet Safety, Sept. 1, 2004
Mailing lists and feeds for vulnerability announcements and security news
- SecurityFocus mailing lists, including Bugtraq
- US-CERT feeds - includes alerts and weekly bulletins
- Open Source Security group
News sites and blogs
A few more high-quality blogs that are not in the slides
- A Few Thoughts on Cryptographic Engineering - Matthew Green's blog
Related to Lecture 3 (Jan 22)
Note: Several other links in the lecture notes
- Software Insecurity: The Problem with the White House Cybersecurity Proposals - Steve Bellovin's blog post
- Shopping for Zero-Days: A Price List for Hackers' Secret Software Exploits - by Andy Greenberg (Forbes)
- Cards Stolen in Target Breach Flood Underground Markets - Krebs on Security article with info about underground card shops (markets for stolen credit cards)
- Before we knew it: an empirical study of zero-day attacks in the real world, by Leyla Bilge and Tudor Dumitras. 2012 ACM Conference on Computer and Communications Security (CCS). Full paper at the link from UNCG hosts, or this link from anywhere
- The NSA hacks other countries by buying millions of dollars' worth of computer vulnerabilities - The Washington Post
- Bug Bounty and Responsible Disclosure Programs
- The Known Unknowns: Empirical Analysis of Publicly Unknown Security Vulnerabilities, by Stefan Frei (NSS Labs)
- Meet the Hackers Who Sell Spies the Tools To Crack Your PC (And Get Paid Six-figure Fees) - by Andy Greenberg (Forbes) - a particularly good story on the Vupen "vulnerability vendor"
Related to Systems Review Lectures (Jan 29 and Feb 3)
- GDB Cheat Sheet - PDF version - this "cheatsheet" is focused on GDB commands that are often used in reverse engineering rather than source-level debugging
Related to Feb. 5 lecture
- Recent vulnerability story: The GHOST Vulnerability - from the Qualys Blog
Related to Assignment 2
grep is a very powerful tool that is integral to Assignment 2, and everyone who works with Unix systems in a technical way should become comfortable with it. The following tutorials get you started using grep; there is a whole lot more to it than just this, however!
- Drew's grep tutorial - an excellent introduction to the basics of grep (with a link to a more extensive tutorial on regular expressions)
- How To Search Your Source With Grep - a few examples specifically oriented at searching source code
- 15 Practical Grep Command Examples in Linux/Unix - examples, examples, examples!
Related to Static Analysis
- A Few Billion Lines of Code Later: Using Static Analysis to Find Bugs in the Real World - CACM article by Al Bessey, Ken Block, Ben Chelf, Andy Chou, Bryan Fulton, Seth Hallem, Charles Henri-Gros, Asya Kamsky, Scott McPeak, and Dawson Engler. Amusing tales of the challenges of taking a Stanford research project and turning it into a commercial product (the Coverity Static Analysis tool).