Combining Static and Dynamic Analysis for Vulnerability Detection

In this paper, we present a hybrid approach for buffer overflow detection in C code. The approach makes use of static and dynamic analysis of the application under investigation. The static part consists in calculating taint dependency sequences (TDS) between user controlled inputs and vulnerable statements. This process is akin to program slice of interest to calculate tainted data- and control-flow path which exhibits the dependence between tainted program inputs and vulnerable statements in the code. The dynamic part consists of executing the program along TDSs to trigger the vulnerability by generating suitable inputs. We use genetic algorithm to generate inputs. We propose a fitness function that approximates the program behavior (control flow) based on the frequencies of the statements along TDSs. This runtime aspect makes the approach faster and accurate. We provide experimental results on the Verisec benchmark to validate our approach.Comment: There are 15 pages with 1 figur

Runtime protection via dataflow flattening

Software running on an open architecture, such as the PC, is vulnerable to inspection and modification. Since software may process valuable or sensitive information, many defenses against data analysis and modification have been proposed. This paper complements existing work and focuses on hiding data location throughout program execution. To achieve this, we combine three techniques: (i) periodic reordering of the heap, (ii) migrating local variables from the stack to the heap and (iii) pointer scrambling. By essentialy flattening the dataflow graph of the program, the techniques serve to complicate static dataflow analysis and dynamic data tracking. Our methodology can be viewed as a data-oriented analogue of control-flow flattening techniques. Dataflow flattening is useful in practical scenarios like DRM, information-flow protection, and exploit resistance. Our prototype implementation compiles C programs into a binary for which every access to the heap is redirected through a memory management unit. Stack-based variables may be migrated to the heap, while pointer accesses and arithmetic may be scrambled and redirected. We evaluate our approach experimentally on the SPEC CPU2006 benchmark suit

Acoustic, thermal and flow processes in a water filled nanoporous glasses by time-resolved optical spectroscopy

We present heterodyne detected transient grating measurements on water filled Vycor 7930 in the range of temperature 20 - 90 degrees C. This experimental investigation enables to measure the acoustic propagation, the average density variation due the liquid flow and the thermal diffusion in this water filled nano-porous material. The data have been analyzed with the model of Pecker and Deresiewicz which is an extension of Biot model to account for the thermal effects. In the whole temperature range the data are qualitatively described by this hydrodynamic model that enables a meaningful insight of the different dynamic phenomena. The data analysis proves that the signal in the intermediate and long time-scale can be mainly addressed to the water dynamics inside the pores. We proved the existence of a peculiar interplay between the mass and the heat transport that produces a flow and back-flow process inside the nano-pores. During this process the solid and liquid dynamics have opposite phase as predicted by the Biot theory for the slow diffusive wave. Nevertheless, our experimental results confirm that transport of elastic energy (i.e. acoustic propagation), heat (i.e. thermal diffusion) and mass (i.e. liquid flow) in a liquid filled porous glass can be described according to hydrodynamic laws in spite of nanometric dimension of the pores. The data fitting, based on the hydrodynamic model, enables the extraction of several parameters of the water-Vycor system, even if some discrepancies appear when they are compared with values reported in the literature.Comment: 32 pages, 11 figure

A Model of a Turbulent Boundary Layer With a Non-Zero Pressure Gradient

According to a model of the turbulent boundary layer proposed by the authors, in the absence of external turbulence the intermediate region between the viscous sublayer and the external flow consists of two sharply separated self-similar structures. The velocity distribution in these structures is described by two different scaling laws. The mean velocity u in the region adjacent to the viscous sublayer is described by the previously obtained Reynolds-number-dependent scaling law $\phi = u/u_*=A\eta^{\alpha}$, $A=\frac{1}{\sqrt{3}} \ln Re_{\Lambda}+ \frac 52$, $\alpha=\frac{3}{2\ln Re_{\Lambda}}$, $\eta = u_* y/\nu$. (Here $u_*$ is the dynamic or friction velocity, y is the distance from the wall, $\nu$ the kinematic viscosity of the fluid, and the Reynolds number $Re_{\Lambda}$ is well defined by the data) In the region adjacent to the external flow the scaling law is different: $\phi= B\eta^{\beta}$. The power $\beta$ for zero-pressure-gradient boundary layers was found by processing various experimental data and is close (with some scatter) to 0.2. We show here that for non-zero-pressure-gradient boundary layers, the power $\beta$ is larger than 0.2 in the case of adverse pressure gradient and less than 0.2 for favourable pressure gradient. Similarity analysis suggests that both the coefficient B and the power $\beta$ depend on $Re_{\Lambda}$ and on a new dimensionless parameter P proportional to the pressure gradient. Recent experimental data of Perry, Maru\v{s}i\'c and Jones (1)-(4) were analyzed and the results are in agreement with the model we propose.Comment: 10 pages, 9 figure

