Although static program analysis methods are frequently employed to enhance software quality,their efficiency in commercial settings is limited by their high false positive rate.The EUGENE tool can effectively lower t...Although static program analysis methods are frequently employed to enhance software quality,their efficiency in commercial settings is limited by their high false positive rate.The EUGENE tool can effectively lower the false positive rate.However,in continuous integration(CI)environments,the code is always changing,and user feedback from one version of the software cannot be applied to a subsequent version.Additionally,people find it difficult to distinguish between true positives and false positives in the analytical output.In this study,we developed the EUGENE-CI technique to address the CI problem and the EUGENE-rank lightweight heuristic algorithm to rate the reports of the analysis output in accordance with the likelihood that they are true positives.On the three projects ethereum,go-cloud,and kubernetes,we assessed our methodologies.According to the trial findings,EUGENE-CI may drastically reduce false positives while EUGENE-rank can make it much easier for users to identify the real positives among a vast number of reports.We paired our techniques with GoInsight~1 and discovered a vulnerability.We also offered a patch to the community.展开更多
Constraint based program analysis is widely used in program validation, program vulnerability analysis, etc. This paper proposes a temporal correlation function to protect programs from analysis. The temporal correlat...Constraint based program analysis is widely used in program validation, program vulnerability analysis, etc. This paper proposes a temporal correlation function to protect programs from analysis. The temporal correlation function can be applied to resist against both static and dynamic function summary and eoncolie testing. What' s more, the temporal correlation function can produce different outputs even with same input. This feature can be used to damage the premise of function summary as well as prevent concolie testing process to run the new branch with new input. Experiment results show that this method can reduce efficiency and path coverage of concolic testing, while greatly in- creasing the difficulty of constraint based program analysis.展开更多
The space-air-ground integrated networks(SAGINs)are pivotal for modern communication and surveillance,with a growing number of connected devices.The proliferation of Io T devices within these networks introduces new r...The space-air-ground integrated networks(SAGINs)are pivotal for modern communication and surveillance,with a growing number of connected devices.The proliferation of Io T devices within these networks introduces new risks due to potential erroneous synergistic interactions that could compromise system integrity and security.This paper addresses the challenges in coordination,synchronization,and security within SAGINs by introducing a novel static program analysis(SPA)technique using zero-knowledge(ZK)proofs.This approach ensures the detection of risky interactions without compromising sensitive source code,thus safeguarding intellectual property and privacy.The proposed method overcomes the incompatibility between SPA and ZK systems by developing an imperative programming language for SAGINs and a specialized abstract domain for interaction threats.The system translates network control algorithms into arithmetic circuits suitable for ZK analysis,maintaining high accuracy in detecting risks.Evaluations of real-world scenarios demonstrate the system's efficacy in identifying risky interactions with minimal computational overhead.This research presents the first ZK-based SPA scheme for SAGINs,enhancing security and confidentiality in network analysis while adhering to privacy regulations.展开更多
With the scale of programs becoming increasingly bigger, and the complexity degree higher, how to select program fragments for slicing has become an important research topic. A new type of criterion called interesting...With the scale of programs becoming increasingly bigger, and the complexity degree higher, how to select program fragments for slicing has become an important research topic. A new type of criterion called interesting index is proposed for selecting parts of procedures or procedure fragments to do program slicing. This new criterion considers not only the subjective aspects in users, namely users' emphasis on the time efficiency, storage capacity or readability, but also the objective aspect in large procedures. It also represents the benefit of the users, while displaying the many-faceted roles that program slicing plays. In this way users call proceed with program slicing to large systems or unfinished systems.展开更多
This letter proposes a hybrid method for computing dynamic program slicing. The key element is to construct a Coverage-Testing-based Dynamic Dependence Graph (CTDDG),which makes use of both dynamic and static informat...This letter proposes a hybrid method for computing dynamic program slicing. The key element is to construct a Coverage-Testing-based Dynamic Dependence Graph (CTDDG),which makes use of both dynamic and static information to get execution status. The approach overcomes the limitations of previous dynamic slicing methods, which have to redo slicing if slice criterion changes.展开更多
