coursera上的软件安全课程的课后阅读补充
在coursera选修了一门软件安全的课程。下面是教授列出来的阅读:
Week 1
Readings
Required reading
The only required reading this week is the following:
- Common vulnerabilities guide for C programmers. Take note of the unsafe C library functions listed here, and how they are the source of buffer overflow vulnerabilities. This list will be relevant for the project and this week's quiz.
- (Reference) Memory layout. Explains a C program's memory layout, replicating the discussion in the second lecture.
Supplemental readings
The following readings are optional: They are meant to supplement the material you are getting in the videos. Check them out if you are interested in learning more, or if you just want to see it all explained in a different way.
- (Reference/refresher) PC Assembly Language, by Paul Carter. This free book introduces x86 assembly, and should complement ideas seen in the lectures.
- Smashing the Stack for Fun and Profit - original article on the topic by Aleph One, in 1996
- Exploiting Format String Vulnerabilities - report describing these format string attacks when they were first recognized
- Basic Integer Overflows - discussion of how overflowing integers can be a vector of attack
WEEK2
Required Readings
The following two blog posts cover the topics of memory safety and type safety in somewhat greater depth
- What is memory safety?
- What is type safety?
Supplemental readings and links
The following readings are optional: Check them out if you are interested in learning more about material we've covered in lecture (many were explicitly linked in the lecture slides).
Attacks and modern defenses, generally
- On the effectiveness of Address Space Randomization, by Shacham, Page, Pfaff, Goh, Modadugu, and Boneh - showed how ASLR implementations on 32-bit systems can be defeated relatively easily
- Smashing the Stack in 2011 - Paul Makowski revisits the 1996 Aleph One article (on the supplemental reading list from last week), considering modern defenses
- Low-level software security by example, by Erlingsson, Younan, Piessens, describes several low-level attacks and modern defenses.
Return-oriented Programming (ROP)
- Geometry of Innocent Flesh on the Bone: Return to libc without Function Calls (on the x86), by Hovav Shacham - introduced the idea, and the term, return oriented programming
- Q: Exploit Hardening Made Easy, by Schwartz, Avgerinos, and Brumley - explains how to automatically generate ROP exploits
- Blind ROP - return-oriented programming without source code, automatically
Control-flow integrity (CFI)
- Control Flow Integrity, by Abadi, Budiu, Erlingsson, and Ligatti - paper that introduced CFI
- Enforcing Forward-Edge Control Flow Integrity, by Tice, Roeder, Collingbourne, Checkoway, Erlingsson, Lozano, and Pike, describing a partial CFI implementation now available in LLVM and gcc
- MoCFI, by Niu and Tan - modular CFI that has low overhead
- See also the paper Low-level software security by example, above
Secure coding
These are a few references linked in the lecture slides. We will cover secure coding and design in more depth during week 4.
- CERT C coding standard
- Secure Programming HOWTO by David Wheeler
- Robust Programming by Matt Bishop
- DieHard project - drop-in replacement for
malloc
that uses randomization to defend against heap-based exploits
coursera上的软件安全课程的课后阅读补充的更多相关文章
- Andrew Ng在coursera上的ML课程_知识点笔记_(1)
1.Feature Scaling(特征缩放): 如上图所示,x1是房屋面积,x2是房间个数,若不进行特征缩放,则代价函数J的曲线近似为一个瘦长的椭圆(我暂时这么理解,θ1和θ2分别是x1和x2的权值 ...
- 关于Coursera上的斯坦福机器学习课程的编程作业提交问题
学习Coursera上的斯坦福机器学习课程的时候,需要向其服务器提交编程作业,我遇到如下问题: 'Submission failed: unexpected error: urlread: Peer ...
- 对于coursera上三门北大网课的评测
今年暑假开始就选了coursera上三门北大的网课——C++程序设计.算法基础.数据结构基础,它们属于一个项目的,上的话每个月249块钱,项目里包括这三门一共有七门课.因为一开始是三门课同时上的,数据 ...
