SecureProgramming.com
Login
Username: 
Password: 
Forgot your password?
Create a new account
Group By:Show Categories:Show Languages

Anti-Tampering

  • About Anti-SoftICE Tricks [View Detail]
    http://www.crackstore.com/003.htm
    A discussion of SoftICE detection tricks that crackers are good at removing.

  • CrackStore [View Detail]
    http://www.crackstore.com/
    A collection of resources for software crackers. Knowing what they know can help you devise your own techniques to slow them down.

  • The Anti-Cracking FAQ [View Detail]
    http://www.inner-smile.com/nocrack.phtml
    A good discussion of common techniques for raising the bar that software crackers must jump. Remember that these techniques often come at great cost, particularly to code maintainability.

  • Win32 Antidebugging Tricks [View Detail]
    http://library.succurit.com/virus/ANTIDEBG.TXT
    Another good anti-tampering resource for Win32 developers.

Authentication

  • SASL: the Simple Authentication and Security Layer [View Detail]
    http://asg.web.cmu.edu/sasl/
    "SASL is the Simple Authentication and Security Layer, a method for adding authentication support to connection-based protocols. To use SASL, a protocol includes a command for identifying and authenticating a user to a server and for optionally negotiating protection of subsequent protocol interactions. If its use is negotiated, a security layer is inserted between the protocol and the connection."


    The CMU SASL page includes links to their SASL implementation, Cyrus SASL.


  • The Kerberos home page [View Detail]
    http://web.mit.edu/kerberos/www/
    Kerberos is a network authentication protocol that avoids Public Key Infrastructure. It is implemented for a large number of platforms, and even comes integrated with modern Windows systems. This page is the Kerberos home page at MIT, which contains a variety of Kerberos-related resources, including the MIT Kerberos distribution.

Code Auditing

  • Lexical analysis in source code scanning [View Detail]
    http://monkey.org/~jose/presentations/czech-rubicon02.d/
    A presentation explaining why tools like RATS and flawfinder are unlikely to perform sophisticated analysis with their language understanding strategy.

  • Linux Security Analysis Tools at IBM [View Detail]
    http://www.research.ibm.com/vali/
    "The Linux Security Analysis Tools project team is looking at how to improve Linux security by building analysis tools for verifying Linux kernel source properties and access control policies. Based on our initial findings, we are optimistic that such tools are useful and usable for improving our confidence in Linux security."

  • Meta-Level Compilation [View Detail]
    http://metacomp.stanford.edu/
    The Meta-level Compilation project is a research group at Stanford that builds static analyses for finding kernel-level bugs.

  • The Open Source Quality project [View Detail]
    http://osq.cs.berkeley.edu/
    The group at Berkeley is focused on designing and building tools to improve the quality of Open Source software. They produce many code auditing tools for C, several of which check security properties.

General / Miscellaneous

  • The Cyclone programming language (a safer C dialect)5 stars [View Detail]
    http://www.research.att.com/projects/cyclone/
    This research project is a C-like language that is type safe, meaning not only are buffer overflow problems not an issue, but also there's not much of a performance hit, because many problems are found at compile-time instead of run-time.

    One good thing about Cyclone is that it's pretty easy to port legacy C applications over to it. This language definitely can help C programmers realize much of the advantages of C, while freeing them to worry about more mundane security problems that all developers should be worrying about!

  • A Secure Architecture for Internet and Wireless Services [View Detail]
    http://www.openlight.com/secarch/book1.html
    This whitepaper presents a general architecture for secure Internet and Wireless services. Many aspects of the problem are discussed, including choices of hardware, operating system, programming languages and so on. In addition, an approach to integrating security functions (such as user authentication and input validation) with the core logic of the application is discussed. The paper does recommend certain languages (such as Python and C++ for the server) but the architecture discussion is applicable to any programming language.

    The security content is not a huge part of this work. Currently, it doesn't cover things like encryption well.

  • Guidelines for Writing RFC Text on Security Considerations [View Detail]
    http://www.ietf.org/rfc/rfc3552.txt
    "All RFCs are required to have a Security Considerations section. Historically, such sections have been relatively weak. This document provides guidelines to RFC authors on how to write a good Security Considerations section."

  • IBM DeveloperWorks Security area [View Detail]
    http://www-106.ibm.com/developerworks/views/security/articles.jsp
    A collection of articles, many on secure programming.

  • Java Security Research at IBM [View Detail]
    http://www.research.ibm.com/javasec/
    A variety of projects from IBM research, including static security analysis for Java.

  • Security Code Guidelines [View Detail]
    http://java.sun.com/security/seccodeguide.html
    Sun's guidelines for writing secure applications, with sections for Java and C. The Java guidelines are more interesting, and as with many checklists of this nature, focuses on common pitfalls to avoid, and doesn't provide a complete picture on how to write secure programs (so use with caution).

  • The Common Criteria for IT Security Evaluation [View Detail]
    http://csrc.nist.gov/cc/
    The Common Criteria provides criteria for evaluating the security of information technology systems. While it is certainly more about certification of process and essentially ignores secure coding practices, it still provides a lot of value. See also www.commoncriteria.org

  • The jGuru Java Security FAQ [View Detail]
    http://www.jguru.com/faq/topicindex.jsp?topic=Security
    jGuru is a resource for Java developers. Their FAQ is an extensive list of questions and answers on security topics. Anyone is free to submit questions.

