57 research outputs found
Practical Fine-grained Privilege Separation in Multithreaded Applications
An inherent security limitation with the classic multithreaded programming
model is that all the threads share the same address space and, therefore, are
implicitly assumed to be mutually trusted. This assumption, however, does not
take into consideration many modern multithreaded applications that involve
multiple principals which do not fully trust each other. It remains challenging
to retrofit the classic multithreaded programming model so that the security
and privilege separation in multi-principal applications can be resolved.
This paper proposes ARBITER, a run-time system and a set of security
primitives, aimed at fine-grained and data-centric privilege separation in
multithreaded applications. While enforcing effective isolation among
principals, ARBITER still allows flexible sharing and communication between
threads so that the multithreaded programming paradigm can be preserved. To
realize controlled sharing in a fine-grained manner, we created a novel
abstraction named ARBITER Secure Memory Segment (ASMS) and corresponding OS
support. Programmers express security policies by labeling data and principals
via ARBITER's API following a unified model. We ported a widely-used, in-memory
database application (memcached) to the ARBITER system, changing only around 100
LOC. Experiments indicate that only an average runtime overhead of 5.6% is
induced to this security-enhanced version of the application.
A prototype and demonstrator of Akogrimo’s architecture: An approach of merging grids, SOA, and the mobile Internet
The trend of merging telecommunication infrastructures with traditional Information Technology (IT) infrastructures is ongoing and important for commercial service providers. The driver behind this development is, on one hand, the strong need for enhanced services and, on the other hand, the need of telecommunication operators aiming at value-added service provisioning to a wide variety of customers. In the telecommunications sector, the IP Multimedia Subsystem (IMS) is a promising service platform, which may become a "standard" for supporting added-value services on top of the next generation network infrastructure. However, since its range of applicability is bound to SIP-enabled services, IMS extensions are being proposed by "SIPifying" applications. In parallel to these developments within the traditional IT sector, the notion of Virtual Organizations (VO) enabling collaborative businesses across organizational boundaries is addressed in the framework of Web Services (WS) standards implementing a Service-oriented Architecture (SOA). Here, concepts for controlled resource and service sharing based on WS and Semantic Technologies have been consolidated. Since the telecommunications sector has become, in the meantime, "mobile", all concepts brought into this infrastructure must cope with the dynamics mobility brings in. Therefore, within the Akogrimo project the VO concept has been extended towards a Mobile Dynamic Virtual Organization (MDVO) concept, additionally considering key requirements of mobile users and resources. Special attention is given to ensure the duality of the merge of both SOA and IMS approaches to holistically support SOA-enabled mobile added-value services and their users.
This work describes major results of the Akogrimo project, paying special attention to the overall Akogrimo architecture, the prototype implemented, and the key scenario in which the instantiated Akogrimo architecture shows a very clear picture of applicability, use, and an additional functional evaluation.
300 faces in-the-wild challenge: database and results
Computer Vision has recently witnessed great research advance towards automatic facial points detection. Numerous methodologies have been proposed during the last few years that achieve accurate and efficient performance. However, fair comparison between these methodologies is infeasible mainly due to two issues. (a) Most existing databases, captured under both constrained and unconstrained (in-the-wild) conditions have been annotated using different mark-ups and, in most cases, the accuracy of the annotations is low. (b) Most published works report experimental results using different training/testing sets, different error metrics and, of course, landmark points with semantically different locations. In this paper, we aim to overcome the aforementioned problems by (a) proposing a semi-automatic annotation technique that was employed to re-annotate most existing facial databases under a unified protocol, and (b) presenting the 300 Faces In-The-Wild Challenge (300-W), the first facial landmark localization challenge that was organized twice, in 2013 and 2015. To the best of our knowledge, this is the first effort towards a unified annotation scheme of massive databases and a fair experimental comparison of existing facial landmark localization systems. The images and annotations of the new testing database that was used in the 300-W challenge are available from http://ibug.doc.ic.ac.uk/resources/facial-point-annotations