CHERI: a research platform deconflating hardware virtualisation and protection

Contemporary CPU architectures conflate virtualization and protection, imposing virtualization-related performance, programmability, and debuggability penalties on software requiring finegrained protection. First observed in micro-kernel research, these problems are increasingly apparent in recent attempts to mitigate software vulnerabilities through application compartmentalisation. Capability Hardware Enhanced RISC Instructions (CHERI) extend RISC ISAs to support greater software compartmentalisation. CHERI’s hybrid capability model provides fine-grained compartmentalisation within address spaces while maintaining software backward compatibility, which will allow the incremental deployment of fine-grained compartmentalisation in both our most trusted and least trustworthy C-language software stacks. We have implemented a 64-bit MIPS research soft core, BERI, as well as a capability coprocessor, and begun adapting commodity software packages (FreeBSD and Chromium) to execute on the platform

Observational study to estimate the changes in the effectiveness of bacillus Calmette-Guérin (BCG) vaccination with time since vaccination for preventing tuberculosis in the UK.

Until recently, evidence that protection from the bacillus Calmette-Guérin (BCG) vaccination lasted beyond 10 years was limited. In the past few years, studies in Brazil and the USA (in Native Americans) have suggested that protection from BCG vaccination against tuberculosis (TB) in childhood can last for several decades. The UK's universal school-age BCG vaccination programme was stopped in 2005 and the programme of selective vaccination of high-risk (usually ethnic minority) infants was enhanced. To assess the duration of protection of infant and school-age BCG vaccination against TB in the UK. Two case-control studies of the duration of protection of BCG vaccination were conducted, the first on minority ethnic groups who were eligible for infant BCG vaccination 0-19 years earlier and the second on white subjects eligible for school-age BCG vaccination 10-29 years earlier. TB cases were selected from notifications to the UK national Enhanced Tuberculosis Surveillance system from 2003 to 2012. Population-based control subjects, frequency matched for age, were recruited. BCG vaccination status was established from BCG records, scar reading and BCG history. Information on potential confounders was collected using computer-assisted interviews. Vaccine effectiveness was estimated as a function of time since vaccination, using a case-cohort analysis based on Cox regression. In the infant BCG study, vaccination status was determined using vaccination records as recall was poor and concordance between records and scar reading was limited. A protective effect was seen up to 10 years following infant vaccination [< 5 years since vaccination: vaccine effectiveness (VE) 66%, 95% confidence interval (CI) 17% to 86%; 5-10 years since vaccination: VE 75%, 95% CI 43% to 89%], but there was weak evidence of an effect 10-15 years after vaccination (VE 36%, 95% CI negative to 77%; p = 0.396). The analyses of the protective effect of infant BCG vaccination were adjusted for confounders, including birth cohort and ethnicity. For school-aged BCG vaccination, VE was 51% (95% CI 21% to 69%) 10-15 years after vaccination and 57% (95% CI 33% to 72%) 15-20 years after vaccination, beyond which time protection appeared to wane. Ascertainment of vaccination status was based on self-reported history and scar reading. The difficulty in examining vaccination sites in older women in the high-risk minority ethnic study population and the sparsity of vaccine record data in the later time periods precluded robust assessment of protection from infant BCG vaccination > 10 years after vaccination. Infant BCG vaccination in a population at high risk for TB was shown to provide protection for at least 10 years, whereas in the white population school-age vaccination was shown to provide protection for at least 20 years. This evidence may inform TB vaccination programmes (e.g. the timing of administration of improved TB vaccines, if they become available) and cost-effectiveness studies. Methods to deal with missing record data in the infant study could be explored, including the use of scar reading. The National Institute for Health Research Health Technology Assessment programme. During the conduct of the study, Jonathan Sterne, Ibrahim Abubakar and Laura C Rodrigues received other funding from NIHR; Ibrahim Abubakar and Laura C Rodrigues have also received funding from the Medical Research Council. Punam Mangtani received funding from the Biotechnology and Biological Sciences Research Council

Significance of herpesvirus immediate early gene expression in cellular immunity to cytomegalovirus infection

Interstitial pneumonia linked with reactivation of latent human cytomegalovirus due to iatrogenic immunosuppression can be a serious complication of bone marrow transplantation therapy of aplastic anaemia and acute leukaemia1. Cellular immunity plays a critical role in the immune surveillance of inapparent cytomegalovirus infections in man and the mouse1−7. The molecular basis of latency, however, and the interaction between latently or recurrently infected cells and the immune system of the host are poorfy understood. We have detected a so far unknown antigen in the mouse model. This antigen is found in infected cells in association with the expression of the herpesvirus 'immediate early' genes and is recognized by cytolytic T lymphocytes (CTL)8. We now demonstrate that an unexpectedly high proportion of the CTL precursors generated in vivo during acute murine cytomegalovirus infection are specific for cells that selectively synthesize immediate early proteins, indicating an immunodominant role of viral non-structural proteins

