Aura: Programming with Authorization and Audit

Standard programming models do not provide direct ways of managing secret or untrusted data. This is a problem because programmers must use ad hoc methods to ensure that secrets are not leaked and, conversely, that tainted data is not used to make critical decisions. This dissertation advocates integrating cryptography and language-based analyses in order to build programming environments for declarative information security, in which high-level specifications of confidentiality and integrity constraints are automatically enforced in hostile execution environments. This dissertation describes Aura, a family of programing languages which integrate functional programming, access control via authorization logic, automatic audit logging, and confidentially via encryption. Aura\u27s programming model marries an expressive, principled way to specify security policies with a practical policy-enforcement methodology that is well suited for auditing access grants and protecting secrets. Aura security policies are expressed as propositions in an authorization logic. Such logics are suitable for discussing delegation, permission, and other security-relevant concepts. Aura\u27s (dependent) type system cleanly integrates standard data types, like integers, with proofs of authorization-logic propositions; this lets programs manipulate authorization proofs just like ordinary values. In addition, security-relevant implementation details---like the creation of audit trails or the cryptographic representation of language constructs---can be handled automatically with little or no programmer intervention

A Cryptographic Decentralized Label Model

Information-flow security policies are an appealing way of specifying confidentiality and integrity policies in information systems. Most previous work on language-based security has assumed that programs run in a closed, managed environment and that they use potentially unsafe constructs, such as declassification, to interface to external communication channels, perhaps after encrypting data to preserve its confidentiality. This situation is unsatisfactory for systems that need to communicate over untrusted channels or use untrusted persistent storage, since the connection between the cryptographic mechanisms used in the untrusted environment and the abstract security labels used in the trusted language environment is ad hoc and unclear. This paper addresses this problem in three ways: First, it presents a simple, security-typed language with a novel mechanism called packages that provides an abstract means for creating opaque objects and associating them with security labels; well-typed programs in this language enforce noninterference. Second, it shows how to implement these packages using public-key cryptography. This implementation strategy uses a variant of Myers and Liskov\u27s decentralized label model, which supports a rich label structure in which mutually distrusting data owners can specify independent confidentiality and integrity requirements. Third, it demonstrates that this implementation of packages is sound with respect to Dolev-Yao style attackers-such an attacker cannot determine the contents of a package without possessing the appropriate keys, as determined by the security label on the package

Self-Identifying Sensor Data

Public-use sensor datasets are a useful scientific resource with the unfortunate feature that their provenance is easily disconnected from their content. To address this we introduce a technique to directly associate provenance information with sensor datasets. Our technique is similar to traditional watermarking but is intended for application to unstructured datasets. Our approach is potentially imperceptible given sufficient margins of error in datasets, and is robust to a number of benign but likely transformations including truncation, rounding, bit-flipping, sampling, and reordering. We provide algorithms for both one-bit and blind mark checking. Our algorithms are probabilistic in nature and are characterized by a combinatorial analysis.Engineering and Applied Science

A bulk-mass-modeling-based method for retrieving particulate matter pollution using CALIOP observations

In this proof-of-concept paper, we apply a bulk-mass-modeling method using observations from the NASA Cloud-Aerosol Lidar with Orthogonal Polarization (CALIOP) instrument for retrieving particulate matter (PM) concentration over the contiguous United States (CONUS) over a 2-year period (2008–2009). Different from previous approaches that rely on empirical relationships between aerosol optical depth (AOD) and PM2.5 (PM with particle diameters less than 2.5 µm), for the first time, we derive PM2.5 concentrations, during both daytime and nighttime, from near-surface CALIOP aerosol extinction retrievals using bulk mass extinction coefficients and model-based hygroscopicity. Preliminary results from this 2-year study conducted over the CONUS show a good agreement (r2∼0.48; mean bias of −3.3 µg m−3) between the averaged nighttime CALIOP-derived PM2.5 and ground-based PM2.5 (with a lower r2 of ∼0.21 for daytime; mean bias of −0.4 µg m−3), suggesting that PM concentrations can be obtained from active-based spaceborne observations with reasonable accuracy. Results from sensitivity studies suggest that accurate aerosol typing is needed for applying CALIOP measurements for PM2.5 studies. Lastly, the e-folding correlation length for surface PM2.5 is found to be around 600 km for the entire CONUS (∼300 km for western CONUS and ∼700 km for eastern CONUS), indicating that CALIOP observations, although sparse in spatial coverage, may still be applicable for PM2.5 studies

