72 research outputs found
Grand Pwning Unit:Accelerating Microarchitectural Attacks with the GPU
Dark silicon is pushing processor vendors to add more specialized units such as accelerators to commodity processor chips. Unfortunately this is done without enough care to security. In this paper we look at the security implications of integrated Graphical Processor Units (GPUs) found in almost all mobile processors. We demonstrate that GPUs, already widely employed to accelerate a variety of benign applications such as image rendering, can also be used to 'accelerate' microarchitectural attacks (i.e., making them more effective) on commodity platforms. In particular, we show that an attacker can build all the necessary primitives for performing effective GPU-based microarchitectural attacks and that these primitives are all exposed to the web through standardized browser extensions, allowing side-channel and Rowhammer attacks from JavaScript. These attacks bypass state-of-the-art mitigations and advance existing CPU-based attacks: we show the first end-to-end microarchitectural compromise of a browser running on a mobile phone in under two minutes by orchestrating our GPU primitives. While powerful, these GPU primitives are not easy to implement due to undocumented hardware features. We describe novel reverse engineering techniques for peeking into the previously unknown cache architecture and replacement policy of the Adreno 330, an integrated GPU found in many common mobile platforms. This information is necessary when building shader programs implementing our GPU primitives. We conclude by discussing mitigations against GPU-enabled attackers
Augmenting Inertial Motion Capture with SLAM Using EKF and SRUKF Data Fusion Algorithms
Inertial motion capture systems widely use low-cost IMUs to obtain the
orientation of human body segments, but these sensors alone are unable to
estimate link positions. Therefore, this research used a SLAM method in
conjunction with inertial data fusion to estimate link positions. SLAM is a
method that tracks a target in a reconstructed map of the environment using a
camera. This paper proposes quaternion-based extended and square-root unscented
Kalman filters (EKF & SRUKF) algorithms for pose estimation. The Kalman filters
use measurements based on SLAM position data, multi-link biomechanical
constraints, and vertical referencing to correct errors. In addition to the
sensor biases, the fusion algorithm is capable of estimating link geometries,
allowing the imposing of biomechanical constraints without a priori knowledge
of sensor positions. An optical tracking system is used as a reference of
ground-truth to experimentally evaluate the performance of the proposed
algorithm in various scenarios of human arm movements. The proposed algorithms
achieve up to 5.87 (cm) and 1.1 (deg) accuracy in position and attitude
estimation. Compared to the EKF, the SRUKF algorithm presents a smoother and
higher convergence rate but is 2.4 times more computationally demanding. After
convergence, the SRUKF is up to 17% less and 36% more accurate than the EKF in
position and attitude estimation, respectively. Using an absolute position
measurement method instead of SLAM produced 80% and 40%, in the case of EKF,
and 60% and 6%, in the case of SRUKF, less error in position and attitude
estimation, respectively.Comment: 8 pages, 8 figures, 4 tables, 21 reference
Comparing Two Inferior Oblique Weakening Procedures: Disinsertion versus Myectomy
Purpose: To compare two methods for treating inferior oblique overaction (IOOA): disinsertion versus myectomy of the muscle.
Methods: In this prospective interventional case series, patients were randomly assigned to undergo either IO myectomy or disinsertion. The changes in vertical and horizontal deviations following these two surgical procedures were evaluated. The postoperative IO function of grade 0 or +1 and the fundus extorsion of grade 0 or +1 was considered as the successful outcome.
Results: Thirty-six patients (50 eyes) with a mean age of 12.67 ± 4.05 years were included. In the myectomy group, the mean preoperative hyperdeviation in adduction was 29.5 ± 9.32 prism diopter (PD), which decreased to 9.15 ± 7.86 PD after surgery (P = 0.001). In the disinsertion group, these measurements were 32.73 ± 12.42 and 12.65 ± 9.34 PD before and after the surgery, respectively (P = 0.001). The success rate of surgery based on the IOOA grading was 87.4% and 92.3% in the myectomy and disinsertion groups, respectively (P = 0.780). The successful correction rate of abnormal fundus torsion was 91.6% in the myectomy and 88.4% in the disinsertion group (P = 0.821). In comparison, 48% of the cases in the myectomy group and 50% in the disinsertion group were within the normal range of torsional position postoperatively (P = 0.786). There was no statistically significant difference in terms of changes in the horizontal or vertical deviations, V-pattern, and dissociated vertical deviation between the two groups.
