190 research outputs found

    Assessment of Source Code Obfuscation Techniques

    Obfuscation techniques are a general category of software protections widely adopted to prevent malicious tampering of the code by making applications more difficult to understand and thus harder to modify. Obfuscation techniques are divided in code and data obfuscation, depending on the protected asset. While preliminary empirical studies have been conducted to determine the impact of code obfuscation, our work aims at assessing the effectiveness and efficiency in preventing attacks of a specific data obfuscation technique - VarMerge. We conducted an experiment with student participants performing two attack tasks on clear and obfuscated versions of two applications written in C. The experiment showed a significant effect of data obfuscation on both the time required to complete and the successful attack efficiency. An application with VarMerge reduces by six times the number of successful attacks per unit of time. This outcome provides a practical clue that can be used when applying software protections based on data obfuscation. Comment: Post-print, SCAM 201

    EtherSolve: Computing an Accurate Control-Flow Graph from Ethereum Bytecode

    Motivated by the immutable nature of Ethereum smart contracts and of their transactions, quite many approaches have been proposed to detect defects and security problems before smart contracts become persistent in the blockchain and they are granted control on substantial financial value. Because smart contracts source code might not be available, static analysis approaches mostly face the challenge of analysing compiled Ethereum bytecode, that is available directly from the official blockchain. However, due to the intrinsic complexity of Ethereum bytecode (especially in jump resolution), static analysis encounters significant obstacles that reduce the accuracy of existing automated tools. This paper presents a novel static analysis algorithm based on the symbolic execution of the Ethereum operand stack that allows us to resolve jumps in Ethereum bytecode and to construct an accurate control-flow graph (CFG) of the compiled smart contracts. EtherSolve is a prototype implementation of our approach. Experimental results on a significant set of real world Ethereum smart contracts show that EtherSolve improves the accuracy of the extracted CFGs with respect to the state of the art available approaches. Many static analysis techniques are based on the CFG representation of the code and would therefore benefit from the accurate extraction of the CFG. For example, we implemented a simple extension of EtherSolve that allows to detect instances of the re-entrancy vulnerability

    Facing complications of direct anterior approach in total hip arthroplasty during the learning curve

    This study aims to evaluate complications and early postoperative clinical outcomes of direct anterior approach (DAA) in total hip arthroplasty (THA)

    A constitutive active MAPK/ERK pathway due to BRAFV600E positively regulates AHR pathway in PTC

    The aryl hydrocarbon receptor (AHR) is a ligand-activated transcription factor mediating the toxicity and tumor-promoting properties of dioxin. AHR has been reported to be overexpressed and constitutively active in a variety of solid tumors, but few data are currently available concerning its role in thyroid cancer. In this study we quantitatively explored a series of 51 paired-normal and papillary thyroid carcinoma (PTC) tissues for AHR-related genes. We identified an increased AHR expression/activity in PTC, independently from its nuclear dimerization partner and repressor but strictly related to a constitutive active MAPK/ERK pathway. The AHR up-regulation followed by an increased expression of AHR target genes was confirmed by a meta-analysis of published microarray data, suggesting a ligand-independent active AHR pathway in PTC. In-vitro studies using a PTC-derived cell line (BCPAP) and HEK293 cells showed that BRAF(V600E) may directly modulate AHR localization, induce AHR expression and activity in an exogenous ligand-independent manner. The AHR pathway might represent a potential novel therapeutic target for PTC in the clinical practice

    The Effectiveness of Source Code Obfuscation: an Experimental Assessment

    Source code obfuscation is a protection mechanism widely used to limit the possibility of malicious reverse engineering or attack activities on a software system. Although several code obfuscation techniques and tools are available, little knowledge is available about the capability of obfuscation to reduce attackers’ efficiency, and the contexts in which such an efficiency may vary. This paper reports the outcome of two controlled experiments meant to measure the ability of subjects to understand and modify decompiled, obfuscated Java code, compared to decompiled, clear code. Results quantify to what extent code obfuscation is able to make attacks more difficult to be performed, and reveal that obfuscation can mitigate the effect of factors that can alter the likelihood of a successful attack, such as the attackers’ skill and experience, or the intrinsic characteristics of the system under attack

