Being "always on" is being always off, to something.

Automatic Patch-Based Exploit Generation

Topic: Technology
5:06 pm EDT, Apr 18, 2008
The automatic patch-based exploit generation problem is: given a program P and a patched version of the program P', automatically generate an exploit for the potentially unknown vulnerability present in P but fixed in P'. In this paper, we propose techniques for automatic patch-based exploit generation, and show that our techniques can automatically generate exploits for vulnerable programs based upon patches provided via Windows Update. In many cases we are able to automatically generate exploits within minutes or less. Although our techniques may not work in all cases, a fundamental tenet of security is to conservatively estimate the capabilities of attackers. Thus, our results indicate that automatic patch-based exploit generation should be considered practical. One important security implication of our results is that current patch distribution schemes which stagger patch distribution over long time periods, such as Windows Update, may allow attackers who receive the patch first to compromise the significant fraction of vulnerable hosts who have not yet received the patch. Thus, we conclude update schemes, such as Windows Update as currently implemented, can detract from overall security, and should be redesigned.

National Applications Office Privacy Stewardship

Topic: Politics and Law
7:07 am EDT, Apr 18, 2008
We evaluated the Department of Homeland Security (DHS) National Applications Office (NAO) privacy stewardship to determine whether the NAO is conducting activities to instill and promote a culture of privacy, and its planned operations are in compliance with privacy regulations. Privacy stewardship includes privacy integration in the program mission and strategic plans, established privacy requirements at the outset of program initiation, procedures and training for operational and staff accountability for privacy protections, and a privacy framework for internal control and external oversight. Generally, NAO is making good progress in developing an effective privacy program for its operations. Specifically, NAO involved the DHS Privacy Office early in program planning and development of key organizational documents. Also, NAO acknowledges privacy requirements and states a commitment to privacy in its Charter. By doing so, NAO signaled its intent to incorporate accepted privacy principles in its policies and operating procedures. We identified several elements that serve as a framework for NAO’s privacy stewardship. These include ongoing privacy oversight by departmental privacy and civil liberties officers, public notice of system of records, training of NAO personnel, and approved risk assessments. However, a revised Privacy Impact Assessment and a Civil Liberties Impact Assessment reflecting changes in the Charter are still necessary prior to NAO becoming operational. In our report, we made two recommendations to strengthen privacy stewardship at the NAO. The Under Secretary for Intelligence & Analysis concurred with our findings and recommendations. We consider these recommendations resolved, but open, pending our review of documentation provided by the NAO.

End to End Trust

Topic: Technology
7:07 am EDT, Apr 18, 2008
Imagine a more trusted, privacy enhanced Internet experience where devices and software enable people to make more effective choices and take control over who, and what, to trust online. It is not an overstatement to say that the Internet has transformed the way we live. Social networking represents the new town square; blogging has turned citizens into journalists; and e-commerce sites have spurred global competition in the marketplace. But with people of all ages flocking online, and with the proliferation of high-profile, targeted attacks on individual or organizational information, assets and identities, more and more people consider the lack of security and privacy on the Internet to be at an unacceptable level.

The international kilogram conundrum

Topic: Technology
7:07 am EDT, Apr 18, 2008
In the more than a century since 'perfect' platinum-iridium cylinders were first used as the world's kilogram standards, their weights have mysteriously fluctuated. Scientists are rethinking what the measure means.

Pillar: A Parallel Implementation Language

Topic: Technology
7:07 am EDT, Apr 18, 2008
As parallelism in microprocessors becomes mainstream, new programming languages and environments are emerging to meet the challenges of parallel programming. To support research on these languages, we are developing a low-level language infrastructure called Pillar (derived from Parallel Implementation Language). Although Pillar programs are intended to be automatically generated from source programs in each parallel language, Pillar programs can also be written by expert programmers. The language is defined as a small set of extensions to C. As a result, Pillar is familiar to C programmers, but more importantly, it is practical to reuse an existing optimizing compiler like gcc [1] or Open64 [2] to implement a Pillar compiler. Pillar’s concurrency features include constructs for threading, synchronization, and explicit data-parallel operations. The threading constructs focus on creating new threads only when hardware resources are idle, and otherwise executing parallel work within existing threads, thus minimizing thread creation overhead. In addition to the usual synchronization constructs, Pillar includes transactional memory. Its sequential features include stack walking, second-class continuations, support for precise garbage collection, tail calls, and seamless integration of Pillar and legacy code. This paper describes the design and implementation of the Pillar software stack, including the language, compiler, runtime, and high-level converters (that translate high-level language programs into Pillar programs). It also reports on early experience with three high-level languages that target Pillar.

