[TUHS] Off topic: Books on Unix security?

[TUHS] Off topic: Books on Unix security?

[Aharon Robbins]

Hi All.

In a book I'm updating, I have the following references for
Unix security.

1. Practical UNIX & Internet Security, 3rd edition, by Simson Garfinkel,
Gene Spafford, and Alan Schwartz, O’Reilly & Associates, Sebastopol,
CA, USA, 2003. ISBN-10: 0-596-00323-4, ISBN-13: 978-0596003234.

2. Building Secure Software: How to Avoid Security Problems the Right Way,
by John Viega and Gary McGraw. Addison-Wesley, Reading, Massachusetts,
USA, 2001. ISBN- 10: 0-201-72152-X, ISBN-13: 978-0201721522.

3. “Setuid Demystified,” by Hao Chen, David Wagner, and Drew
Dean. Proceedings of the 11th USENIX Security Symposium, August 5–9,
2002. http://www.cs.berkeley.  edu/~daw/papers/setuid-usenix02.pdf.

One of my reviewers asked if these weren't "dusty references".
So, before I just refer to them as "classics", can anyone recommend
more recent books?  Feel free to answer in private.

Thanks,

Arnold

[TUHS] Re: Off topic: Books on Unix security?

[Kevin Bowling]

[-- Attachment #1: Type: text/plain, Size: 1706 bytes --]

On Fri, May 2, 2025 at 5:21 AM Aharon Robbins <arnold@skeeve.com> wrote:

> Hi All.
>
> In a book I'm updating, I have the following references for
> Unix security.
>
> 1. Practical UNIX & Internet Security, 3rd edition, by Simson Garfinkel,
> Gene Spafford, and Alan Schwartz, O’Reilly & Associates, Sebastopol,
> CA, USA, 2003. ISBN-10: 0-596-00323-4, ISBN-13: 978-0596003234.
>
> 2. Building Secure Software: How to Avoid Security Problems the Right Way,
> by John Viega and Gary McGraw. Addison-Wesley, Reading, Massachusetts,
> USA, 2001. ISBN- 10: 0-201-72152-X, ISBN-13: 978-0201721522.
>
> 3. “Setuid Demystified,” by Hao Chen, David Wagner, and Drew
> Dean. Proceedings of the 11th USENIX Security Symposium, August 5–9,
> 2002. http://www.cs.berkeley.  edu/~daw/papers/setuid-usenix02.pdf.
>
> One of my reviewers asked if these weren't "dusty references".
> So, before I just refer to them as "classics", can anyone recommend
> more recent books?  Feel free to answer in private.
>

I’d have to rummage around for a definitive answer but I think things have
fractured a bit and OS level security is either a chapter or section in
academic or professional books.  That is mostly survey or long standing
information, the edge is all in open source code and/or
papers/presentations.

There are several recent cryptography books aimed at a more practitioner
level I can recommend if that is relevant to your quest.

The main book that comes to mind 0321822137 is a C and C++ security survey
that is worthwhile but not OS specific.

I’d also like to know your title so I can add it to my collection when it
is ready!


> Thanks,
>
> Arnold
>

[-- Attachment #2: Type: text/html, Size: 2580 bytes --]

[TUHS] Re: Off topic: Books on Unix security?

[Rich Salz]

[-- Attachment #1: Type: text/plain, Size: 171 bytes --]

The Bellovin and Cheswick book(s) although it's more about network security
and firewalls.
The OWASP guides.
Practical UNIX and Internet security Book by Simson Garfinkel

[-- Attachment #2: Type: text/html, Size: 235 bytes --]

[TUHS] Re: Off topic: Books on Unix security?

[arnold]

norman@oclsc.org (Norman Wilson) wrote:

> Aharon Robbins:
>
>   So, before I just refer to them as "classics", can anyone recommend
>   more recent books?  Feel free to answer in private.
>
> ===
>
> `Unix security' is not the most-specific of terms.  Can
> you give more context?
>
> Norman Wilson
> Toronto ON

Classic things like setuid programs, writing daemons, as well
as general secure coding practices for C and C++ in a *nix context.

Thanks,

Arnold

[TUHS] Re: Off topic: Books on Unix security?

[Rik Farrow]

[-- Attachment #1: Type: text/plain, Size: 469 bytes --]

Paul von Oorschot's Tools and Jewels:

https://people.scs.carleton.ca/~paulv/toolsjewels.html

This was designed as a textbook for security, and includes very good
coverage of cryptography.

Rik

On Sun, May 4, 2025 at 5:06 AM Rich Salz <rich.salz@gmail.com> wrote:

> The Bellovin and Cheswick book(s) although it's more about network
> security and firewalls.
> The OWASP guides.
> Practical UNIX and Internet security Book by Simson Garfinkel
>
>

[-- Attachment #2: Type: text/html, Size: 933 bytes --]

[TUHS] Re: Off topic: Books on Unix security?

