On Challenges in Verifying Trusted Executable Files in Memory Forensics

Memory forensics is a fundamental step in any security incident response process, especially in computer systems where malware may be present. Thememory of the system is acquired and then analyzed, looking for facts about the security incident. To remain stealthy and undetected in computer systems, malware are abusing the code signing technology, which helps to establish trust in computer software. Intuitively, a memory forensic analyst can think of code signing as a preliminary step to prioritize the list of processes to analyze. However, amemory dump does not contain an exact copy of an executable file (the file as stored in disk) and thus code signing may be useless in this context. In this paper, we investigate the limitations that memory forensics imposes to the digital signature verification process of Windows PE signed files obtained from a memory dump. These limitations are data incompleteness, data changes caused by relocation, catalog-signed files, and executable file and process inconsistencies. We also discuss solutions to these limitations. Moreover, we have developed a Volatility plugin named sigcheck that recovers executable files from a memory dump and computes its digital signature (if feasible). We tested it on Windows 7 x86 and x64 memory dumps. Our experiments showed that the success rate is low, especially when the memory is acquired from a system that has been running for a long time

An Evaluation Framework for Comparative Analysis of Generalized Stochastic Petri Net Simulation Techniques

Availability of a common, shared benchmark to provide repeatable, quantifiable, and comparable results is an added value for any scientific community. International consortia provide benchmarks in a wide range of domains, being normally used by industry, vendors, and researchers for evaluating their software products. In this regard, a benchmark of untimed Petri net models was developed to be used in a yearly software competition driven by the Petri net community. However, to the best of our knowledge there is not a similar benchmark to evaluate solution techniques for Petri nets with timing extensions. In this paper, we propose an evaluation framework for the comparative analysis of generalized stochastic Petri nets (GSPNs) simulation techniques. Although we focus on simulation techniques, our framework provides a baseline for a comparative analysis of different GSPN solvers (e.g., simulators, numerical solvers, or other techniques). The evaluation framework encompasses a set of 50 GSPN models including test cases and case studies from the literature, and a set of evaluation guidelines for the comparative analysis. In order to show the applicability of the proposed framework, we carry out a comparative analysis of steady-state simulators implemented in three academic software tools, namely, GreatSPN, PeabraiN, and TimeNET. The results allow us to validate the trustfulness of these academic software tools, as well as to point out potential problems and algorithmic optimization opportunities

Survivability model for security and dependability analysis of a vulnerable critical system

This paper aims to analyze transient security and dependability of a vulnerable critical system, under vulnerability-related attack and two reactive defense strategies, from a severe vulnerability announcement until the vulnerability is fully removed from the system. By severe, we mean that the vulnerability-based malware could cause significant damage to the infected system in terms of security and dependability while infecting more and more new vulnerable computer systems. We propose a Markov chain-based survivability model for capturing the vulnerable critical system behaviors during the vulnerability elimination process. A high-level formalism based on Stochastic Reward Nets is applied to automatically generate and solve the survivability model. Survivability metrics are defined to quantify system attributes. The proposed model and metrics not only enable us to quantitatively assess the system survivability in terms of security risk and dependability, but also provide insights on the system investment decision. Numerical experiments are constructed to study the impact of key parameters on system security, dependability and profit

Long-term hurricane damage effects on tropical forest tree growth and mortality

Hurricane winds can have large impacts on forest structure and dynamics. To date, most evaluations of hurricane impacts have focused on short-term responses after a hurricane, often lacked pre-hurricane measurements, and missed responses occurring over longer time scales. Here, we use a long-term data set (1974-2009, 35 years) of tree stems ( >3 cm in diameter at 1.3 m aboveground) in four sites (0.35 ha in total) in montane rain forest (∼1600 m elevation) in Jamaica to investigate the patterns of crown damage in individual stems by Hurricane Gilbert in 1988, and how subsequent growth and mortality were affected by hurricane damage, sprouting, and the incidence of multiple stems. Topographical position on a mountain ridge was the best predictor of crown damage, followed by crown size and species identity. The average diameter growth rate of stems that survived the hurricane was greater than that pre-hurricane for the whole 21-yr post-hurricane period. Growth rates of stems with damaged crowns increased less than those with undamaged crowns; differences in growth rate between damaged and undamaged trees disappeared after 11 years. Hurricanedamaged stems had two to eight times higher mortality than undamaged stems for 19 years post hurricane. Many stems sprouted shortly after the hurricane, but few sprouts managed to establish (grow to >3 cm diameter at breast height). However, sprouting and multi-stemming were associated with reduced mortality rate, particularly in damaged trees. From an initial population of 1670 stems in 1974, 54% were still alive in 2009 (21 years after the hurricane). We conclude that despite the high frequency of hurricane damage to tree crowns and the subsequent increased mortality rate in this hurricane-prone tropical montane forest, many stems will be hit and recover from several hurricanes in their lifetimePeer reviewe

