339 research outputs found
Enter Sandbox: Android Sandbox Comparison
Expecting the shipment of 1 billion Android devices in 2017, cyber criminals
have naturally extended their vicious activities towards Google's mobile
operating system. With an estimated number of 700 new Android applications
released every day, keeping control over malware is an increasingly challenging
task. In recent years, a vast number of static and dynamic code analysis
platforms for analyzing Android applications and making decisions regarding
their maliciousness have been introduced in academia and in the commercial
world. These platforms differ heavily in terms of feature support and
application properties being analyzed. In this paper, we give an overview of
the state-of-the-art dynamic code analysis platforms for Android and evaluate
their effectiveness with samples from known malware corpora as well as known
Android bugs like Master Key. Our results indicate a low level of diversity in
analysis platforms resulting from code reuse that leaves the evaluated systems
vulnerable to evasion. Furthermore, the Master Key bugs could be exploited by
malware to hide malicious behavior from the sandboxes.
Comment: In Proceedings of the Third Workshop on Mobile Security Technologies
(MoST) 2014 (http://arxiv.org/abs/1410.6674)
TRRespass: Exploiting the Many Sides of Target Row Refresh
After a plethora of high-profile RowHammer attacks, CPU and DRAM vendors
scrambled to deliver what was meant to be the definitive hardware solution
against the RowHammer problem: Target Row Refresh (TRR). A common belief among
practitioners is that, for the latest generation of DDR4 systems that are
protected by TRR, RowHammer is no longer an issue in practice. However, in
reality, very little is known about TRR. In this paper, we demystify the inner
workings of TRR and debunk its security guarantees. We show that what is
advertised as a single mitigation mechanism is actually a series of different
solutions coalesced under the umbrella term TRR. We inspect and disclose, via a
deep analysis, different existing TRR solutions and demonstrate that modern
implementations operate entirely inside DRAM chips. Despite the difficulties of
analyzing in-DRAM mitigations, we describe novel techniques for gaining
insights into the operation of these mitigation mechanisms. These insights
allow us to build TRRespass, a scalable black-box RowHammer fuzzer. TRRespass
shows that even the latest generation DDR4 chips with in-DRAM TRR, immune to
all known RowHammer attacks, are often still vulnerable to new TRR-aware
variants of RowHammer that we develop. In particular, TRRespass finds that, on
modern DDR4 modules, RowHammer is still possible when many aggressor rows are
used (as many as 19 in some cases), with a method we generally refer to as
Many-sided RowHammer. Overall, our analysis shows that 13 out of the 42 modules
from all three major DRAM vendors are vulnerable to our TRR-aware RowHammer
access patterns, and thus one can still mount existing state-of-the-art
RowHammer attacks. In addition to DDR4, we also experiment with LPDDR4 chips
and show that they are susceptible to RowHammer bit flips too. Our results
provide concrete evidence that the pursuit of better RowHammer mitigations must
continue.
Comment: 16 pages, 16 figures, in proceedings IEEE S&P 202
VPS: Excavating high-level C++ constructs from low-level binaries to protect dynamic dispatching
Polymorphism and inheritance make C++ suitable for writing complex software, but significantly increase the attack surface because the implementation relies on virtual function tables (vtables). These vtables contain function pointers that attackers can potentially hijack, and in practice, vtable hijacking is one of the most important attack vectors for C++ binaries. In this paper, we present VTable Pointer Separation (vps), a practical binary-level defense against vtable hijacking in C++ applications. Unlike previous binary-level defenses, which rely on unsound static analyses to match classes to virtual callsites, vps achieves a more accurate protection by restricting virtual callsites to validly created objects. More specifically, vps ensures that virtual callsites can only use objects created at valid object construction sites, and only if those objects can reach the callsite. Moreover, vps explicitly prevents false positives (falsely identified virtual callsites) from breaking the binary, an issue existing work does not handle correctly or at all. We evaluate the prototype implementation of vps on a diverse set of complex, real-world applications (MongoDB, MySQL server, Node.js, SPEC CPU2017/CPU2006), showing that our approach protects on average 97.8% of all virtual callsites in SPEC CPU2006 and 97.4% in SPEC CPU2017 (all C++ benchmarks), with a moderate performance overhead of 11% and 9% geomean, respectively. Furthermore, our evaluation reveals 86 false negatives in VTV, a popular source-based defense which is part of GCC.
