F-14+Tomcat+VF-31“Tomcatters”CAG+1998

Available online at STANDing strong,resistance proteins instigators of plant defence Ewa Lukasik and Frank LW TakkenResistance(R)proteins are involved in specific pathogenrecognition and subsequent initiation of host defence.Most R proteins are nucleotide binding–leucine rich repeat(NB–LRR)proteins,which form a subgroup within theSTAND(signal transduction ATPases with numerousdomains)family.Activity of these multi-domain proteinsdepends on their ability to bind and hydrolyse nucleotides.Since R protein activation often triggers cell-death tightregulation of activation is essential.Autoinhibition,whichseems to be accomplished by intramolecular interactionsbetween the various domains,is important to retain R proteinsinactive.This review summarizes recent data on intra-andintermolecular interactions that support a model in whichpathogen perception triggers a series of conformationalchanges,allowing the newly exposed NB domain to interactwith downstream signalling partners and activate defencesignalling.AddressesPlant Pathology,Swammerdam Institute for Life Sciences,University ofAmsterdam,PO Box94215,1090GE Amsterdam,The NetherlandsCorresponding author:Takken,Frank LW(f.l.w.takken@uva.nl)Current Opinion in Plant Biology2009,12:427–436This review comes from a themed issue onBiotic InteractionsEdited by Xinnian Dong and Regine KahmannAvailable online24th April20091369-5266/$–see front matter#2009Elsevier Ltd.All rights reserved.DOI10.1016/j.pbi.2009.03.001IntroductionThe long history of battle between pathogens andplants is evident by the sophisticated,multilayeredimmune system of plants[1].Thefirst line of theinnate defence system is based on recognition of con-served pathogen-derived molecules,called MAMPs(microbe-associated molecular patterns),by patternrecognition receptors(PRR).Specialized microbes,however,can evade or suppress this MAMP triggeredimmunity(MTI)by secretion of virulence factors,so-called effectors.A subset of these effectors,referred toas AVRs,can be perceived by resistance(R)proteinsthat trigger a second layer of host defence,referred to aseffector triggered immunity(ETI).Rapid ionfluxes,anoxidative burst,and transcriptional reprogramming areinduced during both MTI and ETI.Only with thelatter often also programmed cell death around theinfection site occurs,which is called the hypersensitiveresponse(HR).The complex relation between plant resistance andpathogen virulence through co-evolution was recentlydescribed as a‘zig-zag’model[1].An illustrativeexample of this zig-zag model is the interaction betweentomato and Fusarium oxysporum.The fungus requiresthe effector AVR3for full virulence,possibly to sup-press MTI.This effector,however,can be recognizedby the tomato R protein I-3that subsequently triggersETI.To counteract this defence response,it has beenhypothesized that the fungus evolved a second effector(AVR1)that suppresses these I-3mediated defences.To thwart the fungus the plant in turn evolved R proteinI-1that recognizes AVR1and activates host defencesonce more[2 ].Over40R genes have been cloned over the last twodecades and the majority belongs to the NB–LRR family,as they contain a nucleotide-binding domain(NB)fusedto a C-terminal leucine-rich repeat(LRR)domain(Figure1).The LRR domain is proposed to adopt anarc-shaped conformation,forming a protein-protein inter-action surface[3].The NB is part of a larger domain that iscalled the NB–ARC as it is shared between R proteinsand the human apoptotic protease-activating factor1(APAF-1)and its Caenorhabditis elegans homolog CED-4.As indicated in Figure1,many conserved motifs can bediscerned in the NB–ARC domain.Proteins carrying anNB–ARC domain belong to the STAND(signal trans-duction ATPases with numerous domains)family ofNTPases[4].Based on3D modelling,the NB–ARC of R proteins isproposed to contain three subdomains:the NB forming aP-loop NTPase fold,the ARC1consisting of a four-helixbundle and the ARC2adopting a winged-helix fold(reviewed in[5];Figure1).Most of the conserved motifsin the NB–ARC are present at the interface of these threedomains where they form the nucleotide-binding pocket(Figure1).The N-termini of NB–LRRs are structurallydiverse.Some carry a domain having homology to the tolland human interleukin-1receptor(TIR)domain andthese R proteins are called TIR-NB–LRRs or TNLs.Non-TIR NB–LRR members are referred to as CC–NB–LRRs or CNLs,because many of them contain a pre-dicted coiled coil region(CC),sometimes extended by aDNA binding domain such as a BEAF/DREAF zincfinger domain(BED)or by a solanaceous domain(SD)(reviewed in[6]).Some NB –LRR proteins have been shown to bind to their cognate AVRs directly,whereas others have been shown to interact indirectly through an intermediary host-factor [7].Such a host-factor could either represent a virulence target of the effector (guard model)[8]or a target mimic(decoy model)[9].In both models,modification of the host target by the effector triggers defence in resistant plants.However,only when the target is a guardee its manipulation by the effector enhances disease develop-ment in susceptible plants [9].Either way,defence428Biotic InteractionsFigure1Schematic representation of a typical NB –LRR protein.The (sub)domains are depicted as coloured boxes:CC/TIR domain (orange),NB (red),ARC1(purple),ARC2(blue)subdomains and LRR domain (green)whereas conserved motifs are marked as lines.Consensus of sequences is written next to name of the motif (according to [47]).Insert,predicted 3D structure of the NB –ARC domain of I-2modelled on the ADP-bound Apaf1(1z6t)template.Conserved motifs and N-and C-termini are marked.ADP and Mg atoms are depicted as balls and sticks (adopted from [35]).signalling is activated by the R protein after AVR recog-nition whereby the R protein acts as a molecular switch. Here,we will focus on changes in intra-and intermole-cular interactions of R proteins during their activation.As reversible,dynamic intramolecular interactions have been most intensively studied for the potato resistance protein Rx,we use this protein as a model.Based on Rx, we propose a mechanistic model for R protein activation that is then evaluated with data available for other R proteins and their interacting partners. Intramolecular interactions in NB–LRR R proteinsR protein activation often triggers a hypersensitive response(HR).To prevent damage due to spontaneous inappropriate activation,these proteins must be under tight negative control.This seems to be accomplished by intramolecular interactions between the various subdo-mains of the R protein.Pathogen perception is proposed to release this autoinhibition,enabling the conformation-al changes required to activate defence signalling. Intramolecular interactions in RxRx is a CNL that confers resistance to Potato Virus X by recognition of the viral coat protein(CP).The LRR domain of Rx confers negative regulation,as its deletion results in a weak auto-activation phenotype[10].How-ever,the LRR domain also provides positive control,as expression of just the N-terminal half of Rx containing auto-activation mutations in the NB–ARC domain does not induce a strong HR unless both halves are co-expressed[11,12 ].Domain swaps between Rx and its paralogue Gpa2revealed that pathogen recognition specificity is mainly mediated by the C-terminal part of the LRR.Furthermore,when C-and N-terminal parts of the LRR domain were combined with the ARC2 subdomain of its paralogue in swap constructs,HR was induced in the absence of a pathogen[12 ].Apparently, when incompatible domains are combined in one protein,autoinibition is diminished.Autoactivation also resulted from specific point mutations that map either in the NB,the ARC2or the N-terminal part of the LRR domain[10],indicating that these three subdomains are involved in autoinhibition and/or relaying pathogen recognition into signalling.Surprisingly,CP-dependent HR can be reconstituted when the CC domain is co-expressed in trans with the NB–ARC–LRR domain,or the LRR domain in trans with the CC–NB–ARC.The three Rx domains physi-cally interact,as shown by co-immunoprecipitation experiments[11],and the ARC1was identified as the main scaffolding domain for LRR binding[12 ].This physical interaction between LRR and CC–NB–ARC is disrupted in the presence of the CP,but remained unaffected by point mutations in the NB–ARC or LRR domain that resulted in autoactivation or loss-of-function[11,12 ].These observations imply that many residues scattered over the various domains may con-tribute to their intramolecular interaction and that CP perception might generate a more drastic conformational change than induced by autoactivating mutations.Nota-bly,the NB–ARC domain alone does not suffice for LRR binding and the CC is required for a stable interaction [12 ,13 ].Conversely,the CC also does not bind the NB–ARC unless the latter is fused to the LRR.This CC–NB–ARC–LRR interaction is disrupted by the CP.But unlike the CC–NB–ARC–LRR interaction,it is also diminished by autoactivation or loss-of-function mutations in the NB–ARC domain[11,13 ].Furthermore,this interaction can be abolished by single point mutations in the con-served‘EDVID’motif in the CC(Figure1),suggestive for a defined interaction interface.The EDVID motif is part of a larger region that is responsible for the inter-action with RanGAP2(Ran GTPase Activating Protein2) [13 ,14,15].Silencing RanGAP2suppresses Rx-mediated PVX resistance,showing that it is required for Rx function.RanGAPs is known to regulate the activity of the GTPase Ran that controls nucleo-cyto-plasmic trafficking[16].How RanGAP affects Rx activity has yet to be determined.A refined model for resistance protein activation based on RxCombining the current models on R protein function [5,17]with the recent data on Rx[13 ]allows us to propose a more refined model describing the interaction dynamics and specific functions of the individual subdomains in signalling.No nucleotide binding stu-dies have been reported for Rx specifically,but the highly conserved NB–ARC domain of NB–LRRs appears to function as a molecular switch wherein the ADP bound state represents the‘off’and the ATP the ‘on’state[5].In our updated model,the CC and LRR both bind the NB–ARC,thereby providing an interaction platform that mediates CP recognition at their interface(Figure2). Such a closed conformation of Rx would be stabilized by the N-terminal part of the LRR domain that negatively regulates R protein activity[10,11].Currently,it is unclear how Rx senses the CP,co-immunoprecipitation experiments aiming to show an interaction between CP and RanGAP2have been inconclusive[14,15].Never-theless,recognition of the CP releases autoinhibition conferred by the N-terminal part of the LRR allowing the NB–ARC domain to exchange ADP for ATP.ATP-binding by the NB–ARC abrogates its CC binding,which in turn affects the NB–ARC interaction with the C-terminal LRR domain.In this activated conformation the NB–ARC domain becomes exposed[11],allowing the protein to bind and activate downstream signallingNB-LRR activation Lukasik and Takken429partners.Possibly these functions are provided by the NB subdomain because it triggered HR in the absence of the CP [13 ].Apparently,overexpression of NB subdomain overrules the endogenous requirements needed for Rx to trigger defence signalling.In conclusion,in this model pathogen perception triggers a series of conformational changes,allowing the exposed NB domain to trigger defence signalling.Intramolecular interaction in other NB –LRR R proteinsIs the model proposed above also applicable to NB –LRR proteins other than Rx?Analogous to Rx,negative and/or positive regulatory functions for the LRR domain have been identified for RPS5,I-2,RPS2,RPS1A and Mi-1.2[18–21].Furthermore,genetic and molecular studies showed that,similar to Rx,recognition specificity is often provided by the LRR domain which is under diversifying selection and highly variable [3].For the L proteins of flax,that confer resistance to the rust fungus Melampsora lini ,the LRR has been proposed to be the major recog-nition domain,although for a subset of these proteins the TIR domain has also been shown to play an important role in determining specificity [22].However,in a yeast two-hybrid experiment,a specific interaction with the AVR protein only requires the NB –LRR domains of L and not the TIR domain [23].Physical interaction between the LRR domain and other R protein parts has been observed in vivo for Bs2,RPS5and Mi-1.2[18,19,24].Only for Bs2this interaction was analyzed in the presence of the cognate AVR protein.Unlike Rx,the interaction between CC –NB –ARC and LRR was not disrupted by the AVR protein.In Mi-1.2,similar to Rx,the interaction between CC –NB –ARC and LRR was found to be constitutive and independent of the presence of autoactivation or loss-of-function mutations in the NB –ARC domain [19].Interaction between CC and NB –ARC domains has also been reported for RPS5[18].However,neither for Bs2nor for N,a TNL protein,a physical interaction between430Biotic InteractionsFigure2Model for NB –LRR protein activation.In the absence of a pathogen an NB –LRR protein resides in its resting (ADP)state,in which the LRR stabilizes the closed conformation.The recognition platform for the AVR protein (brown triangle)is provided by the C-terminal part of the LRR together with CC/TIR domain (CC)and the latter could be bound to an interactor (referred to as guardee or decoy –G/D).Perception of the AVR (direct or via the G/D)changes the interaction surface between the N-terminal part of the LRR and the ARC2subdomain,thereby releasing the autoinhibition conferred by the LRR.Subsequent nucleotide exchange triggers a second conformational change,altering the interactions of the NB –ARC domain with CC and LRR domains (induced state).In the activated state the NB subdomain is accessible to interact with downstream signalling partners.Hydrolysis of ATP could return the protein to its resting state.the N-terminus and remaining part could be detected in vivo[24,25].An interaction,possibly a transient one, cannot be excluded,as the co-expression of the same Bs2domains reconstitutes protein function,suggesting interaction.Taken together,although data for intramo-lecular interaction of NB–LRR proteins remain scarce, they already reveal some differences in how these proteins are regulated and function.Despite differences within one class,it will also be of interest to investigate whether there are general class-specific interaction pat-terns for CNL and TNL proteins.An interesting obser-vation is that overexpression of the TIR domain of some TNL proteins(L10,RPS4,RPP1A,At4g19530)can trig-ger HR,but only when fused to a small part of the NB-domain containing the TIR-specific pre-P-loop motif [26,27 ].Either the extended TIR domain is sufficient to interact and activate downstream signalling partners,or it might activate other TNLs in trans,thereby causing an HR phenotype.Immunoprecipitation studies using the extended TIR domain as bait may provide an answer to this question.In the Rx model,both the LRR domain and the N-terminus are required for recognition whereas the NB subdomain is responsible for downstream signalling. How is this to be reconciled with the observation that TNLs and CNLs,having different N-termini,have a different requirement for downstream signalling com-ponents:EDS1/PAD4for TNLs and NDR1for CNLs [28].Besides carrying structurally different N-termini,the NB–ARC domains of TNLs and CNLs show clear dis-tinctions in two R protein specific NBS(RNBS)motifs:the RNBS-A and RNBS-D([29,30];Figure1).The RNBS-A is part of the NB subdomain whereas the RNBS-D belongs to the ARC2subdomain.Functional importance of both motifs is signified by the autoactivation and loss-of-func-tion mutations observed in these motifs[10,31,32 ,33]. These conserved RNBS motifs are not found in the related STAND proteins belonging to the NACHT-LRR(NAIP, CIITA,HET-E,TP-1)family.Interestingly,however, NACHT proteins contain a conserved motif,called Motif-II,located at the position corresponding to the RNBS-A.This positional conservation implies that this motif could be important for interaction with distinct partners[34].Support for this idea comes from3D model-ling ing ADP-bound APAF-1(resembles resting state)[35]and ATP-bound CED4(mimics the activated state)(unpublished)as template,it can be observed that the RNBS-A motif is buried in APAF,but more exposed in CED-4,due to the translocation of the ARC2domain, making it potentially available for an interacting partner. The RNBS-D is located on the ARC2that in APAF-1is involved in the interaction with the N-terminal CARD domain[36].Solving the ATP-bound structure of activated APAF-1,or of an NB–LRR R protein,should determine whether accessibility to these two motifs indeed changes upon nucleotide exchange.NB-LRR activation Lukasik and Takken431 Figure3Schematic relation between intra-and intermolecular interactions found with NB–LRR domains.NB–LRR proteins consist of three major domains: CC/TIR(orange),NB–ARC(pink)and LRR(green).TheNB–ARC domain(pink)can be subdivided into the NB(red),ARC1(purple), ARC2(blue)subdomains,and the LRR(green)is roughly divided intoa C-and a N-terminal part.Intramolecular interactions between domains are indicated with double headed arrows.Proteins physically interacting with a specific(sub)domain are indicated at the corresponding region in the structure.RIN2/3*–also requires hhGRExE motif in the NB.RIN13**–also requires C-terminal half of the CC domain.Since the NB of Rx alone can trigger HR[13 ],it is tempting to speculate that the RNBS-A in the NB might contribute to the observed specificity in downstream signalling components.The tobacco TNL protein N, conferring resistance to tobacco mosaic virus,provides independent support for a role of the RNBS-A motif in downstream signalling.Specific point mutations in the RNBS-A disrupt the protein’s ability to induce viral resistance and to trigger HR,but did not alter its ability to oligomerize upon pathogen perception.Oligomeriza-tion,which requires a functional nucleotide-binding site, was suggested to be one of the earliest events in elicitor-mediated activation of N.Since RNBS-A mutations did not influence oligomerization,the RNBS-A could be involved in interaction with downstream signalling com-ponents[25].Future experiments,in which the TNL-and CNL-specific motifs are swapped or mutated,can put this model to the test.The role of the RNBS-D in the ARC2is unknown,but the observed co-evolution of RNBS-D and the type of N-terminal domain suggests that it could be involved in the interaction between the ARC2and the N-terminus in NB–LRR R proteins,in line with the proposed intramo-lecular interactions in Rx(Figure2).Intermolecular interactions of NB–LRR R proteinsR protein activity is also regulated by intermolecular interactions.Specifically,these interactions have been found to be required for R protein accumulation and/or pathogen recognition.Identification of interacting part-ners can provide insight into the specific roles of the different domains in R protein function(Figure3). Table1lists proteins that physically,and genetically interact with NB–LRR R proteins.Most interactors have been identified by yeast two-hybrid screens,but recently432Biotic InteractionsTable1Proteins physically and genetically interacting with NB–LRR R proteins.Interactor NB–LRR protein analyzed Activity Relation to R protein function Ref.Interacting Non-interactingNRIP1:N receptor interacting protein1N a,b Bs4a,b RhodanesesulfurtransferaseAVR perception:in thepresence of p50(AVR)NRIP1translocates from thechloroplast and binds N[48 ]Pto:resistance toP.syringae pv.tomato Prf b Kinase AVR perception:bindsAvrPto&AvrPtoB[49]PBS1:avrPphB susceptible RPS5b Kinase AVR perception:PBS1iscleaved by AvrPphB[18,50]RIN4:RPM1interacting protein4RPM1a,bRPS2bRPP5a Unknown;requiredfor basal resistance(repressor)AVR perception:RIN4isphosphorylated by AvrRpm1and AvrB and cleavedby AvrRpt2[51–53]WRKY1/2:transcription factors Mla10a,b Transcription factors;repressors of basal resistanceAVR perception:interactswith Mla10in the presenceof AVR A10[54 ]TIP49a:(RIN1)RPM1 interacting protein1RPP5a RPM1a,b RPS2a Transcriptionalregulator;interacts with theTATA-binding protein complexUnknown[55]RanGap:RanGTPase-activating protein Rx b Rx2b Gpa2b BS2HRT bPrf N bNucleo-cytoplasmic transport Unknown[14,15]RIN2/3:RPM1interacting protein2/3RPM1a,b RPS2a RPP5a RING-finger E3ligase Unknown[56] RIN13:RPM1interacting protein13RPM1a,b Unknown Unknown[42]CRT1:compromised recognition of TCV HRT1b SSI4bRx b RPS2bATPase activity;GHKL memberUnknown[43 ]Sgt1:suppressor of G2allele of skp1Mla1a Bs2b Mla6a Co-chaperone ofHsp90/Hsp70;bindsRAR1member SCF complex(co)Chaperone/proteasome[24,57]Hsp90:heat shock protein90N a,b RPM1bMla1a Mla6a I-2aChaperone;ATPaseinteracts with Sgt1,RAR1and PP5Chaperone[57–60]PP5:protein phosphatase5I-2a,b RPM1aMi-1.2a N aPhosphatase;co-chaperone of Hsp90(co)Chaperone[58,60]a Identified using yeast two-hybrid.b Identified using co-immunoprecipitation.also co-immunoprecipitation experiments have been suc-cessful.As can be seen in Table1,most interactors specifically bind one or a few closely related R proteins.The excep-tions often interact with the LRR domain of NB–LRRs (Figure3).These three LRR interactors,heat shock protein90(Hsp90),suppressor of G2allele of skp1 (Sgt1)and protein phosphatase5(PP5),have all been proposed to act as molecular(co)chaperones and interact with a diverse set of R proteins(see references in Table1).Chaperones facilitate protein folding and stability under changing environmental conditions that could otherwise lead to their aggregation[37].Sgt1was found to control the stability of R proteins such as Rx and N[25,38].Besides functioning as co-chaperone,Sgt1also acts downstream of R proteins as silencing of sgt1sup-pressed HR induced by overexpression of the Rx NB domain or the extended TIR domain of RPS4without affecting their accumulation[13 ,27 ].Sgt1has originally been identified as a member of the SCF E3ubiquitin ligase complex that targets proteins for proteolysis by the proteasome[39].Sgt1connects the Hsp90chaperone system to the substrate-specific arm of SCF complexes, allowing ubiquitination of Hsp90client proteins[40]. Hence,besides its role in regulating the stability of R proteins,or their downstream partners,Sgt1has been proposed to be involved in the removal of negative regulators that control resistance responses[40,41 ]. Future studies aimed at the identification of such Sgt1 interacting regulators could aid in identifying its func-tion(s).Until now,two proteins have been reported to interact specifically with NB–ARC domains:the HRT interactor CRT1(compromise recognition of turnip crinkle virus) and RIN13(RPMI interacting protein13)[42].CRT1is a member of the GHKL(gyrase,Hsp90,histidine kinase, MutL)ATPase/kinases superfamily and is distantly related to the chaperone Hsp90[43 ].Mutation/silencing of CRT1confers TCV susceptibility in conjunction with an altered,HR-like response to the TCV elicitor.This suggests an early function of CRT1in HRT-mediated resistance signalling in which the impaired defence response results in poor viral containment triggering trailing necrosis due to the residual HRT activity[43 ]. CRT1binds multiple plant NB–LRR proteins.Although it is not yet known to which subdomain(s)in NB–LRR proteins CRT1binds,CRT1is unlikely to be the com-ponent that provides specificity for downstream signalling components for CNLs and TNLs,as it associates with members of both classes[43].RIN13interacts strongly with the CC–NB domain of RPM1and weakly to that of RPS2,whereas it does not bind the TNL RPP5[42].Arabidopsis lines in which RIN13is silenced,or knocked out,showed normal HR but impaired resistance to Pseudomonas strains carrying AvrRPM1,resembling the crt1phenotype.RIN13is a plant-specific protein with orthologues in rice,whose precise function remains unknown[42].Interactors of the N-terminal domain of NB–LRR proteins are very diverse and often show high specificity to their interacting partner(Figure3).Three of them are predicted to be involved in nuclear processes and can be linked to transcriptional processes(WRKY,TIP49a)or nucleo-cytoplasmic transport(RanGAP2)(reviewed in [6];Table1).The other interactors encode kinases (Pto and PBS),a rhodanese sulfurtransferase(NRIP1), E3ligases(RIN2and RIN3)or are involved in basal defence via an unknown mechanism(e.g.Rin4[44])(for references see Table1).Null mutants of these interactors impaired defence/HR signalling of the affected R protein. For Pto,RIN4,NRIP1and PBS1,it has been shown that they act upstream of R protein activation as they are directly targeted by the AVR proteins.Different models have been proposed that explain the function of these N-terminal interactors.One view is that they could encode virulence targets(guard model,[8]),but it has also been suggested that they could represent target-mimics(decoy model,[9]).In both models,the N-terminal interactors assist the R protein with recognition of the pathogen, whichfits the model proposed in Figure2.The subcel-lular localization of the interactor in this model indicates the site of action for the effector,rather than that for the R protein.NB–LRR R proteins that directly interact with their cognate effector protein apparently do not need an N-terminal adaptor for activation.Future studies focuss-ing on N-terminal interactors(RIN2,RIN3,WRKY and RanGAP2)for which no AVR binding has(yet)been found could clarify whether the CC/TIR domain indeed aids perception rather than downstream signalling. Taken together,proteins interacting with the LRR domain in general seem to be involved in stabilizing R protein complexes.Inherent instability of these proteins may explain the difficulties in producing these proteins in heterologous expression systems and their tendency to form aggregates herein[45,46].At least a subset of N-terminal interactors also interacts with the cognate effec-tor protein,which supports the involvement of this domain in pathogen recognition(Figure2).The subcel-lular localization of the interactors could provide clues to the actual virulence function of the effectors. Conclusions and future prospectsExploration of intra-and intermolecular interactions of NB–LRR R proteins has significantly improved our un-derstanding of their activation during defence signalling. Unfortunately,our knowledge is still fragmentary as only for a limited number of NB–LRR proteins intramolecular interaction data are available and interactors of only a handful of R proteins have been identified.Although theNB-LRR activation Lukasik and Takken433overall similarity in structure of different NB–LRR proteins suggests conserved molecular functions for the specific domains,it is already clear from the few cases analyzed that there are differences in the exact mechan-isms by which they perceive pathogens and activate host defences.In the model proposed here the major role for the highly variable N-terminal domain lies in pathogen recognition rather than signalling.Uncovering the function of the interactors of this domain is required to validate this model.Of specific interest will be the identification of proteins interacting with the conserved NB–ARC domain,as this seems to be the main integrator con-verting pathogen recognition into defence activation. These proteins may be different for TNL and CNL proteins.Genetic screens aimed at their identification have so far been unsuccessful in unveiling their identity, perhaps due to lethality or redundancy.Possibly,tar-geted proteomics approaches using NB–LRR proteins as baits will turn out to be a more fruitful approach. Another major challenge for the future will be the elucidation of the3D structure of R proteins,preferably in the different conformational states,as this will be key to fully elucidate the molecular mechanism underlying their function.AcknowledgementsWe apologize to those colleagues whose work we were unable to review due to lack of space.We are grateful to Martijn Rep,Wladimir Tameling and Ben Cornelissen for providing critical review and helpful comments. Research in the Takken lab is supported by CBSG(Netherlands Genomics Initiative/NWO)and by the EC Integrated Project BIOEXPLOIT CT-2005-513959.References and recommended readingPapers of particular interest,published within the period of review, have been highlighted as:of special interestof outstanding interest1.Jones JDG,Dangl JL:The plant immune system.Nature2006,444:323-329.2. Houterman PM,Cornelissen BJC,Rep M:Suppression of plant resistance gene-based immunity by a fungal effector.PLoS Pathog2008,4:e1000061.A clear demonstration of the evolutionary battle between plants andpathogens,exemplified by the interaction between tomato and the soil born fungus F.oxysporum.Analysis of the Avr1effector protein revealedits dual function:activation of resistance gene I-1and suppression of I-2 and I-3resistance function.3.Padmanabhan M,Cournoyer P,Dinesh-Kumar SP:The leucinerich repeat domain in plant innate immunity:a wealth ofpossibilities.Cell Microbiol2008,11:191-198.4.Leipe DD,Koonin EV,Aravind L:Evolution and classification ofP-loop kinases and related proteins.J Mol Biol2003,333:781-815.5.Takken FLW,Albrecht M,Tameling WIL:Resistance proteins:molecular switches of plant defence.Curr Opin Plant Biol2006, 9:383-390.6.Tameling WIL,Takken FLW:Resistance proteins:scoutsof the plant innate immune system.Euro J Plant Pathol2008,121:243-255.7.Caplan J,Padmanabhan M,Dinesh-Kumar SP:Plant NB–LRRimmune receptors:from recognition to transcriptionalreprogramming.Cell Host Microbe2008,3:126-135.8.van der Biezen EA,Jones JDG:Plant disease-resistanceproteins and the gene-for-gene concept.Trends Biochem Sci 1998,23:454-456.9.van der Hoorn RAL,Kamoun S:From guard to decoy:a newmodel for perception of plant pathogen effectors.Plant Cell2008,20:2009-2017.10.Bendahmane A,Farnham G,Moffett P,Baulcombe DC:Constitutive gain-of-function mutants in a nucleotide binding site-leucine rich repeat protein encoded at the Rx locus ofpotato.Plant J2002,32:195-204.11.Moffett P,Farnham G,Peart J,Baulcombe DC:Interactionbetween domains of a plant NBS-LRR protein indisease resistance-related cell death.EMBO J2002,21:4511-4519.12.Rairdan GJ,Moffett P:Distinct domains in the ARC region of the potato resistance protein Rx mediate LRR binding andinhibition of activation.Plant Cell2006,18:2082-2093.This paper builds on the work presented in[11]where it was showed that a decomposed NB–LRR protein can still function when its separated domains are co-expressed in planta.Based on domain swaps with Rx and Gpa2and subsequent Co-IPs the authors could map recognition specificity to the C-terminal part of the LRR and the ARC1subdomain was shown to be responsible for LRR binding.Inappropriate pairings of LRR and ARC2resulted in autoactivation,suggesting that interplay between the LRR and ARC2domains confers autoinhibition.13.Rairdan GJ,Collier SM,Sacco MA,Baldwin TT,Boettrich T,Moffett P:The coiled-coil and nucleotide binding domains of the Potato Rx disease resistance protein function in pathogen recognition and signaling.Plant Cell2008,20:739-751. Extensive analysis of the CC domain of Rx identified a new and conserved motif(EDVID)required for intramolecular interactions.This motif is part of a larger region that is essential for RanGap binding.Furthermore,the authors showed that overexpression of a stabilized NB subdomain triggered Sgt1-dependent HR.This exciting observation implies that the NB alone is sufficient to activate defence signalling and HR.14.Sacco MA,Mansoor S,Moffett P:A RanGAP protein physicallyinteracts with the NB–LRR protein Rx,and is required for Rx-mediated viral resistance.Plant J2007,52:82-93.15.Tameling WIL,Baulcombe DC:Physical association of the NB–LRR resistance protein Rx with a Ran GTPase-activatingprotein is required for extreme resistance to Potato virus X.Plant Cell2007,19:1682-1694.16.Meier I:Composition of the plant nuclear envelope:theme andvariations.J Exp Bot2007,58:27-34.17.van Ooijen G,van den Burg HA,Cornelissen BJC,Takken FLW:Structure and function of resistance proteins in solanaceous plants.Ann Rev Phytopath2007,45:43-72.18.Ade J,DeYoung BJ,Golstein C,Innes RW:Indirect activation of aplant nucleotide binding site-leucine-rich repeat proteinby a bacterial protease.Proc Natl Acad Sci U S A2007,104:2531-2536.19.van Ooijen G,Mayr G,Albrecht M,Cornelissen BJC,Takken FLW:Transcomplementation,but not physical association of theCC–NB–ARC and LRR domains of tomato R protein Mi-1.2is altered by mutations in the ARC2subdomain.Mol Plant2008, 1:401-410.20.Weaver LM,Swiderski MR,Li Y,Jones JDG:The Arabidopsisthaliana TIR-NB–LRR R-protein,RPP1A;protein localizationand constitutive activation of defence by truncated alleles in tobacco and Arabidopsis.Plant J2006,47:829-840.21.Tao Y,Yuan F,Leister RT,Ausubel FM,Katagiri F:Mutationalanalysis of the Arabidopsis nucleotide binding site-leucine-rich repeat resistance gene RPS2.Plant Cell2000,12:2541-2554.22.Ellis JG,Dodds PN,Lawrence GJ:Flax rust resistance genespecificity is based on direct resistance-avirulence proteininteractions.Ann Rev Phytopath2007,45:289-306.434Biotic Interactions。

