Proving the Absence of Microarchitectural Timing Channels

Microarchitectural timing channels are a major threat to computer security. A set of OS mechanisms called time protection was recently proposed as a principled way of preventing information leakage through such channels and prototyped in the seL4 microkernel. We formalise time protection and the underlying hardware mechanisms in a way that allows linking them to the information-flow proofs that showed the absence of storage channels in seL4.Comment: Scott Buckley and Robert Sison were joint lead author

Cogent: uniqueness types and certifying compilation

This paper presents a framework aimed at significantly reducing the cost of proving functional correctness for low-level operating systems components. The framework is designed around a new functional programming language, Cogent. A central aspect of the language is its uniqueness type system, which eliminates the need for a trusted runtime or garbage collector while still guaranteeing memory safety, a crucial property for safety and security. Moreover, it allows us to assign two semantics to the language: The first semantics is imperative, suitable for efficient C code generation, and the second is purely functional, providing a user-friendly interface for equational reasoning and verification of higher-level correctness properties. The refinement theorem connecting the two semantics allows the compiler to produce a proof via translation validation certifying the correctness of the generated C code with respect to the semantics of the Cogent source program. We have demonstrated the effectiveness of our framework for implementation and for verification through two file system implementations

Cogent: uniqueness types and certifying compilation.

This paper presents a framework aimed at significantly reducing the cost of proving functional correctness for low-level operating systems components. The framework is designed around a new functional programming language, Cogent. A central aspect of the language is its uniqueness type system, which eliminates the need for a trusted runtime or garbage collector while still guaranteeing memory safety, a crucial property for safety and security. Moreover, it allows us to assign two semantics to the language: The first semantics is imperative, suitable for efficient C code generation, and the second is purely functional, providing a user-friendly interface for equational reasoning and verification of higher-level correctness properties. The refinement theorem connecting the two semantics allows the compiler to produce a proof via translation validation certifying the correctness of the generated C code with respect to the semantics of the Cogent source program. We have demonstrated the effectiveness of our framework for implementation and for verification through two file system implementations

Lassie: HOL4 Tactics by Example

Proof engineering efforts using interactive theorem proving have yielded several impressive projects in software systems and mathematics. A key obstacle to such efforts is the requirement that the domain expert is also an expert in the low-level details in constructing the proof in a theorem prover. In particular, the user needs to select a sequence of tactics that lead to a successful proof, a task that in general requires knowledge of the exact names and use of a large set of tactics. We present Lassie, a tactic framework for the HOL4 theorem prover that allows individual users to define their own tactic language by example and give frequently used tactics or tactic combinations easier-to-remember names. The core of Lassie is an extensible semantic parser, which allows the user to interactively extend the tactic language through a process of definitional generalization. Defining tactics in Lassie thus does not require any knowledge in implementing custom tactics, while proofs written in Lassie retain the correctness guarantees provided by the HOL4 system. We show through case studies how Lassie can be used in small and larger proofs by novice and more experienced interactive theorem prover users, and how we envision it to ease the learning curve in a HOL4 tutorial

Ibrutinib added to 10-day decitabine for older patients with AML and higher risk MDS

The treatment of older, unfit patients with acute myeloid leukemia (AML) is challenging. Based on preclinical data of Bruton tyrosine kinase expression/phosphorylation and ibrutinib cytotoxicity in AML blasts, we conducted a randomized phase 2 multicenter study to assess the tolerability and efficacy of the addition of ibrutinib to 10-day decitabine in unfit (ie, Hematopoietic Cell Transplantation Comorbidity Index ≥3) AML patients and higher risk myelodysplasia patients (HOVON135/SAKK30/15 trial). In total, 144 eligible patients were randomly (1:1) assigned to either 10-day decitabine combined with ibrutinib (560 mg; sequentially given, starting the day after the last dose of decitabine) (n = 72) or to 10-day decitabine (n = 72). The addition of ibrutinib was well tolerated, and the number of adverse events was comparable for both arms. In the decitabine plus ibrutinib arm, 41% reached complete remission/complete remission with incomplete hematologic recovery (CR/CRi), the median overall survival (OS) was 11 months, and 2-year OS was 27%; these findings compared with 50% CR/CRi, median OS of 11.5 months, and 2-year OS of 21% for the decitabine group (not significant). Extensive molecular profiling at diagnosis revealed that patients with STAG2, IDH2, and ASXL1 mutations had significantly lower CR/CRi rates, whereas patients with mutations in TP53 had significantly higher CR/CRi rates. Furthermore, multicolor flow cytometry revealed that after 3 cycles of treatment, 28 (49%) of 57 patients with available bone marrow samples had no measurable residual disease. In this limited number of cases, measurable residual disease revealed no apparent impact on event-free survival and OS. In conclusion, the addition of ibrutinib does not improve the therapeutic efficacy of decitabine. This trial was registered at the Netherlands Trial Register (NL5751 [NTR6017]) and has EudraCT number 2015-002855-85

Comparison of Gene Expression Profiles in Chromate Transformed BEAS-2B Cells

Hexavalent chromium [Cr(VI)] is a potent human carcinogen. Occupational exposure has been associated with increased risk of respiratory cancer. Multiple mechanisms have been shown to contribute to Cr(VI) induced carcinogenesis, including DNA damage, genomic instability, and epigenetic modulation, however, the molecular mechanism and downstream genes mediating chromium's carcinogenicity remain to be elucidated.We established chromate transformed cell lines by chronic exposure of normal human bronchial epithelial BEAS-2B cells to low doses of Cr(VI) followed by anchorage-independent growth. These transformed cell lines not only exhibited consistent morphological changes but also acquired altered and distinct gene expression patterns compared with normal BEAS-2B cells and control cell lines (untreated) that arose spontaneously in soft agar. Interestingly, the gene expression profiles of six Cr(VI) transformed cell lines were remarkably similar to each other yet differed significantly from that of either control cell lines or normal BEAS-2B cells. A total of 409 differentially expressed genes were identified in Cr(VI) transformed cells compared to control cells. Genes related to cell-to-cell junction were upregulated in all Cr(VI) transformed cells, while genes associated with the interaction between cells and their extracellular matrices were down-regulated. Additionally, expression of genes involved in cell proliferation and apoptosis were also changed.This study is the first to report gene expression profiling of Cr(VI) transformed cells. The gene expression changes across individual chromate exposed clones were remarkably similar to each other but differed significantly from the gene expression found in anchorage-independent clones that arose spontaneously. Our analysis identified many novel gene expression changes that may contribute to chromate induced cell transformation, and collectively this type of information will provide a better understanding of the mechanism underlying chromate carcinogenicity