alexei bulazel 0xalexei
play

Alexei Bulazel @0xAlexei REcon Brussels 2018 About Me Security - PowerPoint PPT Presentation

Apr 24, 2023 •434 likes •1.92k views

Reverse Engineering Windows Defenders JavaScript Engine Alexei Bulazel @0xAlexei REcon Brussels 2018 About Me Security researcher at River Loop Security RPI / RPISEC 2015 graduate Longtime REcon attendee, first time presenter

  1. Example Stack Trace During Callback Stack Trace (Upside Down) - breakpoint on isNan (function(){ Initial evaluation var x = new Array(1,2,3); x.toString = function(){ JavaScriptInterpreter::eval return isNaN("foobar") JsTree::run }; JsNewExprTree::eval var y = new String(x); })()

  2. Example Stack Trace During Callback Stack Trace (Upside Down) - breakpoint on isNan (function(){ Initial evaluation var x = new Array(1,2,3); x.toString = function(){ JavaScriptInterpreter::eval return isNaN("foobar") JsTree::run }; JsNewExprTree::eval var y = new String(x); Allocating a new String })() preInvokeFunctionThrows JsConstructor_String::call newStringObjectThrows newStringObjectThrowsT<JsStringObject>

  3. Example Stack Trace During Callback Stack Trace (Upside Down) - breakpoint on isNan (function(){ Initial evaluation var x = new Array(1,2,3); x.toString = function(){ JavaScriptInterpreter::eval return isNaN("foobar") JsTree::run }; JsNewExprTree::eval var y = new String(x); Allocating a new String })() preInvokeFunctionThrows JsConstructor_String::call newStringObjectThrows newStringObjectThrowsT<JsStringObject> Reentrance into JS state for .toString JsTree::run JsCallExprTree::eval preInvokeFunctionThrows JsFunctionProxyObject<JsDelegateObject_Global>::call JsDelegateObject_Global::delegate JsDelegateObject_Global::isNan

  4. Regex Engine mpscript> (function(){ var str = "Hello REcon!"; var i = str.search(/REcon/i); ● Regex engine accessible print(i) })() from JS triggerEvent(): str_valueof triggerEvent(): str_search ● Regex parsing and print(): 6 compiling system - big attack surface

  5. Antivirus Integration ● NscriptJSMonitor class implements callbacks used to monitor execution for antivirus purposes NscriptJSMonitor::analyse receives info ○ about specific script actions JsRuntimeState::triggerEvent is called to ● register events (function calls)

  6. JsRuntimeState Large struct that stores entire JS runtime state: variables, function arguments, global utility functions, timeouts, execution parameters, etc… dt mpengine!JsRuntimeState +0x0b0 m_callerValue : Uint4B +0x000 __VFN_table : Ptr32 +0x0b4 m_callerDepth : Uint4B +0x004 m_callStack : Ptr32 CallStack +0x0b8 m_exeLimit : Uint4B +0x008 m_heap : JsHeap +0x0bc m_exeCounter : Uint4B +0x070 m_exeCtxStack : +0x0c0 m_regexpLimit : Uint4B std::vector<JsRuntimeState::ExecutionContext,std:: +0x0c4 m_runLevel : Uint4B allocator<JsRuntimeState::ExecutionContext> > +0x0c8 m_domWrapper : Ptr32 +0x07c m_globalObj : Ptr32 JsObject HtmlDocumentProvider +0x080 m_complType : +0x0cc m_emptyPageDom : HtmlDocument JsRuntimeState::CompletionType +0x0dc m_monitor : Ptr32 +0x084 m_complValue : Uint4B JsEvaluationMonitor +0x088 m_complTarget : Uint4B +0x0e0 m_builder : ProgramTree +0x08c m_labelStack : std::vector<unsigned +0x0e4 m_monitorHeartBeatIsHappy : Bool int,std::allocator<unsigned int> > +0x0e8 m_monitorHeartBeatDelayCount : Uint4B +0x098 m_conversionValue : Uint4B +0x0ec m_shortEventBuf : [80] Char +0x09c m_conversionValueType : JsValueType +0x13c m_logBuf : Ptr32 Char +0x0a0 m_builtins : +0x140 m_timeOutCallBacks : std::vector<JsRuntimeState::Builtin,std::allocator std::list<JsRuntimeState::TimeOutCallBack,std: <JsRuntimeState::Builtin> > :allocator<JsRuntimeState::TimeOutCallBack> > +0x0ac m_callerPropHash : Uint4B +0x148 m_nextCallBackId : Int4B

