A Verified Information-Flow Architecture

SAFE is a clean-slate design for a highly secure computer system, with pervasive mechanisms for tracking and limiting information flows. At the lowest level, the SAFE hardware supports fine-grained programmable tags, with efficient and flexible propagation and combination of tags as instructions are executed. The operating system virtualizes these generic facilities to present an information-flow abstract machine that allows user programs to label sensitive data with rich confidentiality policies. We present a formal, machine-checked model of the key hardware and software mechanisms used to dynamically control information flow in SAFE and an end-to-end proof of noninterference for this model. We use a refinement proof methodology to propagate the noninterference property of the abstract machine down to the concrete machine level. We use an intermediate layer in the refinement chain that factors out the details of the information-flow control policy and devise a code generator for compiling such information-flow policies into low-level monitor code. Finally, we verify the correctness of this generator using a dedicated Hoare logic that abstracts from low-level machine instructions into a reusable set of verified structured code generators

Faithful Estimation of Dynamics Parameters from CPMG Relaxation Dispersion Measurements

This work examines the robustness of fitting of parameters describing conformational exchange (kex, pa/b, and Δω) processes from CPMG relaxation dispersion data. We have analyzed the equations describing conformational exchange processes for the intrinsic inter-dependence of their parameters that leads to the existence of multiple equivalent solutions, which equally satisfy the experimental data. We have used Monte-Carlo simulations and fitting to the synthetic data sets as well as the direct 3-D mapping of the parameter space of kex, pa/b, and Δω to quantitatively assess the degree of the parameter inter-dependence. The demonstrated high correlation between parameters can preclude accurate dynamics parameter estimation from NMR spin-relaxation data obtained at a single static magnetic field. The strong parameter inter-dependence can readily be overcome through acquisition of spin-relaxation data at more than one static magnetic field thereby allowing accurate assessment of conformational exchange properties

General rules for bosonic bunching in multimode interferometers

We perform a comprehensive set of experiments that characterize bosonic bunching of up to 3 photons in interferometers of up to 16 modes. Our experiments verify two rules that govern bosonic bunching. The first rule, obtained recently in [1,2], predicts the average behavior of the bunching probability and is known as the bosonic birthday paradox. The second rule is new, and establishes a n!-factor quantum enhancement for the probability that all n bosons bunch in a single output mode, with respect to the case of distinguishable bosons. Besides its fundamental importance in phenomena such as Bose-Einstein condensation, bosonic bunching can be exploited in applications such as linear optical quantum computing and quantum-enhanced metrology.Comment: 6 pages, 4 figures, and supplementary material (4 pages, 1 figure

Cryptographically Secure Information Flow Control on Key-Value Stores

We present Clio, an information flow control (IFC) system that transparently incorporates cryptography to enforce confidentiality and integrity policies on untrusted storage. Clio insulates developers from explicitly manipulating keys and cryptographic primitives by leveraging the policy language of the IFC system to automatically use the appropriate keys and correct cryptographic operations. We prove that Clio is secure with a novel proof technique that is based on a proof style from cryptography together with standard programming languages results. We present a prototype Clio implementation and a case study that demonstrates Clio's practicality.Comment: Full version of conference paper appearing in CCS 201

Evaluation of two interaction techniques for visualization of dynamic graphs

Several techniques for visualization of dynamic graphs are based on different spatial arrangements of a temporal sequence of node-link diagrams. Many studies in the literature have investigated the importance of maintaining the user's mental map across this temporal sequence, but usually each layout is considered as a static graph drawing and the effect of user interaction is disregarded. We conducted a task-based controlled experiment to assess the effectiveness of two basic interaction techniques: the adjustment of the layout stability and the highlighting of adjacent nodes and edges. We found that generally both interaction techniques increase accuracy, sometimes at the cost of longer completion times, and that the highlighting outclasses the stability adjustment for many tasks except the most complex ones.Comment: Appears in the Proceedings of the 24th International Symposium on Graph Drawing and Network Visualization (GD 2016

Hang With Your Buddies to Resist Intersection Attacks

Some anonymity schemes might in principle protect users from pervasive network surveillance - but only if all messages are independent and unlinkable. Users in practice often need pseudonymity - sending messages intentionally linkable to each other but not to the sender - but pseudonymity in dynamic networks exposes users to intersection attacks. We present Buddies, the first systematic design for intersection attack resistance in practical anonymity systems. Buddies groups users dynamically into buddy sets, controlling message transmission to make buddies within a set behaviorally indistinguishable under traffic analysis. To manage the inevitable tradeoffs between anonymity guarantees and communication responsiveness, Buddies enables users to select independent attack mitigation policies for each pseudonym. Using trace-based simulations and a working prototype, we find that Buddies can guarantee non-trivial anonymity set sizes in realistic chat/microblogging scenarios, for both short-lived and long-lived pseudonyms.Comment: 15 pages, 8 figure

Walking dynamics are symmetric (enough)

Many biological phenomena such as locomotion, circadian cycles, and breathing are rhythmic in nature and can be modeled as rhythmic dynamical systems. Dynamical systems modeling often involves neglecting certain characteristics of a physical system as a modeling convenience. For example, human locomotion is frequently treated as symmetric about the sagittal plane. In this work, we test this assumption by examining human walking dynamics around the steady-state (limit-cycle). Here we adapt statistical cross validation in order to examine whether there are statistically significant asymmetries, and even if so, test the consequences of assuming bilateral symmetry anyway. Indeed, we identify significant asymmetries in the dynamics of human walking, but nevertheless show that ignoring these asymmetries results in a more consistent and predictive model. In general, neglecting evident characteristics of a system can be more than a modeling convenience---it can produce a better model.Comment: Draft submitted to Journal of the Royal Society Interfac

Steps Towards a Method for the Formal Modeling of Dynamic Objects

Fragments of a method to formally specify object-oriented models of a universe of discourse are presented. The task of finding such models is divided into three subtasks, object classification, event specification, and the specification of the life cycle of an object. Each of these subtasks is further subdivided, and for each of the subtasks heuristics are given that can aid the analyst in deciding how to represent a particular aspect of the real world. The main sources of inspiration are Jackson System Development, algebraic specification of data- and object types, and algebraic specification of processes

Geometric Universality of Currents

We discuss a non-equilibrium statistical system on a graph or network. Identical particles are injected, interact with each other, traverse, and leave the graph in a stochastic manner described in terms of Poisson rates, possibly dependent on time and instantaneous occupation numbers at the nodes of the graph. We show that under the assumption of constancy of the relative rates, the system demonstrates a profound statistical symmetry, resulting in geometric universality of the statistics of the particle currents. This phenomenon applies broadly to many man-made and natural open stochastic systems, such as queuing of packages over the internet, transport of electrons and quasi-particles in mesoscopic systems, and chains of reactions in bio-chemical networks. We illustrate the utility of our general approach using two enabling examples from the two latter disciplines.Comment: 15 pages, 5 figure