A call to action look beyond the horizon

Today's attacks exploit code-level flaws such as buffer overruns and type-invalid input. Now we should turn to tomorrow's attacks, and think beyond buffer overruns, code levels, and the horizon. This article is a call to arms to the research community to look toward the future.

[1]  J. Meseguer,et al.  Security Policies and Security Models , 1982, 1982 IEEE Symposium on Security and Privacy.

[2]  Ken Frazer,et al.  Building secure software: how to avoid security problems the right way , 2002, SOEN.

[3]  Yang Meng Tan,et al.  LCLint: a tool for using specifications to check code , 1994, SIGSOFT '94.

[4]  Gary McGraw,et al.  From the Ground Up: The DIMACS Software Security Workshop , 2003, IEEE Secur. Priv..

[5]  Barton P. Miller,et al.  An empirical study of the reliability of UNIX utilities , 1990, Commun. ACM.

[6]  Gary McGraw,et al.  ITS4: a static vulnerability scanner for C and C++ code , 2000, Proceedings 16th Annual Computer Security Applications Conference (ACSAC'00).

[7]  Dawson R. Engler,et al.  Using programmer-written compiler extensions to catch security holes , 2002, Proceedings 2002 IEEE Symposium on Security and Privacy.

[8]  Gary McGraw,et al.  Attacking Malicious Code: A Report to the Infosec Research Council , 2000, IEEE Software.

[9]  Gary McGraw,et al.  Statically Scanning Java Code: Finding Security Vulnerabilities , 2000, IEEE Software.

[10]  David Evans,et al.  Statically Detecting Likely Buffer Overflow Vulnerabilities , 2001, USENIX Security Symposium.

[11]  Morrie Gasser,et al.  Building a Secure Computer System , 1988 .

[12]  Sacha Brostoff,et al.  Transforming the ‘Weakest Link’ — a Human/Computer Interaction Approach to Usable and Effective Security , 2001 .

[13]  Paul Dourish,et al.  Unpacking "privacy" for a networked world , 2003, CHI '03.

[14]  Crispan Cowan,et al.  StackGuard: Automatic Adaptive Detection and Prevention of Buffer-Overflow Attacks , 1998, USENIX Security Symposium.

[15]  Jerome H. Saltzer,et al.  The protection of information in computer systems , 1975, Proc. IEEE.

[16]  William A. Arbaugh,et al.  IEEE 52 Computer , 1985 .

[17]  Paul Jones,et al.  Secrets and Lies: Digital Security in a Networked World , 2002 .

[18]  Benedict G. E. Wiedemann Protection? , 1998, Science.

[19]  Matt Bishop,et al.  Checking for Race Conditions in File Accesses , 1996, Comput. Syst..

[20]  Andrew C. Myers,et al.  Language-based information-flow security , 2003, IEEE J. Sel. Areas Commun..

[21]  FrazerKen Building secure software , 2002 .

[22]  Dan S. Wallach,et al.  Java security: from HotJava to Netscape and beyond , 1996, Proceedings 1996 IEEE Symposium on Security and Privacy.

[23]  Ross J. Anderson Security engineering - a guide to building dependable distributed systems (2. ed.) , 2001 .

[24]  Barton P. Miller,et al.  Fuzz Revisited: A Re-examination of the Reliability of UNIX Utilities and Services , 1995 .

[25]  Dawson R. Engler,et al.  Checking system rules using system-specific, programmer-written compiler extensions , 2000, OSDI.

[26]  William R. Bush,et al.  A static analyzer for finding dynamic programming errors , 2000, Softw. Pract. Exp..

[27]  Gary McGraw,et al.  Securing Java: getting down to business with mobile code , 1999 .

[28]  Gary McGraw,et al.  An automated approach for identifying potential vulnerabilities in software , 1998, Proceedings. 1998 IEEE Symposium on Security and Privacy (Cat. No.98CB36186).