tomcat告警规则
Tomcat告警规则（Alarm Rules）用于监控Tomcat服务器的运行状态，并在出现异常或错误时发出告警。

以下是一些常见的Tomcat告警规则：
1.CPU使用率告警：监控Tomcat服务器的CPU使用率，当CPU
使用率超过一定阈值时发出告警。

2.内存使用率告警：监控Tomcat服务器的内存使用情况，当内
存使用率超过一定阈值时发出告警。

3.线程数告警：监控Tomcat服务器的线程数，当线程数超过一
定阈值时发出告警。

4.连接数告警：监控Tomcat服务器的连接数，当连接数超过一
定阈值时发出告警。

5.错误日志数量告警：监控Tomcat服务器日志中错误日志的数
量，当错误日志数量超过一定阈值时发出告警。

以上是一些常见的Tomcat告警规则，根据实际需求，还可以定制其他的告警规则。

在配置告警规则时，需要设置阈值和告警方式（如邮件、短信等），以便在异常或错误发生时及时收到告警信息。

华为数通HCIA211试卷五华为数通HCIA211试卷五1.【单选题】1分| DHCPv6服务发送的RA报文中的MO标记位取值为01，则主机采用下列哪种方式进行地址自动配置？A 取值没有任何意义B DHCPv6无状态自动配置C DHCPv6有状态自动配置D 无状态自动配置2.【多选题】1分| 以下关于MPLS报文头中S字段说法正确的是哪些？A 用来标志本标签后是否还有其他标签，1表示是，0表示不是B S位存在于每一个MPLS报文头中C 用来标志本标签后是否还有其他标签，0表示是，1表示不是D S位在帧模式中只有1bit，在信元模式中有2bit3.【判断题】1分| VRP界面下，使用命令startup saved-configuration backup.cfg，配置下次启动时使用backup.cfg文件。

A对B错4.【多选题】1分| STP端口在下列哪种状态之间转化时存在Forward Delay？A Forwarding-DisabledB Blocking-ListeningC Disabled-BlockingD Listening-LearningE Learning-Forwarding5.【多选题】1分| STP中选举根端口时需要考虑以下哪些参数？A 端口的双工模式B 端口槽位编号，如G0/0/1C 端口的MAC地址D 端口优先级E 端口到达根交换机的Cost6.【多选题】1分| 当路由器运行在同一个OSPF区域中时，对它们的LSDB和路由表的描述正确的是（）。

A 各台路由器得到的链路状态数据库是不同的B 各台路由器的路由表是不同的C 所有路由器得到的链路状态数据库是相同的D 所有路由器得到的路由表是相同的7.【多选题】1分| 路由表当中包含以下哪些要素？A InterfaceB ProtocolC Destination/MaskD CostE NextHop8.【多选题】1分| 某台路由器路由表输出信息如下，下列说法正确的是？A 本路由器到达10.0.0.1的NextHop为10.0.21.2B 本路由器到达10.0.2.2的NextHop为10.0.21.2C 本路由器到达10.0.0.1的NextHop为10.0.12.2D 本路由器到达10.0.2.2的NextHop为10.0.12.29.【多选题】1分| 以下应用程序中基于TCP协议的是哪一项？A FTPB HTTPC PingD TFTP10.【多选题】1分| 在交换机上，哪些VLAN可以通过使用undo命令来对其进行删除？A vlan 4094B vlan 1C vlan 2D vlan 102411.【判断题】1分| 静态NAT只能实现私有地址和公有地址的一对一映射。