Quantized Skyrmion Fields in 2+1 Dimensions

A fully quantized field theory is developped for the skyrmion topological excitations of the O(3) symmetric CP$^1$-Nonlinear Sigma Model in 2+1D. The method allows for the obtainment of arbitrary correlation functions of quantum skyrmion fields. The two-point function is evaluated in three different situations: a) the pure theory; b) the case when it is coupled to fermions which are otherwise non-interacting and c) the case when an electromagnetic interaction among the fermions is introduced. The quantum skyrmion mass is explicitly obtained in each case from the large distance behavior of the two-point function and the skyrmion statistics is inferred from an analysis of the phase of this function. The ratio between the quantum and classical skyrmion masses is obtained, confirming the tendency, observed in semiclassical calculations, that quantum effects will decrease the skyrmion mass. A brief discussion of asymptotic skyrmion states, based on the short distance behavior of the two-point function, is also presented.Comment: Accepted for Physical Review

The need for structured thoracic robotic training: the perspective of an American Association for Thoracic Surgery surgical robotic fellow

Since the initial experiences with robotic platforms in thoracic surgery (1), the number of procedures performed with this technique have continued to increase (2). Not only have newer trainees demonstrated interest in the field, but former open and VATS surgeons have also become aware of the advantages that the robotic platform provides (1,3). However, although some authors have implemented robotic thoracic surgery safely (4,5) others still consider it inefficient, citing the increased operative time (related to the learning curve), the initial instrument cost, and the lack of appropriate directed training (3)

Tick holocyclotoxins trigger host paralysis by presynaptic inhibition

Ticks are important vectors of pathogens and secreted neurotoxins with approximately 69 out of 692 tick species having the ability to induce severe toxicoses in their hosts. The Australian paralysis tick (Ixodes holocyclus) is known to be one of the most virulent tick species producing a flaccid paralysis and fatalities caused by a family of neurotoxins known as holocyclotoxins (HTs). The paralysis mechanism of these toxins is temperature dependent and is thought to involve inhibition of acetylcholine levels at the neuromuscular junction. However, the target and mechanism of this inhibition remain uncharacterised. Here, we report that three members of the holocyclotoxin family; HT-1 (GenBank AY766147), HT-3 (GenBank KP096303) and HT-12 (GenBank KP963967) induce muscle paralysis by inhibiting the dependence of transmitter release on extracellular calcium. Previous study was conducted using extracts from tick salivary glands, while the present study is the first to use pure toxins from I. holocyclus. Our findings provide greater insight into the mechanisms by which these toxins act to induce paralysis

Decoupling of the S=1/2 antiferromagnetic zig-zag ladder with anisotropy

The spin-1/2 antiferromagnetic zig-zag ladder is studied by exact diagonalization of small systems in the regime of weak inter-chain coupling. A gapless phase with quasi long-range spiral correlations has been predicted to occur in this regime if easy-plane (XY) anisotropy is present. We find in general that the finite zig-zag ladder shows three phases: a gapless collinear phase, a dimer phase and a spiral phase. We study the level crossings of the spectrum,the dimer correlation function, the structure factor and the spin stiffness within these phases, as well as at the transition points. As the inter-chain coupling decreases we observe a transition in the anisotropic XY case from a phase with a gap to a gapless phase that is best described by two decoupled antiferromagnetic chains. The isotropic and the anisotropic XY cases are found to be qualitatively the same, however, in the regime of weak inter-chain coupling for the small systems studied here. We attribute this to a finite-size effect in the isotropic zig-zag case that results from exponentially diverging antiferromagnetic correlations in the weak-coupling limit.Comment: to appear in Physical Review

NaIrO3 - A pentavalent post-perovskite

Sodium iridium(V) oxide, NaIrO3, was synthesized by a high pressure solid state method and recovered to ambient conditions. It is found to be isostructural with CaIrO3, the much-studied structural analogue of the high-pressure post-perovskite phase of MgSiO3. Among the oxide post-perovskites, NaIrO3 is the first example with a pentavalent cation. The structure consists of layers of corner- and edge-sharing IrO6 octahedra separated by layers of NaO8 bicapped trigonal prisms. NaIrO3 shows no magnetic ordering and resistivity measurements show non-metallic behavior. The crystal structure, electrical and magnetic properties are discussed and compared to known post-perovskites and pentavalent perovskite metal oxides.Comment: 22 pages, 5 figures. Submitted to Journal of Solid State Chemistr

Photo--assisted current and shot noise in the fractional quantum Hall effect

The effect of an AC perturbation on the shot noise of a fractional quantum Hall fluid is studied both in the weak and the strong backscattering regimes. It is known that the zero-frequency current is linear in the bias voltage, while the noise derivative exhibits steps as a function of bias. In contrast, at Laughlin fractions, the backscattering current and the backscattering noise both exhibit evenly spaced singularities, which are reminiscent of the tunneling density of states singularities for quasiparticles. The spacing is determined by the quasiparticle charge $\nu e$ and the ratio of the DC bias with respect to the drive frequency. Photo--assisted transport can thus be considered as a probe for effective charges at such filling factors, and could be used in the study of more complicated fractions of the Hall effect. A non-perturbative method for studying photo--assisted transport at $\nu=1/2$ is developed, using a refermionization procedure.Comment: 14 pages, 6 figure