Announcements

Center for Information Protection
UC Davis is planning to join the NSF I/UCRC Center for Information Protection. We are looking for companies to join our Industrial Advisory Board.
Find out more here!

Conferences and Workshops

• CSET ’09 (due 5/15)
• ISGIG 2009 (due 5/22)
• ACSAC 25 (due 6/1)

Scholarships and Such

• I3P Scholar Program (due 5/15)

My Links

• My Home Page
• Books
• Classes
• Papers
• Reports and Notes
• Research
• Security in Programming
• Service
• Students
• Talks
• Miscellaneous
• My Family
• About Me (CV and such)

Other Links

• MyUCDavis
• Computer Security Lab
• Dept. of Computer Science
• College of Engineering
• University of California, Davis
• City of Davis
• County of Yolo
• State of California
• United States of America

This Quarter’s Classes

Office Hours for This Quarter

Contacting Me

Writing Safe Setuid Programs

Writing safe privileged programs (defined as programs that run with extra privileges but do not compromise security) is difficult. Here are some of the papers and talks I’ve given about this.

Talks and Tutorials

• “Adapting Formal Methods for Informal Use”, M. Bishop SANS Network Security 2000, San Diego, CA (Nov. 2000).
  This talks about formal methods and how to apply them in a highly informal way.
• “Writing Safe Secure Programs,” M. Bishop, SANS Network Security 1997, New Orleans, LA (Nov. 1997). [HTML] [PDF] [PS]
  From the New Orleans NS Conference; it is a short (1 hour) talk but hits lots of the highlights.
• “How Attackers Break Programs, and How to Write Programs More Securely”, M. Bishop, SANS 2002, Baltimore, MD (May 2002). [HTML] [PDF] [PS]
  My setuid programming tutorial. I used to give it occasionally at NS and SANS (from where this version came). This is the tutorial book that was handed out at the 2002 SANS. I haven’t given it since.

Papers and Technical Reports

• “Robust Programming,” M. Bishop, handout for ECS 153, Computer Security, Department of Computer Science, University of California at Davis, Davis, CA 95616-8562. [HTML] [PDF] [ Postscript]
• “How to Write a Setuid Program,” M. Bishop, :login; 12(1) (Jan./Feb. 1986), [PDF] [PS]
  My original paper. It still wears pretty well, but is somewhat dated.

As soon as we started programming, we found to our surprise that it wasn’t as easy to get programs right as we had thought. Debugging had to be discovered. I can remember the exact instant when I realized that a large part of my life from then on was going to be spent in finding mistakes in my own programs.
    — Maurice Wilkes, designer of EDSAC, on programming, 1949