27 research outputs found
CHERI: A hybrid capability-system architecture for scalable software compartmentalization
CHERI extends a conventional RISC Instruction-Set Architecture, compiler, and operating system to support fine-grained, capability-based memory protection to mitigate memory-related vulnerabilities in C-language TCBs. We describe how CHERI capabilities can also underpin a hardware-software object-capability model for application compartmentalization that can mitigate broader classes of attack. Prototyped as an extension to the open-source 64-bit BERI RISC FPGA softcore processor, FreeBSD operating system, and LLVM compiler, we demonstrate multiple orders-of-magnitude improvement in scalability, simplified programmability, and resulting tangible security benefits as compared to compartmentalization based on pure Memory-Management Unit (MMU) designs. We evaluate incrementally deployable CHERI-based compartmentalization using several real-world UNIX libraries and applications.
We thank our colleagues Ross Anderson, Ruslan Bukin, Gregory Chadwick, Steve Hand, Alexandre Joannou, Chris Kitching, Wojciech Koszek, Bob Laddaga, Patrick Lincoln, Ilias Marinos, A Theodore Markettos, Ed Maste, Andrew W. Moore, Alan Mujumdar, Prashanth Mundkur, Colin Rothwell, Philip Paeps, Jeunese Payne, Hassen Saidi, Howie Shrobe, and Bjoern Zeeb, our anonymous reviewers, and shepherd Frank Piessens, for their feedback and assistance. This work is part of the CTSRD and MRC2 projects sponsored by the Defense Advanced Research Projects Agency (DARPA) and the Air Force Research Laboratory (AFRL), under contracts FA8750-10-C-0237 and FA8750-11-C-0249. The views, opinions, and/or findings contained in this paper are those of the authors and should not be interpreted as representing the official views or policies, either expressed or implied, of the Department of Defense or the U.S. Government. We acknowledge the EPSRC REMS Programme Grant [EP/K008528/1], Isaac Newton Trust, UK Higher Education Innovation Fund (HEIF), Thales E-Security, and Google, Inc.
This is the author accepted manuscript. The final version is available at http://dx.doi.org/10.1109/SP.2015.
Efficient tagged memory
We characterize the cache behavior of an in-memory tag table and demonstrate that an optimized implementation can typically achieve a near-zero memory traffic overhead. Both industry and academia have repeatedly demonstrated tagged memory as a key mechanism to enable enforcement of powerful security invariants, including capabilities, pointer integrity, watchpoints, and information-flow tracking. A single-bit tag shadowspace is the most commonly proposed requirement, as one bit is the minimum metadata needed to distinguish between an untyped data word and any number of new hardware-enforced types. We survey various tag shadowspace approaches and identify their common requirements and positive features of their implementations. To avoid non-standard memory widths, we identify the most practical implementation for tag storage to be an in-memory table managed next to the DRAM controller. We characterize the caching performance of such a tag table and demonstrate a DRAM traffic overhead below 5% for the vast majority of applications. We identify spatial locality on a page scale as the primary factor that enables surprisingly high table cache-ability. We then demonstrate tag-table compression for a set of common applications. A hierarchical structure with elegantly simple optimizations reduces DRAM traffic overhead to below 1% for most applications. These insights and optimizations pave the way for commercial applications making use of single-bit tags stored in commodity memory.
Parent-carer experiences using a peer support network: a qualitative study
This is the final version. Available on open access from BMC via the DOI in this record.
Availability of data and materials:
The datasets generated and/or analysed during the current study are not publicly available to maintain the privacy of participants but are available from the corresponding author on reasonable request.
Introduction
Parent-carers of children and young people (CYP) with mental health problems are at greater risk of poor outcomes, such as poor physical and mental health. Peer interventions for parent-carers of CYP with disabilities may improve parent-carer outcomes. This qualitative study investigates parent-carer experiences of using Parental Minds (PM), a multi-component peer support service for parent-carers of CYP with disabilities.
Methods
Twelve current service-users and four staff/volunteers at PM participated in one-to-one semi-structured interviews. All participants were white females, except for one service-user who was male. All interviews were recorded and transcribed verbatim. Thematic analysis of results was used to explore perceived benefits and disadvantages of PM and possible behaviour change mechanisms.
