49 research outputs found

    Practical and Efficient Runtime Taint Tracking

    Runtime taint tracking is a technique for controlling data propagation in applications. It is typically used to prevent disclosure of confidential information or to avoid application vulnerabilities. Taint tracking systems intercept application operations at runtime, associate metadata with the data being processed and inspect the metadata to detect unauthorised data propagation. To keep metadata up to date, every attempt of the application to access and process data is intercepted. To ensure that all data propagation is monitored, different categories of data (e.g. confidential and public data) are kept isolated. In practice, the interception of application operations and the isolation of different categories of data are hard to achieve. Existing applications, language interpreters and operating systems need to be re-engineered, while keeping metadata up to date incurs significant overhead at runtime. In this thesis we show that runtime taint tracking can be implemented with minimal changes to existing infrastructure and with reduced overhead compared to previous approaches. In other words, we suggest methods to achieve both practical and efficient runtime taint tracking. Our key observation is that applications in specific domains are typically implemented in high-level languages and use a subset of the available language features. This facilitates the implementation of a taint tracking system because it needs to support only parts of a programming language and it may leverage features of the execution platform. This thesis explores three different application domains. We start with event processing applications in Java, for which we introduce a novel solution to achieve isolation and a practical method to declare restrictions about data propagation. We then focus on securing PHP web applications. We show that if taint tracking is restricted to a small part of an application, the runtime overhead is significantly reduced without sacrificing effectiveness. Finally, we target accidental data disclosure in Ruby web applications. Ruby emerges as an ideal choice for a practical taint tracking system because it supports meta-programming facilities that simplify interception and isolation.

    Cor triatriatum presenting as heart failure with reduced ejection fraction: a case report

    Cor triatriatum is a rare congenital cardiac malformation and it usually refers to the left atrium. We report an unusual case of cor triatriatum in a 33-year-old woman who presented with congestive heart failure caused by left ventricular systolic dysfunction.

    Neurological and neurourological complications of electrical injuries

    Electrical injury can affect any system and organ. Central nervous system (CNS) complications are especially well recognised, causing an increased risk of morbidity, while peripheral nervous system (PNS) complications, neurourological and cognitive and psychological abnormalities are less predictable after electrical injuries. PubMed was searched for English language clinical observational, retrospective, review and case studies published in the last 30 years using the key words: electrical injury, electrocution, complications, sequelae, neurological, cognitive, psychological, urological, neuropsychological, neurourological, neurogenic, and bladder. In this review, the broad spectrum of neurological, cognitive, psychological and neurourological consequences of electrical trauma are discussed, and clinical features characteristic of an underlying neurological, psychological or neurourological disorder are identified. The latest information about the most recently discovered forms of nervous system disorders secondary to electrical trauma, such as the presentation of neurological sequelae years after electrocution, in other words long-term sequelae, are presented. Unexpected central nervous system or muscular complications such as hydrocephalus, brain venous thrombosis, and amyotrophic lateral sclerosis are described. Common and uncommon neuropsychological syndromes after electrical trauma are defined. Neurourological sequelae secondary to spinal cord or brain trauma or as independent consequences of electrical shock are also highlighted.

    IMPACT-Global Hip Fracture Audit: Nosocomial infection, risk prediction and prognostication, minimum reporting standards and global collaborative audit. Lessons from an international multicentre study of 7,090 patients conducted in 14 nations during the COVID-19 pandemic

    Distributed Middleware Enforcement of Event Flow Security Policy

    Distributed, event-driven applications that process sensitive user data and involve multiple organisational domains must comply with complex security requirements. Ideally, developers want to express security policy for such applications in data-centric terms, controlling the flow of information throughout the system. Current middleware does not support the specification of such end-to-end security policy and lacks uniform mechanisms for enforcement. We describe DEFCon-Policy, a middleware that enforces security policy in multi-domain, event-driven applications. Event flow policy is expressed in a high-level language that specifies permitted flows between distributed software components. The middleware limits the interaction of components based on the policy and the data that components have observed. It achieves this by labelling data and assigning privileges to components. We evaluate DEFCon-Policy in a realistic medical scenario and demonstrate that it can provide global security guarantees without burdening application developers