  • The Shmoo Secure Coding Page [View Detail]
    http://www.shmoo.com/securecode/
    This is a static list of secure programming resources. Most of the items are repeated on this site, are dead links, or are otherwise outdated.

  • UW/MSR/CMU Summer Institute Conference on Software Security (2003) [View Detail]
    http://research.microsoft.com/projects/SWSecInstitute/
    A conference on software security held in June, 2003. The web site contains links to papers and presentations from the conference.

General Cryptography

  • Cryptix: Open-source Cryptography Library for Java4 stars [View Detail]
    http://cryptix.org/
    I don't know if you have ever used Cryptix, I think it's a cool software package for Java. It includes symmetric and asymmetric algorithms, several classes for encoding/decoding the PKCS file formats, etc. They have PGP implementations on Java. I've used it in some projects and it's really useful.

    Anyway, I think it's a valuable resource for Java programmers (kind of like OpenSSL for Java)

  • CDSA - Apple [View Detail]
    http://developer.apple.com/darwin/projects/security/
    The Apple CDSA framework contains an expandable set of cryptographic algorithms to perform code signing and encryption operations while maintaining the security of the cryptographic keys. It also contains libraries which allow the interpretation of X.509 certificates.
    The CDSA code is used by MacOSX features such as Keychain and URL Access for protection of login data. Many cryptographic algorithms are available in the Apple CSP (Cryptographic Service Provider) module.

  • CDSA - Intel [View Detail]
    http://www.intel.com/labs/archive/cdsa.htm
    Intel Common Data Security Architecture (CDSA) is a security middleware specification and reference implementation that is open source, cross-platform, interoperable, and extensible. The Open Group (TOG) has adopted CDSA as an Open Group technical standard that successfully completed TOG formal consensus process for member acceptance and approval. CDSA was developed by the Intel research and development network.

  • Open Group - CDSA [View Detail]
    http://www.opengroup.org/security/l2-cdsa.htm
    The Common Data Security Architecture (CDSA) is a set of layered security services and cryptographic framework that provide an infrastructure for creating cross-platform, interoperable, security-enabled applications for client-server environments. CDSA covers all the essential components of security capability, to equip applications for electronic commerce and other business applications with security services that provide facilities for cryptography, certificate management, trust policy management, and key recovery.

  • The NIST Cryptographic Module Validation Program [View Detail]
    http://csrc.nist.gov/cryptval/
    The Computer Security Division at NIST maintains a number of cryptographic standards, and coordinates validation programs for many of those standards. The Cryptographic Module Validation Program encompasses validation testing for cryptographic modules and algorithms.

Input Validation

  • Bounds checking patch for gcc5 stars [View Detail]
    http://web.inter.nl.net/hcc/Haj.Ten.Brugge/
    This will get rid of all your buffer overflows statically, but will also slow down your code a bit more than less comprehensive techniques. The original web site contains some useful information, but has an out of date distribution.

Mailing Lists

Public Key Cryptography

Public Key Infrastructure

Random Numbers

  • David Wagner's Randomness Links [View Detail]
    http://www.cs.berkeley.edu/~daw/rnd/
    Links to many excellent resources on random numbers, including copies of interesting Usenet posts. As of this writing, many links are outdated / dead, however.

  • Diceware: a technique for passphrase generation [View Detail]
    http://world.std.com/~reinhold/diceware.page.html
    This page shows how to generate passphrases with high entropy manually... by rolling dice. There really is no reason to have a low entropy passphrase.


    One could consider having software recommend this page to users for apps that may be high security.


  • Diehard statistical tests [View Detail]
    http://stat.fsu.edu/~geo/diehard.html
    Statistical tests to gauge the quality of randomness that is produced by a random number generator. The Diehard tests are significantly better than FIPS-140 tests.

  • Measuring clock skew as a randomness source [View Detail]
    http://www.cs.berkeley.edu/~daw/rnd/mab-rand
    The truerand() call implemented in this newsgroup posting harvest entropy by measuring skew between multiple clocks on one machine. There's a lot of worry that this technique doesn't provide as much entropy as originally thought, particularly on more modern machines.

  • NIST Random Number Generation and Testing page [View Detail]
    http://csrc.nist.gov/rng/
    Randomness resources from the US National Institute of Standards and Technology.

  • The passphrase FAQ [View Detail]
    http://www.stack.nl/~galactus/remailers/passphrase-faq.html
    A good resource discussing how to generate passphrases securely.

Symmetric Cryptography

  • The NIST AES home page [View Detail]
    http://csrc.nist.gov/CryptoToolkit/aes/
    This is the home page for AES (the Advanced Encryption Standard) run by the US Governmental organization that is responsible for standardization. It contains links to working code, specifications and other valuable resources.

  • The SNOW Stream Cipher [View Detail]
    http://www.it.lth.se/cryptology/snow/
    The SNOW stream cipher is a very fast stream cipher that is patent-free and seems to have a very high security margin.

Unix Programming

Windows Programming

[Python Powered]