Homomorphic Evaluation of the AES CircuitCraig Gentry IBM ResearchShai HaleviIBM ResearchNigel P.SmartUniversity of Bristol February16,2012AbstractWe describe a working implementation of leveled homomorphic encryption(without bootstrapping) that can evaluate the AES-128circuit.Our current implementation takes about a week to evaluate anentire AES encryption operation,using NTL(over GMP)as our underlying software platform,andrunning on a large-memory ing SIMD techniques,we can process close to100blocks ineach evaluation,yielding an amortized rate of roughly2hours per block.For this implementation we developed both AES-specific optimizations as well as several“generic”tools for FHE evaluation.These last tools include(among others)a different variant of the Brakerski-Vaikuntanathan key-switching technique that does not require reducing the norm of the ciphertext vector,and a method of implementing the Brakerski-Gentry-Vaikuntanathan modulus-switching transformationon ciphertexts in CRT representation.Keywords.AES,Fully Homomorphic Encryption,ImplementationThefirst and second authors are sponsored by DARPA under agreement number FA8750-11-C-0096.The ernment is authorized to reproduce and distribute reprints for Governmental purposes notwithstand-ing any copyright notation thereon.The views and conclusions contained herein are those of the authors and should not be interpreted as necessarily representing the official policies or endorsements,either expressed or implied,of DARPA or the ernment.Distribution Statement“A”(Approved for Public Release, Distribution Unlimited).The third author is sponsored by DARPA and AFRL under agreement number FA8750-11-2-0079.The same disclaimers as above apply.He is also supported by the European Commission through the ICT Programme under Contract ICT-2007-216676ECRYPT II and via an ERC Advanced Grant ERC-2010-AdG-267188-CRIPTO,by EPSRC via grant COED–EP/I03126X,and by a Royal Society Wolfson Merit Award.The views and conclusions contained herein are those of the authors and should not be interpreted as necessarily representing the official policies or endorsements,either expressed or implied,of the European Commission or EPSRC.Contents1Introduction1 2Background22.1Notations and Mathematical Background (2)2.2BGV-type Cryptosystems (3)2.3Computing on Packed Ciphertexts (5)3General-Purpose Optimizations63.1A New Variant of Key Switching (6)3.2Modulus Switching in Evaluation Representation (7)3.3Dynamic Noise Management (8)3.4Randomized Multiplication by Constants (8)4Homomorphic Evaluation of AES94.1Homomorphic Evaluation of the Basic Operations (9)4.2Implementing The Permutations (11)4.3Performance Details (12)References12 A More Details13A.1Plaintext Slots (14)A.2Canonical Embedding Norm (14)A.3Double CRT Representation (15)A.4Sampling From A q (15)A.5Canonical embedding norm of random polynomials (16)B The Basic Scheme16B.1Our Moduli Chain (16)B.2Modulus Switching (17)B.3Key Switching (18)B.4Key-Generation,Encryption,and Decryption (19)B.5Homomorphic Operations (20)C Security Analysis and Parameter Settings21C.1Lower-Bounding the Dimension (22)C.1.1LWE with Sparse Key (23)C.2The Modulus Size (24)C.3Putting It Together (26)D Further AES Implementation Methods27E Scale(c,q t,q t−1)in dble-CRT Representation281IntroductionIn his breakthrough result[11],Gentry demonstrated that fully-homomorphic encryption was theoretically possible,assuming the hardness of some problems in integer lattices.Since then,many different improve-ments have been made,proposing new variants,improving efficiency,suggesting other hardness assump-tions,etc.Some of these works were accompanied by implementation[20,12,7,21,16],but all the imple-mentations so far were either“proofs of concept”that can compute only one basic operation at a time(at great cost),or special-purpose implementations limited to evaluating very simple functions.In this work we report on thefirst implementation powerful enough to support an“interesting real world circuit”.Specifi-cally,we implemented a variant of the leveled FHE-without-bootstrapping scheme of Brakerski,Gentry,and Vaikuntanathan[4](BGV),with support for deep enough circuits so that we can evaluate an entire AES-128 encryption operation.Why AES?We chose to shoot for an evaluation of AES since it seems like a natural benchmark:AES is widely deployed and used extensively in security-aware applications(so it is“practically relevant”to imple-ment it),and the AES circuit is nontrivial on one hand,but on the other hand not astronomical.Moreover the AES circuit has a regular(and quite“algebraic”)structure,which is amenable to parallelism and optimiza-tions.Indeed,for these same reasons AES is often used as a benchmark for implementations of protocols for secure multi-party computation(MPC),for example[19,8,14,15].Using the same yardstick to measure FHE and MPC protocols is quite natural,since these techniques target similar application domains and in some cases both techniques can be used to solve the same problem.Beyond being a natural benchmark,homomorphic evaluation of AES decryption also has interesting applications:When data is encrypted under AES and we want to compute on that data,then homomorphic AES decryption would transform this AES-encrypted data into an FHE-encrypted data,and then we could perform whatever computation we wanted.(Such applications were alluded to in[16,21]).Our Contributions.Our implementation is based on a variant of the ring-LWE scheme of BGV[4,6,5], using the techniques of Smart and Vercauteren(SV)[21]and Gentry,Halevi and Smart(GHS)[13],and we introduce many new optimizations.Some of our optimizations are specific to AES,these are described in Section4.Most of our optimization,however,are more general-purpose and can be used for homomorphic evaluation of other circuits,these are described in Section3.Many of our general-purpose optimizations are aimed at reducing the number of FFTs and CRTs that we need to perform,by reducing the number of times that we need to convert polynomials between coef-ficient and evaluation representations.Since the cryptosystem is defined over a polynomial ring,many of the operations involve various manipulation of integer polynomials,such as modular multiplications and additions and Frobenius maps.Most of these operations can be performed more efficiently in evaluation representation,when a polynomial is represented by the vector of values that it assumes in all the roots of the ring polynomial(for example polynomial multiplication is just point-wise multiplication of the evalu-ation values).On the other hand some operations in BGV-type cryptosystems(such as key switching and modulus switching)seem to require coefficient representation,where a polynomial is represented by listing all its coefficients.1Hence a“naive implementation”of FHE would need to convert the polynomials back and forth between the two representations,and these conversions turn out to be the most time-consuming part of the execution.In our implementation we keep ciphertexts in evaluation representation at all times, converting to coefficient representation only when needed for some operation,and then converting back.1The need for coefficient representation ultimately stems from the fact that the noise in the ciphertexts is small in coefficient representation but not in evaluation representation.1We describe variants of key switching and modulus switching that can be implemented while keeping almost all the polynomials in evaluation representation.Our key-switching variant has another advantage, in that it significantly reduces the size of the key-switching matrices in the public key.This is particularly important since the main limiting factor for evaluating deep circuits turns out to be the ability to keep the key-switching matrices in memory.Other optimizations that we present are meant to reduce the number of modulus switching and key switching operations that we need to do.This is done by tweaking some operations(such as multiplication by constant)to get a slower noise increase,by“batching”some operations before applying key switching,and by attaching to each ciphertext an estimate of the“noisiness”of this ciphertext,in order to support better noise bookkeeping.Our Implementation.Our implementation was based on the NTL C++library running over GMP,we utilized a machine which consisted of a processing unit of Intel Xeon CPUs running at2.0GHz with18MB cache,and most importantly with256GB of RAM.2Memory was our main limiting factor in the implemen-tation.With this machine it took us just under eight days to compute a single block AES encryption using an implementation choice which minimizes the amount of memory required;this is roughly two orders of magnitude faster than what could be done with the Gentry-Halevi implementation[12].The computation was performed on ciphertexts that could hold1512plaintext slots each;where each slot holds an element of F28.This means that we can compute 1512/16 =94AES operations in parallel,which gives an amortize time per block of roughly two hours.We note that there are a multitude of optimizations that one can perform on our basic implementation. Most importantly,we believe that by using the“bootstrapping as optimization”technique from BGV[4]we can speedup the AES performance by an additional order of magnitude.Also,there are great gains to be had by making better use of parallelism:Unfortunately,the NTL library(which serves as our underlying software platform)is not thread safe,which severely limits our ability to utilize the multi-core functionality of modern processors(our test machine has24cores).We expect that by utilizing many threads we can speed up some of our(higher memory)AES variants by as much as a16x factor;just by letting each thread compute a different S-box lookup.Organization.In Section2we review the main features of BGV-type cryptosystems[5,4],and briefly survey the techniques for homomorphic computation on packed ciphertexts from SV and GHS[21,13]. Then in Section3we describe our“general-purpose”optimizations on a high level,with additional details provided in Appendices A and B.A brief overview of AES and a high-level description(and performance numbers)of one of our AES-specific implementations is provided in Section4,with details of alternative implementations being provided in Appendix D.2Background2.1Notations and Mathematical BackgroundFor an integer q we identify the ring Z/q Z with the interval(−q/2,q/2]∩Z,and we use[z]q to denote the reduction of the integer z modulo q into that interval.Our implementation utilizes polynomial rings defined by cyclotomic polynomials,A=Z[X]/Φm(X).The ring A is the ring of integers of a the m th cyclotomic numberfield Q(ζm).We let A q def=A/q A=Z[X]/(Φm(X),q)for the(possibly composite)integer q,and we identify A q with the set of integer polynomials of degree uptoφ(m)−1reduced modulo q.2This machine was BlueCrystal Phase2;and the authors would like to thank the University of Bristol’s Advanced Computing Research Centre(https:///)for access to this facility2Coefficient vs.Evaluation Representation.Let m,q be two integers such that Z /q Z contains a primitive m -th root of unity,and denote one such primitive m -th root of unity by ζ∈Z /q Z .Recallthat the m ’th cyclotomic polynomial splits into linear terms modulo q ,Φm (X )= i ∈(Z /m Z )∗(X −ζi )(mod q ).For an element a ∈A q ,we consider two ways of representing it:Viewing a as a degree-(φ(m )−1)poly-nomial,a (X )= i<φ(m )a i X i ,we can just list all the coefficients in order a = a 0,a 1,...,a φ(m )−1 ∈(Z /q Z )φ(m ).We call a the coefficient representation of a .For the other representation we consider the values that the polynomial a (X )assumes on all primitive m -th roots of unity modulo q ,b i =a (ζi )mod q for i ∈(Z /m Z )∗.The b i ’s in order also yield a vector b ∈(Z /q Z )φ(m ),which we call the evaluation representation of a .Clearly these two representations are related via b =V m ·a ,where V m is the Van-dermonde matrix over the primitive m -th roots of unity modulo q .We remark that for all i we have the equality (a mod (X −ζi ))=a (ζi )=b i ,hence the evaluation representation of a is just a polynomial Chinese-Remaindering representation.In both evaluation and coefficient representations,an element a ∈A q is represented by a φ(m )-vector of integers in Z /q Z .If q is a composite then each of these integers can itself be represented either using the standard binary encoding of integers or using Chinese-Remaindering relative to the factors of q .We usually use the standard binary encoding for the coefficient representation and Chinese-Remaindering for the evaluation representation.(Hence the latter representation is really a double CRT representation,relative to both the polynomial factors of Φm (X )and the integer factors of q .)2.2BGV-type CryptosystemsOur implementation uses a variant of the BGV cryptosystem due to Gentry,Halevi and Smart,specifically the one described in [13,Appendix D](in the full version).In this cryptosystem both ciphertexts and secret keys are vectors over the polynomial ring A ,and the native plaintext space is the space of binary polynomials A 2.(More generally it could be A p for some fixed p ≥2,but in our case we will always use A 2.)At any point during the homomorphic evaluation there is some “current integer modulus q ”and “current secret key s ”,that change from time to time.A ciphertext c is decrypted using the current secret key s by taking inner product over A q (with q the current modulus)and then reducing the result modulo 2in coefficient representation .Namely,the decryption formula isa ←[[ c ,s mod Φm (X )]q noise ]2.(1)The polynomial [ c ,s mod Φm (X )]q is called the “noise”in the ciphertext c .Informally,c is a valid ciphertext with respect to secret key s and modulus q if this noise has “sufficiently small norm”relative to q .The meaning of “sufficiently small norm”is whatever is needed to ensure that the noise does not wrap around q when performing homomorphic operations,in our implementation we keep the norm of the noise always below some pre-set bound (which is determined in Appendix C.2).The specific norm that we use to evaluate the magnitude of the noise is the “canonical embedding norm reduced mod q ”,as described in [13,Appendix D](in the full version).This is useful to get smaller parameters,but for the purpose of presentation the reader can think of the norm as the Euclidean norm of the noise in coefficient representation.More details are given in the Appendices.We refer to the norm of the noise as the noise magnitude .The central feature of BGV-type cryptosystems is that the current secret key and modulus evolve as we apply operations to ciphertexts.We apply five different operations to ciphertexts during homomorphic evaluation.Three of them —addition,multiplication,and automorphism —are “semantic operations”that we use to evolve the plaintext data which is encrypted under those ciphertexts.The other two operations3—key-switching and modulus-switching —are used for “maintenance”:These operations do not change the plaintext at all,they only change the current key or modulus (respectively),and they are mainly used to control the complexity of the evaluation.Below we briefly describe each of these five operations on a high level.For the sake of self-containment,we also describe key generation and encryption in Appendix B.More detailed description can be found in [13,Appendix D].Addition.Homomorphic addition of two ciphertext vectors with respect to the same secret key and mod-ulus q is done just by adding the vectors over A q .If the two arguments were encrypting the plaintext polynomials a 1,a 2∈A 2then the sum will be an encryption of a 1+a 2∈A 2.This operation has no effect on the current modulus or key,and the norm of the noise is at most the sum of norms from the noise in the two arguments.Multiplication.Homomorphic multiplication is done via tensor product over A q .In principle,if the two arguments have dimension n over A q then the product ciphertext has dimension n 2,each entry in the output computed as the product of one entry from the first argument and one entry from the second.3This operation does not change the current modulus,but it changes the current key:If the two input ciphertexts are valid with respect to the dimension-n secret key vector s ,encrypting the plaintext polynomi-als a 1,a 2∈A 2,then the output is valid with respect to the dimension-n 2secret key s which is the tensor product of s with itself,and it encrypt the polynomial a 1·a 2∈A 2.The norm of the noise in the product ciphertext can be bounded in terms of the product of norms of the noise in the two arguments.The specific bound depends on the norm in use,for our choice of norm function the norm of the product is no larger than the product of the norms of the two arguments.Key Switching.The public key of BGV-type cryptosystems includes additional components to enable converting a valid ciphertext with respect to one key into a valid ciphertext encrypting the same plaintext with respect to another key.For example,this is used to convert the product ciphertext which is valid with respect to a high-dimension key back to a ciphertext with respect to the original low-dimension key.To allow conversion from dimension-n key s to dimension-n key s (both with respect to the same modulus q ),we include in the public key a matrix W =W [s →s ]over A q ,where the i ’th column of W is roughly an encryption of the i ’th entry of s with respect to s (and the current modulus).Then given a valid ciphertext c with respect to s ,we roughly compute c =W ·c to get a valid ciphertext with respect to s .In some more detail,the BGV key switching transformation first ensures that the norm of the ciphertext c itself is sufficiently low with respect to q .In [4]this was done by working with the binary encoding of c ,and one of our main optimization in this work is a different method for achieving the same goal (cf.Section 3.1).Then,if the i ’th entry in s is s i ∈A (with norm smaller than q ),then the i ’th column of W [s →s ]is an n -vector w i such that [ w i ,s mod Φm (X )]q =2e i +s i for a low-norm polynomial e i ∈A .Denoting e =(e 1,...,e n ),this means that we have s W =s +2e over A q .For any ciphertext vector c ,setting c =W ·c ∈A q we get the equation[ c ,s mod Φm (X )]q =[s W c mod Φm (X )]q =[ c ,s +2 c ,e mod Φm (X )]qSince c ,e ,and [ c ,s mod Φm (X )]q all have low norm relative to q ,then the addition on the right-hand side does not cause a wrap around q ,hence we get [[ c ,s mod Φm (X )]q ]2=[[ c ,s mod Φm (X )]q ]2,as needed.The key-switching operation changes the current secret key from s to s ,and does not change the current modulus.The norm of the noise is increased by at most an additive factor of 2 c ,e .3It was shown in [6]that over polynomial rings this operation can be implemented while increasing the dimension only to 2n −1rather than to n 2.4Modulus Switching.The modulus switching operation is intended to reduce the norm of the noise,to compensate for the noise increase that results from all the other operations.To convert a ciphertext c with respect to secret key s and modulus q into a ciphertext c encrypting the same thing with respect to the same secret key but modulus q ,we roughly just scale c by a factor q /q (thus getting a fractional ciphertext),then round appropriately to get back an integer ciphertext.Specifically c is a ciphertext vector satisfying(a)c =c (mod 2),and (b)the “rounding error term”τdef =c −(q /q )c has low norm.Converting cto c is easy in coefficient representation,and one of our optimizations is a method for doing the same in evaluation representation (cf.Section 3.2)This operation leaves the current key s unchanged,changes the current modulus from q to q ,and the norm of the noise is changed as n ≤(q /q ) n + τ·s .Note that if the key s has low norm and q is sufficiently smaller than q ,then the noise magnitude decreases by this operation.A BGV-type cryptosystem has a chain of moduli,q 0<q 1···<q L −1,where fresh ciphertexts are with respect to the largest modulus q L −1.During homomorphic evaluation every time the (estimated)noise grows too large we apply modulus switching from q i to q i −1in order to decrease it back.Eventually we get ciphertexts with respect to the smallest modulus q 0,and we cannot compute on them anymore (except by using bootstrapping).Automorphisms.In addition to adding and multiplying polynomials,another useful operation is convert-ing the polynomial a (X )∈A to a (i )(X )def =a (X i )mod Φm (X ).Denoting by κi the transformationκi :a →a (i ),it is a standard fact that the set of transformations {κi :i ∈(Z /m Z )∗}forms a group under composition (which is the Galois group G al (Q (ζm )/Q )),and this group is isomorphic to (Z /m Z )∗.In [4,13]it was shown that applying the transformations κi to the plaintext polynomials is very useful,some more examples of its use can be found in our Section 4.Denoting by c (i ),s (i )the vector obtained by applying κi to each entry in c ,s ,respectively,it was shown in [4,13]that if s is a valid ciphertext encrypting a with respect to key s and modulus q ,then c (i )is a valid ciphertext encrypting a (i )with respect to key s (i )and the same modulus q .Moreover the norm of noise remains the same under this operation.We remark that we can apply key-switching to c (i )in order to get an encryption of a (i )with respect to the original key s .2.3Computing on Packed CiphertextsSmart and Vercauteren observed [20,21]that the plaintext space A 2can be viewed as a vector of “plaintext slots”,by an application the polynomial Chinese Remainder Theorem.Specifically,if the ring polynomial Φm (X )factors modulo 2into a product of irreducible factors Φm (X )= −1j =0F j (X )(mod 2),then a plaintext polynomial a (X )∈A 2can be viewed as encoding different small polynomials,a j =a mod F j .Just like for integer Chinese Remaindering,addition and multiplication in A 2correspond to element-wise addition and multiplication of the vectors of slots.The effect of the automorphisms is a little more involved.When i is a power of two then the transforma-tions κi :a →a (i )is just applied to each slot separately.When i is not a power of two the transformation κi has the effect of roughly shifting the values between the different slots.For example,for some parameters we could get a cyclic shift of the vector of slots:If a encodes the vector (a 0,a 1,...,a −1),then κi (a )(for some i )could encode the vector (a −1,a 0,...,a −2).This was used in [13]to devise efficient procedures for applying arbitrary permutations to the plaintext slots.We note that the values in the plaintext slots are not just bits,rather they are polynomials modulo the irreducible F j ’s,so they can be used to represents elements in extension fields GF (2d ).In particular,in some of our AES implementations we used the plaintext slots to hold elements of GF (28),and encrypt one5byte of the AES state in each slot.Then we can use an adaption of the techniques from [13]to permute the slots when performing the AES row-shift and column-mix.3General-Purpose OptimizationsBelow we summarize our optimizations that are not tied directly to the AES circuit and can be used also in homomorphic evaluation of other circuits.Underlying many of these optimizations is our choice of keeping ciphertext and key-switching matrices in evaluation (double-CRT)representation.Our chain of moduli is defined via a set of primes of roughly the same size,p 0,...,p L −1,all chosen such that Z /p i Z has a m ’th roots of unity.(In other words,m |p i −1for all i .)For i =0,...,L −1we then define our i ’th modulus as q i = i j =0p i .The primes p 0and p L −1are special (p 0is chosen to ensure decryption works,and p L −1is chosen to control noise immediately after encryption),however all other primes p i are of size 217≤p i ≤220if L <100,see Appendix C.In the t -th level of the scheme we have ciphertexts consisting of elements in A q t (i.e.,polynomialsmodulo (Φm (X ),q t )).We represent an element c ∈A q t by a φ(m )×(t +1)“matrix”of its evaluationsat the primitive m -th roots of unity modulo the primes p 0,...,p t .Computing this representation from the coefficient representation of c involves reducing c modulo the p i ’s and then t +1invocations of the FFT algorithm,modulo each of the p i (picking only the FFT coefficients corresponding to (Z /m Z )∗).To convert back to coefficient representation we invoke the inverse FFT algorithm t +1times,each time padding the φ(m )-vector of evaluation point with m −φ(m )zeros (for the evaluations at the non-primitive roots of unity).This yields the coefficients of t +1polynomials modulo (X m −1,p i )for i =0,...,t ,we then reduce each of these polynomials modulo (Φm (X ),p i )and apply Chinese Remainder interpolation.We stress that we try to perform these transformations as rarely as we can.3.1A New Variant of Key SwitchingAs described in Section 2,the key-switching transformation introduces an additive factor of 2 c ,e in the noise,where c is the input ciphertext and e is the noise component in the key-switching matrix.To keep the noise magnitude below the modulus q ,it seems that we need to ensure that the ciphertext c itself has low norm.In BGV [4]this was done by representing c as a fixed linear combination of small vectors,i.e.c = i 2i c i with c i the vector of i ’th bits in c .Considering the high-dimension ciphertextc ∗=(c 0|c 1|c 2|···)and secret key s ∗=(s |2s |4s |···),we note that we have c ∗,s ∗ = c ,s ,and c ∗has low norm (since it consists of 0-1polynomials).BGV therefore included in the public key the matrix W =W [s ∗→s ](rather than W [s →s ]),and had the key-switching transformation computes c ∗from c and sets c =W ·c ∗.When implementing key-switching,there are two drawbacks to the above approach.First,this increases the dimension (and hence the size)of the key switching matrix.This drawback is fatal when evaluating deep circuits,since having enough memory to keep the key-switching matrices turns out to be the limiting factor in our ability to evaluate these deep circuits.Another drawback is it seems that this key-switching procedure requires that we first convert c to coefficient representation in order to compute the c i ’s,then convert each of the c i ’s back to evaluation representation before multiplying by the key-switching matrix.In level t of the circuit,this seem to require Ω(t log q t )FFTs.In this work we propose a different variant:Rather than manipulating c to decrease its norm,we instead temporarily increase the modulus q .To that end we recall that for a valid ciphertext c ,encrypting plaintext a with respect to s and q ,we have the equality c ,s =2e +a over A q ,for a low-norm polynomial e .6This equality,we note,implies that for every odd integer p we have the equality c ,p s =2e +a ,holding over A pq ,for the “low-norm”polynomial e (namely e =p ·e +p −12a ).Clearly,when considered relativeto secret key p s and modulus pq ,the noise in c is p times larger than it was relative to s and q .However,since the modulus is also p times larger,we maintain that the noise has norm sufficiently smaller than the modulus.In other words,c is still a valid ciphertext that encrypts the same plaintext a with respect to secret key p s and modulus pq .By taking p large enough,we can ensure that the norm of c (which is independent of p )is sufficiently small relative to the modulus pq .We therefore include in the public key a matrix W =W [p s →s ]modulo pq for a large enough odd integer p .(Specifically we need p ≈q √m .)Given a ciphertext c ,valid with respect to s and q ,we apply the key-switching transformation simply by setting c =W ·c over A pq .The additive noise term c ,e that we get is now small enough relative to our large modulus pq ,thus the resulting ciphertext c is valid with respect to s and pq .We can now switch the modulus back to q (using our modulus switching routine),hence getting a valid ciphertext with respect to s and q .We note that even though we no longer break c into its binary encoding,it seems that we still need to recover it in coefficient representation in order to compute the evaluations of c mod p .However,since we do not increase the dimension of the ciphertext vector,this procedure requires only O (t )FFTs in level t (vs.O (t log q t )=O (t 2)for the original BGV variant).Also,the size of the key-switching matrix is reduced by roughly the same factor of log q t .Our new variant comes with a price tag,however:We use key-switching matrices relative to a larger modulus,but still need the noise term in this matrix to be small.This means that the LWE problem under-lying this key-switching matrix has larger ratio of modulus/noise,implying that we need a larger dimension to get the same level of security than with the original BGV variant.In fact,since our modulus is more than squared (from q to pq with p >q ),the dimension is increased by more than a factor of two.This translates to more than doubling of the key-switching matrix,partly negating the size and running time advantage that we get from this variant.We comment that a hybrid of the two approaches could also be used:we can decrease the norm of c only somewhat by breaking it into digits (as opposed to binary bits as in [4]),and then increase the modulus somewhat until it is large enough relative to the smaller norm of c .We speculate that the optimal setting in terms of runtime is found around p ≈√q ,but so far did not try to explore this tradeoff.3.2Modulus Switching in Evaluation RepresentationGiven an element c ∈A q t in evaluation (double-CRT)representation relative to q t = t j =0p j ,we wantto modulus-switch to q t −1–i.e.,scale down by a factor of p t ;we call this operation Scale (c,q t ,q t −1)The output should be c ∈A ,represented via the same double-CRT format (with respect to p 0,...,p t −1),such that (a)c ≡c (mod 2),and (b)the “rounding error term”τ=c −(c/p t )has a very low norm.As p t is odd,we can equivalently require that the element c †def=p t ·c satisfy(i)c †is divisible by p t ,(ii)c †≡c (mod 2),and(iii)c †−c (which is equal to p t ·τ)has low norm.Rather than computing c directly,we will first compute c †and then set c ←c †/p t .Observe that once we compute c †in double-CRT format,it is easy to output also c in double-CRT format:given the evaluations for c †modulo p j (j <t ),simply multiply them by p −1t mod p j .The algorithm to output c †in double-CRT format is as follows:7。

