Monorail/Foxa2 regulates floorplate differentiation and specification of oligodendrocytes, serotonergic raphe neurones and cranial motoneurones

In this study, we elucidate the roles of the winged-helix transcription factor Foxa2 in ventral CNS development in zebrafish. Through cloning of monorail (mol), which we find encodes the transcription factor Foxa2, and phenotypic analysis of mol(-/-) embryos, we show that floorplate is induced in the absence of Foxa2 function but fails to further differentiate. In mol(-/-) mutants, expression of Foxa and Hh family genes is not maintained in floorplate cells and lateral expansion of the floorplate fails to occur. Our results suggest that this is due to defects both in the regulation of Hh activity in medial floorplate cells as well as cell-autonomous requirements for Foxa2 in the prospective laterally positioned floorplate cells themselves. Foxa2 is also required for induction and/or patterning of several distinct cell types in the ventral CNS. Serotonergic neurones of the raphe nucleus and the trochlear motor nucleus are absent in mol(-/-) embryos, and oculomotor and facial motoneurones ectopically occupy ventral CNS midline positions in the midbrain and hindbrain. There is also a severe reduction of prospective oligodendrocytes in the midbrain and hindbrain. Finally, in the absence of Foxa2, at least two likely Hh pathway target genes are ectopically expressed in more dorsal regions of the midbrain and hindbrain ventricular neuroepithelium, raising the possibility that Foxa2 activity may normally be required to limit the range of action of secreted Hh proteins

Rigorous engineering for hardware security: Formal modelling and proof in the CHERI design and implementation process

The root causes of many security vulnerabilities include a pernicious combination of two problems, often regarded as inescapable aspects of computing. First, the protection mechanisms provided by the mainstream processor architecture and C/C++ language abstractions, dating back to the 1970s and before, provide only coarse-grain virtual-memory-based protection. Second, mainstream system engineering relies almost exclusively on test-and-debug methods, with (at best) prose specifications. These methods have historically sufficed commercially for much of the computer industry, but they fail to prevent large numbers of exploitable bugs, and the security problems that this causes are becoming ever more acute. In this paper we show how more rigorous engineering methods can be applied to the development of a new security-enhanced processor architecture, with its accompanying hardware implementation and software stack. We use formal models of the complete instruction-set architecture (ISA) at the heart of the design and engineering process, both in lightweight ways that support and improve normal engineering practice -- as documentation, in emulators used as a test oracle for hardware and for running software, and for test generation -- and for formal verification. We formalise key intended security properties of the design, and establish that these hold with mechanised proof. This is for the same complete ISA models (complete enough to boot operating systems), without idealisation. We do this for CHERI, an architecture with \emph{hardware capabilities} that supports fine-grained memory protection and scalable secure compartmentalisation, while offering a smooth adoption path for existing software. CHERI is a maturing research architecture, developed since 2010, with work now underway on an Arm industrial prototype to explore its possible adoption in mass-market commercial processors. The rigorous engineering work described here has been an integral part of its development to date, enabling more rapid and confident experimentation, and boosting confidence in the design.This work was supported by EPSRC programme grant EP/K008528/1 (REMS: Rigorous Engineering for Mainstream Systems). This work was supported by a Gates studentship (Nienhuis). This project has received funding from the European Research Council (ERC) under the European Union's Horizon 2020 research and innovation programme (grant agreement 789108, ELVER). This work was supported by the Defense Advanced Research Projects Agency (DARPA) and the Air Force Research Laboratory (AFRL), under contracts FA8750-10-C-0237 (CTSRD), HR0011-18-C-0016 (ECATS), and FA8650-18-C-7809 (CIFV)

CHERI: A hybrid capability-system architecture for scalable software compartmentalization

CHERI extends a conventional RISC Instruction- Set Architecture, compiler, and operating system to support fine-grained, capability-based memory protection to mitigate memory-related vulnerabilities in C-language TCBs. We describe how CHERI capabilities can also underpin a hardware-software object-capability model for application compartmentalization that can mitigate broader classes of attack. Prototyped as an extension to the open-source 64-bit BERI RISC FPGA softcore processor, FreeBSD operating system, and LLVM compiler, we demonstrate multiple orders-of-magnitude improvement in scalability, simplified programmability, and resulting tangible security benefits as compared to compartmentalization based on pure Memory-Management Unit (MMU) designs. We evaluate incrementally deployable CHERI-based compartmentalization using several real-world UNIX libraries and applications.We thank our colleagues Ross Anderson, Ruslan Bukin, Gregory Chadwick, Steve Hand, Alexandre Joannou, Chris Kitching, Wojciech Koszek, Bob Laddaga, Patrick Lincoln, Ilias Marinos, A Theodore Markettos, Ed Maste, Andrew W. Moore, Alan Mujumdar, Prashanth Mundkur, Colin Rothwell, Philip Paeps, Jeunese Payne, Hassen Saidi, Howie Shrobe, and Bjoern Zeeb, our anonymous reviewers, and shepherd Frank Piessens, for their feedback and assistance. This work is part of the CTSRD and MRC2 projects sponsored by the Defense Advanced Research Projects Agency (DARPA) and the Air Force Research Laboratory (AFRL), under contracts FA8750-10-C- 0237 and FA8750-11-C-0249. The views, opinions, and/or findings contained in this paper are those of the authors and should not be interpreted as representing the official views or policies, either expressed or implied, of the Department of Defense or the U.S. Government. We acknowledge the EPSRC REMS Programme Grant [EP/K008528/1], Isaac Newton Trust, UK Higher Education Innovation Fund (HEIF), Thales E-Security, and Google, Inc.This is the author accepted manuscript. The final version is available at http://dx.doi.org/10.1109/SP.2015.