    How Professional Hackers Understand Protected Code while Performing Attack Tasks

    Code protections aim at blocking (or at least delaying) reverse engineering and tampering attacks to critical assets within programs. Knowing the way hackers understand protected code and perform attacks is important to achieve a stronger protection of the software assets, based on realistic assumptions about the hackers’ behaviour. However, building such knowledge is difficult because hackers can hardly be involved in controlled experiments and empirical studies. The FP7 European project Aspire has given the authors of this paper the unique opportunity to have access to the professional penetration testers employed by the three industrial partners. In particular, we have been able to perform a qualitative analysis of three reports of professional penetration test performed on protected industrial code. Our qualitative analysis of the reports consists of open coding, carried out by 7 annotators and resulting in 459 annotations, followed by concept extraction and model inference. We identified the main activities: understanding, building attack, choosing and customizing tools, and working around or defeating protections. We built a model of how such activities take place. We used such models to identify a set of research directions for the creation of stronger code protections

    Investigating the relation between self-assessment and patients' assessments of physicians-in-training empathy: a multicentric, observational, cross-sectional study in three teaching hospitals in Brazil

    Objectives This study investigated the associations between self-assessed empathy levels by physicians in training and empathy levels as perceived by their patients after clinical encounters. The authors also examined whether patient assessments were valid and reliable tools to measure empathy in physicians in training. Design A multicentric, observational, cross-sectional study. Setting This study was conducted in three public teaching hospitals in Brazil. Participants From the 668 patients invited to participate in this research, 566 (84.7%) agreed. Of these, 238 (42%) were male and 328 (58%) were female. From the invited 112 physicians in training, 86 (76.8%) agreed. Of the 86 physicians in training, 35 (41%) were final-year medical students and 51 (59%) were residents from clinical and surgical specialties. The gender distribution was 39 (45%) males and 47 (51%) females. Primary and secondary outcome measures Physicians in training filled the Jefferson Scale of Physician Empathy (JSE) and the Interpersonal Reactivity Index. Patients answered the Jefferson Scale of Patient’s Perceptions of Physician Empathy (JSPPPE) and the Consultation and Relational Empathy Scale (CARE). Results This study found non-significant correlations between patient and physicians-in-training self-assessments, except for a weak correlation (0.241, p<0.01) between the JSPPPE score and the JSE compassionate care subscore. CARE and JSPPPE scales proved to be valid and reliable instruments. Conclusions Physicians-in-training self-assessments of empathy differ from patient assessments. Knowledge about empathy derived from self-assessment studies probably does not capture the perspective of the patients, who are key stakeholders in patient-centred care. Future research on the development of physician empathy or on outcomes of educational interventions to foster empathy should include patient perspectives. Fundação de Amparo à Pesquisa do Estado de São Paulo - FAPESP' (grant number: 2016/11908-1) and by the ’Conselho Nacional de Desenvolvimento Científico e Tecnológico - CNPq' (grant number: 202319/2017-2

    Twenty-year trend in mortality among hospitalized patients with pneumococcal community-acquired pneumonia

    Background There is only limited information on mortality over extended periods in hospitalized patients with pneumococcal community-acquired pneumonia (CAP). We aimed to evaluate the 30-day mortality and whether it changed over a 20-year period among immunocompetent adults hospitalized with pneumococcal CAP. Methods We conducted a retrospective observational study of data that were prospectively collected at the Hospital Clinic of Barcelona of all adult patients hospitalized with diagnosis of pneumococcal CAP over a 20-year period. To aid analysis, results were divided into four periods of 5 years each (1997-2001, 2002-2006, 2007-2011, 2012-2016). The primary outcome was 30-day mortality, but secondary outcomes included intensive care unit (ICU) admission, lengths of hospital and ICU-stays, ICU-mortality, and need of mechanical ventilation. Results From a cohort of 6,403 patients with CAP, we analyzed the data for 1,120 (17%) adults with a diagnosis of pneumococcal CAP. Over time, we observed decreases in the rates of alcohol consumption, smoking, influenza vaccination, and older patients (age ≥65 years), but increases in admissions to ICU and the need for non-invasive mechanical ventilation. The overall 30-day mortality rate was 8% (95% confidence interval, 6%-9%; 84 of 1,120 patients) and did not change significantly between periods (p = 0.33). Although we observed a decrease in ICU-mortality comparing the first period (26%) to the second one (10%), statistical differences disappeared with adjustment (p0.38). Conclusion Over time, 30-day mortality of hospitalized pneumococcal CAP did not change significantly. Nor did it change in the propensity-adjusted multivariable analysis. Since mortality in pneumococcal pneumonia has remained unaltered for many years despite the availability of antimicrobial agents with proven in vitro activity, other non-antibiotic strategies should be investigated