Who Should Fill Out a Pediatric PROM? Psychometric Assessment From a Clinical Perspective in 567 Children With a Cleft
Background: The CLEFT-Q is a questionnaire developed for patients with a cleft lip and/or palate (CL/P). Numerous scales have been implemented as part of the ICHOM Standard Set for CL/P. Although validated for completion by patients only, clinicians noted that caregivers are often involved in completion of the scales. The aim of the study was to promote further standardization of Patient Reported Outcome Measures (PROMs) in pediatric patients by examining the preferences of patients and parents concerning the reporter type. Moreover, possible discrepancies in outcomes between reporter types were explored. Methods: Data from 567 patients with CL/P and their caregivers that completed scales of the CLEFT-Q questionnaire were collected. Reporter group sizes and proportions were examined at the ages of 8, 12, and 15 years to determine the preferred manner of completion. Mean outcomes were analyzed per scale at the 3 ages, and compared between the 3 reporter groups: “patient,” “caregiver,” and “together.” Results: In all age-groups, the majority completed the PROMs together. Concerning the reporter types per age-group, an upward trend was seen in the proportion of patients that completed the scales alone. In the caregiver group, a downward trend was observed, and the highest proportion of parents that completed the scales was found at age 8. No significant differences were found between the reporter types in any of the scales. Conclusion: Even if a PROM questionnaire is validated for patient report only, it is recommended to record the reporter type when a pediatric PROM is completed. In order to capture outcomes that represent the patient’s voice validly and reliably, though with support of the caregiver, a pediatric PROM should be filled out by the patient alone and thereafter evaluated with the caregiver(s). Concerning the CLEFT-Q, there seems to be demand for a validated parent-version of the scales.
Water and Dust Emission from W Hydrae
We construct a self-consistent model for the wind around W Hya by solving the
coupled equations describing the hydrodynamics and dust radiative transfer
problems. The model matches simultaneously the observed continuum radiation and
wind velocity profile. The water line emission is calculated next using the
water abundance as the only free parameter, fitted from the ISO observations of
Neufeld et al. (1996) and Barlow et al. (1996). The gas temperature is
determined from a thermal balance calculation that includes water as one of its
main components. Our model successfully fits all the observed water lines,
resolving a major discrepancy between the modeling results of the two observing
teams. The mass loss rate is 2.3 x 10^{-6} M_solar yr^{-1}, the water abundance
is 1.0 x 10^{-4} and the ortho:para ratio is 1:1.3.
Comment: 5 pages, 3 figures, uses aastex.cls and emulateapj5.sty, accepted by
ApJ Letter
Devil is Virtual: Reversing Virtual Inheritance in C++ Binaries
Complexities that arise from implementation of object-oriented concepts in
C++ such as virtual dispatch and dynamic type casting have attracted the
attention of attackers and defenders alike.
Binary-level defenses are dependent on full and precise recovery of class
inheritance tree of a given program.
While current solutions focus on recovering single and multiple inheritances
from the binary, they are oblivious to virtual inheritance. Conventional wisdom
among binary-level defenses is that virtual inheritance is uncommon and/or
support for single and multiple inheritances provides implicit support for
virtual inheritance. In this paper, we show neither to be true.
