CCS paper

*The abstract refers to "these two models" when no mention of the Epsilon-Gamma-Pi model or PD-Requires-Provides model is made. This was the result of last-minute editing.

*We said that Cohen pointed out that Fenton had shown precise information flow marking to be NP-complete, when Cohen only cited Fenton for precise information flow and said that it is known to be NP-complete. There is no NP-completeness proof in Fenton's thesis or anywhere else in the literature, that we know of.



DIMVA paper

*In figure 2 for the Springer Lecture Notes version (not the pdf on Jed's website) epsilon and gamma are switched.

*The exploit we called an "ASN.1 exploit" is not an exploit for one of the half dozen ASN.1 vulnerabilities in Microsoft Windows but is actually an exploit for the "Microsoft Windows Workstation Service Remote Buffer Overflow Vulnerability" with bugtraq id 9011 (http://www.securityfocus.com/bid/9011/). It was misidentified because the initial SMB and NTLM requests were identical to a publicly available ASN.1 exploit.

*We correctly stated that the register springs in table 3 were an underestimate, but then we underestimated the underestimation. There are actually 11,006 EBX register springs, not 386*6=2316 for Blaster on Windows XP with no service packs. The Service Pack 1 number for EBX is 2183, more typical of EBX (and closer to our estimate although the estimate was for no service packs). ESP numbers are usually in the 100s. Blaster, in fact, could have as easily used ESP or EDI as a register spring instead of EBX.

*We would have liked to have thanked the Bochs developers and the DIMVA reviewers in the Acknowledgements but accidentally left them out.



MICRO paper

*Our description of the LOMAC paper [15] is not complete so we encourage interested readers to read the entire LOMAC paper for themselves. The revocation problems of Biba's low-water-mark policy are addressed in the LOMAC paper while our description leaves a different impression.

*The citation of Suh et al.'s Information Flow Tracking paper is missing an author: David Zhang.

*We talk about 2 policies in Suh et al. [30], but we were referencing a memo publicly available on the web when in fact the camera-ready version of their paper for ASPLOS has only a single policy, which is more similar to Minos.

*We never actually implemented the sync()ing of ELF files for a newly compiled binary but instead implemented a different scheme which does not work properly and is not as secure. Implementing the sync() would be straightforward, however.

*The paper states that the establishment time requirement applies to mmap()ed files, but does not explain how this is implemented. Our implementation achieves this by copying each mmap()ed page onto itself before it is mapped and forcing it low integrity, which is not the best implementation option in terms of performance (though the disk read should dominate the time it takes to fetch and map a page).

*The AS/400's 64-bit address space may not be big enough to nullify the need to reuse virtual memory spaces. The AS/400 specification has 128-bit pointers but most implementations have a 64-bit limit. We are not sure whether or not virtual memory reuse is required in either the AS/400's specification or implementation.



WASSA paper

*We speculated that reads and writes for the do_brk() exploit could be done through the file system read() and write() system calls, but this is not possible. For correct details on how the do_brk() exploit works go to http://isec.pl.

Just for the record, the md5sum of "youresonosey" without a -n is: b09677bb22fceaf300e4bc9523b50bbb