  7. Outline 1. Introduction 2. Tooling & Process 3. Reverse Engineering a. JS Language b. Types c. Memory Management d. Fingerprinting 4. Vulnerability Discussion 5. Conclusion

  8. dt mpengine!JsObject Parent class for JS +0x00 __VFN_table : Ptr32 +0x04 isValid : Bool object types +0x08 m_type : JsValueType +0x0c m_propertyNames : std::map< unsigned int, std::basic_string<char,std::char_traits<char>,std::allocator<char> > const , std::less<unsigned int>, std::allocator<std::pair<unsigned int const , std::basic_string<char,std::char_traits<char>,std::allocator<char> > const > > > : +0x14 m_properties std::map< unsigned int, JsObject::Property, std::less<unsigned int>, std::allocator<std::pair<unsigned int const ,JsObject::Property> > > +0x1c m_propertyArray : std::vector<unsigned int,std::allocator<unsigned int> > +0x28 m_htmlDoc : HtmlDocument::Iterator +0x30 m_proto : Ptr32 JsObject +0x34 m_class : Ptr32 Char +0x38 m_value : Uint4B

  9. Enum JsValueType 0. Empty 1. Undefined 2. Null 3. Boolean 4. String 5. Number 6. Date (present in PDBs, but not used, instead compared by class “Date”) 7. Object 8. FunctionObject 9. RegExpObject a. Reference b. List c. BadValueType

  10. dt mpengine!JsArrayObject +0x00 __VFN_table : Ptr32 +0x04 isValid : Bool +0x08 m_type : JsValueType +0x0c m_propertyNames : std::map< unsigned int, std::basic_string<char,std::char_traits<char>,std::allocator<char> > const , std::less<unsigned int>, std::allocator<std::pair<unsigned int const , std::basic_string<char,std::char_traits<char>,std::allocator<char> > const > > > +0x14 m_properties : std::map< unsigned int, JsObject::Property, std::less<unsigned int>, std::allocator<std::pair<unsigned int const ,JsObject::Property> > > +0x1c m_propertyArray : std::vector<unsigned int,std::allocator<unsigned int> > +0x28 m_htmlDoc : HtmlDocument::Iterator +0x30 m_proto : Ptr32 JsObject +0x34 m_class : Ptr32 Char +0x38 m_value : Uint4B +0x3c m_lengthPropHash : Uint4B

  11. dt mpengine!JsRegExpObject +0x00 __VFN_table : Ptr32 +0x04 isValid : Bool +0x08 m_type : JsValueType +0x0c m_propertyNames : std::map< unsigned int, std::basic_string<char,std::char_traits<char>,std::allocator<char> > const , std::less<unsigned int>, std::allocator<std::pair<unsigned int const , std::basic_string<char,std::char_traits<char>,std::allocator<char> > const > > > +0x14 m_properties : std::map< unsigned int, JsObject::Property, std::less<unsigned int>, std::allocator<std::pair<unsigned int const ,JsObject::Property> > > +0x1c m_propertyArray : std::vector<unsigned int,std::allocator<unsigned int> > +0x28 m_htmlDoc : HtmlDocument::Iterator +0x30 m_proto : Ptr32 JsObject +0x34 m_class : Ptr32 Char +0x38 m_value : Uint4B +0x3c m_patStr : std::basic_string<char,std::char_traits<char>,std::allocator<char> > +0x54 m_flags : Uint4B

  12. dt mpengine!JsObject “Date” +0x00 __VFN_table : Ptr32 +0x04 isValid : Bool +0x08 m_type : JsValueType +0x0c m_propertyNames : std::map<...> dt mpengine!JsDate +0x14 m_properties : std::map<...> +0x28 m_htmlDoc : HtmlDocument::... +0x30 m_proto : Ptr32 JsObject +0x00 __VFN_table : Ptr32 +0x34 m_class : Ptr32 Char +0x04 isValid : Bool +0x38 m_value : Uint4B +0x08 m_type : JsValueType +0x10 m_time : Int8B