Results
Three themes and eight subthemes were identified. Participants identified that internal and external factors influence their self-concept. The identification of themselves as a priority, and empowerment by reassurance and affirmation lead to improved parent-carer self-efficacy and agency to better care for their CYP. Participants described the difficulty of speaking honestly with friends and family about what they experience because it is perceived as different to what “normal” parents experience. From participant accounts, PM enables the construction of a support network and links external services to help manage family circumstances rather than offer curative treatment/intervention. Proactive and immediate advice which is constantly and consistently available was valued by participants. Participants expressed the need for a flexible range of service components which provide holistic support that encompasses both health and social care.
Conclusions
PM was perceived to be beneficial as a multi-component peer support service which increases parenting self-efficacy and empowerment, reduces isolation, improves access to services, and is tailored to individual needs. Parent-carers reported benefits in parenting and wellbeing practices. The development of a refined logic model will inform a future study of the effectiveness of PM on parent-carer outcomes
Cornucopia: Temporal safety for CHERI heaps
Use-after-free violations of temporal memory safety continue to plague software systems, underpinning many high-impact exploits. The CHERI capability system shows great promise in achieving C and C++ language spatial memory safety, preventing out-of-bounds accesses. Enforcing language-level temporal safety on CHERI requires capability revocation, traditionally achieved either via table lookups (avoided for performance in the CHERI design) or by identifying capabilities in memory to revoke them (similar to a garbage-collector sweep). CHERIvoke, a prior feasibility study, suggested that CHERI’s tagged capabilities could make this latter strategy viable, but modeled only architectural limits and did not consider the full implementation or evaluation of the approach. Cornucopia is a lightweight capability revocation system for CHERI that implements non-probabilistic C/C++ temporal memory safety for standard heap allocations. It extends the CheriBSD virtual-memory subsystem to track capability flow through memory and provides a concurrent kernel-resident revocation service that is amenable to multi-processor and hardware acceleration. We demonstrate an average overhead of less than 2% and a worst-case of 8.9% for concurrent
revocation on compatible SPEC CPU2006 benchmarks on a multi-core CHERI CPU on FPGA, and we validate Cornucopia against the Juliet test suite’s corpus of temporally unsafe programs. We test its compatibility
with a large corpus of C programs by using a revoking allocator as the system allocator while booting multi-user CheriBSD. Cornucopia is a viable strategy for always-on temporal heap memory safety, suitable for production environments.
This work was supported by the Defense Advanced Research Projects Agency (DARPA) and the Air Force Research Laboratory (AFRL), under contracts FA8750-10-C-0237 (“CTSRD”) and HR0011-18-C-0016 (“ECATS”). We also acknowledge the EPSRC REMS Programme Grant (EP/K008528/1), the ABP Grant (EP/P020011/1), the ERC ELVER Advanced Grant (789108), the Gates Cambridge Trust, Arm Limited, HP Enterprise, and Google, Inc.
CheriABI: Enforcing Valid Pointer Provenance and Minimizing Pointer Privilege in the POSIX C Run-time Environment
The CHERI architecture allows pointers to be implemented as capabilities (rather than integer virtual addresses) in a manner that is compatible with, and strengthens, the semantics of the C language. In addition to the spatial protections offered by conventional fat pointers, CHERI capabilities offer strong integrity, enforced provenance validity, and access monotonicity. The stronger guarantees of these architectural capabilities must be reconciled with the real-world behavior of operating systems, run-time environments, and applications. When the process model, user-kernel interactions, dynamic linking, and memory management are all considered, we observe that simple derivation of architectural capabilities is insufficient to describe appropriate access to memory. We bridge this conceptual gap with a notional abstract capability that describes the accesses that should be allowed at a given point in execution, whether in the kernel or userspace. To investigate this notion at scale, we describe the first adaptation of a full C-language operating system (FreeBSD) with an enterprise database (PostgreSQL) for complete spatial and referential memory safety. We show that awareness of abstract capabilities, coupled with CHERI architectural capabilities, can provide more complete protection, strong compatibility, and acceptable performance overhead compared with the pre-CHERI baseline and software-only approaches. Our observations also have potentially significant implications for other mitigation techniques.
