《中国信息安全年鉴》（以下简称《年鉴》）是由中国信息协会信息安全专业委员会编辑的年刊。《年鉴》通过收录我国信息安全领域各个层面的资料、信息，客观记述我国信息安全领域的主要动向和发展概况，供从事与信息安全相关的管理、科研、生产、教育、系统建设的部门的人员参考。本卷《年鉴》所收录的信息时限是从2005年4月至200年3月。《年鉴》自1998年首版以来，得到了国家各信息安全主管单位、各行业相关部门、企事业单位以及信息安全业内专家学者和各界朋友的热情支持和帮助。国务院信息化工作办公室网络与信息安全组对本《年鉴》的编辑工作做了指导，对文献收集、信息采集工作给予了大力支持。

This book constitutes the refereed proceedings of the International Conference on Privacy in Statistical Databases， PSD 2006， held in December 2006 in Rome， Italy as the main conference of the CENEX-SDC （CENtre of EXcellence for Statistical Disclosure Control） project.The 31 revised full papers presented were carefully reviewed and selected from 45 submissions. The papers are organized in topical sections on methods for tabular protection， utility and risk in tabular protection， methods for microdata protection， utility and risk in microdata protection， protocols for private computation， case studies， and software.

The LNCS series reports state-of-the-art results in computer science research， development， and education， at a high level and in both printed and electronic form. Enjoying tight cooperation with the R&D community， with numerous individuals， as well as with prestigious organizations and Societies， LNCS has grown into the most comprehensive computer science research forum available.The scope of LNCS， including its sub series LNAI， spans the whole range of computer science and information technology including interdisciplinary topics in a variety of application fields. The type of material published traditionally includes- Proceedings（published in time for the respective conference） - Post-proceedings（consisting of thoroughly revised final full papers） -research monographs（which may be based on outstanding PhD work， research projects， technical reports， etc.）

Since the mid 1990s， data hiding has been proposed as an enabling technology for securing multimedia communication， and is now used in various applications including broadcast monitoring， movie fingerprinting， steganography， video indexing and retrieval， and image authentication. Data hiding and cryptographic techniques are often combined to complement each other， thus triggering the development of a new research field in multimedia security. Two related disciplines， steganalysis and data forensics， are also increasingly attracting researchers and forming another new research field in multimedia security. This journal， LNCS Transactions on Data Hiding and Multimedia Security， aims to be a forum for all researchers in these emerging fields， publishing both original and archival research results.This inaugural issue contains five papers dealing with a wide range of topics related to multimedia security. The first paper deals with evaluation criteria for the performance of audio watermarking algorithms. The second provides a survey of problems related to watermark security. The third discusses practical implementations of zero-knowledge watermark detectors and proposes efficient solutions for correlation-based detectors. The fourth introduces the concept of Personal Entertainment Domains （PED） in Digital Rights Management （DRM） schemes. The fifth reports on the use of fusion techniques to improve the detection accuracy of steganalysis.