Worst-case execution time (WCET) analysis of multi-threaded software is still a challenge. This comes mainly from the fact that synchronization has to be taken into account. In this paper, we focus on this issue and o...Worst-case execution time (WCET) analysis of multi-threaded software is still a challenge. This comes mainly from the fact that synchronization has to be taken into account. In this paper, we focus on this issue and on automatically calculating and incorporating stalling times (e.g. caused by lock contention) in a generic graph model. The idea that thread interleavings can be studied with a matrix calculus is novel in this research area. Our sparse matrix representations of the program are manipulated using an extended Kronecker algebra. The resulting graph represents multi-threaded programs similar as CFGs do for sequential programs. With this graph model, we are able to calculate the WCET of multi-threaded concurrent programs including stalling times which are due to synchronization. We employ a generating function-based approach for setting up data flow equations which are solved by well-known elimination-based dataflow analysis methods or an off-the-shelf equation solver. The WCET of multi-threaded programs can finally be calculated with a non-linear function solver.展开更多
In basketball, each player’s skill level is the key to a team’s success or failure, the skill level is affected by many personal and environmental factors. A physics-informed AI statistics has become extremely impor...In basketball, each player’s skill level is the key to a team’s success or failure, the skill level is affected by many personal and environmental factors. A physics-informed AI statistics has become extremely important. In this article, a complex non-linear process is considered by taking into account the average points per game of each player, playing time, shooting percentage, and others. This physics-informed statistics is to construct a multiple linear regression model with physics-informed neural networks. Based on the official data provided by the American Basketball League, and combined with specific methods of R program analysis, the regression model affecting the player’s average points per game is verified, and the key factors affecting the player’s average points per game are finally elucidated. The paper provides a novel window for coaches to make meaningful in-game adjustments to team members.展开更多
This paper proposes an extended system dependence graph called AspectSDG to represent control and data dependences for AspeetC++ programs, and presents an approach for the construction of AspectSDG. This approach de...This paper proposes an extended system dependence graph called AspectSDG to represent control and data dependences for AspeetC++ programs, and presents an approach for the construction of AspectSDG. This approach decomposes aspect-oriented programs into three parts: component codes, aspect codes, and weaving codes. It constructs program dependence graphs (PDGs) for each part, and then connects the PDGs at call sites to form the complete AspectSDG. The AspectSDG can deal with advice precedence correctly, and represent the additional dependences caused by aspect codes. Based on this model, we introduce how to compute a static slice of an AspectC+ + program.展开更多
Classes are key software components in an object-oriented software system. In many industrial OO software systems, there are some classes that have complicated structure and relationships. So in the processes of softw...Classes are key software components in an object-oriented software system. In many industrial OO software systems, there are some classes that have complicated structure and relationships. So in the processes of software maintenance, testing, software reengineering, software reuse and software restructure, it is a challenge for software engineers to understand these classes thoroughly. This paper proposes a class comprehension model based on constructivist learning theory, and implements a software visualization tool (MFV-Class) to help in the comprehension of a class. The tool provides multiple views of class to uncover manifold facets of class contents. It enables visualizing three object-oriented metrics of classes to help users focus on the understanding process. A case study was conducted to evaluate our approach and the toolkit.展开更多
This paper states the basic principle of program data flow analysis in a formal way and gives the concept of data flow expression. On the basis of this concept, an algorithm of finding data flow exceptions is rendered...This paper states the basic principle of program data flow analysis in a formal way and gives the concept of data flow expression. On the basis of this concept, an algorithm of finding data flow exceptions is rendered. This algorithm has great generality, with which it is easy to develop a tool for program test. So it is practical in application.展开更多
An optimization model and its solution algorithm for alternate traffic restriction(ATR) schemes were introduced in terms of both the restriction districts and the proportion of restricted automobiles. A bi-level progr...An optimization model and its solution algorithm for alternate traffic restriction(ATR) schemes were introduced in terms of both the restriction districts and the proportion of restricted automobiles. A bi-level programming model was proposed to model the ATR scheme optimization problem by aiming at consumer surplus maximization and overload flow minimization at the upper-level model. At the lower-level model, elastic demand, mode choice and multi-class user equilibrium assignment were synthetically optimized. A genetic algorithm involving prolonging codes was constructed, demonstrating high computing efficiency in that it dynamically includes newly-appearing overload links in the codes so as to reduce the subsequent searching range. Moreover,practical processing approaches were suggested, which may improve the operability of the model-based solutions.展开更多