  13. dt mpengine!JsBufString String Primitive Types +0x00 __VFN_table : Ptr32 +0x04 isValid : Bool ● JsBufString +0x08 m_type : JsValueType +0x0c m_numBytes : Uint4B char * buffer ○ +0x10 m_str : Ptr32 Char ● JsSubString ○ Reference to some slice of another string dt mpengine!JsSubString ● JsRefString +0x00 __VFN_table : Ptr32 +0x04 isValid : Bool Reference to a .data section string ○ +0x08 m_type : JsValueType ● JsConcatString +0x0c m_numBytes : Uint4B +0x10 m_parent : Uint4B ○ Tree of concatenated string elements +0x14 m_offset : Uint4B +0x18 m_refDepth : Uint4B dt mpengine!JsConcatString +0x00 __VFN_table : Ptr32 +0x04 isValid : Bool dt mpengine!JsRefString +0x08 m_type : JsValueType +0x00 __VFN_table : Ptr32 +0x0c m_numBytes : Uint4B +0x04 isValid : Bool +0x10 m_lhs : Uint4B +0x08 m_type : JsValueType +0x14 m_rhs : Uint4B +0x0c m_numBytes : Uint4B +0x18 m_refDepth : Uint4B +0x10 m_str : Ptr32 Char

  14. Each JS object class has a delegate function that Method Dispatch dispatches calls to object methods

  15. Number.prototype: Unimplemented Methods ● toLocaleString Object.prototype: ● toPrecision ● toLocaleString ● toFixed ● propertyIsEnumerable ● toExponential ● isPrototypeOf String.prototype.localeCompare 
 Array.prototype: encodeURI ● toLocaleString ● unshift concat (for sparse arrays) ● ● sort

  16. Demo 2 (function() { var i = 0; switch (i) { case 0: print("0"); case 1: print("1"); (function() { } var x = [3, 2, 1]; })() x.sort() })() (function() { String(parseFloat([1, 2, 3].join())).toString() })()

  17. Type Checking Explicit Checking ● m_type ● m_class

  18. Type Checking Explicit Checking ● m_type ● m_class

  19. Casting Type Checking Explicit Checking ● m_type ● m_class

  20. Casting Type Checking Explicit Checking ● m_type ● m_class Duck Typing

  21. Casting Type Checking Explicit Checking ● m_type Redefinition? ● m_class (function x(){ var x = new Array(); x.foo = (new Date()).getMonth; x.foo(); })() triggerEvent(): err_typeerror triggerEvent(): error_tostring Log(): <NA>: 0: uncaught exception: TypeError: Date.prototype.getMonth() must be called only for Dates Duck Typing

  22. DOM Emulation dt mpengine!HtmlDocument::Impl::Node +0x00 type : HtmlDocument::NodeType +0x04 name : std::pair<char const *,unsigned int> +0x0c data : std::pair<char const *,unsigned int> +0x14 html : std::pair<char const *,unsigned int> ● Objects may have m_html pointer to +0x1c parent : Uint4B +0x20 nextSibling : Uint4B HtmlDocument::Iterator for +0x24 firstKid : Uint4B +0x28 lastKid : Uint4B iteration over std::vector of HtmlDocument::Impl::Node objects 
 “ document ” object declared globally ● to allow HTML interaction 
 ● Minimal implementation allows creation and manipulation of document elements

  23. Object Properties ● JavaScript objects are associative arrays mapping property name → value Backed by std::_Tree 
 ○ ● Strings and sparse array numeric properties are hashed to index into map 
 ● Not maintained for primitive non-object types

  24. dt mpengine!JsObject Parent class for JS +0x00 __VFN_table : Ptr32 +0x04 isValid : Bool object types +0x08 m_type : JsValueType +0x0c m_propertyNames : std::map< unsigned int, std::basic_string<char,std::char_traits<char>,std::allocator<char> > const , std::less<unsigned int>, std::allocator<std::pair<unsigned int const , std::basic_string<char,std::char_traits<char>,std::allocator<char> > const > > > : +0x14 m_properties std::map< unsigned int, JsObject::Property, std::less<unsigned int>, std::allocator<std::pair<unsigned int const ,JsObject::Property> > > +0x1c m_propertyArray : std::vector<unsigned int,std::allocator<unsigned int> > +0x28 m_htmlDoc : HtmlDocument::Iterator +0x30 m_proto : Ptr32 JsObject +0x34 m_class : Ptr32 Char +0x38 m_value : Uint4B