[arnold]

Thanks to everyone who responded.  Besides the original three in
my quoted email, here are the additional ones I was recommended
and have added to the list in my book.

Some were recommended by more than one person. In any case,
thank you all!

4. Secure Coding in C and C++, 2nd Edition, by Robert Seacord. ISBN-10:
0321822137, ISBN-13: 978-0321822130, Addison-Wesley Professional, Reading,
Massachusetts, USA, 2013.

5. Secure Coding: Principles and Practices, by Mark G. Graff,
Kenneth R. Van Wyk, and Debby Russell. ISBN-10: 0596002424, ISBN-13:
978-0596002428. O’Reilly Media, Inc., USA, 2003.

6. Writing Secure Code, 2nd Edition, by Michael Howard and David
LeBlanc. ISBN-10: 0735617228, ISBN-13: 978-0735617223. Microsoft Press,
USA, 2003.

7. Computer Security and the Internet—Tools and Jewels from
Malware to Bitcoin, 2nd Edition, by Paul C. van Oorschot. ISBN-13:
978-3-030-83410-4. Springer Nature Switzerland AG, 2021.

8. Thinking Security: Stopping Next Year’s Hackers by Steven
M. Bellovin. ISBN-10: 0134277546, ISBN-13: 978-0134277547. Addison-Wesley
Professional, Reading, Mas- sachusetts, USA, 2015.

9. Security Engineering: A Guide to Building Dependable Distributed
Systems, 3rd Edi- tion, by Ross Anderson. ISBN-10: 1119642787, ISBN-13:
978-1119642787. Wiley, USA, 2020.

10. Designing Secure Software: A Guide for Developers, by Loren
Kohnfelder. ISBN-10: 1718501927, ISBN-13: 978-1718501928. No Starch Press,
USA, 2021.

11. Building Secure and Reliable Systems: Best Practices for
Designing, Implementing, and Maintaining Systems, by Heather Adkins,
Betsy Beyer, Paul Blankinship, Piotr Lewandowski, Ana Oprea, and Adam
Stubblefield. ISBN-10: 1492083127, ISBN-13: 978-1492083122. O’Reilly
Media, USA, 2020.

12. Secure By Design, by Daniel Deogun, Dan Bergh Johnsson, and Daniel
Sawano. ISBN-10: 1617294357, ISBN-13: 978-1617294358. Manning, USA, 2019.


Aharon Robbins <arnold@skeeve.com> wrote:

> Hi All.
>
> In a book I'm updating, I have the following references for
> Unix security.
>
> 1. Practical UNIX & Internet Security, 3rd edition, by Simson Garfinkel,
> Gene Spafford, and Alan Schwartz, O’Reilly & Associates, Sebastopol,
> CA, USA, 2003. ISBN-10: 0-596-00323-4, ISBN-13: 978-0596003234.
>
> 2. Building Secure Software: How to Avoid Security Problems the Right Way,
> by John Viega and Gary McGraw. Addison-Wesley, Reading, Massachusetts,
> USA, 2001. ISBN- 10: 0-201-72152-X, ISBN-13: 978-0201721522.
>
> 3. “Setuid Demystified,” by Hao Chen, David Wagner, and Drew
> Dean. Proceedings of the 11th USENIX Security Symposium, August 5–9,
> 2002. http://www.cs.berkeley.  edu/~daw/papers/setuid-usenix02.pdf.
>
> One of my reviewers asked if these weren't "dusty references".
> So, before I just refer to them as "classics", can anyone recommend
> more recent books?  Feel free to answer in private.
>
> Thanks,
>
> Arnold

[TUHS] Re: Off topic: Books on Unix security?

[Grant Taylor via TUHS]

On 5/2/25 7:21 AM, Aharon Robbins wrote:
> 1. Practical UNIX & Internet Security, 3rd edition, by Simson 
> Garfinkel, Gene Spafford, and Alan Schwartz, O’Reilly & Associates, 
> Sebastopol, CA, USA, 2003. ISBN-10: 0-596-00323-4, ISBN-13: 
> 978-0596003234.
...
> One of my reviewers asked if these weren't "dusty references".  So, 
> before I just refer to them as "classics", can anyone recommend more 
> recent books?  Feel free to answer in private.

Having read (most of) Practical UNIX & Internet Security, 3rd edition, 
and other similar texts...

I've come to the realization that we as an industry haven't really moved 
beyond all of the problems taught to us in the '90s.  It's really 
amazing to me how much of the advice given in those "classic" tombs is 
still as germane today as it was 30 years ago.

Sure, some things have fallen off the bottom.  But mostly, we've just 
added things on top.

Fundamentals may get old, but they usually don't become wrong.