For probabilistic programs,there is some work for qualitative and quantitative analysis about expec-tation or mean,such as expected termination time,and expected cost analysis.However,another non-trivial issue is abou...For probabilistic programs,there is some work for qualitative and quantitative analysis about expec-tation or mean,such as expected termination time,and expected cost analysis.However,another non-trivial issue is about tail bounds(i.e.,upper bounds of tail probabilities),which can provide high-probability guarantees to extreme events.In this work,we focus on the problem of tail-bound cost analysis over nondeterministic proba-bilistic programs,which aims to automatically obtain the tail bound of resource usages over such programs.To achieve this goal,we present a novel approach,combined with a suitable concentration inequality,to derive the tail bound of accumulated cost until program termination.Our approach can handle both positive and negative costs.Moreover,our approach enables an automated template-based synthesis of supermartingales and leads to an efficient polynomial-time algorithm.To show the effectiveness of our approach,we present experimental results on various programs and make a comparison with state-of-the-art tools.展开更多
Neurorehabilitation involves training of brain activity, which influences the resistive torque and electromyogram. This quantitative evaluation is numerical modeling of biomaterial of human body. Measurement for rehab...Neurorehabilitation involves training of brain activity, which influences the resistive torque and electromyogram. This quantitative evaluation is numerical modeling of biomaterial of human body. Measurement for rehabilitation and developing numerical modeling in patients are useful for information technology education with healthcare background. The resistive torque and electromyogram were measured. Electromyogram is the neuronal activity from eight lower limb muscles. Both activities are output signals for angle input signals. The resistive torque of a stroke patient shows a hysteresis curve, and this is a velocity-dependent component, particular for stroke. Differentiated angle by muscle spindle, a velocity-dependent component, is a stretch reflex (spasticity). In an electromyogram of a stroke patient, SLR (stretch reflex via spinal cord) means a short latency reflex, and LLR (stretch reflex via cerebral cortex) means a long latency reflex. An example of some stroke electromyogram shows long latency reflex, and this is voluntary movement during the experiment. The example of some stroke resistive torque reveals that viscoelasticity is used for the intrinsic component. The example of some stroke electromyogram reveals that long latency reflex is used for the reflex component of lower limbs. Current research needs improvement. Intrinsic viscoelasticity is modeled by a second-order differential equation. The reflex component of stroke patients is modeled by a double exponential function. Open source software is in use. Information technology-based analyses by numerical modeling would be applied in future healthcare education.展开更多
The ability to solve various constraints is a principal factor of automatic constraint solvers. Most object-oriented languages treat a character string as a primitive data type which is manipulated by string library f...The ability to solve various constraints is a principal factor of automatic constraint solvers. Most object-oriented languages treat a character string as a primitive data type which is manipulated by string library functions. Most constraint solvers have limitations on their input constraints, such as strong restrictions on the expressiveness of constraints or lack of the ability to solve hybrid constraints. These limitations hinder applying automated constraint solvers on program analysis techniques for programs containing strings and string manipulation functions. We propose an approach to automatically solve program constraints involving strings and string manipulation functions. Based on the character array model, we design a constraint language which contains primitive operations to precisely describe the constraints of commonly used string manipulation functions. The translated string constraints together with numeric constraints are then solved by a two- phase test generation procedure: firstly, a partial solution is obtained to satisfy the arithmetic constraints of the position variables, and the solution is utilized to simplify the string constraints into pure character array constraints; secondly, the pure array constraints are solved by an off-the-shelf array-specific theory based constraint solver. We integrate the approach into an automated testing tool to support the generation of string test cases, and then perform experiments. The results of the experiments prove that the integration of the proposed approach promotes the testing coverage of the existing testing tool, and the integrated tool has an advantage of handling specific string manipulation functions compared with an existing string solver.展开更多
