Abstract: Software fault isolation methods using byte-granularity memory protection are described. In an embodiment, untrusted drivers or other extensions to a software system are run in a separate domain from the host portion of the software system, but share the same address space as the host portion. Calls between domains are mediated using an interposition library and access control data is maintained for substantially each byte of relevant virtual address space. Instrumentation added to the untrusted extension at compile-time, before load-time, or at runtime and added by the interposition library enforces the isolation between domains, for example by adding access right checks before any writes or indirect calls and by redirecting function calls to call wrappers in the interposition library. The instrumentation also updates the access control data to grant and revoke access rights on a fine granularity according to the semantics of the operation being invoked.

Abstract: To reduce the dependency of overlay networks on underlay networks to route messages, a virtual ring routing architecture may be formed that leverages the design of the overlay network to achieve their desirable scaling and robustness properties but also reduce the dependency on any underlay network to setup and maintain connectivity. More particularly, each node may have a single, fixed, location independent node identifier, to organize the nodes into a virtual ring. The connectivity between nodes through the actual network topology may be formed by a plurality of nodes in the virtual ring by maintaining connectivity to those nodes identified as virtual neighbor nodes within the virtual ring. The path segments defining communication connections between virtual neighbor nodes may be used to route messages between any pair of nodes in the network and may reduce route discovery overhead, reduce delay in transmission, and reduce or eliminate flooding to setup or maintain the path segments.

Abstract: The invention relates to the production of bioactive products that are derived from milk proteins for the production of bioactive milk products derived from milk proteins, particularly caseins. The 16 inventive peptides can be obtained chemically, biotechnologically or by means of enzymatic treatment from proteins containing same and give rise to peptides with an antimicrobial activity, an in vitro angiotensin converter inhibitor activity and/or antihypertensive activity and/or antioxidant activity. Said nutraceutical products are suitable for use in the food and pharmaceutical industries, both in the form of a hydrolyzate or bioactive peptides.

Abstract: A containment system may include a protection system which may protect the computing device from future attacks. For example, a patch may be automatically generated which resolves a detected vulnerability in a program. IN another example, a filter may be automatically generated which filters actions and/or messages which take advantage of a detected vulnerability in a program.

Abstract: A containment system may include generating and/or sending an alert as the basis for safely sharing knowledge about detected worms. An alert may contain information that proves that a given program has a vulnerability. The alert may be self-certifying such that its authenticity may be independently verified by a computing system.

Abstract: The majority of such software attacks exploit software vulnerabilities or flaws to write data to unintended locations. For example, control-data attacks exploit buffer overflows or other vulnerabilities to overwrite a return address in the stack, a function pointer, or some other piece of control data. Non-control-data attacks exploit similar vulnerabilities to overwrite security critical data without subverting the intended control flow in the program. We describe a method for securing software against both control-data and non-control-data attacks. A static analysis is carried out to determine data flow information for a software program. Data-flow tracking instructions are formed in order to track data flow during execution or emulation of that software. Also, checking instructions are formed to check the tracked data flow against the static analysis results and thereby identify potential attacks or errors. Optional optimisations are described to reduce the resulting additional overheads.

Abstract: One aspect of the invention is a vulnerability detection mechanism that can detect a large class of attacks through dynamic dataflow analysis. Another aspect of the invention includes self-certifying alerts as the basis for safely sharing knowledge about worms. Another aspect of the invention is a resilient and self-organizing protocol to propagate alerts to all non-infected nodes in a timely fashion, even when under active attack during a worm outbreak. Another aspect of the invention is a system architecture that enables a large number of mutually untrusting computers to collaborate in the task of stopping a previously unknown worm, even when the worm is spreading rapidly and exploiting unknown vulnerabilities in popular software packages.

Abstract: Methods of detecting memory errors using write integrity testing are described. In an embodiment, additional analysis is performed when a program is compiled. This analysis identifies a set of objects which can be written by each instruction in the program. Additional code is then inserted into the program so that, at runtime, the program checks before performing a write instruction that the particular object being written is one of the set of objects that it is allowed to write. The inserted code causes an exception to be raised if this check fails and allows the write to proceed if the check is successful. In a further embodiment, code may also be inserted to perform checks before indirect control-flow transfer instructions, to ensure that those instructions cannot transfer control to locations different from those intended.

Abstract: Methods and apparatus for generating error reports with enhanced privacy are described. In an embodiment the error is triggered by an input to a software program. An error report is generated by identifying conditions on an input to the program which ensure that, for any input which satisfies the conditions, the software program will follow the same execution path such that the error can be reproduced. The error report may include these conditions or may include a new input generated using the conditions.