This paper is available on line at REVIEW ARTICLEPlant virus gene expression strategiesPedro I. Bustamante 1Laboratorio de Biotecnología, Universidad Mayor, Campus Huechuraba, Santiago-Chile,E-mail: pbustama@risc.umayor.clRoger HullJohn Innes Centre, Norfolk Research Park, Norwich, NR4 7UH, U.K.E-mail: roger.hull@1Corresponding authorPlant viruses can cause serious losses to most, if not all, major crops upon which depend for food. Many viruses are endemic,causing moderate losses each year. Others, such as those causing rice tungro, give periodic severe epidemics. There are no fully collated figures for world-wide losses due to viruses but some examples has been listed, i.e., rice tungro in SE ASIA and african cassava mosaic in Africa with 1,500 and 2,000millions dollars per year in losses respectively.However, in recent years the understanding of the genome organisation of plant viruses has increased in parallel with development of molecular biological techniques. The ability to obtain nucleotide sequences of complete viral genomes has also permitted the elucidation and understanding of expression strategies used by many different plant viruses.This review is aimed to summarise some aspects of the main strategies used by plant viruses to express their genomes.To date the Virus Identification Data Exchange (VIDE)database (plant virus database operated at the Australian National University in Canberra, Australia) contains 569characters for more than 890 plant virus species in 55 genera,according Gibbs (1994), and cited by Murphy et al. (1995).The VIDE database is accessible through the Internet from the BioWeb server .au/Groups/MES/vide/ (Brunt et al., 1996). Plant viruses can cause serious losses to most, if not all, major crops upon which we depend for food. Many viruses are endemic, causing moderate losses each year.Others, such as those causing rice tungro, give periodic severe epidemics. There are no fully collated figures for world-wide losses due to viruses but some examples has been listed by Hull (1994), i.e. rice tungro in SE Asia, african casava mosaic in Africa and potato viruses in UK with 1,500,2,000 and 30-50 millions dollars per year in losses respectively.In recent years the understanding of the genome organisation of plant viruses has increased rapidly in parallel with the development of molecular biological techniques.The ability to obtain nucleotide sequences of complete viral genomes has also permitted the elucidation and understanding of expression strategies used for many different plant viruses.For many years, the only nucleic acid found in plant viruses was RNA, but it is now clear that viruses infecting plants may contain any one of the four types of genetic material:single-stranded RNA (ssRNA, about 75% of plant viruses),double-stranded RNA (dsRNA, reoviruses), single-stranded DNA (ssDNA, geminiviruses) or double-stranded DNA (dsDNA, caulimo- and badnaviruses). Of those for which the genome is known or can be extrapolated by being in thesame group as a known virus, the vast majority have ssRNA of the (+) or messenger polarity (termed (+) RNA). These (+)strand plant viruses are classified into more than 25 distinct taxonomic groups (Murphy et al., 1995) and show a wide variation in capsid morphology ranging from the rod shaped tobravirus, the filamentous potyvirus, to the icosahedral viruses (e.g. bromovirus, sobemovirus, comovirus,tombusvirus, nepovirus, tymovirus ).There are also some economically important viruses with minus-strand and ambisense genomic RNA species (rhabdoviruses, tospoviruses and tenuiviruses ). Tospovirus is the only genus of plant viruses in the Bunyaviridae family (German et al., 1992). However, Toriyama (1995) has also proposed to include the Tenuivirus group as a new genus of plant-related viruses of the Bunyaviridae family.This review is aimed to summarise some aspects of the main strategies used by plant viruses to express their genomes.Genome organisationAlthough the majority of known plant viruses have RNA genomes, it is the smaller division of plant DNA viruses which are better known. In the following sections, mainly information related to plant RNA viruses will be discussed and for information about plant DNA viruses or some viroids, there are several reviews that cover in depth these aspects (Symons, 1991;Lazarowitz, 1992,Timmermans et al.,1994,Rothnie et al., 1994).Plant RNA viruses show a wide variation in their genome structure and organisation and may have different terminal structures such as cap structures or genome-linked proteins (VPg) at the 5' end, and a poly(A)-tail or tRNA-like structure at the 3' end of their RNA (reviewed by Goldbach et al.,1991). For some viruses the genome needed for infection is divided between two or more segments which may be encapsidated in the same particle or in separate particles (multicomponent) and even like the tobacco necrosis virus (TNV), have associated satellite RNAs (Hull, 1990; Hull and Davies, 1992, Matthews, 1991). Most, if not all, plant virus genomes encode four or more proteins with functions that operate at various stages in the infection cycle.Information on the genome organisation and sequence similarities of the non-structural proteins, in particular of their RNA-dependent RNA polymerases (RdRps) and helicases, show that most plant RNA viruses are genetically related and appear to have possible evolutionary links with some animal RNA viruses (Ishihama and Barbier,1994,Strauss et al., 1996).Table 1. Characteristic of RNA virus superfamiliesGroup Lineage Virus groups Helicasetype Common features Morphology Hosts andvectorsSuper 1 (POL1)Picorna-likePoty-likeSobemo-likeArteri-likePicornaviridaeComovirusNepovirusCalicivirusPotyvirusBymovirusSobemovirusLuteovirusNodavirusCorona virusArterivirusTorovirusIIIIINone5’-VPG3’-poli (A)No subgenomic RNAsPolyprotein processingNo overlapping ORFs5’-cap3’-poly (A)Nested set of mRNAsEnvelopedIcosahedralSeparateencapsidationRod-shapedIsometricMammalsPlantsMammalsPlantsPlantsInsectMammalsSuper 2 (POL2)PhageFlavi-likePesti-likeCarmo-likeRNA coliphagesFlavivirusPestivirusCarmovirusTombusvirusNoneIIIINoneOne ORFNo 3’-poly (A)EnvelopedIcosahedralBacteriaHumansMammalsPlantsSuper 3 (POL3)Tymo-likeRubi-likeTobamo-likeTymovirusCarlavirusPotexvirusCapillovirusRubellaHepatitis EAlphavirusesTobamovirusTricornavirusHordeivirusTobravirusClosterovirusIII5’-capsSubgenomics mRNAsNo Overlapping ORFsReadthrough (most)IcosahedralFilamentousEnvelopedRod-shapedPlantsMinus strandRNA Paramyxoviridae Rhabdoviridae Orthomyxoviridae Arenaviridae FiloviridaeEnvelopedSelf-complementaryterminiHelical capsidOverlapping ORFsSomesegmentedgenomesSome with MproteinPleiomorphicEnveloped rodMammalsBirdsFishInsectsPlantsDouble-strandRNA Reoviridae BimaviridaeSegmented genome5’-cap3’-OHss RNA intermediatesVertebratesPlantsArthropodsMollusks Vpg, genome-linked protein; ORF, open reading frameAdapted from Straus et al., 1996The analogous modular arrangement of these coding sequences also suggests that these viruses may employ similar RNA replication strategies (Dolja and Carrington, 1992;Koonin and Dolja, 1993). This has led to the proposal (Goldbach, 1986;Koonin, 1991a;Koonin et al., 1991;Dolja and Carrington, 1992;Koonin and Dolja, 1993), based on the three different types of sequence motifs in the RdRps, of the division of the positive-strand RNA viruses into three 'Supergroups'.Supergroup I, which includes, the Picorna-like, Poty-like, Sobemo-like and Arteri-like. They have common features as, a VPg protein covalently linked to the 5' end of the RNA, 3'-poly (A), no subgenomic RNAs, polyprotein processing, no overlapping ORFs (see Table 1 for more detail). Supergroup II, which includes the coliphages, Flavi-like, Pesti-like and Carmo-like viruses. They shares such features as, enveloped virions and no 3' -poly (A) (see Table 1).Supergroup III, which includes the Tymo-like, Rubi-like and Tobamo-like viruses. They have common features as, 5' caps, subgenomics mRNAs, no overlapping ORFs and read-through expression strategy (most of them) (see Table 1).The grouping is based on sequence homology of three similarly organised non-structural proteins of Sindbis virus, including the RNA capping enzyme, RNA helicase and RdRp (Koonin, 1991a;Koonin, 1991b). Subgrouping can also be based on conserved sequence motifs of helicases (helicase superfamilies 1, 2 and 3), proteases and the presence of capping enzymes (reviewed in Koonin and Dolja, 1993). RdRp however is the only domain of positive-strand RNA viruses allowing an all-inclusive phylogenetic analysis.Replication of plant RNA virusesBustamante P.I. and Hull R.Most viruses encode proteins that are involved in viral nucleic acid replication. The discovery of the RdRps marked a major breakthrough in understanding the replication of progeny RNA from genomic viral RNA (reviewed in David et al., 1992; Ishihama and Barbier, 1994).Potential RdRps have been described for many plant RNA viruses including brome mosaic virus (BMV) (Hardy et al., 1979), cowpea chlorotic mosaic virus (CCMV) (Miller and Hall, 1984), turnip yellow mosaic virus (TYMV) (Mouches et al., 1984), alfalfa mosaic virus (AlMV) (Houwing and Jaspers, 1986), cucumber mosaic virus (CMV) (Hayes and Buck, 1990), TMV (Young et al.., 1987), turnip crinkle virus (TCV) (Song and Simon, 1994), red clover necrotic mosaic dianthovirus (RCNMV) (Bates et al.., 1995), tomato spotted wilt virus (TSWV) (Adkins et al.., 1995). While it is accepted that the role of RdRp in replication of RNA viruses is essential, the mechanism of its function is unclear and may differ for different virus groups. In in vitro studies on BMV, CCMV, AlMV, and TYMV the enzyme has only been shown to synthesise minus-strand RNA while complete replication of both minus-strand and new progeny plus-strand RNA has been demonstrated for CMV (Hayes and Buck, l990).In addition, host factors have also been implicated in the replication complexes of TYMV (Mouches et al.., 1984), TMV (Meshi et al.., 1988), cowpea mosaic virus (CPMV) (Derssers et al.., 1984), BMV (Quadt and Jaspars, 1990;Quadt et al., 1993), CMV (Hayes and Buck, l990). The requirement for host-factors goes some way in explaining the inability of some extracted viral RdRps to fully complete a replication cycle. Proposed mechanisms for the precise mode of action of several viral RdRps as well as their structure and organisation have been reviewed extensively (for comprehensive reviews see Marsh et al., 1989,David et al., 1992,Ishihama and Barbier, 1994).In general however, the viral RdRps are complex moieties, acting as RNA replicases or transcriptases, synthesising both (-) and (+) strands. Moreover, RdRps not only catalyse RNA polymerisation but, in many viruses, also effect RNA modifications (e.g. RNA methyltransferase activity).Replication of plus-strand RNA virusesReplication of plant positive-strand RNA viruses takes place in the cytoplasm of infected cells. RNA polymerases appear to be membrane-bound, and some proteins implicated in replication have membrane-binding domains, e.g. P58 encoded by RNA1 of CPMV. However the precise sites where RNA replication takes place have not been clearly defined and probably differ for different viruses. Granular inclusion bodies have been invoked as the sites for TMV-RNA replication (Saito et al., 1987; Okamoto et al., 1988). Replication of (+) strand RNA viruses can be separated into four overlapping steps:(i) The uncoating of the virus, which exposes the nucleic acid to the replication processes. (ii) Translation, during which the viral RNA serves as a messenger RNA and produces structural and non-structural proteins. This process is further divided into the primary or early translation of proteins required for replication, e.g. the RdRp, and secondary or late translation of proteins with late functions, e.g. the coat protein. (iii) Replication of the genome which yields progeny RNA molecules takes place in two stages, both catalysed by an RdRp:(1) Synthesis of a full-length complementary (negative) RNA strand using the genomic (positive) RNA strand as a template. (2) Synthesis of progeny genomic RNA and subgenomics RNAs using the negative-strand RNA as a template. And finally (iv) the progeny genomic strands are encapsidated.The virus-encoded proteins required for RNA replication have been deduced from the composition of purified polymerases capable of copying genomic RNA to produce a negative strand, from the use of mutants, for divided genome viruses from the minimum number of RNA segments needed to infect protoplasts and from the presence of conserved sequence motifs found in polymerases in other systems (Quadt and Jaspars, 1990).Initiation of the synthesis of a negative-strand on a positive-strand RNA template requires binding of the polymerase to a recognition site at the 3' end of the template. The 3' end of the RNA of many viruses can be folded into a characteristic secondary or tertiary structure which includes the RNA polymerase binding site. Sequences at the 5' end of the genomic RNA are also required for RNA infectivity (French and Ahlquist, 1987) and presumably reflect the requirement for binding of the polymerase at the 3' end of negative-strand RNA.One system currently being used to study positive-strand RNA virus replication is the plant bromovirus group (Ahlquist, 1992). The bromoviruses are icosahedral, positive-strand, tripartite RNA viruses in the alphavirus-like superfamily. The two bromovirus proteins required for RNA replication, 1a and 2a, are translated from genomic RNA1 and RNA2, respectively, while proteins required for infection spread are translated from genomic RNA3 and a subgenomic mRNA, RNA4, transcribed from negative-strand RNA3. Protein 1a (109 K) contains an N-terminal m7G methyltransferase-like domain thought to be involved in capping viral RNA (Rozanov et al., 1992) and a C-terminal helicase-like domain (Gorbalenya et al., 1988). Protein 2a (94 K) contains a central polymerase-like domain (Kamer and Argos, 1984). Site-specific mutagenesis studies showed that all three conserved domains in 1a and 2a are required for RNA synthesis (Kroner et al., 1990;Traynor et al., 1991).Bromovirus RNA synthesis can be divided into three distinct steps:negative-strand synthesis, positive-strand synthesis, and subgenomic mRNA transcription. Each of these steps is differentially regulated. For example, negative-strand RNA accumulation plateaus by 8 h post-inoculation, while positive-strand genomic RNA and subgenomic mRNA continue to accumulate until or beyond 20 h post-inoculation (Kroner et al., 1990). French and Ahlquist (1987) described that BMV-directed replication of RNA3 in vivo depends on cis-acting sequences in three regions of RNA3:the 3' and 5' noncoding regions and the intercistronic noncoding region. Later, Janda and Ahlquist (1993) demonstrated that BMV RNA3 derivates can be replicated and direct subgenomic mRNA transcription in yeast expressing BMV proteins 1a and 2a from DNA plasmids.Recently, it has been shown that yeast expressing 1a and 2a and replicating RNA3 derivatives can be extracted to yield BMV-specific template-dependent RdRp activity (Quadt et al., 1995). Moreover, even though RdRp activity was asssayed on in vitro-supplied BMV-RNA templates, it was found that RdRp can only be isolated from cells expressing certain BMV RNA template sequences as well as 1a and 2a. Strong correlation between extracted RdRp activity and BMV (-)-strand RNA accumulation in vivo was found for all RNA3 derivatives tested. Thus, extractable in vitro RdRp activity paralleled formation of a complex capable of viral RNA synthesis in vivo. These results suggest that assembly of active RdRp requires not only viral proteins but also viral RNA, either to direct contribute some nontemplate function or to recruit essential host factors in the RdRp complex (Quadt et al., 1995)Plant virus gene expression strategiesZaccomer et al. (1995) have reviewed recently other elements believed to be involved in virus replication:1)tRNA-like structures. It has long been known that theRNA genomes of certain positive-strand plant viruses have tRNA-related properties (reviewed in Mans et al., 1992). These 3' tRNA-like structures have been shown to be involved in minus-strand synthesis in the case of TMV (Dawson et al., 1988), BMV (Miller et al., 1985) and TYMV (Tsai and Dreher, 1991).2)Pseudoknots. In addition to the pseudoknots in thetRNA-like structures, a few viruses have pseudoknots upstream of these structures which appear to participate in RNA replication. In TMV the most downstream of the six double-helical structures that compose the three pseudoknots already mentioned located just upstream of the tRNA-like structure, is required for replication (Takamatsu et al., 1990). Also Leathers et al. (1993) have reported that this region probably is involved in translation. However, pseudoknots present either in BMV-RNA3 (Lahser et al., 1993) or TYMV (Tsai and Dreher, 1992) are only involved in RNA replication.3)Poly(A) structures. In CPMV, both M-RNA and B-RNAcontain the sequence UUUUAUU immediately followed by the poly(A) tail. This heptanucleotide sequence together with the first four A residues immediately downstream can adopt a hairpin structure. A similar structure can also be formed by the M-RNA of RCMCV (Shanks et al., 1986). In CPMV B-RNA, deletions from the 3' end of the RNA can prevent formation of the hairpin and dramatically interfere with RNA replication (Eggen et al., 1989).4)Internal control region (ICR)-like sequences. Similaritiesexist between viral RNA sequences (bromoviruses, cucumoviruses, tobamoviruses, tobraviruses and tymoviruses) and the ICR2 of the RNA polymerase III promoter of eukaryotes (Marsh et al., 1989). A role for these sequences in replication has been demonstrated for BMV RNA (Pogue et al., 1992) and is also proposed for the RNA of CMV (Boccard and Baulcombe, 1993) and AlMV (van der Vossen et al., 1993). The presence of ICR-like sequences suggests that a host RNA polymerase III subunit and/or one of its cofactors could participate in viral RNA replication.Replication of minus-strand RNA virusesNegative-strand RNA viruses are a large and diverse group of enveloped viruses. They are found in hosts from the plant and animal kingdoms, and have a wide range of morphologies, biological properties and genome organisations (Conzelmann, 1996). A major distinction is made between viruses whose genome consists of a single RNA molecule (order Mononegavirales), including the families Rhabdoviridae, Paramyxoviridae and Filoviridae, and those possesing multipartite (segmented) genomes, comprising the families Orthomyxoviridae (six to nine segments), Bunyaviridae (three segments) and Arenaviridae (two segments).Characteristically, the genetic information of negative-strand RNA viruses is exclusively found in the form of a ribonucleoprotein complex (RNP) in which the genomic or antigenomic ssRNA is tightly encapsidated in a nucleoprotein (N or NP) and associated with the virus RdRp. In the case of non-segmented viruses, the latter consists of a catalytic subunit (L) and a non-catalytic cofactor, a phosphoprotein (P). After infection of a cell, the RNP serves as a template for two distinct RNA synthesis functions, transcription of subgenomic, usually non-overlapping mRNAs and the replication of full-length RNAs (for detailed reviews see Galinski, 1991). The RNP genomes appear to posses only one promoter, at the 3' end of the RNA where the virus RdRp enters for both mRNA transcription and genome replication (Conzelman, 1996).For viruses in the family Bunyaviridae, the polymerase protein, either acting alone or in concert with undefined viral or cellular factors, must first functions as a cap-dependent endonuclease to generate a primer for transcriptions of a non-encapsidated transcript of subgenomic length. At some point, the polymerase must switch to a process of independently initiating transcription at the precise-3' end of the template and producing an encapsidated, full length transcript (Schmaljohn, 1996). Presumably, some viral or host factor is required to signal a suppression of the transcription termination signal responsible for generation of truncated mRNA and also to prevent the addition of the capped and methylated structures to the 5' termini of the cRNAs (Schmaljohn, 1996). For the rhabdovirus vesicular stomatitis virus, the switch to antigenome synthesis appears to be controlled by the N protein (Banerjee, 1987).In animal viruses such Influenza A (Orthomyxoviridae), which has a genome consisting of eight ssRNA segments of negative polarity, the replication and transcription of the virus genome are catalysed by a virus-encoded RdRp (Kobashagi et al., 1992, Huang et al., 1990). The RdRp is composed of three subunits, PB1, PB2 and PA, which are tightly associated at the double-stranded stem region of the panhandle formed by the 5' and 3' termini of each RNA segment (Huang et al., 1990, Hsu et al., 1987). RdRp plays an essential role in both replication and transcription but little is known about the molecular mechanism of replication. However, some evidence suggests that PB1, PA and the nucleoprotein can support the replication of the influenza virus genome as well as the transcription to yield uncapped poly (A)+RNA but PB2 is specifically required for the synthesis of capped RNA (Nakagawa et al., 1995).Virion-associated RdRp polymerase activity has been also found in plant rhabdoviruses. In the case of wheat rosette stunt virus, both detergent-treated virions and isolated nucleocapsids exhibit RNA polymerase activity. Like animal rhabdoviruses, the enzyme activity can be regained upon mixing of L and NS proteins and using N-associated RNA template. Products synthesised in vitro by the virion-associated RNA polymerase of plant rhabdoviruses contain genome-length and single-strand virus complementary RNA (vcRNA) indicating that the RdRp acts not only as transcriptase but also as replicase.Replication of ambisense virusesRdRp activity has been detected in detergent-disrupted virions of animal-infecting members of the Bunyaviridae (Vialat and Bouloy, 1992) and has been directly linked to the L-protein of bunyamwera virus, the type member of the family (Jin and Elliot, 1991). An RdRp activity has been found associated with virions of TSWV, a plant- and insect-infecting member of the family Bunyaviridae. Radiolabelled nucleoside triphosphate was incorporated into trichloroacetic acid-precipitable products by detergent-disrupted, purified TSWV virions. The predominantly double-stranded RNA products were RNase-resistant at high but not low salt concentrations. Discrete products of approximately 3.0 kb were synthesised that hybridised to purified TSWV RNA and transcripts of cDNA clones encompassing parts of each of the three genomic RNAs. The predominant products were viral sense although significant amounts of viral complementary sense S RNA products were also synthesised (Adkins et al., 1995).Bustamante P.I. and Hull R.Barbier et al. (1992) working with the Tenuivirus rice stripe virus (RSV) a virus with some genome organisation features in common with TSWV, isolated an RNA polymerase activity by CsCl centrifugation from purified RSV ribonucleoproteins (RNPs). The active fraction contained two viral structural proteins, a 30 K nucleocapsid (N) protein and a 230 K putative polymerase protein. An in vitro RNA synthesis system was reconstituted using this RNA-free protein fraction and short model templates carrying the conserved 5' and 3' terminal sequences. This showed that, as in the case of influenza virus, a minimum promoter function resides in the panhandle secondary structure formed by the complementary termini or in the 3' terminal sequence of 11-14 nucleotides in length.Modes of gene expressionAnother major problem facing RNA viruses with limited genome size is their obvious dependence on the host eukaryotic protein-synthesising system. These small genomes are also expected to encode a range of virus proteins. The strategies of expression that have emerged from recent studies suggest that the viral genomes appear to have evolved to overcome the obvious constraints of the plant host system.The eukaryotic 80S ribosome is usually able only to translate the first ORF in the 5' region of an mRNA, according the "scanning ribosome model" proposed by Kozak (1991). The model states that the 40S ribosomal subunit (carrying Met-tRNA imet and various initiation factors) binds initially at the 5’end of mRNA. The ubiquitous m7G cap and the associated cap-binding protein(s) explain the predilection of eukaryotic ribosomes to engage mRNA at the 5’-end. Then the migrating 40S ribosomal subunit stalls at the first AUG codon, which is recognised in large part by base pairing with the anticodon in Met-tRNA imet. However, the stop-scanning step and hence selection of the initiator codon, is susceptible to modulation, by context, at least in vertebrates and selection of more distal AUG is permitted under certain defined circumstances (Kozak, 1991).The possibility that might be cases of internal translation initiation has been shown. Pelletier and Sonenberg (1988) have proposed that there is efficient internal initiation on poliovirus RNA. The evidence comes from experiments exploiting the fact that translation of a dicistronic mRNA with two non-overlapping ORFs (A and B) generally gives a low yield of B protein (located downstream) compared with A.Pelletier and Sonenberg (1988) used a construct in which the entire 5' untranslated region (736 nt) of type 2 poliovirus was placed in the intercistronic region of a capped dicistronic mRNA. When the cells expressing the dicistronic mRNA are infected with the poliovirus, the synthesis of protein A (upstream) was inhibited and protein B enhanced, demonstrating that downstream cistron translation is independent of upstream. In addition, cell-free extracts from poliovirus-infected cells translated cistron B but not A. Similar results have been published also by Jang et al. (1988) for encephalomyocarditis virus RNA and more recently for bovine viral diarrhea virus by Poole et al. (1995).The main strategies used by plant viruses to allow protein synthesis in a eukaryotic system from positive sense RNA genome containing more than one gene are discussed below (see Figure 1 for some illustrations).Subgenomic RNAsThe expression of internal genes such coat protein (CP) of the positive RNA viruses is frequently mediated via subgenomic RNAs, considered in this study as mRNAs (see Figure 1a). These mRNAs are encapsidated in some viruses, but not in others. Among plant RNA viruses, the mechanism of synthesis of the subgenomic RNA encoding the CP has been examined in several viruses, i.e., TMV (Palukaitis et al., 1983), CMV (Jaspars et al., 1985). From these studies, two mechanisms have been proposed to explain the synthesis of subgenomic RNA species:(1) During (-) RNA strand synthesis by the RdRp, premature termination could lead to the formation of (-) RNA strands of subgenomic length that could serve as template to generate the subgenomic (+) RNA; alternatively (2) the subgenomic (+) RNA could be synthesised via internal initiation on (-) RNA strands of genomic length.The evidence from in vivo and in vitro experiments with various RNA viruses clearly tends to favour the second mechanism. Since subgenomic RNAs contain at their 3' end the elements required for the production of complementary subgenomic RNA chains, various explanations have been put forward to account for the lack of autonomous replication of subgenomic RNA. These are that (1) the sequence contained within the subgenomic RNA is insufficient for replication of the subgenomic RNA; (2) the subgenomic RNA, which is frequently a highly efficient mRNA, may not be available for replication; and (3) the subgenomic RNA would be produced late in infection or at time when negative-strand synthesis has ceased. From different experiments, the first explanation is certainly the most likely.Miller et al. (1985), studying the mechanism of BMV subgenomic RNA4 formation from genomic RNA3 by using the in vitro RdRp system provided, the first unequivocal evidence that the subgenomic RNA of a positive-strand RNA virus is synthesised (at least in vitro) by internal initiation of positive-strand RNA synthesis on a negative-strand template.。

