Publications

Silicon Geiger-mode avalanche photodiode arrays for photon-starved imaging

Published in:
SPIE, Vol. 9492, Advanced Photon Counting Techniques IX, 28 May 2015.

Summary

Geiger-mode avalanche photodiodes (GMAPDs) are capable of detecting single photons. They can be operated to directly trigger all-digital circuits, so that detection events are digitally counted or time stamped in each pixel. An imager based on an array of GMAPDs therefore has zero readout noise, enabling quantum-limited sensitivity for photon-starved imaging applications. In this review, we discuss devices developed for 3D imaging, wavefront sensing, and passive imaging.

Revised multifunction phased array radar (MPAR) network siting analysis

Published in:
MIT Lincoln Laboratory Report ATC-425

Summary

As part of the NextGen Surveillance and Weather Radar Capability (NSWRC) program, the Federal Aviation Administration (FAA) is currently developing the solution for aircraft and meteorological surveillance in the future National Airspace System (NAS). A potential solution is a multifunction phased array radar (MPAR) that would replace some or all of the single-purpose radar types used in the NAS today. One attractive aspect of MPAR is that the number of radars deployed would decrease, because redundancy in coverage by single-mission sensors would be reduced with a multifunction system. The lower radar count might then result in overall life cycle cost savings, but in order to estimate costs, a reliable estimate of the number of MPARs is needed. Thus this report addresses the question, "If today's weather and aircraft surveillance radars are replaced by a single class of multimission radars, how many would be needed to replicate the current air space coverage over the United States and its territories?" Various replacement scenarios must be considered, since it is not yet determined which of the organizations that own today's radars (the FAA, the National Weather Service (NWS), the different branches of the U.S. military) would join in an MPAR program. It updates a previous study using a revised set of legacy systems, including 81 additional military airbase radars. Six replacement scenarios were considered, depending on the radar mission categories. Scenario 1 would replace terminal radars only, i.e., the Airport Surveillance Radars (ASRs) and the Terminal Doppler Weather Radar (TDWR). Scenario 2 would include the Scenario 1 radars plus the long-range weather radar, commonly known as NEXRAD. Scenario 3 would add the long-range aircraft surveillance radars, i.e., the Air Route Surveillance Radars (ARSRs), to the Scenario 2 radars. 
To each of these three scenarios, we then add the military's Ground Position Navigation (GPN) airbase radars for Scenarios 1G, 2G, and 3G. We assumed that the new multimission radar would be available in two sizes--a full-size MPAR and a scaled-down terminal MPAR (TMPAR). Furthermore, we assumed that the new radar antennas would have four sides that could be populated by one, two, three, or four phased array faces, such that the azimuthal coverage provided could be scaled from 90 degrees to 360 degrees. Radars in the 50 United States, Guam, Puerto Rico, U.S. Virgin Islands, Guantanamo Bay (Cuba), and Kwajalein (Marshall Islands) were included in the study.

Missing the point(er): on the effectiveness of code pointer integrity

Summary

Memory corruption attacks continue to be a major vector of attack for compromising modern systems. Numerous defenses have been proposed against memory corruption attacks, but they all have their limitations and weaknesses. Stronger defenses such as complete memory safety for legacy languages (C/C++) incur a large overhead, while weaker ones such as practical control flow integrity have been shown to be ineffective. A recent technique called code pointer integrity (CPI) promises to balance security and performance by focusing memory safety on code pointers thus preventing most control-hijacking attacks while maintaining low overhead. CPI protects access to code pointers by storing them in a safe region that is protected by instruction level isolation. On x86-32, this isolation is enforced by hardware; on x86-64 and ARM, isolation is enforced by information hiding. We show that, for architectures that do not support segmentation in which CPI relies on information hiding, CPI's safe region can be leaked and then maliciously modified by using data pointer overwrites. We implement a proof-of-concept exploit against Nginx and successfully bypass CPI implementations that rely on information hiding in 6 seconds with 13 observed crashes. We also present an attack that generates no crashes and is able to bypass CPI in 98 hours. Our attack demonstrates the importance of adequately protecting secrets in security mechanisms and the dangers of relying on difficulty of guessing without guaranteeing the absence of memory leaks.

Simultaneous transmit and receive (STAR) system architecture using multiple analog cancellation layers

Published in:
2015 IEEE MTT-S Int. Microwave Symp. (IMS 2015) 17-22 May 2015.

Summary

Simultaneous Transmit and Receive operation requires a high amount of transmit-to-receive isolation in order to avoid self-interference. This isolation is best achieved by utilizing multiple cancellation techniques. The combination of adaptive multiple-input multiple-output spatial cancellation with a high-isolation antenna and RF canceller produces a novel system architecture that focuses on cancellation in the analog domain before the receiver's low-noise amplifier. A prototype of this system has been implemented on a moving vehicle, and measurements have proven that this design is capable of providing more than 90 dB of total isolation in realistic multipath environments over a 30 MHz bandwidth centered at 2.45 GHz. Index Terms: Adaptive systems, full-duplex wireless communication, interference cancellation, multiaccess communication, simultaneous transmit and receive, STAR.

Repeatable reverse engineering for the greater good with PANDA

Published in:
37th Int. Conf. on Software Engineering, 16 May 2015.