Specifically, (1) we present an efficient technique to detect virtual
inheritance in C++ binaries and show through a study that virtual inheritance
can be found in a non-negligible number (more than 10% on Linux and 12.5% on
Windows) of real-world C++ programs including MySQL and libstdc++. (2) We show
that failure to handle virtual inheritance introduces both false positives and
false negatives in the hierarchy tree. These false positives and negatives
either introduce attack surface when the hierarchy recovered is used to enforce
CFI policies, or make the hierarchy difficult to understand when it is needed
for program understanding (e.g., during decompilation). (3) We present a
solution to recover virtual inheritance from COTS binaries. We recover a
maximum of 95% and 95.5% (GCC -O0) and a minimum of 77.5% and 73.8% (Clang
-O2) of virtual and intermediate bases respectively in the virtual inheritance
tree.
Comment: Accepted at CCS20. This is a technical report versio
Rehabilitation and outcomes after complicated vs uncomplicated mild TBI: results from the CENTER-TBI study
Background: Despite existing guidelines for managing mild traumatic brain injury (mTBI), evidence-based treatments are still scarce and large-scale studies on the provision and impact of specific rehabilitation services are needed. This study aimed to describe the provision of rehabilitation to patients after complicated and uncomplicated mTBI and investigate factors associated with functional outcome, symptom burden, and TBI-specific health-related quality of life (HRQOL) up to six months after injury. Methods: Patients (n = 1379) with mTBI from the Collaborative European NeuroTrauma Effectiveness Research in TBI (CENTER-TBI) study who reported whether they received rehabilitation services during the first six months post-injury and who participated in outcome assessments were included. Functional outcome was measured with the Glasgow Outcome Scale – Extended (GOSE), symptom burden with the Rivermead Post Concussion Symptoms Questionnaire (RPQ), and HRQOL with the Quality of Life after Brain Injury – Overall Scale (QOLIBRI-OS). We examined whether transition of care (TOC) pathways, receiving rehabilitation services, sociodemographic (incl. geographic), premorbid, and injury-related factors were associated with outcomes using regression models. For easy comparison, we estimated ordinal regression models for all outcomes where the scores were classified based on quantiles. Results: Overall, 43% of patients with complicated and 20% with uncomplicated mTBI reported receiving rehabilitation services, primarily in physical and cognitive domains. Patients with complicated mTBI had lower functional level, higher symptom burden, and lower HRQOL compared to uncomplicated mTBI. Rehabilitation services at three or six months and a higher number of TOC were associated with unfavorable outcomes in all models, in addition to pre-morbid psychiatric problems. Being male and having more than 13 years of education was associated with more favorable outcomes. 
Sustaining major trauma was associated with unfavorable GOSE outcome, whereas living in Southern and Eastern European regions was associated with lower HRQOL. Conclusions: Patients with complicated mTBI reported more unfavorable outcomes and received rehabilitation services more frequently. Receiving rehabilitation services and higher number of care transitions were indicators of injury severity and associated with unfavorable outcomes. The findings should be interpreted carefully and validated in future studies as we applied a novel analytic approach. Trial registration: ClinicalTrials.gov NCT02210221.
Antimicrobial resistance among migrants in Europe: a systematic review and meta-analysis
BACKGROUND: Rates of antimicrobial resistance (AMR) are rising globally and there is concern that increased migration is contributing to the burden of antibiotic resistance in Europe. However, the effect of migration on the burden of AMR in Europe has not yet been comprehensively examined. Therefore, we did a systematic review and meta-analysis to identify and synthesise data for AMR carriage or infection in migrants to Europe to examine differences in patterns of AMR across migrant groups and in different settings. METHODS: For this systematic review and meta-analysis, we searched MEDLINE, Embase, PubMed, and Scopus with no language restrictions from Jan 1, 2000, to Jan 18, 2017, for primary data from observational studies reporting antibacterial resistance in common bacterial pathogens among migrants to 21 European Union-15 and European Economic Area countries. To be eligible for inclusion, studies had to report data on carriage or infection with laboratory-confirmed antibiotic-resistant organisms in migrant populations. We extracted data from eligible studies and assessed quality using piloted, standardised forms. We did not examine drug resistance in tuberculosis and excluded articles solely reporting on this parameter. We also excluded articles in which migrant status was determined by ethnicity, country of birth of participants' parents, or was not defined, and articles in which data were not disaggregated by migrant status. Outcomes were carriage of or infection with antibiotic-resistant organisms. We used random-effects models to calculate the pooled prevalence of each outcome. The study protocol is registered with PROSPERO, number CRD42016043681. FINDINGS: We identified 2274 articles, of which 23 observational studies reporting on antibiotic resistance in 2319 migrants were included. 
