Long-Term and Inter-annual Mass Changes in the Iceland Ice Cap Determined From GRACE Gravity Using Slepian Functions
The Gravity Recovery and Climate Experiment (GRACE) satellites have measured anomalies in the Earth's time-variable gravity field since 2002, allowing for the measurement of the melting of glaciers due to climate change. Many techniques used with GRACE data have difficulty constraining mass change in small regions, such as Iceland, often requiring broad averaging functions in order to capture trends. These techniques also capture data from nearby regions, causing signal leakage. Alternatively, Slepian functions may solve this problem by optimally concentrating data both in the spatial domain (e.g., Iceland) and spectral domain (i.e., the bandwidth of the data). We use synthetic experiments to show that Slepian functions can capture trends over Iceland without meaningful leakage and influence from ice changes in Greenland. We estimate a mass change over Iceland from GRACE data of approximately -9.3 ± 1.0 Gt/yr between March 2002 and November 2016, with an acceleration of 1.1 ± 0.5 Gt/yr².
Funding: NASA Space Grant Internship at the University of Arizona; TRIFF-WEES program at the University of Arizona.
Open access journal.
Formal Model-Driven Analysis of Resilience of GossipSub to Attacks from Misbehaving Peers
GossipSub is a new peer-to-peer communication protocol designed to counter
attacks from misbehaving peers by carefully controlling what information is
disseminated and to whom, via a score function computed by each peer that
captures positive and negative behaviors of its neighbors. The score function
depends on several parameters (weights, caps, thresholds, etc.) that can be
configured by applications using GossipSub. The specification for GossipSub is
written in English and its resilience to attacks from misbehaving peers is
supported empirically by emulation testing using an implementation in Golang.
In this work we take a foundational approach to understanding the resilience
of GossipSub to attacks from misbehaving peers. We build the first formal model
of GossipSub, using the ACL2s theorem prover. Our model is officially endorsed
by GossipSub developers. It can simulate GossipSub networks of arbitrary size
and topology, with arbitrarily configured peers, and can be used to prove and
disprove theorems about the protocol. We formalize fundamental security
properties stating that the score function is fair, penalizes bad behavior and
rewards good behavior. We prove that the score function is always fair, but can
be configured in ways that either penalize good behavior or ignore bad
behavior. Using our model, we run GossipSub with the specific configurations
for two popular real-world applications: the FileCoin and Eth2.0 blockchains.
We show that all properties hold for FileCoin. However, given any Eth2.0
network (of any topology and size) with any number of potentially misbehaving
peers, we can synthesize attacks where these peers are able to continuously
misbehave by never forwarding topic messages, while maintaining positive scores
so that they are never pruned from the network by GossipSub.
Comment: In revie
Verification of GossipSub in ACL2s
GossipSub is a popular new peer-to-peer network protocol designed to
disseminate messages quickly and efficiently by allowing peers to forward the
full content of messages only to a dynamically selected subset of their
neighboring peers (mesh neighbors) while gossiping about messages they have
seen with the rest. Peers decide which of their neighbors to graft or prune
from their mesh locally and periodically using a score for each neighbor.
Scores are calculated using a score function that depends on mesh-specific
parameters, weights and counters relating to a peer's performance in the
network. Since a GossipSub network's performance ultimately depends on the
performance of its peers, an important question arises: Is the score
calculation mechanism effective in weeding out non-performing or even
intentionally misbehaving peers from meshes? We answered this question in the
negative in our companion paper by reasoning about GossipSub using our formal,
official and executable ACL2s model. Based on our findings, we synthesized and
simulated attacks against GossipSub which were confirmed by the developers of
GossipSub, FileCoin, and Eth2.0, and publicly disclosed in MITRE
CVE-2022-47547. In this paper, we present a detailed description of our model.
We discuss design decisions, security properties of GossipSub, reasoning about
the security properties in the context of our model, attack generation and lessons
we learnt when writing it.
Comment: In Proceedings ACL2-2023, arXiv:2311.0837
A Formal Analysis of SCTP: Attack Synthesis and Patch Verification
SCTP is a transport protocol offering features such as multi-homing,
multi-streaming, and message-oriented delivery. Its two main implementations
were subjected to conformance tests using the PacketDrill tool. Conformance
testing is not exhaustive and a recent vulnerability (CVE-2021-3772) showed
SCTP is not immune to attacks. Changes addressing the vulnerability were
implemented, but the question remains whether other flaws might persist in the
protocol design.