对于缓冲区溢出，有三件事令我印象深刻：第一次成功地在Linux的imapd上利用一个缓冲区溢出；第一次在本地的Linux中独立发现和利用了缓冲区溢出；第一次通过编写缓冲区溢出成功进入别人的主机。在读过Aleph1的关于缓冲区溢出的重要论文“Buffer overflows for fun and profit”后，大多数人想到的主要是由此带来的好处。因为精通编写缓冲区溢出程序的人在该行业任何一家大公司中做咨询师的年薪都可以达到9～12万美元。但另一方面，许多人对获得这种技能有一个很大的误区，认为学会这种技能，就可以一劳永逸了。确实，在IT领域许多诀窍是可以学会的，一旦了解了这些诀窍，也就拥有这些诀窍了。但是编写缓冲区溢出程序却并不如此，从书本中或者速成班中可以学会基础知识，但是编程的环境总是在变化。一方面，黑客在不停地寻找新的方法来更好的利用漏洞，寻找发现新的漏洞方法；另一方面，微软公司每天都在给它的代码增加保护，如果3个月不写缓冲区溢出代码，原有的技巧也就过时了。编写缓冲区溢出中最难的就是要地根据不断变化的环境给出新对策。用于编写溢出程序的工具也在不断变化着，以前编写溢出程序只需要一份Softice或GDB的拷贝，就可以由某个人单独完成。但是今天，即使是一个简单的缓冲区溢出，Immunity公司也会有相当大的投入。例如，需要有专门的调试器来查询、脚本化正在运行的程序；专门的编译器来创建和调整克服弱点所需求的shellcode；购买或产生用于专门解决各种不同问题的反向工程工具；用Python语言编写的完整的mySQL和SSL库。一个相对复杂的漏洞利用需要整个工作小组协调完成。每种复杂的漏洞利用都会有相应的文章介绍，这些漏洞利用来自于整个团队在不同漏洞利用过程中所得到的经验。最好的缓冲区溢出程序决不会是蠕虫。攻击者定制的漏洞利用会使被攻击者身陷其中。如果一个顶级黑客要攻击某个人，则会完全掌握目标主机的工作环境，目的只有一个，产生一个只使用一次的缓冲区溢出。编写缓冲区溢出程序有几个阶段。本书作者James Foster介绍了一些基础的知识和技巧，对初学者进行基础的训练，确定专攻的方向，然后就可以独自编写缓冲区溢出程序。虽然本书不能使读者站到技术的最前沿，但是能够确信自己掌握了基础知识，能够做出正确的决定。也许读者可能投身于此项工作，致力于编写代码、提高技能。对于选择这一行的读者，请记住下面的座右铭：● 永远不要害怕。微软的销售人员在不停地告诫人们发现微软的新软件的缓冲区溢出漏洞和编写相应的漏洞利用程序是件非常困难的事情。激励自己继续做下去的对策就是想像一旦漏洞利用成功，自己将会如何处理这个漏洞。编写漏洞利用程序需要掌握很多单调枯燥的技术，例如，HP-UX所用的少见的扇形内存访问方式；Irix带有的笨拙的高速缓冲存储器。虽然编写缓冲区溢出程序需要数千条的汇编语句，学起来并不是一件容易的事情，但只要自己觉得能做到，那就一定能做到。● 不要太把自己当回事。无论自己多么优秀，在遥远的地方可能还有一些十五岁的年轻人每天花20小时来争取做得更好。不要把编写缓冲区溢出程序当成一场竞争，否则你不久就会崩溃。● 找一些伙伴。编写缓冲区溢出程序不是独自能不断进步的一个技能，需要别人的帮助，找出自己在哪方面还比较薄弱。● 不管目标是什么，要把这本书当作工作表，而不是一本小说。要一边读一边在电脑上操作。一本缓冲区溢出的书不能造就出一个高明的黑客。在逐章学习的过程中，会发现在漏洞利用不起作用时，自己会去不断地尝试，会废寝忘食，会不惜花金钱来更准确地掌握所学到的知识。● 我的观点是：漏洞利用是事实的复杂陈述，如果你赞同这个观点，将使编写缓冲区溢出程序变得更加美妙。希望有一天能像欣赏艺术品一样欣赏你的代码。—Dave AitelImmunity公司创始人兼CEO

This book constitutes the refereed proceedings of the 5th International Workshop on Digital Watermarking Secure Data Management， IWDW 2006， held in Jeju Island， Korea in November 2006.The 34 revised full papers presented together with 3 invited lectures were carefully reviewed and selected from 76 submissions. The papers cover both theoretical and practical issues in digital watermarking and they feature such topics as steganography and steganalysis， data forensics， digital right management， secure watermarking， and their applications.

This book constitutes the thoroughly refereed post-proceedings of the 6th International Workshop on Privacy Enhancing Technologies， PET 2006， held in Cambridge， UK， in June 2006 co-located with WEIS 2006， the Workshop on the Economics of Information Security， and WOTE 2006， the IAVoSS Workshop On Trustworthy Elections.The 24 revised full papers presented were carefully selected from 91 submissions during two rounds of reviewing and improvement. The papers both from academia and industry present novel research on all theoretical and practical aspects of privacy technologies， as well as experimental studies of fielded systems.

This book constitutes the refereed proceedings of the 11th European Symposium on Research in Computer Security， ESORICS 2006， held in Hamburg， Germany， in September 2006.The 32 revised full papers presented were carefully reviewed and selected from 160 submissions. ESORICS is confirmed as the European research event in computer security; it presents original research contributions， case studies and implementation experiences addressing any aspect of computer security - in theory， mechanisms， applications， or practical experience.

This book constitutes the refereed proceedings of the 8th International Symposium on Stabilization， Safety， and Security of Distributed Systems （formerly Symposium on Self-Stabilizing Systems）， SSS 2006， held in Dallas， TX， USA in November 2006.The 36 revised full papers and 12 revised short papers presented together with the extended abstracts of 2 invited lectures were carefully reviewed and selected from 155 submissions. The papers address all aspects of self-stabilization， safety and security， recovery oriented systems and programing， from theoretical contributions， to reports of the actual experience of applying the principles of self-stabilization to static and dynamic systems.

This book constitutes the refereed proceedings of the 8th International Workshop on Cryptographic Hardware and Embedded Systems， CHES 2006， held in Yokohama， Japan in October 2006.The 32 revised full papers presented together with 3 invited talks were carefullyreviewed and selected from 112 submissions. The papers are organized in topical sections on side channels， low resources， hardware attacks and countermeasures， special purpose hardware， efficient algorithms for embedded processors， side channels， hardware attacks and countermeasures， efficient hardware， trusted computing， side channels， hardware attacks and countermeasures， as well as efficient hardware.