Minos/DACODA papers errata

CCS paper

*The abstract refers to "these two models" when no mention of the Epsilon-Gamma-Pi model or PD-Requires-Provides model is made. This was the result of last-minute editing.

*We said that Cohen pointed out that Fenton had showed precise information flow marking to be NP-complete, when Cohen only cited Fenton for precise information flow and said that it is known to be NP-complete. There is no NP-completeness proof in Fenton's thesis or anywhere else in the literature, that we know of.

DIMVA paper

*In figure 2 for the Springer Lecture Notes version (not the pdf on Jed's website) epsilon and gamma are switched.

*The exploit we called an "ASN.1 exploit" is not an exploit for one of the half dozen ASN.1 vulnerabilities in Microsoft Windows but is actually an exploit for the "Microsoft Windows Workstation Service Remote Buffer Overflow Vulnerability" with bugtraq id 9011 (http://www.securityfocus.com/bid/9011/). It was misidentified because the inital SMB and NTLM requests were identical to a publicly available ASN.1 exploit.

*We correctly stated that the register springs in table 3 were an underestimate, but then we underestimated the underestimation. There are actually 11,006 EBX register springs, not 386*6=2316 for Blaster on Windows XP with no service packs. The Service Pack 1 number for EBX is 2183, more typical of EBX (and closer to our estimate although the estimate was for no service packs). ESP numbers are usually in the 100s. Blaster, in fact, could have as easily used ESP or EDI as a register spring instead of EBX.

*We would have liked to have thanked the Bochs developers and the DIMVA reviewers in the Acknowledgements but accidently left them out.

MICRO paper

*Our description of the LOMAC paper [15] is not complete so we encourage interested readers to read the entire LOMAC paper for themselves. The revokation problems of Biba's low-water-mark policy are addressed in the LOMAC paper while our description leaves a different impression.

*The citation of Suh et al.'s Information Flow Tracking paper is missing an author: David Zhang.

*We talk about 2 policies in Suh et al. [30], but we were referencing a memo publicly available on the web when in fact the camera ready version of their paper for ASPLOS has only a single policy which is more similar to Minos.

*We never actually implemented the sync()ing of ELF files for a newly compiled binary but instead implemented a different scheme which does not work properly and is not as secure. Implementing the sync() would be straightforward, however.

*The paper states that the establishment time requirement applies to mmap()ed files, but does not explain how this is implemented. Our implementation achieves this by copying each mmap()ed page onto itself before it is mapped and forcing it low integrity, which is not the best implementation option in terms of performance (though the disk read should dominate the time it takes to fetch and map a page).

*The AS/400's 64-bit address space may not be big enough to nullify the need to reuse virtual memory spaces. The AS/400 specification has 128-bit pointers but most implementations have a 64-bit limit. We are not sure whether or not virtual memory reuse is required in either the AS/400's specification or implementation.

WASSA paper

*We speculated that reads and writes for the do_brk() exploit could be done through the file system read() and write() system calls, but this is not possible. For correct details on how the do_brk() exploit works go to http://isec.pl.

Just for the record, the md5sum of "youresonosey" without a -n is: b09677bb22fceaf300e4bc9523b50bbb