[ <a href="#syscall">System Calls</a>
| <a href="#sandbox">Sandbox</a>
| <a href="#ibm-references">References from IBM</a>
| <a href="#phrack">Phrack</a>
]

<ul>
<li><a name="current"><h3>Currently reading</h3>
<ol>
  <li>Detecting intrusions using system calls: Alternative data models<br>C. Warrender, Stephanie Forrest, B. Pearlmutter, IEEE Oakland '99<br><a href="http://citeseer.nj.nec.com/christina99detecting.html">cite</a>, <a href="http://www.cs.unm.edu/~forrest/abstracts.htm#oakland-with-cite">abstract</a><p>
  <li>Synthesizing Fast Intrusion Prevention/Detection Systems from High-Level Specifications<br>R. Sekar, P. Uppuluri, USENIX '99<br><a href="http://citeseer.nj.nec.com/sekar99synthesizing.html">cite</a><p>
  <li>Intrusion Detection Using Variable-Length Audit Trail Patterns<br>Andreas Wespi, Marc Dacier, Hervé Debar, RAID '00<br><a href="http://citeseer.nj.nec.com/context/1896164/0">cite</a>, <a href="http://domino.watson.ibm.com/library/cyberdig.nsf/0/02a4ec9d5b79ae14852567da0034838f?OpenDocument">abstract</a>, <a href="http://www.cs.fit.edu/~pkc/id/related/wespi-raid00.pdf">paper</a><p>
  <li>Intrusion Detection via Static Analysis<br>David Wagner, Drew Dean, IEEE Oakland '01<br><a href="http://citeseer.nj.nec.com/wagner01intrusion.html">cite</a><p>
  <li>Mimicry Attacks on Host-Based Intrusion Detection Systems<br>David Wagner, Paolo Soto, ACM CCS '02<br><a href="http://citeseer.nj.nec.com/wagner02mimicry.html">cite</a><p>
  <li>Mitigating Buffer Overflows By Operating System Randomization<br>Monica Chew, Dawn Song, CMU Technical Report '02<br><a href="http://www.ece.cmu.edu/~dawnsong/papers/syscall-tr.ps">paper</a><p>
  <li><b>Anomaly Detection Using Call Stack Information</b><br>Henry Hanping Feng, Oleg M. Kolesnikov, Prahlad Fogla, Wenke Lee, Weibo Gong, IEEE Oakland '03<br><a href="http://citeseer.nj.nec.com/573548.html">cite</a><!--<br>The call stack of a program execution can be a very good information source for intrusion detection. There is no prior work on dynamically extracting information from call stack and effectively using it to detect exploits. In this paper, we propose a new method to do anomaly detection using call stack information. The basic idea is to extract return addresses from the call stack, and generate abstract execution path between two program execution points. Experiments show that our method can detect some attacks that cannot be detected by other approaches, while its convergence and false positive performance is comparable to or better than the other approaches. We compare our method with other approaches by analyzing their underlying principles and thus achieve a better characterization of their performance, in particular, on what and why attacks will be missed by the various approaches.--><p>
  <li>Cassyopia: Compiler Assisted System Optimization<br>Mohan Rajagopalan, Saumya K. Debray, Matti A. Hiltunen, Richard D. Schlichting, HotOS '03<br><a href="http://www.usenix.org/events/hotos03/tech/rajagopalan.html">abstract</a>, <a href="http://www.usenix.org/events/hotos03/tech/full_papers/rajagopalan/rajagopalan.pdf">paper</a><p>
  <li>Preventing Privilege Escalation<br>Niels Provos, USENIX Security '03<br><a href="http://www.citi.umich.edu/techreports/reports/citi-tr-02-2.pdf">tech.paper</a>, <a href="http://www.usenix.org/publications/library/proceedings/sec03/tech/provos_et_al.html">paper</a>, <a href="http://citeseer.nj.nec.com/539716.html">cite</a><p>
  <hr>
  <li>Detecting Manipulated Remote Call Streams<br>J.T. Gin, S. Jha, B.P. Miller, USENIX Security '02<br><a href="http://www.usenix.org/events/sec02/giffin.html">abstract</a><p>
  <li>A Fast Automaton-Based Method for Detecting Anomalous Program Behaviors<br>R. Sekar, M. Bendre, D. Dhurjati, P. Bollineni, IEEE Oakland '01<br><a href="http://citeseer.nj.nec.com/sekar01fast.html">cite</a><p>
</ol>

