对于缓冲区溢出，有三件事令我印象深刻：第一次成功地在Linux的imapd上利用一个缓冲区溢出；第一次在本地的Linux中独立发现和利用了缓冲区溢出；第一次通过编写缓冲区溢出成功进入别人的主机。在读过Aleph1的关于缓冲区溢出的重要论文“Buffer overflows for fun and profit”后，大多数人想到的主要是由此带来的好处。因为精通编写缓冲区溢出程序的人在该行业任何一家大公司中做咨询师的年薪都可以达到9～12万美元。但另一方面，许多人对获得这种技能有一个很大的误区，认为学会这种技能，就可以一劳永逸了。确实，在IT领域许多诀窍是可以学会的，一旦了解了这些诀窍，也就拥有这些诀窍了。但是编写缓冲区溢出程序却并不如此，从书本中或者速成班中可以学会基础知识，但是编程的环境总是在变化。一方面，黑客在不停地寻找新的方法来更好的利用漏洞，寻找发现新的漏洞方法；另一方面，微软公司每天都在给它的代码增加保护，如果3个月不写缓冲区溢出代码，原有的技巧也就过时了。编写缓冲区溢出中最难的就是要地根据不断变化的环境给出新对策。用于编写溢出程序的工具也在不断变化着，以前编写溢出程序只需要一份Softice或GDB的拷贝，就可以由某个人单独完成。但是今天，即使是一个简单的缓冲区溢出，Immunity公司也会有相当大的投入。例如，需要有专门的调试器来查询、脚本化正在运行的程序；专门的编译器来创建和调整克服弱点所需求的shellcode；购买或产生用于专门解决各种不同问题的反向工程工具；用Python语言编写的完整的mySQL和SSL库。一个相对复杂的漏洞利用需要整个工作小组协调完成。每种复杂的漏洞利用都会有相应的文章介绍，这些漏洞利用来自于整个团队在不同漏洞利用过程中所得到的经验。最好的缓冲区溢出程序决不会是蠕虫。攻击者定制的漏洞利用会使被攻击者身陷其中。如果一个顶级黑客要攻击某个人，则会完全掌握目标主机的工作环境，目的只有一个，产生一个只使用一次的缓冲区溢出。编写缓冲区溢出程序有几个阶段。本书作者James Foster介绍了一些基础的知识和技巧，对初学者进行基础的训练，确定专攻的方向，然后就可以独自编写缓冲区溢出程序。虽然本书不能使读者站到技术的最前沿，但是能够确信自己掌握了基础知识，能够做出正确的决定。也许读者可能投身于此项工作，致力于编写代码、提高技能。对于选择这一行的读者，请记住下面的座右铭：● 永远不要害怕。微软的销售人员在不停地告诫人们发现微软的新软件的缓冲区溢出漏洞和编写相应的漏洞利用程序是件非常困难的事情。激励自己继续做下去的对策就是想像一旦漏洞利用成功，自己将会如何处理这个漏洞。编写漏洞利用程序需要掌握很多单调枯燥的技术，例如，HP-UX所用的少见的扇形内存访问方式；Irix带有的笨拙的高速缓冲存储器。虽然编写缓冲区溢出程序需要数千条的汇编语句，学起来并不是一件容易的事情，但只要自己觉得能做到，那就一定能做到。● 不要太把自己当回事。无论自己多么优秀，在遥远的地方可能还有一些十五岁的年轻人每天花20小时来争取做得更好。不要把编写缓冲区溢出程序当成一场竞争，否则你不久就会崩溃。● 找一些伙伴。编写缓冲区溢出程序不是独自能不断进步的一个技能，需要别人的帮助，找出自己在哪方面还比较薄弱。● 不管目标是什么，要把这本书当作工作表，而不是一本小说。要一边读一边在电脑上操作。一本缓冲区溢出的书不能造就出一个高明的黑客。在逐章学习的过程中，会发现在漏洞利用不起作用时，自己会去不断地尝试，会废寝忘食，会不惜花金钱来更准确地掌握所学到的知识。● 我的观点是：漏洞利用是事实的复杂陈述，如果你赞同这个观点，将使编写缓冲区溢出程序变得更加美妙。希望有一天能像欣赏艺术品一样欣赏你的代码。—Dave AitelImmunity公司创始人兼CEO

This book constitutes the refereed proceedings of the 5th International Workshop on Digital Watermarking Secure Data Management， IWDW 2006， held in Jeju Island， Korea in November 2006.The 34 revised full papers presented together with 3 invited lectures were carefully reviewed and selected from 76 submissions. The papers cover both theoretical and practical issues in digital watermarking and they feature such topics as steganography and steganalysis， data forensics， digital right management， secure watermarking， and their applications.

