Securing Systems by Vulnerability Mitigation and Adaptive Live Patching Yue Chen


Florida State University Libraries
Electronic Theses, Treatises and Dissertations
The Graduate School
2018

FLORIDA STATE UNIVERSITY
COLLEGE OF ARTS AND SCIENCES

SECURING SYSTEMS BY VULNERABILITY MITIGATION AND ADAPTIVE LIVE PATCHING

By YUE CHEN

A Dissertation submitted to the Department of Computer Science in partial fulfillment of the requirements for the degree of Doctor of Philosophy

2018

Copyright © 2018 Yue Chen. All Rights Reserved.

Yue Chen defended this dissertation on January 23, 2018. The members of the supervisory committee were:

Zhi Wang, Professor Directing Dissertation
Ming Yu, University Representative
Xiuwen Liu, Committee Member
An-I Andy Wang, Committee Member

The Graduate School has verified and approved the above-named committee members, and certifies that the dissertation has been approved in accordance with university requirements.

To my beloved ones.

ACKNOWLEDGMENTS

Pursuing a Ph.D. degree is a unique experience in my life. Here I would like to express my gratitude to a number of people. Without them, I cannot enjoy this wonderful journey.

Foremost, I feel incredibly fortunate to have been under Prof. Zhi Wang’s guidance during my Ph.D. study at Florida State. His passion and dedication for research has highly influenced me and opened my eyes to the research world. His encouragement, guidance and support are invaluable power for me to explore the horizons.

I have been very lucky to work with several excellent researchers. I want to express my sincere gratitude to the colleagues during my internship at Baidu X-Lab. It is a great pleasure to have the fruitful discussions with Yulong Zhang and Tao Wei to address challenging problems, and their great thoughts and insightful advising have helped me learn a lot. It is also an enjoyable and instrumental experience to work with other colleagues: Zhaofeng Chen, Zhenyu Zhong, Yu Ding; as well as other interns in the lab: Pei Wang and Peng Wang.

I am grateful to all the collaborators for their insightful ideas and helpful discussions. In particular, special thanks are given to Xiaoguang Wang, Ryan Baird, David Whalley and Yajin Zhou for the helpful discussions and suggestions with their precious and profound understanding of the research topics.

In the computer science department of FSU, I regularly participate in Prof. An-I Andy Wang’s research group meeting. It is a great opportunity to discuss and learn topics in computer systems. I want to express my gratitude to An-I Andy Wang and his students for great suggestions about my research and the great discussion atmosphere.

I would also like to thank the rest of my dissertation committee: Prof. Xiuwen Liu and Prof. Ming Yu, for their detailed advice, comments and suggestions.

Last but certainly not least, I owe a big debt of gratitude to my parents and family, who support every decision I have made, including the pursuit of this degree.

TABLE OF CONTENTS

List of Tables
List of Figures
Abstract

1 Introduction
  1.1 Problem Overview
  1.2 Our Approach
  1.3 Summary of Contributions
  1.4 Dissertation Organization

2 Related Work
  2.1 Memory Vulnerabilities and Exploits
    2.1.1 Buffer Overflow
    2.1.2 Information Leakage
    2.1.3 NULL Pointer Dereference
    2.1.4 Arbitrary Format String
    2.1.5 Use-After-Free
    2.1.6 Data-only Attack
    2.1.7 Return-oriented Programming
  2.2 Threat Mitigation
    2.2.1 Data Execution Prevention
    2.2.2 Software Diversity
    2.2.3 ROP Defenses
    2.2.4 Control-flow Integrity
  2.3 Root-Cause Analysis
    2.3.1 Attack/Exploit Detection and Mitigation
    2.3.2 Vulnerability/Bug Discovery
    2.3.3 Record & Replay
  2.4 Patch Generation
    2.4.1 Kernel Live Patching
    2.4.2 Semantic Matching
    2.4.3 Automatic Patch/Filter Generation

3 On-demand Live Randomization
  3.1 Introduction
  3.2 Design
    3.2.1 Overview
    3.2.2 Basic Block Reordering
    3.2.3 Basic Block Pointer Conversion
    3.2.4 Live Randomization of Kernel Modules
    3.2.5 Performance Optimization
    3.2.6 Binary-only Program Support
  3.3 Implementation
  3.4 Evaluation
    3.4.1 Security
    3.4.2 Performance
  3.5 Discussion
  3.6 Summary

4 Pinpointing Vulnerabilities
  4.1 Introduction
  4.2 System Overview
  4.3 System Design
    4.3.1 System Overview
    4.3.2 Attack Detection
    4.3.3 Record and Replay
    4.3.4 Pinpointing Vulnerabilities
    4.3.5 Prototype Efforts
  4.4 Evaluation
    4.4.1 Effectiveness
    4.4.2 Performance
  4.5 Discussion
  4.6 Summary

5 Adaptive Android Kernel Live Patching
  5.1 Introduction
  5.2 System Design
    5.2.1 Measuring Android Fragmentation
    5.2.2 Adaptive Multi-level Patching
    5.2.3 Architecture and Workflow
    5.2.4 KARMA Patches
    5.2.5 Offline Patch Adaptation
    5.2.6 Live Patching
    5.2.7 Prototype of KARMA
  5.3 Evaluation
    5.3.1 Evaluation of Applicability
    5.3.2 Evaluation of Adaptability
    5.3.3 Evaluation of Performance
  5.4 Discussion and Future Work
  5.5 Summary

6 Conclusion

Appendix
A KARMA Patch Writing for Recent Kernel Vulnerabilities

Bibliography
Biographical Sketch

LIST OF TABLES

3.1 Average NOP Space per Function
3.2 Statistics of Three Web Servers
4.1 Summary of the evaluation results on a number of DARPA CGC programs.
5.1 Devices vulnerable to two infamous root exploits as of Nov. 2016. The second column lists the dates when they are disclosed in Android Security Advisory.
5.2 Images obtained from popular devices.
5.3 Statistics of the obtained Android kernels.
5.4 The extension to Lua. The first five functions can only be used by the live patcher, not by patches.
5.5 Clustering 1,139 kernels for each function by syntax and semantics. The last-but-two column lists the time of semantic matching to compare Nexus 5 (Android 4.4.2, kernel 3.4.0) and Samsung.