Set-related restrictions for semantic groupings

Semantic database models utilize several fundamental forms of groupings to increase their expressive power. In this paper we consider four of the most common of these constructs; basic set groupings, is-a related groupings, power set groupings, and Cartesian aggregation groupings. For each, we define a number of useful restrictions that control its structure and composition. This permits each grouping to capture more subtle distinctions of the concepts or situations in the application environment. The resulting set of restrictions forms a framework which increases the expressive power of semantic models and specifies various set-related integrity constraints

Software Side-Channel Analysis

Software side-channel attacks are able to recover confidential information by observing non-functional computation characteristics of program execution such as elapsed time, amount of allocated memory, or network packet size. The ability to automatically determine the amount of information that a malicious user can gain through side-channel observations allows one to quantitatively assess the security of an application. Since most software that accesses confidential information leaks some amount of information through side channels, it is important to quantify the amount of leakage in order to detect vulnerabilities. In addition, one can prove that a program is vulnerable to side-channel attacks by synthesizing attacks that recover confidential information. In this dissertation, I provide methods for (1) quantifying side-channel vulnerabilities and (2) synthesizing adaptive side-channel attack steps. My approaches advance the state-of-the-art in automatic software side-channel analysis which I summarize as follows. I make use of symbolic execution to extract program constraints that characterize the relationship between secret information, the inputs of a malicious user, and observable program behaviors. By applying model counting constraint solving to these constraints, I compute probabilistic relationships among secrets, attacker inputs, and attacker side-channel observations. These probabilities are used to quantify information leakage for a program by applying methods from the field of quantitative information flow. Moreover, by automatically generating a symbolic expression that quantifies information leakage, I am able to perform numeric maximization over attacker inputs to synthesize optimal attack steps. The sequence of attack steps serves as a proof of exploitability. I give two different automatic attack synthesis techniques: a fully static approach and an online dynamic approach that constructs an attack that takes into account system noise and is able to execute the attack through the network. I demonstrate the effectiveness of my approaches on a set of experimental benchmarks

Solitonic Brane Inflation

We present a new type of brane inflation motivated by multi-kink solitonic solutions of a scalar field in five dimensions. In the thin brane limit, we analyze a non-static configuration in which the distance between two parallel domain walls decreases. We show that the ensuing spacetime is inflationary, both on the branes, and, for certain potentials, in the bulk. We argue that this inflationary regime is transitory and can end via a brane merger into a single kink solution - a flat, thick brane RS2 universe. This scenario is quite general; we show that any potential which supports a single flat kink solution is also likely to support an inflationary multi-kink configuration.Comment: 15 pages, 3 figures; v.2: journal versio

Automata-based Model Counting String Constraint Solver for Vulnerability Analysis

Most common vulnerabilities in modern software applications are due to errors in string manipulation code. String constraint solvers are essential components of program analysis techniques for detecting and repairing vulnerabilities that are due to string manipulation errors. In this dissertation, we present an automata-based string constraint solver for vulnerability analysis of string manipulating programs.Given a string constraint, we generate an automaton that accepts all solutions that satisfy the constraint. Our string constraint solver can also map linear arithmetic constraints to automata in order to handle constraints on string lengths. By integrating our string constraint solver to a symbolic execution tool, we can check for string manipulation errors in programs. Recently, quantitative and probabilistic program analyses techniques have been proposed which require counting the number of solutions to string constraints. We extend our string constraint solver with model counting capability based on the observation that, using an automata-based constraint representation, model counting reduces to path counting, which can be solved precisely. Our approach is parameterized in the sense that, we do notassume a finite domain size during automata construction, resulting in a potentially infinite set of solutions, and our model counting approach works for arbitrarily large bounds.We have implemented our approach in a tool called ABC (Automata-Based model Counter) using a constraint language that is compatible with the SMTLIB language specification used by satifiabilty-modula-theories solvers. This SMTLIB interface facilitates integration of our constraint solver with existing symbolic execution tools. We demonstrate the effectiveness of ABC on a large set of string constraints extracted from real-world web applications.We also present automata-based testing techniques for string manipulating programs. A vulnerability signature is a characterization of all user inputs that can be used to exploit a vulnerability. Automata-based static string analysis techniques allow automated computation of vulnerability signatures represented as automata. Given a vulnerability signature represented as an automaton, we present algorithms for test case generation based on state, transition, and path coverage. These automaticallygenerated test cases can be used to test applications that are not analyzable statically, and to discover attack strings that demonstrate how the vulnerabilities can be exploited. We experimentally comparedifferent coverage criteria and demonstrate the effectiveness of our test generation approach

TIMP: An R package for modeling multi-way spectroscopic measurements

TIMP is an R package for modeling multiway spectroscopic measurements. The package allows for the simultaneous analysis of datasets collected under different experimental conditions in terms of a wide variety of parametric models. Models arising in spectroscopy data analysis often have some parameters that are intrinstically nonlinear, and some parameters that are conditionally linear on estimates of the nonlinear parameters. TIMP fits such separable nonlinear models using partitioned variable projection, a variant of the variable projection algorithm that is described here for the first time. The of the partitioned variable projection algorithm allows fitting many models for spectroscopy datasets using much less memory as compared to under the standard variable projection algorithm that is implemented in nonlinear optimization routines (e.g., the plinear option of the R function nls), as is shown here. An overview of modeling with TIMP is also given that includes several case studies in the application of the package