Cost Reduction With Guarantees: Formal Reasoning Applied To Blockchain Technologies

Blockchain technologies are moving fast and their distributed nature as well as their high-stake (financial) applications make it crucial to “get things right”. Moreover, blockchain technologies often come with a high cost for maintaining blockchain infrastructure and for running applications. In this thesis formal reasoning is used for guaranteeing correctness while reducing the cost of (i) maintaining the infrastructure by optimising blockchain protocols, and (ii) running applications by optimising blockchain programs—so called smart contracts. Both have a clear cost measure: for protocols the amount of exchanged messages, and for smart contracts the monetary cost of execution. In the first result for blockchain protocols starting from a proof of correctness for an abstract blockchain consensus protocol using infinitely many messages and infinite state, a refinement proof transfers correctness to a concrete implementation of the protocol reducing the cost to finite resources. In the second result I move from a blockchain to a block graph. This block graph embeds the run of a deterministic byzantine fault tolerant protocol, thereby getting parallelism “for free” and reducing the exchanged messages to the point of omission. For blockchain programs, I optimise programs executed on the Ethereum blockchain. As a first result, I use superoptimisation and encode the search for cheaper, but observationally equivalent, program as a search problem for an automated theorem prover. Since solving this search problem is in itself expensive, my second result is an efficient encoding of the search problem. Finally for reusing found optimisations, my third results gives a framework to generate peephole optimisation rules for a smart contract compiler

Complete spatial safety for C and C++ using CHERI capabilities

Lack of memory safety in commonly used systems-level languages such as C and C++ results in a constant stream of new exploitable software vulnerabilities and exploit techniques. Many exploit mitigations have been proposed and deployed over the years, yet none address the root issue: lack of memory safety. Most C and C++ implementations assume a memory model based on a linear array of bytes rather than an object-centric view. Whilst more efficient on contemporary CPU architectures, linear addresses cannot encode the target object, thus permitting memory errors such as spatial safety violations (ignoring the bounds of an object). One promising mechanism to provide memory safety is CHERI (Capability Hardware Enhanced RISC Instructions), which extends existing processor architectures with capabilities that provide hardware-enforced checks for all accesses and can be used to prevent spatial memory violations. This dissertation prototypes and evaluates a pure-capability programming model (using CHERI capabilities for all pointers) to provide complete spatial memory protection for traditionally unsafe languages. As the first step towards memory safety, all language-visible pointers can be implemented as capabilities. I analyse the programmer-visible impact of this change and refine the pure-capability programming model to provide strong source-level compatibility with existing code. Second, to provide robust spatial safety, language-invisible pointers (mostly arising from program linkage) such as those used for functions calls and global variable accesses must also be protected. In doing so, I highlight trade-offs between performance and privilege minimization for implicit and programmer-visible pointers. Finally, I present CheriSH, a novel and highly compatible technique that protects against buffer overflows between fields of the same object, hereby ensuring that the CHERI spatial memory protection is complete. I find that the byte-granular spatial safety provided by CHERI pure-capability code is not only stronger than most other approaches, but also incurs almost negligible performance overheads in common cases (0.1% geometric mean) and a worst-case overhead of only 23.3% compared to the insecure MIPS baseline. Moreover, I show that the pure-capability programming model provides near-complete source-level compatibility with existing programs. I evaluate this based on porting large widely used open-source applications such as PostgreSQL and WebKit with only minimal changes: fewer than 0.1% of source lines. I conclude that pure-capability CHERI C/C++ is an eminently viable programming environment offering strong memory protection, good source-level compatibility and low performance overheads

The SM and NLO multileg working group: Summary report

This report summarizes the activities of the SM and NLO Multileg Working Group of the Workshop "Physics at TeV Colliders", Les Houches, France 8-26 June, 2009.Comment: 169 pages, Report of the SM and NLO Multileg Working Group for the Workshop "Physics at TeV Colliders", Les Houches, France 8-26 June, 200

A systematic analysis of defenses against code reuse attacks

Thesis: M. Eng., Massachusetts Institute of Technology, Department of Electrical Engineering and Computer Science, 2013.Cataloged from PDF version of thesis.Includes bibliographical references (pages 85-88).In this thesis, we developed a systematic model of the code reuse attack space where facts about attacks and defenses were represented as propositional statements in boolean logic and the possibility of deploying malware was a satisfiability instance. We use the model to analyze the space in two ways: we analyze the defense configurations of a real-world system and we reason about hypothetical defense bypasses. We construct attacks based on the hypothetical defense bypasses. Next, we investigate the control flow graphs enforced by proposed control flow integrity (CFI) systems. We model the behavior of these systems using a graph search. We also develop several code reuse payloads that work within the control flow graph enforced by one proposed CFI defense. Our findings illustrate that the defenses we investigated are not effective in preventing real world attacks.by Kelly Casteel.M. Eng

GAMBIT: the global and modular beyond-the-standard-model inference tool

We describe the open-source global fitting package GAMBIT: the Global And Modular Beyond-the-Standard-Model Inference Tool. GAMBIT combines extensive calculations of observables and likelihoods in particle and astroparticle physics with a hierarchical model database, advanced tools for automatically building analyses of essentially any model, a flexible and powerful system for interfacing to external codes, a suite of different statistical methods and parameter scanning algorithms, and a host of other utilities designed to make scans faster, safer and more easily-extendible than in the past. Here we give a detailed description of the framework, its design and motivation, and the current models and other specific components presently implemented in GAMBIT. Accompanying papers deal with individual modules and present first GAMBIT results. GAMBIT can be downloaded from gambit.hepforge.org

Two-Fermion Production in Electron-Positron Collisions

This report summarizes the results of the two-fermion working group of the LEP2-MC workshop, held at CERN from 1999 to 2000. Recent developments in the theoretical calculations of the two fermion production process in the electron-positron collision at LEP2 center of the mass energies are reported. The Bhabha process and the production of muon, tau, neutrino and quark pairs is covered. On the basis of comparison of various calculations, theoretical uncertainties are estimated and compared with those needed for the final LEP2 data analysis. The subjects for the further studies are identified.Comment: 2-fermion working group report of the LEP2 Monte Carlo Workshop 1999/2000, 113 pages, 24 figures, 35 table