<li><a name="syscall"><h3>System calls (Interposition, Interception)</h3>
<ul>
  <li>Automated Detection of Vulnerabilities in Privileged Programs by Execution Monitoring<br>Calvin Ko, George Fink, Karl Levitt<br><p>
  <li>A Sense of Self for Unix Processes<br>Stephanie Forrest, Steven A. Hofmeyr, Anil Somayaji, Thomas A. Longstaff<br><a href="http://citeseer.nj.nec.com/forrest96sense.html">cite</a><p>
  <li>Intrusion Detection Using Sequences of System Calls<br>Steven A. Hofmeyr, Stephanie Forrest, Anil Somayaji<br><a href="http://www.cs.unm.edu/~forrest/abstracts.htm#forrest/int_decssc">abstract</a>, <a href="http://citeseer.nj.nec.com/hofmeyr98intrusion.html">cite</a><p>
  <li>Improving Host Security with System Call Policies<br>Niels Provos, USENIX Security '03<br><a href="http://www.citL:\researchi.umich.edu/u/provos/papers/systrace.pdf">paper</a>, <a href="http://citeseer.nj.nec.com/provos02improving.html">cite</a><p>
  <li>Traps And Pitfalls: Practical Problems in System Call Interposition Based Security Tools<br><a href="http://www.stanford.edu/~talg/">Tal Garfinkel</a><br><a href="http://citeseer.nj.nec.com/garfinkel03traps.html">cite</a>. <a href="http://www.stanford.edu/~talg/papers/traps/abstract.html">paper</a><p>
  <li>Operating system enhancements to prevent the misuse of system calls<br>Massimo Bernaschi, Emanuele Gabrielli, Luigi V. Mancini<br><a href="http://portal.acm.org/citation.cfm?id=352624&jmp=cit&dl=portal&dl=ACM">paper</a><p>
  <li>Remus: a security-enhanced operating system<br>Massimo Bernaschi, Emanuele Gabrielli, Luigi V. Mancini<br><a href="http://portal.acm.org/citation.cfm?id=504911&jmp=references&dl=GUIDE&dl=ACM">tissec</a><p>
</ul>

<hr><li><a name="sandbox"><h3>Sandbox</h3>
<ul>
  <li>A Flexible Containment Mechanism for Executing Untrusted Code<br>David Patterson, Matt Bishop, Raju Pandey<p>
  <h3>Misc</h3><hr>
  <li>Security enhanced mobile agents<br>Vijay Varadharajan, ACM CCS '00<br><a href="http://portal.acm.org/citation.cfm?id=352600.352632&dl=portal&dl=ACM&type=series&idx=SERIES320&part=Proceedings&WantType=Proceedings&title=Conference%20on%20Computer%20and%20Communications%20Security">paper</a><p>
  <li>LOMAC: MAC You Can Live With<br>Timothy Fraser, Freenix '01<br><a href="http://www.usenix.org/events/usenix01/freenix01/fraser.html">paper</a><p>
  <li>Managing access control policies using access control spaces<br>Trent Jaeger, Antony Edwards, Xiaolan Zhang, ACM SACMAT '02<br><a href="http://portal.acm.org/citation.cfm?id=507713&jmp=abstract&dl=GUIDE&dl=ACM">paper</a><p>
  <li>Linux Security Modules: General Security Support for the Linux Kernel<br>Chris Wright, Crispin Cowan, James Morris, USENIX Security '02<br><a href="http://citeseer.nj.nec.com/wright02linux.html">cite</a><p>
  <li>Specification-based anomaly detection: a new approach for detecting network intrusions<br>R. Sekar, A. Gupta, J. Frullo, ACM CCS '02<br><a href="http://portal.acm.org/citation.cfm?id=586110.586146&dl=portal&dl=ACM&type=series&idx=SERIES320&part=Proceedings&WantType=Proceedings&title=Conference%20on%20Computer%20and%20Communications%20Security">paper</a><p>
  <li>Model-Carrying Code: A Practical Approach for Safe Execution of Untrusted Applications<br> R. Sekar, V.N. Venkatakrishnan, Samik Basu, Sandeep Bhatkar, Daniel C. DuVarney, ACM SOSP '03<br><a href="http://www.cs.rochester.edu/sosp2003/papers/p214-sekar.pdf">paper</a><p>
  <li>Terra: A Virtual-Machine Based Platform for Trusted Computing<br>Tal Garfinkel, Ben Pfaff, Jim Chow, Mendel Rosenblum, Dan Boneh, ACM SOSP '03<br><a href="http://www.cs.rochester.edu/sosp2003/papers/p199-garfinkel.pdf">paper</a><p>
</ul>

