Books & Videos

Table of Contents

  1. Chapter 1 Safe Initialization

    1. Sanitizing the Environment

    2. Restricting Privileges on Windows

    3. Dropping Privileges in setuid Programs

    4. Limiting Risk with Privilege Separation

    5. Managing File Descriptors Safely

    6. Creating a Child Process Securely

    7. Executing External Programs Securely

    8. Executing External Programs Securely

    9. Disabling Memory Dumps in the Event of a Crash

  2. Chapter 2 Access Control

    1. Understanding the Unix Access Control Model

    2. Understanding the Windows Access Control Model

    3. Determining Whether a User Has Access to a File on Unix

    4. Determining Whether a Directory Is Secure

    5. Erasing Files Securely

    6. Accessing File Information Securely

    7. Restricting Access Permissions for New Files on Unix

    8. Locking Files

    9. Synchronizing Resource Access Across Processes on Unix

    10. Synchronizing Resource Access Across Processes on Windows

    11. Creating Files for Temporary Use

    12. Restricting Filesystem Access on Unix

    13. Restricting Filesystem and Network Access on FreeBSD

  3. Chapter 3 Input Validation

    1. Understanding Basic Data Validation Techniques

    2. Preventing Attacks on Formatting Functions

    3. Preventing Buffer Overflows

    4. Using the SafeStr Library

    5. Preventing Integer Coercion and Wrap-Around Problems

    6. Using Environment Variables Securely

    7. Validating Filenames and Paths

    8. Evaluating URL Encodings

    9. Validating Email Addresses

    10. Preventing Cross-Site Scripting

    11. Preventing SQL Injection Attacks

    12. Detecting Illegal UTF-8 Characters

    13. Preventing File Descriptor Overflows When Using select( )

  4. Chapter 4 Symmetric Cryptography Fundamentals

    1. Representing Keys for Use in Cryptographic Algorithms

    2. Generating Random Symmetric Keys

    3. Representing Binary Keys (or Other Raw Data) as Hexadecimal

    4. Turning ASCII Hex Keys (or Other ASCII Hex Data) into Binary

    5. Performing Base64 Encoding

    6. Performing Base64 Decoding

    7. Representing Keys (or Other Binary Data) as English Text

    8. Converting Text Keys to Binary Keys

    9. Using Salts, Nonces, and Initialization Vectors

    10. Deriving Symmetric Keys from a Password

    11. Algorithmically Generating Symmetric Keys from One Base Secret

    12. Encrypting in a Single Reduced Character Set

    13. Managing Key Material Securely

    14. Timing Cryptographic Primitives

  5. Chapter 5 Symmetric Encryption

    1. Deciding Whether to Use Multiple Encryption Algorithms

    2. Figuring Out Which Encryption Algorithm Is Best

    3. Selecting an Appropriate Key Length

    4. Selecting a Cipher Mode

    5. Using a Raw Block Cipher

    6. Using a Generic CBC Mode Implementation

    7. Using a Generic CFB Mode Implementation

    8. Using a Generic OFB Mode Implementation

    9. Using a Generic CTR Mode Implementation

    10. Using CWC Mode

    11. Manually Adding and Checking Cipher Padding

    12. Precomputing Keystream in OFB, CTR, CCM, or CWC Modes (or with Stream Ciphers)

    13. Parallelizing Encryption and Decryption in Modes That Allow It (Without Breaking Compatibility)

    14. Parallelizing Encryption and Decryption in Arbitrary Modes (Breaking Compatibility)

    15. Performing File or Disk Encryption

    16. Using a High-Level, Error-Resistant Encryption and Decryption API

    17. Performing Block Cipher Setup (for CBC, CFB, OFB, and ECB Modes) in OpenSSL

    18. Using Variable Key-Length Ciphers in OpenSSL

    19. Disabling Cipher Padding in OpenSSL in CBC Mode

    20. Performing Additional Cipher Setup in OpenSSL

    21. Querying Cipher Configuration Properties in OpenSSL

    22. Performing Low-Level Encryption and Decryption with OpenSSL

    23. Setting Up and Using RC4

    24. Using One-Time Pads

    25. Using Symmetric Encryption with Microsoft's CryptoAPI

    26. Creating a CryptoAPI Key Object from Raw Key Data

    27. Extracting Raw Key Data from a CryptoAPI Key Object

  6. Chapter 6 Hashes and Message Authentication

    1. Understanding the Basics of Hashes and MACs

    2. Deciding Whether to Support Multiple Message Digests or MACs

    3. Choosing a Cryptographic Hash Algorithm

    4. Choosing a Message Authentication Code

    5. Incrementally Hashing Data

    6. Hashing a Single String

    7. Using a Cryptographic Hash

    8. Using a Nonce to Protect Against Birthday Attacks

    9. Checking Message Integrity

    10. Using HMAC

    11. Using OMAC (a Simple Block Cipher-Based MAC)

    12. Using HMAC or OMAC with a Nonce

    13. Using a MAC That's Reasonably Fast in Software and Hardware

    14. Using a MAC That's Optimized for Software Speed

    15. Constructing a Hash Function from a Block Cipher

    16. Using a Block Cipher to Build a Full-Strength Hash Function

    17. Using Smaller MAC Tags

    18. Making Encryption and Message Integrity Work Together

    19. Making Your Own MAC

    20. Encrypting with a Hash Function

    21. Securely Authenticating a MAC (Thwarting Capture Replay Attacks)

    22. Parallelizing MACs

  7. Chapter 7 Public Key Cryptography

    1. Determining When to Use Public Key Cryptography

    2. Selecting a Public Key Algorithm

    3. Selecting Public Key Sizes

    4. Manipulating Big Numbers

    5. Generating a Prime Number (Testing for Primality)

    6. Generating an RSA Key Pair

