Browse Security Publications

Malicious Software

Innovative Rootkits: The Ultimate Weapon? (PDF)
G. McGraw
Network Magazine, January 1, 2005.

Backdoor Attacks on Black-Box Ciphers Exploiting Low-Entropy Plaintexts
A. Young, M. Yung
Eighth Australasian Conference on Information Security and Privacy (ACISP), Lecture Notes in Computer Science (LNCS), July 9-11, Springer-Verlag, 2003.

Non-Zero Sum Games and Survivable Malware
A. Young
Proceedings of the 4th Annual IEEE Information Assurance Workshop, June 18-20, United States Military Academy, West Point, New York, 2003.

Protecting Data from Malicious Software (PDF)
M. Schmid, F. Hill, A. Ghosh
Annual Computer Security Applications Conference (ACSAC'02), Las Vegas, NV, December, 2002.

A Toolkit for Detecting and Analyzing Malicious Software (PDF)
M. Weber, M. Schmid, D. Geyer, M. Schatz
Annual Computer Security Applications Conference (ACSAC'02), Las Vegas, NV, December, 2002.

Controlling the Execution of Unauthorized Software (PS / PDF / Word)
M. Schmid, J.T. Bloch, F. Hill, A. Ghosh
To appear in the Proceedings of the 2001 DARPA Information Survivability Conference & Exposition, June 2001, Anaheim, CA.

Bandwidth-Optimal Kleptographic Attacks
A. Young, M. Yung
Cryptographic Hardware and Embedded Systems (CHES), 2001.

Execution Control Lists: An Approach to Defending Against New and Unknown Malicious Software (PS / PDF)
A.K. Ghosh, M. Schmid
In Proceedings of the Information Survivability Workshop 2000, October 24-26, 2000, Boston, MA.

NetHose: A Tool for Finding Vulnerabilities in Network Stacks (PS / PDF)
A. Ghosh, F. Hill, M. Schmid
Short talk at the 1999 IEEE Security and Privacy Symposium, Oakland, CA, 1999.

Towards Fault-Tolerant Mobile Agents (PS / PDF)
L. Kassab, J. Voas
Workshop on Distributed Computing on the Web, June, 1998, Rostock, Germany.

Black-Box Symmetric Ciphers Designed for Monopolizing Keys
A. Young, M. Yung
Fast Software Encryption Workshop, 1998.

Encryption Tools for Mobile Agents: Sliding Encryption
A. Young, M. Yung
Fast Software Encryption Workshop.

Kleptography: Using Cryptography against Cryptography
A. Young, M. Yung
Advances in Cryptology, Eurocrypt '97, pages 62-74, Springer, 1997.

Deniable Password Snatching: On the Possibility of Evasive Electronic Espionage
A. Young, M. Yung
IEEE Symposium on Security and Privacy, pages 224-235, 1997.

The Prevalence of Kleptographic Attacks on Discrete-Log Based Cryptosystems
A. Young, M. Yung
Advances in Cryptology, CRYPTO '97, pages 264-276, Springer, 1997.

The Dark Side of 'Black-Box' Cryptography or: Should We Trust Capstone?
A. Young, M. Yung
Advances in Cryptology, CRYPTO '96, pages 89-103, Springer, 1996.

Cryptovirology: Extortion-Based Security Threats and Countermeasures
A. Young, M. Yung
IEEE Symposium on Security and Privacy, pages 129-140, 1996.

Application and OS Security

Building Secure Software

Using Attack Graphs to Design Systems (PDF)
S. Gupta, J. Winstead
IEEE Security & Privacy (Nov/Dec 2007)

Online Games and Security (PDF)
G. McGraw, G. Hoglund
IEEE Security & Privacy (Sep/Oct 2007)

Defining Misuse Within the Development Process (PDF)
G. Petersen, J. Steven
IEEE Security & Privacy (Nov/Dec 2006)

Essential Factors for Successful Software Security Awareness Training (PDF)
K. Van Wyk, J. Steven
IEEE Security & Privacy (Sep/Oct 2006)

Introduction to Identity Management Risk Metrics (PDF)
G. Peterson
IEEE Security & Privacy (Jul/Aug 2006)

Introduction to Identity Management Risk Metrics (PDF)
G. Petersen (ed. J. Steven)
IEEE Security & Privacy (Jul/Aug 2006)

Putting the Tools to Work: How to Succeed with Source Code Analysis (PDF)
P. Chandra, B. Chess, J. Steven
IEEE Security & Privacy (May/Jun 2006)

Adopting an Enterprise Software Security Framework (PDF)
J. Steven
IEEE Security & Privacy (Mar/Apr 2006)

How Flawed is Microsoft? (PDF)
G. McGraw
IT Architect Magazine, March 1, 2006.

