
    LNCS

    This paper presents a foundation for refining concurrent programs with structured control flow. The verification problem is decomposed into subproblems that aid interactive program development, proof reuse, and automation. The formalization in this paper is the basis of a new design and implementation of the Civl verifier.

    SpecCert: Specifying and Verifying Hardware-based Security Enforcement

    Over time, hardware designs have constantly grown in complexity and modern platforms involve multiple interconnected hardware components. During the last decade, several vulnerability disclosures have proven that trust in hardware can be misplaced. In this article, we give a formal definition of Hardware-based Security Enforcement (HSE) mechanisms, a class of security enforcement mechanisms such that a software component relies on the underlying hardware platform to enforce a security policy. We then model a subset of an x86-based hardware platform specification and we prove the soundness of a realistic HSE mechanism within this model using Coq, a proof assistant system.

    Verifying Policy Enforcers

    Policy enforcers are sophisticated runtime components that can prevent failures by enforcing the correct behavior of the software. While a single enforcer can be easily designed focusing only on the behavior of the application that must be monitored, the effect of multiple enforcers that enforce different policies might be hard to predict. So far, mechanisms to resolve interferences between enforcers have been based on priority mechanisms and heuristics. Although these methods provide a mechanism to take decisions when multiple enforcers try to affect the execution at the same time, they do not guarantee the lack of interference on the global behavior of the system. In this paper we present a verification strategy that can be exploited to discover interferences between sets of enforcers and thus safely identify a priori the enforcers that can co-exist at run-time. In our evaluation, we experimented with our verification method on several policy enforcers for Android and discovered some incompatibilities.

    Comment: Oliviero Riganelli, Daniela Micucci, Leonardo Mariani, and Yliès Falcone. Verifying Policy Enforcers. Proceedings of the 17th International Conference on Runtime Verification (RV), 2017. (to appear)

    Streamlined Blockchains: A Simple and Elegant Approach (A Tutorial and Survey)

    A blockchain protocol (also called state machine replication) allows a set of nodes to agree on an ever-growing, linearly ordered log of transactions. The classical consensus literature suggests two approaches for constructing a blockchain protocol: 1) through composition of single-shot consensus instances, often called Byzantine Agreement; and 2) through direct construction of a blockchain where there is no clear-cut boundary between single-shot consensus instances. While conceptually simple, the former approach precludes cross-instance optimizations in a practical implementation. This perhaps explains why the latter approach has gained more traction in practice: specifically, well-known protocols such as Paxos and PBFT all follow the direct-construction approach. In this tutorial, we present a new paradigm called "streamlined blockchains" for directly constructing blockchain protocols. This paradigm enables a new family of protocols that are extremely simple and natural: every epoch, a proposer proposes a block extending from a notarized parent chain, and nodes vote if the proposal's parent chain is not too old. Whenever a block gains enough votes, it becomes notarized. Whenever a node observes a notarized chain with several blocks of consecutive epochs at the end, then the entire chain, chopping off a few blocks at the end, is final. By varying the parameters highlighted in blue, we illustrate two variants for the partially synchronous and synchronous settings respectively. We present very simple proofs of consistency and liveness. We hope that this tutorial provides a compelling argument why this new family of protocols should be used in lieu of classical candidates (e.g., PBFT, Paxos, and their variants), both in practical implementation and for pedagogical purposes.

    Racial inequities in tooth loss among older Brazilian adults: A decomposition analysis

    OBJECTIVE: To determine the extent to which racial inequities in tooth loss and functional dentition are explained by individual socioeconomic status, smoking status and frequency/reason for the use of dental services. METHODS: Data came from the Brazilian Longitudinal Study of Ageing, a nationally representative sample of community-dwelling people aged 50 years and over. Tooth loss and functional dentition (i.e. 20+ natural teeth) were the outcomes. The main explanatory variable was self-classified race. Covariates included dental visits in the past 12 months, dental visits for check-ups only, smoking status, self-reported chronic conditions, depression and cognitive function. Logistic regression and Blinder-Oaxaca decomposition analysis were used to estimate the share of each factor in race-related tooth loss inequities. RESULTS: The analytical sample comprised 7126 respondents. While the prevalence of functional dentition in White Brazilians was 37% (95% CI: 33.5;40.9), it was 29% (95% CI: 26.4;31.6) among Browns and 30% (95% CI: 25.1;35.4) among Blacks. The average numbers of lost teeth among Whites, Browns and Blacks were 18.7 (95% CI: 17.8;19.6), 20.4 (95% CI: 19.7;21.1) and 20.8 (95% CI: 19.5;22.0), respectively. Decomposition analysis showed that the selected covariates explained 71% of the racial inequalities in tooth loss. Dental visits in the previous year and smoking status explained nearly half of race-related gaps. Other factors, such as per capita income, education and cognitive status, also had an important contribution to the examined inequalities. The proportion of racial inequities in tooth loss that was explained by dental visits (frequency and reason) and smoking status decreased from 40% for those 50-59 years of age to 22% among participants aged 70-79 years. CONCLUSIONS: Frequency and reason for dental visits and smoking status explained nearly half of the racial inequity in tooth loss among Brazilian older adults. The Brazilian Family Health Strategy Program should target older adults from racial groups living in deprived areas.

    A Declarative Framework for Specifying and Enforcing Purpose-aware Policies

    Purpose is crucial for privacy protection as it makes users confident that their personal data are processed as intended. Available proposals for the specification and enforcement of purpose-aware policies are unsatisfactory because of their ambiguous semantics of purposes and/or lack of support for the run-time enforcement of policies. In this paper, we propose a declarative framework based on a first-order temporal logic that allows us to give a precise semantics to purpose-aware policies and to reuse algorithms for the design of a run-time monitor enforcing purpose-aware policies. We also show the complexity of the generation and use of the monitor which, to the best of our knowledge, is the first such result in the literature on purpose-aware policies.