  25. +0x1c m_propertyArray Sparse vs. Dense Array Storage ● “Dense” +0x14 m_properties std::vector of values ● ● “Sparse” ● Stores sequentially numbered std::map of hash(property) → value ● properties from 0 to end value ● Stores string values and nonsequential ● [0,1,2] numeric properties ● Numbers converted to string and hashed var x = [0,1,2]; hash( “foo” ) → “bar” ● x.foo = “bar”; hash( “12” ) → “abc” ● x[12] = “abc”; +0x0c m_propertyNames std::map of hash(property) → name ● ● Stores property names hash( “foo” ) → “foo” ●

  26. Property Hashing

  27. Property Hashing

  28. Property Hashing

  29. Brute Forcing a Hash Collision

  30. Brute Forcing a Hash Collision hash(“ length ”) == hash(“ fyW093 ”)

  31. JsArrayObject::putUpdateLengthThrows ● Fires on any update of Array object properties, checks for update of hash(“ length ”) 
 ● Manages arrays when “ length ” property is changed ○ Erases elements from the array if indexed above the new length

  32. Demo 3 (function() { var x = [1, 2, 3]; print(x.length); // 3 print(x); // "1,2,3" x.fyW093 = 5; print(x.fyW093); // 5 print(x.length); // 5 print(x); // "1,2,3,," x.fyW093 = 1; print(x); // "1" print(x.length) // 1 })()

  33. Outline 1. Introduction 2. Tooling & Process 3. Reverse Engineering a. JS Language b. Types c. Memory Management d. Fingerprinting 4. Vulnerability Discussion 5. Conclusion

  34. Memory Management Memory safe types - std::vector and std::map 
 ● ● Homogeneous Array sizes (no typed arrays) 
 ● No optimizations for object property get / set, fallback on std:: library operations 
 Raw arrays used for JSBufString objects, but few ● chances for controlled allocation sizes

  35. Heap Management Allocations stored in std::vector<JsHeapObject*>

  36. Garbage Collection

  37. Garbage Collection

  38. Garbage Collection Mark-and-Sweep Garbage Collection

  39. Garbage Collection Mark-and-Sweep Garbage Collection Project Zero beat me to it - 2 Days Later...

  40. BinDiffing

  41. BinDiffing

  42. BinDiffing

  43. Heap Teardown After Emulation JsRuntimeState::~JsRuntimeState destructor tears down the JS heap with JsHeap::~JsHeap

  44. JsBufString char Array Backing char arrays used for storage backing ● JsBufString - not std::vector 
 ● Arrays allocated then assigned to JsBufString with initByReceipt 
 ● Only allocated in a few places, done safely

  45. Bug - escape() is broken

  46. Bug - escape() is broken escape(“%”)

  47. Bug - escape() is broken escape(“%”) Buffer size = 3 * numBytes 3 = 3*1

  48. Bug - escape() is broken escape(“%”) Buffer size = 3 * numBytes 3 = 3*1 “%” should escape to 3 characters

  49. Bug - escape() is broken escape(“%”) Buffer size = 3 * numBytes 3 = 3*1 “%” should escape to 3 characters 3 >= 3, function returns early to avoid a buffer overflow

  50. Bug - escape() is broken escape(“%”) Buffer size = 3 * numBytes 3 = 3*1 “%” should escape to 3 characters 3 >= 3, function returns early to avoid a buffer overflow escape() ing any single character element fails - similar problems in other escape related functions

  51. Demo 4 (function() { print(escape("%a")); print(escape("%")); })()

  52. Outline 1. Introduction 2. Tooling & Process 3. Reverse Engineering a. JS Language b. Types c. Memory Management d. Fingerprinting 4. Vulnerability Discussion 5. Conclusion

  53. Fingerprinting Unique traits that identify the Defender JS engine function (){ 
 if (DetectDefender()) 
 { return; } 
 else { MaliciousCode(); } 
 }

  54. Fingerprinting Unique traits that identify the Defender JS engine function (){ 
 function (){ 
 if (DetectDefender()) 
 if (DetectDefender()) 
 { { return; ExploitDefender(); } 
 } 
 else else { { MaliciousCode(); ... } 
 } 
 } }

  55. 
 