High-Order Flux Reconstruction on Stretched and Warped Meshes

High-order computational fluid dynamics is gathering a broadening interest as a future industrial tool, with one such approach being flux reconstruction (FR). However, due to the need to mesh complex geometries if FR is to displace current lower?order methods, FR will likely have to be applied to stretched and warped meshes. Therefore, it is proposed that the analytical and numerical behaviors of FR on deformed meshes for both the one-dimensional linear advection and the two-dimensional Euler equations are investigated. The analytical foundation of this work is based on a modified von Neumann analysis for linearly deformed grids, which is presented. The temporal stability limits for linear advection on such grids are also explored analytically and numerically, with Courant?Friedrichs?Lewy (CFL) limits set out for several Runge?Kutta schemes, with the primary trend being that contracting mesh regions give rise to higher CFL limits, whereas expansion leads to lower CFL limits. Lastly, the benchmarks of FR are compared to finite difference and finite volumes schemes, as are common in industry, with the comparison showing the increased wave propagating ability on warped and stretched meshes, and hence FR?s increased resilience to mesh deformation

Fast Protection-Domain Crossing in the CHERI Capability-System Architecture

Capability Hardware Enhanced RISC Instructions (CHERI) supplement the conventional memory management unit (MMU) with instruction-set architecture (ISA) extensions that implement a capability system model in the address space. CHERI can also underpin a hardware-software object-capability model for scalable application compartmentalization that can mitigate broader classes of attack. This article describes ISA additions to CHERI that support fast protection-domain switching, not only in terms of low cycle count, but also efficient memory sharing with mutual distrust. The authors propose ISA support for sealed capabilities, hardware-assisted checking during protection-domain switching, a lightweight capability flow-control model, and fast register clearing, while retaining the flexibility of a software-defined protection-domain transition model. They validate this approach through a full-system experimental design, including ISA extensions, a field-programmable gate array prototype (implemented in Bluespec SystemVerilog), and a software stack including an OS (based on FreeBSD), compiler (based on LLVM), software compartmentalization model, and open-source applications.This work is part of the CTSRD and MRC2 projects sponsored by the Defense Advanced Research Projects Agency (DARPA) and the Air Force Research Laboratory (AFRL), under contracts FA8750-10-C-0237 and FA8750-11-C-0249. We also acknowledge the Engineering and Physical Sciences Research Council (EPSRC) REMS Programme Grant [EP/K008528/1], the EPSRC Impact Acceleration Account [EP/K503757/1], EPSRC/ARM iCASE studentship [13220009], Microsoft studentship [MRS2011-031], the Isaac Newton Trust, the UK Higher Education Innovation Fund (HEIF), Thales E-Security, and Google, Inc.This is the author accepted manuscript. The final version of the article can be found at: http://ieeexplore.ieee.org/document/7723791

CHERI: A hybrid capability-system architecture for scalable software compartmentalization

CHERI extends a conventional RISC Instruction- Set Architecture, compiler, and operating system to support fine-grained, capability-based memory protection to mitigate memory-related vulnerabilities in C-language TCBs. We describe how CHERI capabilities can also underpin a hardware-software object-capability model for application compartmentalization that can mitigate broader classes of attack. Prototyped as an extension to the open-source 64-bit BERI RISC FPGA softcore processor, FreeBSD operating system, and LLVM compiler, we demonstrate multiple orders-of-magnitude improvement in scalability, simplified programmability, and resulting tangible security benefits as compared to compartmentalization based on pure Memory-Management Unit (MMU) designs. We evaluate incrementally deployable CHERI-based compartmentalization using several real-world UNIX libraries and applications.We thank our colleagues Ross Anderson, Ruslan Bukin, Gregory Chadwick, Steve Hand, Alexandre Joannou, Chris Kitching, Wojciech Koszek, Bob Laddaga, Patrick Lincoln, Ilias Marinos, A Theodore Markettos, Ed Maste, Andrew W. Moore, Alan Mujumdar, Prashanth Mundkur, Colin Rothwell, Philip Paeps, Jeunese Payne, Hassen Saidi, Howie Shrobe, and Bjoern Zeeb, our anonymous reviewers, and shepherd Frank Piessens, for their feedback and assistance. This work is part of the CTSRD and MRC2 projects sponsored by the Defense Advanced Research Projects Agency (DARPA) and the Air Force Research Laboratory (AFRL), under contracts FA8750-10-C- 0237 and FA8750-11-C-0249. The views, opinions, and/or findings contained in this paper are those of the authors and should not be interpreted as representing the official views or policies, either expressed or implied, of the Department of Defense or the U.S. Government. We acknowledge the EPSRC REMS Programme Grant [EP/K008528/1], Isaac Newton Trust, UK Higher Education Innovation Fund (HEIF), Thales E-Security, and Google, Inc.This is the author accepted manuscript. The final version is available at http://dx.doi.org/10.1109/SP.2015.