    Comment: Extended version of the paper accepted at the 11th International Workshop on Security and Trust Management (STM 2015).

    Fully-automated Runtime Enforcement of Component-based Systems with Formal and Sound Recovery

    We introduce runtime enforcement of specifications on component-based systems (CBS) modeled in the BIP (Behavior, Interaction and Priority) framework. Runtime enforcement is an increasingly popular and effective dynamic validation technique aiming to ensure the correct runtime behavior (w.r.t. a formal specification) of a system using a so-called enforcement monitor. BIP is a powerful and expressive component-based framework for the formal construction of heterogeneous systems. Because of BIP's expressiveness, however, it is difficult to enforce complex behavioral properties at design-time. We first introduce a theoretical runtime enforcement framework for component-based systems where we delineate a hierarchy of enforceable properties (i.e., properties that can be enforced) according to the number of observational steps a system is allowed to deviate from the property (i.e., the notion of k-step enforceability). To ensure the observational equivalence between the correct executions of the initial system and the monitored system, we show that i) only stutter-invariant properties should be enforced on CBS with our monitors, and ii) safety properties are 1-step enforceable. Second, given an abstract enforcement monitor for some 1-step enforceable property, we define a series of formal transformations to instrument (at relevant locations) a CBS described in the BIP framework to integrate the monitor. At runtime, the monitor observes and automatically avoids any error in the behavior of the system w.r.t. the property. Third, our approach is fully implemented in RE-BIP, an available tool integrated in the BIP tool suite. Fourth, to validate our approach, we use RE-BIP to i) enforce deadlock-freedom on a dining philosophers benchmark, and ii) ensure the correct placement of robots on a map.

    Epidermolysis bullosa in Danish Hereford calves is caused by a deletion in the LAMC2 gene

    BACKGROUND: Heritable forms of epidermolysis bullosa (EB) constitute a heterogeneous group of skin disorders of genetic aetiology that are characterised by skin and mucous membrane blistering and ulceration in response to even minor trauma. Here we report the occurrence of EB in three Danish Hereford cattle from one herd. RESULTS: Two of the animals were necropsied and showed oral mucosal blistering, skin ulcerations and partial loss of horn on the claws. Lesions were histologically characterized by subepidermal blisters and ulcers. Analysis of the family tree indicated that inbreeding and the transmission of a single recessive mutation from a common ancestor could be causative. We performed whole genome sequencing of one affected calf and searched all coding DNA variants. Thereby, we detected a homozygous 2.4 kb deletion encompassing the first exon of the LAMC2 gene, encoding the laminin gamma 2 protein. This loss of function mutation completely removes the start codon of this gene and is therefore predicted to be completely disruptive. The deletion co-segregates with the EB phenotype in the family and is absent in normal cattle of various breeds. Verifying the homozygous private variants present in candidate genes allowed us to quickly identify the causative mutation and contribute to the final diagnosis of junctional EB in Hereford cattle. CONCLUSIONS: Our investigation confirms the known role of laminin gamma 2 in EB aetiology and shows the importance of whole genome sequencing in the analysis of rare diseases in livestock.

    The role of receptivity in the courtship behavior of Podocnemis erythrocephala in captivity

    The courtship behavior of Podocnemis erythrocephala (Red-headed Amazon River Turtle) in captivity was studied to examine female receptivity and male response to female rejection. We observed 20 females and 39 males in 150 sessions (3–6 h/day for a total of 450 h). In 36% of the trials, there was no interaction between males and females, and 20% of the trials resulted in copulations. All males introduced into tanks approached females, and eventually there was aggression among the males. In 48% of the experiments, females also searched for or approached males. When males initially approached females, the females either accepted the male's advances (14%), rejected the male passively (38%), or rejected the male aggressively (48%). In 86% of the cases where males were rejected, 4% attempted to approach females again, and in 51% they were ultimately successful.

    Consensus through Herding

    State Machine Replication (SMR) is an important abstraction for a set of nodes to agree on an ever-growing, linearly-ordered log of transactions. In decentralized cryptocurrency applications, we would like to design SMR protocols that 1) resist adaptive corruptions; and 2) achieve small bandwidth and small confirmation time. All past approaches towards constructing SMR fail to achieve either small confirmation time or small bandwidth under adaptive corruptions (without resorting to strong assumptions such as the erasure model or proof-of-work). We propose a novel paradigm for reaching consensus that departs significantly from classical approaches. Our protocol is inspired by a social phenomenon called herding, where people tend to make choices considered as the social norm. In our consensus protocol, leader election and voting are coalesced into a single (randomized) process: in every round, every node tries to cast a vote for what it views as the most popular item so far; such a voting attempt is not always successful, but rather, successful with a certain probability. Importantly, the probability that the node is elected to vote for $v$ is independent of the probability that it is elected to vote for $v' \neq v$. We will show how to realize such a distributed, randomized election process using appropriate, adaptively secure cryptographic building blocks. We show that, amazingly, not only can this new paradigm achieve consensus (e.g., on a batch of unconfirmed transactions in a cryptocurrency system), but it also allows us to derive the first SMR protocol which, even under adaptive corruptions, requires only polylogarithmically many rounds and polylogarithmically many honest messages to be multicast to confirm each batch of transactions; and importantly, we attain these guarantees under standard cryptographic assumptions.