Pointer Provenance in a Capability Architecture

We design and implement a framework for tracking pointer provenance, using our CHERI fat-pointer capability architec- ture to facilitate analysis of security implications of program pointer flows in both user and privileged code, with mini- mal instrumentation. CHERI enforces pointer provenance validity at the architectural level, in the presence of complex pointer arithmetic and type casting. CHERI present new op- portunities for provenance research: we discuss use cases and highlight lessons and open questions from our work.DARPA/AFRL FA8750-10-C-0237, Google Chrome University Research Program Awar

Exploring C semantics and pointer provenance

The semantics of pointers and memory objects in C has been a vexed question for many years. C values cannot be treated as either purely abstract or purely concrete entities: the language exposes their representations, but compiler optimisations rely on analyses that reason about provenance and initialisation status, not just runtime representations. The ISO WG14 standard leaves much of this unclear, and in some respects differs with de facto standard usage - which itself is difficult to investigate. In this paper we explore the possible source-language semantics for memory objects and pointers, in ISO C and in C as it is used and implemented in practice, focussing especially on pointer provenance. We aim to, as far as possible, reconcile the ISO C standard, mainstream compiler behaviour, and the semantics relied on by the corpus of existing C code. We present two coherent proposals, tracking provenance via integers and not; both address many design questions. We highlight some pros and cons and open questions, and illustrate the discussion with a library of test cases. We make our semantics executable as a test oracle, integrating it with the Cerberus semantics for much of the rest of C, which we have made substantially more complete and robust, and equipped with a web-interface GUI. This allows us to experimentally assess our proposals on those test cases. To assess their viability with respect to larger bodies of C code, we analyse the changes required and the resulting behaviour for a port of FreeBSD to CHERI, a research architecture supporting hardware capabilities, which (roughly speaking) traps on the memory safety violations which our proposals deem undefined behaviour. We also develop a new runtime instrumentation tool to detect possible provenance violations in normal C code, and apply it to some of the SPEC benchmarks. We compare our proposal with a source-language variant of the twin-allocation LLVM semantics proposal of Lee et al. Finally, we describe ongoing interactions with WG14, exploring how our proposals could be incorporated into the ISO standard

CHERI Concentrate: Practical Compressed Capabilities

We present CHERI Concentrate, a new fat-pointer compression scheme applied to CHERI, the most developed capability-pointer system at present. Capability fat-pointers are a primary candidate for enforcing fine-grained and non-bypassable security properties in future computer systems, although increased pointer size can severely affect performance. Thus, several proposals for capability compression have been suggested but these did not support legacy instruction sets, ignored features critical to the existing software base, and also introduced design inefficiencies to RISC-style processor pipelines. CHERI Concentrate improves on the state-of-the-art region-encoding efficiency, solves important pipeline problems, and eases semantic restrictions of compressed encoding, allowing it to protect a full legacy software stack. We analyze and extend logic from the open-source CHERI prototype processor design on FPGA to demonstrate encoding efficiency, minimize delay of pointer arithmetic, and eliminate additional load-to-use delay. To verify correctness of our proposed high-performance logic, we present a HOL4 machine-checked proof of the decode and pointer-modify operations. Finally, we measure a 50%-75% reduction in L2 misses for many compiled C-language benchmarks running under a commodity operating system using compressed 128-bit and 64-bit formats, demonstrating both compatibility with and increased performance over the uncompressed, 256-bit format

Thunderclap: Exploring Vulnerabilities in Operating System IOMMU Protection via DMA from Untrustworthy Peripherals

