Diagnose network failures via data-plane analysis
Diagnosing problems in networks is a time-consuming and error-prone process. Previous tools to assist operators primarily focus on analyzing control plane configuration. Configuration analysis is limited in that it cannot find bugs in router software, and is harder to generalize across protocols since it must model complex configuration languages and dynamic protocol behavior. This paper studies an alternate approach: diagnosing problems through static analysis of the data plane. This approach can catch bugs that are invisible at the level of configuration files, and simplifies unified analysis of a network across many protocols and implementations. We present Anteater, a tool for checking invariants in the data plane. Anteater translates high-level network invariants into boolean satisfiability problems, checks them against network state using a SAT solver, and reports counterexamples if violations have been found. Applied to a large campus network, Anteater revealed 23 bugs, including forwarding loops and stale ACL rules, with only five false positives. Nine of these faults are being fixed by campus network operators
Invariant Synthesis for Incomplete Verification Engines
We propose a framework for synthesizing inductive invariants for incomplete verification engines, which soundly reduce logical problems in undecidable theories to decidable theories. Our framework is based on the counter-example guided inductive synthesis principle (CEGIS) and allows verification engines to communicate non-provability information to guide invariant synthesis. We show precisely how the verification engine can compute such non-provability information and how to build effective learning algorithms when invariants are expressed as Boolean combinations of a fixed set of predicates. Moreover, we evaluate our framework in two verification settings, one in which verification engines need to handle quantified formulas and one in which verification engines have to reason about heap properties expressed in an expressive but undecidable separation logic. Our experiments show that our invariant synthesis framework based on non-provability information can both effectively synthesize inductive invariants and adequately strengthen contracts across a large suite of programs
Building abstractions for fast, secure, reliable computer systems
Modern computer systems play important roles in our society and everyday lives. Their performance, security and reliability are of critical importance. Real-world computer systems, however, occasionally suffer from performance degradation, security exploits, and poor reliability, because of the lack of efficient automatic analyses.
This dissertation introduces a new methodology for building efficient automatic analyses for real-world computer systems through identifying and designing proper abstractions. It demonstrates the methodology within the context of three real-world computer systems: detecting network defects at the data plane level, exploiting data parallelism in web pages, and formally verifying security invariants in operating system kernels.
This dissertation presents the design, implementation, and evaluation of the above systems, and shows that choosing the proper set of abstractions is an essential step to constructing efficient automatic analyses for real-world computer systems. Moreover, these analyses can become valuable tools to improve the performance, security and reliability of computer systems
Clinical characteristics of liver injury in SARS-CoV-2 Omicron variant- and Omicron subvariant-infected patients
Introduction and Objectives: Liver injury in severe acute respiratory syndrome coronavirus 2 (SARS-CoV-2) Omicron variant- and Omicron subvariant-infected patients is unknown at present, and the aim of this study is to summarize liver injury in these patients. Patients and Methods: In this study, 460 SARS-CoV-2-infected patients were enrolled. Five severe or critical patients were excluded, and 34 patients were also excluded because liver injury was not considered to be related to SARS-CoV-2 infection. Liver injury was compared between Omicron and non-Omicron variants- and between Omicron subvariant-infected patients; additionally, the clinical data related to liver injury were also analyzed. Results: Among the 421 patients enrolled for analysis, liver injury was detected in 76 (18.1%) patients, including 46 Omicron and 30 non-Omicron variant-infected patients. The ratios did not differ between Omicron and non-Omicron variant-, Omicron BA.1, BA.2 and BA.5 subvariant-infected patients (P>0.05). The majority of abnormal parameters of liver function tests were mildly elevated (1-3 × ULN), the most frequently elevated parameter of liver function test was γ-glutamyl transpeptidase (GGT, 9.5%, 40/421), and patients with cholangiocyte or biliary duct injury markers were higher than with hepatocellular injury markers. Multivariate analysis showed that age (>40 years old, OR=1.898, 95% CI=1.058–3.402, P=0.032), sex (male gender, OR=2.031, 95% CI=1.211–3.408, P=0.007), serum amyloid A (SAA) level (>10 mg/ml, OR=3.595, 95% CI=1.840–7.026, P<0.001) and vaccination status (No, OR=2.131, 95% CI=1.089–4.173, P=0.027) were independent factors related to liver injury. Conclusions: Liver injury does not differ between Omicron and non-Omicron variants or between Omicron subvariant-infected patients. The elevations of cholangiocyte or biliary duct injury biomarkers are dominant in SARS-CoV-2-infected patients
Verifying security invariants in ExpressOS
Security for applications running on mobile devices is important. In this paper we present ExpressOS, a new OS for enabling high-assurance applications to run on commodity mobile devices securely. Our main contributions are a new OS architecture and our use of formal methods for proving key security invariants about our implementation. In our use of formal methods, we focus solely on proving that our OS implements our security invariants correctly, rather than striving for full functional correctness, requiring significantly less verification effort while still proving the security relevant aspects of our system. We built ExpressOS, analyzed its security, and tested its performance. Our evaluation shows that the performance of ExpressOS is comparable to an Android-based system. In one test, we ran the same web browser on ExpressOS and on an Android-based system, and found that ExpressOS adds 16% overhead on average to the page load latency time for nine popular web sites