
    Toward least-privilege isolation for software

    Hackers leverage software vulnerabilities to disclose, tamper with, or destroy sensitive data. To protect sensitive data, programmers can adhere to the principle of least privilege, which entails giving software the minimal privilege it needs to operate and ensures that sensitive data is available to software components only on a strictly need-to-know basis. Unfortunately, applying this principle in practice is difficult, as current operating systems tend to provide coarse-grained mechanisms for limiting privilege. Thus, most applications today run with greater-than-necessary privileges. We propose sthreads, a set of operating system primitives that allows fine-grained isolation of software to approximate the least-privilege ideal. sthreads enforce a default-deny model, where software components have no privileges by default, so all privileges must be explicitly granted by the programmer. Experience introducing sthreads into previously monolithic applications (thus partitioning them) reveals that enumerating privileges for sthreads is difficult in practice. To ease the introduction of sthreads into existing code, we include Crowbar, a tool that can be used to learn the privileges required by a compartment. We show that only a few changes to existing code are necessary in order to partition applications with sthreads, and that Crowbar can guide the programmer through these changes. We show that applying sthreads to applications successfully narrows the attack surface by reducing the amount of code that can access sensitive data. Finally, we show that applications using sthreads pay only a small performance overhead. We applied sthreads to a range of applications, most notably an SSL web server, where we show that sthreads are powerful enough to protect sensitive data even against a strong adversary that can act as a man-in-the-middle in the network and also exploit most code in the web server, a threat model not addressed to date.

    Simple Opportunistic Encryption

    Network traffic encryption is becoming a requirement, not an option. Enabling encryption will be a communal effort, so a solution that gives partial benefits until fully deployed is needed. A solution that requires few changes to existing infrastructure will also help, as it can be quickly deployed to give immediate short-term benefits. We argue that tcpcrypt, a TCP option for opportunistic encryption, is the path of least resistance for a solution to large-scale traffic encryption. Tcpcrypt requires no changes to applications, is compatible with existing networks (works with NATs), and just works by default. It is high performance, so it can be deployed on servers without much concern. tcpcrypt attempts to maximize security for any given setting. By default, it will protect against passive eavesdropping, and it also allows detecting large-scale interception. With authentication, tcpcrypt can provide full security against active attackers, and so it is a complete solution both for the short term and the long term.

    Implementing mass rearing of trissolcus japonicus (Hymenoptera: Scelionidae) on cold-stored host eggs

    Halyomorpha halys (Stål) (Hemiptera: Pentatomidae), a pest of Asian origin, has been causing severe damage to Italian agriculture. The application of classical biological control by the release of Trissolcus japonicus (Ashmead) (Hymenoptera: Scelionidae), an exotic egg parasitoid, appears to be one promising solution. In Italy, releases of T. japonicus in the field were authorized in 2020. In this study, some parameters that could influence the rearing of T. japonicus in insectaries were investigated. A significantly higher production of progeny was observed on host eggs stored at 6 °C (86.5%) compared to −24 °C (48.8%) for up to two months prior to exposure to parasitism. There were no significant differences in progeny production from single females in a vial provided with only one egg mass (83.2%) or 10 females inside a cage with 6 egg masses (83.9%). The exposure of parasitoids to refrigerated (6 °C) egg masses of H. halys for 72 h led to a significantly higher production of progeny (62.1%) compared to shorter exposures of 48 h (44.0%) or 24 h (37.1%). A decline in production of progeny by the same female was detected between the first (62.1%) and the second parasitization (41.3%). Adult parasitoids stored at 16 °C for up to 90 days had an 87.1% survival rate, but a significant decrease in progeny production was detected. These parameters could be adjusted when rearing T. japonicus for specific aims such as the production of individuals for field release or colony maintenance.

