From owner-freebsd-security Tue Dec 17 10:52:37 1996
Return-Path:
Received: (from root@localhost) by freefall.freebsd.org (8.8.4/8.8.4) id KAA11786 for security-outgoing; Tue, 17 Dec 1996 10:52:37 -0800 (PST)
Received: from relay.nuxi.com (nuxi.cs.ucdavis.edu [128.120.56.38]) by freefall.freebsd.org (8.8.4/8.8.4) with ESMTP id KAA11781 for ; Tue, 17 Dec 1996 10:52:34 -0800 (PST)
Received: (from obrien@localhost) by relay.nuxi.com (8.7.5/8.6.12) id KAA11580; Tue, 17 Dec 1996 10:52:37 -0800 (PST)
Message-ID:
Date: Tue, 17 Dec 1996 10:52:36 -0800
From: obrien@NUXI.com (David E. O'Brien)
To: craig@progroup.com (Craig Shaver)
Cc: security@FreeBSD.ORG
Subject: Re: crontab security hole exploit
References: <199612161654.IAA19864@seabass.progroup.com>
X-Mailer: Mutt 0.53
Mime-Version: 1.0
X-PGP-Fingerprint: B7 4D 3E E9 11 39 5F A3 90 76 5D 69 58 D9 98 7A
X-Pgp-Keyid: 34F9F9D5
In-Reply-To: <199612161654.IAA19864@seabass.progroup.com>; from Craig Shaver on Dec 16, 1996 08:54:26 -0800
Sender: owner-security@FreeBSD.ORG
X-Loop: FreeBSD.org
Precedence: bulk

Craig Shaver writes:
> Is there someplace or some book that someone who is writing new software can
> refer to for learning how to write secure code in the first place? I
> certainly don't want to ask some whiny security cop for each and every
> little detail.... :)

Yes. The problem is getting such papers accepted to journals. Which one(s) are appropriate? And then getting people to read them.

Matt Bishop has written two similar papers on the topic:

"How to Write a Setuid Program", ;login: 12(1) [Jan/Feb 1987] pp. 5-11

Marcus Ranum offers a tutorial on this topic. It will be offered at the USENIX technical conference in Jan 1997.

--
David (obrien@cs.ucdavis.edu)

P.S. If you want Bishop's papers, I can try to field requests.