On the Effectiveness of Address-Space RandomizationHovav ShachamStanford University hovav@Matthew PageStanford Universitympage@Ben PfaffStanford Universityblp@Eu-Jin GohStanford University eujin@Nagendra ModaduguStanford Universitynagendra@Dan BonehStanford Universitydabo@ABSTRACTAddress-space randomization is a technique used to fortify systems against buffer overflow attacks.The idea is to in-troduce artificial diversity by randomizing the memory lo-cation of certain system components.This mechanism is available for both Linux(via PaX ASLR)and OpenBSD. We study the effectiveness of address-space randomization andfind that its utility on32-bit architectures is limited by the number of bits available for address randomization.In particular,we demonstrate a derandomization attack that will convert any standard buffer-overflow exploit into an ex-ploit that works against systems protected by address-space randomization.The resulting exploit is as effective as the original,albeit somewhat slower:on average216seconds to compromise Apache running on a Linux PaX ASLR system. The attack does not require running code on the stack.We also explore various ways of strengthening address-space randomization and point out weaknesses in each.Sur-prisingly,increasing the frequency of re-randomizations adds at most1bit of security.Furthermore,compile-time ran-domization appears to be more effective than runtime ran-domization.We conclude that,on32-bit architectures,the only benefit of PaX-like address-space randomization is a small slowdown in worm propagation speed.The cost of randomization is extra complexity in system support.Categories and Subject DescriptorsD.4.6[Operating Systems]:Security and ProtectionGeneral TermsSecurity,MeasurementKeywordsAddress-space randomization,diversity,automated attacks Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on thefirst page.To copy otherwise,to republish,to post on servers or to redistribute to lists,requires prior specific permission and/or a fee.CCS’04,October25-29,2004,Washington,DC,USA.Copyright2004ACM1-58113-961-6/04/0010...$5.00.1.INTRODUCTIONRandomizing the memory-address-space layout of soft-ware has recently garnered great interest as a means of di-versifying the monoculture of software[19,18,26,7].It is widely believed that randomizing the address-space lay-out of a software program prevents attackers from using the same exploit code effectively against all instantiations of the program containing the sameflaw.The attacker must ei-ther craft a specific exploit for each instance of a random-ized program or perform brute force attacks to guess the address-space layout.Brute force attacks are supposedly thwarted by constantly randomizing the address-space lay-out each time the program is restarted.In particular,this technique seems to hold great promise in preventing the ex-ponential propagation of worms that scan the Internet and compromise hosts using a hard-coded attack[11,31].In this paper,we explore the effectiveness of address-space randomization in preventing an attacker from using the same attack code to exploit the sameflaw in multiple randomized instances of a single software program.In par-ticular,we implement a novel version of a return-to-libc attack on the Apache HTTP Server[3]on a machine run-ning Linux with PaX Address Space Layout Randomization (ASLR)and Write or Execute Only(W⊕X)pages. Traditional return-to-libc exploits rely on knowledge of addresses in both the stack and the(libc)text segments. With PaX ASLR in place,such exploits must guess the seg-ment offsets from a search space of either40bits(if stack and libc offsets are guessed concurrently)or25bits(if se-quentially).In contrast,our return-to-libc technique uses addresses placed by the target program onto the stack.At-tacks using our technique need only guess the libc text seg-ment offset,reducing the search space to an entirely prac-tical16bits.While our specific attack uses only a single entry-point in libc,the exploit technique is also applicable to chained return-to-libc attacks.Our implementation shows that buffer overflow attacks (as used by,e.g.,the Slammer worm[11])are as effective on code randomized by PaX ASLR as on non-randomized code. Experimentally,our attack takes on the average216sec-onds to obtain a remote shell.Brute force attacks,like our attack,can be detected in practice,but reasonable counter-measures are difficult to design.Taking vulnerable machines offline results in a denial of service attack,and leaving them online while afix is sought allows the vulnerability to beexploited.The problem of detecting and managing a brute force attack is especially exacerbated by the speed of our attack.While PaX ASLR appears to provide a slowdown in attack propagation,work done by Staniford et al.[31]sug-gests that this slowdown may be inadequate for inhibiting worm propagation.Although our discussion is specific to PaX ASLR,the attack is generic and applies to other address-space ran-domization systems such as that in OpenBSD.The attack also applies to any software program accessible locally or through a network connection.Our attack demonstrates what we call a derandomization attack;derandomization converts any standard buffer-overflow exploit into an ex-ploit that works against systems protected by address-space randomization.The resulting exploit is as effective as the original,but slower.On the other hand,the slowdown is not sufficient to prevent its being used in worms or in a targeted attack.In the second part of the paper,we explore and analyze the effectiveness of more powerful randomization techniques such as increasing the frequency of re-randomization and alsofiner grained randomizations.We show that subse-quent re-randomizations(regardless of frequency)after the initial address-space randomization improve security against a brute force attack by at most a factor of2.This result suggests that it would be far more beneficial to focus on increasing the entropy in the address-space layout.Further-more,this result shows that our brute force attacks are still feasible against network servers that are restarted with dif-ferent randomization upon crashing(unlike Apache).We also analyze the effectiveness of crash detectors in mitigat-ing such attacks.Our analysis suggests that runtime address-space random-ization is far less effective on32-bit architectures than com-monly pile-time address-space randomization can be more effective than runtime randomization because the address space can be randomized at a muchfiner gran-ularity at compile-time than runtime(e.g.,by reordering functions within libraries).We note that buffer overflow mitigation techniques can prevent some attacks,including the one we present in this paper.However,overflow mitiga-tion by itself without any address-space randomization also defeats many of these attacks.Thus,the security provided by overflow mitigation is largely orthogonal to address-space randomization.We speculate that the most promising solution appears to be upgrading to a64-bit architecture.Randomization comes at a cost:in both32and64bit architectures,randomized executables are more difficult to debug and support.1.1Related WorkExploits.Buffer overflow exploits started with simple stack smashing techniques where the return address of the current stack frame is overwritten to point to injected code[1].After the easy stack smashing vulnerabilities were discovered and exploited,aflurry of new attacks emerged that exploited overflows in the heap[20],format string errors[28],integer overflows[35],and double-free()errors[2]. Countermeasures.Several techniques were developed to counter stack smashing—StackGuard by Cowan et al.[14] detects stack smashing attacks by placing canary values next to the return address.StackShield by Vendicator[32]makes a second copy of the return address to check against before using it.These techniques are effective for reducing the number of exploitable buffer overflows but does not com-pletely remove the threat.For example,Bulba and Kil3r[8] show how to bypass these buffer overflow defenses. ProPolice by Etoh[16]extends the ideas behind Stack-Guard by reordering local variables and function arguments, and placing canaries in the stack.ProPolice also copies function pointers to an area preceding local variable buffers. ProPolice is packaged with the latest versions of OpenBSD. PointGuard by Cowan et al.[13]prevents pointer corruption by encrypting them while in memory and only decrypting values before dereferencing.W⊕X Pages and Return-to-libc.The techniques described so far aim to stop attackers from seizing control of program execution.A orthogonal technique called W⊕X nullifies at-tacks that inject and execute code in a process’s address space.W⊕X is based on the observation that most of the exploits so far inject malicious code into a process’s address space and then circumvent program control to execute the injected code.Under W⊕X,pages in the heap,stack,and other memory segments are marked either writable(W)or executable(X),but not both.StackPatch by Solar De-signer[29]is a Linux kernel patch that makes the stack non-executable.The latest versions of Linux(through the PaX project[26])and of OpenBSD contain implementations of W⊕X.Our sample attack works on a system running PaX with W⊕X.With W⊕X memory pages,attackers cannot inject and execute code of their own choosing.Instead,they must use existing executable code—either the program’s own code or code in libraries loaded by the program.For example,an attacker can overwrite the stack above the return address of the current frame and then change the return address to point to a function he wishes to call.When the function in the current frame returns,program controlflow is redi-rected to the attacker’s chosen function and the overwritten portions of the stack are treated as arguments. Traditionally,attackers have chosen to call functions in the standard C-language library,libc,which is an attrac-tive target because it is loaded into every Unix program and encapsulates the system-call API by which programs access such kernel services as forking child processes and commu-nicating over network sockets.This class of attacks,orig-inally suggested by Solar Designer[30],is therefore known as“return-to-libc.”Implementations of W⊕X on CPUs whose memory-man-agement units lack a per-page execute bit—for example, current x86chips—incur a significant performance penalty. Another defense against malicious code injection is ran-domized instruction sets[6,21].On the other hand,ran-domized instruction sets are ineffective against return-to-libc attacks for the same reasons as those given above for W⊕X pages.Address-Space Randomization.Observe that a“return-to-libc”attack needs to know the virtual addresses of the libc functions to be written into a function pointer or return address.If the base address of the memory segment con-taining libc is randomized,then the success rate of such an attack significantly decreases.This idea is implemented inPaX as ASLR[27].PaX ASLR randomizes the base address of the stack,heap,code,and mmap()ed segments of ELF ex-ecutables and dynamic libraries at load and link time.We implemented our attack against a PaX hardened system and will give a more detailed description of PaX in Sect.2.1. Previous projects have employed address randomization as a security mechanism.Yarvin et al.[34]develop a low-overhead RPC mechanism by placing buffers and executable-but-unreadable stubs at random locations in the address space,treating the addresses of these buffers and stubs as ca-pabilities.Their analysis shows that a32-bit address space is insufficient to keep processes from guessing such capabil-ity addresses,but that a64-bit address space is,assuming a time penalty is assessed on bad guesses.Bhatkar et al.[7]define and discuss address obfuscation. Their implementation randomizes the base address of the stack,heap,and code segments and adds random padding to stack frame and malloc()function calls.They imple-mented a binary tool that rewrites executables and object files to randomize addresses.Randomizing addresses at link and compilation timefixes the randomizations when the sys-tem is built.This approach has the shortcoming of giv-ing an attacker afixed address-space layout that she can probe repeatedly to garner information.Their solution to this problem is periodically to“re-obfuscate”executables and libraries—that is,periodically relink and recompile ex-ecutables and libraries.As pointed out in their paper,this solution interferes with host based intrusion detection sys-tems based onfiles’integrity checksums.Our brute force attack works just as well on the published version of this system because their published implementation only ran-domizes the base address of libraries`a la PaX.Xu et al.[33]designed a runtime randomization system that does not require kernel changes,but is otherwise sim-ilar to PaX.The primary difference between their system and PaX is that their system randomizes the location of the Global Offset Table(GOT)and patches the Procedu-ral Linkage Table(PLT)accordingly.Our attack also works against their system because:(1)their system uses13bits of randomness(3bits less than PaX),and(2)our attack does not need to determine the location of the GOT.2.BREAKING PAX ASLRWe briefly review the design of PaX and Apache before describing our attack and experimental results.2.1PaX ASLR DesignPaX applies ASLR to ELF binaries and dynamic libraries. For the purposes of ASLR,a process’s user address space consists of three areas,called the executable,mapped,and stack areas.The executable area contains the program’s executable code,initialized data,and uninitialized data;the mapped area contains the heap,dynamic libraries,thread stacks,and shared memory;and the stack area is the main user stack.ASLR randomizes these three areas separately,adding to the base address of each one an offset variable randomly chosen when the process is created.For the Intel x86ar-chitecture,PaX ASLR provides16,16,and24bits of ran-domness,respectively,in these memory areas.In particu-lar,the mapped data offset,called delta mmap,is limited to 16bits of randomness because(1)altering bits28through 31would limit the mmap()system call’s ability to handle large memory mappings,and(2)altering bits0through11 would cause memory mapped pages not to be aligned on page boundaries.Our attack takes advantage of two characteristics of the PaX ASLR system.First,because PaX ASLR randomizes only the base addresses of the three memory areas,once any of the three delta variables is leaked,an attacker can fix the addresses of any memory location within the area controlled by the variable.In particular,we are interested in the delta mmap variable that determines the randomized offset of segments allocated by mmap().As noted above, delta mmap only contains16bits of randomness.Because our return-to-libc technique does not need to guess any stack addresses(unlike traditional return-to-libc attacks), our attack only needs to brute force the small amount of entropy in delta mmap.Our attack only requires a linear search of the randomized address space.That is,our exploit requires216=65,536probes at worst and32,768probes on the average,which is a relatively small number.Second,in PaX each offset variable isfixed throughout a process’s lifetime,including any processes that fork()from a parent process.Many network daemons,specifically the Apache web server,fork child processes to handle incoming connections,so that determining the layout of any one of these related processes reveals that layout for all of them. Although this behavior on fork()is not a prerequisite for our attack,we show in Sect.3.2that it halves the expected time to success.2.2Return-to-libc AttackWe give a high level overview of the attack before describ-ing its implementation in greater detail and giving experi-mental data.We emphasize that although our discussion is specific to PaX ASLR,the attack applies to other address-space randomization systems such as that in OpenBSD. 2.2.1OverviewWe implemented our attack on the Apache web server running on Linux with PaX ASLR and W⊕X pages.The current version of the Apache server(1.3.29)has no known overflows,so we replicated a buffer overflow similar to one discovered in the Oracle9PL/SQL Apache module[10,22]. This Oracle hole can be exploited using a classic buffer over-flow attack—an attacker injects her own code by supply-ing an arbitrarily long request to the web server that over-flows an internal buffer.Nevertheless,this attack fails in an Apache server protected by PaX W⊕X.Instead,we ex-ploit this hole using the return-to-libc technique discussed in Sect.1.1.Our return-to-libc technique is non-standard.Chained return-to-libc attacks generally rely on prior knowledge of stack addresses.PaX randomizes24bits of stack base ad-dresses(on x86),making these attacks infeasible.However, PaX does not randomize the stack layout,which allows us to locate a pointer to attacker supplied data on the stack. Moreover,a randomized layout would provide no protection against access to data in the top stack frame,and little pro-tection against access to data in adjacent frames.Our attack against Apache occurs in two steps.Wefirst determine the value of delta mmap using a brute force at-tack that pinpoints an address in libc.Once the delta mmap value is obtained,we mount a return-to-libc attack to ob-tain a shell.ap getline()argumentssaved EIPsaved EBP64byte buffer...bottom of stack(lower addresses)Figure1:Apache child process stack before probeFirst,the attack repeatedly overflows the stack buffer ex-posed by the Oracle hole with guesses for the address of the libc function usleep()in an attempt to return into the usleep()function.An unsuccessful guess causes the Apache child process to crash,and the parent process to fork a new child in its place,with the same randomization deltas.A successful exploit causes the connection to hang for16seconds and gives enough information for us to de-duce the value of delta mmap.Upon obtaining delta mmap, we now know the location of all functions in libc,including the system()function.1With this information,we can now mount a return-to-libc attack on the same buffer exposed by the Oracle hole to invoke the system()function.Our attack searches for usleep()first only for conve-nience;it could instead search directly for system()and check periodically whether it has obtained a shell.Our at-tack can therefore be mounted even if libc entry points are independently randomized,a possibility we consider in Sect.3.3.2.2.2.2ImplementationWefirst describe the memory hole in the Oracle9PL/SQL Apache module.Oracle Buffer Overflow.We create a buffer overflow in Apache similar to one found in Oracle9[10,22].Specifically, we add the following lines to the function ap getline()in http protocol.c:char buf[64];...strcpy(buf,s);/*Overflow buffer*/ Although the buffer overflow in the Oracle exploit is1000 bytes long,we use a shorter buffer for the sake of brevity. In fact,a longer buffer works to the attacker’s advantage because it gives more room to supply shell commands. Precomputing libc Addresses.In order to build the ex-ploit,we mustfirst determine the offsets of the functions system(),usleep(),and a ret instruction in the libc li-brary.The offsets are easily obtained using the system objdump tool.With these offsets,once the exploit deter-mines the address of usleep(),we can deduce the value of delta mmap followed by the correct virtual addresses of system()and ret,with the simple sumaddress=0x40000000+offset+delta mmap.1The system()function executes user-supplied commands via the standard shell(usually/bin/sh).0x010101010xDEADBEEFguessed address of usleep()0xDEADBEEF64byte buffer,nowfilled with A’s...bottom of stack(lower addresses)Figure2:Stack after one probe(Here0x40000000is the standard base address for memory obtained with mmap()under Linux.)Exploit Step1.As mentioned in the overview,thefirst step is to determine the value of delta mmap.We do this by re-peatedly overflowing the stack buffer exposed by the Oracle hole with guesses for usleep()’s address in an attempt to return into the usleep()function in libc.More specifically, the brute force attack works as follows:1.Iterate over all possible values for delta mmap startingfrom0and ending at65535.2.For each value of delta mmap,compute the guess forthe randomized virtual address of usleep()from its offset.3.Create the attack buffer(described later)and send itto the Apache web server.4.If the connection closes immediately,continue with thenext value of delta mmap.If the connection hangs for 16seconds,then the current guess for delta mmap is correct.The contents of the attack buffer sent to Apache are best described by illustrations of the Apache child process’s stack before and after overflowing the buffer with the current guess for usleep()’s address.Figure1shows the Apache child process’s stack before the attack is mounted and Fig-ure2shows the same stack after one guess for the address of usleep().The saved return address of ap getline()(saved EIP) is overwritten with the guessed address of the usleep() function in the libc library,the saved EBP pointer is over-written with usleep()’s return address0xDEADBEEF,and 0x01010101(decimal16,843,009)is the argument passed to usleep()(the sleep time in microseconds).Any shorter time interval results in null bytes being included in the attack buffer.2Note that the method for placing null bytes onto the stack by Nergal[24]is infeasible because stack addresses are strongly randomized.Finally,when ap getline()returns, control passes to the guessed address of usleep().If the value of delta mmap(and hence the address of usleep()) is guessed correctly,Apache will hang for approximately 16seconds and then terminate the connection.If the ad-dress of usleep()is guessed incorrectly,the connection ter-2Null bytes act as C string terminators,causing strcpy() (our attack vector)to terminate before overflowing the entire buffer.ap getline()argumentssaved EIPsaved EBP64byte buffer...bottom of stack(lower addresses)Figure3:Apache child process stack before overflowminates immediately.This difference in behavior tells us when we have guessed the correct value of delta mmap. Exploit Step2.Once delta mmap has been determined,we can compute the addresses of all other functions in libc with certainty.The second step of the attack uses the same Ora-cle buffer overflow hole to conduct a return-to-libc attack. The composition of the attack buffer sent to the Apache web server is the critical component of step2.Again,the con-tents of the attack buffer are best described by illustrations of the Apache child process’s stack before and after the step 2attack.Figure3shows the Apache child process’s stack before the attack and Figure4shows the stack immediately after the strcpy()call in ap getline()(the attack buffer has already been injected).Thefirst64bytes of the attack buffer isfilled with the shell command that we want system()to execute on a suc-cessful exploit.The shell command is followed by a series of pointers to ret instructions that serves as a“stack pop”sequence.Recall that the ret instruction pops4bytes from the stack into the EIP register,and program execution con-tinues from the address now in EIP.Thus,the effect of this sequence of ret s is to pop a desired number of32-bit words offthe stack.Just above the pointers to ret instructions,the attack buffer contains the address of system().The stack pop sequence“eats up”the stack until it reaches a pointer pointing into the original64byte buffer,which serves as the argument to the system()function.Wefind such a pointer in the stack frame of ap getline()’s calling function. After executing strcpy()on the exploited buffer,Apache returns into the sequence of ret instructions until it reaches system().Apache then executes the system()function with the supplied commands.In our attack,the shell command is“wget /dropshell;chmod+x dropshell;./dropshell;”where dropshell is a pro-gram that listens on a specified port and provides a remote shell with the user id of the Apache process.Note that any shell command can be executed.2.2.3ExperimentsThe brute force exploit was executed on a2.4GHz Pen-tium4machine against a PaX ASLR(for Linux kernel ver-sion2.6.1)protected Apache server(version1.3.29)running on a Athlon1.8GHz machine.The two machines were con-nected over a100Mbps network.Each probe sent by our exploit program results in a to-tal of approximately200bytes of network traffic,including Ethernet,IP,and TCP headers.Therefore,our brute force attack only sends a total of12.8MB of network data at worst,and6.4MB of network data on expectation.pointer into64byte buffer0xDEADBEEFaddress of system()address of ret instruction...address of ret instruction0xDEADBEEF64byte buffer(contains shell commands)...bottom of stack(lower addresses)Figure4:Stack after buffer overflowAfter running10trials,we obtained the following timing measurements(in seconds)for our attack against the PaX ASLR protected Apache server:Average Max Min21681029The speed of our attack is limited by the number of child processes Apache allows to run concurrently.We used the default setting of150in our experiment.2.3Information Leakage AttacksIn the presence of information leakage,attacks can be crafted that require fewer probes and are therefore more ef-fective than our brute force attack in defeating randomized layouts.For instance,Durden[15]shows how to obtain the delta_mmap variable from the stack by retrieving the return address of the main()function using a format string vulner-ability.Durden also shows how to convert a special class of buffer overflow vulnerabilities into a format string vulnera-bility.Not all overflows,however,can be exploited to create a format string bug.Furthermore,for a remote exploit,the leaked information has to be conveyed back to the attacker over the network,which may be difficult when attacking a network daemon.Note that the brute force attack de-scribed in the previous section works against any buffer over-flows and does not make any assumptions about the network server.3.IMPROVEMENTS TO ADDRESS-SPACERANDOMIZATION ARCHITECTURE Our attack on address-space randomization relied on sev-eral characteristics of the implementation of PaX ASLR.In particular,our attack exploited the low entropy(16bits)of PaX ASLR on32-bit x86processors,and the feature that address-space layouts are randomized only at program load-ing and do not change during the process lifetime.This sec-tion explores the consequences of changing either of these assumptions by moving to a64-bit architecture or making the randomization more frequent or morefine-grained. 3.164-Bit ArchitecturesIn case of Linux on32-bit x86machines,16of the32ad-dress bits are available for randomization.As our resultsshow,16bits of address randomization can be defeated by a brute force attack in a matter of minutes.Any64-bit machine,on the other hand,is unlikely to have fewer than 40address bits available for randomization given that mem-ory pages are usually between4kB and4MB in size.On-line brute force attacks that need to guess at least40bits of randomness can be ruled out as a threat,since an attack of this magnitude is unlikely to go unnoticed.Although64-bit machines are now beginning to be more widely deployed,32-bit machines are likely to remain the most widely deployed machines in the short and medium term.Furthermore,ap-plications that run in32-bit compatibility mode on a64-bit machine are no less vulnerable than when running on a32-bit machine.Some proposed64-bit systems implement a global virtual address space,that is,all applications share a single64-bit address space[12].Analyzing the effectiveness of ad-dress randomization in these operating systems is beyond the scope of this paper.3.2Randomization FrequencyPaX ASLR randomizes a process’s memory segments only at process creation.If we randomize the address space lay-out of a process more frequently,we might naively expect a significant increase in security.However,we will demon-strate that after the initial address space randomization, periodic re-randomizing adds no more than1bit of secu-rity against brute force attacks regardless of the frequency, providing little extra security.This also shows that brute force attacks are feasible even against non-forking network daemons that crash on every probe.On the other hand,fre-quent re-randomizations can mitigate the damage when the layout of afixed randomized address space is leaked through other channels.We analyze the security implications of increasing the fre-quency of address-space randomization by considering two brute force attack scenarios:1.The address-space randomization isfixed during theduration of an attack.For example,this scenario ap-plies to our brute force attack against the current im-plementation of PaX ASLR or in any situation where the randomized address space isfixed at compile-time.2.The address-space randomization changes with eachprobe.It is pointless to re-randomize the address space more than once between any two probes.Therefore, this scenario represents the best re-randomization fre-quency for a ASLR program.This scenario applies,for example,to brute force attacks attacks against non-forking servers protected by PaX ASLR that crash on every probe;these servers are restarted each time witha different randomized address-space layout.The brute force attacks in the two scenarios are different. In scenario1,a brute force attack can linear search the ad-dress space through its probes before launching the exploit (exactly our attack in Sect.2).In scenario2,a brute force attack guesses the layout of the address space randomly, tailors the exploit to the guessed layout,and launches the exploit.We now analyze the expected number of probe attempts for a brute force attack to succeed against a network server in both scenarios.In each case,let n be the number of bits of randomness that must be guessed to successfully mount the attack,implying that there are2n possibilities.Fur-thermore,only1out of these2n possibilities is correct.The brute force attack succeeds once it has determined the cor-rect state.Scenario1.In this scenario,the server has afixed address-space randomization throughout the attack.Since the ran-domization isfixed,we can compute the expected number of probes required by a brute force attack by viewing the problem as a standard sampling without replacement prob-lem.The probability that the brute force attack succeeds only after taking exactly t probes is2n−12n·2n−22n−1...2n−t−12n−t|{z}Pr[first t−1probes fail]·12n−t−1=12n,where n is the number of bits of randomness in the address space.Therefore,the expected number of probes required for scenario1is2nXt=1t·12n=12n·2nXt=1t=(2n+1)/2≈2n−1.Scenario2.In this scenario,the server’s address space is re-randomized with every probe.Therefore,the expected number of probes required by a brute force attack can be computed by viewing the problem as a sampling with re-placement problem.The probability that the brute force attack succeeds only after taking exactly t probes is given by the geometric random variable with p=1/2n.The ex-pected number of probes required is1/p=2n. Conclusions.We can easily see that a brute force attack in scenario2requires approximately2n/2n−1=2times as many probes compared to scenario1.Since scenario2repre-sents the best possible frequency that an ASLR program can do,we conclude that increasing the frequency of address-space re-randomization is at best equivalent to increasing the entropy of the address space by only1bit.The difference between a forking server and a non-forking server for the purposes of our brute force attack is that for the forking server the address-space randomization is the same for all the probes,whereas the non-forking server crashes and has a different address-space randomization on every probe.This difference is exactly that between scenar-ios1and2.Therefore,the brute force attack is also feasible against non-forking servers if the address-space entropy is low.For example,in the case of Apache protected by PaX ASLR,we expect to perform215=32,768probes beforefix-ing the value of delta mmap,whereas if Apache were a single-process event-driven server that crashes on each probe,the expected number of probes required would double to a mere 216=65,536.3.3Randomization GranularityPaX ASLR only randomizes the offset location of an en-tire shared library.Below,we discuss the feasibility of ran-domizing addresses at an evenfiner granularity.For ex-ample,in addition to randomizing segment base addresses, we could also randomize function and variable addresses。