<hr><li><a name="ibm-references"><h3>References from IBM</h3>
<ul>
  <li>Access Rights Analysis for Java<br>Koved, Pistoia, Kershenbaum<br><a href="http://pag.lcs.mit.edu/reading-group/koved02access.pdf">paper</a><p>
  <li>Practical Extraction Techniques for Java<br><a href="http://www.research.ibm.com/people/t/tip/abstracts/jax-toplas.html">abstract</a>, <a href="http://portal.acm.org/citation.cfm?id=586088.586090&dl=GUIDE&dl=ACM&idx=J783&part=periodical&WantType=periodical&title=ACM%20Transactions%20on%20Programming%20Languages%20and%20Systems%20(TOPLAS)">paper</a><p>
  <li>Meta-level Compilation<br><a href="http://www.stanford.edu/~engler/">Dawson Engler</a><br><a href="http://metacomp.stanford.edu/">MC group</a><p>
  <li>MOPS Project<br><a href="http://www.cs.berkeley.edu/~daw/">David Wagner</a><p>
  <li>CCured Project<br><a href="http://www.cs.berkeley.edu/~necula/">George Necula</a><p>
  <li>BlueBoX: A Policy-driven, Host-Based Intrusion Detection system<br>Suresh N. Chari, Pau-Chen Cheng<br><a href="http://www.seclib.com/seclib/ids.general/chari.pdf">paper</a>, <a href="http://portal.acm.org/citation.cfm?id=762476.762477&dl=GUIDE&dl=ACM&idx=J789&part=periodical&WantType=periodical&title=ACM%20Transactions%20on%20Information%20and%20System%20Security%20(TISSEC)">tissec</a><p>
  <li>Using Registers to Optimize Cross-Domain Call Performance<br>Paul A. Karger<p>
  <li>Limiting the Damage Potential of Discretionary Trojan Horses<br>Paul A. Karger<p>
</ul>

<hr><li><a name="phrack"><h3>Phrack</h3>
<ul><li><a href="http://www.phrack.org/show.php?p=49&a=14">49, 14</a> Smashing The Stack For Fun And Profit<p>
<li><a href="http://www.phrack.org/show.php?p=55&a=8">55, 8</a> Frame Pointer Overwriting<p>
<li><a href="http://www.phrack.org/show.php?p=56&a=5">56, 5</a> Bypassing StackGuard and StackShield<p>
<li><a href="http://www.phrack.org/show.php?p=56&a=7">56, 7</a> Shared Library Call Redirection via ELF PLT Infection<p>
<li><a href="http://www.phrack.org/show.php?p=56&a=8">56. 8</a> Smashing C++ VPTRs<p>
<li><a href="http://www.phrack.org/show.php?p=58&a=4">58, 4</a> Advanced return-into-lib(c) exploits (PaX case study)<p>
<li><a href="http://www.phrack.org/show.php?p=59&a=7">59, 7</a> Advances in format string exploitation<p>
<li><a href="http://www.phrack.org/show.php?p=59&a=9">59, 9</a> Bypassing PaX ASLR protection<p>
<li><a href="http://www.phrack.org/show.php?p=60&a=6">60, 6</a> Smashing The Kernel Stack For Fun And Profit<p>
</ul>

<hr><li><a name="misc"><h3>Newsgroups/Forums</h3>
<ul>
  <li>Stanford University<br><a href="http://forum.stanford.edu/events/security-workshop-03.html">Security Workshop</a><p>
</ul>
</ul>
<!-- 
vim:tw=0:syntax=html:
  <li>xxx<br>xxx<br><a href="xxx">xxx</a><p>
-->