    The Case for Ubiquitous Transport-Level Encryption

    Today, Internet traffic is encrypted only when deemed necessary. Yet modern CPUs could feasibly encrypt most traffic. Moreover, the cost of doing so will only drop over time. Tcpcrypt is a TCP extension designed to make end-to-end encryption of TCP traffic the default, not the exception. To facilitate adoption, tcpcrypt provides backwards compatibility with legacy TCP stacks and middleboxes. Because it is implemented in the transport layer, it protects legacy applications. However, it also provides a hook for integration with application-layer authentication, largely obviating the need for applications to encrypt their own network traffic and minimizing the need for duplication of functionality. Finally, tcpcrypt minimizes the cost of key negotiation on servers; a server using tcpcrypt can accept connections at 36 times the rate achieved using SSL.

    Secure Opportunistic Multipath Key Exchange

    The security of today's widely used communication security protocols is based on trust in Certificate Authorities (CAs). However, the real security of this approach is debatable, since certificate handling is tedious and many recent attacks have undermined the trust in CAs. On the other hand, opportunistic encryption protocols such as Tcpcrypt, which are currently gaining momentum as an alternative to no encryption, have similar security to using untrusted CAs or self-signed certificates: they only protect against passive attackers. In this paper, we present a key exchange protocol, Secure Multipath Key Exchange (SMKEX), that enables all the benefits of opportunistic encryption (no need for trusted third parties or pre-established secrets), as well as proven protection against some classes of active attackers. Furthermore, SMKEX can be easily extended to a trust-on-first-use setting and can be easily integrated with TLS, providing the highest security for opportunistic encryption to date while also increasing the security of standard TLS. We show that SMKEX is made practical by the current availability of path diversity between different ASes. We also show a method to create path diversity with encrypted tunnels without relying on the network topology. These allow SMKEX to provide protection against most adversaries for a majority of the Alexa top 100 web sites. We have implemented SMKEX using a modified Multipath TCP kernel implementation and a user library that overrides part of the socket API, allowing unmodified applications to take advantage of the security provided by SMKEX.

    Cetaceans in the Mediterranean Sea. Encounter rate, dominant species, and diversity hotspots

    We investigated the presence and diversity of cetaceans in the Mediterranean Sea, analysing the data collected by 32 different research units over a period of 15 years (2004–2018) and shared on the common web-GIS platform named Intercet. We used the encounter rate, the species prevalence, and the Shannon diversity index as parameters for data analysis. The results show that cetacean diversity, in the context of the Mediterranean basin, is generally quite low when compared with the eastern Atlantic, as a few species, namely the striped dolphin, the bottlenose dolphin, the fin whale, and the sperm whale, dominate over all the others. However, some areas, such as the Alboran Sea or the north-western Mediterranean Sea, which includes the Pelagos Sanctuary (the Specially Protected Area of Mediterranean Interest located in the northern portion of the western basin), show higher levels of diversity and should be considered hotspots to be preserved. Primary production and seabed profile seem to be the two main drivers influencing the presence and distribution of cetaceans, with the highest levels of diversity observed in areas characterized by high levels of primary production and high bathymetric variability and gradient. This collective work underlines the importance of data sharing to deepen our knowledge of marine fauna at the scale of the whole Mediterranean Sea and encourages greater efforts in the networking process, also to accomplish the requirements of the Marine Strategy Framework Directive, with particular reference to Descriptor 1: biological diversity is maintained.

    High Efficiency CdTe Solar Cells by Low Temperature Deposition with MgZnO HRT Layer

    CdTe solar cells have shown high efficiency and the technology is scalable. As a result, thin-film CdTe modules are competitive with crystalline silicon modules. Thin-film CdTe devices with efficiency above 22% have been reported using high substrate temperatures during the deposition process. It is known that high substrate temperatures result in large grain size with a reduced number of grain boundaries, and this is believed to contribute to the high efficiency. However, the use of high temperature requires robust substrates and excludes the use of most flexible substrate materials. It also involves higher energy consumption and more complicated machinery. In this work we present a process for high-efficiency solar cells with an improved front contact, by introducing a magnesium-doped zinc oxide high-resistance transparent (HRT) layer. By optimizing the fabrication process we have achieved a conversion efficiency exceeding 16%, which is one of the highest reported for substrate temperatures below 500 °C.