 Hardcoded Values mpscript>(function(){ 
 print(navigator.userAgent); 
 })() 
 print(): Mozilla/5.0 (compatible; MSIE 6.0; Windows NT 5.1) 
 > log(document.referrer) http://www.google.com/url?sa=t&rct=j&q=&esrc=s&source=web mpscript> (function (){ 
 var x = new Date(); 
 print(x); 
 })() 
 triggerEvent(): date_tostring 
 print(): Mon 19 Mar 2012 01:29:10 UTC 


  56. Instantiating Non-Objects mpscript> (function (){ 
 mpscript> (function (){ 
 var x = new eval(); 
 var x = new isFinite(); 
 print(x); 
 print(x); 
 })() 
 })() 
 JavaScriptLog(): [object Object] 
 JavaScriptLog(): [object Object] 
 (function (){ var x = new print(); print(x) })() JavaScriptLog(): [object Object] (function (){ var x = new isNaN (); print(x) })() JavaScriptLog(): [object Object]

  57. Typos mpscript> (function (){ 
 try{ 
 var x = new CollectGarbage(); 
 } 
 catch(e){ 
 print(e); 
 } })() JavaScriptLog(): 
 TypeError: collectGarbage() is not a constructor ( collectGarbage() throws an exception, undefined)

  58. Elements Are Functions mpscript> (function x(){ var x = document.createElement("p"); print(typeof(x)); })() print(): function

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

A Survey On Automated Dynamic Malware Analysis Evasion and Counter-Evasion: PC, Mobile, and Web

A Survey On Automated Dynamic Malware Analysis Evasion and Counter-Evasion: PC, Mobile, and Web

A Survey On Automated Dynamic Malware Analysis Evasion and Counter-Evasion: PC, Mobile, and Web Alexei Bulazel &amp; Blent Yener River Loop Security Rensselaer Polytechnic Institute (RPI) Introduction Automated dynamic malware analysis is

684 views • 33 slides
PRESENTATION SECRETS BY ALEXEI KAPTEREV DOWNLOAD EBOOK : PRESENTATION SECRETS BY ALEXEI KAPTEREV

PRESENTATION SECRETS BY ALEXEI KAPTEREV DOWNLOAD EBOOK : PRESENTATION SECRETS BY ALEXEI KAPTEREV

Read Online and Download Ebook PRESENTATION SECRETS BY ALEXEI KAPTEREV DOWNLOAD EBOOK : PRESENTATION SECRETS BY ALEXEI KAPTEREV PDF Click link bellow and free register to download ebook: PRESENTATION SECRETS BY ALEXEI KAPTEREV DOWNLOAD FROM

470 views • 7 slides
Spectral gaps and oscillations Alexei Poltoratski Texas A&amp;M Abel Symposium, 8/2012 Alexei

Spectral gaps and oscillations Alexei Poltoratski Texas A&amp;M Abel Symposium, 8/2012 Alexei

Spectral gaps and oscillations Alexei Poltoratski Texas A&amp;M Abel Symposium, 8/2012 Alexei Poltoratski (Texas A&amp;M) Spectral gaps and oscillations Abel Symposium, 8/2012 1 / 22 Contents of the talk Alexei Poltoratski (Texas A&amp;M)

850 views • 42 slides
Formalizing Type Operations Using the Image Type Constructor Aleksey Nogin and Alexei

Formalizing Type Operations Using the Image Type Constructor Aleksey Nogin and Alexei

Formalizing Type Operations Using the Image Type Constructor Aleksey Nogin and Alexei Kopylov California Institute of Technology WoLLIC, 2006 WoLLIC06 Aleksey Nogin, Alexei Kopylov Image Type p. 1 Introduction Set theory

616 views • 26 slides
Memory-Efficient Heterogeneous Speech Recognition Hybrid in GPU-Equipped Mobile Devices Alexei

Memory-Efficient Heterogeneous Speech Recognition Hybrid in GPU-Equipped Mobile Devices Alexei

Verbumware Inc Memory-Efficient Heterogeneous Speech Recognition Hybrid in GPU-Equipped Mobile Devices Alexei V. Ivanov, Alexei V. Ivanov, CTO, Verbumware Inc. CTO, Verbumware Inc. GPU Technology Conference, San Jose, March 17, 2015 Verbum

185 views • 16 slides
Mathematical and Computational Modelling of Saturated Poroplastic Materials J.Alexei Lu zar

Mathematical and Computational Modelling of Saturated Poroplastic Materials J.Alexei Lu zar

Motivation Modelling 2-Scale Model Local PDEs Simulation Mathematical and Computational Modelling of Saturated Poroplastic Materials J.Alexei Lu zar Obreg on, SEN/UFF M. Murad, LNCC/MCT VIII Workshop in Partial Differential