计算机常用端口号一览表：1传输掌握协议端口效劳多路开关选择器2compressnet 治理有用程序3压缩进程5 远程作业登录7 回显(Echo)9 丢弃11 在线用户13 时间15 netstat17 每日引用18消息发送协议19字符发生器20文件传输协议(默认数据口)21文件传输协议(掌握)22SSH 远程登录协议23telnet 终端仿真协议24预留给个人用邮件系统25smtp 简洁邮件发送协议27 NSW 用户系统现场工程师29 MSG ICP31 MSG 验证33 显示支持协议35 预留给个人打印机效劳37时间38路由访问协议39资源定位协议41图形42WINS 主机名效劳43“外号“ who is效劳44MPM(消息处理模块)标志协议45 消息处理模块46消息处理模块(默认发送口)47NI FTP48数码音频后台效劳49TACACS 登录主机协议50远程邮件检查协议51IMP(接口信息处理机)规律地址维护52 施乐网络效劳系统时间协议53域名效劳器54施乐网络效劳系统票据交换55ISI 图形语言56施乐网络效劳系统验证57预留个人用终端访问58施乐网络效劳系统邮件59预留个人文件效劳60未定义61NI 邮件?62异步通讯适配器效劳63WHOIS+64 通讯接口65TACACS 数据库效劳66Oracle SQL*NET67引导程序协议效劳端68引导程序协议客户端69小型文件传输协议70信息检索协议71远程作业效劳72远程作业效劳73远程作业效劳74远程作业效劳75预留给个人拨出效劳76分布式外部对象存储77预留给个人远程作业输入效劳78修正 TCP79Finger(查询远程主机在线用户等信息) 80 全球信息网超文本传输协议(www)81HOST2 名称效劳82传输有用程序83模块化智能终端 ML 设备84公用追踪设备85模块化智能终端 ML 设备86Micro Focus Cobol 编程语言87预留给个人终端连接88Kerberros 安全认证系统89SU/MIT 终端仿真网关90DNSIX 安全属性标记图91MIT Dover 假脱机92网络打印协议93设备掌握协议94Tivoli 对象调度95SUPDUP96DIXIE 协议标准97快速远程虚拟文件协议98TAC(东京大学自动计算机)闻协议101usually from sri-nic102iso-tsap103ISO Mail104 x400-snd105 csnet-ns109 Post Office110 Pop3 效劳器(邮箱发送效劳器)111 portmap 或 sunrpc113 身份查询115 sftp117 path 或 uucp-path119 闻效劳器121 BO jammerkillah123 network time protocol (exp)135 DCE endpoint resolutionnetbios-ns 137 NetBios-NS138 NetBios-DGN139 win98 共享资源端口(NetBios-SSN) 143 IMAP 电子邮件144 NeWS - news153 sgmp - sgmp158 PCMAIL161 snmp - snmp162 snmp-trap -snmp170 network PostScript175 vmnet194 Irc315 load400 vmnet0443 安全效劳456 Hackers Paradise500 sytek512 exec513 login514 shell - cmd515 printer - spooler517 talk518 ntalk520 efs526 tempo - newdate530 courier - rpc531 conference - chat532 netnews - readnews533 netwall540 uucp - uucpd 543 klogin544 kshell550 new-rwho - new-who555 Stealth Spy(Phase)556 remotefs - rfs_server600 garcon666 Attack FTP750 kerberos - kdc751 kerberos_master754 krb_prop888 erlogin1001 Silencer 或 WebEx1010 Doly trojan v1.351011 Doly Trojan1024 NetSpy.698 (YAI)1025 NetSpy.6981033 Netspy1042 Bla1.11047 GateCrasher1080 Wingate1109 kpop1243 SubSeven1245 Vodoo1269 Maverick s Matrix1433 Microsoft SQL Server 数据库效劳1492 FTP99CMP (BackOriffice.FTP) 1509 Streaming Server1524 ingreslock1600 Shiv1807 SpySender1981 ShockRave1999 Backdoor2023 黑洞(木马) 默认端口2023 黑洞(木马) 默认端口2023 Pass Ripper2053 knetd2140 DeepThroat.10 或 Invasor2283 Rat2565 Striker2583 Wincrash22801 Phineas3129 MastersParadise.923150 Deep Throat 1.03210 SchoolBus3389 Win2023 远程登陆端口4000 OICQ Client4567 FileNail4950 IcqTrojan5000 WindowsXP 默认启动的 UPNP 效劳5190 ICQ Query5321 Firehotcker5400 BackConstruction1.2 或 BladeRunner 5550 Xtcp5555 rmt - rmtd5556 mtb - mtbd5569 RoboHack5714 Wincrash35742 Wincrash6400 The Thing6669 Vampire6670 Deep Throat6711 SubSeven6713 SubSeven6767 NT Remote Control6771 Deep Throat 36776 SubSeven6883 DeltaSource6939 Indoctrination6969 Gatecrasher.a7306 网络精灵(木马)7307 ProcSpy7308 X Spy7626 冰河(木马) 默认端口7789 ICQKiller8000 OICQ Server9400 InCommand9401 InCommand9402 InCommand9535 man9536 w9537 mantst9872 Portal of Doom9875 Portal of Doom9989 InIkiller10000 bnews10001 queue10002 poker10167 Portal Of Doom10607 Coma11000 Senna Spy Trojans11223 ProgenicTrojan12076 Gjamer 或 MSH.104b12223 Hack?9 KeyLogger12345 netbus 木马默认端口12346 netbus 木马默认端口12631 WhackJob.NB1.716969 Priotrity17300 Kuang220230 Millenium II (GrilFriend)20231 Millenium II (GrilFriend)20234 NetBus Pro20331 Bla21554 GirlFriend 或 Schwindler 1.8222222 Prosiak23456 Evil FTP 或 UglyFtp 或 WhackJob27374 SubSeven29891 The Unexplained30029 AOLTrojan30100 NetSphere30303 Socket2330999 Kuang31337 BackOriffice31339 NetSpy31666 BO Whackmole31787 Hack a tack33333 Prosiak33911 Trojan Spirit 2023 a34324 TN 或 Tiny Telnet Server40412 TheSpy40421 MastersParadise.9640423 Master Paradise.9747878 BirdSpy250766 Fore 或 Schwindler53001 Remote Shutdown54320 Back Orifice 202354321 SchoolBus 1.661466 Telecommando65000 Devil端口概念在网络技术中，端口〔Port〕大致有两种意思：一是物理意义上的端口，比方，ADSL Modem、集线器、交换机、路由器用于连接其他网络设备的接口，如 RJ-45 端口、SC 端口等等。