- Coursera台大机器学习课程笔记5 -- Theory of Generalization
本章思路: 根据之前的总结,如果M很大,那么无论假设泛化能力差的概率多小,都无法忽略,所以问题转化为证明M不大,然后上章将其转化为证明成长函数:mh(N)为多项式级别.直接证明似乎很困难,本章继续利用 ...
- Coursera上的machine learning学完啦
Coursera上的第一门公开课最终要结束啦-- 全部的代码http://download.csdn.net/detail/abcd1992719g/7306053 老师的Octave代码很赞.框架打 ...
- 范仁义html+css课程---11、html补充知识
范仁义html+css课程---11.html补充知识 一.总结 一句话总结: 小于号(<):< 大于号(>):> 空格: 二.html 字符实体 1.小于号(<)和大 ...
- 一些我推荐的和想上的网络课程(Coursera, edX, Udacity)
从面向找工作的角度出发,我觉得以下课程有很大帮助: 首推Robert Sedgewick,也是我觉得对我帮助最大的老师,讲课特点是能把复杂的算法讲解清楚(典型例子:红黑树,KMP算法) 他在Cours ...
- 在coursera上有哪些值得推荐的课程
来自知乎 https://www.zhihu.com/question/22436320/answer/224996328
- 无责任共享 Coursera、Udacity 等课程视频
本文转载自网络,原作者不详. (本文是用 markdown 写的,访问 https://www.zybuluo.com/illuz/note/71868 获得更佳体验) 程序语言 interactiv ...
随机推荐
- cf435C Cardiogram
C. Cardiogram time limit per test 1 second memory limit per test 256 megabytes input standard input ...
- lua面向对象封装及元表(metatable)性能测试
Lua本身是没有面向对象支持的,但面向对象编程在逻辑复杂的大型工程却很有用.于是很多人用Lua本身的数据结构table来模拟面向对象.最简单的一种方法是把对象的方法.成员都放到table中.如: -- ...
- 一、spark 数据类型(Data Types)
Data Types - MLlib(数据类型) MLlib支持存储在单机上的局部向量和局部矩阵,也可以支持通过一个或多个RDD(可伸缩数据集)表示的分布式矩阵.局部向量和局部矩阵是用作公 ...
- 替换IMG
<?php $str = '<img src="http://img01.feiniu.com/images/show/detail/image/20141031/9b3bbc3 ...
- [置顶] Extjs4 异步刷新书的情况下 保持树的展开状态
前言:首先我觉得搞IT不管你是菜鸟还是特种兵,最重要的品质就是分享知识,因为可能在你这,这点知识不算什么,可是对于像我这样的菜鸟来说,无疑就可能会从中得到一点启发,甚至更大!此段代码,是我在某个网站上 ...
- 手势触摸定位(UIPanGestureRecognizer)
/** 1.相对于父坐标系而言,表示当前触摸点所在的位置 */ CGPoint locationPoint = [panGestureRecognizer locationInView:panGest ...
- WinXP 无线提示“区域中找不到无线网络”的一种可能原因!
貌似WinXP还是无限经典,我也一直还在用,不知道哪天才会放弃.这次遇见的问题,或许也有XP爱好者也遇得见,记下点文字备忘.----------------------- 单调的切割线 ------- ...
- openflow tutorial 开始openflow的学习(一)
首先不废话介绍openflow了,自己也还搞不清楚究竟是个什么玩意儿,概括不出什么内容来,先做试验,有个大体的感性了解回来再总结吧. 第一步,搭建环境,这一步就是安装工具,不同的系统环境搭建不一致,我 ...
- JSTL配合正则表达式在JSP中的应用
<%@ page language="java" import="java.util.*,cn.com.Person" pageEncoding=&quo ...
- ExtJS4.2学习(11)——高级组件之Grid
大纲: 1.首先,搭建起来一个最基础的Grid组件: 2.其次,利用前边MVC架构将代码重构: 3.再者,介绍下Grid的一些特性. 一.搭建基础的Grid组件 在文章的开始,我们首先简单的搭建一个G ...