Direct Memory Access (DMA) attacks have been known for many years: DMA-enabled I/O peripherals have complete access to the state of a computer and can fully compromise it including reading and writing all of system memory. With the popularity of Thunderbolt 3 over USB Type-C and smart internal devices, opportunities for these attacks to be performed casually with only seconds of physical access to a computer have greatly broadened. In response, commodity hardware and operating-system (OS) vendors have incorporated support for Input-Output Memory Management Units (IOMMUs), which impose memory protection on DMA, and are widely believed to protect against DMA attacks. We investigate the state-of-the-art in IOMMU protection across OSes using a novel I/O security research platform, and find that current protections fall short when faced with a functional network peripheral that uses its complex interactions with the OS for ill intent, and demonstrate compromises against macOS, FreeBSD, and Linux, which notionally utilize IOMMUs to protect against DMA attackers. Windows only uses the IOMMU in limited cases and remains vulnerable. Using Thunderclap, an open-source FPGA research platform we built, we explore a number of novel exploit techniques to expose new classes of OS vulnerability. The complex vulnerability space for IOMMU-exposed shared memory available to DMA-enabled peripherals allows attackers to extract private data (sniffing cleartext VPN traffic) and hijack kernel control flow (launching a root shell) in seconds using devices such as USB-C projectors or power adapters. We have worked closely with OS vendors to remedy these vulnerability classes, and they have now shipped substantial feature improvements and mitigations as a result of our work.DARPA I2O FA8750-10-C-0237 ("CTSRD") DARPA MTO HR0011- 18-C-0016 ("ECATS") Arm Ltd Google Inc This work was also supported by EPSRC EP/R012458/1 (“IOSEC”)

CHERI JNI: Sinking the Java Security Model into the C

Java provides security and robustness by building a high- level security model atop the foundation of memory protection. Unfortunately, any native code linked into a Java program – including the million lines used to implement the standard library – is able to bypass both the memory protection and the higher-level policies. We present a hardware-assisted implementation of the Java native code interface, which extends the guarantees required for Java’s security model to native code. Our design supports safe direct access to buffers owned by the JVM, including hardware-enforced read-only access where appropriate. We also present Java language syntax to declaratively describe isolated compartments for native code. We show that it is possible to preserve the memory safety and isolation requirements of the Java security model in C code, allowing native code to run in the same process as Java code with the same impact on security as running equivalent Java code. Our approach has a negligible impact on performance, compared with the existing unsafe native code interface. We demonstrate a prototype implementation running on the CHERI microprocessor synthesized in FPGA.Defense Advanced Research Projects Agency Google, Inc. Isaac Newton Trust Thales E-Securit

Purification and functional characterisation of rhiminopeptidase A, a novel aminopeptidase from the venom of Bitis gabonica rhinoceros

This study describes the discovery and characterisation of a novel aminopeptidase A from the venom of B. g. rhinoceros and highlights its potential biological importance. Similar to mammalian aminopeptidases, rhiminopeptidase A might be capable of playing roles in altering the blood pressure and brain function of victims. Furthermore, it could have additional effects on the biological functions of other host proteins by cleaving their N-terminal amino acids. This study points towards the importance of complete analysis of individual components of snake venom in order to develop effective therapies for snake bites

Transcriptional recapitulation and subversion of embryonic colon development by mouse colon tumor models and human colon cancer

Colon tumors from four independent mouse models and 100 human colorectal cancers all exhibited striking recapitulation of embryonic colon gene expression from embryonic days 13.5-18.5

Can social dancing prevent falls in older adults? a protocol of the Dance, Aging, Cognition,Economics (DAnCE) fall prevention randomised controlled trial

Background:  Falls are one of the most common health problems among older people and pose a major economic burden on health care systems. Exercise is an accepted stand-alone fall prevention strategy particularly if it is balance training or regular participation in Tai chi. Dance shares the ‘holistic’ approach of practices such as Tai chi. It is a complex sensorimotor rhythmic activity integrating multiple physical, cognitive and social elements. Small-scale randomised controlled trials have indicated that diverse dance styles can improve measures of balance and mobility in older people, but none of these studies has examined the effect of dance on falls or cognition. This study aims to determine whether participation in social dancing: i) reduces the number of falls; and ii) improves cognitive functions associated with fall risk in older people. Methods/design: A single-blind, cluster randomised controlled trial of 12 months duration will be conducted. Approximately 450 participants will be recruited from 24 self-care retirement villages that house at least 60 residents each in Sydney, Australia. Village residents without cognitive impairment and obtain medical clearance will be eligible. After comprehensive baseline measurements including physiological and cognitive tests and self-completed questionnaires, villages will be randomised to intervention sites (ballroom or folk dance) or to a wait-listed control using a computer randomisation method that minimises imbalances between villages based on two baseline fall risk measures. Main outcome measures are falls, prospectively measured, and the Trail Making cognitive function test. Cost-effectiveness and cost-utility analyses will be performed. Discussion: This study offers a novel approach to balance training for older people. As a community-based approach to fall prevention, dance offers older people an opportunity for greater social engagement, thereby making a major contribution to healthy ageing. Providing diversity in exercise programs targeting seniors recognises the heterogeneity of multicultural populations and may further increase the number of taking part in exercise

