Miguel Correia

To investigate the effects of percutaneous transluminal angioplasty on the vasa vasorum in dogs with experimentally created abdominal aortic stenoses. Two stenoses were created in the abdominal aorta in each of 21 dogs. After 6 weeks, the more cephalic stenosis was dilated; the other stenosis served as an untreated control. Groups of three dogs were killed at 24 hours, 3 and 6 weeks, and 4, 8, 12, and 18 months after angioplasty. The aortae were studied by means of histologic examination, microangiography, scanning electron microscopy, and the Spalteholz technique. At nondilated stenoses, the vasa vasorum was interrupted in the outer adventitia and unchanged in the outer media. At dilated stenoses, the number of precapillary arterioles in the outer media progressively increased up to 8 months; thereafter, the number of precapillary arterioles began to decrease. At 18 months, the number was normal. Angioplasty brings about changes in the number of precapillary arterioles in the outer media of the aorta in our canine model of focal abdominal aortic stenosis.

The paper presents a new reliable multicast protocol that tolerates arbitrary faults, including Byzantine faults. This protocol is developed using a novel way of designing secure protocols which is based on a well-founded hybrid failure model. Despite our claim of arbitrary failure resilience, the protocol need not necessarily incur the cost of "Byzantine agreement", in number of participants and round/message complexity. It can rely on the existence of a simple distributed security kernel-the TTCB-where the participants only execute crucial parts of the protocol operation, under the protection of a crash failure model. Otherwise, participants follow an arbitrary failure model. The TTCB provides only a few basic services, which allow our protocol to have an efficiency similar to that of accidental fault-tolerant protocols: for f faults, our protocol requires f+2 processes, instead of 3f+1 in Byzantine systems. Besides, the TTCB (which is synchronous) allows secure operation of timed protocols, despite the unpredictable time behavior of the environment (possibly due to attacks on timing assumptions).

The application of dependability concepts and techniques to the design of secure distributed systems is raising a considerable amount of interest in both communities under the designation of intrusion tolerance. However, practical intrusion-tolerant replicated systems based on the state machine approach (SMA) can handle at most f Byzantine components out of a total of n = 3f + 1, which is the maximum resilience in asynchronous systems. This paper extends the normal asynchronous system with a special distributed oracle called TTCB. Using this extended system we manage to implement an intrusion-tolerant service based on the SMA with only 2f + 1 replicas. Albeit a few other papers in the literature present intrusion-tolerant services with this approach, this is the first time the number of replicas is reduced from 3f + 1 to 2f + 1. Another interesting characteristic of the described service is a low time complexity.

This paper describes the design of a security kernel called TTCB, which has innovative features. Firstly, it is a distributed subsystem with its own secure network. Secondly, the TTCB is real-time, that is, a synchronous subsystem capable of timely behavior. These two characteristics together are uncommon in security kernels. Thirdly, the TTCB can be implemented using only COTS components. We discuss essentially three things in this paper: (1) The TTCB is a simple component providing a small set of basic secure services. It aims at building a new style of protocols to achieve intrusion tolerance, which for the most part execute in insecure, arbitrary failure environments, and resort to the TTCB only in crucial parts of their operation. (2) Besides, the TTCB is a synchronous device supplying functions that may be an enabler of a new generation of timed secure protocols, until now known to be fragile due to attacks on timing assumptions. (3) Finally, we present a design methodology that establishes our hybrid failure assumptions in a well-founded manner. It helps us to achieve a robust design, despite using exclusively COTS components, with the advantage of allowing the security kernel to be easily deployed on widely used platforms.