Towards a Formally Verified Security Monitor for VM-based Confidential Computing

Confidential computing is a key technology for isolating high-assurance applications from the large amounts of untrusted code typical in modern systems. Existing confidential computing systems cannot be certified for use in critical applications, like systems controlling critical infrastructure, hardware security modules, or aircraft, as they lack formal verification. This paper presents an approach to formally modeling and proving a security monitor. It introduces a canonical architecture for virtual machine (VM)-based confidential computing systems. It abstracts processor-specific components and identifies a minimal set of hardware primitives required by a trusted security monitor to enforce security guarantees. We demonstrate our methodology and proposed approach with an example from our Rust implementation of the security monitor for RISC-V

Secure Storage with Deduplication

We describe a new secure storage scheme that facilitates deduplication. The scheme is also proved secure in the universal-composability model. It is a single server scheme, and the basic scheme does not prevent against off-line dictionary attacks if the server is compromised. However, if a global secret key is shared amongst users of the organization, and this key is never stored at the server, we also get protection against off-line dictionary attacks even if the server is compromised. The UC security model for deduplication is based on an earlier work of Liu, Asokan and Pinkas, Proc. CCS 2015. The scheme obtains additional optimization by employing the XTS-AES mode of encryption in the public random permutation model. Another upshot of the analysis is that one can first MAC and then encrypt using XTS mode and attain authenticated encryption, avoiding the pitfalls cautioned against by Hugo Krawczyk, in the work ``How Secure is SSL?\u27\u27, CRYPTO 2001

Inverse planned stereotactic intensity modulated radiotherapy (IMRT) in the treatment of incompletely and completely resected adenoid cystic carcinomas of the head and neck: initial clinical results and toxicity of treatment

BACKGROUND: Presenting the initial clinical results in the treatment of complex shaped adenoid cystic carcinomas (ACC) of the head and neck region by inverse planned stereotactic IMRT. MATERIALS: 25 patients with huge ACC in different areas of the head and neck were treated. At the time of radiotherapy two patients already suffered from distant metastases. A complete resection of the tumor was possible in only 4 patients. The remaining patients were incompletely resected (R2: 20; R1: 1). 21 patients received an integrated boost IMRT (IBRT), which allow the use of different single doses for different target volumes in one fraction. All patients were treated after inverse treatment planning and stereotactic target point localization. RESULTS: The mean folllow-up was 22.8 months (91 – 1490 days). According to Kaplan Meier the three year overall survival rate was 72%. 4 patients died caused by a systemic progression of the disease. The three-year recurrence free survival was according to Kaplan Meier in this group of patients 38%. 3 patients developed an in-field recurrence and 3 patient showed a metastasis in an adjacent lymph node of the head and neck region. One patient with an in-field recurrence and a patient with the lymph node recurrence could be re-treated by radiotherapy. Both patients are now controlled. Acute side effects >Grade II did only appear so far in a small number of patients. CONCLUSION: The inverse planned stereotactic IMRT is feasible in the treatment of ACC. By using IMRT, high control rates and low side effects could by achieved. Further evaluation concerning the long term follow-up is needed. Due to the technical advantage of IMRT this treatment modality should be used if a particle therapy is not available

Comment on Qian et al. 2008: La Niña and El Niño composites of atmospheric CO2 change

It is well known that interannual extremes in the rate of change of atmospheric CO2 are strongly influenced by the occurrence of El Niño-Southern Oscillation (ENSO) events. Qian et al. presented ENSO composites of atmospheric CO2 changes. We show that their composites do not reflect the atmospheric changes that are most relevant to understanding the role of ENSO on atmospheric CO2 variability. We present here composites of atmospheric CO2 change that differ markedly from those of Qian et al., and reveal previously unreported asymmetries between the effects on the global carbon system of El Niño and La Niña events. The calendar-year timing differs; La Niña changes in atmospheric CO2 typically occur primarily over September–May, while El Niño changes occur primarily over December–August. And the net concentration change is quite different; La Niña changes are about half the size of El Niño changes. These results illustrate new aspects of the ENSO/global carbon budget interaction and provide useful global-scale benchmarks for the evaluation of Earth System Model studies of the carbon system

Should Teachers Treat Illiteracy, Hypocalligraphy, and Dysmathematica?

Generally, providers of psychosocial services now have rejected the view that interpersonal and emotional problems are best explained as analogs of disease, but rather have accepted the alternative view that they are learning phenomena. Still to be appreciated, however, is the implication of this change: that it is necessary likewise to reject the clinical treatment component of the medical model in favor of the mass teaching component of the educational model. Until this second step is taken, the providers of psychological services will continue to function deep inside the medical model and outside the educational model. This paper attempts to drive home that point by an allegory showing what might have happened had providers of intellectual services been led astray by the same sort of historical accident that led astray the providers of psychosocial services. Developments which might take place as the educational model takes firmer hold among professionals also are discussed.La plupart des gens responsables des services psychosociaux ont maintenant rejeté l'idée que les problèmes interpersonnels et émotionnels sont analogues à une maladie. Plutôt, on opte maintenant à interpréter ces problèmes comme des phénomènes d'apprentissage. Cependant, on oublie encore une conséquence de ce changement d'optique: on doit également rejeter le Iraiiement en clinique du modèle médical etopter pour l'éducation du public telle que préconisée par le modèle de l'éducation .Avant d'avoir franchi cette deuxième étape, les practiciens continueront à évoluer à l'intérieur d'un modèle médical. Cet article attire notre attention à ce point par une allégorie qui illustre ce qui se serait passé si les enseignants avaient fait fausse routecomme l'ont fait les practiciens en services psyohosociaux. Enfin, on aborde lesdéveloppements qui surgiront à mesure que les professionnels adopteront davantage un modèle apparenté à celui de l'éducation