Minimal information for studies of extracellular vesicles 2018 (MISEV2018):a position statement of the International Society for Extracellular Vesicles and update of the MISEV2014 guidelines

The last decade has seen a sharp increase in the number of scientific publications describing physiological and pathological functions of extracellular vesicles (EVs), a collective term covering various subtypes of cell-released, membranous structures, called exosomes, microvesicles, microparticles, ectosomes, oncosomes, apoptotic bodies, and many other names. However, specific issues arise when working with these entities, whose size and amount often make them difficult to obtain as relatively pure preparations, and to characterize properly. The International Society for Extracellular Vesicles (ISEV) proposed Minimal Information for Studies of Extracellular Vesicles (“MISEV”) guidelines for the field in 2014. We now update these “MISEV2014” guidelines based on evolution of the collective knowledge in the last four years. An important point to consider is that ascribing a specific function to EVs in general, or to subtypes of EVs, requires reporting of specific information beyond mere description of function in a crude, potentially contaminated, and heterogeneous preparation. For example, claims that exosomes are endowed with exquisite and specific activities remain difficult to support experimentally, given our still limited knowledge of their specific molecular machineries of biogenesis and release, as compared with other biophysically similar EVs. The MISEV2018 guidelines include tables and outlines of suggested protocols and steps to follow to document specific EV-associated functional activities. Finally, a checklist is provided with summaries of key points

klf2ash317 Mutant Zebrafish Do Not Recapitulate Morpholino-Induced Vascular and Haematopoietic Phenotypes.

INTRODUCTION AND OBJECTIVES: The zinc-finger transcription factor Krϋppel-like factor 2 (KLF2) transduces blood flow into molecular signals responsible for a wide range of responses within the vasculature. KLF2 maintains a healthy, quiescent endothelial phenotype. Previous studies report a range of phenotypes following morpholino antisense oligonucleotide-induced klf2a knockdown in zebrafish. Targeted genome editing is an increasingly applied method for functional assessment of candidate genes. We therefore generated a stable klf2a mutant zebrafish and characterised its cardiovascular and haematopoietic development. METHODS AND RESULTS: Using Transcription Activator-Like Effector Nucleases (TALEN) we generated a klf2a mutant (klf2ash317) with a 14bp deletion leading to a premature stop codon in exon 2. Western blotting confirmed loss of wild type Klf2a protein and the presence of a truncated protein in klf2ash317 mutants. Homozygous klf2ash317 mutants exhibit no defects in vascular patterning, survive to adulthood and are fertile, without displaying previously described morphant phenotypes such as high-output cardiac failure, reduced haematopoetic stem cell (HSC) development or impaired formation of the 5th accessory aortic arch. Homozygous klf2ash317 mutation did not reduce angiogenesis in zebrafish with homozygous mutations in von Hippel Lindau (vhl), a form of angiogenesis that is dependent on blood flow. We examined expression of three klf family members in wildtype and klf2ash317 zebrafish. We detected vascular expression of klf2b (but not klf4a or biklf/klf4b/klf17) in wildtypes but found no differences in expression that might account for the lack of phenotype in klf2ash317 mutants. klf2b morpholino knockdown did not affect heart rate or impair formation of the 5th accessory aortic arch in either wildtypes or klf2ash317 mutants. CONCLUSIONS: The klf2ash317 mutation produces a truncated Klf2a protein but, unlike morpholino induced klf2a knockdown, does not affect cardiovascular development