In this two-part paper, influences from environmental factors on lightning in a convective storm are assessed with a model. In Part I, an electrical component is described and applied in the Aerosol-Cloud model (AC). AC treats many types of secondary (e.g. breakup in ice-ice collisions, raindrop-freezing fragmentation, rime-splintering) and primary (heterogeneous, homogeneous freezing) ice initiation. AC represents lightning flashes with a statistical treatment of branching from a fractal law constrained by video imagery. The storm simulated is from the Severe Thunderstorm Electrification and Precipitation Study (STEPS, 19/20 June 2000). The simulation was validated microphysically (e.g., ice/droplet concentrations and mean sizes, liquid water content [LWC], reflectivity, surface precipitation) and dynamically (e.g., ascent) in our 2017 paper. Predicted ice concentrations (~10 L⁻¹) agreed, to within a factor of about two, with aircraft data at flight levels (−10 to −15 °C). Here, electrical statistics of the same simulation are compared with observations. Flash rates (to within a factor of two), triggering altitudes and polarity of flashes, and electric fields agree with STEPS observations. The 'normal' tripole of charge structure observed during an electrical balloon sounding is reproduced by AC. It is related to the reversal of polarity of non-inductive charging in ice-ice collisions seen in lab experiments when temperature or LWC are varied. Positively charged graupel and negatively charged snow at most mid-levels, charged away from the fastest updrafts, are predicted to cause the normal tripole. Total charge separated in the simulated storm is dominated by collisions involving secondary ice from fragmentation in graupel-snow collisions.
Advances in software virtualization and network processing lead to increasing network softwarization. Software network elements running on commodity platforms replace or complement hardware components in cloud and mobile network infrastructure. However, such commodity platforms have a large attack surface and often lack granular control and tight integration of the underlying hardware and software stack. Often, software network elements are either themselves vulnerable to software attacks or can be compromised through the bloated trusted computing base. To address this, we protect the core security assets of network elements (authentication credentials and cryptographic context) by provisioning them to, and maintaining them exclusively in, isolated execution environments. We complement this with a secure and scalable mechanism to enroll network elements into software defined networks. Our evaluation results show a negligible impact on run-time performance and only a moderate performance impact at the deployment stage.

arXiv:1806.07302v1 [cs.NI] 19 Jun 2018

directly (by intercepting or modifying traffic), or indirectly through horizontal attacks aimed to leak authentication credentials and encryption keys [54]. Earlier research addressed SDN security through additional services [48,53,21], formal verification [6] and isolated execution using Intel Software Guard Extensions (SGX) [52,43,28,44], and most popular network element implementations support communication over transport layer security (TLS) [15]. Despite these efforts, the confidentiality and integrity of authentication credentials of network elements in SDN remain unaddressed. In particular, the existing approaches to provision authentication credentials to network elements in SDN are either plainly insecure or both insecure and unscalable, requiring manual steps [38]. Moreover, credentials provisioned to network elements in virtualized environments are often stored in plaintext on the file system.

Adversaries exploiting vulnerabilities in process and virtualization isolation can access authentication credentials to perform network attacks or impersonate network elements. In this paper, we address two complementary questions: (1) How can authentication credentials be securely provisioned to software network elements in SDN deployments? and (2) How can the TLS context of virtual switches be protected on compromised hosts?

Contributions. In this work, we present the following contributions:
- A secure, practical, and scalable mechanism to provision authentication credentials and bootstrap communication between software network elements.
- TLSonSGX, a library that allows authentication credentials and the TLS context to be maintained exclusively in isolated execution environments.
- A novel approach to restricting the availability of authentication credentials for SDN components to hosts with an attested trusted computing base.
- A first thorough analysis of the performance trade-offs of deploying components of network elements in SGX enclaves.

Structure. The remainder of thi...
We demonstrate a tool for identifying, prioritizing and evaluating vulnerabilities in software. The tool aims to improve security in products by making maintenance more efficient and robust. Software components and release versions are matched with vulnerability information from open resources. The results are visualized on several different levels, ranging from product portfolio and individual products, to specific releases and vulnerabilities. The tool keeps track of how security evolves over time in deployed releases, and also how the maintenance organization progresses in evaluating new vulnerabilities. This will result in more efficient, accurate, and robust security analysis and awareness within the organization, and the anticipated long term effect is more secure products.
Abstract. We consider the problem of detecting exploits based on return-oriented programming (ROP). In contrast to previous works, we investigate to which extent we can detect ROP payloads by only analysing streaming data, i.e., we do not assume any modifications to the target machine, its kernel or its libraries. Neither do we attempt to execute any potentially malicious code in order to determine if it is an attack. While such a scenario has its limitations, we show that using a layered approach with a filtering mechanism together with the Fast Fourier Transform, it is possible to detect ROP payloads even in the presence of noise and assuming that the target system employs ASLR. Our approach, denoted eavesROP, thus provides a very lightweight and easily deployable mitigation against certain ROP attacks. It also provides the added merit of detecting the presence of a brute-force attack on ASLR, since library base addresses are not assumed to be known by eavesROP.