Tackling binary program analysis problems has traditionally implied manually defining rules and heuristics,a tedious and time consuming task for human analysts.In order to improve automation and scalability,we propose...Tackling binary program analysis problems has traditionally implied manually defining rules and heuristics,a tedious and time consuming task for human analysts.In order to improve automation and scalability,we propose an alternative direction based on distributed representations of binary programs with applicability to a number of downstream tasks.We introduce Bin2vec,a new approach leveraging Graph Convolutional Networks(GCN)along with computational program graphs in order to learn a high dimensional representation of binary executable programs.We demonstrate the versatility of this approach by using our representations to solve two semantically different binary analysis tasks–functional algorithm classification and vulnerability discovery.We compare the proposed approach to our own strong baseline as well as published results,and demonstrate improvement over state-of-the-art methods for both tasks.We evaluated Bin2vec on 49191 binaries for the functional algorithm classification task,and on 30 different CWE-IDs including at least 100 CVE entries each for the vulnerability discovery task.We set a new state-of-the-art result by reducing the classification error by 40%compared to the source-code based inst2vec approach,while working on binary code.For almost every vulnerability class in our dataset,our prediction accuracy is over 80%(and over 90%in multiple classes).展开更多
The Linux kernel adopts a large number of security checks to prevent security-sensitive operations from being executed under unsafe conditions.If a security-sensitive operation is unchecked,a missing-check issue arise...The Linux kernel adopts a large number of security checks to prevent security-sensitive operations from being executed under unsafe conditions.If a security-sensitive operation is unchecked,a missing-check issue arises.Missing check is a class of severe bugs in software programs especially in operating system kernels,which may cause a variety of security issues,such as out-of-bound accesses,permission bypasses,and privilege escalations.Due to the lack of security specifications,how to automatically identify security-sensitive operations and their required security checks in the Linux kernel becomes a challenge for missing-check analysis.In this paper,we present an accurate missing-check analysis method for Linux kernel,which can automatically infer possible security-sensitive operations.Particularly,we first automatically identify all possible security check functions of Linux.Then according to their callsites,a two-direction analysis method is leveraged to identify possible security-sensitive operations.A missing-check bug is reported when the security-sensitive operation is not protected by its corresponding security check.We have implemented our method as a tool,named AMCheX,on top of the LLVM(Low Level Virtual Machine)framework and evaluated it on the Linux kernel.AMCheX reported 12 new missing-check bugs which can cause security issues.Five of them have been confirmed by Linux maintainers.展开更多
The existing slicing algorithms do not consider parameterized types in generic programs, so they are not suitable for generic programs. To solve this problem, this paper presents a generic system dependence graph for ...The existing slicing algorithms do not consider parameterized types in generic programs, so they are not suitable for generic programs. To solve this problem, this paper presents a generic system dependence graph for Java generic programs based on the traditional system dependence graph to express dependences for parameterized type information. A novel slicing criterion and slicing algorithm for generic programs is proposed. The slices computed by the algorithm can help to understand relations between concepts and types for generic programs and can express the features of generic programs better.展开更多
Network protocol software is usually characterized by complicated functions and a vast state space.In this type of program,a massive number of stateful variables that are used to represent the evolution of the states ...Network protocol software is usually characterized by complicated functions and a vast state space.In this type of program,a massive number of stateful variables that are used to represent the evolution of the states and store some information about the sessions are prone to potentialflaws caused by violations of protocol specification requirements and program logic.Discovering such variables is significant in discovering and exploiting vulnerabilities in protocol software,and still needs massive manual verifications.In this paper,we propose a novel method that could automatically discover the use of stateful variables in network protocol software.The core idea is that a stateful variable features information of the communication entities and the software states,so it will exist in the form of a global or static variable during program execution.Based on recording and replaying a protocol program’s execution,varieties of variables in the life cycle can be tracked with the technique of dynamic instrument.We draw up some rules from multiple dimensions by taking full advantage of the existing vulnerability knowledge to determine whether the data stored in critical memory areas have stateful characteristics.We also implement a prototype system that can discover stateful variables automatically and then perform it on nine programs in Pro FuzzBench and two complex real-world software programs.With the help of available open-source code,the evaluation results show that the average true positive rate(TPR)can reach 82%and the average precision can be approximately up to 96%.展开更多