Summary

We present PANDA, an open-source tool that has been purpose-built to support whole system reverse engineering. It is built upon the QEMU whole system emulator, and so analyses have access to all code executing in the guest and all data. PANDA adds the ability to record and replay executions, enabling iterative, deep, whole system analyses. Further, the replay log files are compact and shareable, allowing for repeatable experiments. A nine billion instruction boot of FreeBSD, e.g., is represented by only a few hundred MB. Further, PANDA leverages QEMU's support of thirteen different CPU architectures to make analyses of those diverse instruction sets possible within the LLVM IR. In this way, PANDA can have a single dynamic taint analysis, for example, that precisely supports many CPUs. PANDA analyses are written in a simple plugin architecture which includes a mechanism to share functionality between plugins, increasing analysis code re-use and simplifying complex analysis development. We demonstrate PANDA's effectiveness via a number of use cases, including enabling an old but legitimate version of Starcraft to run despite a lost CD key, in-depth diagnosis of an Internet Explorer crash, and uncovering the censorship activities and mechanisms of a Chinese IM client.

Coherent beam-combining of quantum cascade amplifier arrays

Summary

We present design, packaging and coherent beam combining of quantum cascade amplifier (QCA) arrays, measurements of QCA phase noise, the drive-current-to-optical-phase transfer function, and the small signal gain for QCAs.

Unifying leakage classes: simulatable leakage and pseudoentropy

Published in:
8th Int. Conf. Information-Theoretic Security (ICITS 2015), 2-5 May 2015 in Lecture Notes in Computer Science (LNCS), Vol. 9063, 2015, pp. 69-86.

Summary

Leakage resilient cryptography designs systems to withstand partial adversary knowledge of secret state. Ideally, leakage-resilient systems withstand current and future attacks, restoring confidence in the security of implemented cryptographic systems. Understanding the relation between classes of leakage functions is an important aspect. In this work, we consider the memory leakage model, where the leakage class contains functions over the system's entire secret state. Standard limitations include functions with bounded output length, functions that retain (pseudo) entropy in the secret, and functions that leave the secret computationally unpredictable. Standaert, Pereira, and Yu (Crypto, 2013) introduced a new class of leakage functions they call simulatable leakage. A leakage function is simulatable if a simulator can produce indistinguishable leakage without access to the true secret state. We extend their notion to general applications and consider two versions. For weak simulatability, the simulated leakage must be indistinguishable from the true leakage in the presence of public information. For strong simulatability, this requirement must also hold when the distinguisher has access to the true secret state. We show the following:
--Weakly simulatable functions retain computational unpredictability.
--Strongly simulatable functions retain pseudoentropy.
--There are bounded length functions that are not weakly simulatable.
--There are weakly simulatable functions that remove pseudoentropy.
--There are leakage functions that retain computational unpredictability but are not weakly simulatable.

Model of turn-on characteristics of InP-based Geiger-mode avalanche photodiodes suitable for circuit simulations

Published in:
SPIE, Vol. 9492, Advanced Photon Counting Techniques IX, 28 May 2015.

Summary

A model for the turn-on characteristics of separate-absorber-multiplier InP-based Geiger-mode Avalanche Photodiodes (APDs) has been developed. Verilog-A was used to implement the model in a manner that can be incorporated into circuit simulations. Rather than using SPICE elements to mimic the voltage and current characteristics of the APD, Verilog-A can represent the first order nonlinear differential equations that govern the avalanche current of the APD. This continuous time representation is fundamentally different than the piecewise linear characteristics of other models. The model is based on a driving term for the differential current, which is given by the voltage overbias minus the voltage drop across the device's space-charge resistance RSC. This drop is primarily due to electrons transiting the separate absorber. RSC starts off high and decreases with time as the initial breakdown filament spreads laterally to fill the APD. With constant bias voltage, the initial current grows exponentially until space charge effects reduce the driving function. With increasing current the driving term eventually goes to zero and the APD current saturates. On the other hand, if the APD is biased with a capacitor, the driving term becomes negative as the capacitor discharges, reducing the current and driving the voltage below breakdown. The model parameters depend on device design and are obtained from fitting the model to Monte-Carlo turn-on simulations that include lateral spreading of the carriers of the relevant structure. The Monte-Carlo simulations also provide information on the probability of avalanche, and jitter due to where the photon is absorbed in the APD.

Deep neural network approaches to speaker and language recognition

Published in:
IEEE Signal Process. Lett., Vol. 22, No. 10, October 2015, pp. 1671-5.

Summary

The impressive gains in performance obtained using deep neural networks (DNNs) for automatic speech recognition (ASR) have motivated the application of DNNs to other speech technologies such as speaker recognition (SR) and language recognition (LR). Prior work has shown performance gains for separate SR and LR tasks using DNNs for direct classification or for feature extraction. In this work we present the application of a single DNN for both SR and LR using the 2013 Domain Adaptation Challenge speaker recognition (DAC13) and the NIST 2011 language recognition evaluation (LRE11) benchmarks. Using a single DNN trained for ASR on Switchboard data we demonstrate large gains in performance in both benchmarks: a 55% reduction in EER for the DAC13 out-of-domain condition and a 48% reduction in Cavg on the LRE11 30 s test condition. It is also shown that further gains are possible using score or feature fusion leading to the possibility of a single i-vector extractor producing state-of-the-art SR and LR performance.

Planted clique detection below the noise floor using low-rank sparse PCA

Published in:
Proc. IEEE Int. Conf. on Acoustics, Speech and Signal Processing, ICASSP, 19-24 April 2015.

Summary

Detection of clusters and communities in graphs is useful in a wide range of applications. In this paper we investigate the problem of detecting a clique embedded in a random graph. Recent results have demonstrated a sharp detectability threshold for a simple algorithm based on principal component analysis (PCA). Sparse PCA of the graph's modularity matrix can successfully discover clique locations where PCA-based detection methods fail. In this paper, we demonstrate that applying sparse PCA to low-rank approximations of the modularity matrix is a viable solution to the planted clique problem that enables detection of small planted cliques in graphs where running the standard semidefinite program for sparse PCA is not possible.