More details in "Once upon a free()" by 'anonymous' in Phrack 57 article 9 http://www.phrack.org/show.php?p=57&a=9 and in my master's thesis, page 48, http://fort-knox.org/thesis.php.
I liked your thesis very much; actually, I was more interested in how to detect the vulnerabilities than in the vulnerabilities themselves. It's fun to play around with buffers to run shell code and such, but it is harder to devise tools or knowledge to detect these errors.
I found your references really interesting. Here are some links, some of them not included in the thesis.
Frank Piessens, <http://www.cs.kuleuven.ac.be/~frank/publications.htm>
A Buffer Overflow Study: Attacks & Defenses, by Pierre-Alain Fayolle, Vincent Glaume <http://www.securityfocus.com/data/library/report.pdf>
Practical Code Auditing, Lurene A. Grenier <http://www.daemonkitty.net/lurene/papers/Audit.pdf>
Regards,
Mads