用户名:diag密码：-assured打死、激活单个用户端口打死端口命令：mbd:slif,xx (xx 表示tdm号)激活端口命令：mbi:slif,xxv ip if 查看AG节点的IP配置情况remove ip if <ip-address>删除IP的命令，该命令要谨慎使用。

v route state 查看AG节点的路由配置情况查看hw flag：My-Chassis:ACT-FSB:1.1(r0)>=14:diag:main# d v h2 hw fl Huawei softswitch flag:-----------------------Provisioned dwa pattern value 1 : enableQueue virtual context : enableSubtract rtp termiantion first : enableNotify event in NULL context : disableDM end with log timer : enable查看：d v h2 zte fld v h2 asb fl查看VOIP配置情况view voip def查看foip配置情况：v foip def查看语音编码优先级：v rmgr conf查看告警d display alarm infombdisplay-alarm查看自动回收RTPview h2 work emp sta查看板间心跳v ftam con查看节点关联情况：d v coco tcci sta查看设备正常运行的时间view uptime查看设备使用的启动文件view nvram查看设备中的文件ls查看设备主用的控制处在那一侧view redundancy unit state查看端口的状态view h248 term sum查看用户板mbdi:smcl,安全模块号例如：mbdi:smcl,1打死用户板mbd:smcl,安全模块号例如：mbd:smcl,1激活用户板mbi:smcl,安全模块号例如：mbi:smcl,1查看4&11 铃流板：mbdi:smcl,129查看4&21 铃流板：mbdi:smcl,133查看4&9 测试板：mbdi:smcl,137mbdi:tdsp,1打死铃流板：mbd:smcl,129mbd:smcl,133打死测试板：mbd:smcl,137mbd:tdsp,1激活铃流板：mbi:smcl,129mbi:smcl,133激活测试板：mbi:smcl,137mbi:tdsp,1 ----需要等待10分钟左右才激活测试铃流板mbv:rcct,1,1mbv:rcct,2,1mbv:rcct,9,1mbv:rcct,10,1测试板测试：mbv:ltau,1,1查看媒体网关信息配置：v mgw con跟踪整个机架的H248消息d define cms debug h248关闭跟踪整个机架的H248消息d define cms debug none跟踪单个用户的H248消息d define dbg trace tdm/1 h248关闭跟踪单个用户的H248消息d def dbg tr tdm/1 off显示系统异常信息，在主控板异常重启时信息收集view sysexc crashinfo。

RCNP考试题库VLAN 之间互相访问，希望利用直连在交换机上的路由器实现，于是对路由器进行了如下配置：interface gig 0/0no shutdowninterface gig 0/0.10encapsulation dot1q 10ip address 172.16.10.254 255.255.255.0关于配置命令 enc dot1q 10 中的数字 10，以下说法正确的是（）A、10 表示子接口号B、10 表示 vlan 号C、10 表示子网号D、10 表示调用的 ACL 号码7.在锐捷交换机上查看当前所有被创建的 VLAN 应该使用命令（）A、show vlanB、show vlan.datC、show memory vlanD、show flash:vlan.dat8.如果要把交换机 Trunk 的许可 VLAN 列表改为默认的许可所有 VLAN 的状态，应该使用命令（）A、no switchport trunk allowed vlanB、default switchport trunk allowed vlanC、switchport trunk allowed vlan resetD、reset switchport trunk allowed vlan9.工程师在部署 VLAN 时，把一个接口分配给一个不存在的VLAN，那么（）A、这个 VLAN 将自动被创建B、这个接口将进入 error 状态C、系统会提升操作者请在创建 VLAN 后，再配置此接口的VLAN 信息D、系统会提示 VLAN 不存在，命令不被执行10.两台三层交换机通过互联 vlan 500 进行三层互联，以下说法正确的是（）A、物理接口必须通过 no switchport 配置为三层路由接口B、物理接口只能配置为 trunkC、物理接口只能配置为 accessD、物理接口可以配置为 trunk，也可以配置为 access11.在锐捷交换机上，Trunk 端口叙述正确的是（）A、默认不传递 VLAN1 的信息B、该接口默认传输所有的 VLANC、该接口一般不仅可以连接交换机，还主要用来连接主机D、交换机接口默认模式为 Trunk12.一般情况下，交换机和交换机连接的接口模式是？交换机和主机连接的接口模式是？A、 access,trunkB、 access,accessC、 trunk,trunkD、 trunk,access13.为了防止不必要的其他 VLAN 内的广播流量在汇聚交换机与接入交换机之间的链路上泛洪,在校园网中比较常见的是使用什么方法来避免?A、使用 VTP 协议B、使用 Trunk 链路修剪C、使用 ACLD、使用端口下的风暴控制14.标准的 802.1Q 标记数据时一般情况标识的最大 Vlan 号是（）A、4096B、4095C、4094D、102315.锐捷交换机 VLAN 修剪命令格式是下列哪条命令?A、 switchport trunk allowed vlan remove vidB、 switchport trunk remove vidC、 switchport trunk prune vidD、 switchport trunk allowed vid16.为了 VLAN 环境的安全和可靠，在配置 Trunk 时要确保交换机的 NativeVLAN 的一致性。

