96 research outputs found

    EffectiveSan: Type and Memory Error Detection using Dynamically Typed C/C++

    Low-level programming languages with weak/static type systems, such as C and C++, are vulnerable to errors relating to the misuse of memory at runtime, such as (sub-)object bounds overflows, (re)use-after-free, and type confusion. Such errors account for many security and other undefined behavior bugs for programs written in these languages. In this paper, we introduce the notion of dynamically typed C/C++, which aims to detect such errors by dynamically checking the "effective type" of each object before use at runtime. We also present an implementation of dynamically typed C/C++ in the form of the Effective Type Sanitizer (EffectiveSan). EffectiveSan enforces type and memory safety using a combination of low-fat pointers, type metadata and type/bounds check instrumentation. We evaluate EffectiveSan against the SPEC2006 benchmark suite and the Firefox web browser, and detect several new type and memory errors. We also show that EffectiveSan achieves high compatibility and reasonable overheads for the given error coverage. Finally, we highlight that EffectiveSan is one of only a few tools that can detect sub-object bounds errors, and uses a novel approach (dynamic type checking) to do so. Comment: To appear in the Proceedings of 39th ACM SIGPLAN Conference on Programming Language Design and Implementation (PLDI2018)

    The ground state energy of a spinor field in the background of a finite radius flux tube

    We develop a formalism for the calculation of the ground state energy of a spinor field in the background of a cylindrically symmetric magnetic field. The energy is expressed in terms of the Jost function of the associated scattering problem. Uniform asymptotic expansions needed are obtained from the Lippmann-Schwinger equation. The general results derived are applied to the background of a finite radius flux tube with a homogeneous magnetic field inside and the ground state energy is calculated numerically as a function of the radius and the flux. It turns out to be negative, remaining smaller by a factor of $\alpha$ than the classical energy of the background except for very small values of the radius which are outside the range of applicability of QED. Comment: 25 pages, 3 figures

    Validation of Memory Accesses Through Symbolic Analyses

    The C programming language does not prevent out-of-bounds memory accesses. There exist several techniques to secure C programs; however, these methods tend to slow down these programs substantially, because they populate the binary code with runtime checks. To deal with this problem, we have designed and tested two static analyses - symbolic region and range analysis - which we combine to remove the majority of these guards. In addition to the analyses themselves, we bring two other contributions. First, we describe live range splitting strategies that improve the efficiency and the precision of our analyses. Secondly, we show how to deal with integer overflows, a phenomenon that can compromise the correctness of static algorithms that validate memory accesses. We validate our claims by incorporating our findings into AddressSanitizer. We generate SPEC CINT 2006 code that is 17% faster and 9% more energy efficient than the code produced originally by this tool. Furthermore, our approach is 50% more effective than Pentagons, a state-of-the-art analysis to sanitize memory accesses.

    Locating Vulnerabilities in Binaries via Memory Layout Recovering

    Locating vulnerabilities is an important task for security auditing, exploit writing, and code hardening. However, it is challenging to locate vulnerabilities in binary code, because most program semantics (e.g., boundaries of an array) are missing after compilation. Without program semantics, it is difficult to determine whether a memory access exceeds its valid boundaries in binary code. In this work, we propose an approach to locate vulnerabilities based on memory layout recovery. First, we collect a set of passed executions and one failed execution. Then, for passed and failed executions, we restore their program semantics by recovering fine-grained memory layouts based on the memory addressing model. With the memory layouts recovered in passed executions as reference, we can locate vulnerabilities in the failed execution by memory layout identification and comparison. Our experiments show that the proposed approach is effective at locating vulnerabilities in 24 out of 25 of DARPA's CGC programs (96%), and can effectively classify 453 program crashes (in 5 Linux programs) into 19 groups based on their root causes.

    The role of molecular genetic alterations in predicting the efficacy of adjuvant intravesical therapy for non-muscle-invasive bladder cancer

    Bladder cancer (BC) is represented by non-muscle-invasive forms at the stages Ta, T1, CIS (NMBC) in 75 % of cases. The gold standard of treatment for NMBC patients is transurethral resection, but it does not always relieve the patient of recurrence of the disease. For this reason, patients with a low risk of progression after transurethral resection are given intravesical chemotherapy, and those with a high risk (T1G2/3) are given instillations of BCG (Bacillus Calmette–Guerin) vaccine. The search for NMBC markers for laboratory diagnostics that would help to determine sensitivity or resistance to the planned type of adjuvant therapy remains a pressing problem. This work reviews data, published mainly in the last 5–7 years, on genetic predictors of the response to adjuvant chemotherapy and, to a greater extent, immunotherapy with BCG vaccine. Allele combinations in genes involved in the immune response, xenobiotic biotransformation and other loci that are associated with the response to adjuvant NMBC therapy in meta-analyses are systematized. Expression profiles of mRNA, microRNA and proteins, as well as panels of methylated loci associated with the effectiveness of chemotherapy and immunotherapy of NMBC, are also considered. It was demonstrated that sequencing of somatic mutations in the primary tumor and of the total mutational load using high-throughput sequencing technologies (NGS) identified a number of potential prognostic markers. Perhaps, after standardization of the analysis, the mutational load will be more widely used as a highly informative predictor of immunotherapeutic effect in BC: BCG therapy of NMBC and BC targeted therapy using inhibitors of immune checkpoints.
    This review is intended for oncologists, geneticists, molecular biologists, urologists, pathologists and other specialists working in the field of molecular genetics in oncological urology.

    Prospect
