This paper is by Alireza Sadeghi of the University of California, Irvine, and was published at ICSE '18.
Abstract: Permission-induced attacks, i.e., security breaches enabled by permission misuse, are among the most critical and frequent issues threatening the security of Android devices. By ignoring the temporal aspects of an attack during the analysis and enforcement, the state-of-the-art approaches aimed at protecting the users against such attacks are prone to have low-coverage in detection and high-disruption in prevention of permission-induced attacks. To address these shortcomings, we present Terminator, a temporal permission analysis and enforcement framework for Android. Leveraging temporal logic model checking, Terminator's analyzer identifies permission-induced threats with respect to dynamic permission states of the apps. At runtime, Terminator's enforcer selectively leases (i.e., temporarily grants) permissions to apps when the system is in a safe state, and revokes the permissions when the system moves to an unsafe state realizing the identified threats. The results of our experiments, conducted over thousands of apps, indicate that Terminator is able to provide an effective, yet non-disruptive defense against permission-induced attacks. We also show that our approach, which does not require modification to the Android framework or apps' implementation logic, is highly reliable and widely applicable.
Kata Container
Installation
```bash
$ bash -c "$(curl -fsSL https://raw.githubusercontent.com/kata-containers/kata-containers/main/utils/kata-manager.sh) -o"
$ sudo ctr image pull dockerpull.com/library/busybox:latest
$ sudo ctr run --snapshotter devmapper --cni --runtime io.containerd.run.kata-fc.v2 -t --rm dockerpull.com/library/busybox:latest hello sh
```
https://github.com/containerd/containerd/blob/main/docs/cri/config.md
https://kubernetes.io/docs/setup/production-environment/container-runtimes/#containerd
```bash
#!/bin/bash
# Creates a loopback-backed device-mapper thin-pool for the containerd
# devmapper snapshotter and prints the matching config.toml fragment.
set -ex

DATA_DIR=/var/lib/containerd/io.containerd.snapshotter.v1.devmapper
POOL_NAME=containerd-pool

# The directory lives under /var/lib, so it needs root like the steps below
sudo mkdir -p "${DATA_DIR}"

# Create data file
sudo touch "${DATA_DIR}/data"
sudo truncate -s 50G "${DATA_DIR}/data"

# Create metadata file
sudo touch "${DATA_DIR}/meta"
sudo truncate -s 20G "${DATA_DIR}/meta"

# Allocate loop devices
DATA_DEV=$(sudo losetup --find --show "${DATA_DIR}/data")
META_DEV=$(sudo losetup --find --show "${DATA_DIR}/meta")

# Define thin-pool parameters.
# See https://www.kernel.org/doc/Documentation/device-mapper/thin-provisioning.txt for details.
SECTOR_SIZE=512
DATA_SIZE="$(sudo blockdev --getsize64 -q "${DATA_DEV}")"
LENGTH_IN_SECTORS=$(bc <<< "${DATA_SIZE}/${SECTOR_SIZE}")
DATA_BLOCK_SIZE=128
LOW_WATER_MARK=32768

# Create a thin-pool device
sudo dmsetup create "${POOL_NAME}" \
    --table "0 ${LENGTH_IN_SECTORS} thin-pool ${META_DEV} ${DATA_DEV} ${DATA_BLOCK_SIZE} ${LOW_WATER_MARK}"

# Print the snapshotter configuration with the values used above
cat << EOF
#
# Add this to your config.toml configuration file and restart containerd daemon
#
[plugins]
  [plugins.devmapper]
    pool_name = "${POOL_NAME}"
    root_path = "${DATA_DIR}"
    base_image_size = "20GB"
EOF
```
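Before running the script above as root, the table it hands to `dmsetup create` can be checked without touching any device. The following is an added example, not part of the original page or of the containerd documentation; the function names and the `/dev/loopN` paths are made up for illustration, and the low-water-mark comparison is a sanity check chosen here rather than a kernel requirement.

```shell
#!/bin/sh
# Added example: dry-run validation of the thin-pool table passed to
# `dmsetup create`. Runs unprivileged and touches no device.
SECTOR_SIZE=512   # dmsetup tables are expressed in 512-byte sectors

# thin_pool_table DATA_BYTES META_DEV DATA_DEV BLOCK_SECTORS LOW_WATER_BLOCKS
# Prints the table line, or a reason on stderr with a non-zero status.
# The body is a subshell, so `exit` only leaves the function.
thin_pool_table() (
    data_bytes=$1; meta_dev=$2; data_dev=$3; block=$4; low_water=$5
    for n in "$data_bytes" "$block" "$low_water"; do
        case $n in
            ''|*[!0-9]*) echo "not a non-negative integer: '$n'" >&2; exit 1 ;;
        esac
    done
    # Kernel rule: data_block_size is 128..2097152 sectors (64 KiB..1 GiB)
    # and a multiple of 128.
    if [ "$block" -lt 128 ] || [ "$block" -gt 2097152 ] \
        || [ $((block % 128)) -ne 0 ]; then
        echo "invalid data block size: $block sectors" >&2; exit 1
    fi
    if [ $((data_bytes % SECTOR_SIZE)) -ne 0 ]; then
        echo "data size is not a whole number of sectors" >&2; exit 1
    fi
    length=$((data_bytes / SECTOR_SIZE))
    # Sanity check chosen for this example (not a kernel rule): the low water
    # mark is counted in data blocks; at or above the pool's block count it
    # is useless as an early warning of the pool filling up.
    if [ "$low_water" -ge $((length / block)) ]; then
        echo "low water mark $low_water >= pool size in blocks" >&2; exit 1
    fi
    echo "0 $length thin-pool $meta_dev $data_dev $block $low_water"
)

# low_water_bytes BLOCK_SECTORS LOW_WATER_BLOCKS
# Free space, in bytes, below which the pool raises its dm event.
low_water_bytes() {
    echo $(($2 * $1 * SECTOR_SIZE))
}

# The page's values: 50G data file, block size 128, low water mark 32768.
# /dev/loop0 and /dev/loop1 are constructed stand-ins for losetup's output.
thin_pool_table $((50 * 1024 * 1024 * 1024)) /dev/loop1 /dev/loop0 128 32768
echo "low-space event below $(low_water_bytes 128 32768) bytes free"
```

With the page's parameters the pool is 819200 blocks of 64 KiB, and the low-space event is raised once less than 2 GiB remains free.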
Keypoints:
- Sparse definition from the optimizer's view
- Better communication algorithm with sparse data
- Overlap intra/inter-node communication with in-network computing
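Let the PCIe bandwidth be $a$, the RDMA NIC bandwidth be $b$, and the NVLink bandwidth be $c$, and let the offloaded portion be a fraction $x$ ($0 \le x \le 1$) of the original total parameter volume. The optimization objective is:

$$CostTime = \max\left(\frac{1-x}{b} + \frac{1}{b},\ \max\left(\frac{x}{a}+\frac{1-x}{a}+\frac{1}{a},\ \frac{x}{c} + \frac{1}{c}\right)\right) = \max\left(\frac{2 - x}{b},\ \frac{2}{a}\right)$$

Solving gives

$$x = 2\left(1 - \frac{b}{a}\right)$$

which requires $a \le 2b$.

Substituting back gives

$$CostTime_{min} = \frac{2}{a}$$

The original time is

$$CostTime_{ori} = \frac{2}{b}$$

so the improvement ratio is

$$rate = \frac{CostTime_{ori} - CostTime_{min}}{CostTime_{ori}} = 1 - \frac{b}{a}$$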
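A summary of the latest-version disease data from Baidu Tieba user tonyhe0215:
With General Practice (+16%, level-5 diagnosis), X-ray (+50%, level-0 diagnosis), DNA (+54%, level-1 diagnosis), Fluid Analysis (52%, level-4 diagnosis) and General Diagnosis (+67%, level-1 diagnosis) equipped, every disease except 无意识喷发 (88.46%) and 鬼畜腰 (82.43%) reaches 100% diagnostic accuracy without a repeat visit.
When DNA is equipped with level-4 diagnosis, 无意识喷发 is guaranteed to reach 100%. The General Diagnosis room can therefore be placed next to General Practice, so that 鬼畜腰 patients get back to General Practice for their repeat visit as quickly as possible.
The General Practice doctor has the General Practice skill maxed at level 5, and the room has 18 medicine cabinets. The MRI room has 19 holographic projectors and a level-3 machine; the DNA room has 12 holographic projectors and a level-3 machine. The doctors in these two rooms have 1 MRI skill, 1 DNA skill, 1 examination skill, 1 work-motivation skill, and 1 stamina or emotional-intelligence skill.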