-- 
Grant. . . .

[TUHS] Re: Off topic: Books on Unix security?

[arnold]

Hi.

Grant Taylor via TUHS <tuhs@tuhs.org> wrote:

> Having read (most of) Practical UNIX & Internet Security, 3rd edition, 
> and other similar texts...
>
> I've come to the realization that we as an industry haven't really moved 
> beyond all of the problems taught to us in the '90s.

Sad, but true.

> It's really 
> amazing to me how much of the advice given in those "classic" tombs is 

Um, "tomes" is what I think you meant. :-)

> still as germane today as it was 30 years ago.
>
> Sure, some things have fallen off the bottom.  But mostly, we've just 
> added things on top.
>
> Fundamentals may get old, but they usually don't become wrong.

This last statement is exactly right. And in fact, it is my book on the
fundamental *nix APIs that I'm updating....

Feel free to ping me privately if you want more info.

Much thanks,

Arnold

P.S. Can I quote your statement?

[TUHS] Re: Off topic: Books on Unix security?

[steffen via TUHS]

[TUHS] Re: Off topic: Books on Unix security?

[Rik Farrow via TUHS]

I don't know of any recent, good books on Unix security. I wrote one, but
that was in 1990. Simpson and Spafford's book was last updated in 2003, and
had become somewhat of a monster by then at 986 pages:

https://www.oreilly.com/library/view/practical-unix-and/0596003234/

Paul Von Oorschot's security book second edition came out in 2021, and
while not focused on Unix, is more of a college textbook, but also provides
in-depth coverage. Here's a book review I wrote about it:

https://www.usenix.org/publications/loginonline/computer-security-and-internet

Rik


On Sat, Nov 15, 2025 at 6:14 PM steffen via TUHS <tuhs@tuhs.org> wrote:

>

[TUHS] Re: Off topic: Books on Unix security?

[Lynn Grant via TUHS]

This is probably not what you are looking for (especially since it is
dusty), but yet it might be of some interest. It is a semi-formal
mathematical model implementing the Bell-LaPadula security model for
Mandatory Access Control.

Although it has Multics in the title, it was being used in Orange Book
security evaluations of Unix systems in the late 1980s.

ESD-TR-75-306 / MTR-2997 Rev. 1 Secure Computer System: Unified Exposition
and Multics Interpretation

https://csrc.nist.gov/files/pubs/conference/1998/10/08/proceedings-of-the-21st-nissc-1998/final/docs/early-cs-papers/bell76.pdf

Lynn


On Sun, Nov 16, 2025 at 5:02 PM Rik Farrow via TUHS <tuhs@tuhs.org> wrote:

> I don't know of any recent, good books on Unix security. I wrote one, but
> that was in 1990. Simpson and Spafford's book was last updated in 2003, and
> had become somewhat of a monster by then at 986 pages:
>
> https://www.oreilly.com/library/view/practical-unix-and/0596003234/
>
> Paul Von Oorschot's security book second edition came out in 2021, and
> while not focused on Unix, is more of a college textbook, but also provides
> in-depth coverage. Here's a book review I wrote about it:
>
>
> https://www.usenix.org/publications/loginonline/computer-security-and-internet
>
> Rik
>
>
> On Sat, Nov 15, 2025 at 6:14 PM steffen via TUHS <tuhs@tuhs.org> wrote:
>
> >
>

[TUHS] Re: Off topic: Books on Unix security?

[Steffen Nurpmeso via TUHS]

Aaaah, apologies, apologies,

Rik Farrow wrote in
 <CACY3YMGHPXAWAZkWYCJLcqwqt1dgT_Sz7x-DTRxyhGG=xxeDKg@mail.gmail.com>:
 |I don't know of any recent, good books on Unix security. I wrote one, but
 |that was in 1990. Simpson and Spafford's book was last updated in 2003, and
 |had become somewhat of a monster by then at 986 pages:
 |
 |https://www.oreilly.com/library/view/practical-unix-and/0596003234/
 |
 |Paul Von Oorschot's security book second edition came out in 2021, and
 |while not focused on Unix, is more of a college textbook, but also provides
 |in-depth coverage. Here's a book review I wrote about it:
 |
 |https://www.usenix.org/publications/loginonline/computer-security-and-in\
 |ternet

Thank you!!

"But", you know, my email was an accident, i had (and still have)
Aharon Robbins' email (as below) in my $MAIL for all this time
because i wanted to have a deeper (now: "depper", German ;) look
at his list of books.

