===================
Reference materials
===================

------------
Cryptography
------------

- *Applied Cryptography* by Bruce Schneier. John Wiley & Sons, 1996. ISBN 0-471-11709-9.
- `Handbook of Applied Cryptography <http://www.cacr.math.uwaterloo.ca/hac/>`__ by Menezes, van Oorschot, and Vanstone.
- *Introduction to Cryptography* by Johannes Buchmann. Springer, 2004. ISBN 978-0-387-21156-5.
- Cryptographic libraries:
  
   - `KeyCzar <http://www.keyczar.org/>`__ by Google.
   - `GPGME <http://www.gnupg.org/gpgme.html>`__ by GnuPG.
   - `OpenSSL <http://www.openssl.org/>`__.
   - `NaCl: Networking and Cryptography library <http://nacl.cace-project.eu/>`__ by Tanja Lange and Daniel J. Bernstein.

-------------------------
Control hijacking attacks
-------------------------

- `Smashing The Stack For Fun And Profit <http://www.phrack.com/issues.html?issue=49&id=14#article>`__, Aleph One.
- `Bypassing non-executable-stack during exploitation using return-to-libc <readings/return-to-libc.pdf>`__ by c0ntex.
- `Basic Integer Overflows <http://www.phrack.com/issues.html?issue=60&id=10#article>`__, blexim.
- *The C programming language (second edition)* by Kernighan and Ritchie. Prentice Hall, Inc., 1988. ISBN 0-13-110362-8, 1998.
- `Intel Memory Protection Extensions <http://software.intel.com/en-us/articles/using-intel-mpx-with-the-intel-software-development-emulator>`__.
- `Intel 80386 Programmer's Reference Manual <readings/i386/toc.htm>`__, 1987. Alternatively, in `PDF format <readings/i386.pdf>`__. Much shorter than the full current Intel architecture manuals below, but often sufficient.
- `Intel Architecture Software Developer Manuals <http://www.intel.com/content/www/us/en/processors/architectures-software-developer-manuals.html>`__.

------------
Web security
------------

- `Browser Security Handbook <http://code.google.com/p/browsersec/wiki/Main>`__, Michael Zalewski, Google.
- `Browser attack vectors <http://code.google.com/p/google-caja/wiki/AttackVectors>`__.
- `Google Caja <http://code.google.com/p/google-caja/>`__ (capabilities for Javascript).
- `Google Native Client <http://code.google.com/p/nativeclient/>`__ allows web applications to safely run x86 code in browsers.
- `Myspace.com - Intricate Script Injection Vulnerability <readings/advisory4.5.06.html>`__, Justin Lavoie, 2006.
- `The Security Architecture of the Chromium Browser <readings/chromium.pdf>`__ by Adam Barth, Collin Jackson, Charles Reis, and the Google Chrome Team.
- `Why Phishing Works <readings/why_phishing_works.pdf>`__ by Rachna Dhamija, J. D. Tygar, and Marti Hearst.

-----------
OS security
-----------

- `Secure Programming for Linux and Unix HOWTO <http://www.dwheeler.com/secure-programs/>`__, David Wheeler.
- `setuid demystified <readings/setuid.pdf>`__ by Hao Chen, David Wagner, and Drew Dean.
- `Some thoughts on security after ten years of qmail 1.0 <readings/qmail.pdf>`__ by Daniel J. Bernstein.
- `Wedge: Splitting Applications into Reduced-Privilege Compartments <readings/wedge.pdf>`__ by Andrea Bittau, Petr Marchenko, Mark Handley, and Brad Karp.
- `KeyKOS source code <readings/keykos/>`__.

------------------------
Exploiting hardware bugs
------------------------

- `Bug Attacks <readings/rsa-bug-attacks.pdf>`__ on RSA, by Eli Biham, Yaniv Carmeli, and Adi Shamir.
- `Using Memory Errors to Attack a Virtual Machine <readings/java-memerr.pdf>`__ by Sudhakar Govindavajhala and Andrew Appel.

--------------
Mobile devices
--------------

- `iOS security <readings/ios-security-may12.pdf>`__