65 research outputs found

    In-Silico Patterning of Vascular Mesenchymal Cells in Three Dimensions

    Get PDF
    Cells organize in complex three-dimensional patterns by interacting with proteins along with the surrounding extracellular matrix. This organization provides the mechanical and chemical cues that ultimately influence a cell's differentiation and function. Here, we computationally investigate the pattern formation process of vascular mesenchymal cells arising from their interaction with Bone Morphogenic Protein-2 (BMP-2) and its inhibitor, Matrix Gla Protein (MGP). Using a first-principles approach, we derive a reaction-diffusion model based on the biochemical interactions of BMP-2, MGP and cells. Simulations of the model exhibit a wide variety of three-dimensional patterns not observed in a two-dimensional analysis. We demonstrate the emergence of three types of patterns: spheres, tubes, and sheets, and show that the patterns can be tuned by modifying parameters in the model such as the degradation rates of proteins and chemotactic coefficient of cells. Our model may be useful for improved engineering of three-dimensional tissue structures as well as for understanding three dimensional microenvironments in developmental processes.
    Funding: National Institutes of Health (U.S.) (GM69811); United States. Dept. of Energy (DOE CSGF fellowship

    Why Your Encrypted Database Is Not Secure

    Get PDF
    Encrypted databases, a popular approach to protecting data from compromised database management systems (DBMS's), use abstract threat models that capture neither realistic databases nor realistic attack scenarios. In particular, the "snapshot attacker" model used to support the security claims for many encrypted databases does not reflect the information about past queries available in any snapshot attack on an actual DBMS. We demonstrate how this gap between theory and reality causes encrypted databases to fail to achieve their "provable security" guarantees.

    Traps and Pitfalls: Practical Problems in System Call Interposition Based Security Tools

    No full text
    System call interposition is a powerful method for regulating and monitoring application behavior. In recent years, a wide variety of security tools have been developed that use this technique. This approach brings with it a host of pitfalls for the unwary implementer that, if overlooked, can allow the tool to be easily circumvented. To shed light on these problems, we present the lessons we learned in the course of several design and implementation cycles with our own system call interposition-based sandboxing tool. We first present some of the problems and pitfalls we encountered, including incorrectly replicating OS semantics, overlooking indirect paths to resources, race conditions, incorrectly subsetting a complex interface, and side effects of denying system calls. We then present some practical solutions to these problems, and provide general principles for avoiding the difficulties we encountered.
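    The "indirect paths to resources" pitfall from the abstract above, as an added example that is not code from the paper or its sandboxing tool. A monitor that compares the raw pathname argument of open(2) against a deny list is bypassed by "..", "." and doubled slashes; the hardened checker lexically canonicalises the path first and fails closed on anything it cannot normalise. The deny list, the path strings and the function names are assumptions made for the example. Symlinks and hard links are a further indirect path that lexical normalisation cannot see, and even a correct user-space check still leaves the race-condition pitfall the abstract names (the argument buffer can be rewritten between the monitor's check and the kernel's use), so a real tool must resolve and copy the path on the kernel side of that window.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Added example, not from the paper: naive vs. hardened path policy for a
 * system-call interposition monitor. Deny list and paths are hypothetical. */

#define PATH_MAX_LEN 4096

/* Hypothetical deny list: exact pathnames the sandbox refuses to open. */
static const char *DENIED[] = { "/etc/shadow", "/etc/passwd", NULL };

/* Naive policy: compares the raw open(2) argument against the deny list.
 * "/etc/../etc/shadow" is not on the list, so it is allowed. */
bool naive_policy_allows(const char *path) {
    for (int i = 0; DENIED[i]; i++)
        if (strcmp(path, DENIED[i]) == 0)
            return false;
    return true;
}

/* Lexically canonicalise an absolute path: collapse repeated slashes,
 * drop "." components, resolve ".." against the preceding component and
 * never climb above "/". Returns false for relative or oversized input.
 * Does NOT follow symlinks; that needs the kernel's namespace. */
bool canonicalize(const char *in, char *out, size_t outlen) {
    if (in[0] != '/' || outlen < 2) return false;
    size_t olen = 1;                       /* out always starts as "/" */
    out[0] = '/';
    const char *p = in;
    while (*p) {
        while (*p == '/') p++;             /* skip one or more slashes */
        if (!*p) break;
        const char *start = p;
        while (*p && *p != '/') p++;       /* find end of component */
        size_t clen = (size_t)(p - start);
        if (clen == 1 && start[0] == '.') continue;
        if (clen == 2 && start[0] == '.' && start[1] == '.') {
            /* pop the last component; "/" stays "/" */
            while (olen > 1 && out[olen - 1] != '/') olen--;
            if (olen > 1) olen--;          /* drop the separating slash */
            continue;
        }
        size_t sep = (olen > 1) ? 1 : 0;   /* no extra slash after root */
        if (olen + sep + clen + 1 > outlen) return false;
        if (sep) out[olen++] = '/';
        memcpy(out + olen, start, clen);
        olen += clen;
    }
    out[olen] = '\0';
    return true;
}

/* Hardened policy: canonicalise, then compare. Relative paths would need
 * the process's cwd to resolve, so here they are denied (fail closed). */
bool hardened_policy_allows(const char *path) {
    char canon[PATH_MAX_LEN];
    if (!canonicalize(path, canon, sizeof canon))
        return false;
    return naive_policy_allows(canon);
}

/* Helper for checking canonicalisation results by value. */
bool canon_equals(const char *in, const char *expected) {
    char buf[PATH_MAX_LEN];
    return canonicalize(in, buf, sizeof buf) && strcmp(buf, expected) == 0;
}

int main(void) {
    /* Constructed probe paths an attacker might pass to open(2). */
    const char *probes[] = {
        "/etc/shadow", "/etc/../etc/shadow", "/etc//./shadow",
        "/tmp/../etc/shadow", "/home/user/notes", NULL
    };
    for (int i = 0; probes[i]; i++)
        printf("%-22s naive=%-5s hardened=%s\n", probes[i],
               naive_policy_allows(probes[i]) ? "allow" : "deny",
               hardened_policy_allows(probes[i]) ? "allow" : "deny");
    return 0;
}
```

    Running the block prints one line per probe; only the literal "/etc/shadow" is refused by the naive policy, while the hardened policy refuses every spelling of it.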

    A Virtual Machine Introspection Based Architecture for Intrusion Detection

    No full text
    Today's architectures for intrusion detection force the IDS designer to make a difficult choice. If the IDS resides on the host, it has an excellent view of what is happening in that host's software, but is highly susceptible to attack. On the other hand, if the IDS resides in the network, it is more resistant to attack, but has a poor view of what is happening inside the host, making it more susceptible to evasion. In this paper we present an architecture that retains the visibility of a host-based IDS, but pulls the IDS outside of the host for greater attack resistance. We achieve this through the use of a virtual machine monitor. Using this approach allows us to isolate the IDS from the monitored host but still retain excellent visibility into the host's state. The VMM also offers us the unique ability to completely mediate interactions between the host software and the underlying hardware. We present a detailed study of our architecture, including Livewire, a prototype implementation. We demonstrate Livewire by implementing a suite of simple intrusion detection policies and using them to detect real attacks.

    When virtual is harder than real: Security challenges in virtual machine based computing environments

    No full text
    As virtual machines become pervasive, users will be able to create, modify and distribute new "machines" with unprecedented ease. This flexibility provides tremendous benefits for users. Unfortunately, it can also undermine many assumptions that today's relatively static security architectures rely on about the number of hosts in a system, their mobility, connectivity, patch cycle, etc. We examine a variety of security problems virtual computing environments give rise to. We then discuss potential directions for changing security architectures to adapt to these demands.

    Opportunistic measurement: Extracting insight from spurious traffic

    No full text
    While network measurement techniques are continually improving, representative network measurements are increasingly scarce. The issue is fundamentally one of access: either the points of interest are hidden, are unwilling, or are sufficiently many that representative analysis is daunting if not unattainable. In particular, much of the Internet's modern growth, in both size and complexity, is "protected" by NAT and firewall technologies that preclude the use of traditional measurement techniques. Thus, while we can see the shrinking visible portion of the Internet with ever-greater fidelity, the majority of the Internet remains invisible. We argue for a new approach to illuminate these hidden regions of the Internet: opportunistic measurement that leverages sources of "spurious" network traffic such as worms, misconfigurations, spam floods, and malicious automated scans. We identify a number of such sources and demonstrate their potential to provide measurement data at a far greater scale and scope than modern research sources. Most importantly, these sources provide insight into portions of the network unseen using traditional measurement approaches. Finally, we discuss the challenges of bias and noise that accompany any use of spurious network traffic.