CubicleOS: A library OS with software componentisation for practical isolation

Library OSs have been proposed to deploy applications isolated inside containers, VMs, or trusted execution environments. They often follow a highly modular design in which third-party components are combined to offer the OS functionality needed by an application, and they are customised at compilation and deployment time to fit application requirements. Yet their monolithic design lacks isolation across components: when applications and OS components contain security-sensitive data (e.g., cryptographic keys or user data), the lack of isolation renders library OSs open to security breaches via malicious or vulnerable third-party components

Approximated and User Steerable tSNE for Progressive Visual Analytics

Progressive Visual Analytics aims at improving the interactivity in existing analytics techniques by means of visualization as well as interaction with intermediate results. One key method for data analysis is dimensionality reduction, for example, to produce 2D embeddings that can be visualized and analyzed efficiently. t-Distributed Stochastic Neighbor Embedding (tSNE) is a well-suited technique for the visualization of several high-dimensional data. tSNE can create meaningful intermediate results but suffers from a slow initialization that constrains its application in Progressive Visual Analytics. We introduce a controllable tSNE approximation (A-tSNE), which trades off speed and accuracy, to enable interactive data exploration. We offer real-time visualization techniques, including a density-based solution and a Magic Lens to inspect the degree of approximation. With this feedback, the user can decide on local refinements and steer the approximation level during the analysis. We demonstrate our technique with several datasets, in a real-world research scenario and for the real-time analysis of high-dimensional streams to illustrate its effectiveness for interactive data analysis

CubicleOS: A library OS with software componentisation for practical isolation

Library OSs have been proposed to deploy applications isolated inside containers, VMs, or trusted execution environments. They often follow a highly modular design in which third-party components are combined to offer the OS functionality needed by an application, and they are customised at compilation and deployment time to fit application requirements. Yet their monolithic design lacks isolation across components: when applications and OS components contain security-sensitive data (e.g., cryptographic keys or user data), the lack of isolation renders library OSs open to security breaches via malicious or vulnerable third-party components

Volatile composition of Red Mencia and Souson cultivars from Rias Baixas and Valdeorras AOC (NW Spain)

Mencía and Sousón are two red Vitis vinifera cultivars grown in two geographic areas from Galicia (NW Spain), Appellation of Origin Controlled Valdeorras and Rías Baixas. Valdeorras AOC is situated in south east Galicia, with Continental climate, slate soil, gentle temperature and rainfall and Rías Baixas AOC is located in the southwest Galicia, near of the sea, with Atlantic climate, siliceous soil, and slightly higher temperature and rainfall than the first one. The aim of this study was to carry out a first approximation to determinate the influence of terroir on volatile composition of these red cultivars grown in Galicia. Grapes of Mencía and Sousón, collected in 2009 vintage, were crushed and the musts volatiles were extracted using Solid Phase Extraction (SPE). The identification and quantification was performed by gas chromatography-mass spectrometry (GC-MS) in free and bound form. The results showed a greater effect of terroir in bound compounds (alcohols, volatile phenols, C13-norisoprenoids and volatile fatty acids) between geographic areas for the two cultivars studied. In free fraction C6-compounds and carbonyl compounds showed variability between geographic areas for the cultivars

Spons & shields: practical isolation for trusted execution

Trusted execution environments (TEEs) promise a cost-effective, “lift-and-shift” solution for deploying security-sensitive applications in untrusted clouds. For this, they must support rich, multi-component applications, but a large trusted computing base (TCB) inside the TEE risks that attackers can compromise application security. Fine-grained compartmentalisation can increase security through defense-in-depth, but current solutions either run all software components unprotected in the same TEE, lack efficient shared memory support, or isolate application processes using separate TEEs, impacting performance and compatibility. We describe the Spons & Shields framework (SSF) for Intel SGX TEEs, which offers intra-TEE compartmentalisation using two new abstraction, Spons and Shields. Spons and Shields generalise process, library and user/kernel isolation inside the TEE while allowing for efficient memory sharing. When users deploy unmodified multi-component applications in a TEE, SSF dynamically creates Spons (one per POSIX process or library) and Shields (to enforce a given security policy for memory accesses). Applications can be hardened with minor code changes, e.g., by using a separate Shield to isolate an SSL library. SSF uses compiler instrumentation to protect Shield boundaries, exploiting MPX instructions if available. We evaluate SSF using a complex application service (NGINX, PHP interpreter and PostgreSQL) and show that its overhead is comparable to process isolation