2063 A.D. by Matt Novak

Topic: Arts
7:07 am EDT, Apr 18, 2008
The booklet 2063 A.D. was published by General Dynamics Astronautics, and placed into a time capsule in July of 1963. It is believed that only 200 copies were ever printed. The 50-page book contains predictions by scientists, politicians, astronauts and military commanders about the state of space exploration in the year 2063. This edition is a reprint made from scans of the original 1963 book.

Robert Kaplan on the New Balance of Power

Topic: International Relations
7:07 am EDT, Apr 18, 2008
Kaplan feels that we tend to divide the world up artificially into old Cold War classifications of the Middle East, the South Asian Indian subcontinent, and the Pacific Rim of East Asia. These divisions were forced on the U.S. by the Cold War, in which the country had a whole world to patrol, in a way. And so Washington broke it up into academic specialties in order to get a better grip on things. But increasingly, as China, North Korea, Japan, and India do more and more trade with Iran and Syria, and the Indian and Chinese navies are increasingly in the Persian Gulf, these boundaries are breaking apart. A holistic map of Eurasia is reasserting itself. Any conflict with Iran would involve India and China in some way, because of all the trade they do there. The Persian Gulf is about to become much more clogged with oil supertankers than it ever was. That is because among a number of big phenomena going on in the world today, Kaplan said, one is the growth of the Chinese and Indian middle classes. India has 1.5 billion people. Its middle class is growing from 200 million to a predicted 350 million. China has similar statistics. Middle classes are acquisitive, Kaplan observed. They buy things and consume a lot of energy. And so the growth of these middle classes means tremendous energy consumption, much of which is going to have to be solved by oil. Ninety percent of India’s energy requirements are going to be filled by oil in the Persian Gulf within a few years, as opposed to 65 percent today. China’s statistics are similar. We are about to see a major energy highway from the Persian Gulf across the Indian Ocean to the Strait of Malacca to China and Japan and across the Persian Gulf to the west coast of India. Energy politics are going to tie China and India much more closely to the Arab and Persian world than they ever were before. This is why the U.S. position now in the Middle East is untenable, Kaplan argued. The U.S. has to find a way gradually, with carrots and sticks, to open up Iran and have some sort of normalized relationship with that country. The rest of the world is not going to wait the U.S. out, but is moving closer to Iran and Russia, because crude oil petroleum prices are going to continue to go up over the long run because of the growth of middle classes around the world.

TinEye

Topic: Technology
7:07 am EDT, Apr 18, 2008
TinEye is an image search engine built by Idee currently in private beta. Give it an image and it will tell you where the image appears on the web.

IC Information Sharing Strategy

Topic: Politics and Law
7:07 am EDT, Apr 18, 2008
Information sharing is a principal component of the DNI’s strategy for improving the Intelligence Community’s ability to overcome the new challenging threat environment that we face as a Nation. This document outlines a forward-leaning information sharing strategy to enhance our capability to operate as a unified, integrated intelligence enterprise. The information sharing strategy is focused on developing a “responsibility to provide” culture in which we unlock intelligence data from a fragmented information technology infrastructure spanning multiple intelligence agencies and make it readily discoverable and accessible from the earliest point at which an analyst can add value. This new information sharing model will rely on attribute-based access and tagged data with security built-in to create a trusted environment for collaboration among intelligence professionals to share their expertise and knowledge. Moreover, we should reiterate our commitment to develop a risk management approach where we carefully contemplate anticipated benefits and potential costs, ensuring mission success and protection of privacy, civil liberties, and sources and methods. As we embark on this challenging endeavor, we look forward to working collaboratively with you to implement this strategy’s information sharing strategic goals and objectives in a manner that benefits the Intelligence Community as one enterprise.

Penalty for crossing an Al Qaeda boss? A nasty memo

Topic: War on Terrorism
7:07 am EDT, Apr 18, 2008
Recently declassified documents reveal a little-known side of the network: an internal culture that has been surprisingly bureaucratic and persistently fractious.