Conclusion: Both surgical techniques seem to be effective for treatment of inferior oblique muscle overaction
Prebaked µVMs: Scalable, Instant VM Startup for IaaS Clouds
Abstract-IaaS clouds promise instantaneously available resources to elastic applications. In practice, however, virtual machine (VM) startup times are in the order of several minutes, or at best, several tens of seconds, negatively impacting the elasticity of applications like Web servers that need to scale out to handle dynamically increasing load. VM startup time is strongly influenced by booting the VM's operating system. In this work, we propose using so-called prebaked µVMs to speed up VM startup. µVMs are snapshots of minimal VMs that can be quickly resumed and then configured to application needs by hot-plugging resources. To serve µVMs, we extend our VM boot cache service, Squirrel, allowing to store µVMs for large numbers of VM images on the hosts of a data center. Our experiments show that µVMs can start up in less than one second on a standard file system. Using 1000+ VM images from a production cloud, we show that the respective µVMs can be stored in a compressed and deduplicated file system within 50 GB storage per host, while starting up within 2-3 seconds on average
TRRespass: Exploiting the Many Sides of Target Row Refresh
After a plethora of high-profile RowHammer attacks, CPU and DRAM vendors
scrambled to deliver what was meant to be the definitive hardware solution
against the RowHammer problem: Target Row Refresh (TRR). A common belief among
practitioners is that, for the latest generation of DDR4 systems that are
protected by TRR, RowHammer is no longer an issue in practice. However, in
reality, very little is known about TRR. In this paper, we demystify the inner
workings of TRR and debunk its security guarantees. We show that what is
advertised as a single mitigation mechanism is actually a series of different
solutions coalesced under the umbrella term TRR. We inspect and disclose, via a
deep analysis, different existing TRR solutions and demonstrate that modern
implementations operate entirely inside DRAM chips. Despite the difficulties of
analyzing in-DRAM mitigations, we describe novel techniques for gaining
insights into the operation of these mitigation mechanisms. These insights
allow us to build TRRespass, a scalable black-box RowHammer fuzzer. TRRespass
shows that even the latest generation DDR4 chips with in-DRAM TRR, immune to
all known RowHammer attacks, are often still vulnerable to new TRR-aware
variants of RowHammer that we develop. In particular, TRRespass finds that, on
modern DDR4 modules, RowHammer is still possible when many aggressor rows are
used (as many as 19 in some cases), with a method we generally refer to as
Many-sided RowHammer. Overall, our analysis shows that 13 out of the 42 modules
from all three major DRAM vendors are vulnerable to our TRR-aware RowHammer
access patterns, and thus one can still mount existing state-of-the-art
RowHammer attacks. In addition to DDR4, we also experiment with LPDDR4 chips
and show that they are susceptible to RowHammer bit flips too. Our results
provide concrete evidence that the pursuit of better RowHammer mitigations must
continue.Comment: 16 pages, 16 figures, in proceedings IEEE S&P 202
SpyHammer: Using RowHammer to Remotely Spy on Temperature
RowHammer is a DRAM vulnerability that can cause bit errors in a victim DRAM
row by just accessing its neighboring DRAM rows at a high-enough rate. Recent
studies demonstrate that new DRAM devices are becoming increasingly more
vulnerable to RowHammer, and many works demonstrate system-level attacks for
privilege escalation or information leakage. In this work, we leverage two key
observations about RowHammer characteristics to spy on DRAM temperature: 1)
RowHammer-induced bit error rate consistently increases (or decreases) as the
temperature increases, and 2) some DRAM cells that are vulnerable to RowHammer
cause bit errors only at a particular temperature. Based on these observations,
we propose a new RowHammer attack, called SpyHammer, that spies on the
temperature of critical systems such as industrial production lines, vehicles,
and medical systems. SpyHammer is the first practical attack that can spy on
DRAM temperature. SpyHammer can spy on absolute temperature with an error of
less than 2.5 {\deg}C at the 90th percentile of tested temperature points, for
12 real DRAM modules from 4 main manufacturers
Quality of Life among Persons with HIV/AIDS in Iran: Internal Reliability and Validity of an International Instrument and Associated Factors
The purpose of this cross-sectional study on 191 HIV/AIDS patient was to prepare the first Persian translation of complete WHOQOL-HIV instrument, evaluate its reliability and validity, and apply it to determine quality of life and its associated factors in Tehran, Iran. Student's t-test was used to compare quality of life between groups. Mean Cronbach's α of facets in all six domains of instrument were more than 0.6 indicating good reliability. Item/total corrected correlations coefficients had a lower limit of more than 0.5 in all facets except for association between energy and fatigue facet and physical domain. Compared to younger participants, patients older than 35 years had significantly lower scores in overall quality of life (P = 0.003), social relationships (P = 0.021), and spirituality/religion/personal beliefs (P = 0.024). Unemployed patients had significantly lower scores in overall quality of life (P = 0.01), level of independence (P = 0.004), and environment (P = 0.001) compared to employed participants. This study demonstrated that the standard, complete WHOQOL-HIV 120 instrument translated into Farsi and evaluated among Iranian participants provides a reliable and valid basis for future research on quality of life for HIV and other patients in Iran
- …