Genome Diversity of Epstein-Barr Virus from Multiple Tumor Types and Normal Infection

Epstein-Barr virus (EBV) infects most of the world’s population and is causally associated with several human cancers, but little is known about how EBV genetic variation might influence infection or EBV-associated disease. There are currently no published wild-type EBV genome sequences from a healthy individual and very few genomes from EBV-associated diseases. We have sequenced 71 geographically distinct EBV strains from cell lines, multiple types of primary tumor, and blood samples and the first EBV genome from the saliva of a healthy carrier. We show that the established genome map of EBV accurately represents all strains sequenced, but novel deletions are present in a few isolates. We have increased the number of type 2 EBV genomes sequenced from one to 12 and establish that the type 1/type 2 classification is a major feature of EBV genome variation, defined almost exclusively by variation of EBNA2 and EBNA3 genes, but geographic variation is also present. Single nucleotide polymorphism (SNP) density varies substantially across all known open reading frames and is highest in latency-associated genes. Some T-cell epitope sequences in EBNA3 genes show extensive variation across strains, and we identify codons under positive selection, both important considerations for the development of vaccines and T-cell therapy. We also provide new evidence for recombination between strains, which provides a further mechanism for the generation of diversity. Our results provide the first global view of EBV sequence variation and demonstrate an effective method for sequencing large numbers of genomes to further understand the genetics of EBV infection

Toward Future Installations: Mutual Interactions of Short Intakes With Modern High Bypass Fans

In this paper, we investigate the coupled interaction between a new short intake design with a modern fan in a high-bypass ratio civil engine, specifically under the off-design condition of high incidence. The interaction is expected to be much more significant than that on a conventional intake. The performance of both the intake-alone and rotor-alone configurations are examined under isolation. Subsequently, a comprehensive understanding on the two-way interaction between intake and fan is presented. This includes the effect of fan on intake angles of attack (AoA) tolerance (FoI) and the effect of circumferential and radial flow distortion induced by the intake on the fan performance (IoF). In the FoI scenario, the rotor effectively redistributes the mass flow at the fan-face. The AoA tolerance of the short-intake design has increased by ≈4 deg when compared with the intake-alone configuration. Dynamic nature of distortion due to shock unsteadiness has been quantified. ST plots and power spectral density (PSD) of pressure fluctuations show the existence of a spectral gap between the shock unsteadiness and blade passing, with almost an order of magnitude difference in the corresponding frequencies. In the IoF scenario, both the “large” (O(360 deg)) and “small” scale distortion (O(10–60 deg)) induced by the intake results in a non-uniform inflow to the rotor. Sector analysis reveals a substantial variation in the local operating condition of the fan as opposed to its steady characteristic. Streamline curvature, upwash, and wake thickening are identified to be the three key factors affecting the fan performance. These underlying mechanisms are discussed in detail to provide further insights into the physical understanding of the fan-intake interaction. In addition to the shock-induced separation on the intake lip, the current study shows that shorter intakes are much more prone to the upwash effect at higher AoA. Insufficient flow straightening along the engine axis is reconfirmed to be one of the limiting factors for the short-intake design

Can We Really Prevent Suicide?

Every year, suicide is among the top 20 leading causes of death globally for all ages. Unfortunately, suicide is difficult to prevent, in large part because the prevalence of risk factors is high among the general population. In this review, clinical and psychological risk factors are examined and methods for suicide prevention are discussed. Prevention strategies found to be effective in suicide prevention include means restriction, responsible media coverage, and general public education, as well identification methods such as screening, gatekeeper training, and primary care physician education. Although the treatment for preventing suicide is difficult, follow-up that includes pharmacotherapy, psychotherapy, or both may be useful. However, prevention methods cannot be restricted to the individual. Community, social, and policy interventions will also be essentia

A Measurement of Rb using a Double Tagging Method

The fraction of Z to bbbar events in hadronic Z decays has been measured by the OPAL experiment using the data collected at LEP between 1992 and 1995. The Z to bbbar decays were tagged using displaced secondary vertices, and high momentum electrons and muons. Systematic uncertainties were reduced by measuring the b-tagging efficiency using a double tagging technique. Efficiency correlations between opposite hemispheres of an event are small, and are well understood through comparisons between real and simulated data samples. A value of Rb = 0.2178 +- 0.0011 +- 0.0013 was obtained, where the first error is statistical and the second systematic. The uncertainty on Rc, the fraction of Z to ccbar events in hadronic Z decays, is not included in the errors. The dependence on Rc is Delta(Rb)/Rb = -0.056*Delta(Rc)/Rc where Delta(Rc) is the deviation of Rc from the value 0.172 predicted by the Standard Model. The result for Rb agrees with the value of 0.2155 +- 0.0003 predicted by the Standard Model.Comment: 42 pages, LaTeX, 14 eps figures included, submitted to European Physical Journal