This work was supported by the Defense Advanced Research Projects Agency (DARPA) and the Air Force Research Laboratory (AFRL), under contracts FA8750-10-C-0237 (“CTSRD”) and HR0011-18-C-0016 (“ECATS”). The views, opinions, and/or findings contained in this report are those of the authors and should not be interpreted as representing the official views or policies of the Department of Defense or the U.S. Government. We also acknowledge the EPSRC REMS Programme Grant (EP/K008528/1), the ERC ELVER Advanced Grant (789108), Arm Limited, HP Enterprise, and Google, Inc. Approved for Public Release, Distribution Unlimited.
Exploring UK medical school differences: the MedDifs study of selection, teaching, student and F1 perceptions, postgraduate outcomes and fitness to practise
BACKGROUND: Medical schools differ, particularly in their teaching, but it is unclear whether such differences matter, although influential claims are often made. The Medical School Differences (MedDifs) study brings together a wide range of measures of UK medical schools, including postgraduate performance, fitness to practise issues, specialty choice, preparedness, satisfaction, teaching styles, entry criteria and institutional factors. METHOD: Aggregated data were collected for 50 measures across 29 UK medical schools. Data include institutional history (e.g. rate of production of hospital and GP specialists in the past), curricular influences (e.g. PBL schools, spend per student, staff-student ratio), selection measures (e.g. entry grades), teaching and assessment (e.g. traditional vs PBL, specialty teaching, self-regulated learning), student satisfaction, Foundation selection scores, Foundation satisfaction, postgraduate examination performance and fitness to practise (postgraduate progression, GMC sanctions). Six specialties (General Practice, Psychiatry, Anaesthetics, Obstetrics and Gynaecology, Internal Medicine, Surgery) were examined in more detail. RESULTS: Medical school differences are stable across time (median alpha = 0.835). The 50 measures were highly correlated, 395 (32.2%) of 1225 correlations being significant with p < 0.05, and 201 (16.4%) reached a Tukey-adjusted criterion of p < 0.0025. Problem-based learning (PBL) schools differ on many measures, including lower performance on postgraduate assessments. While these are in part explained by lower entry grades, a surprising finding is that schools such as PBL schools which reported greater student satisfaction with feedback also showed lower performance at postgraduate examinations. More medical school teaching of psychiatry, surgery and anaesthetics did not result in more specialist trainees. 
Schools that taught more general practice did have more graduates entering GP training, but those graduates performed less well in MRCGP examinations, the negative correlation resulting from numbers of GP trainees and exam outcomes being affected both by non-traditional teaching and by greater historical production of GPs. Postgraduate exam outcomes were also higher in schools with more self-regulated learning, but lower in larger medical schools. A path model for 29 measures found a complex causal nexus, most measures causing or being caused by other measures. Postgraduate exam performance was influenced by earlier attainment, at entry to Foundation and entry to medical school (the so-called academic backbone), and by self-regulated learning. Foundation measures of satisfaction, including preparedness, had no subsequent influence on outcomes. Fitness to practise issues were more frequent in schools producing more male graduates and more GPs. CONCLUSIONS: Medical schools differ in large numbers of ways that are causally interconnected. Differences between schools in postgraduate examination performance, training problems and GMC sanctions have important implications for the quality of patient care and patient safety
The Analysis of Teaching of Medical Schools (AToMS) survey: an analysis of 47,258 timetabled teaching events in 25 UK medical schools relating to timing, duration, teaching formats, teaching content, and problem-based learning
BACKGROUND: What subjects UK medical schools teach, what ways they teach subjects, and how much they teach those subjects is unclear. Whether teaching differences matter is a separate, important question. This study provides a detailed picture of timetabled undergraduate teaching activity at 25 UK medical schools, particularly in relation to problem-based learning (PBL). METHOD: The Analysis of Teaching of Medical Schools (AToMS) survey used detailed timetables provided by 25 schools with standard 5-year courses. Timetabled teaching events were coded in terms of course year, duration, teaching format, and teaching content. Ten schools used PBL. Teaching times from timetables were validated against two other studies that had assessed GP teaching and lecture, seminar, and tutorial times. RESULTS: A total of 47,258 timetabled teaching events in the academic year 2014/2015 were analysed, including SSCs (student-selected components) and elective studies. A typical UK medical student receives 3960 timetabled hours of teaching during their 5-year course. There was a clear difference between the initial 2 years which mostly contained basic medical science content and the later 3 years which mostly consisted of clinical teaching, although some clinical teaching occurs in the first 2 years. Medical schools differed in duration, format, and content of teaching. Two main factors underlay most of the variation between schools, Traditional vs PBL teaching and Structured vs Unstructured teaching. A curriculum map comparing medical schools was constructed using those factors. PBL schools differed on a number of measures, having more PBL teaching time, fewer lectures, more GP teaching, less surgery, less formal teaching of basic science, and more sessions with unspecified content. DISCUSSION: UK medical schools differ in both format and content of teaching. PBL and non-PBL schools clearly differ, albeit with substantial variation within groups, and overlap in the middle. 