Concurrent Program Verification with Invariant-Guided Underapproximation

Automatic verification of concurrent programs written in low-level languages like ANSI-C is an important task as multi-core architectures are gaining widespread adoption. Formal verification, although very valuable for this domain, rapidly runs into the state-explosion problem due to multiple thread interleavings. Recently, Bounded Model Checking (BMC) has been used for this purpose, which does not scale in practice. In this work, we develop a method to further constrain the search space for BMC techniques using underapproximations of data flow of shared memory and lazy demand-driven refinement of the approximation. A novel contribution of our method is that our underapproximation is guided by likely data-flow invariants mined from dynamic analysis and our refinement is based on proof-based learning. We have implemented our method in a prototype tool. Initial experiments on benchmark examples show potential performance benefit

Myocardial blood flow quantification by Rb-82 cardiac PET/CT: A detailed reproducibility study between two semi-automatic analysis programs.

Several analysis software packages for myocardial blood flow (MBF) quantification from cardiac PET studies exist, but they have not been compared using concordance analysis, which can characterize precision and bias separately. Reproducible measurements are needed for quantification to fully develop its clinical potential. Fifty-one patients underwent dynamic Rb-82 PET at rest and during adenosine stress. Data were processed with PMOD and FlowQuant (Lortie model). MBF and myocardial flow reserve (MFR) polar maps were quantified and analyzed using a 17-segment model. Comparisons used Pearson's correlation ρ (measuring precision), Bland and Altman limit-of-agreement and Lin's concordance correlation ρc = ρ·C b (C b measuring systematic bias). Lin's concordance and Pearson's correlation values were very similar, suggesting no systematic bias between software packages with an excellent precision ρ for MBF (ρ = 0.97, ρc = 0.96, C b = 0.99) and good precision for MFR (ρ = 0.83, ρc = 0.76, C b = 0.92). On a per-segment basis, no mean bias was observed on Bland-Altman plots, although PMOD provided slightly higher values than FlowQuant at higher MBF and MFR values (P < .0001). Concordance between software packages was excellent for MBF and MFR, despite higher values by PMOD at higher MBF values. Both software packages can be used interchangeably for quantification in daily practice of Rb-82 cardiac PET

Thermal decomposition kinetics of sodium carboxymethyl cellulose: Model-free methods

Thermal analysis techniques such as thermogravimetric analysis (TGA) have been widely used because they provide rapid quantitative determination of various processes under isothermal or non-isothermal conditions. It allows the estimation of effective kinetic and thermodynamic parameters for various decomposition and thermal reactions. In this article, thermal degradation of sodium carboxymethyl cellulose (SMC) is investigated by means of dynamic thermogravimetric/derivative thermogravimetry (TG/DTG) in helium atmosphere with the flow rate 100 mL/min at the heating rate of 10-30 °C/min until the furnace wall temperature reached 700 °C. The non-isothermal degradation of SMC found to be taking place occurred major one step and minor two steps. Using a non-isothermal kinetic method based on a TGA data, kinetic parameters (Eand ln A) are calculated by Kissinger-Akahira-Sunose (KAS), Flynn-Wall-Ozawa (FWO) and Friedman methods. The results of studied polymer demonstrated that E and ln A is varied with function of conversion (α), which is in good agreement with literature data

Dynamic water allocation policies improve the global efficiency of storage systems