油门　％记录号工况工况名称运行时间　s转速　r∕mi扭矩　N．m功率　kW油耗率　g∕油耗量　kg∕11磨合90080023119.3265.2 5.1320.6 21磨合90079923019.3269.7 5.1721 31磨合90080023119.3264.1 5.0720.9 42磨合60090024523.1268.3 6.1722.1 52磨合60090024322.9268.1 6.1421.9 62磨合60090024423268.5 6.1522.2 73磨合900100026127.4262.47.1323.4 83磨合900100026127.3263.57.223.7 93磨合900100026127.3263.37.1823.5 104磨合600100052054.422412.2326.7 114磨合600100052254.6224.412.2327 124磨合600100052154.5224.112.2327 135磨合900120034843.7265.511.5527.6 145磨合900120034543.3265.711.4928 155磨合900120034543.4266.511.5327.8 166磨合600120060075.4237.217.8731.3 176磨合600120060175.5236.117.7630.6 186磨合600119960075.1236.917.8531.3 197磨合900140043063264.116.6432 207磨合900139843062.9263.716.6132.1 217磨合900140043063.1263.316.6132.5 228磨合6001399690101.1236.823.9837.4 238磨合6001398690101.3236.723.9537.1 248磨合6001400690101.1236.223.8837.1 259磨合6001600700117.3241.328.3443.3 269磨合6001601700117.6241.828.3343.3 279磨合6001600700117.2241.828.3343.5 289磨合6001601700117.2241.928.3643.8 299磨合6001600700117.5239.128.0542.8 309磨合6001597700116.8240.628.1642.8 3110磨合60015981030172.3224.938.8749.3 3210磨合60015981030172.7224.238.6949.7 3310磨合60015981030172.4224.938.7849.8 3410磨合60016011030172.8224.438.8249.6 3510磨合60016021030172.7225.738.8949.8 3610磨合60015981030172.4224.638.850.3 3710磨合60016011030172.6224.938.8350 3810磨合60016021030172.5225.738.9549.7 3910磨合60016021030172.8225.538.9450.1 4011磨合6001800861162.523538.0754 4111磨合6001800861162.4234.938.0754.1 4211磨合6001805860162235.237.9953.7 4311磨合6001795859161.8234.738.0353.9 4411磨合6001793859161.3234.838.0254.7 4511磨合6001805860162.123538.0154.2 4611磨合6001799860162233.938.0754.5 4711磨合6001801860162.3235.138.1152.4 4811磨合6001803860162.2233.337.8152.3 4911磨合6001798860162.623437.9353.1 5011磨合600180086016223437.9452.7 5111磨合6001799860162233.737.9453 5212磨合60017931200225.4225.951.0961 5312磨合60017961200225.9225.151.0660.6 5412磨合60018001200226.2225.551.0560.35512磨合60018011200226.5225.951.1260.6 5612磨合60018001200226225.450.9560.6 5712磨合60018001200225.9226.451.0660.9 5812磨合60017981200225.9225.851.0561 5912磨合60018021200227.3226.251.0460.9 6012磨合60018001200226.422651.1161.6 6112磨合60017991200225.7224.65161.1 6212磨合60018001200225.7225.551.0761 6312磨合60017951200225.5225.951.1361.4 6412磨合60018001200226.1225.851.0660.8 6512磨合60017981200225.8226.551.1961.1 6612磨合60018001200226.722651.1260.9 6713磨合60019051030205.5227.446.7860 6813磨合60019011030205.422846.7460.5 6913磨合60018961029204.4227.446.6661.2 7013磨合60019021030205.3227.446.7760.4 7113磨合60019021030205228.246.7861.2 7213磨合60019001030205.5228.146.7660.8 7313磨合60018971030205.8227.746.761.1 7413磨合60019021031206.5228.346.6960.9 7513磨合60018901030203.4229.646.7661.5 7613磨合60019001030205.9227.146.7261.2 7713磨合60018841029204.7228.846.7361.9 7813磨合60018961030204.2228.646.8560.9 7914磨合60018991300258.9223.558.0465.6 8014磨合60018981301258.3224.157.9966.5 8114磨合60019131305261.4222.557.9866.1 8214磨合60018981300258.1223.857.9466.1 8314磨合60018961301259.5224.157.8766.2 8414磨合60018921298257.6222.957.7666.3 8514磨合60019011300257.5223.257.765.9 8614磨合60019051302260.2223.857.7965.7 8714磨合60018971301261224.157.7165.9 8814磨合60019081302259222.257.7165.5 8914磨合60018991301258.3222.457.5163.8 9014磨合60018971300258.2222.557.4764.3 9114磨合60019021300257.9223.157.7764.1 9214磨合60019041299258.6222.657.6364.7 9314磨合60018961301258222.857.6365.2 9415磨合6001499700109.7238.126.0340.5 9515磨合6001500700109.9238.426.240.4 9615磨合6001499700109.9238.826.2340.3 9715磨合6001497700110238.326.1939.9 9815磨合6001499700109.9238.726.240.1 9915磨合6001498700109.9238.225.8340 10015磨合6001499700109.8238.726.2140.4 10115磨合6001501700110.1238.126.1740.2 10215磨合6001499700110.1237.526.1140.2 10315磨合6001499700109.9237.826.0240.2 10415磨合6001502700110.2237.525.9940.1 10515磨合6001495700109.8237.225.8940.4 10616磨合60012971200162.9212.834.7444.3 10716磨合60012981200163211.234.4444 10816磨合60012991200163.4213.634.7944.6 10916磨合60012991200163.2213.434.6844.311016磨合60012961200162.9212.734.7244.4 11116磨合60012991200163.4212.234.6144.3 11216磨合60012951200162.6212.534.6344.6 11316磨合60012961200162.9210.734.3844.5 11416磨合60013011200163.3209.234.0744.3燃油温度　℃机油压力　k机油温度　℃大气压力　k环境温度　℃相对湿度　％中冷后温　℃中冷前压　k中冷后压　k中冷前温　℃3.5 5.542.233.538101.13728.534188.83.3 5.342.925.334.6101.238.328.734387.73.2 5.243.217.333101.239.428.733590.27.28.941.831.551.210131.227.944382.87.59.144.426.546.9101.132.928.339688.76.98.644.816.238.4101.236.128.539587.19.71148.420.433.410137.828.843489.19.511.249.818.131.1101.139.429430899.311.150.216.728.2101.140.729.241491.621.823.460.820.527101.24229.341290.621.823.461.722.924.8101.243.729.441190.821.523.16223.322.8101.345.129.440891.325.526.666.627.121.7101.346.329.6517912526.166.42820.7101.446.929.6508922526.265.82820101.447.329.652090.3495085.838.619.1101.448.229.748893.451.25283.841.937.9101.137.42949892.947.748.695.24725.7101.247.830.449192.450.350.285.34149101.136.829.659590.849.949.986.740.940.7101.240.23057792.149.549.687.241.634.3101.342.730.257492.380.680.4111.84631.5101.344.530.455194.180.379.7112.241.928.4101.44630.554794.579.479.2112.141.727.1101.547.230.654794.5989712743.425.6101.548.430.959696.398.897.3128.14324.3101.549.331.159296.798.597127.843.323.4101.65031.259396.697.496.4128.142.823.1101.650.331.259296.699.698121.142.653.110134.738.660994.39997.5123.342.845.610137.339.160295.1 132.1129.9146.841.939101.140.230.757997.4 129.8127.5149.842.629.510140.840.259095.7 128.2126.3151.442.72510144.243.257697.3 129.7127.6152.543.122.2101.146.944.357197.8 129.4127.6152.143.319.7101.249.333.557097.9 129127.215343.618.1101.351.138.356798.1 128.1126153.642.116.7101.452.63856698.2 127.5125.7153.743.115.6101.453.837.656498.4 128.8127154.343.614.6101.554.938.356298.4 122119.4153.542.414.2101.555.437.960599.5 123.2120.115342.514.1101.655.63860499.5 122119.3151.942.814.1101.655.738.160599.6 122.3119.8151.14313.9101.655.737.960299.7 123.3120.6150.243.113.6101.65637.960099.8 122119.7152.943.713.6101.656.43860299.8 123120.1151.842.613.7101.656.437.960099.8 127.2124.3138.442.743.4101.433.836.662396.3 127.8124.7140.742.836.7101.436.537.761597.8 127.1124.2141.442.732.2101.538.937.761098.3 127.7124.9142.843.128.8101.640.937.561098.8 126.9124.1143.54326.3101.742.737.760898.8 162.5158.9166.143.323.3101.84538.3591100.9 162158.5166.843.921101.94737.6589101.1 161157.7167.243.318.110249.337.9589101.2160.6156.9167.443.316.21025138.1588101.2 159.8156.3168.443.215102.152.338.6588101.2 159.7156167.942.614.5102.152.938.5586101.5 159.1155.5168.642.313.7102.253.938.2584101.6 160.3156.6167.942.813.3102.254.537.5583101.6 159.3155.8169.743.713.1102.254.937.8583101.6 157.7154.216943.312.6102.355.638.3584101.4 157.7154.1167.941.912.2102.356.137.6583101.4 159155.8168.242.511.9102.356.637.9582101.6 158.9155.216943.511.7102.456.838.2581101.6 158.7155.1167.143.311.1102.357.337.6580101.7 159.2155.7166.743.510.7102.45837.7580101.5 141.513816043.611102.457.538.1592101.7 142.4138.7159.843.711.7102.456.837.8592101.7 142.7139.4158.643.111.7102.456.438.1590101.7 141.9138.51594311.7102.356.138590101.7 142.1138.6159.443.111.6102.355.537.7590101.7 141.8138.2160.443.111.6102.355.338.1589101.8 140.7137.4159.142.811.6102.355.137.7590101.7 142.5139.1159.343.111.4102.35538.1590101.7 140.2136.8159.142.711.2102.355.237.8589101.7 139.8136.4160.743.211.5102.354.838.1590101.7 141.4137.9159.143.112.1102.354.637.5587101.7 141.5138159.643.112.2102.354.637.6589101.7 167.1162.9175.143.411.9102.35537.5577103.6 1671631754311.7102.355.538.2575103.8 167.5162.9175.543.211.4102.455.738.4576103.9 166.7162.6177.243.811.3102.455.937.5575103.8 167.3163.2175.844.411.1102.456.237.8577103.6 166.3162.3175.644.911102.456.538.3578103.5 165.8161.8176.444.710.9102.456.738579103.3 168.4163.9174.644.110.6102.456.937.6580103.3 165.2161.3176.243.910.8102.456.938.4578103.4 166161.9175.144.510.7102.456.938580103.3 165.8161.3164.842.431.1101.632.939.3604102.2 166161.6167.142.826.4101.736.138.8592103.7 166.6162.316943.223101.83937.1589104.6 167.4162.9170.243.219.6101.941.537.4588104.9 166.3161.7170.843.117.310243.837.5586105.1 88.187.2114.442.51510246.138.154597.3 87.987.411542.613.2102.147.238.154996.7 87.286.5115.342.512.3102.24837.954896.8 87.487.1114.74311.6102.248.837.854696.9 87.687.1115.14311.7102.349.537.754197.5 86.185.5113.642.511.1102.350.437.653498.4 88.187.1113.943.711.2102.350.637.355495.5 87.487.1114.744.210.9102.350.937.254596.7 87.58711544.310.8102.351.337.454396.8 86.885.9115.943.110.6102.351.23854396.8 86.786.1116.14210.2102.351.338.254397 85.885.3116.341.79.9102.352.138.354296.8 114.2113.5135.143.89.4102.35437.645298.4 113.3113134.643.88.7102.455.737.4438100.5 113.1113.3133.444.38.4102.557.137.845298 113113.2134.642.58102.558.137.845397.9112.1112135.342.77.6102.558.837.945297.7 112.2111.9134.743.27.6102.559.337.745397.9 111.6111.3135.143.37.2102.659.83844898.4 111.4111.9135.1437.1102.659.838.344399.2 112.1112.3135.242.7 6.9102.66038.644698.7排气背压　k进气负压　k记录时间进气温度　℃涡后温度　℃进水温度　℃出水温度　℃84.786.819537.30.7-0.12010-09-16 15:54:4879.280.419838.10.6-0.12010-09-16 16:09:4880.985.820038.20.7-0.12010-09-16 16:24:4940.258.520634.30.7-0.12010-09-17 09:39:25648121336.40.6-0.12010-09-17 09:49:2635.48121237.60.7-0.12010-09-17 10:16:4777.483.621938.21-0.12010-09-17 14:17:3078.381.922339.40.9-0.12010-09-17 14:32:3084.281.322440.11-0.12010-09-17 14:47:3045.581.532240.3 1.1-0.12010-09-17 14:57:30748332841.1 1.4-0.12010-09-17 15:07:3172.883.233041.4 1.5-0.12010-09-17 15:17:3156.581.629442 1.9-0.12010-09-17 15:32:3181.683.729441.6 1.7-0.12010-09-17 15:47:3138.580.829441.3 1.7-0.12010-09-17 16:02:3176.384.137542.8 2.5-0.12010-09-17 16:12:3177.98536540.6 2.3-0.12010-09-18 09:49:5135.381.738250.7 2.4-0.22010-09-19 16:13:0332.281.433342.6 2.7-0.42010-09-20 09:42:1134.881.533643 2.9-0.42010-09-20 09:57:1236.480.933643.73-0.32010-09-20 10:12:1244.778.338346.24-0.52010-09-20 10:22:1248.682.438046.5 4.1-0.52010-09-20 10:32:1250.382.537846.3 4.2-0.52010-09-20 10:42:1249.282.536448.4 5.8-0.92010-09-20 10:52:1259.383.236248.9 5.8-0.92010-09-20 11:02:1357.282.936048.2 6.2-0.82010-09-20 11:12:135882.936048.8 5.9-0.92010-09-20 11:22:1359.583.234043.86-12010-09-21 07:55:1850.382.634945.4 5.7-0.92010-09-21 08:05:1949.282.840247.38.5-1.32010-09-21 08:15:1955.182.839052.48.6-1.12010-09-21 13:55:5242.882.340454.38.4-1.12010-09-21 14:05:5246.982.441154.78.6-1.12010-09-21 14:15:5243.282.341455.58.6-1.32010-09-21 14:25:5244.682.341655.28.5-1.12010-09-21 14:35:5345.680.541555.98.3-12010-09-21 14:45:5347.982.541554.58.6-1.12010-09-21 14:55:5348.182.541655.98.4-12010-09-21 15:05:5358.683.238257.79.3-1.32010-09-21 15:15:5352.482.838057.59.5-1.32010-09-21 15:25:5352.582.837854.89.7-1.42010-09-21 15:35:545382.237855.49.7-1.22010-09-21 15:45:5456.482.837753.29.3-1.42010-09-21 15:55:5453.382.837856.69.6-1.42010-09-21 16:05:5453.382.837555.59.6-1.42010-09-21 16:15:5433.282.335742.89.9-1.62010-09-22 09:15:3736.782.436444.39.8-1.62010-09-22 09:25:3839.182.537145.69.5-1.42010-09-22 09:35:384182.537445.89.8-1.52010-09-22 09:45:3842.682.637646.19.5-1.52010-09-22 09:55:3843.382.843555.113.7-1.82010-09-22 10:05:3845.482.943749.513.7-1.92010-09-22 10:15:3844.182.74369413.6-1.72010-09-22 10:25:3942.581.443696.313.7-1.72010-09-22 10:35:3942.882.843552.313.7-1.82010-09-22 10:45:3943.582.943466.313.8-1.82010-09-22 10:55:39 43.882.943454.913.7-1.82010-09-22 11:05:39 4482.84336713.8-1.72010-09-22 11:15:40 44.18243451.813.7-1.92010-09-22 11:25:40 44.282.943349.513.6-1.82010-09-22 11:35:40 43.982.943148.213.5-1.82010-09-22 11:45:4043.782.943148.913.9-1.62010-09-22 11:55:4044.182.743349.813.7-1.82010-09-22 12:05:40 4481.643148.413.8-1.72010-09-22 12:15:41 44.382.943051.213.6-1.82010-09-22 12:25:41 41.582.739950.612.8-1.82010-09-22 12:35:41 41.282.739849.913-1.82010-09-22 12:45:41 4182.639749.712.9-1.72010-09-22 12:55:41 40.782.139848.712.9-1.82010-09-22 13:05:41 40.978.939952.413-1.72010-09-22 13:15:42 40.882.740052.812.7-1.82010-09-22 13:25:42 40.682.639949.312.8-1.72010-09-22 13:35:42 40.382.639949.413.1-1.92010-09-22 13:45:42 40.581.839949.312.7-1.82010-09-22 13:55:42 40.578.140151.712.8-1.82010-09-22 14:05:42 40.482.740049.512.9-1.82010-09-22 14:15:43 40.382.640151.312.7-1.72010-09-22 14:25:4342.582.94495216.5-2.12010-09-22 14:35:4343.882.844951.516.4-1.92010-09-22 14:45:4344.381.145053.417.1-2.22010-09-22 14:55:43 46.382.945154.116.1-2.22010-09-22 15:05:44 45.182.945051.516.6-2.12010-09-22 15:15:44 458345050.816.1-22010-09-22 15:25:44 45.182.945154.316.5-2.22010-09-22 15:35:44 45.381.744952.116.9-2.12010-09-22 15:45:44 49.183.345152.516.1-2.22010-09-22 15:55:44 45.682.945048.616.5-2.12010-09-22 16:05:45 5983.443340.416.9-2.32010-09-23 09:23:11 74.785.444242.916.7-2.22010-09-23 09:33:11 76.58544644.316.5-2.32010-09-23 09:43:11 76.4854494516.2-2.22010-09-23 09:53:12 76.38545147.916.2-2.12010-09-23 10:03:12 68.182.837343.45-0.62010-09-23 10:13:1270.183.237242.6 4.6-0.72010-09-23 10:23:1271.383.437243.2 5.2-0.62010-09-23 10:33:1272.883.537243.2 5.1-0.62010-09-23 10:43:13 77.183.937243.8 5.2-0.62010-09-23 10:53:13 8283.637043 5.2-0.62010-09-23 11:03:13 76.384.437143.6 4.9-0.72010-09-23 11:13:13 73.68437145.2 5.1-0.72010-09-23 11:23:13 73.483.937145.3 5.1-0.72010-09-23 11:33:1473.183.937044.45-0.62010-09-23 11:43:1474.284.237046.8 5.2-0.62010-09-23 11:53:14 72.983.536946.2 4.9-0.62010-09-23 12:03:14 78.984.445346.4 5.3-0.72010-09-23 12:13:14 83.284.245545.2 5.4-0.72010-09-23 12:23:15 61.782.745244.7 5.6-0.62010-09-23 12:33:15 69.583.945045.4 5.5-0.72010-09-23 12:43:1568.483.445045.6 5.6-0.62010-09-23 12:53:1569.483.645045.4 5.6-0.72010-09-23 13:03:15 74.58444945.7 5.5-0.72010-09-23 13:13:15 80.783.744846.3 5.6-0.72010-09-23 13:23:16 82.387.344746.7 5.6-0.72010-09-23 13:33:16。

路由器再曝安全问题，华为赫然在列成千上万的Wi-Fi路由器可能遭到恶意软件的新型攻击，恶意软件将设备捆绑到僵尸网络中，使其具有分布式拒绝服务（DDoS）攻击功能，并以此向黑客出售。

Gafgyt恶意软件可以通过小型办公室和家庭路由器的漏洞访问到这些设备。

最近Gafgyt（也称为Bashlite）进行了更新，华为HG532和Realtek RTL81XX一直是Gafgyt的目标，现在还将Zyxel P660HN-T1A列入了攻击目标。

一般情况下，恶意软件都通过扫描程序来查找公网节点，然后利用漏洞实现入侵。

专家称，为了在攻击时获得充分资源，新版本的Gafgyt会杀死JenX之类的其他恶意软件，从而使其可以充分利用设备发起攻击。

Gafgyt僵尸网络似乎正在直接与另一个僵尸网络JenX竞争，后者的攻击目标正是华为和Realtek路由器。

黑客除了利用Gafgyt 发起DDoS攻击，还主要将其用于攻击游戏服务器，尤其是那些使用Valve Source Engine的游戏，包括热门游戏《反恐精英》和《军团要塞2》。

目标服务器不是由Valve部署的，而是由玩家部署的私有服务器。

很多年轻玩家出于报复对手的心态而选择攻击对方。

玩家甚至不需要访问地下论坛就可以使用这些恶意服务。

专家指出，僵尸网络租用服务在Instagram上使用伪造的个人资料做广告，租用费用仅为8美元。

专家介绍说：“显然，他们可以通过该平台接触到大量年轻人，所有人都可以使用这些服务，而且比地下站点更容易访问。

”随着越来越多的物联网产品连接到互联网，如果设备没有保持最新状态，将设备捆绑到僵尸网络和其他恶意活动中将会变得更加容易。

新版Gafgyt主要针对的是旧路由器，其中一些已经投放市场长达五年以上。

专家建议用户将路由器升级到较新的型号，并应定期应用软件更新以确保设备受到保护，尽可能地抵抗攻击。

Davila 说道：“总的来说，用户可以养成习惯，例如更新路由器，安装最新补丁程序，并设置复杂的密码，从而抵御僵尸网络的攻击。

margatoxin 分子量Margatoxin（MgTx）是一种毒性蛋白质，来源于美洲蜘蛛Centruroides margaritatus的毒液，主要作用于电压门控类型的钾离子通道Kv1.3。

作为Kv1.3通道的特异性拮抗剂，Margatoxin具有潜在的药物研发和治疗自身免疫性疾病的潜力。

其分子量为9.0 kDa。

Margatoxin由46个氨基酸残基组成，包含一个肽环结构和两个半胱氨酸残基间的二硫键。

该肽环结构通过疏水键和静电键与靶蛋白结合，产生高亲和力和选择性。

研究显示，Margatoxin与Kv1.3通道之间的结合主要通过肽环上的残基进行，其中包括Lys27、Tyr32和Tyr36。

这些残基与Kv1.3通道上相应的氨基酸进行静电相互作用，引起了Margatoxin对该通道的拮抗作用。

Kv1.3通道是T细胞中的重要离子通道，在多种疾病发展过程中起到关键作用。

由于Margatoxin对Kv1.3通道的高选择性和拮抗作用，它在研究和治疗多种自身免疫性疾病中显示出巨大的潜力。

自身免疫性疾病如类风湿关节炎、多发性硬化症和炎症性肠病等，是由于机体免疫系统异常激活导致的。

Kv1.3通道在T细胞中的活化与这些疾病的发病机制密切相关，因此通过拮抗剂抑制Kv1.3通道的功能，可以有效调节免疫反应，改善疾病症状。

研究表明，Margatoxin不仅对Kv1.3通道有拮抗作用，还对其他类型的电压门控离子通道表现出一定的亲和力。

例如，Margatoxin显示出对Kv1.1和Kv1.2通道的拮抗作用，尽管亲和力相对较低。

此外，Margatoxin还能与N型钙离子通道进行结合，并抑制其功能。

这些结果表明Margatoxin具有一定的通道特异性，能够拮抗多种离子通道的功能。

Margatoxin的研究也促进了钾离子通道拮抗剂的发展。

许多疾病如心律失常和癫痫都与离子通道的功能异常有关。

通过发现并研究与特定离子通道相互作用的拮抗剂，可以开发出有效的药物治疗方案。

电脑监控与管理的利器——PcLog
黄家贞
【期刊名称】《网管员世界》
【年(卷),期】2003(000)008
【摘要】你的同事和家人在你的机器上做了什么？他们是不是使用了你的工作帐号玩游戏？你的孩子趁家长不在是不是浏览了些不应该去的网站？你负责的局域网中的用户是不是没有工作而是在玩游戏？这些事情你可能都一无所知．PcLog软件能够确切地告诉你．他们已经做的和正在做的一切事情!
【总页数】2页(P84-85)
【作者】黄家贞
【作者单位】无
【正文语种】中文
【中图分类】TP393.1
【相关文献】
1.试论用电脑信息管理实行道路施工项目质量动态监控 [J], 张丹红
2.邮件赢利应用系列专题:统一监控管理--Email服务电信级品质保障的利器 [J], 苏杰
3.正邪一念间——用Pclog监控管理还是盗密 [J], 闪电精灵
4.电脑定时管理利器 [J], 西山月
5.网络管理利器,十大局域网监控工具推荐 [J], 米沃奇
因版权原因，仅展示原文概要，查看原文内容请购买。

tomcat假死与异常监控tomcat假死与异常监控在开发的tomcat服务应用中，经常会遇到tomcat假死情况，除了每次出现假死时找出原因外，有时候由于业务的重要性，需要及时发现服务异常并及时解决。

所以本人就想通过Linux定时任务定时监控的方式来预防这个问题，一旦发现及时通知告警并重启服务，然后才通过日志查明原因从根本上解决。

1）tomcat假死状态处于假死状态时，后台日志不在生成，服务链接没有响应，但tomcat的进程是存在的，所以若要监控是否处于假死状态可以从日志和服务链接方面入手，但由于检测日志比较麻烦，本人选择的是通过选择某个服务链接获取其访问状态码http_code，若状态码不正常则确认为tomcat服务异常。

例如：url=“http://localhost/….”code=$(curl -o /dev/null --retry 3 -s -w %{http_code} $url) echo “${code}”上面脚本中url变量为选择的适合的监控链接，code就是该链接正常时应该返回的返回码，正常是为200，有时候由于浏览器缓存可能返回302等也是正常的，所以建议最好选择那种后台的链接能够返回200的，这样检测起来比较方便。

2）tomcat异常监控在tomcat运行日志中，经常会出现一些异常，对于有些异常我们可以不用管，但例如数据库链接异常、内存溢出异常等，这些异常会直接导致服务不能正常使用，所以需要对这些类型的异常进行监控，同样的本人也是通过Linux脚本实时检查tomcat运行日志的方式来检测服务状态。

脚本如下：errormessage1="/doc/261950289.html,ng.OutOfMemoryError"ifcat ${tomcatpath}/logs/catalina.out |grep "$errormessage1">/dev/null thenrestartFlag="yes"其实就是通过cat |grep 的方式来查找异常特征字符串是否在运行日志文件中存在，存在则代表出现了该类异常，当然这是需要程序对该类异常做了处理的（捕捉到并输出到控制台）。

电脑病毒AV终结者介绍“AV终结者”即“帕虫”是一系列反击杀毒软件，破坏系统安全模式、感染脚本和网页文件的病毒。

下面由店铺给你做出详细的AV终结者介绍!希望对你有帮助!AV终结者介绍如下：它运行时会关闭任务管理器、注册表编辑器、等系统进程和安全软件，将自己扩散到所有磁盘中，感染全部的正常VBS脚本文件，植入木马下载器的病毒。

“AV终结者”名称中的“AV”即为英文“反病毒”(Anti-Virus)的缩写。

[2]别称“帕虫”危害破坏系统安全模式等类型一系列反击杀毒软件外文名 Anti-Virus代表木马和蠕虫中文名 AV终结者AV终结者集目前最流行的病毒技术于一身，破坏过程经过了严密的“策划”，首先摧毁用户电脑的安全防御体系，之后“AV终结者”自动连接到指定的网站，大量下载各类木马病毒，盗号木马、广告木马、风险程序接踵而来，使用户的网银、网游、QQ账号密码以及机密文件都处于极度危险之中。

2危害介绍编辑AV终结者(1)禁用所有杀毒软件以相关安全工具，让用户电脑失去安全保障。

(2)破坏安全模式，致使用户根本无法进入安全模式清除病毒。

(3)强行关闭带有病毒字样的网页，只要在网页中输入“病毒”相关字样，网页遂被强行关闭，即使是一些安全论坛也无法登陆，用户无法通过网络寻求解决办法。

(4)在各磁盘根目录创建可自动运行的exe程序和autorun.inf文件，一般用户重装系统后，会习惯性的双击访问其他盘符，病毒将再次被运行。

例子：鬼影病毒3传播方式编辑AV终结者该病毒利用了IFEO重定向劫持技术，使大量的杀毒软件和安全相关工具无法运行;会破坏安全模式，使中毒用户无法在安全模式下查杀病毒;会下载大量病毒到用户计算机来盗取用户有价值的信息和某些帐号;能通过可移动存储介质传播。

主要传授方式如下：1.通过某个视频专用播放器捆绑传播。

2.通过网络游戏外挂捆绑病毒传播。

3.通过恶意软件(游戏)下载站的下载资源。