The important question of whether differences in teaching matter in terms of outcomes is analysed in a companion study (MedDifs) which examines how teaching differences relate to university infrastructure, entry requirements, student perceptions, and outcomes in Foundation Programme and postgraduate training
Effects of pretreatments of Napier Grass with deionized water, sulfuric acid and sodium hydroxide on pyrolysis oil characteristics
The depletion of fossil fuel reserves has led to
increasing interest in liquid bio-fuel from renewable biomass. Biomass is a complex organic material consisting of
different degrees of cellulose, hemicellulose, lignin,
extractives and minerals. Some of the mineral elements
tend to retard conversions, yield and selectivity during
pyrolysis processing. This study is focused on the extraction of mineral retardants from Napier grass using deionized water, dilute sodium hydroxide and sulfuric acid and subsequent pyrolysis in a fixed bed reactor. The raw biomass was characterized before and after each pretreatment
following standard procedure. Pyrolysis study was conducted
in a fixed bed reactor at 600 °C, 30 °C/min and 30 mL/min N2 flow. Pyrolysis oil (bio-oil) collected was analyzed using standard analytic techniques. The bio-oil yield and characteristics from each pretreated sample were compared with oil from the non-pretreated sample. Bio-oil
yield from the raw sample was 32.06 wt% compared to
38.71, 33.28 and 29.27 wt% oil yield recorded from the
sample pretreated with sulfuric acid, deionized water and
sodium hydroxide respectively. GC–MS analysis of the oil
samples revealed that the oil from all the pretreated biomass had more value added chemicals and less ketones and
aldehydes. Pretreatment with neutral solvent generated
valuable leachate, showed significant impact on the ash
extraction, pyrolysis oil yield, and its composition and
therefore can be regarded as more appropriate for thermochemical conversion of Napier grass
Changes in grassland management and linear infrastructures associated to the decline of an endangered bird population
European grassland birds are experiencing major population declines, mainly due to changes in
farmland management. We analyzed the role of habitat availability, grazing management and
linear infrastructures (roads and power lines) in explaining spatial and temporal variation in the
population density of little bustards (Tetrax tetrax) in Portugal, during a decade in which the species
population size halved. We used data from 51 areas (totaling ca. 1,50,000 ha) that were sampled
in two different periods (2003–2006 and 2016). In 2003–2006, when the species occurred at high
densities, habitat availability was the only factor affecting spatial variation in bustard density. In the
2016 survey, variation in density was explained by habitat availability and livestock management,
with reduced bird numbers in areas with higher proportions of cattle. Population declines across the
study period were steeper in areas that initially held higher densities of bustards and in areas with a
higher proportion of cattle in the total stocking rate. Areas with higher densities of power lines also
registered greater density declines, probably due to avoidance behavior and to increased mortality.
Overall, our results show little bustards are currently lacking high quality grassland habitat, whose
persistence depends on extensive grazing regimes and low linear infrastructure densities.