The pooled prevalence of any AMR carriage or AMR infection in migrants was 25·4% (95% CI 19·1-31·8; I2 =98%), including meticillin-resistant Staphylococcus aureus (7·8%, 4·8-10·7; I2 =92%) and antibiotic-resistant Gram-negative bacteria (27·2%, 17·6-36·8; I2 =94%). The pooled prevalence of any AMR carriage or infection was higher in refugees and asylum seekers (33·0%, 18·3-47·6; I2 =98%) than in other migrant groups (6·6%, 1·8-11·3; I2 =92%). The pooled prevalence of antibiotic-resistant organisms was slightly higher in high-migrant community settings (33·1%, 11·1-55·1; I2 =96%) than in migrants in hospitals (24·3%, 16·1-32·6; I2 =98%). We did not find evidence of high rates of transmission of AMR from migrant to host populations. INTERPRETATION: Migrants are exposed to conditions favouring the emergence of drug resistance during transit and in host countries in Europe. Increased antibiotic resistance among refugees and asylum seekers and in high-migrant community settings (such as refugee camps and detention facilities) highlights the need for improved living conditions, access to health care, and initiatives to facilitate detection of and appropriate high-quality treatment for antibiotic-resistant infections during transit and in host countries. Protocols for the prevention and control of infection and for antibiotic surveillance need to be integrated in all aspects of health care, which should be accessible for all migrant groups, and should target determinants of AMR before, during, and after migration. FUNDING: UK National Institute for Health Research Imperial Biomedical Research Centre, Imperial College Healthcare Charity, the Wellcome Trust, and UK National Institute for Health Research Health Protection Research Unit in Healthcare-associated Infections and Antimicrobial Resistance at Imperial College London
How do 66 European institutional review boards approve one protocol for an international prospective observational study on traumatic brain injury? Experiences from the CENTER-TBI study
Background: The European Union (EU) aims to optimize patient protection and efficiency of health-care research by harmonizing procedures across Member States. Nonetheless, further improvements are required to increase multicenter research efficiency. We investigated IRB procedures in a large prospective European multicenter study on traumatic brain injury (TBI), aiming to inform and stimulate initiatives to improve efficiency. Methods: We reviewed relevant documents regarding IRB submission and IRB approval from European neurotrauma centers participating in the Collaborative European NeuroTrauma Effectiveness Research in Traumatic Brain Injury (CENTER-TBI). Documents included detailed information on IRB procedures and the duration from IRB submission until approval(s). They were translated and analyzed to determine the level of harmonization of IRB procedures within Europe. Results: From 18 countries, 66 centers provided the requested documents. The primary IRB review was conducted centrally (N = 11, 61%) or locally (N = 7, 39%) and primary IRB approval was obtained after one (N = 8, 44%), two (N = 6, 33%) or three (N = 4, 23%) review rounds with a median duration of respectively 50 and 98 days until primary IRB approval. Additional IRB approval was required in 55% of countries and could increase duration to 535 days. Total duration from submission until required IRB approval was obtained was 114 days (IQR 75-224) and appeared to be shorter after submission to local IRBs compared to central IRBs (50 vs. 138 days, p = 0.0074). Conclusion: We found variation in IRB procedures between and within European countries. There were differences in submission and approval requirements, number of review rounds and total duration. Research collaborations could benefit from the implementation of more uniform legislation and regulation while acknowledging local cultural habits and moral values between countries.
Peer reviewe
- …