Software Security and SOA: Danger, Will Robinson! (PDF)
J. Epstein, S. Matsumoto, G. McGraw
IEEE Security & Privacy (Jan/Feb 2006)

Seven Pernicious Kingdoms: A Taxonomy of Software Security Errors (PDF)
K. Tsipenyuk, B. Chess, G. McGraw
IEEE Security & Privacy (Nov/Dec 2005)

Bridging the Gap Between Software Development and Information Security (PDF)
K.R. van Wyk, G. McGraw
IEEE Security & Privacy (Sep/Oct 2005)

A Portal for Software Security (PDF)
N.R. Mead and G. McGraw
IEEE Security & Privacy (Jul/Aug 2005)

How Does Security Fit With Engineering? (PDF)
G. McGraw
Network Magazine, May 1, 2005.

Adopting a Software Security Improvement Program (PDF)
D. Taylor and G. McGraw
IEEE Security & Privacy (May/Jun 2005)

Software Penetration Testing (PDF)
B. Arkin, S. Stender, G. McGraw
IEEE Security & Privacy (Jan/Feb 2005)

Who Should Do Security? (PDF)
G. McGraw
Network Magazine, October 1, 2004.

Risk Analysis in Software Design (PDF)
D. Verdon, G. McGraw
IEEE Security & Privacy (July/August 2004; pp. 32-37) (Building Security In)

Misuse and Abuse Cases: Getting Past the Positive (PDF)
P. Hope, G. McGraw, A. Anton
IEEE Security & Privacy (May/Jun 2004)

Dire Straits (HTML)
G. McGraw, G. Hoglund
Information Security (April 2004)

Software Security (PDF)
G. McGraw
IEEE Security & Privacy (March/April 2004; Volume 2, Number 2, pp. 32-35)

Building Secure Software: Better than Protecting Bad Software (PDF)
G. McGraw
IEEE Software (November/December 2002; Vol. 19, No. 6, pp. 57-59) (Point/Counterpoint with Greg Hoglund)

Choosing a programming language and a distributed object platform (HTML)
G. McGraw, J. Viega
IBM developerWorks (Feb 1, 2002)

Protecting passwords: Part 2 (HTML)
G. McGraw, J. Viega
IBM developerWorks (September 2000)

Protecting passwords: Part 1 (HTML)
G. McGraw, J. Viega
IBM developerWorks (August 2000)

Make your software behave: Cryptography essentials (HTML)
G. McGraw, T. O'Connor
IBM developerWorks (July 2000)

Make your software behave: Tried and true encryption (HTML)
G. McGraw, J. Viega
IBM developerWorks (Jun 1, 2000)

Make your software behave: Playing the numbers (HTML)
G. McGraw, J. Viega
IBM developerWorks (Apr 4, 2000)

Software security principles, Part 4: Keep it simple; keep it private (HTML)
G. McGraw, J. Viega
IBM developerWorks (December 2000)

Software security principles, Part 3: Controlling access: Least privilege and compartmentalization (HTML)
G. McGraw, J. Viega
IBM developerWorks (November 2000)

Software security principles: Part 2: Defense in depth and secure failure (HTML)
G. McGraw, J. Viega
IBM developerWorks (November 2000)

Software security principles: Part 1: The chain is only as strong as its weakest link (HTML)
G. McGraw, J. Viega
IBM developerWorks (October 2000)

Make your software behave: Security by obscurity (HTML)
G. McGraw, J. Viega
IBM developerWorks (October 2000)

Statically Scanning Java Code: Finding Security Vulnerabilities
G. McGraw, J. Viega
IEEE Software (September/October 2000)

Make your software behave: Brass tacks and smash attacks (HTML)
G. McGraw, J. Viega
IBM developerWorks (Mar 14, 2000)

Make your software behave: Preventing buffer overflows (HTML)
G. McGraw, J. Viega
IBM developerWorks (Mar 7, 2000)

Make your software behave: Learning the basics of buffer overflows (HTML)
G. McGraw, J. Viega
IBM developerWorks (Mar 1, 2000)

Make your software behave: Assuring your software is secure (HTML)
G. McGraw, J. Viega
IBM developerWorks (Feb 28, 2000)

Java 2 security and stack inspection (HTML)
G. McGraw
Gamelan.com, May 12, 1999.

