Monday, September 20, 2010

Addiction: Could it be a big lie?


Go ahead. Judge drug addicts. Call them selfish. A Harvard psychologist gives you permission.

You do not have to be mean to them, he says. Just do not treat them as if they have some sort of, you know, illness.

Gene M. Heyman's book Addiction: A Disorder of Choice comes out this week. Like several other books released this decade, it disparages the overwhelming scientific consensus that addiction is an involuntary disease. Supporters of the overwhelming scientific consensus are not amused.

"His argument crashes and burns," says Tony George, the head of addiction psychiatry at the University of Toronto. "I don't think there's too many self-respecting scholars in the addiction field who would agree with him. I'm shocked that Harvard University Press would publish that."

"These guys – I don't know, academia, they just kind of take what they want, and they don't care about the truth, or what the studies show," says Norman Miller, a professor of medicine at Michigan State University.

"What aspect of disease," says Norman Hoffman, a psychology professor at Western Carolina University, "does he not understand?"

Heyman, a Harvard lecturer in psychology, did not expect to be lauded by the medical-scientific establishment. His book indicts its members. Appealing to an eclectic mix of studies and examples – Philip Roth's impotent alter ego Nathan Zuckerman makes a brief appearance – he attempts to persuade us that we have been persistently deceived by so-called addiction experts who do not understand addiction.

Though hardly a controversial topic to anyone outside the small group of dissidents who want it to be, the semantic disease-or-not debate has important practical implications. How addiction is viewed affects how addicts are treated, by the public and by medical professionals, and how government allocates resources to deal with the problem. Heyman, who says he was once reluctant to share his conclusions, now makes his case forcefully.

Can humans be genetically predisposed to addiction? Sure, he writes, but this does not mean addicts' drug use is not a voluntary behaviour. Are addicts self-destructive? Of course, he writes, but this does not mean they do not respond to the costs and benefits associated with their decisions, even when addiction has changed their brains. Is addiction a chronic, lifelong disorder? No, he concludes. Most experts, he argues, do not understand just how many addicts quit for good.

Addiction draws heavily on behavioural economics, a field that fuses psychology with economic theory to predict human behaviour. The book is complex.

It is fundamentally based, however, on that last, simple point: Addicts quit. Clinical experts believe addiction cannot be permanently conquered, Heyman writes, because they tend to study only addicts who have entered treatment programs. People who never enter treatment – more than three-quarters of all addicts, according to most estimates – relapse far less frequently than those who do, since people in treatment more frequently have additional medical and psychiatric problems.

Miller says Heyman has misinterpreted the data to which he points. George says studies of non-treatment-seeking people contradict Heyman's conclusions. Says Hoffman about those conclusions: "Yeah, so?"

Many addicts, Hoffman agrees, can indeed quit of their own volition. But some people live long lives with cancer. This is not proof that cancer is not a disease, he says, merely that some people suffer from more severe cases of diseases than others.

"If you compare Type 2 diabetes to Type 1 diabetes, one is much more virulent, more difficult to control. But we call them the same; we call them both diabetes," he says. "Since we're talking about a plethora of genes involved in addiction, we may also be looking here at a variety of illnesses that we're labelling the same but are really very different."

Heyman concurs with the expert consensus on the nature of addicts' thinking at the time of a relapse. The addict, he writes, does not choose to be an addict; he or she merely chooses to use the drug one more time, nothing more, and thus ends up an addict unintentionally.

The question is why the addict chooses to use the drug one more time. "The evidence from neuroimaging, animal studies, genetic association studies, clinical trials, is overwhelming," says George: The addicted brain is a changed brain. It is simply incapable of resisting a desired drug. But Heyman argues that addicts with sufficient self-control can organize their lives so that they are not directly confronted with an abstain-or-succumb decision.

People who have stronger incentives to remain clean, such as a good job, are more likely to make better lifestyle choices, Heyman writes. This is not contentious. But he also argues that the inability to resist potentially harmful situations is a product of others' opinions, fear of punishment, and "values"; it is a product of a cost-benefit analysis.

He does not dispute that drug use alters the brain. He does not dispute that some people have genes that make them more susceptible to addiction. He disputes that the person who is predisposed to addiction and the person whose brain has been altered are not able to ponder the consequences of their actions. In other words, he disputes that biological factors make addicts' decisions compulsive.

This is where the experts he maligns begin to grumble again. In the changed brains of many addicts, says George, the capacity for voluntary behaviour with regard to drugs has been overwhelmed. It is as if the brakes that might allow them to stop before using have ceased functioning.

While addicts may not ignore the consequences of their actions, many – even people with families, good jobs and a lot to lose – are unable to make those consequences the basis for their actions.

"Where (Heyman) loses the argument," George says, "is that there are clearly both biological and environmental or contextual factors involved, but he's basically saying that the context and the environment are everything and the biology is irrelevant. Well, what we know about the brain, and the brain on drugs, is startling."

Heyman knows he is a heretic. The book jacket on Addiction calls his thoughts "radical"; in the book, he writes that "most people believe the disease interpretation of addiction is the scientific, enlightened, and humane perspective." Changing minds will be difficult.

Then again, some people manage to quit drugs.

Thursday, September 9, 2010

"Beam me up, Scotty" could soon be a reality


The catch-phrase "Beam me up, Scotty" of the iconic "Star Trek" series could be close to reality, with scientists successfully moving objects from one place to another with the help of energy rays.

A team of scientists at the Australian National University in Canberra, using tractor beams - rays that can move objects - has managed to shift tiny particles up to 59 inches from one spot to another.

Researcher Andrei Rhode said his team's technique can move objects 100 times bigger over a distance of almost five feet, reports the Daily Mail.

The method involves shining a hollow laser beam around tiny glass particles. The beam heats the air around the particles, while the dark centre of the beam, where the particles sit, stays cool; the result is that the particles are drawn towards the beam's warm edges.

However, the heated air molecules that are bouncing around strike the surface of the glass particles and nudge them back to the cooler centre.

Rhode explained that by using two laser beams, his team can make the particles move in different directions.

"We think the technique could work over even longer distances than those we've tested. With the particles and the laser we use, I would guess up to 10 metres (about 33ft)," he said.

The maximum distance he and his team could achieve was limited by the lab equipment.

But he said that unlike the beams in Star Trek, his technique would not work in outer space, where there is a vacuum.

"On Earth, though, there are many possible applications, such as being able to move dangerous substances and microbes."

Tuesday, September 7, 2010

God did not create the universe, says Hawking


God did not create the universe and the "Big Bang" was an inevitable consequence of the laws of physics, the eminent British theoretical physicist Stephen Hawking argues in a new book.

In "The Grand Design," co-authored with U.S. physicist Leonard Mlodinow, Hawking says a new series of theories made a creator of the universe redundant, according to the Times newspaper which published extracts on Thursday.

"Because there is a law such as gravity, the universe can and will create itself from nothing. Spontaneous creation is the reason there is something rather than nothing, why the universe exists, why we exist," Hawking writes.

"It is not necessary to invoke God to light the blue touch paper and set the universe going."

Hawking, 68, who won global recognition with his 1988 book "A Brief History of Time," an account of the origins of the universe, is renowned for his work on black holes, cosmology and quantum gravity.

Since 1974, the scientist has worked on marrying the two cornerstones of modern physics -- Albert Einstein's General Theory of Relativity, which concerns gravity and large-scale phenomena, and quantum theory, which covers subatomic particles.

His latest comments suggest he has broken away from previous views he has expressed on religion. Previously, he wrote that the laws of physics meant it was simply not necessary to believe that God had intervened in the Big Bang.

He wrote in A Brief History ... "If we discover a complete theory, it would be the ultimate triumph of human reason -- for then we should know the mind of God."

In his latest book, he said the 1992 discovery of a planet orbiting a star other than the Sun helped deconstruct the view of the father of physics, Isaac Newton, that the universe could not have arisen out of chaos but was created by God.

"That makes the coincidences of our planetary conditions -- the single Sun, the lucky combination of Earth-Sun distance and solar mass, far less remarkable, and far less compelling evidence that the Earth was carefully designed just to please us human beings," he writes.

Hawking, who is only able to speak through a computer-generated voice synthesizer, has a neuromuscular dystrophy that has progressed over the years and left him almost completely paralyzed.

He began suffering the disease in his early 20s but went on to establish himself as one of the world's leading scientific authorities, and has also made guest appearances in "Star Trek" and the cartoons "Futurama" and "The Simpsons."

Last year he announced he was stepping down as Cambridge University's Lucasian Professor of Mathematics, a position once held by Newton and one he had held since 1979.

"The Grand Design" is due to go on sale next week.

Saturday, September 4, 2010

The Beginning Of Universe


I'm on record as predicting that we'll understand what happened at the Big Bang within fifty years. Not just the “Big Bang model” — the paradigm of a nearly-homogeneous universe expanding from an early hot, dense, state, which has been established beyond reasonable doubt — but the Bang itself, that moment at the very beginning. So now is as good a time as any to contemplate what we already think we do and do not understand. (Also, I'll be talking about it Saturday night on Coast to Coast AM, so it’s good practice.)

There is something of a paradox in the way that cosmologists traditionally talk about the Big Bang. They will go to great effort to explain how the Bang was the beginning of space and time, that there is no “before” or “outside,” and that the universe was (conceivably) infinitely big the very moment it came into existence, so that the pasts of distant points in our current universe are strictly non-overlapping. All of which, of course, is pure moonshine. When they choose to be more careful, these cosmologists might say “Of course we don't know for sure, but…” Which is true, but it's stronger than that: the truth is, we have no good reasons to believe that those statements are actually true, and some pretty good reasons to doubt them.

I'm not saying anything avant-garde here. Just pointing out that all of these traditional statements about the Big Bang are made within the framework of classical general relativity, and we know that this framework isn't right. Classical GR convincingly predicts the existence of singularities, and our universe seems to satisfy the appropriate conditions to imply that there is a singularity in our past. But singularities are just signs that the theory is breaking down, and has to be replaced by something better. The obvious choice for "something better" is a sensible theory of quantum gravity; but even if novel classical effects kick in to get rid of the purported singularity, we know that something must be going on other than the straightforward GR story.

There are two tacks you can take here. You can be specific, by offering a particular model of what might replace the purported singularity. Or you can be general, trying to reason via broad principles to argue about what kinds of scenarios might ultimately make sense.

Many scenarios have been put forward in the "specific" category. We have of course the "quantum cosmology" program, that tries to write down a wave function of the universe; the classic example is the paper by Hartle and Hawking. There have been many others, including recent investigations within loop quantum gravity. Although this program has led to some intriguing results, the silent majority of physicists seems to believe that there are too many unanswered questions about quantum gravity to take seriously any sort of head-on assault on this problem. There are conceptual puzzles: at what point does spacetime make the transition from quantum to classical? And there are technical issues: do we really think we can accurately model the universe with only a handful of degrees of freedom, crossing our fingers and hoping that unknown ultraviolet effects don't completely change the picture? It's certainly worth pursuing, but very few people (who are not zero-gravity tourists) think that we already understand the basic features of the wave function of the universe.

At a slightly less ambitious level (although still pretty darn ambitious, as things go), we have attempts to "smooth out" the singularity in some semi-classical way. Aguirre and Gratton have presented a proof by construction that such a universe is conceivable; essentially, they demonstrate how to take an inflating spacetime, cut it near the beginning, and glue it to an identical spacetime that is expanding in the opposite direction of time. This can either be thought of as a universe in which the arrow of time reverses at some special midpoint, or (by identifying events on opposite sides of the cut) as a one-way spacetime with no beginning boundary. In a similar spirit, Gott and Li suggest that the universe could "create itself," springing to life out of an endless loop of closed timelike curves. More colorfully, "an inflationary universe gives rise to baby universes, one of which turns out to be itself."

And of course, you know that there are going to be ideas based on string theory. For a long time Veneziano and collaborators have been studying what they dub the pre-Big-Bang scenario. This takes advantage of the scale-factor duality of the stringy cosmological field equations: for every cosmological solution with a certain scale factor, there is another one with the inverse scale factor, where certain fields are evolving in the opposite direction. Taken literally, this means that very early times, when the scale factor is nominally small, are equivalent to very late times, when the scale factor is large! I'm skeptical that this duality survives to low-energy physics, but the early universe is at high energy, so maybe that's irrelevant. A related set of ideas has been advanced by Steinhardt, Turok, and collaborators, first as the ekpyrotic scenario and later as the cyclic universe scenario. Both take advantage of branes and extra dimensions to try to follow cosmological evolution right through the purported Big Bang singularity; in the ekpyrotic case, there is a unique turnaround point, whereas in the cyclic case there are an infinite number of bounces stretching endlessly into the past and the future.

Personally, I think that the looming flaw in all of these ideas is that they take the homogeneity and isotropy of our universe too seriously. Our observable patch of space is pretty uniform on large scales, it’s true. But to simply extrapolate that smoothness infinitely far beyond what we can observe is completely unwarranted by the data. It might be true, but it might equally well be hopelessly parochial. We should certainly entertain the possibility that our observable patch is dramatically unrepresentative of the entire universe, and see where that leads us.

Inflation makes it plausible that our local conditions don't stretch across the entire universe. In Alan Guth’s original scenario, inflation represented a temporary period in which the early universe was dominated by false-vacuum energy, which then went through a phase transition to convert to ordinary matter and radiation. But it was eventually realized that inflation could be eternal — unavoidable quantum fluctuations could keep inflation going in some places, even if it turns off elsewhere. In fact, even if it turns off “almost everywhere,” the tiny patches that continue to inflate will grow exponentially in volume. So the number of actual cubic centimeters in the inflating phase will grow without bound, leading to eternal inflation. Andrei Linde refers to such a picture as self-reproducing.

If inflation is eternal into the future, maybe you don’t need a Big Bang? In other words, maybe it's eternal into the past, as well, and inflation has simply always been going on? Borde, Guth and Vilenkin proved a series of theorems purporting to argue against that possibility. More specifically, they show that a universe that has always been inflating (in the same direction) must have a singularity in the past.

But that's okay. Most of us suffer under the vague impression, with our intuitions trained by classical general relativity and the innocent-sounding assumption that our local uniformity can be straightforwardly extrapolated across infinity, that the Big Bang singularity is a past boundary to the entire universe, one that must somehow be smoothed out to make sense of the pre-Bang universe. But the Bang isn't all that different from future singularities, of the type we're familiar with from black holes. We don't really know what's going on at black-hole singularities, either, but that doesn't stop us from making sense of what happens from the outside. A black hole forms, settles down, Hawking-radiates, and eventually disappears entirely. Something quasi-singular goes on inside, but it's just a passing phase, with the outside world going on its merry way.

The Big Bang could have very well been like that, but backwards in time. In other words, our observable patch of expanding universe could be some local region that has a singularity (or whatever quantum effects may resolve it) in the past, but is part of a larger space in which many past-going paths don't hit that singularity.

The simplest way to make this work is if we are a baby universe. Like real-life babies, giving birth to universes is a painful and mysterious process. There was some early work on the idea by Farhi, Guth and Guven, as well as Fischler, Morgan and Polchinski, which has been followed up more recently by Aguirre and Johnson. The basic idea is that you have a background spacetime with small (or zero) vacuum energy, and a little sphere of high-density false vacuum. (The sphere could be constructed in your secret basement laboratory, or may just arise as a thermal fluctuation.) Now, if you're not careful, the walls of the sphere will simply implode, leaving you with some harmless radiation. To prevent that from happening, you have two choices. One is that the size of the sphere is greater than the Hubble radius of your universe; in our case, that means more than ten billion light years across, so that's not very realistic. The other is that your sphere is not simply embedded in the background, it's connected to the rest of space by a "wormhole" geometry. Again, you could imagine making it that way through your wizardry in gravitational engineering, or you could wait for a quantum fluctuation. Truth is, we're not very clear on how feasible such quantum fluctuations are, so there are no guarantees.

But if all those miracles occur, you're all set. Your false-vacuum bubble can expand from a really tiny sphere to a huge inflating universe, eventually reheating and leading to something very much like the local universe we see around us today. From the outside, the walls of the bubble appear to collapse, leaving behind a black hole that will eventually evaporate away. So the baby universe, like so many callous children, is completely cut off from communication with its parent. (Perhaps “teenage universe” would be a more apt description.)

Everyone knows that I have a hidden agenda here, namely the arrow of time. The thing we are trying to explain is not "why was the early universe like that?", but rather "why was the history of the universe from one end of time to the other like that?" I would argue that any scenario that purports to explain the origin of the universe by simply invoking some special magic at early times, without explaining why they are so very different from late times, is completely sidestepping the real question. For example, while the cyclic-universe model is clever and interesting, it is about as hopeless as it is possible to be from the point of view of the arrow of time. In that model, if we knew the state of the universe to infinite precision and evolved it backwards in time using the laws of physics, we would discover that the current state (and the state at every other moment of time) is infinitely finely tuned, to guarantee that the entropy will decrease monotonically forever into the past. That's just asserting something, not explaining anything.

The baby-universe idea at least has the chance to give rise to a spontaneous violation of time-reversal symmetry and explain the arrow of time. If we start with empty space and evolve it forward, baby universes can (hypothetically) be born; but the same is true if we run it backwards. The increase of entropy doesn't arise from a fine-tuning at one end of the universe's history; it's a natural consequence of the ability of the universe to always increase its entropy. We're a long way from completely understanding such a picture; ultimately we'll have to be talking about a Hilbert space of wave functions that involve an infinite number of disconnected components of spacetime, which has always been a tricky problem. But the increase of entropy is a fact of life, right here in front of our noses, that is telling us something deep about the universe on the very largest scales.

Update: On the same day I wrote this post, the cover story at New Scientist by David Shiga covers similar ground. Sadly, subscription-only, which is no way to run a magazine. The article also highlights the Banks-Fischer holographic cosmology proposal.

Thursday, September 2, 2010

The Next Generation Of Wireless Telephony


Europe has witnessed in recent years a massive growth in mobile communications, ranging from the more traditional analogue-based systems to the current generation of digital systems such as GSM (Global System for Mobile Communications), DCS-1800 (Digital Communication System at 1800 MHz), ERMES (European Radio Messaging System), and to a lesser extent DECT (Digital European Cordless Telephone) and TETRA (Trans-European Trunked Radio). The GSM family of products (GSM + DCS-1800), which represents the first large-scale deployment of a commercial digital cellular system ever, enjoys worldwide success, having already been adopted by over 190 operators in more than 80 countries. In a very short period of time, the percentage of European cellular subscribers using GSM or DCS-1800 has already exceeded 50%. In addition, the figure portrays the penetration rates of the combined analogue and digital cellular systems for the same time frame. It is worth noting that the biggest markets of Europe in terms of subscribers (i.e., UK, Italy and Germany) are not the markets with the largest penetration rates. In this respect, the largest penetration rates are found in the Nordic countries, close to or even exceeding 25% of the population.

Third Generation systems and technologies are being actively researched worldwide. In Europe, such systems are commonly referred to under the name UMTS (Universal Mobile Telecommunications Systems), while internationally, and particularly in the ITU context, they are referred to as FPLMTS (Future Public Land Mobile Telecommunications Systems) or, more recently, IMT-2000 (International Mobile Telecommunications for the year 2000).

In this context, and also from a worldwide perspective, with many competing mobile and personal communication technologies and standards being proposed to fulfil users' needs, the essential questions, to which no immediate, conclusive, firm answers can be given, are these: To what extent, and how fast, will users' requirements evolve beyond the need for voice and low-data-rate communications? And which technologies will meet the requirements for mobile and personal communications services and applications beyond the year 2000?

The rapid advance of component technology; the pressure to integrate fixed and mobile networks; the developments in the domains of service engineering, network management and intelligent networks; the desire to have multi-application hand-held terminals; and above all the increasing scope and sophistication of the multimedia services expected by the customer; all demand performance advances beyond the capability of second generation technology. The very success of second generation systems in becoming more cost effective and increasingly cost attractive raises the prospect that it will reach an early capacity and service saturation in Europe's major conurbations. These pressures will lead to the emergence of third generation systems representing a major opportunity for expansion of the global mobile marketplace rather than a threat to current systems and products.

The ground work for UMTS started in 1990, and some early answers can already be provided regarding its requirements, characteristics and capabilities, with the initial standards development process already under way at ETSI (European Telecommunications Standards Institute). The basic premise upon which work is being carried out, is that by the turn of the century, the requirements of the mobile users will have evolved and be commensurate with those services and applications that will be available over conventional fixed or wireline networks. The citizen in the third millennium will wish to avail himself of the full range of broadband multimedia services provided by the global information highway, whether wired or wireless connected.

Various international forums have raised the issue of technology migration from Second to Third Generation via the use of spectrum in the FPLMTS/UMTS bands. This may result in the spectrum being allocated, in some parts of the world, in an inefficient piecemeal fashion to evolved Second Generation technologies and potentially many new narrow-application systems, thereby impeding the development of broadband mobile multimedia services.

Terminal, system and network technology as researched within the EU-funded ACTS projects may alleviate to a large extent the complexity of sharing the spectrum between Second and Third Generation systems. Finding the solution to the problem of the evolution and migration path from Second (GSM, DCS-1800, DECT) to Third Generation systems (FPLMTS/UMTS), particularly from a service provision point of view, is also the subject of intense research carried out in the context of ACTS projects. Some of the key questions that are addressed include a detailed consideration of the feasibility, as well as the cost effectiveness and attractiveness, of the candidate enhancements. In this context, the ACTS projects will develop a set of guidelines aiming at reducing the uncertainties and associated investment risks regarding the new wireless technologies, by providing the sector actors and the investment community with clear perspectives on the technological evolution and on the path to the timely availability to the user of advanced services and applications.

In response to the imperatives of the internal European market, specific measures were taken, as early as 1987, to promote the Union-wide introduction of GSM, DECT, and ERMES. European Council Directives were adopted to set out common frequency bands to be allocated in each Member State to ensure pan-European operation, together with European Council Recommendations promoting the co-ordinated introduction of services based on these systems.

In 1994, the European Commission adopted a Green Paper on Mobile and Personal Communications with the aim of establishing the framework of the future policy in the field of mobile and personal communications. The Green Paper proposed to adapt, where necessary, the telecommunications policy of the European Union to foster a European-wide framework for the provision of mobile infrastructure, and to facilitate the emergence of trans-European mobile networks, services, and markets for mobile terminals and equipment.

Based on the Green Paper, the European Commission set out general positions on the future development of the mobile and personal sector, and defined an action plan which included actions to pursue the full application of competition rules; the development of a Code of Conduct for service providers; and agreement on procedures for licensing of satellite-based personal communications. The action plan also advocated the possibility of allowing service offerings as a combination of fixed and mobile networks in order to facilitate the full-scale development of personal communications; the lifting of constraints on alternative telecommunications infrastructures and constraints on direct interconnection with other operators; the adoption and implementation of Decisions of the ERC (European Radio-communications Committee) on frequency bands supporting DCS-1800 and TETRA; the opening up of a Europe-wide Numbering Space for pan-European services including personal communications services; and continuing support of work towards UMTS.

The combination of these regulatory changes will contribute to a substantial acceleration of the EU's mobile communications market and speed the progress towards Third Generation mobile/personal communications. It will however be necessary to encourage potential operators and manufacturers to invest in the required technology, by setting out a clear calendar for the adoption of the required new standards and the re-farming of the necessary spectrum. The applicable licensing regimes and rules for flexible sharing of the available spectrum need also to be adopted at an early stage so as to permit the identification of novel market opportunities commensurate with the broadband multimedia requirements of the Third Generation mobile telecommunications systems.

In light of the above, and in accordance with the political mandate given by the European Parliament and the European Council, the major actors in the mobile and personal communications sector have been brought together as a task force, which has led to the setting up of the UMTS Forum. The main objectives of the Forum are to contribute to the elaboration of a European policy for mobile and personal communications based on an industry-wide consensus view, and to pave the way for ensuring that mobile communications will play a pivotal role in the Global Information Society.

The continued evolution of Second Generation systems has been recognized as an issue of great societal and economic importance for Europe and the European industry. To facilitate and crystallize such an ambition, and in accordance with the political mandate given by the European Parliament and the European Council, an ad-hoc group called the UMTS Task Force was convened by the European Commission and was charged with the task of identifying Europe's mobile communications strategy towards UMTS. The report of the UMTS Task Force and its recommendations have been largely endorsed by the European mobile industry, and as a result the UMTS Forum has now been created with the mandate to provide an on-going high level strategic steer to the further development of European mobile and personal communications technologies. High on the priorities of the UMTS Forum are the issues of technology, spectrum, marketing and regulatory regimes. Drawing participation beyond the European industry, the UMTS Forum is expected to play an important role in bringing into commercial reality the UMTS vision.

Wednesday, September 1, 2010

The Next Generation Internet


By now, anyone who reads the morning paper has probably heard that the Internet will be an even bigger deal in the future than it is today. School children will access all the great works of literature ever written with the click of a mouse, surgery will be performed via cyberspace, and all transactions with the government will be conducted via your personal computer, making bureaucratic line-ups a thing of the past.

Sound too good to be true? Much of what has been written about two buzzword initiatives, Internet2 (I2) and the Next Generation Internet (NGI), would lead one to believe that these scenarios are just around the corner.

And some may be. Already in the works are projects to split the spectrum of light traveling the Internet's optical networks, allowing high priority traffic to pass at the highest and least interrupted frequency, while passing low priority traffic (i.e. your e-mail) along at a lower frequency. Teleinstrumentation, the remote operation of such rare resources as satellites and electron microscopes, has been demonstrated. Digital libraries containing environmental data have been used to simulate natural and man-made disasters for emergency response teams. Classrooms and entire universities have gone online, making remote education an option for students.

But misconceptions about I2 and NGI abound, first and foremost that they are interchangeable terms for the same project, closely followed by the perception that the government is hard at work right now digging trenches and laying cable for what is to be a brand new Internet.

I2 and NGI are separate and distinctly different initiatives. It's easiest to think of them as two different answers to the same plaguing problem. The problem is congestion on the commercially available Internet.

The need for a new Internet

Prior to 1995, the National Science Foundation's (NSF) NSFnet served the research and academic community and allowed for cross country communications on relatively unclogged T3 (45 megabit per second) lines that were unavailable for commercial use. However, NSFnet went public in 1995, setting the stage for today's Internet. As the Internet has become irrevocably a part of life, the increase in e-mail traffic and the proliferation of graphically dense pages have eaten up valuable bandwidth.

With all of this data congealing in cyberspace (for the Internet currently knows no differentiation between a Web site belonging to Arthur Andersen and one belonging to Pamela Anderson) there has arisen a critical need for a new Internet. The answers to the questions of for what purpose and for whose use vary depending upon the proposed solution.

Internet2: The bottom-up initiative

Internet2 is the university community's response to the need for a return to dedicated bandwidth for academic and research use exclusively. Currently, about 120 universities and 25 corporate sponsors are members of Internet2, which in October 1997 incorporated itself forming the University Corporation for Advanced Internet Development (UCAID).

UCAID now serves as the support and administrative organisation for the project known as Internet2. Members pay an annual fee of between $10,000 and $25,000 and must demonstrate that they are making a definitive, substantial, and continuing commitment to the development, evolution, and use of networking facilities and applications in the conduct of research and education before they are approved for membership.

Internet2 represents the interests of the academic community through its concentration on applications that require more bandwidth and end to end quality of service than is available relying upon the commercial Internet. I2 is focused upon the needs of academia first, but is expected to develop technologies and applications that will eventually make their way into the rest of society.

The vBNS: A prototype for both Internets

The vBNS (very-high-performance Backbone Network Service), a project of the National Science Foundation and MCI Telecommunications, is a nationwide network that supports high performance, high bandwidth research applications. Like the old NSFnet, vBNS is a closed network, available only to the academic and research community. Currently it connects 46 academic institutions across the country, though a total of 92 have been approved for connectivity. A component of the vBNS project is research into high speed networking and communications and transfer of this data to the broader networking community. In many ways, the vBNS is the prototype for both I2 and NGI. The kinds of applications that both I2 and NGI would like to foster are currently deployed on this network.

Since its formation in 1996, I2 has concentrated on defining the environment where I2-type applications will run, holding member meetings and demonstrations where developers express programming needs and innovations that will be incorporated into a set of network tools that do not currently exist. One such meeting is scheduled to be held later this month at the Highway 1 technology forum in Washington, D.C.

I2 member meetings also provide a forum for researchers to investigate trends that will contribute to the applications environment, including object-oriented programming, software componentisation, object request brokering, dynamic run-time binding, and multi-tiered application delivery with separation of data and presentation functions.

Internet2 also continues to define its relationship with the other Internet initiative, Next Generation Internet, at the same time as NGI explores how best to apply the experience and expertise of the I2 community to its task. While acknowledging their differences, in statements each initiative positions its relationship to the other, determining where the line between the two could or should be drawn and what benefit each brings to the other's agenda.

The NGI roadmap


The NGI initiative is divided into three progressive stages, called goals in NGI parlance. Goal 1 is underway now; Goal 3 is targeted for the end of next year.

Goal 1 calls for NGI to research, develop, and experiment with advanced network technologies that will provide dependability, diversity in classes of service, security, and real-time capability for such applications as wide-area distributed computing, teleoperation, and remote control of experimental facilities. In this first phase, the project, led by the Defense Advanced Research Projects Agency (DARPA), will set the stage for the technologies, applications, and test beds envisioned for Goals 2 and 3.

Goal 2, led by the NSF, constructs the actual NGI networks and also depends heavily upon the vBNS. NGI expects that Goal 1 development will, by this point, have overcome the speed bumps of incompatible performance capabilities and service models in switches, routers, local area networks, and workstations. In Goal 2, 100 sites (universities, federal research institutions, and other research partners) will be connected at speeds in excess of 100 times that of today's Internet.

As with I2, the vBNS would serve as a backbone for the network connecting NGI participants. To bring in other research partners and provide additional connectivity, the vBNS would interconnect to other federal research networks, including DREN (Defense), NREN (NASA), ESnet (DoE), and eventually SuperNet (DARPA's terabit research network). The vBNS would also serve as a base for interconnecting to foreign high-performance networks, including the Canadian CA*net II, and others routed through the Science, Technology, and Research Transit Access Point (STAR-TAP) in Chicago.

Goal 2 of the NGI project also has the most planned collaboration with Internet2. NGI officials foresee the NSF supporting the GigaPoPs that would interconnect the I2 institutions and coordinating I2 and NGI interconnectivity to support interoperability and shared experimentation with NGI technologies and applications.

The real jump in speed comes in the second, high-risk, high-security test bed planned for the second phase of Goal 2. In this phase, 10 sites will be connected on a network employing ultra-high-speed switching and transmission technologies and end-to-end network connectivity at more than 1 gigabit per second, approximately 1000 times faster than today's Internet. This 1 gigabit per second network is intended to provide the research base for an eventual terabit per second network that would employ NGI-conceived and developed technologies for harnessing such speed. A 1 terabit per second network additionally takes advantage of optical technology pioneered by DARPA.

The impossible becomes commonplace

The current Internet exploded once it was opened up for commercial use and privatisation. Both I2 and NGI include industry as part of their advisory and actual or envisioned working teams, a nod to the future when the technologies or applications developed within either initiative, be they Terabyte per second networks, quality of service tools, digital libraries, or remote collaboration environments, are ready for and applicable to the market place.

On today's Internet it sometimes takes many seconds to get one picture, while on tomorrow's Internet, you're going to get many pictures in one second. This means high definition video, such as that being used now for scientific visualisation. It's only a matter of time until industry seizes upon and spins this technology off into other worlds of interest to folks outside the sciences, like the entertainment industry.

Both initiatives have obstacles before them: I2 depends upon academic resources and investment, and NGI relies on Congressional budgets and endorsement.

Still, there is cautious hope within their respective communities that I2 and NGI can create not a new Internet, but a new Internet environment.

Molecular Switches

The world of molecular computing, with its ultrafast speeds, low power needs and inexpensive materials, is one step closer to reality. Using chemical processes rather than silicon based photolithography, researchers at Rice University and Yale University in the US have created a molecular computer switch with the ability to be turned on and off repeatedly.

Such a switch, or logic gate, is a necessary computing component, used to represent ones and zeros, the binary language of digital computing.

As far as building the basic components of molecular computing is concerned, 50 percent of the job is done, the other 50 percent is memory. Rice and Yale researchers plan to announce a molecular memory device soon.

The cost of the molecular switches would be at least several thousand times less expensive than traditional solid state devices. They also promise continued miniaturisation and increased computing power, leapfrogging the limits of silicon.

The switch works by applying a voltage to a 30 nanometer wide self assembled array of the molecules, allowing current to flow in only one direction within the device. The current only flows at a particular voltage, and if that voltage is increased or decreased it turns off again making the switch reversible. In other previous demonstrations of a molecular logic gate there was no reversibility.

In addition, the difference in the amount of current that flows in the on and off states, known as the peak-to-valley ratio, is 1000 to 1. The typical silicon device response is, at best, 50 to 1. The dramatic response from off to on when the voltage is applied indicates the increased reliability of the signal.

The active electronic compound, 2'-amino-4-ethynylphenyl-4'-ethynylphenyl-5'-nitro-1-benzenethiol, was designed and synthesised at Rice. The molecules are one million times smaller in area than typical silicon-based transistors.

Not only is it much smaller than any switch that you could build in the solid state, it has complementary properties: in this case, if you want a large on/off ratio, it blows silicon away.

The measurements of the amount of current passing through a single molecule occurred at a temperature of approximately 60 Kelvin, or about -350 degrees Fahrenheit.

In addition to logic gates, potential applications include a variety of other computing components, such as high frequency oscillators, mixers and multipliers.

It really looks like it will be possible to have hybrid molecular and silicon based computers within five to 10 years.

Plastic Displays

Polyester may be the material of choice for future flat panel displays. Researchers in the U.S. have recently made breakthroughs in developing thin film transistor displays out of polyethylene terephthalate (PET), a thin, flexible and rugged plastic that you can bend, roll up, fold, or twist into practically any shape you need.

How do you coax a seemingly inflexible, delicate display to perform such acrobatics? The answer is in the roll to roll technique, a process for manufacturing thin film transistors (TFTs). Conventional TFTs are manufactured onto a rigid glass substrate, but the new technique calls for making the transistors on flexible plastic. In fact plastic displays can be manufactured in much the same way that potato chip bags are produced, in which a giant sheet is spooled onto a machine that prints the packaging and cuts the material into individual chip bags.

In manufacturing displays, the plastic would be spooled through a machine, transistor circuit layers would be deposited onto the material, etching processes would produce patterns to form the pixels, and the display would then be cut to size.

Technical challenges still remain. This type of process of making semiconductors doesn't exist yet. The concept holds promise not only for a new generation of ultralight, flexible displays but also for cost savings. Since manufacturing plants will need to be retooled for the roll to roll process, startup costs will be substantial. But the potential for cost savings in the long run because of cheap plastic and mass production techniques is also significant.

The real technical challenge, though, is a matter of heat. In conventional TFT production, temperatures reach up to 350 degrees Celsius, hotter than plastic can withstand without deforming. The Lawrence Livermore group, funded by DARPA's High Definition Systems Project, recently built high performance transistors at or below 100 degrees Celsius by using a short burst of light lasting 35 nanoseconds to produce the polycrystalline silicon (polysilicon).

Meanwhile, Philips Semiconductors Lab in Red Hill, Surrey, England, is also making headway in developing plastic displays. Its recipe calls for making polysilicon transistors on plastic by baking the plastic first, so that the heat used in the transistor production process doesn't cause expansion.

Although mass production of plastic displays is five years away, they could be used in all sorts of ways. The applications could include notebook and desktop displays, video game machines, and hand held appliances, as well as displays that don't exist now, for example, wrap around simulators, roll up displays, wearable displays sewn into clothing, and paper thin electronic books and newspapers. E Ink, based in Boston, is currently developing an ultrathin electronic book based on plastic technology.

Protonic Memory


One of the minor horrors of the computer age is to be working on a document not yet saved to the hard drive and lose everything because of a power outage or a system crash that forces the operator to shut down the computer.

Attempts to create circuits that store the information when the power is interrupted have used high voltages, which quickly wear down computer electronic components, and have been expensive. Now scientists at Sandia and at France Telecom have applied for a patent on a prototype memory retention device that is inexpensive, low-powered, and simple to fabricate.

To store data, the device uses embedded protons, which remain where they are when the power turns off, thus preserving the information. In devices such as DRAMs (dynamic random access memory), typically based on electron flow, the information is lost when the power is turned off.

To create the memory retentive chip, only a few steps must be added to the hundreds currently used to fabricate microchips. The key additional step is to bathe the hot microchip in hydrogen gas. The gas, permeating the chip, breaks up into single ions - protons - at defects in the silicon dioxide. (The defects are created by the heat of the manufacturing process.) The protons can roam only within the chip's central layer of silicon dioxide, where they are trapped by two layers of silicon that sandwich the silicon dioxide.

The Sandia researchers found that:

A positive low voltage applied to one side of the silicon repels the protons to the far side of the silicon dioxide.

A negative low voltage applied to the silicon attracts the protons to the near side of the silicon dioxide.

If the power is turned off, the protons stay where they are, retaining information in the chip circuit.

The effect that protons remain in silicon when it is baked at high temperatures in hydrogen gas was first observed as part of a systematic study at Sandia and France Telecom of the effects of hydrogen on silicon.

Life


Internet Blogs
Internet

Today is another sunny day and I still sit on my couch thinking about another boring day for me; there would be no power in my region to run my computer and relieve my boredom. But whatsoever, life never stops. Unfortunately, in life you always think a lot for yourself but it never comes true. I also wove my dreams in my life, but they have broken now. And now I am struggling with my broken dreams to get rid of them, but they still continue to raise endless hope. In life, as I think, it gives you the way it wants to, but when it fails to get the right direction as decided, then life has become messed around and has nothing to stay with. Life is a pouring thing, like water; it always wants to pour in its own direction. When you direct its way by yourself, then it denies. As my dream has broken, I am sheerly confused. Now I am sitting on my chair and thinking about my future life: how is it going to be? After all, I am not leaving my hope, because life is an ongoing property and it never stops. I just want to share my personal family condition with all of you; well, I don't know whether it is right or not as a family member, but after describing it all, I think I will feel better than before, when it was bottled away. I was born in a small village of Bihar, the state of India, called Babhanauli. And then I came to a small town of Bihar, Katihar. I have been brought up here by my aunty. My uncle did not want me as much as my aunty did; they brought me up. I have studied in great difficulty. But forget all that; now I am 23 years old and I think this is the right age to start my career. And I am going abroad to get on with my life. I should think life is the gift of God and we should live it in the manner that life wants, in its own way. Always listen to your life and your heart, because life is precious and so beautiful….

Just a day for our beautiful life that has one end motion even after many hardships and difficulties.

By—Rajesh Kumar

Thank you.

Sunday, August 22, 2010

IEEE 802.22 WRAN Standard


The IEEE 802.22 standard defines a system for a Wireless Regional Area Network, WRAN that uses unused or white spaces within the television bands between 54 and 862 MHz, especially within rural areas where usage may be lower.

To achieve its aims, the 802.22 standard utilises cognitive radio technology to ensure that no undue interference is caused to television services using the television bands. In this way 802.22 is the first standard to fully incorporate the concept of cognitive radio.

The IEEE 802.22 WRAN standard is aimed at supporting license-exempt devices on a non-interfering basis in spectrum that is allocated to the TV Broadcast Service. With operating data rates comparable to those offered by many DSL / ADSL services it can provide broadband connectivity using spectrum that is nominally allocated to other services without causing any undue interference. In this way IEEE 802.22 makes effective use of the available spectrum without the need for new allocations.

IEEE 802.22 background

The IEEE 802.22 standard for a Wireless Regional Area Network or WRAN system has been born out of a number of requirements, and also as a result of developments in many areas of technology.

In recent years there has been a significant proliferation in the number of wireless applications that have been deployed, and along with the more traditional services this has placed a significant amount of pressure on sharing the available spectrum. Coupled with this, there is always a delay in re-allocating any spectrum that may become available.

In addition to this the occupancy levels of much of the spectrum that has already been allocated is relatively low. For example in the USA, not all the TV channels are used as it is necessary to allow guard bands between active high power transmitters to prevent mutual interference. Also not all stations are active all of the time. Therefore by organising other services around these constraints it is possible to gain greater spectrum utilisation without causing interference to other users. Despite the fact that the impetus for 802.22 is coming from the USA, the aim for the standard is that it can be used within any regulatory regime.

One particular technology that is key to the deployment of new services that may bring better spectrum utilisation is cognitive radio technology. By using this, the radios can sense their environment and adapt accordingly. The use of cognitive radio technology is therefore key to the new IEEE 802.22 WRAN standard.

IEEE 802.22 standard history

The concept for 802.22 can trace its origins back to the first ideas for cognitive radio. With the development of technologies for the software defined radio, J Mitola in his doctoral thesis in 2000 coined the name "Cognitive Radio" for a form of radio that would change its performance by detecting its environment and changing accordingly.

In 2004 the FCC issued an NPRM (notice of proposed rulemaking) regarding the television spectrum. As a result, in November 2004 the IEEE 802.22 working group was formed to develop a WRAN system that would deliver broadband connectivity, particularly to rural areas, by sharing the television spectrum.

By May 2006 draft v0.1 of the IEEE 802.22 standard was available, although much work was still required. Also discussions were required with broadcasters whose spectrum was being shared as they were fearful of interference and reduced revenues from advertising as a result.

The standard is expected to be completed by the first quarter of 2010 and with this some of the first networks could be deployed.

802.22 basics

There are a number of elements that were set down for the basis of the 802.22 standard. These include items such as the system topology, system capacity and the projected coverage for the system. By setting these basic system parameters in place, the other areas fall into place.
System topology: The system is intended to be a point-to-multipoint system, i.e. it has a base station with a number of users or Customer Premises Equipments, CPEs, located within a cell. The base station links back to the main network, transmits data on the downlink to the various users and receives data from the CPEs in the uplink. It also controls the medium access and, in addition to these traditional roles for a base station, it manages the "cognitive radio" aspects of the system. It uses the CPEs to perform a distributed measurement of the signal levels of possible television (or other) signals on the various channels at their individual locations. These measurements are collected and collated and the base station decides whether any actions are to be taken. In this way the IEEE 802.22 standard is one of the first cognitive radio networks that has been defined.
Coverage area: The coverage area for the IEEE 802.22 standard is much greater than many other IEEE 802 standards - 802.11, for example, is limited to less than 50 metres in practice. However for 802.22, the specified range for a CPE is 33 km and in some instances base station coverage may extend to 100 km. To achieve the 33 km range, the power level of the CPE is 4 Watts EIRP (effective isotropic radiated power, i.e. radiated power relative to an isotropic source).
System capacity: The system has been defined to enable users to achieve a level of performance similar to that of the DSL services available. This equates to a downlink or download speed of around 1.5 Mbps at the cell periphery and an uplink or upstream speed of 384 kbps. These figures assume 12 simultaneous users. To attain this the overall system capacity must be 18 Mbps in the downlink direction.

In order to be able to meet these requirements using a 6 MHz television channel, a spectral efficiency of around 3 bit/s/Hz is required to give the required physical layer raw data transfer rate.
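As an added example (not part of the article or of the IEEE 802.22 specification), the following C++ sketches the base station role described above: each CPE reports the power it measures on every TV channel, the base station fuses the reports with an OR rule so that any single CPE's detection marks a channel occupied, and the capacity figures from the text are carried through to the 3 bit/s/Hz requirement. The -100 dBm threshold, the channel numbers, the report values and all function names are constructed assumptions, not values taken from the standard.

```cpp
#include <algorithm>
#include <cstdio>
#include <map>
#include <set>
#include <vector>

// One CPE's distributed measurement: the power it sees on each TV channel.
struct CpeReport {
    int cpe_id;
    std::map<int, double> power_dbm;   // channel number -> measured power in dBm
};

// OR fusion at the base station: a channel counts as occupied if any single
// CPE reports power above the detection threshold. One CPE sitting near a TV
// transmitter is enough to protect that incumbent for the whole cell.
std::set<int> occupied_channels(const std::vector<CpeReport>& reports,
                                double threshold_dbm) {
    std::set<int> busy;
    for (const CpeReport& r : reports)
        for (const auto& kv : r.power_dbm)
            if (kv.second > threshold_dbm) busy.insert(kv.first);
    return busy;
}

// Channels the base station may use: the candidates minus everything any CPE
// found occupied, returned sorted so the caller can pick deterministically.
std::vector<int> usable_channels(const std::vector<int>& candidates,
                                 const std::vector<CpeReport>& reports,
                                 double threshold_dbm) {
    std::set<int> busy = occupied_channels(reports, threshold_dbm);
    std::vector<int> out;
    for (int ch : candidates)
        if (!busy.count(ch)) out.push_back(ch);
    std::sort(out.begin(), out.end());
    return out;
}

// Capacity figures from the text: per-user cell-edge rate times simultaneous
// users gives the aggregate downlink rate; dividing by the channel width gives
// the raw PHY spectral efficiency the air interface has to deliver.
double required_downlink_bps(int users, double per_user_bps) {
    return users * per_user_bps;
}
double required_spectral_efficiency(double aggregate_bps, double channel_hz) {
    return aggregate_bps / channel_hz;
}

// Constructed sample reports (not measured data): three CPEs, channels 21-24.
// Only CPE 2 sees a strong signal on channel 22; only CPE 3 sees one on 24.
std::vector<CpeReport> sample_reports() {
    return {
        {1, {{21, -110.0}, {22, -108.0}, {23, -112.0}, {24, -109.0}}},
        {2, {{21, -111.0}, {22,  -60.0}, {23, -113.0}, {24, -107.0}}},
        {3, {{21, -109.0}, {22, -105.0}, {23, -111.0}, {24,  -75.0}}},
    };
}

int main() {
    std::vector<int> ok = usable_channels({21, 22, 23, 24}, sample_reports(), -100.0);
    std::printf("usable channels:");
    for (int ch : ok) std::printf(" %d", ch);
    std::printf("\nrequired PHY efficiency: %.1f bit/s/Hz\n",
                required_spectral_efficiency(required_downlink_bps(12, 1.5e6), 6e6));
    return 0;
}
```

The OR rule is deliberately conservative. The CPEs are the only sensors the base station has, and a single CPE next to a transmitter the base station itself cannot hear is exactly the case that protects the incumbent broadcaster; the price is that one CPE with a spurious high reading takes a channel out of service for the whole cell.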

Monday, August 16, 2010

A study of knowledge management


In the prevailing uncertain and ever-changing business environment knowledge has become the single certain source for sustainable competitive advantage. Learning from past mistakes and avoiding reinventing the wheel are crucial tasks and no organization can today afford not to look for ways to make the best use of its knowledge. With Siemens Industrial Turbomachinery AB (SIT) being an actor in a complex and high-technology industry managing and leveraging the organization’s knowledge becomes essential. It came to the authors’ attention that the project manager department (GL) within the gas division of SIT experienced a need for improved processes for managing and utilizing the organization’s knowledge-base.

On the first of January 2010 Siemens carried out a major reorganization, which affected SIT and the GL department by merging two previously separate departments of project managers into one unit. With efforts underway to harmonize the two departments' former working methods, the situation made it timely to conduct a study on how to improve the company's knowledge management initiative. This master thesis hence evolved to focus on examining and pointing out the improvement opportunities that exist with regard to knowledge sharing between projects, and between projects and the organization, and how tools and processes should be designed to collect, preserve, disseminate and reuse experiences, knowledge and lessons learned within a project-based organization in the best possible way.

The research approach of the study was of a qualitative character including interviews with the 16 project managers of GL and other key employees both at SIT and at Siemens Oil & Gas division’s new CS and IP business units. Combined with meeting participation and observations of the project managers in their daily operations an increased understanding of the current situation at SIT and GL emerged; an understanding needed to identify the reasons and factors affecting the low degree of retention and utilization of the organization’s knowledge-base; an understanding leading up to the development of a model highlighting the important aspects for successful knowledge management initiatives, and how these aspects correlate.

In order to improve the knowledge utilization a continuous lessons learned gathering throughout the project life-cycle needs to be implemented. This is primarily achieved through collecting lessons learned at the regular project meetings together with special lessons learned workshops. The collection and reutilization of knowledge hence needs to be integrated with the project management process. Improving the different forums available for knowledge sharing is also needed to enable an increased level of transformation of human capital into structural capital; augmenting the organization’s knowledge-base. Providing forums for knowledge sharing together with a visualized management support through actions, feedback and the introduction of a culture aimed at organizational learning further enhance the retention and utilization of the organization’s knowledge-base.

Although the approach of this study is based on a case study of the SIT organization, the conclusions are regarded to be of value for other project-based organizations, allowing them to be generalized and used within other lines of business. The generic conclusion of this study is that in order to implement a successful knowledge management initiative all factors of the model need to be considered and attended to.

Monday, August 9, 2010

System Implementation


The implementation of the algorithms described in Chapter 3 consists of approximately 7000 lines of C++.
This code is logically divided into components that match the system diagram in Figure 3.1. In this Chapter
we will explain the details of our implementation, focusing on the instrumentation and analysis routines that
make up the core of the system and the corresponding data structures.
4.1 Binary Instrumentation
The implementation of stage 1 of our algorithm is essentially two components that work in tandem to
perform instrumentation and run-time analysis. Using the functionality provided by Pin we instrument a
variety of events, including thread creation, system calls, and instruction execution. The instrumentation
code analyses the events and registers callbacks to the correct run-time processing routines.
4.1.1 Hooking System Calls
All taint analysis algorithms require some method to seed an initial pool of tainted locations. One approach
is to hook system calls known to read data that may be potentially tainted by attacker input, e.g. read.
Another potential approach is to hook specific library calls, but as previously pointed out [14] this could
require one to hook large numbers of library calls instead of a single system call on which they all rely.
To mark memory locations as tainted we hook the relevant system calls and extract their destination
locations. Pin allows us to register functions to be called immediately before a system call is executed
(PIN_AddSyscallEntryFunction) and after it returns (PIN_AddSyscallExitFunction). We use
this functionality to hook read, recv and recvfrom. When a system call is detected we extract the
destination buffer of the call using PIN_GetSyscallArgument and store the location. This provides
us with the start address for a sequence of tainted memory locations.
When a system call returns we extract its return value using PIN_GetSyscallReturn. For the system
calls we hook, a return value greater than 0 means the call succeeded and data was read in, and that value
is exactly the number of contiguous bytes from the start address that we should consider tainted; a return
value of 0 (end of input) or a negative error code taints nothing. On a successful system call we first store
the data read in, the destination memory location and the file or socket it came from in a DataSource
object. The DataSource class is a class we created to allow us to keep track of any input data so that it
can be recreated later when building the exploit. It also allows us to determine what input source must be
used in order to deliver an exploit to the target program. Once the DataSource object has been stored we
mark the range of the destination buffer as tainted.
Once a location has been marked as tainted the instruction level instrumentation code can propagate the
taint information through the program's memory and registers.
4.1.2 Hooking Thread Creation and Signals
As well as system calls we insert hooks on thread creation and on signals received from the OS. In multithreaded
applications it is necessary for us to determine when threads are created and destroyed and to
identify the currently active thread when calling our analysis routines. Threads do not share registers so
a register that is tainted by one thread should not be marked as tainted for any others. When a thread is
created we instantiate a new object in our taint analysis engine that represents the taint state of its registers.
This object is deleted when the thread is destroyed.
As mentioned in Chapter 3, one of the mechanisms one could potentially use to detect a possible vulnerability
is to analyse any signals sent to the program. Using the function PIN_AddContextChangeFunction
we can register a routine to intercept such signals. If the signal indicates a fault, such as SIGSEGV or
SIGABRT (SIGKILL cannot be intercepted by a user-space tool, so it is not a usable trigger), we pause the
program and attempt to generate an exploit. We eventually decided not to use this mechanism for
vulnerability detection as it introduced complications when attempting to determine the exact cause of
the signal and hence the vulnerability.
4.1.3 Hooking Instructions for Taint Analysis
In Chapter 3 all of the binary instrumentation was described by Algorithm 3.1. In this section we elaborate
on the methods by which this instrumentation takes place.
Our taint analysis engine provides a low level API through the TaintManager class. This class provides
methods for directly marking memory regions and registers as tainted or untainted. To reflect the
taint semantics of each x86 instruction at run-time we created another class titled x86Simulator. This
class interacts directly with the TaintManager class and provides a higher level API to the rest of our
analysis client. For each x86 instruction X the x86Simulator contains one or more functions with names
beginning with simX, e.g. the simMov_* functions correspond to the mov instruction. Each of these
functions takes arguments specifying the operands of the x86 instruction and computes the set of tainted
locations resulting from the instruction and these operands.
For each instruction, taint analysis is performed by inserting a callback into the instruction stream to the
correct simulate function and providing it with the instruction's operands. As Pin does not utilise an IR this
requires us to do some extra processing on each instruction in order to determine the required simulation
function and extract the instruction's operands.
The x86Simulator class provides a mechanism for taint analysis but to use it we must have a method of
analysing individual x86 instructions. Pin allows one to register a function to hook every executed instruction
via INS_AddInstrumentFunction. We use this function to filter out those instructions we wish to process.
For every instruction executed we first determine exactly what instruction it is so we can model its taint
semantics. This process is made easier as Pin assigns each instruction to one or more categories, e.g. the
movsb instruction belongs to the XED_CATEGORY_STRINGOP category. It also assigns each instruction a
unique opcode class, e.g. XED_ICLASS_MOVSB for the movsb instruction. An example of the code that
performs this filtering is shown in Listing 4.1.
This code allows us to determine the type of instruction being executed. The code to process the actual
instruction and insert the required callback is encapsulated in the processX86.processX functions.
Inserting Taint Analysis Callbacks
When hooking an instruction the goal is to determine the correct x86Simulator function to register a
callback to so that at run-time we can model the taint semantics of the instruction correctly. The code in
Listing 4.1 allows us to determine the instruction being executed but each instruction can have different
taint semantics depending on the types of its operands. For example, the x86 mov instruction can occur
in a number of different forms with the destination and source operands potentially being one of several
combinations of memory locations, registers and constants. In order to model the taint semantics of the
instruction we must also know the type of each operand as well as the type of the instruction. Listing 4.2
demonstrates the use of the Pin API to extract the required operand information for the mov instruction.
The code shown is part of the processX86.processMOV function.
Listing 4.1: “Filtering x86 instructions”
UINT32 cat = INS_Category(ins);

switch (cat) {
case XED_CATEGORY_STRINGOP:
    switch (INS_Opcode(ins)) {
    case XED_ICLASS_MOVSB:
    case XED_ICLASS_MOVSW:
    case XED_ICLASS_MOVSD:
        processX86.processREP_MOV(ins);
        break;
    case XED_ICLASS_STOSB:
    case XED_ICLASS_STOSD:
    case XED_ICLASS_STOSW:
        processX86.processSTO(ins);
        break;
    default:
        insHandled = false;
        break;
    }
    break;

case XED_CATEGORY_DATAXFER:

...
Listing 4.2: “Determining the operand types for a mov instruction”
// Operand classification for mov; each flag selects a different simulation routine
bool writesM = false, writesR = false, readsM = false, readsR = false, sourceIsImmed = false;

if (INS_IsMemoryWrite(ins)) {
    writesM = true;
} else {
    writesR = true;
}

if (INS_IsMemoryRead(ins)) {
    readsM = true;
} else if (INS_OperandIsImmediate(ins, 1)) {
    sourceIsImmed = true;
} else {
    readsR = true;
}
Listing 4.3: “Inserting the analysis routine callbacks for a mov instruction”
if (writesM) {
    INS_InsertCall(ins, IPOINT_BEFORE, AFUNPTR(&x86Simulator::simMov_RM),
                   IARG_MEMORYWRITE_EA,
                   IARG_MEMORYWRITE_SIZE,
                   IARG_UINT32, INS_RegR(ins, INS_MaxNumRRegs(ins)-1),
                   IARG_INST_PTR,
                   IARG_END);
} else if (writesR) {
    if (readsM)
        INS_InsertCall(ins, IPOINT_BEFORE, AFUNPTR(&x86Simulator::simMov_MR), ..., IARG_END);
    else
        INS_InsertCall(ins, IPOINT_BEFORE, AFUNPTR(&x86Simulator::simMov_RR), ..., IARG_END);
}
Once the operand types have been extracted we can determine the correct function in x86Simulator
to register as a callback. The x86Simulator class contains a function for every x86 instruction we wish
to analyse and for each instruction it contains one or more variants depending on the possible variations in
its operand types. For example, a mov instruction takes two operands; ignoring constants it can move data
from memory to a register, from a register to a register or from a register to memory. This results in three
functions in x86Simulator to handle the mov instruction: simMov_MR, simMov_RR and simMov_RM.
The code in Listing 4.3 is from the function processX86.processMOV. It uses the function INS_InsertCall
to insert a callback to the correct analysis routine depending on the types of the mov instruction's operands.
Along with the callback function to register, INS_InsertCall takes the parameters to pass to this function¹.
This process is repeated for any x86 instructions we consider to propagate taint information.
Under-approximating the Set of Tainted Locations
Due to time constraints on our implementation we have not created taint simulation functions for all possible
x86 instructions. In order to avoid false positives it is therefore necessary to have a default action for all
non-simulated instructions. This default action is to untaint all destination operands of the instruction. Pin
provides API calls that allow us to access the destination operands of an instruction without considering its
exact semantics. By untainting these destinations we ensure that all locations that we consider to be tainted
are in fact tainted. We perform a similar process for instructions that modify the EFLAGS register but are
not instrumented.
4.1.4 Hooking Instructions to Detect Potential Vulnerabilities
We detect potential vulnerabilities by checking the arguments to certain instructions. For a direct exploit
we require either that the value pointed to by the ESP register at a ret instruction is tainted, or that the
memory location or register used as the target of a call instruction is tainted. We can extract the value of
ESP using the IARG_REG_VALUE placeholder provided by Pin, and the operands of call instructions can be
extracted in the same way as for the taint analysis callbacks.
For an indirect exploit we must check that the destination address of the write instruction is tainted, rather
than the value at that address. As described in [19], a memory operand of an x86 instruction can have a
number of constituent components, with the effective address computed as follows²:
Effective address = Displacement + BaseReg + IndexReg * Scale
In order to exploit a write vulnerability we must control one or more of these components. Pin provides
functions to extract each component of an effective address, e.g. INS_OperandMemoryDisplacement,
INS_OperandMemoryIndexReg and so on. For each instruction that writes to memory we insert a callback
to a run-time analysis routine that takes these address components as parameters, along with the value of
the write source.
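The following is an added example, not code from the dissertation's implementation: a byte-granular taint engine in the style of the TaintManager and x86Simulator classes described in Sections 4.1.1, 4.1.3 and 4.1.4, driven by a hand-constructed trace instead of Pin callbacks. It seeds taint from a hooked read the way the syscall-exit hook does (a return value of 0 or less taints nothing) and records a DataSource-like object per read, propagates taint through the three mov forms, applies the untaint-the-destinations default to an unmodelled instruction, and runs the ret and write-address checks. All names, the register model (one thread, registers named by string) and the trace are assumptions of the example.

```cpp
#include <cstddef>
#include <cstdint>
#include <map>
#include <string>
#include <vector>

using Addr = uint32_t;
// Provenance of one tainted byte: input source and offset within it, so a memory
// byte can later be mapped back to the input byte that produced it.
struct TaintInfo { int sourceId; uint32_t offset; };
// Plays the role of the DataSource object: what a hooked syscall read and on which
// descriptor, so the input can be rebuilt and delivered through the same channel.
struct DataSource { int fd; std::string kind; std::vector<uint8_t> data; };

class TaintManager {
public:
    std::vector<DataSource> sources;
    // Syscall-exit hook: only a return value > 0 means data was read, and it bounds
    // the contiguous tainted range that starts at the destination buffer.
    void seedFromSyscall(int fd, const std::string& kind, Addr buf, long ret,
                         const uint8_t* bytes) {
        if (ret <= 0) return;                        // error or EOF: nothing tainted
        int id = static_cast<int>(sources.size());
        sources.push_back({fd, kind, std::vector<uint8_t>(bytes, bytes + ret)});
        for (long i = 0; i < ret; ++i)
            mem[buf + static_cast<Addr>(i)] = {id, static_cast<uint32_t>(i)};
    }
    // A range counts as tainted only if every byte is; a partially tainted range is
    // reported clean, which keeps the analysis an under-approximation.
    bool isMemTainted(Addr addr, uint32_t size) const {
        for (uint32_t i = 0; i < size; ++i) if (!mem.count(addr + i)) return false;
        return size > 0;
    }
    bool isRegTainted(const std::string& reg) const { return regs.count(reg) > 0; }
    std::vector<TaintInfo> memTaint(Addr addr, uint32_t size) const {
        std::vector<TaintInfo> out;
        for (uint32_t i = 0; i < size; ++i) out.push_back(mem.at(addr + i));
        return out;
    }
    std::vector<TaintInfo> regTaint(const std::string& reg) const { return regs.at(reg); }
    void taintReg(const std::string& reg, const std::vector<TaintInfo>& t) { regs[reg] = t; }
    void taintMem(Addr addr, const std::vector<TaintInfo>& t) {
        for (size_t i = 0; i < t.size(); ++i) mem[addr + static_cast<Addr>(i)] = t[i];
    }
    void untaintReg(const std::string& reg) { regs.erase(reg); }
    void untaintMem(Addr addr, uint32_t size) {
        for (uint32_t i = 0; i < size; ++i) mem.erase(addr + i);
    }
    size_t taintedBytes() const { return mem.size(); }
private:
    std::map<Addr, TaintInfo> mem;                       // byte address -> provenance
    std::map<std::string, std::vector<TaintInfo>> regs;  // one thread's tainted registers
};

// The three mov forms of the simulator, with copy semantics: the destination takes
// exactly the source's taint, and is untainted when the source is clean.
void simMov_MR(TaintManager& t, const std::string& dst, Addr src, uint32_t size) {
    if (!t.isMemTainted(src, size)) { t.untaintReg(dst); return; }
    t.taintReg(dst, t.memTaint(src, size));
}
void simMov_RM(TaintManager& t, Addr dst, uint32_t size, const std::string& src) {
    if (!t.isRegTainted(src)) { t.untaintMem(dst, size); return; }
    t.taintMem(dst, t.regTaint(src));
}
void simMov_RR(TaintManager& t, const std::string& dst, const std::string& src) {
    if (!t.isRegTainted(src)) { t.untaintReg(dst); return; }
    t.taintReg(dst, t.regTaint(src));
}
// Default for an instruction with no simulate function: untaint its destinations,
// so nothing stays marked tainted that might not be.
void simUnmodelled(TaintManager& t, const std::vector<std::string>& dstRegs,
                   Addr dstMem, uint32_t dstMemSize) {
    for (const auto& r : dstRegs) t.untaintReg(r);
    if (dstMemSize) t.untaintMem(dstMem, dstMemSize);
}
// Direct hijack check at ret: the 4-byte return address at ESP is tainted.
bool retIsControllable(const TaintManager& t, Addr esp) { return t.isMemTainted(esp, 4); }
// Indirect (write) check: effective address = disp + base + index*scale, so the
// destination is attacker-influenced if the base or index register is tainted.
bool writeAddrIsControllable(const TaintManager& t, const std::string& base,
                             const std::string& index) {
    return (!base.empty() && t.isRegTainted(base)) || (!index.empty() && t.isRegTainted(index));
}

// Constructed trace: recv on fd 3 reads 8 bytes into 0x1000, a failed read seeds
// nothing, bytes 4..7 travel via eax and ebx into the stack slot a later ret pops,
// then an unmodelled instruction clobbers both registers. Returns the input offset
// the return address comes from, or a negative code if a check fails.
int demoTrace() {
    TaintManager t;
    const uint8_t pkt[8] = {'A', 'A', 'A', 'A', 'B', 'B', 'B', 'B'};
    t.seedFromSyscall(3, "socket", 0x1000, 8, pkt);   // recv(3, 0x1000, ...) == 8
    t.seedFromSyscall(0, "file", 0x3000, -1, pkt);    // read(0, 0x3000, ...) == -1
    simMov_MR(t, "eax", 0x1004, 4);                   // mov eax, [0x1004]
    simMov_RR(t, "ebx", "eax");                       // mov ebx, eax
    simMov_RM(t, 0x2000, 4, "ebx");                   // mov [esp], ebx
    simUnmodelled(t, {"eax", "ebx"}, 0, 0);           // some op we do not model
    if (t.taintedBytes() != 12 || t.isRegTainted("ebx")) return -3;
    if (writeAddrIsControllable(t, "eax", "ebx")) return -2;
    if (!retIsControllable(t, 0x2000)) return -1;
    return static_cast<int>(t.memTaint(0x2000, 4)[0].offset);   // 4
}
```

The offset returned by demoTrace is what the exploit builder needs: it identifies which bytes of the DataSource recorded for fd 3 must carry the new return address. Note that a partially tainted range and an unmodelled destination are both resolved towards "untainted", which is the under-approximation the text describes; a real engine would also key the register map by thread ID.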
¹ At instrumentation-time it is sometimes not possible to determine the exact operand values an instruction will have at run-time.
To facilitate passing such information to run-time analysis routines Pin provides placeholder values. These placeholders
are replaced by Pin with the corresponding value at run-time. For example, there are placeholders for the address written
by the instruction (IARG_MEMORYWRITE_EA) and the amount of data written (IARG_MEMORYWRITE_SIZE). There are a number
of other placeholders defined for retrieving common variables such as the current thread ID, instruction pointer and register
values.
² From the Pin website, http://www.pintool.org
4.1.5 Hooking Instructions to Gather Conditional Constraints
As described in Chapter 3, to gather constraints from conditional instructions we record the operands
of instructions that modify the EFLAGS register and then generate constraints on these operands when
a conditional jump is encountered. Detecting if an instruction writes to the EFLAGS register is done
by checking if the EFLAGS register is in the list of written registers for the current instruction, i.e. whether
INS_RegWContain(ins, REG_EFLAGS) is true. If an instruction does write to the EFLAGS register we
can extract from it a bitmask describing those flags written.
Using the same INS_Is* functions as shown in Listing 4.2 we determine the types of each operand.
Once again this is necessary as we use a different simulation function for each combination of operand types,
where an operand type can be a memory location, register or constant. Once the operand types have been
discovered we register a callback to the correct run-time routine, passing it the instruction operands and a
bitmask describing the bits changed in the EFLAGS register. Listing 4.4 exemplifies how the callback is
registered for a two operand instruction where the first operand is a memory location and the second is a
register.
On lines 3 and 4 the Pin placeholders to extract the memory location used and its size are used. The
register ID is extracted on line 5 and passed as a 32-bit integer. Similarly the bitmask describing the EFLAGS
bits modified is passed as a 32-bit integer on line 6.
Listing 4.4: “Inserting a callback on EFLAGS modification”
1 if (op0Mem && op1Reg) {
2     INS_InsertCall(ins, IPOINT_BEFORE, AFUNPTR(&x86Simulator::updateEflagsInfo_RM),
3                    IARG_MEMORYREAD_EA,
4                    IARG_MEMORYREAD_SIZE,
5                    IARG_UINT32, INS_RegR(ins, INS_MaxNumRRegs(ins)-1),
6                    IARG_UINT32, eflagsMask,
7                    IARG_CONTEXT,
8                    IARG_THREAD_ID,
9                    IARG_INST_PTR,
10                   IARG_END);
11 }
Inserting Callbacks to Record Conditions from Conditional Jumps
The above code is used to keep track of the operands on which conditional jumps depend. To then
convert this information to a constraint we need to instrument the conditional jumps themselves. Algorithm
3.1 in Chapter 3 described the process of instrumenting a conditional jump instruction. We insert two
callbacks for each conditional jump: one on the path resulting from a true condition and one on the path
resulting from a false condition. Listing 4.5 shows this. The IPOINT_AFTER callback runs when the jump
falls through and the IPOINT_TAKEN_BRANCH callback runs when it is taken, and the boolean argument
(true on the fall-through callback, false on the taken-branch one) tells addJccCondition which of the two
paths was followed.
Listing 4.5: “Inserting callbacks on a conditional jump”
VOID
processJCC(INS ins, JCCType jccType)
{
    unsigned eflagsMask = extractEflagsMask(ins, true);
    INS_InsertCall(ins, IPOINT_AFTER, AFUNPTR(&x86Simulator::addJccCondition),
                   IARG_UINT32, eflagsMask,
                   IARG_BOOL, true,
                   IARG_UINT32, jccType,
                   IARG_INST_PTR,
                   IARG_END);

    INS_InsertCall(ins, IPOINT_TAKEN_BRANCH, AFUNPTR(&x86Simulator::addJccCondition),
                   IARG_UINT32, eflagsMask,
                   IARG_BOOL, false,
                   IARG_UINT32, jccType,
                   IARG_INST_PTR,
                   IARG_END);
}
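As an added example (not the dissertation's code), here is the run-time side of the mechanism that Listings 4.4 and 4.5 instrument: an EFLAGS-writing instruction deposits its operands and the mask of flags it wrote, and the conditional-jump callback, given the direction observed on the recorded run, turns them into a constraint that keeps the next input on the same path. The flag-bit constants, the operand and jcc encodings and the trace are assumptions of the example. The mask check is the reason the bitmask is passed at all: the last step of the trace shows the recorder refusing to emit a constraint when the branch depends on a flag that the most recent flag-writing instruction did not set.

```cpp
#include <cstdint>
#include <string>
#include <vector>

// EFLAGS bit positions (assumed constants for this example) and the set an
// arithmetic instruction such as cmp or sub writes.
constexpr uint32_t CF = 1u << 0, PF = 1u << 2, AF = 1u << 4, ZF = 1u << 6,
                   SF = 1u << 7, OF = 1u << 11;
constexpr uint32_t ARITH = CF | PF | AF | ZF | SF | OF;

// An operand of the flag-writing instruction: either a tainted range of input
// bytes (offset and width into the input) or a concrete value.
struct Operand {
    bool symbolic; uint32_t offset; uint32_t width; int32_t value;
    std::string str() const {
        if (symbolic) return "in[" + std::to_string(offset) + ":" + std::to_string(width) + "]";
        return std::to_string(value);
    }
};
enum Jcc { JE, JNE, JL, JGE, JB, JAE };

class ConstraintRecorder {
public:
    std::vector<std::string> constraints;

    // Callback for an instruction that writes EFLAGS: keep its operands and the
    // mask of flag bits it actually set (cmp sets all six; inc leaves CF alone).
    void onFlagsWrite(Operand lhs, Operand rhs, uint32_t mask) {
        last = Pending{lhs, rhs, mask};
        haveLast = true;
    }
    // Callback at the jcc with the direction observed on the recorded run. Returns
    // the constraint that keeps execution on that path, or "" when the condition
    // involves no input or depends on flags the recorded instruction did not write.
    std::string onJcc(Jcc type, bool taken) {
        if (!haveLast) return "";
        uint32_t need = (type == JE || type == JNE) ? ZF
                      : (type == JL || type == JGE) ? (SF | OF) : CF;
        if ((last.mask & need) != need) return "";               // flags came from elsewhere
        if (!last.lhs.symbolic && !last.rhs.symbolic) return ""; // constant condition
        // Fold the jcc polarity into the direction: cond is true iff "lhs op rhs" held.
        bool cond = (type == JNE || type == JGE || type == JAE) ? !taken : taken;
        const char* op = (type == JE || type == JNE) ? (cond ? "==" : "!=")
                       : (type == JL || type == JGE) ? (cond ? "<s" : ">=s")
                                                     : (cond ? "<u" : ">=u");
        std::string c = last.lhs.str() + " " + op + " " + last.rhs.str();
        constraints.push_back(c);
        return c;
    }
private:
    struct Pending { Operand lhs, rhs; uint32_t mask; };
    Pending last{};
    bool haveLast = false;
};

// Constructed trace (assumed): a magic-byte check, a length check, and finally a jb
// whose CF was not written by the immediately preceding inc, so nothing is recorded
// for it rather than a wrong constraint.
std::vector<std::string> demoPath() {
    ConstraintRecorder r;
    Operand magic{true, 3, 1, 0}, len{true, 0, 4, 0};
    r.onFlagsWrite(magic, Operand{false, 0, 0, 0x41}, ARITH);   // cmp byte [in+3], 'A'
    r.onJcc(JNE, false);                                        // jne not taken
    r.onFlagsWrite(len, Operand{false, 0, 0, 0x100}, ARITH);    // cmp dword [in], 0x100
    r.onJcc(JB, false);                                         // jb not taken
    r.onFlagsWrite(len, Operand{false, 0, 0, 1}, ARITH & ~CF);  // inc: CF untouched
    r.onJcc(JB, true);                                          // jb taken: dropped
    return r.constraints;
}
```

demoPath returns the two constraints "in[3:1] == 65" and "in[0:4] >=u 256", which is the form a decision procedure needs to keep a modified input on the recorded path. Dropping the third condition instead of guessing is deliberate: a constraint on the wrong operands would over-constrain the input and make a satisfiable exploit look impossible.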
Listing 4.6: “Simulating a mov instruction”
VOID
x86Simulator::simMov_MR(UINT32 regId, ADDRINT memR, ADDRINT memRSize, THREADID id, ADDRINT pc)
{
    SourceInfo si;

    // If the source location is not tainted then untaint the destination
    if (!tmgr.isMemLocTainted(memR, memRSize)) {
        tmgr.unTaintReg(regId, id);
        return;
    }

    // Set the information on the source operand
    si.type = MEMORY;
    // The mov instruction reads from address memR
    si.loc.addr = memR;

    vector<SourceInfo> sources;
    sources.push_back(si);

    // Record a copy of memRSize bytes from the source and attach it to the register
    TaintInfoPtr tiPtr = tmgr.createNewTaintInfo(sources, (unsigned)memRSize,
                                                 DIR_COPY, X_ASSIGN, 0);
    tmgr.updateTaintInfoR(regId, tiPtr, id);
}

MSc Computer Science Dissertation

Chapter 1
Introduction
1.1 Introduction
In this work we will consider the problem of automatic generation of exploits for software vulnerabilities. We
provide a formal definition for the term “exploit” in Chapter 2 but, informally, we can describe an exploit
as a program input that results in the execution of malicious code¹. We define malicious code as a sequence
of bytes injected by an attacker into the program that subverts the security of the targeted system. This is
typically called shellcode. Exploits of this kind often take advantage of programmer errors relating to memory
management or variable typing in applications developed in C and C++. These errors can lead to buffer
overflows in which too much data is written to a memory buffer, resulting in the corruption of unintended
memory locations. An exploit will leverage this corruption to manipulate sensitive memory locations with
the aim of hijacking the control flow of the application.
Such exploits are typically built by hand and require manual analysis of the control flow of the application
and the manipulations it performs on input data. In applications that perform complex arithmetic
modifications or impose extensive conditions on the input this is a very difficult task. The task resembles
many problems to which automated program analysis techniques have already been successfully applied
[38, 27, 14, 43, 29, 9, 10, 15]. Much of this research describes systems that consist of data-flow analysis in
combination with a decision procedure. Our approach extends techniques previously used in the context of
other program analysis problems and also encompasses a number of new algorithms for situations unique to
exploit generation.
1.2 Motivation
Due to constraints on time and programmer effort it is necessary to triage software bugs into those that
are serious versus those that are relatively benign. In many cases security vulnerabilities are of critical
importance but it can be difficult to decide whether a bug is usable by an attacker for malicious purposes or
not. Crafting an exploit for a bug is often the only way to reliably determine if it is a security vulnerability.
This is not always feasible though as it can be a time consuming activity and requires low-level knowledge
of file formats, assembly code, operating system internals and CPU architecture. Without a mechanism
to create exploits developers risk misclassifying bugs. Classifying a security-relevant bug incorrectly could
result in customers being exposed to the risk for an extended period of time. On the other hand, classifying
a benign bug as security-relevant could slow down the development process and cause extensive delays as it
is investigated. As a result, there has been an increasing interest in techniques applicable to Automatic
Exploit Generation (AEG).
¹ We consider exploits for vulnerabilities resulting from memory corruption. Such vulnerabilities are among the most common
encountered in modern software. They are typically exploited by injecting malicious code and then redirecting execution to
that code. Other vulnerability types, such as those relating to design flaws or logic problems, are not considered here.
The challenge of AEG is to construct a program input that results in the execution of shellcode. As the
starting point for our approach we have decided to use a program input that is known to cause a crash.
Modern automated testing methods routinely generate many of these inputs in a testing session, each of
which must be manually inspected in order to determine the severity of the underlying bug.
Previous research on automated exploit generation has addressed the problem of generating inputs that
corrupt the CPU’s instruction pointer. This research is typically criticised by pointing out that crashing a
program is not the same as exploiting it [1]. Therefore, we believe it is necessary to take the AEG process a
step further and generate inputs that not only corrupt the instruction pointer but result in the execution of
shellcode. The primary aim of this work is to clarify the problems that are encountered when automatically
generating exploits that fit this description and to present the solutions we have developed.
We perform data-flow analysis over the path executed as a result of supplying a crash-causing input
to the program under test. The information gathered during data-flow analysis is then used to generate
propositional formulae that constrain the input to values that result in the execution of shellcode. We
motivate this approach by the observation that at a high level we are trying to answer the question “Is it
possible to change the test input in such a way that it executes attacker specified code?”. At its core, this
problem involves analysing how data is moved through program memory and what constraints are imposed
on it by conditional statements in the code.
1.3 Related Work
Previous work can be categorised by its approach to data-flow analysis and its final result. On one
side is research based on techniques from program analysis and verification. These projects typically use
dynamic run-time instrumentation to perform data-flow analysis and then build formulae describing the
program's execution. While several papers have discussed how to use such techniques to corrupt the CPU's
instruction pointer they do not discuss how this corruption is exploited to execute shellcode. Significant
challenges are encountered when one attempts to take this step from crashing the program to execution of
shellcode.
Alternatives to the above approach are demonstrated in tools from the security community [37, 28] that
use ad-hoc pattern matching in memory to relate the test input to the memory layout of the program at the
time of the crash. An exploit is then typically generated by using this information to complete a template.
This approach suffers from a number of problems as it ignores modifications and constraints applied to
program input. As a result it can produce both false positives and false negatives, without any information
as to why the exploit failed to work or failed to be generated.
The following are papers that deal directly with the problem of generating exploits:
(i) Automatic Patch-Based Exploit Generation is Possible: Techniques and Implications - This paper [11]
is the closest academic paper, in terms of subject matter, to our work. An approach is proposed and
demonstrated that takes a program P and a patched version P', and produces a sample input for P
that exercises the vulnerability patched in P'. Using the assumption that any new constraints added
by the patched version relate to the vulnerability they generate an input that violates these constraints
but passes all others along a path to the vulnerability point (e.g. the first out of bounds write). The
expected result of providing such an input to P is that it will trigger the vulnerability. Their approach
works on binary executables, using data-flow analysis to derive a path condition and then solving such
conditions using the decision procedure STP to produce a new program input.
As the generated program input is designed to violate the added constraints it will likely cause a
crash due to some form of memory corruption. The possibility of generating an exploit that results
in shellcode execution is largely ignored. In the evaluation a specific case in which the control flow
was successfully hijacked is given, but no description of how this would be automatically achieved is
provided.
(ii) Convicting Exploitable Software Vulnerabilities: An Efficient Input Provenance Based Approach - This
paper [35] again focuses on exploit generation but uses a “suspect input” as its starting point instead
of the differences between two program binaries. Once again data-flow analysis is used to build a path
condition which is then used to generate a new input using a decision procedure. User interaction is
required to specify how to mutate input to meet certain path conditions. As in the previous case,
the challenges and benefits involved in generating an exploit that results in shellcode execution are not
discussed.
(iii) Byakugan - Byakugan [28] is an extension for the Windows debugger, WinDbg, that can search through
program memory and attempt to match sequences of bytes from an input to those found in memory. It
can work with the Metasploit [39] tool to assist in generation of exploits. In terms of the desired end
result, this is similar to our approach although it suffers from the limitations of pattern matching.
When searching in memory the tool accounts for common modifications to data such as converting to
upper/lower case and unicode encoding but will miss all others. It makes no attempt at tracking path
conditions and as a result can offer no guarantees on what parts of the input are safe to change and
still trigger the vulnerability.
(iv) Automated Exploit Development, The future of exploitation is here - This document [37] is a whitepaper
describing the techniques used in the Prototype-8 tool for automated exploit generation. The generation
of control flow hijacking exploits is the focus of the tool. This is achieved by attaching a debugger to
a running process and monitoring its execution for erroneous events as test cases are delivered to the
program. When such an event occurs the tool follows a static set of rules to create an exploit based
on what type of vulnerability was discovered (i.e. it distinguishes between stack and heap overflows).
These rules attempt to determine what parts of the input data overwrote what sensitive data and hence
may be used to gain control of the program execution. Once this is determined these values are used to
generate an exploit based on a template for the vulnerability type. No attempt is made to determine
constraints that may exist on this input or to customise the exploit template to pass these constraints.
(v) Automatic Discovery of API-Level Exploits - In this paper [25] a framework is presented to model the
details of the APIs provided by functions such as printf. Once the effects of these API features have
been formalised they can be used in predicates specifying the conditions required for an exploit. These
predicates can then be automatically solved to provide API call sequences that exploit a vulnerability.
This approach is restricted to creating exploits where all required memory corruption can be introduced
via a single API, such as printf.
As well as the above papers, the BitBlaze project [50] has resulted in a number of papers that do not
deal explicitly with the generation of exploits but do solve related problems. Approaching the issue of
automatically generating signatures for vulnerabilities [9, 10] they describe a number of useful techniques
for gathering constraints up to a particular vulnerability point and using these constraints to describe data
that might constitute an exploit.
There is also extensive previous work on data-flow analysis, taint propagation, constraint solving and
symbolic execution. Combinations of these techniques to other ends, such as vulnerability discovery [27, 14],
dynamic exploit detection [43] and general program analysis [29] are now common.
1.4 Thesis
Our thesis is as follows:
Given an executable program and an input that causes it to crash there exists a sound algorithm to determine
if a control flow hijacking exploit is possible. If a control flow hijacking exploit is possible there exists
an algorithm that will automatically generate this exploit.
The purpose of this work is to investigate the above thesis and attempt to discover and implement a
satisfying algorithm. Due to the sheer number of ways in which a program may crash, and a vulnerability be
exploited, it is necessary to limit our research to a subset of the possible exploit types. In our investigation
we impose the following practical limits:
1. Data derived from user input corrupts a stored instruction pointer, function pointer or the destination
location and source value of a write instruction.
2. Address space layout randomisation may be enabled on the system but no other exploit prevention
mechanisms are in place.
3. Shellcode is not automatically generated and must be provided to the exploit generation algorithm.