Molecular biology of breast cancer metastasis: The use of mathematical models to determine relapse and to predict response to chemotherapy in breast cancer

Breast cancer mortality rates have shown only modest improvemen despite the advent of effective chemotherapeutic agents which have been administered to a large percentage of women with breast cancer. In an effort to improve breast cancer treatment strategies, a variety of mathematical models have been developed that describe the natural history of breast cancer and the effects of treatment on the cancer. These models help researchers to develop, quantify, and test various treatment hypotheses quickly and efficiently. The present review discusses several of these models, with a focus on how they have been used to predict the initiation time of metastatic growth, the effect of operative therapy on the growth of metastases, and the optimal administration strategy for chemotherapy

Mathematical modeling of the metastatic process

Mathematical modeling in cancer has been growing in popularity and impact since its inception in 1932. The first theoretical mathematical modeling in cancer research was focused on understanding tumor growth laws and has grown to include the competition between healthy and normal tissue, carcinogenesis, therapy and metastasis. It is the latter topic, metastasis, on which we will focus this short review, specifically discussing various computational and mathematical models of different portions of the metastatic process, including: the emergence of the metastatic phenotype, the timing and size distribution of metastases, the factors that influence the dormancy of micrometastases and patterns of spread from a given primary tumor.Comment: 24 pages, 6 figures, Revie

Fast Protection-Domain Crossing in the CHERI Capability-System Architecture

Capability Hardware Enhanced RISC Instructions (CHERI) supplement the conventional memory management unit (MMU) with instruction-set architecture (ISA) extensions that implement a capability system model in the address space. CHERI can also underpin a hardware-software object-capability model for scalable application compartmentalization that can mitigate broader classes of attack. This article describes ISA additions to CHERI that support fast protection-domain switching, not only in terms of low cycle count, but also efficient memory sharing with mutual distrust. The authors propose ISA support for sealed capabilities, hardware-assisted checking during protection-domain switching, a lightweight capability flow-control model, and fast register clearing, while retaining the flexibility of a software-defined protection-domain transition model. They validate this approach through a full-system experimental design, including ISA extensions, a field-programmable gate array prototype (implemented in Bluespec SystemVerilog), and a software stack including an OS (based on FreeBSD), compiler (based on LLVM), software compartmentalization model, and open-source applications.This work is part of the CTSRD and MRC2 projects sponsored by the Defense Advanced Research Projects Agency (DARPA) and the Air Force Research Laboratory (AFRL), under contracts FA8750-10-C-0237 and FA8750-11-C-0249. We also acknowledge the Engineering and Physical Sciences Research Council (EPSRC) REMS Programme Grant [EP/K008528/1], the EPSRC Impact Acceleration Account [EP/K503757/1], EPSRC/ARM iCASE studentship [13220009], Microsoft studentship [MRS2011-031], the Isaac Newton Trust, the UK Higher Education Innovation Fund (HEIF), Thales E-Security, and Google, Inc.This is the author accepted manuscript. The final version of the article can be found at: http://ieeexplore.ieee.org/document/7723791

CheriABI: Enforcing Valid Pointer Provenance and Minimizing Pointer Privilege in the POSIX C Run-time Environment

The CHERI architecture allows pointers to be implemented as capabilities (rather than integer virtual addresses) in a manner that is compatible with, and strengthens, the semantics of the C language. In addition to the spatial protections offered by conventional fat pointers, CHERI capabilities offer strong integrity, enforced provenance validity, and access monotonicity. The stronger guarantees of these architectural capabilities must be reconciled with the real-world behavior of operating systems, run-time environments, and applications. When the process model, user-kernel interactions, dynamic linking, and memory management are all considered, we observe that simple derivation of architectural capabilities is insufficient to describe appropriate access to memory. We bridge this conceptual gap with a notional \emph{abstract capability} that describes the accesses that should be allowed at a given point in execution, whether in the kernel or userspace. To investigate this notion at scale, we describe the first adaptation of a full C-language operating system (FreeBSD) with an enterprise database (PostgreSQL) for complete spatial and referential memory safety. We show that awareness of abstract capabilities, coupled with CHERI architectural capabilities, can provide more complete protection, strong compatibility, and acceptable performance overhead compared with the pre-CHERI baseline and software-only approaches. Our observations also have potentially significant implications for other mitigation techniques.This work was supported by the Defense Advanced Research Projects Agency (DARPA) and the Air Force Research Laboratory (AFRL), under contracts FA8750-10-C-0237 (``CTSRD'') and HR0011-18-C-0016 (``ECATS''). The views, opinions, and/or findings contained in this report are those of the authors and should not be interpreted as representing the official views or policies of the Department of Defense or the U.S. Government. We also acknowledge the EPSRC REMS Programme Grant (EP/K008528/1), the ERC ELVER Advanced Grant (789108), Arm Limited, HP Enterprise, and Google, Inc. Approved for Public Release, Distribution Unlimited