720 views • 29 slides
On the relation between the magnitude and exponent of OTOCs (Based on the paper with Alexei Kitaev

On the relation between the magnitude and exponent of OTOCs (Based on the paper with Alexei Kitaev

On the relation between the magnitude and exponent of OTOCs (Based on the paper with Alexei Kitaev [1812.00120] ) Yingfei Gu Harvard University YITP, June 24, 2019 Outline Introduction: OTOC in SYK Kinetic equation approach: an

419 views • 20 slides
The Sun - II Alexei Gilchrist Some resources http://www.nineplanets.org/sol.html

The Sun - II Alexei Gilchrist Some resources http://www.nineplanets.org/sol.html

The Sun - II Alexei Gilchrist Some resources http://www.nineplanets.org/sol.html The Universe: Secrets of the Sun video Secrets of the Sun Search on youtube (references are to clips here

641 views • 38 slides
The six vertex model and randomly growing interfaces in (1+1) dimensions Alexei Borodin Through

The six vertex model and randomly growing interfaces in (1+1) dimensions Alexei Borodin Through

The six vertex model and randomly growing interfaces in (1+1) dimensions Alexei Borodin Through the last two decades, the large time asymptotics of a number of out-of-equilibrium random growth models in (1+1)d have been analyzed

743 views • 25 slides
The Noise Collector for sparse recovery in high dimensions Alexei Novikov Department of

The Noise Collector for sparse recovery in high dimensions Alexei Novikov Department of

The Noise Collector for sparse recovery in high dimensions Alexei Novikov Department of Mathematics Penn State University, USA with M.Moscoso (Madrid), G.Papanicolaou (Stanford), and C.Tsogka (UC Merced). Supported by NSF and AFOSR. Inverse

433 views • 26 slides
Gianfranco Gambarelli University of Bergamo, Italy Athens 2004 Alexei BAR Nemov 25

Gianfranco Gambarelli University of Bergamo, Italy Athens 2004 Alexei BAR Nemov 25

Gianfranco Gambarelli University of Bergamo, Italy Athens 2004 Alexei BAR Nemov 25 APPLICATIONS - Gymnastics - Diving SPORTS : - Figure skating - Synchronized swimming - ... - LIBOR - EURIBOR BANKING : - EONIASWAP - EUREPO - ...

294 views • 28 slides
Bypassing the Language Bottleneck Alexei (Alyosha) Efros UC Berkeley Collaborators David

Bypassing the Language Bottleneck Alexei (Alyosha) Efros UC Berkeley Collaborators David

Visual Understanding without Naming: Bypassing the Language Bottleneck Alexei (Alyosha) Efros UC Berkeley Collaborators David Abhinav Scott Martial Natasha Yaser Satkin Fouhey Gupta Hebert Kholgade Sheikh Vincent Ivan Josef

1.26k views • 83 slides
Recognizing Action At A Distance Alexei A. Efros, et Al. Presented by: Sunny Chow 1 Background

Recognizing Action At A Distance Alexei A. Efros, et Al. Presented by: Sunny Chow 1 Background

Recognizing Action At A Distance Alexei A. Efros, et Al. Presented by: Sunny Chow 1 Background We are adept at classifying actions. Easily categorize even with noisy and small images Want computers to do just as well How do we do

558 views • 37 slides
A Reexamination of Contingent Convertibles with Stock Price Triggers George Pennacchi and Alexei

A Reexamination of Contingent Convertibles with Stock Price Triggers George Pennacchi and Alexei

A Reexamination of Contingent Convertibles with Stock Price Triggers George Pennacchi and Alexei Tchistyi 1 16 th Annual FDIC/JFSR Banking Research Conference 9 September 2016 1 Both from Department of Finance, University of Illinois. Contingent

339 views • 30 slides
modelling fidelity Ashur Rafiev , Fei Xia, Alexei Iliasov, Rem Gensh, Ali Aalsaud, Alexander

modelling fidelity Ashur Rafiev , Fei Xia, Alexei Iliasov, Rem Gensh, Ali Aalsaud, Alexander

Power-proportional modelling fidelity Ashur Rafiev , Fei Xia, Alexei Iliasov, Rem Gensh, Ali Aalsaud, Alexander Romanovsky, Alex Yakovlev Newcastle University W01 DATE 2015 Motivation Modelling effort is becoming a bottleneck in many