  Then a Debian bug report (for the MUA i maintain) came along,
  and i tested locally; to get clean config etc i use -:/ command
  line args for that, but *that* then cannot easily access the
  encrypted real storage of emails, instead it goes for $MAIL aka
  /var/mail/$LOGNAME, so we ended with that message; now i do say
  "set mta=test norecord", like this sent messages are not saved
  and go to standard output.  Yet.  *Either* i did "local reply"
  or i did "~:local set ..", or whatever i did, anyhow, the
  *second* reply test did *not* have mta=test (but did have
  *norecord*), and thus it left the box!!  I already apologised to
  Arnold in private, but .. it went over to TUHS even :-( *And*
  Warren waved it through!!

The best i can do to sidekick your pointer is thus quoting
Arnold's message:

arnold@skeeve.com wrote in
 <202505061501.546F10gs1802134@freefriends.org>:
 |Thanks to everyone who responded.  Besides the original three in
 |my quoted email, here are the additional ones I was recommended
 |and have added to the list in my book.
 |
 |Some were recommended by more than one person. In any case,
 |thank you all!
 |
 |4. Secure Coding in C and C++, 2nd Edition, by Robert Seacord. ISBN-10:
 |0321822137, ISBN-13: 978-0321822130, Addison-Wesley Professional, Reading,
 |Massachusetts, USA, 2013.
 |
 |5. Secure Coding: Principles and Practices, by Mark G. Graff,
 |Kenneth R. Van Wyk, and Debby Russell. ISBN-10: 0596002424, ISBN-13:
 |978-0596002428. O’Reilly Media, Inc., USA, 2003.
 |
 |6. Writing Secure Code, 2nd Edition, by Michael Howard and David
 |LeBlanc. ISBN-10: 0735617228, ISBN-13: 978-0735617223. Microsoft Press,
 |USA, 2003.
 |
 |7. Computer Security and the Internet—Tools and Jewels from
 |Malware to Bitcoin, 2nd Edition, by Paul C. van Oorschot. ISBN-13:
 |978-3-030-83410-4. Springer Nature Switzerland AG, 2021.
 |
 |8. Thinking Security: Stopping Next Year’s Hackers by Steven
 |M. Bellovin. ISBN-10: 0134277546, ISBN-13: 978-0134277547. Addison-Wesley
 |Professional, Reading, Mas- sachusetts, USA, 2015.
 |
 |9. Security Engineering: A Guide to Building Dependable Distributed
 |Systems, 3rd Edi- tion, by Ross Anderson. ISBN-10: 1119642787, ISBN-13:
 |978-1119642787. Wiley, USA, 2020.
 |
 |10. Designing Secure Software: A Guide for Developers, by Loren
 |Kohnfelder. ISBN-10: 1718501927, ISBN-13: 978-1718501928. No Starch Press,
 |USA, 2021.
 |
 |11. Building Secure and Reliable Systems: Best Practices for
 |Designing, Implementing, and Maintaining Systems, by Heather Adkins,
 |Betsy Beyer, Paul Blankinship, Piotr Lewandowski, Ana Oprea, and Adam
 |Stubblefield. ISBN-10: 1492083127, ISBN-13: 978-1492083122. O’Reilly
 |Media, USA, 2020.
 |
 |12. Secure By Design, by Daniel Deogun, Dan Bergh Johnsson, and Daniel
 |Sawano. ISBN-10: 1617294357, ISBN-13: 978-1617294358. Manning, USA, 2019.
 |
 |Aharon Robbins <arnold@skeeve.com> wrote:
 |
 |> Hi All.
 |>
 |> In a book I'm updating, I have the following references for
 |> Unix security.
 |>
 |> 1. Practical UNIX & Internet Security, 3rd edition, by Simson Garfinkel,
 |> Gene Spafford, and Alan Schwartz, O’Reilly & Associates, Sebastopol,
 |> CA, USA, 2003. ISBN-10: 0-596-00323-4, ISBN-13: 978-0596003234.
 |>
 |> 2. Building Secure Software: How to Avoid Security Problems the Right \
 |> Way,
 |> by John Viega and Gary McGraw. Addison-Wesley, Reading, Massachusetts,
 |> USA, 2001. ISBN- 10: 0-201-72152-X, ISBN-13: 978-0201721522.
 |>
 |> 3. “Setuid Demystified,” by Hao Chen, David Wagner, and Drew
 |> Dean. Proceedings of the 11th USENIX Security Symposium, August 5–9,
 |> 2002. http://www.cs.berkeley.  edu/~daw/papers/setuid-usenix02.pdf.
 |>
 |> One of my reviewers asked if these weren't "dusty references".
 |> So, before I just refer to them as "classics", can anyone recommend
 |> more recent books?  Feel free to answer in private.
 |>
 |> Thanks,
 |>
 |> Arnold
 --End of <202505061501.546F10gs1802134@freefriends.org>

Greetings.

--steffen
|
|Der Kragenbaer,                The moon bear,
|der holt sich munter           he cheerfully and one by one
|einen nach dem anderen runter  wa.ks himself off
|(By Robert Gernhardt)