    Le droit hellénique des opérations d'initiés

    The legal framework concerning the holders of privileged or inside information (insiders) in Greece is defined by the Presidential decree n° 53 of 14 February 1992 entitled "acts of holders of privileged information" according to the directive 89/592/EEC and by the article 30 of the law 1806/1988 "concerning the modification of the stock exchange legislation". Other legal texts of banking, tax, criminal and European law are also applied for the issues that are not covered by the presidential decree or the directive. The application of the provisions of the presidential decree 53/92 is assigned to the Supervisory Committee of the Capital Markets. This Committee is assisted by the Directorate of the Ministry of National Economy, responsible for the supervision of the Stock Exchange, and by the Governing Body of the Stock Exchange of Athens. The Committee has not applied any sanctions till now.

    The legal framework concerning holders of confidential information in Greece is governed by Presidential Decree n° 53 of 14 February 1992 "on the acts of persons holding confidential information", in accordance with Directive 89/592/EEC and with the provision of Article 30 of Law 1806/1988 "on the modification of stock exchange legislation". Other provisions of stock exchange, banking, tax, criminal and European law are applied to cases not covered by the directive and the presidential decree. The application of the provisions of P.D. 53/92 has been entrusted to the Capital Markets Supervisory Committee. This Committee is assisted in its work by the Directorate of the Ministry of National Economy, which is responsible for supervising the Stock Exchange, and by the Board of Directors of the Athens Stock Exchange. So far the Committee has not established the sanctions that offenders could incur.

    Papagiannis Ioannis M., Kalogeras Dimitris A. Le droit hellénique des opérations d'initiés. In: Revue internationale de droit comparé. Vol. 50 N°1, Janvier-mars 1998. pp. 93-108

    Synthesis and Characterisation of Iron Oxide Nanoparticles with Tunable Sizes by Hydrothermal Method

    The present study investigates the effect of different reaction times on the crystallinity, surface morphology and size of iron oxide nanoparticles. In this synthetic system, aqueous iron (III) nitrate nonahydrate (Fe(NO$_3$)$_3\cdot$9H$_2$O) provided the iron source and triethylamine was the precipitant and alkaline agent. The as-synthesised iron oxide nanoparticles were characterised by X-ray diffraction (XRD), Rietveld analysis, Scanning Electron Microscopy (SEM) and Fourier transform infrared spectroscopy (FTIR). Prolonged reaction times indicated the change on nanoparticle shape from elongated nanorods to finally distorted nanocubes. Analysis on the crystallinity of the iron oxide nanoparticles suggests that the samples mainly consist of two phases, which are Goethite ($\alpha$-FeOOH) and Hematite ($\alpha$-Fe$_2$O$_3$), respectively.

    PHP Aspis: using partial taint tracking to protect against injection attacks

    Web applications are increasingly popular victims of security attacks. Injection attacks, such as Cross Site Scripting or SQL Injection, are a persistent problem. Even though developers are aware of them, the suggested best practices for protection are error prone: unless all user input is consistently filtered, any application may be vulnerable. When hosting web applications, administrators face a dilemma: they can only deploy applications that are trusted or they risk their system’s security. To prevent injection vulnerabilities, we introduce PHP Aspis: a source code transformation tool that applies partial taint tracking at the language level. PHP Aspis augments values with taint meta-data to track their origin in order to detect injection vulnerabilities. To improve performance, PHP Aspis carries out taint propagation only in an application’s most vulnerable parts: third-party plugins. We evaluate PHP Aspis with WordPress, a popular open source weblog platform, and show that it prevents all code injection exploits that were found in WordPress plugins in 2010.