diff options
author | Eduardo Julian | 2022-02-18 17:37:21 -0400 |
---|---|---|
committer | Eduardo Julian | 2022-02-18 17:37:21 -0400 |
commit | e3986e8a7b9a997441477cdb333d3a8537dc49fb (patch) | |
tree | ad3823d894f75dfbda2140242902239ade8775dd /documentation/bookmark/security | |
parent | 99361f07e4dd5724611e13a91ba8f14f039cdf0c (diff) |
Yet more fixes for JVM interop.
Diffstat (limited to '')
-rw-r--r-- | documentation/bookmark/security.md | 145 |
1 files changed, 73 insertions, 72 deletions
diff --git a/documentation/bookmark/security.md b/documentation/bookmark/security.md index 7cfd9bc2a..619a182d7 100644 --- a/documentation/bookmark/security.md +++ b/documentation/bookmark/security.md @@ -1,131 +1,132 @@ # Anti-Debugging -1. [JavaScript AntiDebugging Tricks](https://x-c3ll.github.io/posts/javascript-antidebugging/) +0. [JavaScript AntiDebugging Tricks](https://x-c3ll.github.io/posts/javascript-antidebugging/) # Supply chain -1. [chainguard](https://chainguard.dev/) +0. [chainguard](https://chainguard.dev/) # Restraint | Sand-boxing -1. [JavaScript Restrictor](https://polcak.github.io/jsrestrictor/) +0. [JavaScript Restrictor](https://polcak.github.io/jsrestrictor/) # Memory -1. [Provably Safe Pointers for a Parallel World](https://www.youtube.com/watch?v=ugf58HNd7Rg) +0. [Provably Safe Pointers for a Parallel World](https://www.youtube.com/watch?v=ugf58HNd7Rg) # User/human-level -1. [Securing your development environment](https://stsewd.dev/posts/securing-your-dev-environment/) -1. [Security Checklist: Tools and resources designed to improve your online privacy, safety, and security.](https://brianlovin.com/security) +0. [Securing your development environment](https://stsewd.dev/posts/securing-your-dev-environment/) +0. [Security Checklist: Tools and resources designed to improve your online privacy, safety, and security.](https://brianlovin.com/security) # Secrets | Confidentiality -1. [ConfLLVM: A Compiler for Enforcing Data Confidentiality in Low-level Code](https://www.microsoft.com/en-us/research/publication/an-instrumenting-compiler-for-enforcing-confidentiality-in-low-level-code/) -1. [How to Handle Secrets on the Command Line](https://smallstep.com/blog/command-line-secrets/) +0. [ConfLLVM: A Compiler for Enforcing Data Confidentiality in Low-level Code](https://www.microsoft.com/en-us/research/publication/an-instrumenting-compiler-for-enforcing-confidentiality-in-low-level-code/) +0. [How to Handle Secrets on the Command Line](https://smallstep.com/blog/command-line-secrets/) # Capability -1. [A Comparison of the Capability Systems of Encore, Pony and Rust](https://uu.diva-portal.org/smash/get/diva2:1363822/FULLTEXT01.pdf) +0. [A Comparison of the Capability Systems of Encore, Pony and Rust](https://uu.diva-portal.org/smash/get/diva2:1363822/FULLTEXT01.pdf) # Homomorphic encryption -1. https://github.com/Microsoft/SEAL +0. https://github.com/Microsoft/SEAL # Privacy -1. [Programming Differential Privacy](https://uvm-plaid.github.io/programming-dp/intro.html) -1. https://privacypatterns.org/ +0. [Programming Differential Privacy](https://uvm-plaid.github.io/programming-dp/intro.html) +0. https://privacypatterns.org/ # Inspiration -1. [Kasm: Desktop and Browser Isolation