Why COTS Software Increases Security Risks (PS / PDF)
G. McGraw, J. Viega
ICSE Workshop on Testing Distributed Component-Based Systems, May 1999.

Software Assurance for Security (PDF / Word)
G. McGraw
IEEE Computer 32(4), pages 103-105. April 1999.

Twelve Rules for Developing More Secure Java Code (HTML)
G. McGraw, E. Felten
Java World, December 1998.

Third-Party Java Security Vendors: Solutions or Snake Oil? (Word)
G. McGraw, E. Felten
Java Report, December 1998.

Privileged code in Java: Why the API changed from JDK1.2beta3 to JDK1.2beta4 (HTML)
G. McGraw
developer.com, August 31, 1998.

E-Commerce Security: No Silver Bullet
A.K. Ghosh
In Proceedings of the IFIP WG 11.3 Working Conference on Database Security, July 15-17, 1998, Chalkidiki, GR.

Testing for Security During Development: Why we should scrap penetrate-and-patch. (PS / PDF)
G. McGraw
IEEE Aerospace and Electronic Systems, April 1998.

Implementing Assertions for Java (HTML)
J. Payne, M. Schatz, M. Schmid
Dr. Dobb's Journal, January 1998.

Testing for Security During Development: Why We Should Scrap Penetrate-and-Patch (PS)
G. McGraw
In Proceedings of 12th Annual Conference on Computer Assurance, June 16-20, 1997, Gaithersburg, MD.

General

A framework for creating custom rules for static analysis tools (PDF)
E. Dalci, J. Steven
Static Analysis Summit at NIST (June 29, 2006)

Is Your Mac Really More Secure? (PDF)
G. McGraw
Network Magazine, April 1, 2005.

Knowledge for Software Security (PDF)
S. Barnum, G. McGraw
IEEE Security & Privacy (Mar/Apr 2005)

Are We In a Computer Security Renaissance? (PDF)
G. McGraw
Network Magazine, February 1, 2005.

How Do Real Bad Guys Break Software? (PDF)
G. McGraw
Network Magazine, December 1, 2004.

Application Security Testing Tools: Worth the Money? (PDF)
G. McGraw
Network Magazine, November 1, 2004.

Risk Analysis in Software Design (PDF)
D. Verdon, G. McGraw
IEEE Security & Privacy (July/August 2004; pp. 32-37) (Building Security In)

Exploiting Software: The Achilles' Heel of CyberDefense (PDF / HTML)
G. McGraw, G. Hoglund
CyberDefense Magazine (June 2004)

Regulation and Information Security: Can Y2K Lessons Help Us? (PDF)
J. Payne
IEEE Security & Privacy (March/April 2004; Vol. 2, No. 2, pp. 32-35) (On the Horizon)

Putting Software Terminology To the Test (PDF)
J. Steven
IEEE Software (May/June 2002)

Operating systems and authentication technologies (HTML)
G. McGraw, J. Viega
IBM developerWorks (Feb 1, 2002)

Make your software behave: Brass tacks and smash attacks (HTML)
G. McGraw, J. Viega
IBM developerWorks (Mar 14, 2000)

Make your software behave: Preventing buffer overflows (HTML)
G. McGraw, J. Viega
IBM developerWorks (Mar 7, 2000)

Make your software behave: Learning the basics of buffer overflows (HTML)
G. McGraw, J. Viega
IBM developerWorks (Mar 1, 2000)

How We Learned to Cheat in Online Poker: A Study in Software Security (PDF / HTML)
B. Arkin, F. Hill, S. Marks, M. Schmid, T.J. Walls, G. McGraw
Developer.Com, 09/28/99.

Mobile Code Security (HTML)
G. McGraw and E. Felten
Editors, IEEE Internet Computing, November/December 1998.

An Approach for Certifying Security in Software Components (PS / PDF)
A. Ghosh, G. McGraw
Proceedings of the 21st National Information Systems Security Conference, October 5-8, 1998, Crystal City, VA.

Agent Trustworthiness (PS / PDF)
L. Kassab, J. Voas
Workshop on Mobile Object Systems: Secure Internet Mobile, July, 1998, Brussels, Belgium.

An Automated Approach for Identifying Potential Vulnerabilities in Software (PS / PDF)
A. Ghosh, T. O'Connor, G. McGraw
Proceedings of the IEEE Symposium on Security and Privacy, Oakland, CA. May 3-6, 1998, pp. 104-114.

Smart Cards, Java Cards and Security (HTML)
G. McGraw
developer.com, January 19, 1998.