This paper proposes an action analysis for implementing combining partial evaluation efficiently. By analyzing the results of binding time analysis, on erations, which should be used in the combining partial evaluatio...This paper proposes an action analysis for implementing combining partial evaluation efficiently. By analyzing the results of binding time analysis, on erations, which should be used in the combining partial evaluation, are determined in advance, so that the computation in the combination of specialized programs is reduced effectively.展开更多
基金the Project"Research on the protection technology of endogenous safety for industrial control system"supported by National Science and Technology Major Project(2016YFB08002)。
文摘Although static program analysis methods are frequently employed to enhance software quality,their efficiency in commercial settings is limited by their high false positive rate.The EUGENE tool can effectively lower the false positive rate.However,in continuous integration(CI)environments,the code is always changing,and user feedback from one version of the software cannot be applied to a subsequent version.Additionally,people find it difficult to distinguish between true positives and false positives in the analytical output.In this study,we developed the EUGENE-CI technique to address the CI problem and the EUGENE-rank lightweight heuristic algorithm to rate the reports of the analysis output in accordance with the likelihood that they are true positives.On the three projects ethereum,go-cloud,and kubernetes,we assessed our methodologies.According to the trial findings,EUGENE-CI may drastically reduce false positives while EUGENE-rank can make it much easier for users to identify the real positives among a vast number of reports.We paired our techniques with GoInsight~1 and discovered a vulnerability.We also offered a patch to the community.
基金Supported by the National Natural Science Foundation of China(No.61121061)National Key Technology R&D Program(No.2012BAH38B02,2012BAH06B00)
文摘Constraint based program analysis is widely used in program validation, program vulnerability analysis, etc. This paper proposes a temporal correlation function to protect programs from analysis. The temporal correlation function can be applied to resist against both static and dynamic function summary and eoncolie testing. What' s more, the temporal correlation function can produce different outputs even with same input. This feature can be used to damage the premise of function summary as well as prevent concolie testing process to run the new branch with new input. Experiment results show that this method can reduce efficiency and path coverage of concolic testing, while greatly in- creasing the difficulty of constraint based program analysis.
基金supported by the National Natural Science Foundation of China(Grant Nos.62232002,62202051)the National Key R&D Program of China(Grant Nos.2021YFB2700500 and 2021YFB2700503)+7 种基金the China Postdoctoral Science Foundation(Grant Nos.2021M700435,2021TQ0042)the Guangdong Provincial Key Laboratory of Novel Security Intelligence Technologies(Grant No.2022B1212010005)the Key-Area Research and Development Program of Guangdong Province(Grant No.2021B0101400003)the Open Project Funding of Key Laboratory of Mobile Application Innovation and Governance TechnologyMinistry of Industry and Information Technology(Grant No.2023IFS080601-K)the Yunnan Provincial Major Science and Technology Special Plan Projects(Grant No.202302AD080003)the Beijing Institute of Technology Research Fund Program for Young Scholarsthe Young Elite Scientists Sponsorship Program by CAST(Grant No.2023QNRC001)
文摘The space-air-ground integrated networks(SAGINs)are pivotal for modern communication and surveillance,with a growing number of connected devices.The proliferation of Io T devices within these networks introduces new risks due to potential erroneous synergistic interactions that could compromise system integrity and security.This paper addresses the challenges in coordination,synchronization,and security within SAGINs by introducing a novel static program analysis(SPA)technique using zero-knowledge(ZK)proofs.This approach ensures the detection of risky interactions without compromising sensitive source code,thus safeguarding intellectual property and privacy.The proposed method overcomes the incompatibility between SPA and ZK systems by developing an imperative programming language for SAGINs and a specialized abstract domain for interaction threats.The system translates network control algorithms into arithmetic circuits suitable for ZK analysis,maintaining high accuracy in detecting risks.Evaluations of real-world scenarios demonstrate the system's efficacy in identifying risky interactions with minimal computational overhead.This research presents the first ZK-based SPA scheme for SAGINs,enhancing security and confidentiality in network analysis while adhering to privacy regulations.
