J. P. Anderson. Computer Security Technology Planning Study (Vol. I and II, “Anderson report”). James P. Anderson and Co., Fort Washington, PA, USA, Oct 1972.
S. M. Bellovin. Thinking Security: Stopping Next Year’s Hackers. Addison-Wesley, 2016.
H. Chen, D. Wagner, and D. Dean. Setuid demystified. In USENIX Security, 2002.
D. A. Curry. UNIX System Security: A Guide for Users and System Administrators. Addison-Wesley, 1992.
R. C. Daley and P. G. Neumann. A general-purpose file system for secondary storage. In AFIPS Fall Joint Computer Conference, pages 213–229, Nov 1965.
J. B. Dennis. Segmentation and the design of multiprogrammed computer systems. Journal of the ACM, 12(4):589–602, 1965.
M. S. Dittmer and M. V. Tripunitara. The UNIX process identity crisis: A standards-driven approach to setuid. In ACM Comp. & Comm. Security (CCS), pages 1391–1402, 2014.
M. Dowd, J. McDonald, and J. Schuh. The Art of Software Security Assessment: Identifying and Preventing Software Vulnerabilities. Addison-Wesley, 2006.
D. Ferraiolo and R. Kuhn. Role-based access controls. In National Computer Security Conf. (NCSC), pages 554–563, Oct. 1992.
D. F. Ferraiolo, R. S. Sandhu, S. I. Gavrila, D. R. Kuhn, and R. Chandramouli. Proposed NIST standard for role-based access control. ACM Trans. Inf. Systems and Security, 4(3):224–274, 2001.
W. Ford and M. J. Wiener. A key distribution method for object-based protection. In ACM Comp. & Comm. Security (CCS), pages 193–197, 1994.
M. Gasser. Building a Secure Computer System. Van Nostrand Reinhold, 1988. PDF available online.
G. S. Graham and P. J. Denning. Protection—principles and practice. In AFIPS Spring Joint Computer Conference, pages 417–429, May 1972.
R. M. Graham. Protection in an information processing utility. Comm. ACM, 11(5):365–369, 1968. Appeared as the first paper, pp. 1–5, first ACM Symposium on Operating System Principles, 1967.
A. Gruenbacher. POSIX access control lists on LINUX. In USENIX Annual Technical Conf., pages 259–272, 2003.
T. Jaeger. Operating System Security. Morgan and Claypool, 2008.
P.-H. Kamp and R. N. M. Watson. Jails: Confining the omnipotent root. In System Admin. and Networking
Conf. (SANE), 2000. Cf. “Building systems to be shared, securely”, ACM Queue, Aug 2004.
B. W. Lampson. A note on the confinement problem. Comm. ACM, 16(10):613–615, 1973.
B. W. Lampson. Protection. ACM Operating Sys. Review, 8(1):18–24, 1974. Originally published in Proc. 5th Princeton Conf. on Information Sciences and Systems, 1971.
H. Lee, C. Song, and B. B. Kang. Lord of the x86 rings: A portable user mode privilege separation architecture on x86. In ACM Comp. & Comm. Security (CCS), pages 1441–1454, 2018.
T. Linden. Security Analysis and Enhancements of Computer Operating Systems (“RISOS report”),
Apr 1976. NBSIR 76-1041, The RISOS Project, Lawrence Livermore Laboratory, Livermore, CA.
P. Loscocco and S. Smalley. Integrating flexible support for security policies into the Linux operating
system. In USENIX Annual Technical Conf., pages 29–42, 2001. FREENIX Track. Full technical report,
62 pages, available online.
P. A. Loscocco, S. D. Smalley, P. A. Muckelbauer, R. C. Taylor, S. J. Turner, and J. F. Farrell. The
inevitability of failure: The flawed assumption of security in modern computing environments. In
National Info. Systems Security Conf. (NISSC), pages 303–314, 1998.
B. McCarty. SELinux: NSA’s Open Source Security Enhanced Linux. O’Reilly Media, 2004.
E. I. Organick. The Multics System: An Examination of Its Structure. MIT Press (5th printing, 1985),
D. M. Ritchie and K. Thompson. The UNIX time-sharing system. Comm. ACM, 17(7):365–375, 1974.
J. H. Saltzer. Protection and the control of information sharing in Multics. Comm. ACM, 17(7):388–402,
J. H. Saltzer and M. F. Kaashoek. Principles of Computer System Design. Morgan Kaufmann, 2010.
J. H. Saltzer and M. D. Schroeder. The protection of information in computer systems. Proceedings of
the IEEE, 63(9):1278–1308, September 1975.
R. S. Sandhu, E. J. Coyne, H. L. Feinstein, and C. E. Youman. Role-based access control models. IEEE
Computer, 29(2):38–47, 1996.
M. D. Schroeder and J. H. Saltzer. A hardware architecture for implementing protection rings. Comm.
ACM, 15(3):157–170, 1972. Earlier version in ACM SOSP, pages 42–54, 1971.
A. Silberschatz, P. B. Galvin, and G. Gagne. Operating System Concepts (seventh edition). John Wiley
and Sons, 2005.
S. Smalley and R. Craig. Security Enhanced (SE) Android: Bringing Flexible MAC to Android. In
Netw. Dist. Sys. Security (NDSS), 2013.
R. Spencer, S. Smalley, P. Loscocco, M. Hibler, D. Andersen, and J. Lepreau. The Flask security
architecture: System support for diverse security policies. In USENIX Security, 1999.
A. S. Tanenbaum. Modern Operating Systems (3rd edition). Pearson Prentice Hall, 2008.
K. Thompson. Reflections on trusting trust. Comm. ACM, 27(8):761–763, 1984.
W. H. Ware (Chair). Security Controls for Computer Systems: Report of Defense Science Board Task
Force on Computer Security. RAND Report R-609-1 (“Ware report”), 11 Feb 1970. Office of Director
of Defense Research and Engineering, Wash., D.C. Confidential; declassified 10 Oct 1975.
R. N. M. Watson and 14 others. CHERI: A hybrid capability-system architecture for scalable software
compartmentalization. In IEEE Symp. Security and Privacy, pages 20–37, 2015.
R. N. M. Watson, J. Anderson, B. Laurie, and K. Kennaway. Capsicum: Practical capabilities for UNIX.
In USENIX Security, pages 29–46, 2010.
C. Wright, C. Cowan, S. Smalley, J. Morris, and G. Kroah-Hartman. Linux security modules: General
security support for the Linux kernel. In USENIX Security, pages 17–31, 2002.