We study the security of the SCTP design, taking a rigorous approach rooted
in formal methods. We create a formal Promela model of SCTP, and define 10
properties capturing the essential protocol functionality based on its RFC
specification and consultation with the lead RFC author. Then we show using the
Spin model checker that our model satisfies these properties. We define 4
attacker models - Off-Path, where the attacker is an outsider that can spoof
the port and IP of a peer; Evil-Server, where the attacker is a malicious peer;
Replay, where an attacker can capture and replay, but not modify, packets; and
On-Path, where the attacker controls the channel between peers. We modify an
attack synthesis tool designed for transport protocols, Korg, to support our
SCTP model and four attacker models.
We synthesize 14 unique attacks using the attacker models - including the CVE
vulnerability in the Off-Path attacker model, 4 attacks in the Evil-Server
attacker model, an opportunistic ABORT attack in the Replay attacker model, and
eight connection manipulation attacks in the On-Path attacker model. We show
that the proposed patch eliminates the vulnerability and does not introduce new
ones according to our model and protocol properties. Finally, we identify and
analyze an ambiguity in the RFC, which we show can be interpreted insecurely.
We propose an erratum and show that it eliminates the ambiguity.
A Case Study in Analytic Protocol Analysis in ACL2
When verifying computer systems we sometimes want to study their asymptotic
behaviors, i.e., how they behave in the long run. In such cases, we need real
analysis, the area of mathematics that deals with limits and the foundations of
calculus. In a prior work, we used real analysis in ACL2s to study the
asymptotic behavior of the RTO computation, commonly used in congestion control
algorithms across the Internet. One key component in our RTO computation
analysis was proving in ACL2s that for all alpha in [0, 1), the limit as n
approaches infinity of alpha raised to n is zero. Whereas the most obvious
proof strategy involves the logarithm, whose codomain includes irrationals, by
default ACL2 only supports rationals, which forced us to take a non-standard
approach. In this paper, we explore different approaches to proving the above
result in ACL2(r) and ACL2s, from the perspective of a relatively new user to
each. We also contextualize the theorem by showing how it allowed us to prove
important asymptotic properties of the RTO computation. Finally, we discuss
tradeoffs between the various proof strategies and directions for future
research.
Comment: In Proceedings ACL2-2023, arXiv:2311.0837
Making the invisible visible: Informal Innovation in South Africa
This research is the first statistical representation of informal innovation in South Africa. It uses methodology comparable to that used in high-income countries such as the US, UK, Russia, China and South Korea. While data collection methods are comparable, the higher rate of informal businesses in South Africa makes this research novel, in that it helps us understand informal economy innovation, and also cautions against direct comparisons, especially those related to the rate of commercialization among innovations.
Uphold the nuclear weapons test moratorium
The Trump administration is considering renewing nuclear weapons testing (1), a move that could increase the risk of another nuclear arms race as well as an inadvertent or intentional nuclear war. Following in the long tradition of scientists opposing nuclear weapons due to their harmful effects on both humanity and the planet (2), we ask the U.S. government to desist from plans to conduct nuclear tests.
During the Cold War, the United States conducted 1030 nuclear weapons tests, more than all other nuclear-armed nations combined (3). In 1996, the United States signed the Comprehensive Nuclear Test Ban Treaty (CTBT), agreeing not to conduct a nuclear weapons test of any yield (4). The United States has not yet ratified the CTBT but did spearhead the 2016 adoption of UN Security Council Resolution 2310, which calls upon all countries to uphold the object and purpose of the CTBT by not conducting nuclear tests (5).
Eight of the nine nuclear-armed states, including the five permanent members of the UN Security Council, have observed a moratorium on nuclear testing since 1998 (3, 4). The ninth, North Korea, responding to international pressure, stopped testing warhead detonations (as opposed to missile flights) in 2017 (6). If the United States ratified the CTBT, joining the 168 countries who have already done so (4), there is a good chance that the other holdout countries would ratify the treaty as well (7).