文摘With the scale of programs becoming increasingly bigger, and the complexity degree higher, how to select program fragments for slicing has become an important research topic. A new type of criterion called interesting index is proposed for selecting parts of procedures or procedure fragments to do program slicing. This new criterion considers not only the subjective aspects in users, namely users' emphasis on the time efficiency, storage capacity or readability, but also the objective aspect in large procedures. It also represents the benefit of the users, while displaying the many-faceted roles that program slicing plays. In this way users call proceed with program slicing to large systems or unfinished systems.
文摘This letter proposes a hybrid method for computing dynamic program slicing. The key element is to construct a Coverage-Testing-based Dynamic Dependence Graph (CTDDG),which makes use of both dynamic and static information to get execution status. The approach overcomes the limitations of previous dynamic slicing methods, which have to redo slicing if slice criterion changes.
文摘Worst-case execution time (WCET) analysis of multi-threaded software is still a challenge. This comes mainly from the fact that synchronization has to be taken into account. In this paper, we focus on this issue and on automatically calculating and incorporating stalling times (e.g. caused by lock contention) in a generic graph model. The idea that thread interleavings can be studied with a matrix calculus is novel in this research area. Our sparse matrix representations of the program are manipulated using an extended Kronecker algebra. The resulting graph represents multi-threaded programs similar as CFGs do for sequential programs. With this graph model, we are able to calculate the WCET of multi-threaded concurrent programs including stalling times which are due to synchronization. We employ a generating function-based approach for setting up data flow equations which are solved by well-known elimination-based dataflow analysis methods or an off-the-shelf equation solver. The WCET of multi-threaded programs can finally be calculated with a non-linear function solver.
文摘In basketball, each player’s skill level is the key to a team’s success or failure, the skill level is affected by many personal and environmental factors. A physics-informed AI statistics has become extremely important. In this article, a complex non-linear process is considered by taking into account the average points per game of each player, playing time, shooting percentage, and others. This physics-informed statistics is to construct a multiple linear regression model with physics-informed neural networks. Based on the official data provided by the American Basketball League, and combined with specific methods of R program analysis, the regression model affecting the player’s average points per game is verified, and the key factors affecting the player’s average points per game are finally elucidated. The paper provides a novel window for coaches to make meaningful in-game adjustments to team members.
基金Supported by the National Science Foundation forDistinguished Young Scholars (60425206) the National Natural Sci-ence Foundation of China ( 90412003 , 60373066 , 60403016 ,60503033) the National Basic Research Programof China (973 Pro-gram2002CB312000)
文摘This paper proposes an extended system dependence graph called AspectSDG to represent control and data dependences for AspeetC++ programs, and presents an approach for the construction of AspectSDG. This approach decomposes aspect-oriented programs into three parts: component codes, aspect codes, and weaving codes. It constructs program dependence graphs (PDGs) for each part, and then connects the PDGs at call sites to form the complete AspectSDG. The AspectSDG can deal with advice precedence correctly, and represent the additional dependences caused by aspect codes. Based on this model, we introduce how to compute a static slice of an AspectC+ + program.
基金Project supported by the National Basic Research Program (973)of China (No. 2002CB312101)+4 种基金 the National Natural ScienceFoundation of China (No. 60272031) Doctorate Research Foun-dation of the State Education Commission of China (No.20010335049) Zhejiang Provincial Natural Science Foundation ofChina (No. ZD0212)
文摘Classes are key software components in an object-oriented software system. In many industrial OO software systems, there are some classes that have complicated structure and relationships. So in the processes of software maintenance, testing, software reengineering, software reuse and software restructure, it is a challenge for software engineers to understand these classes thoroughly. This paper proposes a class comprehension model based on constructivist learning theory, and implements a software visualization tool (MFV-Class) to help in the comprehension of a class. The tool provides multiple views of class to uncover manifold facets of class contents. It enables visualizing three object-oriented metrics of classes to help users focus on the understanding process. A case study was conducted to evaluate our approach and the toolkit.
文摘This paper states the basic principle of program data flow analysis in a formal way and gives the concept of data flow expression. On the basis of this concept, an algorithm of finding data flow exceptions is rendered. This algorithm has great generality, with which it is easy to develop a tool for program test. So it is practical in application.