Developing Expertise in Software Security: An Outsider's Perspective (PS / PDF)
G. McGraw, A.K. Ghosh
In working notes of the Invitational Workshop on Computer Vulnerability Data Sharing, NIST, June 1996.

Intrusion Detection

Two State-Based Approaches to Program-based Anomaly Detection (PS / PDF)
C. Michael, A. Ghosh
Proceedings of ACSAC 2000, December 2000.

A Real-Time Intrusion Detection System Based on Learning Program Behavior (PS / PDF)
A.K. Ghosh, C.C. Michael, and M.A. Schatz
Recent Advances in Intrusion Detection; Third International Workshop, RAID 2000.

Learning Program Behavior Profiles for Intrusion Detection (PS / PDF)
A.K. Ghosh, A. Schwartzbard, M. Schatz
To appear in Proceedings of the 1st USENIX Workshop on Intrusion Detection and Network Monitoring, April 9-12, 1999, Santa Clara, CA.

Using Program Behavior Profiles for Intrusion Detection (PS / PDF)
A.K. Ghosh, A. Schwartzbard, M. Schatz
SANS Conference and Workshop on Intrusion Detection and Response, Technical Conference, Workshop on the State of the Art and Future Directions of Intrusion Detection and Response, February 12-13, San Diego, CA, pp. 1-20 -- 1-26.

Detecting Anomalous and Unknown Intrusions Against Programs (PS / PDF)
A.K. Ghosh, J. Wanken, F. Charron
Proceedings of Annual Computer Security Applications Conference (ACSAC'98), December 7-11, 1998, Scottsdale, AZ.

Cryptography

A Subliminal Channel in Secret Block Ciphers
A. Young, M. Yung
Selected Areas in Cryptography, August 9-10, 2004.

A Key Recovery System as Secure as Factoring
A. Young, M. Yung
CT-RSA Conference, 2004.

Relationships Between Diffie-Hellman and Index Oracles
A. Young, M. Yung
Fourth Conference on Security in Communication Networks '04, 2004.

A Weakness in Smart-Card PKI Certification
A. Young
Proceedings of the 4th Annual IEEE Information Assurance Workshop, June 18-20, United States Military Academy, West Point, New York, 2003.

A PVSS as Hard as Discrete Log and Shareholder Separability
A. Young, M. Yung
PKC 2001 (Public Key Crypto).

Secure mobile gambling
M. Jakobsson, D. Pointcheval, A. Young
CT-RSA Conference 2001.

Make your software behave: Cryptography essentials (HTML)
G. McGraw, T. O'Connor
IBM developerWorks (July 2000)

Make your software behave: Tried and true encryption (HTML)
G. McGraw, J. Viega
IBM developerWorks (Jun 1, 2000)

Preliminary Cryptanalysis of Reduced-Round Serpent (PS / PDF)
T. Kohno, J. Kelsey, and B. Schneier
Third AES Candidate Conference, April 13-14, 2000.

Amplified Boomerang Attacks Against Reduced-Round MARS and Serpent (PS / PDF)
J. Kelsey, T. Kohno, B. Schneier
Seventh Fast Software Encryption Workshop, Springer-Verlag, April 10-12, 2000.

Towards Signature-Only Signature Schemes
A. Young, M. Yung
Asiacrypt 2000.

RSA Based Auto-Recoverable Cryptosystems
A. Young, M. Yung
Proceedings of Public Key Cryptography (PKC), 2000.

Hash to the Rescue: Space Minimization for PKI Directories
A. Young, M. Yung
ICISC 2000 (International Conf. on Info. Sec. and Crypto).

Auto-Recoverable Cryptosystems with Faster Initialization and the Escrow Hierarchy
A. Young, M. Yung
Proceedings of Public Key Cryptography (PKC), 1999.

Auto-Recoverable Auto-Certifiable Cryptosystems (a survey)
A. Young, M. Yung
CQRE, Springer-Verlag, LNCS, 1999.

Non-Interactive CryptoComputing for NC1
T. Sander, A. Young, M. Yung
40th Annual Symposium on Foundations of Computer Science (FOCS), IEEE Computer Society, pages 554-566, '99.

Auto-Recoverable Auto-Certifiable Cryptosystems
A. Young, M. Yung
Advances in Cryptology, Eurocrypt '98.

Finding Length-3 Positive Cunningham Chains and their Cryptographic Significance
A. Young, M. Yung
Algorithmic Number Theory III (ANTS), LNCS vol. 1423, 1998.