Abstract: Methods and architectures for automatic filter generation are described. In an embodiment, these filters are generated in order to block inputs which would otherwise disrupt the normal functioning of a program. An initial set of filter conditions is generated by analyzing the path of a program from a point at which a bad input is received to the point at which the malfunctioning of the program is detected and creating conditions on an input which ensure that this path is followed. Having generated the initial set of filter conditions, the set is made less specific by determining which instructions do not influence whether the point of detection of the attack is reached and removing the filter conditions which correspond to these instructions.

Abstract: An exercise apparatus comprising at least one glove, at least one sphere and an adhering means that adheres the glove to the sphere. The glove comprises a central panel comprising finger engaging portions and a thumb hole, a plurality of straps extending from either side of the central panel are adapted to be attached together across the back of the hand for securing the glove, and an elevated pad on the central panel disposed in a way to contact the sphere and elevate the hand when performing exercises.

Abstract: A spherical exercise apparatus including two flexible inflatable hemispherical members that can be inflated with fluid or air and attached together to form a spherical object. The flat bases of the hemispherical member are made to adjoin with means to attach them, permitting a user to perform exercises on the spherical object, or each hemispherical member. The hemispherical members include gripping and anti-slip features on their round surfaces. The apparatus further includes a plate-like member that acts as a base for the hemispherical members when used individually. Alternately, each hemispherical member can include a permanently attached base member attached to its flat surface, wherein the base members include a means to attach the hemispherical members.

Abstract: A hydrocyclone which includes a main body having a chamber therein, the chamber including an inlet section, and a separating section, the separating section having an inner side wall which tapers inwardly away from the inlet section, the hydrocyclone further including a feed inlet feeding a particle bearing slurry mixture into the inlet section of the chamber, an overflow outlet at one end of the chamber adjacent the inlet section thereof, and an underflow outlet at the other end of the chamber remote from the inlet section of the chamber. The hydrocyclone further includes an overflow outlet control chamber adjacent the inlet section of the chamber of the hydrocyclone and in communication therewith via the overflow outlet, the overflow outlet control chamber including a tangentially located discharge outlet and a centrally located air core stabilising orifice which is remote from the overflow outlet.

Abstract: A containment system may include generating and/or sending an alert as the basis for safely sharing knowledge about detected worms. An alert may contain information that proves that a given program has a vulnerability. The alert may be self-certifying such that its authenticity may be independently verified by a computing system.

Abstract: To reduce the dependency of overlay networks on underlay networks to route messages, a virtual ring routing architecture may be formed that leverages the design of the overlay network to achieve their desirable scaling and robustness properties but also reduce the dependency on any underlay network to setup and maintain connectivity. More particularly, each node may have a single, fixed, location independent node identifier, to organize the nodes into a virtual ring. The connectivity between nodes through the actual network topology may be formed by a plurality of nodes in the virtual ring by maintaining connectivity to those nodes identified as virtual neighbor nodes within the virtual ring. The path segments defining communication connections between virtual neighbor nodes may be used to route messages between any pair of nodes in the network and may reduce route discovery overhead, reduce delay in transmission, and reduce or eliminate flooding to setup or maintain the path segments.

Abstract: A containment system may include a protection system which may protect the computing device from future attacks. For example, a patch may be automatically generated which resolves a detected vulnerability in a program. IN another example, a filter may be automatically generated which filters actions and/or messages which take advantage of a detected vulnerability in a program.

Abstract: One aspect of the invention is a vulnerability detection mechanism that can detect a large class of attacks through dynamic dataflow analysis. Another aspect of the invention includes self-certifying alerts as the basis for safely sharing knowledge about worms. Another aspect of the invention is a resilient and self-organizing protocol to propagate alerts to all non-infected nodes in a timely fashion, even when under active attack during a worm outbreak. Another aspect of the invention is a system architecture that enables a large number of mutually untrusting computers to collaborate in the task of stopping a previously unknown worm, even when the worm is spreading rapidly and exploiting unknown vulnerabilities in popular software packages.

Abstract: A new approach for asynchronous state-machine replication in a fault-tolerant system offers both integrity and high availability in the presence of Byzantine faults. The approach also improves the security of previous systems by recovering replicas proactively without necessarily identifying that they have failed or been attacked. This proactive recovery limits the time extent of a particular fault by regularly recovering replicas. In this way, the system works correctly even when all the replicas fail multiple times over the lifetime of the system, provided that less than ⅓ of the replicas are all faulty within a window of vulnerability.

Abstract: A passenger compartment cover for a convertible vehicle for screening out debris, sunlight glare, and insects from the users in the passenger compartment of a convertible vehicle. The passenger compartment cover for a convertible vehicle includes sheets of mesh material being securely attached to one another and being adapted to cover a passenger compartment of a convertible vehicle; and also includes pieces of mesh material being fastenable to the sheets of mesh material and forming windows therein; and further includes fastening members being attached to the sheets of mesh material and the pieces of mesh material for fastening the sheets of mesh material and the pieces of mesh material to the convertible vehicle.