基金Projects(71171200,51108465,71101155)supported by the National Natural Science Foundation of China
文摘An optimization model and its solution algorithm for alternate traffic restriction(ATR) schemes were introduced in terms of both the restriction districts and the proportion of restricted automobiles. A bi-level programming model was proposed to model the ATR scheme optimization problem by aiming at consumer surplus maximization and overload flow minimization at the upper-level model. At the lower-level model, elastic demand, mode choice and multi-class user equilibrium assignment were synthetically optimized. A genetic algorithm involving prolonging codes was constructed, demonstrating high computing efficiency in that it dynamically includes newly-appearing overload links in the codes so as to reduce the subsequent searching range. Moreover,practical processing approaches were suggested, which may improve the operability of the model-based solutions.
基金the National Natural Science Foundation of China(Nos.61802254,62072299,and 61772336)。
文摘For probabilistic programs,there is some work for qualitative and quantitative analysis about expec-tation or mean,such as expected termination time,and expected cost analysis.However,another non-trivial issue is about tail bounds(i.e.,upper bounds of tail probabilities),which can provide high-probability guarantees to extreme events.In this work,we focus on the problem of tail-bound cost analysis over nondeterministic proba-bilistic programs,which aims to automatically obtain the tail bound of resource usages over such programs.To achieve this goal,we present a novel approach,combined with a suitable concentration inequality,to derive the tail bound of accumulated cost until program termination.Our approach can handle both positive and negative costs.Moreover,our approach enables an automated template-based synthesis of supermartingales and leads to an efficient polynomial-time algorithm.To show the effectiveness of our approach,we present experimental results on various programs and make a comparison with state-of-the-art tools.
文摘Neurorehabilitation involves training of brain activity, which influences the resistive torque and electromyogram. This quantitative evaluation is numerical modeling of biomaterial of human body. Measurement for rehabilitation and developing numerical modeling in patients are useful for information technology education with healthcare background. The resistive torque and electromyogram were measured. Electromyogram is the neuronal activity from eight lower limb muscles. Both activities are output signals for angle input signals. The resistive torque of a stroke patient shows a hysteresis curve, and this is a velocity-dependent component, particular for stroke. Differentiated angle by muscle spindle, a velocity-dependent component, is a stretch reflex (spasticity). In an electromyogram of a stroke patient, SLR (stretch reflex via spinal cord) means a short latency reflex, and LLR (stretch reflex via cerebral cortex) means a long latency reflex. An example of some stroke electromyogram shows long latency reflex, and this is voluntary movement during the experiment. The example of some stroke resistive torque reveals that viscoelasticity is used for the intrinsic component. The example of some stroke electromyogram reveals that long latency reflex is used for the reflex component of lower limbs. Current research needs improvement. Intrinsic viscoelasticity is modeled by a second-order differential equation. The reflex component of stroke patients is modeled by a double exponential function. Open source software is in use. Information technology-based analyses by numerical modeling would be applied in future healthcare education.
基金This work was partially supported by the National Natural Science Foundation of China under Grant Nos. 61202080, 61702044, and 61502029.
文摘The ability to solve various constraints is a principal factor of automatic constraint solvers. Most object-oriented languages treat a character string as a primitive data type which is manipulated by string library functions. Most constraint solvers have limitations on their input constraints, such as strong restrictions on the expressiveness of constraints or lack of the ability to solve hybrid constraints. These limitations hinder applying automated constraint solvers on program analysis techniques for programs containing strings and string manipulation functions. We propose an approach to automatically solve program constraints involving strings and string manipulation functions. Based on the character array model, we design a constraint language which contains primitive operations to precisely describe the constraints of commonly used string manipulation functions. The translated string constraints together with numeric constraints are then solved by a two- phase test generation procedure: firstly, a partial solution is obtained to satisfy the arithmetic constraints of the position variables, and the solution is utilized to simplify the string constraints into pure character array constraints; secondly, the pure array constraints are solved by an off-the-shelf array-specific theory based constraint solver. We integrate the approach into an automated testing tool to support the generation of string test cases, and then perform experiments. The results of the experiments prove that the integration of the proposed approach promotes the testing coverage of the existing testing tool, and the integrated tool has an advantage of handling specific string manipulation functions compared with an existing string solver.