Self-Identifying Data for Fair Use

Public-use earth science datasets are a useful resource with the unfortunate feature that their provenance is easily disconnected from their content. “Fair-use policies” typically associated with these datasets require appropriate attribution of providers by users, but sound and complete attribution is difficult if provenance information is lost. To address this we introduce a technique to directly associate provenance information with sensor datasets. Our technique is similar to traditional watermarking but is intended for application to unstructured time-series datasets. Our approach is potentially imperceptible given sufficient margins of error in datasets, and is robust to a number of benign but likely transformations including truncation, rounding, bit-flipping, sampling, and reordering. We provide algorithms for both one-bit and blind mark checking, and show how our system can be adapted to various data representation types. Our algorithms are probabilistic in nature and are characterized by both combinatorial and empirical analyses. Mark embedding can be applied at any point in the data lifecycle, allowing adaptation of our scheme to social or scientific concerns.Engineering and Applied Science

A conserved morphogenetic mechanism for epidermal ensheathment of nociceptive sensory neurites.

Interactions between epithelial cells and neurons influence a range of sensory modalities including taste, touch, and smell. Vertebrate and invertebrate epidermal cells ensheath peripheral arbors of somatosensory neurons, including nociceptors, yet the developmental origins and functional roles of this ensheathment are largely unknown. Here, we describe an evolutionarily conserved morphogenetic mechanism for epidermal ensheathment of somatosensory neurites. We found that somatosensory neurons in Drosophila and zebrafish induce formation of epidermal sheaths, which wrap neurites of different types of neurons to different extents. Neurites induce formation of plasma membrane phosphatidylinositol 4,5-bisphosphate microdomains at nascent sheaths, followed by a filamentous actin network, and recruitment of junctional proteins that likely form autotypic junctions to seal sheaths. Finally, blocking epidermal sheath formation destabilized dendrite branches and reduced nociceptive sensitivity in Drosophila. Epidermal somatosensory neurite ensheathment is thus a deeply conserved cellular process that contributes to the morphogenesis and function of nociceptive sensory neurons

Local lung hypoxia determines epithelial fate decisions during alveolar regeneration.

After influenza infection, lineage-negative epithelial progenitors (LNEPs) exhibit a binary response to reconstitute epithelial barriers: activating a Notch-dependent ΔNp63/cytokeratin 5 (Krt5) remodelling program or differentiating into alveolar type II cells (AEC2s). Here we show that local lung hypoxia, through hypoxia-inducible factor (HIF1α), drives Notch signalling and Krt5pos basal-like cell expansion. Single-cell transcriptional profiling of human AEC2s from fibrotic lungs revealed a hypoxic subpopulation with activated Notch, suppressed surfactant protein C (SPC), and transdifferentiation toward a Krt5pos basal-like state. Activated murine Krt5pos LNEPs and diseased human AEC2s upregulate strikingly similar core pathways underlying migration and squamous metaplasia. While robust, HIF1α-driven metaplasia is ultimately inferior to AEC2 reconstitution in restoring normal lung function. HIF1α deletion or enhanced Wnt/β-catenin activity in Sox2pos LNEPs blocks Notch and Krt5 activation, instead promoting rapid AEC2 differentiation and migration and improving the quality of alveolar repair

Flow and retreat of the Late Quaternary Pine Island-Thwaites palaeo-ice stream, West Antarctica

Multibeam swath bathymetry and sub-bottom profiler data are used to establish constraints on the flow and retreat history of a major palaeo-ice stream that carried the combined discharge from the parts of the West Antarctic Ice Sheet now occupied by the Pine Island and Thwaites glacier basins. Sets of highly elongated bedforms show that, at the last glacial maximum, the route of the Pine Island-Thwaites palaeo-ice stream arced north-northeast following a prominent cross-shelf trough. In this area, the grounding line advanced to within similar to 68 km of, and probably reached, the shelf edge. Minimum ice thickness is estimated at 715 m on the outer shelf, and we estimate a minimum ice discharge of similar to 108 km(3) yr(-1) assuming velocities similar to today's Pine Island glacier (similar to 2.5 km yr(-1)). Additional bed forms observed in a trough northwest of Pine Island Bay likely formed via diachronous ice flows across the outer shelf and demonstrate switching ice stream behavior. The "style" of ice retreat is also evident in five grounding zone wedges, which suggest episodic deglaciation characterized by halts in grounding line migration up-trough. Stillstands occurred in association with changes in ice bed gradient, and phases of inferred rapid retreat correlate to higher bed slopes, supporting theoretical studies that show bed geometry as a control on ice margin recession. However, estimates that individual wedges could have formed within several centuries still imply a relatively rapid overall retreat. Our findings show that the ice stream channeled a substantial fraction of West Antarctica's discharge in the past, just as the Pine Island and Thwaites glaciers do today

