Thread by Nick Sullivan, 16 tweets
Thread.

I was recently privy to a conversation in which some really smart people in security shared their favorite papers or articles. Security engineering, like other disciplines, has a rich history worth learning from.

I'm going to list some of these papers in this thread.
New Directions in Cryptography - Whitfield Diffie and Martin Hellman (1976)

It's hard to emphasize just how revolutionary the concept of public key cryptography is. This paper started it all, introducing D-H key agreement and digital signatures.

ee.stanford.edu/~hellman/publi…

Reflections on Trusting Trust - Ken Thompson (1984)

This paper succinctly describes the concept that it's not enough to trust software; you also need to trust the software that compiles the software, and the software that compiles the compiler, and so on.

archive.ece.cmu.edu/~ganger/712.fa…

Lest We Remember: Cold Boot Attacks on Encryption Keys - J. Alex Halderman et al. (2008)

Another security paper that explores the reasons why good encryption software can be insufficient in the face of physical attacks.

jhalderm.com/pub/papers/col…

Improving SSL Warnings: Comprehension and Adherence - Adrienne Porter Felt et al. (2015)

A data-driven study of how well/poorly user interfaces express security features to users in web browsers.

dl.acm.org/citation.cfm?i…

This World of Ours - James Mickens (2014)

A comedic article that helps emphasize the difference between targeted attacks by well-resourced adversaries and the more pedestrian threats faced by the general populace.

usenix.org/system/files/1…

Return-Oriented Programming - Solar Designer (1997)

A new attack methodology that revolutionized offensive security.

seclists.org/bugtraq/1997/A…

Format String Attacks - Tim Newsham (2000)

Still one of the most pervasive security issues, format string vulnerabilities demonstrate the dangers of mixing abstractions.

forum.ouah.org/FormatString.P…

Ceremony Design and Analysis - Carl Ellison (2007)

This paper introduces the idea of a ceremony as a generalization of a security protocol, formalizing the often overlooked human element.

eprint.iacr.org/2007/399.pdf

Programming Satan’s Computer - Ross Anderson and Roger Needham (1995)

An exploration of the adversarial models needed to build secure software.

cl.cam.ac.uk/~rja14/Papers/…

Survivable Key Compromise in Software Update Systems - Justin Samuel, Nick Mathewson, Justin Cappos, Roger Dingledine (2010)

This paper introduces The Update Framework (TUF) for secure software updates.

justinsamuel.com/papers/surviva…

Validation of Elliptic Curve Public Keys - Adrian Antipa et al. (2003)

The first of many papers exploring some of the subtle risks of elliptic curve cryptography.

iacr.org/archive/pkc200…

Some thoughts on security after ten years of qmail 1.0 - Daniel J. Bernstein (2007)

A retrospective of a popular mail transfer agent by the author with best practices learned.

cr.yp.to/qmail/qmailsec…

Straight Talk: New Yorkers on Mobile Messaging and Implications for Privacy - Ame Elliott, Sara Brody (2016)

A revealing field study about security, privacy and surveillance.

simplysecure.org/resources/tech…

Singularity - Microsoft Research (2003)

A series of works derived from the Midori advanced development OS project.

microsoft.com/en-us/research…

That's it for now. This is not a comprehensive reading list, but hopefully anyone working or studying security engineering can find something useful.