    7. Disentangling the Public and Private Keys in OpenSSL

    8. Converting Binary Strings to Integers for Use with RSA

    9. Converting Integers into Binary Strings for Use with RSA

    10. Performing Raw Encryption with an RSA Public Key

    11. Performing Raw Decryption Using an RSA Private Key

    12. Signing Data Using an RSA Private Key

    13. Verifying Signed Data Using an RSA Public Key

    14. Securely Signing and Encrypting with RSA

    15. Using the Digital Signature Algorithm (DSA)

    16. Representing Public Keys and Certificates in Binary (DER Encoding)

    17. Representing Keys and Certificates in Plaintext (PEM Encoding)

  8. Chapter 8 Authentication and Key Exchange

    1. Choosing an Authentication Method

    2. Getting User and Group Information on Unix

    3. Getting User and Group Information on Windows

    4. Restricting Access Based on Hostname or IP Address

    5. Generating Random Passwords and Passphrases

    6. Testing the Strength of Passwords

    7. Prompting for a Password

    8. Throttling Failed Authentication Attempts

    9. Performing Password-Based Authentication with crypt( )

    10. Performing Password-Based Authentication with MD5-MCF

    11. Performing Password-Based Authentication with PBKDF2

    12. Authenticating with PAM

    13. Authenticating with Kerberos

    14. Authenticating with HTTP Cookies

    15. Performing Password-Based Authentication and Key Exchange

    16. Performing Authenticated Key Exchange Using RSA

    17. Using Basic Diffie-Hellman Key Agreement

    18. Using Diffie-Hellman and DSA Together

    19. Minimizing the Window of Vulnerability When Authenticating Without a PKI

    20. Providing Forward Secrecy in a Symmetric System

    21. Ensuring Forward Secrecy in a Public Key System

    22. Confirming Requests via Email

  9. Chapter 9 Networking

    1. Creating an SSL Client

    2. Creating an SSL Server

    3. Using Session Caching to Make SSL Servers More Efficient

    4. Securing Web Communication on Windows Using the WinInet API

    5. Enabling SSL without Modifying Source Code

    6. Using Kerberos Encryption

    7. Performing Interprocess Communication Using Sockets

    8. Performing Authentication with Unix Domain Sockets

    9. Performing Session ID Management

    10. Securing Database Connections

    11. Using a Virtual Private Network to Secure Network Connections

    12. Building an Authenticated Secure Channel Without SSL

  10. Chapter 10 Public Key Infrastructure

    1. Understanding Public Key Infrastructure (PKI)

    2. Obtaining a Certificate

    3. Using Root Certificates

    4. Understanding X.509 Certificate Verification Methodology

    5. Performing X.509 Certificate Verification with OpenSSL

    6. Performing X.509 Certificate Verification with CryptoAPI

    7. Verifying an SSL Peer's Certificate

    8. Adding Hostname Checking to Certificate Verification

    9. Using a Whitelist to Verify Certificates

    10. Obtaining Certificate Revocation Lists with OpenSSL

    11. Obtaining CRLs with CryptoAPI

    12. Checking Revocation Status via OCSP with OpenSSL

  11. Chapter 11 Random Numbers

    1. Determining What Kind of Random Numbers to Use

    2. Using a Generic API for Randomness and Entropy

    3. Using the Standard Unix Randomness Infrastructure

    4. Using the Standard Windows Randomness Infrastructure

    5. Using an Application-Level Generator

    6. Reseeding a Pseudo-Random Number Generator

    7. Using an Entropy Gathering Daemon-Compatible Solution

    8. Getting Entropy or Pseudo-Randomness Using EGADS

    9. Using the OpenSSL Random Number API

    10. Getting Random Integers

    11. Getting a Random Integer in a Range

    12. Getting a Random Floating-Point Value with Uniform Distribution

    13. Getting Floating-Point Values with Nonuniform Distributions

    14. Getting a Random Printable ASCII String

    15. Shuffling Fairly

    16. Compressing Data with Entropy into a Fixed-Size Seed

    17. Getting Entropy at Startup

    18. Statistically Testing Random Numbers

    19. Performing Entropy Estimation and Management

    20. Gathering Entropy from the Keyboard

    21. Gathering Entropy from Mouse Events on Windows

    22. Gathering Entropy from Thread Timings

    23. Gathering Entropy from System State

  12. Chapter 12 Anti-Tampering

    1. Understanding the Problem of Software Protection

    2. Detecting Modification

    3. Obfuscating Code

    4. Performing Bit and Byte Obfuscation

    5. Performing Constant Transforms on Variables

    6. Merging Scalar Variables

    7. Splitting Variables

    8. Disguising Boolean Values

    9. Using Function Pointers

    10. Restructuring Arrays

    11. Hiding Strings

    12. Detecting Debuggers

    13. Detecting Unix Debuggers

    14. Detecting Windows Debuggers

    15. Detecting SoftICE

    16. Countering Disassembly

    17. Using Self-Modifying Code

  13. Chapter 13 Other Topics

    1. Performing Error Handling

    2. Erasing Data from Memory Securely

    3. Preventing Memory from Being Paged to Disk

    4. Using Variable Arguments Properly

    5. Performing Proper Signal Handling

    6. Protecting against Shatter Attacks on Windows

    7. Guarding Against Spawning Too Many Threads

    8. Guarding Against Creating Too Many Network Sockets

    9. Guarding Against Resource Starvation Attacks on Unix

    10. Guarding Against Resource Starvation Attacks on Windows

    11. Following Best Practices for Audit Logging

  1. Colophon