Minimum Aerosol Layer Detection Sensitivities and Their Subsequent Impacts on Aerosol Optical Thickness Retrievals in CALIPSO Level 2 Data Products

Due to instrument sensitivities and algorithm detection limits, level 2 (L2) Cloud-Aerosol Lidar with Orthogonal Polarization (CALIOP) 532 nm aerosol extinction profile retrievals are often populated with retrieval fill values (RFVs), which indicate the absence of detectable levels of aerosol within the profile. In this study, using 4 years (20072008 and 20102011) of CALIOP version 3 L2 aerosol data, the occurrence frequency of daytime CALIOP profiles containing all RFVs (all-RFV profiles) is studied. In the CALIOP data products, the aerosol optical thickness (AOT) of any all-RFV profile is reported as being zero, which may introduce a bias in CALIOP-based AOT climatologies. For this study, we derive revised estimates of AOT for all-RFV profiles using collocated Moderate Resolution Imaging Spectroradiometer (MODIS) Dark Target (DT) and, where available, AErosol RObotic NEtwork (AERONET) data. Globally, all-RFV profiles comprise roughly 71 % of all daytime CALIOP L2 aerosol profiles (i.e., including completely attenuated profiles), accounting for nearly half (45 %) of all daytime cloud-free L2 aerosol profiles. The mean collocated MODIS DT (AERONET) 550 nm AOT is found to be near 0.06 (0.08) for CALIOP all-RFV profiles. We further estimate a global mean aerosol extinction profile, a so-called noise floor, for CALIOP all-RFV profiles. The global mean CALIOP AOT is then recomputed by replacing RFV values with the derived noise-floor values for both all-RFV and non-all-RFV profiles. This process yields an improvement in the agreement of CALIOP and MODIS over-ocean AOT

Population dynamics of sporogony for Plasmodium vivax parasites from western Thailand developing within three species of colonized Anopheles mosquitoes

BACKGROUND: The population dynamics of Plasmodium sporogony within mosquitoes consists of an early phase where parasite abundance decreases during the transition from gametocyte to oocyst, an intermediate phase where parasite abundance remains static as oocysts, and a later phase where parasite abundance increases during the release of progeny sporozoites from oocysts. Sporogonic development is complete when sporozoites invade the mosquito salivary glands. The dynamics and efficiency of this developmental sequence were determined in laboratory strains of Anopheles dirus, Anopheles minimus and Anopheles sawadwongporni mosquitoes for Plasmodium vivax parasites circulating naturally in western Thailand. METHODS: Mosquitoes were fed blood from 20 symptomatic Thai adults via membrane feeders. Absolute densities were estimated for macrogametocytes, round stages (= female gametes/zygotes), ookinetes, oocysts, haemolymph sporozoites and salivary gland sporozoites. From these census data, five aspects of population dynamics were analysed; 1) changes in life-stage prevalence during early sporogony, 2) kinetics of life-stage formation, 3) efficiency of life-stage transitions, 4) density relationships between successive life-stages, and 5) parasite aggregation patterns. RESULTS: There was no difference among the three mosquito species tested in total losses incurred by P. vivax populations during early sporogony. Averaged across all infections, parasite populations incurred a 68-fold loss in abundance, with losses of ca. 19-fold, 2-fold and 2-fold at the first (= gametogenesis/fertilization), second (= round stage transformation), and third (= ookinete migration) life-stage transitions, respectively. However, total losses varied widely among infections, ranging from 6-fold to over 2,000-fold loss. Losses during gametogenesis/fertilization accounted for most of this variability, indicating that gametocytes originating from some volunteers were more fertile than those from other volunteers. Although reasons for such variability were not determined, gametocyte fertility was not correlated with blood haematocrit, asexual parasitaemia, gametocyte density or gametocyte sex ratio. Round stages and ookinetes were present in mosquito midguts for up to 48 hours and development was asynchronous. Parasite losses during fertilization and round stage differentiation were more influenced by factors intrinsic to the parasite and/or factors in the blood, whereas ookinete losses were more strongly influenced by mosquito factors. Oocysts released sporozoites on days 12 to 14, but even by day 22 many oocysts were still present on the midgut. The per capita production was estimated to be approximately 500 sporozoites per oocyst and approximately 75% of the sporozoites released into the haemocoel successfully invaded the salivary glands. CONCLUSION: The major developmental bottleneck in early sporogony occurred during the transition from macrogametocyte to round stage. Sporozoite invasion into the salivary glands was very efficient. Information on the natural population dynamics of sporogony within malaria-endemic areas may benefit intervention strategies that target early sporogony (e.g., transmission blocking vaccines, transgenic mosquitoes)