Setuid Demystified

Access control in Unix systems is mainly based on user IDs, yet the system calls that modify user IDs (uid-setting system calls), such as setuid, are poorly designed, …

More Enforceable Security Policies

We analyze the space of security policies that can be enforced by monitoring programs at runtime. Our program monitors are automata that examine the sequence of program …

PGP Outlook Encryption Plug-in Vulnerability

eEye staffers Marc Maiffret and Riley Hassell, were again busy on finding the bugs, so a new advisory hit the “streets” today. This time, there is a remote …

DSL Security Whitepaper

This contribution provides an overview of some of the security aspects of DSL-based corporate networks. With the expansion of the Internet and the increasing use of Internet …

(more) Advanced SQL Injection

This paper addresses the subject of SQL Injection in a Microsoft SQL Server/IIS/Active Server Pages environment, but most of the techniques discussed have equivalents in other …