403 views • 24 slides
Trustless, Interoperable Cryptocurrency-Backed Assets Website: xclaim.io Joint Work With Alexei

Trustless, Interoperable Cryptocurrency-Backed Assets Website: xclaim.io Joint Work With Alexei

Trustless, Interoperable Cryptocurrency-Backed Assets Website: xclaim.io Joint Work With Alexei Dominik Joshua Panayiotis William Arthur Knottenbelt Zamyatin Harz Lind Panayiotu Gervais This research was co-funded by Blockchain.com, Outlier

867 views • 40 slides
Transport layer Transport services and protocols applicatio Provide communication n

Transport layer Transport services and protocols applicatio Provide communication n

Transport layer Transport services and protocols applicatio Provide communication n transport between application processes network data link running on different hosts physical Protocols run in end system OS Sender transport

941 views • 55 slides
Area of Rectangles 2 Return to Table of Contents 3 Slide 7 / 152 Slide 8 / 152 Area of a

Area of Rectangles 2 Return to Table of Contents 3 Slide 7 / 152 Slide 8 / 152 Area of a

Slide 1 / 152 Slide 2 / 152 Geometry Area of Figures 2015-10-27 www.njctl.org Slide 3 / 152 Slide 4 / 152 Table of Contents Throughout this unit, the Standards for Mathematical Practice are used. Click on the topic to go to that section

308 views • 26 slides
Dina Kat abi MI T Lab f or Comput er Science dk@mit.edu www.ana.lcs.mit.edu/dina Sharing t he

Dina Kat abi MI T Lab f or Comput er Science dk@mit.edu www.ana.lcs.mit.edu/dina Sharing t he

XCP: eXplicit Control Protocol Dina Kat abi MI T Lab f or Comput er Science dk@mit.edu www.ana.lcs.mit.edu/dina Sharing t he I nt ernet I nf rast ruct ure I s f undament al Much research in Congest ion Cont rol, QoS, Dif f Serv,

667 views • 43 slides
The Odd One(s) Out Thies Lindenthal &amp; Carolin Schmidt htl24@cam.ac.uk carolin.schmidt@zew.de

The Odd One(s) Out Thies Lindenthal &amp; Carolin Schmidt htl24@cam.ac.uk carolin.schmidt@zew.de

2019-05-17 The Odd One(s) Out Thies Lindenthal &amp; Carolin Schmidt htl24@cam.ac.uk carolin.schmidt@zew.de Two core observations motivate our paper First: Observed transaction prices follow a ruler distribution Disproportionally

1.05k views • 35 slides
Last class Lecture 6 A vertex (w x, w y, w z, w) - clipping is in the - windowing and

Last class Lecture 6 A vertex (w x, w y, w z, w) - clipping is in the - windowing and

Last lecture (clip coordinates): Last class Lecture 6 A vertex (w x, w y, w z, w) - clipping is in the - windowing and viewport normalized view volume if: - scan conversion/ rasterization w &gt; 0 projective transform - w &lt;=

805 views • 5 slides
Chapter 8 Communication Networks and Services Transport Layer Protocols: UDP and TCP Fall 2012

Chapter 8 Communication Networks and Services Transport Layer Protocols: UDP and TCP Fall 2012

Chapter 8 Communication Networks and Services Transport Layer Protocols: UDP and TCP Fall 2012 Prof. Chung-Horng Lung 1 Outline UDP Protocol TCP Quick Overview TCP Header TCP Connection Management TCP Congestion

750 views • 44 slides
WEDA 2018 Fall Conference Eric Pitcher REGIONAL MANAGER, ECONOMIC DEVELOPMENT SEPTEMBER 28,

WEDA 2018 Fall Conference Eric Pitcher REGIONAL MANAGER, ECONOMIC DEVELOPMENT SEPTEMBER 28,

WEDA 2018 Fall Conference Eric Pitcher REGIONAL MANAGER, ECONOMIC DEVELOPMENT SEPTEMBER 28, 2018 BNSF Railway BNSF Railway is committed to serving our customers today and investing to accommodate their growth tomorrow. 28 ~400 32,500

829 views • 25 slides
L ECTURE 2 The Effects of Monetary Changes: Narrative Evidence and Natural Experiments August

L ECTURE 2 The Effects of Monetary Changes: Narrative Evidence and Natural Experiments August

Economics 210c/236a Christina Romer Fall 2018 David

783 views • 62 slides

More recommend