文摘Tackling binary program analysis problems has traditionally implied manually defining rules and heuristics,a tedious and time consuming task for human analysts.In order to improve automation and scalability,we propose an alternative direction based on distributed representations of binary programs with applicability to a number of downstream tasks.We introduce Bin2vec,a new approach leveraging Graph Convolutional Networks(GCN)along with computational program graphs in order to learn a high dimensional representation of binary executable programs.We demonstrate the versatility of this approach by using our representations to solve two semantically different binary analysis tasks–functional algorithm classification and vulnerability discovery.We compare the proposed approach to our own strong baseline as well as published results,and demonstrate improvement over state-of-the-art methods for both tasks.We evaluated Bin2vec on 49191 binaries for the functional algorithm classification task,and on 30 different CWE-IDs including at least 100 CVE entries each for the vulnerability discovery task.We set a new state-of-the-art result by reducing the classification error by 40%compared to the source-code based inst2vec approach,while working on binary code.For almost every vulnerability class in our dataset,our prediction accuracy is over 80%(and over 90%in multiple classes).
基金supported by the National Nature Science Foundation of China under Grant Nos.61802415,62032019 and 62032024.PDF(PC)23。
文摘The Linux kernel adopts a large number of security checks to prevent security-sensitive operations from being executed under unsafe conditions.If a security-sensitive operation is unchecked,a missing-check issue arises.Missing check is a class of severe bugs in software programs especially in operating system kernels,which may cause a variety of security issues,such as out-of-bound accesses,permission bypasses,and privilege escalations.Due to the lack of security specifications,how to automatically identify security-sensitive operations and their required security checks in the Linux kernel becomes a challenge for missing-check analysis.In this paper,we present an accurate missing-check analysis method for Linux kernel,which can automatically infer possible security-sensitive operations.Particularly,we first automatically identify all possible security check functions of Linux.Then according to their callsites,a two-direction analysis method is leveraged to identify possible security-sensitive operations.A missing-check bug is reported when the security-sensitive operation is not protected by its corresponding security check.We have implemented our method as a tool,named AMCheX,on top of the LLVM(Low Level Virtual Machine)framework and evaluated it on the Linux kernel.AMCheX reported 12 new missing-check bugs which can cause security issues.Five of them have been confirmed by Linux maintainers.
基金Supported by and the National High Technology Research and Development Program of China (863 Program) (2009AA01Z147)the National Natural Science Foundation of China (90818027, 60633010)
文摘The existing slicing algorithms do not consider parameterized types in generic programs, so they are not suitable for generic programs. To solve this problem, this paper presents a generic system dependence graph for Java generic programs based on the traditional system dependence graph to express dependences for parameterized type information. A novel slicing criterion and slicing algorithm for generic programs is proposed. The slices computed by the algorithm can help to understand relations between concepts and types for generic programs and can express the features of generic programs better.
基金Project supported by the National Natural Science Foundation of China(Nos.61902416 and 61902412)the Natural Science Foundation of Hunan Province,China(No.2019JJ50729)。
文摘Network protocol software is usually characterized by complicated functions and a vast state space.In this type of program,a massive number of stateful variables that are used to represent the evolution of the states and store some information about the sessions are prone to potentialflaws caused by violations of protocol specification requirements and program logic.Discovering such variables is significant in discovering and exploiting vulnerabilities in protocol software,and still needs massive manual verifications.In this paper,we propose a novel method that could automatically discover the use of stateful variables in network protocol software.The core idea is that a stateful variable features information of the communication entities and the software states,so it will exist in the form of a global or static variable during program execution.Based on recording and replaying a protocol program’s execution,varieties of variables in the life cycle can be tracked with the technique of dynamic instrument.We draw up some rules from multiple dimensions by taking full advantage of the existing vulnerability knowledge to determine whether the data stored in critical memory areas have stateful characteristics.We also implement a prototype system that can discover stateful variables automatically and then perform it on nine programs in Pro FuzzBench and two complex real-world software programs.With the help of available open-source code,the evaluation results show that the average true positive rate(TPR)can reach 82%and the average precision can be approximately up to 96%.
文摘This paper proposes an action analysis for implementing combining partial evaluation efficiently. By analyzing the results of binding time analysis, on erations, which should be used in the combining partial evaluation, are determined in advance, so that the computation in the combination of specialized programs is reduced effectively.