Most internet anonymity software leaks users’ details

Virtual Private Networks (VPNs) are legal and increasingly popular for individuals wanting to circumvent censorship, avoid mass surveillance or access geographically limited services like Netflix and BBC iPlayer. Used by around 20 per cent of European internet users, they encrypt users’ internet communications, making it more difficult for people to monitor their activities.

The study of fourteen popular VPN providers found that eleven of them leaked information about the user because of a vulnerability known as ‘IPv6 leakage’. The leaked information ranged from the websites a user is accessing to the actual content of user communications, for example comments being posted on forums. Interactions with websites running HTTPS encryption, which includes financial transactions, were not leaked.

The leakage occurs because network operators are increasingly deploying a new version of the protocol used to run the Internet, called IPv6. IPv6 replaces the previous IPv4, but many VPNs only protect users’ IPv4 traffic. The researchers tested their ideas by choosing fourteen of the most famous VPN providers and connecting various devices to a WiFi access point which was designed to mimic the attacks hackers might use.
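A client-side check for the condition described above, as an added example that is not part of the original article or the study: it reads Linux routing tables and reports whether IPv4 leaves through the VPN tunnel while IPv6 still leaves through the physical interface. The `ip route` samples, the interface names `tun0` and `wlan0`, and the probe addresses are constructed assumptions.

```python
import ipaddress
import re

# Constructed samples of `ip -4 route show` / `ip -6 route show` on a Linux
# client with a VPN up on tun0 over Wi-Fi (wlan0); not captured from a real host.
SAMPLE_V4 = """\
0.0.0.0/1 via 10.8.0.1 dev tun0
128.0.0.0/1 via 10.8.0.1 dev tun0
default via 192.168.1.1 dev wlan0 proto dhcp metric 600
"""
SAMPLE_V6 = """\
2001:db8:1::/64 dev wlan0 proto ra metric 600 pref medium
fe80::/64 dev wlan0 proto kernel metric 256 pref medium
default via fe80::1 dev wlan0 proto ra metric 600 pref medium
"""
BLOCK_TYPES = {"unreachable", "blackhole", "prohibit"}

def parse_routes(text, family):
    """Return [(network, device)]; device is None when the route drops traffic."""
    routes = []
    for line in text.splitlines():
        tok = line.split()
        if len(tok) < 2:
            continue
        blocked = tok[0] in BLOCK_TYPES
        prefix = tok[1] if blocked else tok[0]
        if prefix == "default":
            prefix = "0.0.0.0/0" if family == 4 else "::/0"
        try:
            net = ipaddress.ip_network(prefix, strict=False)
        except ValueError:
            continue  # not a route line
        m = re.search(r"\bdev (\S+)", line)
        routes.append((net, None if blocked or not m else m.group(1)))
    return routes

def egress(routes, dest):
    """Longest-prefix match: interface that would carry traffic to dest."""
    addr = ipaddress.ip_address(dest)
    hits = [(net.prefixlen, dev) for net, dev in routes if addr in net]
    return max(hits, key=lambda h: h[0])[1] if hits else None

def ipv6_leaks(v4_text, v6_text, tunnel="tun0"):
    """True when IPv4 is tunnelled but IPv6 has a route outside the tunnel."""
    v4_dev = egress(parse_routes(v4_text, 4), "198.51.100.1")
    v6_dev = egress(parse_routes(v6_text, 6), "2001:db8:ffff::1")
    return v4_dev == tunnel and v6_dev not in (None, tunnel)
```

The check covers routing only; it ignores route metrics and does not examine which DNS resolver the client uses.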

Researchers attempted two of the kinds of attacks that might be used to gather user data – ‘passive monitoring’, simply collecting the unencrypted information that passed through the access point; and DNS hijacking, redirecting browsers to a controlled web server by pretending to be commonly visited websites like Google and Facebook.

The study also examined the security of various mobile platforms when using VPNs and found that they were much more secure when using Apple’s iOS, but were still vulnerable to leakage when using Google’s Android.

Dr Gareth Tyson, a lecturer from QMUL and co-author of the study, said:

“There are a variety of reasons why someone might want to hide their identity online and it’s worrying that they might be vulnerable despite using a service that is specifically designed to protect them.

“We’re most concerned for those people trying to protect their browsing from oppressive regimes. They could be emboldened by their supposed anonymity while actually revealing all their data and online activity and exposing themselves to possible repercussions.”

References: http://phys.org/

New capability takes sensor fabrication to a new level

Operators must continually monitor conditions in power plants to assure they are operating safely and efficiently. Researchers on the Sensors and Controls Team at DOE’s National Energy Technology Laboratory can now fabricate prototype optical sensors that demonstrate superior properties in comparison to traditional sensors using a new laser-heated pedestal growth (LHPG) system. According to NETL researcher Michael Buric, “The new sensors have broader functional temperature ranges, increased durability, and reduced cost. Sensors produced using LHPG will be capable of operating in the high temperature and harsh environments associated with advanced power systems.”

LHPG is a crystal growth technique that reforms bulk high temperature-resistant materials, such as sapphire or YSZ (yttrium stabilized zirconium), into single-crystal optical fibers. The technique produces optical fibers with very high melting temperatures for use as sensor substrates. The LHPG system enables researchers to precisely control crystal growth, and to incorporate novel sensor materials with fiber-substrates during the growth process. The ability to control fabrication parameters along with high temperature-resistant materials generates optical fiber sensors with improved measurement sensitivity and durability. The optical fibers developed at the new facility will be incorporated into fiber sensor assemblies and evaluated for functionality under high temperature and pressure conditions. The materials that demonstrate the most promising performance characteristics will be further evaluated in various sensing configurations.

Optical fiber-based sensors offer distinct advantages including broadband wavelength and compatibility, and resistance to electromagnetic interference. They also eliminate electrical wires and contacts, which are commonly associated with sensor failure. Additionally, fiber optic sensors are compatible with embedded, remote, and distributed sensing technologies.

Innovative process control systems capable of functioning in the extreme environments of conventional and future fossil fuel-based power generation systems will play a key role in improving efficiency while reducing carbon dioxide (CO2) emissions.

Advanced sensor materials will enable continued use of our coal resources to improve U.S. economic competitiveness while providing global environmental benefits through reduced greenhouse gas emissions. The sensors developed using LHPG could also be applied to process monitoring and control for other energy systems, including solid oxide fuel cells, gas turbines, boilers, and oxy-fuel combustion. Other research at NETL is expanding the application of fiber optic-based sensors for use in subsurface monitoring including unconventional, deep, and ultra-deepwater oil and gas resource recovery and CO2 storage.

References: http://phys.org/

Smart phones spot tired drivers

An electronic accelerometer of the kind found in most smart phones, which lets the device determine its orientation and respond to movement, could also be used to save lives on our roads, according to research to be published in the International Journal of Vehicle Safety.

Samuel Lawoyin, Ding-Yu Fei and Ou Bai of Virginia Commonwealth University, in Richmond, Virginia, USA and Xin Liu of Harbin Institute of Technology, Harbin, China, have shown how an accelerometer can accurately detect when a driver is becoming drowsy, 8 times out of ten. Used in combination with other detection methods, the system could be used to significantly reduce the number of accidents caused by driver fatigue among commercial and long-distance drivers and others.

The team reports that each year there are thousands of avoidable accidents that take place on our roads because of driver fatigue, with an estimated 76000 injuries and 1200 deaths in the USA alone. Some observers suggest that driver drowsiness on long journeys is just as hazardous as alcohol consumption. Technology that can monitor deviations in the movement of the vehicle’s steering wheel when the driver begins to nod off is prohibitively expensive and difficult to implement. Likewise, monitoring systems that measure either the electrical activity in the driver’s heart or brain have their own problems while eyelid monitoring is also difficult to implement in a real-world driving scenario.

However, microelectronic accelerometers are a widely available device found in smart phones and other gadgets that can detect movement, and so the researchers suggest they might be used to construct a simple, wearable device for a driving hat, headband, or attachment for spectacles or sunglasses that would trigger an alarm when the driver’s head movements indicate that they are becoming drowsy. It might even be possible to exploit the accelerometer in the driver’s phone for the same application. In the current tests, however, the team has used an accelerometer unobtrusively attached to the steering wheel itself to provide a simple means of detecting the kind of unusual steering adjustments that are commonly seen being made by drowsy drivers as they slip in and out of full wakefulness.

“Because the number of highway fatalities due to drowsy driving continues to show consistently high annual figures year after year, the necessity for a practical and inexpensive means of drowsy driving monitoring is becoming especially apparent,” the team concludes. “This study shows that the implementation of an accelerometer-based method for drowsy driving detection will be effective and yield high accuracy classifications of a driver’s drowsy state which has the potential to save lives.”

References: http://phys.org/

System fixes bugs by importing functionality from other programs—without access to source code

At the Association for Computing Machinery’s Programming Language Design and Implementation conference this month, MIT researchers presented a new system that repairs dangerous software bugs by automatically importing functionality from other, more secure applications.

Remarkably, the system, dubbed CodePhage, doesn’t require access to the source code of the applications whose functionality it’s borrowing. Instead, it analyzes the applications’ execution and characterizes the types of security checks they perform. As a consequence, it can import checks from applications written in programming languages other than the one in which the program it’s repairing was written.

Once it’s imported code into a vulnerable application, CodePhage can provide a further layer of analysis that guarantees that the bug has been repaired.

“We have tons of source code available in open-source repositories, millions of projects, and a lot of these projects implement similar specifications,” says Stelios Sidiroglou-Douskos, a research scientist at MIT’s Computer Science and Artificial Intelligence Laboratory (CSAIL) who led the development of CodePhage. “Even though that might not be the core functionality of the program, they frequently have subcomponents that share functionality across a large number of projects.”

With CodePhage, he says, “over time, what you’d be doing is building this hybrid system that takes the best components from all these implementations.”

Sidiroglou-Douskos and his coauthors—MIT professor of computer science and engineering Martin Rinard, graduate student Fan Long, and Eric Lahtinen, a researcher in Rinard’s group—refer to the program CodePhage is repairing as the “recipient” and the program whose functionality it’s borrowing as the “donor.” To begin its analysis, CodePhage requires two sample inputs: one that causes the recipient to crash and one that doesn’t. A bug-locating program that the same group reported in March, dubbed DIODE, generates crash-inducing inputs automatically. But a user may simply have found that trying to open a particular file caused a crash.

Carrying the past

First, CodePhage feeds the “safe” input—the one that doesn’t induce crashes—to the donor. It then tracks the sequence of operations the donor executes and records them using a symbolic expression, a string of symbols that describes the logical constraints the operations impose.

At some point, for instance, the donor may check to see whether the size of the input is below some threshold. If it is, CodePhage will add a term to its growing symbolic expression that represents the condition of being below that threshold. It doesn’t record the actual size of the file—just the constraint imposed by the check.

Next, CodePhage feeds the donor the crash-inducing input. Again, it builds up a symbolic expression that represents the operations the donor performs. When the new symbolic expression diverges from the old one, however, CodePhage interrupts the process. The divergence represents a constraint that the safe input met and the crash-inducing input does not. As such, it could be a security check missing from the recipient.

CodePhage then analyzes the recipient to find locations at which the input meets most, but not quite all, of the constraints described by the new symbolic expression. The recipient may perform different operations in a different order than the donor does, and it may store data in different forms. But the symbolic expression describes the state of the data after it’s been processed, not the processing itself.

At each of the locations it identifies, CodePhage can dispense with most of the constraints described by the symbolic expression—the constraints that the recipient, too, imposes. Starting with the first location, it translates the few constraints that remain into the language of the recipient and inserts them into the source code. Then it runs the recipient again, using the crash-inducing input.

If the program holds up, the new code has solved the problem. If it doesn’t, CodePhage moves on to the next candidate location in the recipient. If the program is still crashing, even after CodePhage has tried repairs at all the candidate locations, it returns to the donor program and continues building up its symbolic expression, until it arrives at another point of divergence.
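The donor-tracing and check-transfer loop described above, reduced to a toy model (an added example, not CodePhage's code): programs are lists of named predicates rather than binaries, the "crash" is a Python `IndexError` caused by a simulated 16-bit size truncation, and the image-header fields `magic`, `w` and `h` are assumptions made for illustration. It covers one divergence and one insertion point only.

```python
# Donor modelled as ordered checks: (symbolic constraint, predicate on input).
DONOR = [
    ("magic == 'IMG'", lambda i: i["magic"] == "IMG"),
    ("w > 0 and h > 0", lambda i: i["w"] > 0 and i["h"] > 0),
    ("w * h <= 0xFFFF", lambda i: i["w"] * i["h"] <= 0xFFFF),
]
SAFE = {"magic": "IMG", "w": 4, "h": 4}            # constructed inputs
CRASH = {"magic": "IMG", "w": 0x1000, "h": 0x11}   # w*h wraps past 16 bits

def trace(program, inp):
    """Record the path as (constraint, outcome) until a check rejects."""
    path = []
    for expr, pred in program:
        path.append((expr, pred(inp)))
        if not path[-1][1]:
            break
    return path

def divergence(safe_path, crash_path):
    """First constraint the safe input met and the crashing input did not."""
    for (expr, s_ok), (_, c_ok) in zip(safe_path, crash_path):
        if s_ok and not c_ok:
            return expr
    return None

def recipient(inp, checks):
    """Toy recipient: size truncated to 16 bits, then an out-of-bounds write."""
    if not all(pred(inp) for _, pred in checks):
        return "rejected"
    buf = bytearray((inp["w"] * inp["h"]) & 0xFFFF)
    try:
        buf[inp["w"] * inp["h"] - 1] = 0
    except IndexError:                 # stands in for the memory-safety crash
        return "crash"
    return "ok"

def repair(donor, recipient_checks, safe, crash):
    """Import the diverging donor check the recipient lacks, then validate."""
    missing = divergence(trace(donor, safe), trace(donor, crash))
    if missing is None or missing in {e for e, _ in recipient_checks}:
        return None
    patched = recipient_checks + [c for c in donor if c[0] == missing]
    if recipient(safe, patched) == "ok" and recipient(crash, patched) == "rejected":
        return patched
    return None
```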

Automated future

The researchers tested CodePhage on seven common open-source programs in which DIODE had found bugs, importing repairs from between two and four donors for each. In all instances, CodePhage was able to patch up the vulnerable code, and it generally took between two and 10 minutes per repair.

As the researchers explain, in modern commercial software, security checks can take up 80 percent of the code—or even more. One of their hopes is that future versions of CodePhage could drastically reduce the time that software developers spend on grunt work, by automating those checks’ insertion.

“The longer-term vision is that you never have to write a piece of code that somebody else has written before,” Rinard says. “The system finds that piece of code and automatically puts it together with whatever pieces of code you need to make your program work.”

“The technique of borrowing code from another program that has similar functionality, and being able to take a program that essentially is broken and fix it in that manner, is a pretty cool result,” says Emery Berger, a professor of computer science at the University of Massachusetts at Amherst. “To be honest, I was surprised that it worked at all.”

“The donor program was not written by the same people,” Berger explains. “They have different coding standards; they name variables differently; they use all kinds of different variables; the variables could be local; or they could be higher up in the stack. And CodePhage is able to identify these connections and say, ‘These variables correlate to these variables.’ Speaking in terms of organ donation, it transforms that code to make it a perfect graft, as if it had been written that way in the beginning. The fact that it works as well as it does is surprising—and cool.”

References: http://phys.org/