This book constitutes the thoroughly refereed post-proceedings of the 6th International Workshop on Privacy Enhancing Technologies， PET 2006， held in Cambridge， UK， in June 2006 co-located with WEIS 2006， the Workshop on the Economics of Information Security， and WOTE 2006， the IAVoSS Workshop On Trustworthy Elections.The 24 revised full papers presented were carefully selected from 91 submissions during two rounds of reviewing and improvement. The papers both from academia and industry present novel research on all theoretical and practical aspects of privacy technologies， as well as experimental studies of fielded systems.

This book constitutes the refereed proceedings of the International Conference on Emerging Trends in Information and Communication Security， ETRICS 2006， held in Freiburg， Germany， in June 2006.The 36 revised full papers presented were carefully reviewed and selected from around 180 submissions. The papers are organized in topical sections on multilateral security; security in service-oriented computing， secure mobile applications; enterprise privacy; privacy， identity， and anonymity; security engineering; security policies; security protocols; intrusion detection; and cryptographic security.

This book constitutes the refereed proceedings of the 11th European Symposium on Research in Computer Security， ESORICS 2006， held in Hamburg， Germany， in September 2006.The 32 revised full papers presented were carefully reviewed and selected from 160 submissions. ESORICS is confirmed as the European research event in computer security; it presents original research contributions， case studies and implementation experiences addressing any aspect of computer security - in theory， mechanisms， applications， or practical experience.

This book constitutes the refereed proceedings of the 8th International Symposium on Stabilization， Safety， and Security of Distributed Systems （formerly Symposium on Self-Stabilizing Systems）， SSS 2006， held in Dallas， TX， USA in November 2006.The 36 revised full papers and 12 revised short papers presented together with the extended abstracts of 2 invited lectures were carefully reviewed and selected from 155 submissions. The papers address all aspects of self-stabilization， safety and security， recovery oriented systems and programing， from theoretical contributions， to reports of the actual experience of applying the principles of self-stabilization to static and dynamic systems.

This book constitutes the refereed proceedings of the 8th International Workshop on Cryptographic Hardware and Embedded Systems， CHES 2006， held in Yokohama， Japan in October 2006.The 32 revised full papers presented together with 3 invited talks were carefullyreviewed and selected from 112 submissions. The papers are organized in topical sections on side channels， low resources， hardware attacks and countermeasures， special purpose hardware， efficient algorithms for embedded processors， side channels， hardware attacks and countermeasures， efficient hardware， trusted computing， side channels， hardware attacks and countermeasures， as well as efficient hardware.

The fun and easy way（r） to pass the CISSP exam and get certifiedCramming for the CISSP exam？ This friendly test-prep guide makes studying a snap！ Prepared by two CISSP-certified experts， it gets you up to speed on the latest changes to the exam and gives you proven test-taking tips. You&'ll find complete coverage of all ten domains of the （ISC）² Common Body of knowledge to help you pass with flying colors.

This book constitutes the refereed proceedings of the Third International Conference on Trust and Privacy in Digital Business， TrustBus 2006， held in Krakow， Poland in September 2006 in conjunction with DEXA 2006.The 24 revised full papers presented were carefully reviewed and selected from 70 submissions. The papers are organized in topical sections on privacy and identity management， security and risk management， security requirements and development， privacy enhancing technologies and privacy management， access control models， trust and reputation， security protocols， and security and privacy in mobile environments.

This book constitutes the refereed proceedings of the Third VLDB 2006 International Workshop on Secure Data Management， SDM 2006， held in Seoul， Korea in September 2006 in conjunction with VLDB 2006.The 13 revised full papers presented were carefully reviewed and selected from 33 submissions. The papers are organized in topical sections on privacy protection， privacy preserving data management， access control， and database security.