From 6041cf6e9b2e643b8398d4ea02d27c6b79c81124 Mon Sep 17 00:00:00 2001
From: jsh77
Date: Thu, 26 May 2022 16:49:58 +0000
Subject: [PATCH] Update on Overleaf.
---
 .../attack-surface-vs-linux-compatibility.tex | 92 ++++++++++++++++++
 figures/least-most-linux.png | Bin 23940 -> 0 bytes
 report.tex | 85 +++++++++++-----
 3 files changed, 151 insertions(+), 26 deletions(-)
 create mode 100644 diagrams/attack-surface-vs-linux-compatibility.tex
 delete mode 100644 figures/least-most-linux.png
diff --git a/diagrams/attack-surface-vs-linux-compatibility.tex b/diagrams/attack-surface-vs-linux-compatibility.tex
new file mode 100644
index 0000000..dfd204a
--- /dev/null
+++ b/diagrams/attack-surface-vs-linux-compatibility.tex
@@ -0,0 +1,92 @@
+\documentclass[12pt,crop,tikz]{standalone}
+
+\providecommand{\rootdir}{..}
+\usetikzlibrary{backgrounds}
+\usetikzlibrary{positioning}
+\usetikzlibrary{calc}
+\usetikzlibrary{decorations.pathreplacing}
+
+\tikzstyle{arrow} = [thick,->,>=stealth]
+
+% The Tableau20 colours
+\definecolor{TabLightOrange}{RGB}{255,187,120}
+\definecolor{TabOrange}{RGB}{255,127,14}
+\definecolor{TabLightBlue}{RGB}{174,199,232}
+\definecolor{TabBlue}{RGB}{31,119,180}
+\definecolor{TabGreen}{RGB}{44,160,44}
+\definecolor{TabLightGreen}{RGB}{152,223,138}
+\definecolor{TabSalmon}{RGB}{255,152,150}
+\definecolor{TabRed}{RGB}{214,39,40}
+\definecolor{TabPurple}{RGB}{148,103,189}
+\definecolor{TabLightPurple}{RGB}{197,176,213}
+\definecolor{TabLightPink}{RGB}{247,182,210}
+\definecolor{TabPink}{RGB}{227,119,194}
+\definecolor{TabLightBrown}{RGB}{196,156,148}
+\definecolor{TabBrown}{RGB}{140,86,75}
+\definecolor{TabGray}{RGB}{127,127,127}
+\definecolor{TabOlive}{RGB}{188,189,34}
+\definecolor{TabLightOlive}{RGB}{219,219,141}
+\definecolor{TabLightGray}{RGB}{199,199,199}
+\definecolor{TabLightCyan}{RGB}{158,218,229}
+\definecolor{TabCyan}{RGB}{23,190,207}
+
+\begin{document}
+
+\def\titlepad{0.1}
+\def\boxspacing{40mm}
+
+\def\layer{0.3}
+
+\def\inner{0.3}
+\def\innerspace{0.2}
+
+\def\layerwidth{5cm}
+\def\halflayerwidth{2.35cm}
+\def\layerheight{0.8cm}
+\def\innerwidth{4.4cm}
+\def\halfinnerwidth{2.1cm}
+
+\begin{tikzpicture}[ every node/.style={font=\small}
+ , layer/.style= {rectangle, draw=black!50, thick, minimum width=\layerwidth , minimum height=\layerheight}
+ , halflayer/.style={rectangle, draw=black!50, thick, minimum width=\halflayerwidth, minimum height=\layerheight}
+ , inner/.style= {rectangle, draw=black!50, thick, minimum width=\innerwidth , minimum height=\layerheight}
+ , halfinner/.style={rectangle, draw=black!50, thick, minimum width=\halfinnerwidth, minimum height=\layerheight}
+ , red/.style={fill=TabPurple!40}
+ , orange/.style={fill=TabBlue!40}
+ , yellow/.style={fill=TabCyan!40}
+ , green/.style={fill=TabLightGreen!60}
+ , node distance = 0cm
+ , arrow={->,>=stealth}
+ ]
+
+ \begin{scope}[local bounding box=graph-body]
+ \node[layer,orange] (void-processes) {Void Processes (§\ref{sec:system-design})};
+ \node[circle,fill,inner sep=1.5pt, yellow, below = \innerspace of void-processes] (void-processes-dot) {};
+
+ \node[circle,fill,inner sep=1.5pt, yellow, above left=3*\layerheight and 3*\layerheight of void-processes-dot] (unikernels-dot) {};
+ \node[layer, above = \innerspace of unikernels-dot] (unikernels) {Unikernels};
+
+ \node[circle,fill,inner sep=1.5pt, yellow, below right=3*\layerheight and 2*\layerheight of void-processes-dot] (containers-dot) {};
+ \node[layer, above = \innerspace of containers-dot] (containers) {Containers (§\ref{sec:priv-sep-perspective})};
+
+ \node[circle,fill,inner sep=1.5pt, yellow, below left=5*\layerheight and 1*\layerheight of void-processes-dot] (virtual-machines-dot) {};
+ \node[layer, above = \innerspace of virtual-machines-dot] (virtual-machines) {Virtual Machines (§\ref{sec:priv-sep-another-machine})};
+
+ \node[circle,fill,inner sep=1.5pt, yellow, below right=5*\layerheight and 11*\layerheight of void-processes-dot] (ambient-authority-dot) {};
+ \node[layer, above left=\innerspace and \innerspace of ambient-authority-dot] (ambient-authority) {Ambient Authority};
+ \end{scope}
+
+ \coordinate (graph-body-nw) at ($ (graph-body.north west) + (-0.3, 0.3 + \titlepad) $);
+ \coordinate (graph-body-ne) at ($ (graph-body.north east) + ( 0.3, 0.3 + \titlepad) $);
+ \coordinate (graph-body-sw) at ($ (graph-body.south west) + (-0.3,-0.3) $);
+ \coordinate (graph-body-se) at ($ (graph-body.south east) + ( 0.3,-0.3) $);
+
+ % Axes
+ \draw[->] ($ (graph-body-nw) + (0.15, 0) $) -- (graph-body-ne);
+ \draw[->] (graph-body-nw) -- (graph-body-sw);
+
+ % Axis labels
+ \node[rectangle,fill=white] at ($ (graph-body-nw)!0.5!(graph-body-ne) $) (x-axis-label) {Attack surface};
+ \node[rectangle,fill=white,rotate around={90:($ (graph-body-nw)!0.5!(graph-body-sw) $)}] at ($ (graph-body-nw)!0.5!(graph-body-sw) $) (y-axis-label) {Linux compatibility};
+\end{tikzpicture}
+\end{document}
\ No newline at end of file
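Review bot: The dot offsets in the `graph-body` scope (`3*\layerheight and 3*\layerheight`, `5*\layerheight and 11*\layerheight`, and so on) fix where each environment sits on the attack-surface and compatibility axes, but nothing in the file says what they are based on, and each axis carries only an arrow and a name. A comment above the scope such as `% Positions are a qualitative ranking, not measurements`, plus end labels on each axis stating which direction means more, would stop a reader taking the spacing as data. Separately, the style keys `red`, `orange`, `yellow` and `green` fill with TabPurple, TabBlue, TabCyan and TabLightGreen, so role-based names such as `highlight/.style={fill=TabBlue!40}` and `marker/.style={fill=TabCyan!40}` would be less misleading. `\tikzstyle` is also deprecated in favour of `\tikzset{arrow/.style={thick,->,>=stealth}}`, and `arrow` is set a second time in the picture options.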
diff --git a/figures/least-most-linux.png b/figures/least-most-linux.png deleted file mode 100644 index 783935708d9256eb5b481e6d0d2196dbe567e046..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 23940 zcmeFZc|2QP*9M$H5+Vs|iXnzl^N^awOj~q7t5u4Mnu|)!vkZp2lj?-3A*wAcB}Elg z5;~%!RdW%ov8c4>`HTC0-uJoh=XwA6{{FuFe#btEbM{_)@3r<`*IL&(mmKV@k#KQ1 z002PR+8j6m0D#>&=bhY8&R>+t%gdYs7VbDInDWUz{lCv_t-Ij3g?^~089%2 zaP3~gIm9^!=XNR(0Opjy-QTF7|M@T2oeKV+b3o_rg*oZuZB8K>aKQc~rv&Z(#`*Yj z4yAvUegJ@_r9r!j2LNCWusvXLG8#CWmv&G1P0b5UmzyO@a5!qO%>C>z0M|hw{;&fU zTwxtzU}`qjT1fs9@m#u+E&uV?xjygD8BE5nY-|(f6AWL@2doSUie>j}2by#qi8{^s z?9|uCK7BIWlC*W&S&1K>3@SALpTZ#qt~356LS=sO;)H{Y5I4k<^!MUP1!yodz>(Gb zBks~gpMT%>zm=TK2c?Dn=*Bkue!}mE`j5Lgby3$<2zpt|qOXshUV8QJ|ER(N2(P|> zb;3ujSZ~d`rIU$l{-*^0`WC9h%&rz?$@cAiw|)O+&AE4RSl$}S?`)FmLD!S6?$ZGH3G>RR{nv>6wgFNEDdoOwtXkT(!_DV1E!u3@qKa}@`c}uG zwbOh^rBVQcTc}9CFB6A$R8p2%D>=>w8(2f>Dh_s$}H(>b@BA@O}>K&iF%*)s@ zQyZC;SJ_m(N}O}NqtA|o`_d;KFFJ3%0M!h}O4wX=RF0xURg5kp|1rfSK=|sV5&3M? 
zhpUHyGgYipN*8KoqL+81YcZ`}X%{mJ6waQ=r(7|d&{+OR$$T^R`0&et6L&pXh)nJ9 zBD}WEJ-Z#afkGa7W=06xSBV_rL-ss8`PB@g^g}Kh(W*^zxTt&S=0Cgk`wS4%^N=O| z#%A`s(>731p2y{gp9tbYA~BpfuGYRpleq0&eAClV^7x6jTC*?CLe(o6k9-WuwW_4v zeAt1AQkrfoR0uu#Xm6H9=kAk#CD+rd%*;v(ZW>k@q1+jAF6kitIO zQQQ?Ri1#Z^$u7rp4jBH^=EhIb#R?x|F*o~V%^uc^=2{q_E1#ietCwX7-N6ew8tsH}90kA~x9|d2NhpWBkM<`#0E0I7 zwA@NoR$Q_{Ay$DUN;5|+Jjg55dRT+-Lzmlv|C}o_sKfUuk=Jo8JQaE0G!6rs;}GkuPST%4@s^x1z{vVRx5) z*G4g7XKqhY+z;&I^|bGkx_adc)0A)Oz2zf z;QU@{7t18>&||rP?Pnr`r>)-CfNfWWCDqW}!k#|@>CgFx$?xdP;v)Z$njc>F0`yUt zLH7qepxn9AzulA(`A5Vy5-vj0cEs)A9)Cb&0ZG~}Q0o^h#Wc|e!K!+`3=C6HZAKYu z^HK~kRpxl^U1g<62g#bs7oGk({3@)ufS@?mb+p&#OE1e)KN^`x9A_Jr1mO4O z5o3m6hNc;O_hiu!Qn2eukQ__XKJ}9)@&;Oh2{?3kb&B5I@p83WGG2RT78tD0#P$Yo zp+NLUKa!8ny^XFO(zW7Iqg7Bx%4NMy&jd5FGy|aaOsWiBW}jkRi1NSJEQED10yH>L z3afSfTDA(B3-4l%IY*{=vi16;GKm2>?{c|B%|BGJ+%rAx04`F_z|F}JaffCF%3$=LHwDTxufJNw3Vmw)R;n~ zt|~7hETEW-V!L6P*rtwU5c640M^dv1bB{*q3LXFSiL1KGDxe)Uli$||?ln|hVe$p;Y+Xgv6#a;}*Weiy!U z@cb_Xb}Q7TUFO4GQ?R_5ZMFMD7^vpl#swNC7kG_PV+b|whzoK3mFrGbjNXEND`g#F zZ*JkaucisJ6{0&1;qR#?o5=p>)>wjtg!>|C3YLN;NGO*htAGYI1!2D2rRmF06bIlM z6e%5>3;1CpdT8ZGua6Z)8~i%N*LHpf)7A-7zyi{^Iux^NiCrBKizNa7SgQd91B66h zm$jWdxZR%|Te4Eh)UnRfQw-*g=k07(XQ`#H9M=9rD|$cmcRlZ@VKo1j1Zf-c1fR=F zVr+=XPgN}IL?A_X=EU(DX~-+C;g^kghYQ%LbsIuYTU@>BCID)GDX;S~sSocAJljMn z?h(r;7qBDOM`IPF<7xsDW}#t}aUkz(UWnh` z&oxF8P}u^yCLaGNY#6D*g_&G;xc%Js-3>hRc=uC7;dtr%)cVJ*J)Z7!Z|UN-(hcRG z*n6WxB1!Me6MQM8H`lOIi1KCF$}2F`!jBkx7O};^AGknKm)#GR?7U-lWciM7fXt#r z>e%qlw>3*ubMdHN(xg9MjUc$}HG+ts@s7s&bJbLIjRw=y#s6?g@BOYD8+`t5cErk8 zMbgqVm+ig&)TIk}iE8)9J~i%k&Bp$BU&+;2{lh)9BrTo7hrm}+;lCqJ<{|5Z4q3`J z0Oy-~GJ5Oaku?_(+%WHz-S19L1rbT@1jli?nM$ z5oarc%XLpyyIYdxtrjk87_{<24i^#Sz-bn9pS_2PF*jim;QYOp|JRv4{{RFvhXQb8 zeDn&YL^^qd(f`<$Dqod*v%UYyxA@E7mhYU5Y@9XAy}ZrS@okD#fUIH#)&e7wtApR9 zT70e|NQb8ey}X$W!86YhZ|Tin+5RfU6g`{VN#B@7Oh#cv%OQTBThBowuN72Z4R^=|rH&wsd6~2ZQ9#6@VgrtHVI?z#!Pk)e4j14)s z%=*uApSQGbDAc(c`oDAZO{kBQ7e#IgsFMtT^di}orFbsQ!ugF7>u5fyEXR~DaFoY@ 
z|Gd?4r|X!5keYjyA#qrH+ZsbLIQ}}q=-Fc5Zv;WYU#wb8EpvQz=>2?I4scMI38{X> z1l6S8FTdk1(SEpS1Zor`H7tvj$%vLt|?ZA|4@j8B^n`#vahAPs*PbBZZk?lSWl$I~f z#at{wEI?Q%*Sz~4XsPf|?pmJ8L!#z%Fk^lVlQNPmf@*$y(x^iie$oSSVe)e$z%K?7 z`jo}x{m^_J9c&_R}IpIqhAH5u4lIy%~&8!8=XRPT^huMAsg;fuQ7Hkud>`d9)1(>s4bu z@Hn-QXz+T=-B!z*K-)odi)*dxydP$gAjd8L#FoNTy6NrX+{L2Ddxjr0aaC9aB(-0F z&0HVBJTn!&T=i%+7tY7%WeV(ek?O0=!nb)xLt1fk$K!`F_7+D*`JHdMRQ@?7OAhn` z?COrTVchIa?`x&x1jupBC+9+zR1m^Z7wwZpQ&fuLrN{<0Yy~`^u zU)+3ql6pUBaOiI9hO6z4BkP@~)sEgR$K+l0QKJ14HXu5RGu@opABUV9DR#(^vp4&U zc)wXnE@*klnlyttehATU-tw53v`Ey5)-;AieoK!OD|?>udNzI@x)bWD$lj@{-ScPP zCzMz$<^h_A@?6k*s>5UuJc97S?DP(JO3nA4#mRt=+fnictTw<+J8Dy?$z zcuyx)dUS!`sS>o^cxq@<{?8%#eE?{-uuzfsF)c6jOWpneN4)WBM)60P0G$T7D#IS} z0+ck#7HJ0=`C4C$qCBEbo3GWe2xtT!$%hXD*58o~(<0Aad?ePLk%>yf;1k+STS?Ne$EK;Xnp|gYO_+biu-fB~*C37R=?__xH~lP} zl`{C?Zg%^S89`0Lo=eJOVpvuVBvYCrF~r*ik###)H*_}+aq0vMt5PMY(Q*87`hx_X z-ibcHj0vj>@Hr_;@c?xR*!C5s_Fa{Rpp=?0>|W}lGuAGBo2Cg}NIu2lCYTVu1Onyd zT5*b*aa?~+&C+SQ={LP>K8VAas`)j96a59-h@%fyDD<6o8Z4QOhF@$+j@wb=_eN)B zFl`7NA(Q29|80;a=4=luZ9Ttbz)~Qv%9H{-Q4217`zyB2bNX=v=y!uRbng8FT~9+X zN$%i#wyq;@B8AujUqPj#Hr%Q%q`VKm!3Y(@nUPR=(}9saUUHnMfnGi+^1*j=MXFCv zfW7yIJ=VNcFE6WrsyX!q&A)F#k-N!)uY|ATWPc$FYINzkh2lXYKqASKAk<$kWUh%d zI0B=jt2Oc16RQZG9F=o;C5)AM782?-L@(5-QNCMFa$$Lhf90ufL9^ejzq5*&wM1!U zgk?Qz@{OJaJO9$2buHA52X)aK^)}Y^6hCh7A3R=pbp@|H z3#@BjFoQ3Q>d`vm1rX3~9W@~vRfj9c!4GXromXzG*tPrvJrRi0bG` z=BHSppDCAfA5v>+=kF82TouhQX2TzWzcEc*!$jYMW6FV{W~f!9Zwt50fLZAbR3rY- zo`t*7i1@RMg6AvU-@e({oH4u8lZ&~>yX>gz-t_sr$eJYyd7nt?+F&E5)cglqjM>0r zQOQB&VKNGp@o34ESCUcyk7Wp3+}SC?ru{}41j{SA->!XO>OF$w?HvW3$&d5cMekpc zyoG_w9eulQ$@z!o(&ZCTSOev2m}3eH9=xS^z=Jt8y+mTi1Mh2yaQ(f@*Xf6Mr+Vh8N196Z+*QVQ925r{kSCYzLWe^W^mvp7KUJXB&TNd z*_Exjxx=9w7yRzcg*y7fph2c`19;j{8<46?Cb1PHVF6wC&IqGNf-WIEHNSH3(D#m` zF*YM1nj;2^ z6HYT9K>2;wcLom0><2&XwSav`(iWaqscTR}bv6v6d7ER*lW7jr92J5_?~-n{=J*m) zZp01E4OO+a7?|yJvi!!H-t1pVfXUGt-6e8ds``ag&` zD<66U%9(FN?c8qJ&`IM1u(UXTC z+yb4Y1Tt!(4CDDsRU-;z-H_`%T`bc+iTFn~X%}eFdaHBG$f`n*n;B;=yshtyu9+^) 
zMfg!V&zkmop6uCHh%7x$rxx9uLsahz#(stPS^6n`z};jl%sZWU+b7N0{$on% zK409@?9xhgB9V7R=%&;KzobWUS=n~^>7FNs&z4EpOixV{6Tn6m1L4d=MA8>HtwPHn zhX-a677bQlw6Iv8U(xn00ybW&(nA~aU1-AIgCu!lWD@-z6Q+Y1JVH<4BSj?em$d}Y zcn#kB?9{>A9RUaX6KB!9Rd@;R(tdbfB9d+0Vx2Lh0Jo`nY6hxd{Bn@~K@O-YR9!v$ zLOqfDwBd3HQ+DhV5J4Lp-~Kk`8A zu2;qjL7WJ$4X-)ug$qkzirS_65J3JAJoPtPhiiimlkGwShf|(2dH00f-d12*bP2>u zhkqGP-jaPL=n^CHmXhwHRrxhL;`#Ak`e(U- zCW_Av9C}ZmY!`mx(un%^T)-jcGl1h+plMnzMQL) zm#wOvXQst*;k-Y8zEU5gW25NZb8JL#wrI~_uJE9_Z4Vi--0PZo`&s>Lg@?O_e7V;v z;VCgGo_bq*N6Hn@ZfVKmpAfHZ=LE4Nk2DVKsfNMZo8^VxYThJ zX&@*$KExww6U*67FHj>=-{A4Z)3=WTug`(g$fyx%g0N1q9X=*saWGsZ?3MjYMx(wC zh?2)=UhJ1}EN$AEEe<262OYOdPrtdf@sX`jmI5n$Yk+eL?Avjo>*)X$T0YUBK^vFW z5b?+tl;A<2)5uDB6aaQ$5iFUDWz`Eck`l~kfSCb?Idfg4-f33VoCT^yD%{U3#`|<{?=NfJs zIvscN#Pe5X=iM_}`|d4`jEa{O*uJo@hb2O`ns{Y{pZC=QzcgCJ!e&szLd_)V;~7^% zuEfD?;IK?I#JD(ER`aNAs~7Iw&}e`GPpc~`E%lTjBt9d4Djux~%1gP~j{2O|vn=#i zEb^cVo>=6lgBrM9i605nqLvrrj*jUgCL7rJ>-sOjBAtf^T%r>v)4blkq4 z3}K2s*ktRvDq|)aEbZGf2Oc1kSlC)feB+YKp26fhm)M9eNA{Gme+T_oHhHj7_Mm=Q zeYgc9lW@(dUk`BV%Ik)xAHmYSNCa_K6j1}E8#`1~KgWM}j~1$YE`Bs;D-h`a6fYiK zFlaUKgLV;pl-PuqT!hXayz}Bf?e=)dWBoZ8?U^Q*bOz0Vp7vZ-2c`UHZlVMP&o##+ zCc{P@m>*hw8ml9uJW@^QE8kKG!e0@O9tOMWsZ}`PZbXcvz?%0{!H$@t9)+;#)Pe3% z@;C7wSKwd`up5nC{bZK{!LxqvYfrY4*-v@Ihc7*9shC;J;8sd59mP3AMi_h9F`Hs= z#@wLHT*wc$1lHRuP5#cnqHEd4H3DoA2(J9xH{=~Fm~%%VY~SQ`+gdL%;g zV8v&i*lzV(eaR0yhvCdmA=!nBZC;~V(ZEPp-sYUeNSM``0E+(Bq#(PiZ+Ed!n zx`s!5GP7-0n|pywep(D19mQgTROJfg#`1KjZ@+s=)}EDGkhM7^-5M4z>6jplWr;&- zuJ<#6e?jpQ1Y{uWgqhrLh^aJ!p2%f=Y_2F?6qWLbGZ4w3gR0Ey?kER02=3j(=TAQv zh~=l%5R6t4IHeQPl~4Ec40=z|TDY)%?AUtCM&~0c1ERAti1V?e#CVM@+p{aK zuO^*wa(9AzGidx8;Q2egY(oLWx6i=ei9tJ{EOPMMct6t02q4(;y&gpmJP2WfIq=30 zDWmz3x1KK-9(24zm4G9_``AMJ)r1^?gFVk_LQsY%!SpZW>TnlsQ2$eDPJ=0ivvBR> z`V)ahLu$NMO0hhxg8WM?1I*MK4Q-cP$#ucIBK+ka;zuEVKWj=B2ZC1NLc(KcC1LZt zG8OdECeXBbYho|HJ?>{B*wC->tvPV4@~KS&c$*wRLzJgA^n88m^`K7m_B){s+i2ux zP*!o-kLaT&8m-ekIlj343v}4)PpHB7f*D(coBvvS{tO(%P>EG?Yw6}`>z%k+=)+0RhTRP 
z&U(L>hAakz-%cZuteuq{oFG@la@Ci@4h%XT_r)%wzVdx2zJAQvjBioBO`?k6KRzIp zyM0<|zSsjk_2Ql|CR{A&W3q&-$5VCT0$yImAt%T7&hWS7D%TIyi``{Suv7b1!?_-n zh}lT9zu~}R{&3;1Kf|-}=Z218`GNm75S^N- zmx_84qh3ZmSr(-=0?s`AtP_ufP$ zl*am~)+Y8k45wvWuotZ~kv?PTlT#40-v1#PouPD(kUORf;KIK3AkIw_)?(cBh{#M!JYb@(x0&2e*D*4v+M^ zjI#`$;+mvX<<*&5>{|=*jmt%ukqa86AOYHaS~9VK+@a6njHfKMUNMK;Vt5mt0*cR| zX_s#d1&?fipBMPA1f?T=gyUpDW@--aTyF}FK_jl7$=asn8VbS;UUiA_Vpd;%zBKOE zE7qBRE%4BQGQsdG6lOlq(0Ehr^egoh9@@{~P$8<92ltzgC1VC^nl}d=+bUR#Cxems zL5hM@3l)>zC$T1=1$x}Fay+=h?jvza=Gl5#IBCo@=4Ty2I+q7(Dkl>>S$UlMG-;)r zXVq{FUJJ~9+~$+t(h0}lqfwE>pfL8gz-&ZM;e)_^M|OeG-v}?qj??dEU1yzrFML4g zp%u_bgzn|Q7kYPEl!Tf~uhSB`HGz1oL)(1)tVh|d$7SoDOC!*`#?b25o~d>TfPWmR zK^3u||H=7B!lFJ@47=&6(_;!~sjTO|Y^uDL-ZoVyBD+u2G5h34ezVam{ z_`|vp0rp_YAU)V`e;#sC@aX)E4MD+nPSm$%1s`yhQYV|y$5Xb6*zn%7d8|i~#@qKZ zNMDc&^p7KNOfs@qTa6I7_M+F_wji^PnwWA?StHi(97L^1OBF#;Elon!NYi#VM)bFi z>K-Shx-A~S@-rD~PxEZvCRu2eK2x2+y^D~2=H>j!WlJOIV+{tVFmZ6sz)E4qFi zh4H`nP|0Idkh(^*QuvNki>T#m4+?4djl>e_But49P^9N3%di@G;wHgj%4?)X}KaYL^L3 zmhMMjg<~N27Tqg?*-5H?ey$}j4~pApF~=0DQR?Cg1VL(!;;0cx0Rj|Y@NDCYBb=ce%3`GUJXfti;crv&#zM#bDjxBYXC z%Xvz-b=x+h+AI4o3pa&-0x(B|`Iw({*^l`YDe2`gY0cL&Q26l7c@SnuAtN|*zedXu zHKcQRvtV(o?2Nm4+K#I;*9O@)Z=C_khC^-NS!y~1!HfmJ!2tP9Ae7=hsy~IiG)*7j znSu{MpPzwBjR;0UFQ8MzMBipU#6m_ZakiQs%DnF!qD@{ z(BeI0VZuaYNTqyWa_e;EzR3X%QY>=bDb^UNLZ8$qe_V(Sxw#PAB%S;WpD#=RmIQmy z=7tb8k6r1weD2}m1$-Fo6}rrXPuo-27`S0!y~-6d(zCJ8nG@y=>J!=%$Y{O6(iP7b zg0971f1LOqOT>9s zm+^UdtUYdfe>@yYfHn`|fyTTaOkSAOz$og2@7Jihpuw`0i{iOF)A-iFS|KTNoTp4R z<#m1Kw}tN!WssRr4IR>d?@BF(0vLo6Li}>o@T?o^1vx!(Aly5mW`lm%08;JciCndH zI)`K8Uit0gacPsES|={PEWFT@=%*7-^nm7#d$8QIc?+6PG4~jEt`JnRCxdM6b=18x zL3uDp)ahBiw2D!Ge-xC^(@!;jH{x>52(Ru2>T!A7EQ-%bUsXXP^HrZEIPcGHKpCGl zJ!7vD% zY90C?3Ucfe%TgmAITbGAgDZj>q<>SiyNIhO2;JfhZ$x_Ms((h*s134I_k*)NMziH* z1N(`=olDyC9T85M5gn1*dyt75sS+$L+U)Dm?zQd@kp)%z=41yEOp%sL8IpeaAR4M? 
zA$S#vXbz{n%KSwW(jcd1I2$=hrFPN*Z1KK5pPdSjlq*sAg~fE^GiDj}8Zhvg`ChJQ z$sgt#3#P}Crt4?T zLCvDby*GlPw*rbyUo{Cz_z_VJ+NW_#xYZ;gqb0yWwDKdK5a$o>-_Vzxvx%0LBF0C2 zLEiUm9%AXf0@#~tT;pJ*55x9q$mq|$aSNt#@uChdFrMhX%r9nxC^?HQQ!<3rp82jj zt%inlF0K|^tvCBy&hvaeXkBq#8TF_WwpBa9!E8Y%A>o_zL}{u=&t0Ur9kF1P!=(D) zbMNLV!kFiSTGm>4V(?fOy&n)P%KS7ubWL*N7p|+r;b}#Ti5z}%NlEE0aFDEpvx<73 z|4QZYs@Ho~Sv!|fa@457`_ok)uO?qF1UGOG#~D3$tHE4)#aO-_oG9fFn+p2ohsTcp zKKCA#Z*#^EngBihRHn{sCi1n}-?#BG2fD@b)~J&+$jIDTiS|jj@0#}d-7H2rkZe~; zY8_{l&}Z%jiyX`$oi37$QxAbU`<`36bw~0DCJMXaY&LvL{le=XNCskJfW)!G%a!(gT zKh+=Tf5N_mD!kBPunC@MUSVrSOGc7^=X8Ws{g!e&mOglOhLB0K(5;iwl)L+8QQOK- zD_C(HS#Q8eDeZdq=PQWwEhH>;z$3s7ujCLROt54W7_W|>>U(>Nb;xdI&ursGdsp4g ziQ;pOh(j&U2_mxy0CQ>Xrwm)I_%lgb*wqT7nfJ^x~) zUUs05RBQvc1qyd->RW{$U_Sq)YhUn;cOM-KvrtrZlpVuBS=s2ZaA6-)?4IT!j_lvE_AYfnM<^ z*vEfY;ZJ%+`2HhrCTM%be8i&I%}7rD@8FBmtIm6yuL+%(mDE~yr%g+lfUMgJxzRkT zc`HabXN~KyE3dn1^%texS=Gw{ZR=vC$J};oR}PgP$W{8Ysy#vmsarcpja?Q7r$v@D zVHF<|2PCZXer^(JGYw}7a2ru22Yua zE&J4Ypq3Snp=?H_%~atFcSk}^tgZc#J&$>u=P$3TcAF^8*#BY5FVMVQMC3c{+gijI6XuPFY83@p7NA?EIl-E zrMZQzbCqJt-rK-Q6iTpB?a3~z$#>EmY9?1B)a=~`PwqYssH#?(_g!D%!2qYKJYVEs zzx;+tN2tlW7i=Eq;?sCzW3IDZ!dUb=rRvoAT1*gp_{z<8`UOLTnzGkyg&};EGWoL5 z`eWT#!>iAjlDfPvRcw(U;9t)E$%BvqhsOu8_f?!Ueh9&DpCFwXD@8_7rO>kma+P8_ zX(CK`u6h9P97EhLTW;laJ=zJ{cZfAH34dFy&q>(>WT=F3E}%b^s^ z_5C*cWh#x^w)U8&9mGmc5F?^7Wm&*pc{FTYy=Ph>bVrDD0$St|OWBf^9kA~20a0?S8P9MLgP;>#G1xqj z;jHM?n0Dl5vU4iPT9(Aug_J#bR*5PXCa}rv{`>yh;~zMt$T5wnj7Gle6jUH*-INtB zIXGHVwa(sfkhl`+M@xbWQ4JT&|F}~jH$34`8!p5N>BXU&3LfPQq(&wxMcjy&HDf zG1;#TzpTM|A$uU_pWR=0YBkIi9{wVA&cg5XWMa}3)Vlc@K|B|^t_HP+3gW6dGOi|n zV#^!z)x6Yaft>+Rs}8qK1nylR%N`5RT6KXyO>mz)NNZ-K7`zzna|I(jo6CzO5Doa5 zYQ%_jE>LAzGHuNS?NYvvq7B4jE%>J3(4-B$IUojnRn zKqy38zJfQXUC`+n{L3SQ4ei014pxGW|MO$%$*e@_k7AA13wkY&NJk< zBW)Ap!@*!RUPKX{!Lk98K(!FS2R7cVC6owavFycgadG$J{N=xvNRrQ?%cf=dR zb>2|hxJ}f|ga|)2ywI7_-Pg|SiitdFUi_t>$Y=geS8YeA#OjWOr8dF436OiukUzF1 zfFNKHy}@t5J64uawBgZm0!ui<3q9Jgw{G4f8z{)Kt(E>soT2}QGL-SO9^U%qMw*1d zRG+{AV;N8I9zrbV@>DiLH+xJZ-4Ae=>OkTzf|UsG 
zp{9}^K|AsS>kz?d+9jGNH)T^O5deNXLZ_Y=Xn;9#9Jh?$RrDjCGK*fOtdUcjkDr25P>%P5O~o-Vv@&5QFvfHxJ~x%jdk);KO26P z0^?9<5PmPxNmh7Ke{g>9f<(JZ!LDbZbPt3g8xTfiVkngu@w(DdP$F+IQx|^U>*Mv8 zvk9TqzmNH6N}o#qmrk%k%MHopNlmWEv*FEpluRb7o^C-9%7u!O3ns)4n1H)j?#|pl zvbm18X$=<87Sq?BLlhdwKK$~xX?pS^me2E^i)R~ayha%csMgx z(;|y>2vY*n^QIuJzr|l#1qC953&FGS4RTSW2~~fQ@|__)i6UBHxi-hX#n)1~;>9MK zzaNbXaA}5n68p7Myz^R#A5tUKX{^wShrx@&tE-^@m=TQ25YsT7!HFYxL9 zMW&>xs1OA1{MI+?_I%W~-Iv%O#ZU`oap9?ct{i zB^>Xb+CP=UTSU+Lz~3jWcYB|vh6n#O2G!Gb3IJ6YqKmefv#Vep&QT11_O1G7c)4ZG z<_5knyr~*_A6tEOuPZQcv;xsowK!h02R?dwm8Y?jjcNOR^Y$+}pG{C3J#337e`Lv$ z(1d#LM+20-EFiZNm9bK9iM?ww(e@Y8B)_szw!eZI%UU%UqCT#`}) zcsQi6jaEOeLo(^sY|{qdL;=E{VsS~6VZ;)tMU{0O#G>sWnCO{d!TM$kn&vFeONIuM zC-MnE?Om3yXdf>sxrNGCGH%X>lt=b-XRUIx_if5w1y=;)8sH%M*Nv(jo+TC|QfIx$)|dS?d!b{eDvq_CbRp=vHg$z1f7!Y827xAP(I%=Ou(;lyBB z%!6)UqusI8YXB*R!Z)fp%>E~5BwbGvx%xp0VXte}4j=g_x1-nyPftht-MK z@rmcBV>Kpjn2I9u&%*M?FS5B;ztsz9a9N9NkTumQSs1(o7X4L7yhXu5G(5Mog||JB zSy;k%_MYbCBdXW4eN$yqZq+HvtgU{C25_FFx$?QvDCS7pg|Q*D{L+4NEg4e)iu99U zAPLzT6+$DISSm+-?)&qJcyGuwQ{8-obl`9izRm! 
zklGw-CF461?4*f`o}dPeq$(ZIL7mgaR#2cJ3{@7LA&=(8CG(LwnFKTx zcQt?IaIKIAQ5MTD=|;Qoj*>p{iOCyle%b)N34u3VJ z0u~_?lj*|YsHmI-4rY?lwpJ%tFY(q`hhP0w>IDF(PFBlPg0wNxk@J9p#_H@Ax2mV^ zCfqb+Ik0LJ!*&rAu5ac7hem&^55$sRqG`>iQ z-=g=>4Z|k8O5N@yhylF$cw0eSaaCd0XT78+ZqvHmqgs9X<`)5U3kqn8D~^o%?uqAr zAQz=D)i-S*egK&k$Fhi)d`pjx=FkFPcq&X`6S;Ut9i2hx4N1JXyG`b@Wq`bo&)JHb zkfxRp8a%V*#Hv^#0P|UsF2k&xWTdfTBJ4bf&+tP((>VU#4D~F4!V1{)iCn0P`FP7aTW!FVT1H1DRa}N(a=ZDFKK|F zk($84s=0yX^F~W9(HMo6TdajJZ8uPjHB2g<2*&GA0iMbRP)tjEKH?71leu>-FGC-$ zbN^8n9;EaB-WltI`XwNN@L-1+edp0F<+USy7b$tN@Q#N>yC)q57B(hWnf=&LhF=lk zXClz9%{8o}-mYxZh~y5cc3{Tj(aeqsStbURHp~=FPr1d?!LCXmCK+!ChHkw2j5#b^ z3X1VGTA5}mpfjfVHKE{|0*3id{Z(EB+lj1=7@+`%6tS@IM;!~-WUGe*z z3oP)Mi2Mz6dv@$HByTFO(4>Uav8YEq^ik$wNjFWS(kIF)T z%acF8q9TEV*^H%61g%_fRx=VS*-&iXA|DMIh7Dc~W-M1i;iG}sd^M^IrqCM5;AkCQ zVhWZir2fj{9dn@W7hT(9%(vXlK?wC(i*Dg)$S=$G0_ZcdQ{66~ zpYd_1cB@~-%h0tt#6x(8s(saD&=lY$8TE_71c$%Q`(y-8rN5yHnjn6rrm>XKe2$~K z(R>pOKfKI}oLY)7O=P=OZAdSB1K9q8%M^Hh3lKi+kt&LpGzMR%Og2c*UPr($fGG_# zqbjus4G_373@_uHqNa(xuy~{as za$yrjj;PAFw)8L%u_JeR${C+LKrVYr@dP>~Fu@6*3nzOKO(4Iv>1)#bn46zFN zY@>S-d8=0}(zXxPVrE06xcr#;6do)D!IgXQ*TJRT@Bo(26iVSR(i}Ybf0>}&&@6Sz z9ejo-U=_B>)8vQ!m{3ZuG3=}4yea^+`!0ZZsC;DuS}iO=`2pft?wDJCZ@u%2ZdRo1 zCdiihBdDvGEfCKQJ$znUSb;-wM1KiIyYWK(tr*nDW|BY{X{7{Qohm{T(;=@rz|Q{* z02Z3RQO0{1N&KWtd8yjCLc<^k zG`6D}ts`V^Daja5{>xySX&`aIGh;QL=!U z7SWj?WKiWZlxthr*fS{hP=lt8mYD+tQ}+e&aAYpB`*BM23-;{9t~;_DZ5DQd(O5zYCTbe3hqjkd6MbW*=Ji@3`9EQl=-9LECzG3cj7PB32L1v|e~Xd-d9iRAz2^3$M;ixP|GVwo5aa*rZ%-bBcBBD-ogEzd za~bEg6J@*FFqfB>b!xod`r)NN$j-C_awmkZed=>PNfQlXhzq{93_=%yBF%+V#jhzu zTF~&XskT@530Rm1{Q==U1PxGdHeC>n-&lECSH3ay6*!@#jnLk339N`~H3{xC41CqO z(J57WZl zzOn^sOsT+&ZN6OBUKp`3ouqdWP~lK3u&PeR<(_95_x#kt!9@+E=Pq9>H&wFE|6AM3 zMxju`_LWgF10IypUg7d0j`Pf8&q!j~t_q;VOFo&q_8^ESYu{QOet0MbtSmdi6J`E{ zY)eP{+hj*j z?0NiC*k=5R?wD+w!SFTwkv@@SVhdiz4ZOmb$w&)~!v4)1bMi?~>mFQTUB^l{ruJh| zmGOT55Wi+oEE<8_%p!eN;e z1wlspun#N&GA;jGB}CUx=8~ykiNn2KOU4hPrI=#PaKKZqmy$2@$m>ys^)xTp6=PA& 
zOeFVvZ++gMv>no^$WYc1e3bxDYfWojC%f;nwWM|x%RJx+`tyKq>{!vxg_-K#fS{sl zV4)H{ap?E=D6z6S;%U;ehh_5-Z9mBFmvLRP*mG6Z*i&}r6M4zviQL%Y$n7q$JzURk zCz1ax9bi~$#HJWV;lP|K zegFv4>gN2N%pHD|qPBPGE{~YWPH^B{JOCRa-&-E86iql4_5uMtnU?6omPsg|Q)5^? zfh?O=ncSw=l1_cp{s1;Kab_65PDQBI!hh+qfK1y~1~m361RN`Kvfx_>TDGJ;bJcCm zCq}f)#LP}E%cAt666HEly754^Rf0f6>GP0_*V%%0<-hb_8K!fLNHd{$63}-{PskIW zZE;6HZYMb({)bC{DVACV&#C!>Wd2PpgZZX}oiy;)!~@a)ut>29qX9B@yS`h~_FihNX7bN_v^kdGcipbO#5g4$#dv>!z-;2RMk3m5P> z_a>5f>;2nH{}rxYhdh4 z2=7E7-1TQUsRZXcXUZ773sl|Ee@vWto0jm7WjaS_$`Y6(*=HSM%YO%oL$1>N?($YT zB?2T4-7QJHO~dF5@ue2PH#S!$bDeDS8crHY0+l=`zCB&rGJ5BHRFect&BX4X=mf2b zeCJ!HuWg#QiVUSXJiU^(S8*zs72(>{D$qkX6%3iBh`Z8fD3f>@xo+qTLsR0sV{X8bNMM#|01h{13 z5H4=$_gz2b+&OReSYpoS0M~>t@!Qv0rL0pBer`SObBd}6ajQO5*astVrNPfUeI|mn znHh-^}SR{k;x#S!8RQcuICaPuXp@;=wIiz=31#2#Ef6ZZDpKe6_|f@i@TfH>)=$xlmF3jRy5sqK*F zIa){0i|RGt$GO(yyAhju6)EGa4D}bfM-(B^E2_&h+rVkXp^6=a2v|O)_p(&Np;Q_x z_)*6J`3>RYkt*(GxSyIM1nF6>4Z88S%cQus8|t5askO4V_r!-EV}%A(QHRO_e!)Ed zq&>QH8(LulFl^esJwNu-2y^07$BAE^-~;xqIU)%dBF_5Q%~=$u^|8=)!gVL9MIIL} z1)XQ?CkUW)-jH5P!MqMxJztMghF2PoQ^-zUqeaph`0*-!(w~FL!PP7KEIkhF1nDkL zz|uxX1nS$Q1|ybx!Z%;nWqE7Y;4UA3Yrm;q)09s9{BkGuWQdVv>aY2jinXaiY5B93 zK{5Lu3lw4>9Fn*g$by3!7@*Q~okzujva@LDxQUzyFh9}ZrP6nwCy7|dG&4QCi}Fdp zLcHlAx?k-hNjC&{f4t+>UV*z@r6SFUSWeWn3!4E{9aW93xzDy=@h<~h=Buf`qg&RN z-CVx#?ta#HX?NmGq_&RgM{*FKUjMey`^dH^r@Z-S5pLKUDGqf}18oWVDBBIA`*?=o zB8_gcC%A}cf)b1)*16_8QElwc2=xSR=F0ehL(IRl~iDpQ~Zp;x=hl2jxO)mtd@X|rNo}g(25C^ASHgD1M|3otWUT}<|=USitsY_!Z&QD ze!TEwN``#hgYTV>a3?STO)lLVu3ccnpTmL_Py`f=Po`&bL^S;<|BMicxXT^`-g>72 zUuhAjf)98R7L+BLSh#|w4AoCt|IH!s;_7b(c3OO$HqSxgdXnH{S$S+!ikJk|=eu>*(_cs227<`I%aBf&zB3%oe)tNJd@Ju`F3k?y+d>a@nIII{!2|mms4XrnW`%t+#8M9PmJ;jK-o7ikV@Ej$o zo*GRl0>3s9tcZSC{_csS@Ohw6P=GNgXj~q5A7GB!iBQcpn@PpCjJ?={mh~8tfVIuc zqlX9}Wj#`Uf+M*u`;vkQEalDo8HS<9yJG!UzRNa9Xq=PH?G>$!05t-_{CR_h)}>x) zQu=E&i8ClbQEWOOPFLQPpaT7y8c_h=0QmZ2ggdtLg~?1k z3#~LRUB9aF_Ru9-RJaI)U{f-3%`zo>F%hU#G__gA zCe59GkK|i+GdQq#2!dGcxB7XA;#^#YIdbRJMSevHz&&pjVX_(#Bk4(eTOo-Gq5vO6 
zhQ{%2!L9KQ#dhoMqFYpifoa%JSENK7>eWhoRIwp5DR60JD@=Ki$EpG0pj%6}XXd4I3Q7!PNzuAHgHhXV&$5NnPKN3L3d#6*rx;( zxjKuqR3Mw>_n8MXmYYafZ$B)2WQBaCx&&vSLw!gIcDt1u83s$g3fBva6S+b(pBKVt zW(RNxVVQWN>sVmC3AvMhPVl>!6x-5y4N)hPomoEC z|Kz;R}oD9;K?W{PVk z#fYsftB;Og+|1t>F<j8Tu56ow%_zwfmBuPWRl*Pf7h11yEz(?~Cgp!4$l53J+!OMUOPr=H1 zxZVbi3d=T&(-EwU>jKvINQZMT`t+yn8Zz2?A;1wzrD$W=klRV22oAgnBid*>x!c5X6U`lEx zg*7O?LZTPRn*BirlslaQYsd&aiqKOrN@9$dWo_ZgpT7m`k0n?WBBj@YGM00)Zy+I` z@eZvpoVu+#nemRx22GHJLIWK@k&lXi0ljsk^emRPi*ffMh{`su++H@tn+`2w_ljhb zU(=mQRgMvUF3baq8smJNjlq+R(QkK&+(>B{F{Ef{f9dp4aK?XBf`uBHm(UKJL#thB zKc+HkgwNvWALDpZmA$glJ#}fm803H`%HUvo$cezey#ITF(Lg?xV`%ne_ra_GTAA>J zgfMdaT4!CU53iP!wb!|p{z`NDkE??U{r}OXIC-QN7MRj}pX@_mU&vJdcg1lPuU%s)m-hkq1!$Ep5PdhyQxp2|)KU zdD%47%frv-edVr9_Aele)9ao|%Gr}3JBvgy!o=|B;K#2;6XLav zc-Kt(JNQk$p!11asthWIHS{AST9e0r2*by&g@{lSJ9WTRdva7NIp%k>n)b8nb~pomaP%UMt>(B)GX~?#c)hFz^DHK#D^gCBXxCln zIYagNBOP$hMx!tJ;nM!yLhx|U9VGZC`r7CBEb$ZQ4kAPvNSuB=$YWj2vDSgEa>S++ zOxgnbdaW-wJzz8{w}J~(5;U?9pWR)UwE)9D#!}oiy?UDpj2&raQkKeO_D2pTR#=Bs zY{<)$fcYzmRtc{Hrp04;?Mf{;LgCqF7OnOrQKRW0zt}8sh%h_@5G&rvwSk5eF09|x zVSy3!22N7{cJ$Lr4Jq5xH@|K4m>^+hOi@2^oL$~@rWlVYKd{7fH0iINBmT&2u1Xnz zZ@=>asU|zmsZK#4yxJ8wW2to&eSf*zaa^;%1aB#C?>o>$O_k5aB0UKXk1dY!GYd=p z{3xXT7IEEg{evR?SYvDPy|vf~38i7sv8e0Vqb4d-~p zXV#W`08L@!dN%}M`IVpmpR5g?GmC+3Svwi*i1mn&b}sDX`KeFVKAH1IYE#ca9?;I- z`Si()KI%s8R6!_ph}%8%I8=(Y5zD>6m@A;FH{&^F`8~b>o_#tOkLvH#qbre~eNt&< z*TpR`0EVJ=p!dRC``spSdVHM!!l*draxgUW+>LSU8?8Sa$aRl=V3eOZjEXX%Z0G<0 z9y&>fuN5VCqi62ih+ZDXWj^~UOpcM8w-8PTA1}Ir;=urJT^hCZ@E5%y~ zH`gn2ouEo@D`K^ek`(*%h{IYkJ?~G0hpRkWd`BBCmrYuM{`4c5VRRhRQw4=QPeHiE zCi7$=!nyV+RGJOT=uL*fCo7(lthYo?3qIr^`6<))3sXm_x|D)l2`TP(vRKC%$|Y2l z*K~`3Yti~=Txzk7@Is9ISeRAH6D>c*1@{5wo>HXXSZv`He{$U^9`K9 z)e8in%QPKl=4CcV62+WS(%&hCOY4s?O9q<$nM`U+=E~ diff --git a/report.tex b/report.tex index 8a995ec..b94b908 100644 --- a/report.tex +++ b/report.tex 
@@ -37,10 +37,9 @@ \title{Void Processes: Minimising privilege by default} \author{Jake Hillion} \date{June 2022} -\newcommand{\candidatenumber}{2373A} +\newcommand{\candidatenumber}{2492A} \newcommand{\college}{Queens' College} \newcommand{\course}{Computer Science Tripos, Part III} -%\newcommand{\course}{Master of Philosophy in Advanced Computer Science} % Select which version this is: % For the (anonymous) submission (without your name or acknowledgements) 
@@ -143,21 +142,43 @@ Words outside text (captions, etc.): 128 \onehalfspacing +\ifsubmission\else +% not included in submission for blind marking: + +\newpage +{\Huge \bf Declaration} + +\vspace{24pt} + +I, Jake Hillion of Queens' College, being a candidate for Computer +Science Tripos, Part III, hereby declare that this report and the +work described in it are my own work, unaided except as may be +specified below, and that the report does not contain material that +has already been used to any substantial extent for a comparable +purpose. + +\vspace{60pt} +\textbf{Signed}: Jake Hillion + +\vspace{12pt} +\textbf{Date}: \today + + +\vfill + +This dissertation is copyright \copyright 2022 Jake Hillion. +\\ +All trademarks used in this dissertation are hereby acknowledged. + +\fi +\cleardoublepage % preserve page numbers after missing declaration + \chapter*{Abstract} The important of privilege separation - separating the parts of an application with the most risk of attack from the parts with the most reward for an attacker - for protection of resources in a modern operating system cannot be understated. As Linux has grown into the behemoth of an operating system that it is today, many privileges and attack vectors have been enabled, large amounts of which are given passively to new processes. New methods for protecting applications and processes have come along at nearly the same rate. This paper presents void processes: a framework to restrict Linux processes, removing access to ambient resources by default and providing APIs to systematically unlock abilities that applications require. Void processes solve the problem of needing to know what your privilege is in order to reduce it, as an application developer can begin from a clean slate. This project built a system, the void orchestrator, to enable application developers to build upwards from a point of zero-privilege, rather than removing privilege that they don't need. 
This report gives the background and technical details of how to achieve this on modern Linux. I present a summary of the privilege separation techniques currently employed in production and details on how to create an empty set of namespaces to remove all privilege in Linux, a technique named entering the void. The shortcomings of Linux when creating empty namespaces are discussed, before setting forth the methods for re-adding features in each of these domains. Finally, two example applications are built and their performance evaluated to show the utility of the system. This report aims to demonstrate the value of a paradigm shift from reducing an arbitrary amount of privilege to adding only what is necessary. -\ifsubmission\else -% not included in submission for blind marking: - -\chapter*{Acknowledgements} - -This project would not have been possible without the wonderful -support of \ldots [optional] - -\fi \cleardoublepage % preserve page numbers after missing acknowledgements \setcounter{tocdepth}{1} % only show up to sections in the table of contents @@ -185,7 +206,7 @@ Much prior work exists in the space of privilege separation, including: virtual \begin{figure}[h] \centering - \includegraphics[width=0.6\textwidth]{figures/least-most-linux.png} + \includestandalone[width=0.8\textwidth]{diagrams/attack-surface-vs-linux-compatibility} \caption{Privilege separated environments plotted to compare the number of application changes required against the remaining attack surface of the environment.} \label{fig:attack-vs-changes} 
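Review bot: In the added declaration, `\copyright 2022` loses its space because TeX swallows the blank after a control word, so the line prints as "©2022"; write `\copyright\ 2022 Jake Hillion.` instead. The heading `{\Huge \bf Declaration}` uses the obsolete `\bf` switch and fakes a heading by font size, whereas `\chapter*{Declaration}`, the form the abstract below it uses, would match the rest of the front matter and make the `\newpage` and `\vspace{24pt}` unnecessary. The `\cleardoublepage` kept after the abstract still carries the comment "preserve page numbers after missing acknowledgements" although this hunk removes that block, so the comment should be dropped or reworded.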
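Review bot: The caption under the new `\includestandalone` line still speaks of "the number of application changes required", while the diagram this commit adds labels that axis "Linux compatibility", so the caption, the label `fig:attack-vs-changes` and the drawing no longer name the same quantity. Something like `\caption{Privilege separated environments plotted by Linux compatibility against remaining attack surface.}` would align them. With the `standalone` package's default settings the sub-file's preamble is skipped, so the `\usetikzlibrary`, `\definecolor` and `\tikzstyle` lines in the diagram only take effect if the report loads the package with `subpreambles=true` or repeats them in its own preamble, which lies outside the hunks shown. The figure environment ends outside this hunk.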
@@ -660,6 +681,32 @@ Although good isolation of the host system from the void process is provided, th There are two problems when working with cgroups namespaces in user-space: needing sufficient discretionary access control, and leaving the control of individual application processes in a global namespace. An alternative kernel design would increase the utility by solving both of these problems. A process in a new cgroups namespace could instead create a detached hierarchy with the process as a leaf of the root and full permissions in the user-namespace that created it. The main cgroups hierarchy could then still see a single application to control, while the application itself would have full access over sharing its resources. This presents the ability for mechanisms of managing cgroups to clash between the namespaces, as the outer namespace would now have control over what resources are delegated to the application rather than each process in the application. Such a system would also provide improved behaviour over the current, which requires a delegation flag to be handed to the manager informing it to go no further down the tree. This would be significantly better enforced with namespaces. That is, the main namespace could be handled by \texttt{systemd}, while the \texttt{/docker} namespace could be internally managed by docker. This would allow \texttt{systemd} to move the \texttt{/docker} namespace around as required, with no awareness of the choices made internally. +\section{Performance} + +As shown in this chapter, creating a void requires creating 7 distinct namespaces to hide access to everything that is possible. There are two options to create these namespaces: \texttt{clone(2)} or \texttt{unshare(2)}. As the void orchestrator uses clone we evaluate the performance of this tool. + +These tests were run on my development machine, using Linux 5.15.0-33-generic on Ubuntu 22.04 LTS. 
It is a Xen based virtual machine, hence absolute results are less important than trends. The test process calls \texttt{clone(2)} with the requisite flags, then waits for the child process to exit. The child process exits immediately after returning from clone. The time is taken from before the \texttt{clone(2)} call and after the \texttt{wait} call returns using the high precision \texttt{CLOCK\_MONOTONIC}. This code is compiled into a tight C for loop, which executes 1250 times. The first 250 entries are discarded. Prior to running the variety of clone tests, 12500 clone calls are made in an attempt to warm up the system. + +Figure \ref{fig:namespace-times} compares the time of \texttt{clone(2)} calls with a single namespace creation flag, and a \texttt{clone(2)} call that creates no namespaces. Ignoring the (repeatable) anomaly that a clone call which creates a namespace is cheaper than one which doesn't, there is a clear difference shown in the creation time of network namespaces compared to user. This aligns with different namespaces having to protect different areas of the system. Further, we see that creating a network namespace is approximately four times slower than not creating any. + +\begin{figure} + \centering + \includegraphics[width=0.7\textwidth]{graphs/namespace_times.png} + + \caption{Performance of making the \texttt{clone(2)} system call with varying namespace creation flags. The test is run in a tight compiled C loop with high precision timings taken before and after each new process is cloned and waited for. \texttt{clone(2)} presents very noisy results on a system with background activity.} + \label{fig:namespace-times} +\end{figure} + +As void processes must create multiple namespaces to effectively isolate processes the creating of multiple namespaces is of more interest than a single one at a time. The creation of multiple namespaces is shown in Figure \ref{fig:namespace-stacked-times}. 
Here the divide between the three slowest namespaces in Figure \ref{fig:namespace-times} is e + +\begin{figure} + \centering + \includegraphics[width=0.8\textwidth]{graphs/namespace_stacked_times.png} + + \caption{Performance of making the \texttt{clone(2)} system call with increasing amounts of namespace creation flags. The effects of Figure \ref{fig:namespace-times} are amplified when creating multiple namespaces in a single call this frequently. There is a clear divide between the time taken for user, pid, uts, and cgroup namespaces and ipc, ns and net namespaces.} + \label{fig:namespace-stacked-times} +\end{figure} + \section{Summary} In this chapter I presented the 8 namespaces available in Linux 5.15. What each namespace protects against, how to completely empty each created namespace, and the constraints in doing so were presented. For cgroup and mount namespaces, alternative designs that increase the usability of the namespaces were discussed. 
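Review bot: The paragraph before the second figure stops mid-word at `in Figure \ref{fig:namespace-times} is e`, so the sentence introducing the stacked-namespace results needs finishing. The method times from before `clone(2)` until `wait` returns, so each sample also contains the child's exit and whatever namespace teardown completes before the parent is woken, yet the text reads the numbers as "creation time". A sentence such as `The measured interval therefore includes process exit as well as namespace creation.` would make the claim match the measurement. The result that a namespace-creating clone is cheaper than a plain one is set aside as an anomaly; since every overhead ratio rests on that baseline, reporting spread (for example median and quartiles over the 1000 kept samples) would let a reader judge how far to trust "approximately four times slower".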
@@ -970,21 +1017,7 @@ Privilege separation often presents a trade-off between performance and security Every void process created requires a set of 7 unique namespaces, which is a lot of work compared to a standard \texttt{fork(2)}/\texttt{vfork(2)} call. Here I evaluated the overhead of such operations, first on the raw clone calls, and secondly on launching the basic Fibonacci application (§\ref{sec:building-fib}). -\begin{figure} - \centering - \includegraphics[width=0.7\textwidth]{graphs/namespace_times.png} - \caption{Performance of making the \texttt{clone(2)} system call with varying namespace creation flags. The test is run in a tight compiled C loop with high precision timings taken before and after each new process is cloned and waited for. \texttt{clone(2)} presents very noisy results on a system with background activity.} - \label{fig:namespace-times} -\end{figure} - -\begin{figure} - \centering - \includegraphics[width=0.8\textwidth]{graphs/namespace_stacked_times.png} - - \caption{Performance of making the \texttt{clone(2)} system call with increasing amounts of namespace creation flags. The effects of Figure \ref{fig:namespace-times} are amplified when creating multiple namespaces in a single call this frequently. There is a clear divide between the time taken for user, pid, uts, and cgroup namespaces and ipc, ns and net namespaces.} - \label{fig:namespace-stacked-times} -\end{figure} \begin{figure} \centering