MICROSTRUCTURAL STUDIES FOR OPTIMIZATION OF HEAT TREATMENT IN COMPONENTS OF STEEL X38CrMoV5-1 SUBJECTED TO HIGH STRESSES

This material X38CrMoV5-1 is an alloyed steel used for hot working, with good toughness and high resistance to thermal shock. The presence of Cr, Mo and V gives this steel a high resistance to wear, keeping its hardness properties at high temperature. Cr and Mo delay softening annealing and inhibit the grain growth. The great resistance to high temperatures of this type of steels is related with an easy martensitic transformation. This transformation happens even at low cooling speeds. The properties of these types of martensitic steels result as a consequence of their complex microstructure that is obtained by an extremely controlled thermal treatment. Dilatometric testing was performed on continuous cooling from austenization temperature (1050ºC). This testing shows the high hardenability of this type of steels. ATD studies have been done to complement the dilatometric testing. After the previous results, it has been considered that the optimal treatment to get tough and tenacious structure, consists in submitting material to an annealing processing at 780ºC/1hour, followed by a quenching treatment at 1020ºC/1hour and finally cooling in oil with a double tempering at 580ºC/2 hours. This treatment provides the best properties that guarantee service with safety parts.Peer Reviewe

CAP-VMs: Capability-based isolation and sharing in the cloud

Cloud stacks must isolate application components, while permitting efficient data sharing between components deployed on the same physical host. Traditionally, the MMU enforces isolation and permits sharing at page granularity. MMU approaches, however, lead to cloud stacks with large TCBs in kernel space, and page granularity requires inefficient OS interfaces for data sharing. Forthcoming CPUs with hardware support for memory capabilities offer new opportunities to implement isolation and sharing at a finer granularity. We describe cVMs, a new VM-like abstraction that uses memory capabilities to isolate application components while supporting efficient data sharing, all without mandating application code to be capability-aware. cVMs share a single virtual address space safely, each having only capabilities to access its own memory. A cVM may include a library OS, thus minimizing its dependency on the cloud environment. cVMs efficiently exchange data through two capability-based primitives assisted by a small trusted monitor: (i) an asynchronous read/write interface to buffers shared between cVMs; and (ii) a call interface to transfer control between cVMs. Using these two primitives, we build more expressive mechanisms for efficient cross-cVM communication. Our prototype implementation using CHERI RISC-V capabilities shows that cVMs isolate services (Redis and Python) with low overhead while improving data sharing

Understanding the gendered coaching workforce in Spanish sport

The present study focuses on the demographic and labor characteristics of coaches in Spain. Kanter’s theory on occupational sex segregation will be used as a guiding framework. The study was conducted with 1685 coaches (82.3% men and 17.7% women) from different sports and performance domains. The results show that there is an underrepresentation of women as coaches in Spain and data highlight that coaches’ gender is related to three structural factors: opportunity, power, and proportion. The present data reveal that women are younger, less likely to be in a marriage-like relationship, less likely to have children, and more likely to have competed at a high level as an athlete when compared to their male counterparts. However, fewer women than men access and participate in coach education in Catalonia and the working status of women was different to that of men. To expand, women worked less hours, were more likely to be assistant coaches, and had less years of coaching experience. Understanding of how gender influences women’s access, progression, and retention in coaching in Spain illustrates the need for gender sport policies and practices in sport organizations. This approach can benefit not only women, but the diversity and enrichment of the coaching system

ORC: Increasing cloud memory density via object reuse with capabilities

Cloud environments host many tenants, and typically there is substantial overlap between the application binaries and libraries executed by tenants. Thus, memory de-duplication can increase memory density by allocating memory for shared binaries only once. Existing de-duplication approaches, however, either rely on a shared OS to de-deduplicate binary objects, which provides unacceptably weak isolation; or exploit hypervisor-based de-duplication at the level of memory pages, which is blind to the semantics of the objects to be shared. We describe Object Reuse with Capabilities (ORC), which supports the fine-grained sharing of binary objects between tenants, while isolating tenants strongly through a small trusted computing base (TCB). ORC uses hardware sup- port for memory capabilities to isolate tenants, which permits shared objects to be accessible to multiple tenants safely. Since ORC shares binary objects within a single address space through capabilities, it uses a new relocation type to create per-tenant state when loading shared objects. ORC supports the loading of objects by an untrusted guest, outside of its TCB, only verifying the safety of the loaded data. Our experiments show that ORC achieves a higher memory density with a lower overhead than hypervisor-based de-deduplication