An Empirical Application of User-Guided Program Analysis

Although static program analysis methods are frequently employed to enhance software quality,their efficiency in commercial settings is limited by their high false positive rate.The EUGENE tool can effectively lower the false positive rate.However,in continuous integration(CI)environments,the code is always changing,and user feedback from one version of the software cannot be applied to a subsequent version.Additionally,people find it difficult to distinguish between true positives and false positives in the analytical output.In this study,we developed the EUGENE-CI technique to address the CI problem and the EUGENE-rank lightweight heuristic algorithm to rate the reports of the analysis output in accordance with the likelihood that they are true positives.On the three projects ethereum,go-cloud,and kubernetes,we assessed our methodologies.According to the trial findings,EUGENE-CI may drastically reduce false positives while EUGENE-rank can make it much easier for users to identify the real positives among a vast number of reports.We paired our techniques with GoInsight~1 and discovered a vulnerability.We also offered a patch to the community.

Statistical Approach to Basketball Players’Skill Level

In basketball, each player’s skill level is the key to a team’s success or failure, the skill level is affected by many personal and environmental factors. A physics-informed AI statistics has become extremely important. In this article, a complex non-linear process is considered by taking into account the average points per game of each player, playing time, shooting percentage, and others. This physics-informed statistics is to construct a multiple linear regression model with physics-informed neural networks. Based on the official data provided by the American Basketball League, and combined with specific methods of R program analysis, the regression model affecting the player’s average points per game is verified, and the key factors affecting the player’s average points per game are finally elucidated. The paper provides a novel window for coaches to make meaningful in-game adjustments to team members.

A Generic Graph Model for WCET Analysis of Multi-Core Concurrent Applications

Worst-case execution time (WCET) analysis of multi-threaded software is still a challenge. This comes mainly from the fact that synchronization has to be taken into account. In this paper, we focus on this issue and on automatically calculating and incorporating stalling times (e.g. caused by lock contention) in a generic graph model. The idea that thread interleavings can be studied with a matrix calculus is novel in this research area. Our sparse matrix representations of the program are manipulated using an extended Kronecker algebra. The resulting graph represents multi-threaded programs similar as CFGs do for sequential programs. With this graph model, we are able to calculate the WCET of multi-threaded concurrent programs including stalling times which are due to synchronization. We employ a generating function-based approach for setting up data flow equations which are solved by well-known elimination-based dataflow analysis methods or an off-the-shelf equation solver. The WCET of multi-threaded programs can finally be calculated with a non-linear function solver.

Tail-Bound Cost Analysis over Nondeterministic Probabilistic Programs

For probabilistic programs,there is some work for qualitative and quantitative analysis about expec-tation or mean,such as expected termination time,and expected cost analysis.However,another non-trivial issue is about tail bounds(i.e.,upper bounds of tail probabilities),which can provide high-probability guarantees to extreme events.In this work,we focus on the problem of tail-bound cost analysis over nondeterministic proba-bilistic programs,which aims to automatically obtain the tail bound of resource usages over such programs.To achieve this goal,we present a novel approach,combined with a suitable concentration inequality,to derive the tail bound of accumulated cost until program termination.Our approach can handle both positive and negative costs.Moreover,our approach enables an automated template-based synthesis of supermartingales and leads to an efficient polynomial-time algorithm.To show the effectiveness of our approach,we present experimental results on various programs and make a comparison with state-of-the-art tools.

System Dependence Graph Construction for Aspect Oriented C++

This paper proposes an extended system dependence graph called AspectSDG to represent control and data dependences for AspeetC＋＋ programs, and presents an approach for the construction of AspectSDG. This approach decomposes aspect-oriented programs into three parts： component codes, aspect codes, and weaving codes. It constructs program dependence graphs （PDGs） for each part, and then connects the PDGs at call sites to form the complete AspectSDG. The AspectSDG can deal with advice precedence correctly, and represent the additional dependences caused by aspect codes. Based on this model, we introduce how to compute a static slice of an AspectC＋ ＋ program.

An Algorithm of Programming Data Flow Analysis Based on Data Flow Expresion

This paper states the basic principle of program data flow analysis in a formal way and gives the concept of data flow expression. On the basis of this concept, an algorithm of finding data flow exceptions is rendered. This algorithm has great generality, with which it is easy to develop a tool for program test. So it is practical in application.