Water impoundment by dams strongly affects the river natural flow regime, its attributes and the related ecosystem biodiversity. Fostering the sustainability of water uses e.g., hydropower systems thus implies searching for innovative operational policies able to generate Dynamic Environmental Flows (DEF) that mimic natural flow variability. The objective of this study is to propose a Direct Policy Search (DPS) framework based on defining dynamic flow release rules to improve the global efficiency of storage systems. The water allocation policies proposed for dammed systems are an extension of previously developed flow redistribution rules for small hydropower plants by Razurel et al. (2016). The mathematical form of the Fermi-Dirac statistical distribution applied to lake equations for the stored water in the dam is used to formulate non-proportional redistribution rules that partition the flow for energy production and environmental use. While energy production is computed from technical data, riverine ecological benefits associated with DEF are computed by integrating the Weighted Usable Area (WUA) for fishes with Richter's hydrological indicators. Then, multiobjective evolutionary algorithms (MOEAs) are applied to build ecological versus economic efficiency plot and locate its (Pareto) frontier. This study benchmarks two MOEAs (NSGA II and Borg MOEA) and compares their efficiency in terms of the quality of Pareto's frontier and computational cost. A detailed analysis of dam characteristics is performed to examine their impact on the global system efficiency and choice of the best redistribution rule. Finally, it is found that non-proportional flow releases can statistically improve the global efficiency, specifically the ecological one, of the hydropower system when compared to constant minimal flows. (C) 2017 Elsevier Ltd. All rights reserved

Chemical-biochemical process and ventilation study of the change in gaseous pollutants in ventilated swine buildings

The chemical analysis consists of sampling ammonia, methane, hydrogen sulfide, and carbon dioxide by Gas Chromatography/Mass Spectrometry (GC/MS). The results of the chemical-biochemical control experiment show that: (1) the chemical-bacteria additives slightly reduced the methane and carbon dioxide release, while the same additives did not show any effect on the reduction of ammonia; (2) the hydrogen sulfide contents of the swine manure continued to be low. Methane, ammonia, and carbon dioxide levels generated from stored swing manure were 3.76 and 2.2 ppm of methane, 0.35 and 0.11 ppm of ammonia, and 1000 and 470 ppm of carbon dioxide for treated and untreated manure, respectively;An emission model based on the two-film resistance theory is presented. Based on the model, the gases liquid phase resistance appears to control are nitrogen, oxygen, carbon dioxide, hydrogen sulfide, and methane, while ammonia is controlled by gas phase resistance. The average emission rate of methane, ammonia, and carbon dioxide at 15°C are 0.02, 1.52, and 0.50 g/min for untreated samples, and 0.04, 3.91, and 1.06 g/min for treated samples, respectively;A multiple airflow regions model is presented from the standpoint of the matrix method for dynamic system analysis. The model includes the local flow rate and internal mean-age of polluted air. The starting point in the model formulation is the flow matrix Q, consisting of the total flow rate between each airspace. At last, the local flow rates are also contained in the inverse flow matrix, Q[superscript](-1). The model calculation is in 3-D lumped form of control volumes representing conservation of airflow rate. The model shows that gaseous pollutant distribution is similar to the measured data from the research literature and field chamber test. The results also indicated that the mean-holding time, local mean-age, local flow-rate, and entrainment ratio of airflow can describe the dynamic behavior of gaseous pollutants in ventilated airspaces

Experimental and computational approach to the transient behaviour of wall-flow diesel particulate filters

[EN] The implementation of tight vehicle emission standards has forced manufactures to use aftertreatment systems extensively. In addition to pollutant emissions abatement, these devices have a noticeable impact on the wave pattern. This fact affects the muffler design criteria. All monolithic aftertreatment devices produces a damping effect because of the honeycomb structure and the narrow channels. However, this response is more marked in wall-flow diesel particulate filters (DPF) because of the alternatively plugged ends and the dissipative properties of the porous substrate. The main goal of this paper is to assess the transient fluid-dynamic behaviour of wall-flow DPFs using experimental and modelling techniques. The experimental data were gathered in clean and loaded conditions. The DPF was subjected to a variety of pressure excitations to characterise its transient behaviour in the time and frequency domains. Afterwards, the DPF response was evaluated under engine-like operating conditions in an unsteady flow gas stand. Once the main characteristics of the response were known, a non-linear gas-dynamics model was proposed for analysis and prediction. The model accounts for space and time gradients, combining the thermo-and fluid-dynamic solution with a model based on a packed bed of spherical particles that defines the meso-structure of the loaded substrate. (C) 2016 Elsevier Ltd. All rights reserved.This work has been partially supported by the Spanish Ministerio de Economia y Competitividad through Grant No. TRA2013-40853-R.Torregrosa, AJ.; Serrano, J.; Piqueras, P.; García Afonso, Ó. (2017). Experimental and computational approach to the transient behaviour of wall-flow diesel particulate filters. Energy. 119:887-900. https://doi.org/10.1016/j.energy.2016.11.051S88790011