Experimental glomerulonephritis induced by hydrocarbon exposure: A systematic review

BACKGROUND: Much epidemiological evidence suggests that hydrocarbon exposure may induce glomerulonephritis and worsen its course in many patients. The mechanisms are unknown, however, no specific microscopic pattern has been identified, and it has also been argued that hydrocarbon exposure causes tubular damage mainly. Studying experimental animals may best answer these questions, and as no systematic review of glomerulonephritis produced experimentally by hydrocarbon exposure has been performed previously, I found it relevant to search for and analyse such studies. METHODS: Animal experiments having mimicked human glomerulonephritis by hydrocarbon exposure were sought on Medline and Toxnet RESULTS: Twenty-six experiments using thirteen different hydrocarbons were identified. Several human subtypes were observed including IgA nephritis, mesangial, proliferative and extracapillary glomerulonephritis, focal and focal-segmental sclerosis, minimal change nephropathy, anti-GBM and anti-TBM nephritis, and glomerulonephritis associated with peiarteritis nodosa. Glomerular proteinuria was seen in 10/12 experiments that included urine analyses, and renal failure in 5/8 experiments that included measurements of glomerular function. All experiments resulted in various degrees of tubular damage as well. In most studies, where the animals were examined at different times during or after the exposure, the renal microscopic and functional changes were seen immediately, whereas deposits of complement and immunoglobulins appeared late in the course, if at all. CONCLUSION: These experiments are in accord with epidemiological evidence that hydrocarbon exposure may cause glomerulonephritis and worsen renal function. Probable mechanisms include an induction of autologous antibodies and a disturbance of normal immunological functions. Also, tubular damage may increase postglomerular resistance, resulting in a glomerular deposition of macromolecules. In most models a causal role of glomerular immune complex formation was unlikely, but may rather have been a secondary phenomenon. As most glomerulonephritis subgroups were seen and as some of the hydrocarbons produced more than one subgroup, the microscopic findings in a patient cannot be used as a clue to the causation of his disease. By the same reason, the lack of a specific histological pattern in patients with glomerulonephritis assumed to have been caused by hydrocarbon exposure is not contradictive

Cornucopia: Temporal safety for CHERI heaps

Use-after-free violations of temporal memory safety continue to plague software systems, underpinning many high-impact exploits. The CHERI capability system shows great promise in achieving C and C++ language spatial memory safety, preventing out-of-bounds accesses. Enforcing language-level temporal safety on CHERI requires capability revocation, traditionally achieved either via table lookups (avoided for performance in the CHERI design) or by identifying capabilities in memory to revoke them (similar to a garbage-collector sweep). CHERIvoke, a prior feasibility study, suggested that CHERI’s tagged capabilities could make this latter strategy viable, but modeled only architectural limits and did not consider the full implementation or evaluation of the approach. Cornucopia is a lightweight capability revocation system for CHERI that implements non-probabilistic C/C++ temporal memory safety for standard heap allocations. It extends the CheriBSD virtual-memory subsystem to track capability flow through memory and provides a concurrent kernel-resident revocation service that is amenable to multi-processor and hardware acceleration. We demonstrate an average overhead of less than 2% and a worst-case of 8.9% for concurrent revocation on compatible SPEC CPU2006 benchmarks on a multi-core CHERI CPU on FPGA, and we validate Cornucopia against the Juliet test suite’s corpus of temporally unsafe programs. We test its compatibility with a large corpus of C programs by using a revoking allocator as the system allocator while booting multi-user CheriBSD. Cornucopia is a viable strategy for always-on temporal heap memory safety, suitable for production environments.This work was supported by the Defense Advanced Research Projects Agency (DARPA) and the Air Force Research Laboratory (AFRL), under contracts FA8750-10-C-0237 (“CTSRD”) and HR0011-18-C-0016 (“ECATS”). We also acknowledge the EPSRC REMS Programme Grant (EP/K008528/1), the ABP Grant (EP/P020011/1), the ERC ELVER Advanced Grant (789108), the Gates Cambridge Trust, Arm Limited, HP Enterprise, and Google, Inc

Predictive factor for the response to adjuvant therapy with emphasis in breast cancer

One of the major challenges of early-stage breast cancer is to select the adjuvant therapy that ensures the most benefits and the least harm for the patient. The definition of accurate predictive factors is therefore of paramount importance. So far the choice of adjuvant therapy has been based on the number of affected lymph nodes and the hormone receptor status of the patient. This paper evaluates the use of other tumor-related markers as predictive factors for adjuvant therapy. These include HER2, p53 and Bcl-2, cathepsin B, p27, proliferating cell nuclear antigen (PCNA), cyclin D, Ki-67, and vascular endothelial growth factor (VEGF)