On Ladder Logic Bombs in Industrial Control Systems

In industrial control systems, devices such as Programmable Logic Controllers (PLCs) are commonly used to directly interact with sensors and actuators, and perform local automatic control. PLCs run software on two different layers: a) firmware (i.e. the OS) and b) control logic (processing sensor readings to determine control actions). In this work, we discuss ladder logic bombs, i.e. malware written in ladder logic (or one of the other IEC 61131-3-compatible languages). Such malware would be inserted by an attacker into existing control logic on a PLC, and either persistently change the behavior, or wait for specific trigger signals to activate malicious behaviour. For example, the LLB could replace legitimate sensor readings with manipulated values. We see the concept of LLBs as a generalization of attacks such as the Stuxnet attack. We introduce LLBs on an abstract level, and then demonstrate several designs based on real PLC devices in our lab. In particular, we also focus on stealthy LLBs, i.e. LLBs that are hard to detect by human operators manually validating the program running in PLCs. In addition to introducing vulnerabilities on the logic layer, we also discuss countermeasures and we propose two detection techniques.Comment: 11 pages, 14 figures, 2 tables, 1 algorith

Event-Driven Network Programming

Software-defined networking (SDN) programs must simultaneously describe static forwarding behavior and dynamic updates in response to events. Event-driven updates are critical to get right, but difficult to implement correctly due to the high degree of concurrency in networks. Existing SDN platforms offer weak guarantees that can break application invariants, leading to problems such as dropped packets, degraded performance, security violations, etc. This paper introduces EVENT-DRIVEN CONSISTENT UPDATES that are guaranteed to preserve well-defined behaviors when transitioning between configurations in response to events. We propose NETWORK EVENT STRUCTURES (NESs) to model constraints on updates, such as which events can be enabled simultaneously and causal dependencies between events. We define an extension of the NetKAT language with mutable state, give semantics to stateful programs using NESs, and discuss provably-correct strategies for implementing NESs in SDNs. Finally, we evaluate our approach empirically, demonstrating that it gives well-defined consistency guarantees while avoiding expensive synchronization and packet buffering

A normal stress subgrid-scale eddy viscosity model in large eddy simulation

The Smagorinsky subgrid-scale eddy viscosity model (SGS-EVM) is commonly used in large eddy simulations (LES) to represent the effects of the unresolved scales on the resolved scales. This model is known to be limited because its constant must be optimized in different flows, and it must be modified with a damping function to account for near-wall effects. The recent dynamic model is designed to overcome these limitations but is compositionally intensive as compared to the traditional SGS-EVM. In a recent study using direct numerical simulation data, Horiuti has shown that these drawbacks are due mainly to the use of an improper velocity scale in the SGS-EVM. He also proposed the use of the subgrid-scale normal stress as a new velocity scale that was inspired by a high-order anisotropic representation model. The testing of Horiuti, however, was conducted using DNS data from a low Reynolds number channel flow simulation. It was felt that further testing at higher Reynolds numbers and also using different flows (other than wall-bounded shear flows) were necessary steps needed to establish the validity of the new model. This is the primary motivation of the present study. The objective is to test the new model using DNS databases of high Reynolds number channel and fully developed turbulent mixing layer flows. The use of both channel (wall-bounded) and mixing layer flows is important for the development of accurate LES models because these two flows encompass many characteristic features of complex turbulent flows

Optimal Conditional Expectation at the Video Poker Game Jacks or Better

There are 134,459 distinct initial hands at the video poker game Jacks or Better, taking suit exchangeability into account. A computer program can determine the optimal strategy (i.e., which cards to hold) for each such hand, but a complete list of these strategies would require a book-length manuscript. Instead, a hand-rank table, which fits on a single page and reproduces the optimal strategy perfectly, was found for Jacks or Better as early as the mid 1990s. Is there a systematic way to derive such a hand-rank table? We show that there is indeed, and it involves finding the exact optimal conditional expected return, given the initial hand. In the case of Jacks or Better (paying 800, 50, 25, 9, 6, 4, 3, 2, 1, 0), this is a random variable with 1,153 distinct values, of which 766 correspond to garbage hands for which it is optimal to draw five new cards. We describe the hands corresponding to each of the remaining 387 values of the optimal conditional expected return (sorted from largest to smallest) and show how this leads readily to an optimal strategy hand-rank table for Jacks or Better. Of course, the method applies to other video poker games as well

Trends in Real Food Prices in Six Sub-Saharan African Countries

Demand and Price Analysis, Downloads July 2008-July 2009: 12,

Formation of Five-Dimensional String Solutions from the Gravitational Collapse

We study the formation of five-dimensional string solutions including the Gregory-Laflamme (GL) black string, the Kaluza-Klein (KK) bubble, and the geometry with a naked singularity from the gravitational collapse. The interior solutions of five-dimensional Einstein equations describe collapsing non-isotropic matter clouds. It is shown that the matter cloud always forms the GL black string solution while the KK bubble solution cannot be formed. The numerical study seems to suggest that the collapsing matter forms the geometries with timelike naked curvature singularities, which should be taken cautiously as the general relativity is not reliable in the strong curvature regime.Comment: 17 pages, 10 figures, LaTeX, to appear in Class. Quant. Grav., a appendix and some discussions added, title change

Absorption cross section and Hawking radiation in two-dimensional AdS black hole

We calculate the absorption coefficient of scalar field on the background of the two-dimensional AdS black hole, which is of relevance to Hawking radiation. For the massless scalar field, we find that there does not exist any massless radiation.Comment: 6 pages, revtex, no figure