Platform](https://www.kasmweb.com/) -1. https://www.mailvelope.com +0. [Kasm: Desktop and Browser Isolation Platform](https://www.kasmweb.com/) +0. https://www.mailvelope.com # Finger-printing -1. [How Browser Fingerprinting Works](https://kevq.uk/how-browser-fingerprinting-works/) -1. https://github.com/Valve/fingerprintjs2 +0. [How Browser Fingerprinting Works](https://kevq.uk/how-browser-fingerprinting-works/) +0. https://github.com/Valve/fingerprintjs2 # Access Control List -1. [Capirca: Multi-platform ACL generation system](https://github.com/google/capirca) +0. [Capirca: Multi-platform ACL generation system](https://github.com/google/capirca) # Return-oriented programming -1. https://github.com/immunant/selfrando +0. https://github.com/immunant/selfrando # Static analysis -1. [Cam Tenny - Beyond the Paper - End-to-End Program Analysis](https://www.youtube.com/watch?v=hmDz0Rv6hKI) -1. https://www.curry-on.org/2019/sessions/beyond-the-paper-end-to-end-program-analysis.html +0. [Cam Tenny - Beyond the Paper - End-to-End Program Analysis](https://www.youtube.com/watch?v=hmDz0Rv6hKI) +0. https://www.curry-on.org/2019/sessions/beyond-the-paper-end-to-end-program-analysis.html # Programming language -1. [Secure Compilation](https://blog.sigplan.org/2019/07/01/secure-compilation/) +0. [Secure Compilation](https://blog.sigplan.org/2019/07/01/secure-compilation/) # Cautionary tale -1. [Thou Shalt Not Depend on Me: A look at JavaScript libraries in the wild](https://queue.acm.org/detail.cfm?id=3205288) -1. https://medium.com/@nodepractices/were-under-attack-23-node-js-security-best-practices-e33c146cb87d +0. [Thou Shalt Not Depend on Me: A look at JavaScript libraries in the wild](https://queue.acm.org/detail.cfm?id=3205288) +0. https://medium.com/@nodepractices/were-under-attack-23-node-js-security-best-practices-e33c146cb87d # Surface area -1. [Towards Automated Application-Specific Software Stacks](https://arxiv.org/pdf/1907.01933.pdf) +0. [Towards Automated Application-Specific Software Stacks](https://arxiv.org/pdf/1907.01933.pdf) # Vulnerability -1. [SAML is insecure by design](https://joonas.fi/2021/08/saml-is-insecure-by-design/) -1. [Against Cipher Agility in Cryptography Protocols](https://paragonie.com/blog/2019/10/against-agility-in-cryptography-protocols) -1. [Padding the struct: How a compiler optimization can disclose stack memory](https://www.nccgroup.trust/us/about-us/newsroom-and-events/blog/2019/october/padding-the-struct-how-a-compiler-optimization-can-disclose-stack-memory/) -1. [PCG generators are easily “crackable”](https://news.ycombinator.com/item?id=21475210) -1. [Safely Creating And Using Temporary Files](https://www.netmeister.org/blog/mktemp.html) -1. [CSS Injection Primitives](https://x-c3ll.github.io/posts/CSS-Injection-Primitives/) -1. https://medium.com/@shnatsel/how-rusts-standard-library-was-vulnerable-for-years-and-nobody-noticed-aebf0503c3d6 -1. [ACLs don’t](http://citeseerx.ist.psu.edu/viewdoc/download?doi=10.1.1.406.4684&rep=rep1&type=pdf) -1. https://www.cs.auckland.ac.nz/~pgut001/pubs/book.pdf -1. https://pwnedkeys.com/ -1. [What Spectre Means for Lanugage Implementers - Ben Titzer - PLISS 2019](https://www.youtube.com/watch?v=FGX-KD5Nh2g) -1. https://rambleed.com/ -1. https://browserleaks.com/ +0. [SAML is insecure by design](https://joonas.fi/2021/08/saml-is-insecure-by-design/) +0. [Against Cipher Agility in Cryptography Protocols](https://paragonie.com/blog/2019/10/against-agility-in-cryptography-protocols) +0. [Padding the struct: How a compiler optimization can disclose stack memory](https://www.nccgroup.trust/us/about-us/newsroom-and-events/blog/2019/october/padding-the-struct-how-a-compiler-optimization-can-disclose-stack-memory/) +0. [PCG generators are easily “crackable”](https://news.ycombinator.com/item?id=21475210) +0. [Safely Creating And Using Temporary Files](https://www.netmeister.org/blog/mktemp.html) +0. [CSS Injection Primitives](https://x-c3ll.github.io/posts/CSS-Injection-Primitives/) +0. https://medium.com/@shnatsel/how-rusts-standard-library-was-vulnerable-for-years-and-nobody-noticed-aebf0503c3d6 +0. [ACLs don’t](http://citeseerx.ist.psu.edu/viewdoc/download?doi=10.1.1.406.4684&rep=rep1&type=pdf) +0. https://www.cs.auckland.ac.nz/~pgut001/pubs/book.pdf +0. https://pwnedkeys.com/ +0. [What Spectre Means for Lanugage Implementers - Ben Titzer - PLISS 2019](https://www.youtube.com/watch?v=FGX-KD5Nh2g) +0. https://rambleed.com/ +0. https://browserleaks.com/ # Reference -1. [Secure By Design](https://www.amazon.com/Secure-Design-Daniel-Deogun/dp/1617294357) -1. [Intro to Just-In-Time Access](https://compliance.dev/2021/04/29/introduction-to-just-in-time-access/) -1. https://www.nomoreransom.org/en/index.html -1. [Open Source Security Foundation (OpenSSF)](https://openssf.org/) -1. [Don't get pwned: practicing the principle of least privilege](https://cloud.google.com/blog/products/identity-security/dont-get-pwned-practicing-the-principle-of-least-privilege) -1. [Good Practices for Capability URLs](https://www.w3.org/TR/capability-urls/) -1. [Secure Socket API](https://securesocketapi.org/) -1. [Mind your Language(s): A discussion about languages and security](https://www.ssi.gouv.fr/uploads/IMG/pdf/Mind_Your_Languages_-_version_longue.pdf) -1. https://www.microsoft.com/en-us/research/blog/scaling-the-everest-of-software-security-with-dr-jonathan-protzenko/ -1. https://www.owasp.org/index.php/Main_Page -1. https://www.owasp.org/index.php/Category:OWASP_Top_Ten_Project -1. https://wiki.sei.cmu.edu/confluence/display/seccode/Top+10+Secure+Coding+Practices -1. https://www.archive.ece.cmu.edu/~grey/ -1. http://www.cs.umd.edu/projects/PL/selinks/ -1. http://www.cis.upenn.edu/~stevez/sol/related.html -1. https://www.bsimm.com/ -1. https://www.microsoft.com/en-us/securityengineering/sdl/ -1. https://www.engineeringtrustworthysystems.com/ -1. http://www.ats-lang.org/ -1. http://www.cis.upenn.edu/~stevez/papers/publications.html -1. http://collingreene.com/6_buckets_of_prodsec.html -1. [On Post-Compromise Security](https://eprint.iacr.org/2016/221.pdf) -1. https://messaginglayersecurity.rocks/ -1. https://github.blog/2019-05-23-introducing-new-ways-to-keep-your-code-secure/ -1. [RustBelt](https://plv.mpi-sws.org/rustbelt/popl18/) -1. https://github.com/dckc/awesome-ocap -1. https://projects.csail.mit.edu/jeeves/ -1. https://www.sans.org/top25-software-errors/ -1. https://www.owasp.org/index.php/Top_10_2013-Top_10 -1. https://nvd.nist.gov/cwe.cfm -1. https://en.wikipedia.org/wiki/Software_Development_Security -1. http://gigi.nullneuron.net/gigilabs/the-sorry-state-of-the-web-in-2016/ -1. http://www.ranum.com/security/computer_security/editorials/dumb/index.html -1. [Information Technology — Programming languages — Guidance to avoiding vulnerabilities in programming languages](http://www.open-std.org/jtc1/sc22/wg23/docs/ISO-IECJTC1-SC22-WG23_N0751-tr24772-1-after-pre-meeting-51-webex-20171016.pdf) +0. [CS 253 Web Security](https://web.stanford.edu/class/cs253/) +0. [Secure By Design](https://www.amazon.com/Secure-Design-Daniel-Deogun/dp/1617294357) +0. [Intro to Just-In-Time Access](https://compliance.dev/2021/04/29/introduction-to-just-in-time-access/) +0. https://www.nomoreransom.org/en/index.html +0. [Open Source Security Foundation (OpenSSF)](https://openssf.org/) +0. [Don't get pwned: practicing the principle of least privilege](https://cloud.google.com/blog/products/identity-security/dont-get-pwned-practicing-the-principle-of-least-privilege) +0. [Good Practices for Capability URLs](https://www.w3.org/TR/capability-urls/) +0. [Secure Socket API](https://securesocketapi.org/) +0. [Mind your Language(s): A discussion about languages and security](https://www.ssi.gouv.fr/uploads/IMG/pdf/Mind_Your_Languages_-_version_longue.pdf) +0. https://www.microsoft.com/en-us/research/blog/scaling-the-everest-of-software-security-with-dr-jonathan-protzenko/ +0. https://www.owasp.org/index.php/Main_Page +0. https://www.owasp.org/index.php/Category:OWASP_Top_Ten_Project +0. https://wiki.sei.cmu.edu/confluence/display/seccode/Top+10+Secure+Coding+Practices +0. https://www.archive.ece.cmu.edu/~grey/ +0. http://www.cs.umd.edu/projects/PL/selinks/ +0. http://www.cis.upenn.edu/~stevez/sol/related.html +0. https://www.bsimm.com/ +0. https://www.microsoft.com/en-us/securityengineering/sdl/ +0. https://www.engineeringtrustworthysystems.com/ +0. http://www.ats-lang.org/ +0. http://www.cis.upenn.edu/~stevez/papers/publications.html +0. http://collingreene.com/6_buckets_of_prodsec.html +0. [On Post-Compromise Security](https://eprint.iacr.org/2016/221.pdf) +0. https://messaginglayersecurity.rocks/ +0. https://github.blog/2019-05-23-introducing-new-ways-to-keep-your-code-secure/ +0. [RustBelt](https://plv.mpi-sws.org/rustbelt/popl18/) +0. https://github.com/dckc/awesome-ocap +0. https://projects.csail.mit.edu/jeeves/ +0. https://www.sans.org/top25-software-errors/ +0. https://www.owasp.org/index.php/Top_10_2013-Top_10 +0. https://nvd.nist.gov/cwe.cfm +0. https://en.wikipedia.org/wiki/Software_Development_Security +0. http://gigi.nullneuron.net/gigilabs/the-sorry-state-of-the-web-in-2016/ +0. http://www.ranum.com/security/computer_security/editorials/dumb/index.html +0. [Information Technology — Programming languages — Guidance to avoiding vulnerabilities in programming languages](http://www.open-std.org/jtc1/sc22/wg23/docs/ISO-IECJTC1-SC22-WG23_N0751-tr24772-1-after-pre-meeting-51-webex-20171016.pdf) # Control-flow integrity -1. [On the Effectiveness of Type-based Control Flow Integrity](https://sajjadium.github.io/files/acsac2018typecfi_paper.pdf) +0. [On the Effectiveness of Type-based Control Flow Integrity](https://sajjadium.github.io/files/acsac2018typecfi_paper.pdf) |