Automatic discovery of stateful variables in network protocol software based on replay analysis

Network protocol software is usually characterized by complicated functions and a vast state space.In this type of program,a massive number of stateful variables that are used to represent the evolution of the states and store some information about the sessions are prone to potentialflaws caused by violations of protocol specification requirements and program logic.Discovering such variables is significant in discovering and exploiting vulnerabilities in protocol software,and still needs massive manual verifications.In this paper,we propose a novel method that could automatically discover the use of stateful variables in network protocol software.The core idea is that a stateful variable features information of the communication entities and the software states,so it will exist in the form of a global or static variable during program execution.Based on recording and replaying a protocol program’s execution,varieties of variables in the life cycle can be tracked with the technique of dynamic instrument.We draw up some rules from multiple dimensions by taking full advantage of the existing vulnerability knowledge to determine whether the data stored in critical memory areas have stateful characteristics.We also implement a prototype system that can discover stateful variables automatically and then perform it on nine programs in Pro FuzzBench and two complex real-world software programs.With the help of available open-source code,the evaluation results show that the average true positive rate(TPR)can reach 82%and the average precision can be approximately up to 96%.

Modeling optimal oil production paths under risk service contracts

Due to the rigorous fiscal terms and huge potential risk of risk service contracts,optimizing oil production paths is one of the main challenges in designing oilfield development plans.In this paper,an oil production path optimization model is developed to maximize economic benefits within constraints of technology factors and oil contracts.This analysis describes the effects of risk service contract terms on parameters of inputs and outputs and quantifies the relationships between production and production time,revenues,investment and costs.An oil service development and production project is illustrated in which the optimal production path under its own geological conditions and contract terms is calculated.The influences of oil price,service fees per barrel and operating costs on the optimal production have been examined by sensitivity analysis.The results show that the oil price has the largest impact on the optimal production,which is negatively related to oil price and positively related to service fees per barrel and operating costs.

XBASE数据应用程序源代码分析

讨论了ＸＢＡＳＥ命令文件和库文件结构，提出了分析命令文件的方法和相关库的概念，介绍了分析系统的建立和应用情况。

Automated String Constraints Solving for Programs Containing String Manipulation Functions

The ability to solve various constraints is a principal factor of automatic constraint solvers. Most object-oriented languages treat a character string as a primitive data type which is manipulated by string library functions. Most constraint solvers have limitations on their input constraints, such as strong restrictions on the expressiveness of constraints or lack of the ability to solve hybrid constraints. These limitations hinder applying automated constraint solvers on program analysis techniques for programs containing strings and string manipulation functions. We propose an approach to automatically solve program constraints involving strings and string manipulation functions. Based on the character array model, we design a constraint language which contains primitive operations to precisely describe the constraints of commonly used string manipulation functions. The translated string constraints together with numeric constraints are then solved by a two- phase test generation procedure： firstly, a partial solution is obtained to satisfy the arithmetic constraints of the position variables, and the solution is utilized to simplify the string constraints into pure character array constraints; secondly, the pure array constraints are solved by an off-the-shelf array-specific theory based constraint solver. We integrate the approach into an automated testing tool to support the generation of string test cases, and then perform experiments. The results of the experiments prove that the integration of the proposed approach promotes the testing coverage of the existing testing tool, and the integrated tool has an advantage of handling specific string manipulation functions compared with an existing string solver.

Bin2vec:learning representations of binary executable programs for security tasks

Tackling binary program analysis problems has traditionally implied manually defining rules and heuristics,a tedious and time consuming task for human analysts.In order to improve automation and scalability,we propose an alternative direction based on distributed representations of binary programs with applicability to a number of downstream tasks.We introduce Bin2vec,a new approach leveraging Graph Convolutional Networks(GCN)along with computational program graphs in order to learn a high dimensional representation of binary executable programs.We demonstrate the versatility of this approach by using our representations to solve two semantically different binary analysis tasks–functional algorithm classification and vulnerability discovery.We compare the proposed approach to our own strong baseline as well as published results,and demonstrate improvement over state-of-the-art methods for both tasks.We evaluated Bin2vec on 49191 binaries for the functional algorithm classification task,and on 30 different CWE-IDs including at least 100 CVE entries each for the vulnerability discovery task.We set a new state-of-the-art result by reducing the classification error by 40%compared to the source-code based inst2vec approach,while working on binary code.For almost every vulnerability class in our dataset,our prediction accuracy is over 80%(and over 90%in multiple classes).

AMCheX: Accurate Analysis of Missing-Check Bugs for Linux Kernel

The Linux kernel adopts a large number of security checks to prevent security-sensitive operations from being executed under unsafe conditions.If a security-sensitive operation is unchecked,a missing-check issue arises.Missing check is a class of severe bugs in software programs especially in operating system kernels,which may cause a variety of security issues,such as out-of-bound accesses,permission bypasses,and privilege escalations.Due to the lack of security specifications,how to automatically identify security-sensitive operations and their required security checks in the Linux kernel becomes a challenge for missing-check analysis.In this paper,we present an accurate missing-check analysis method for Linux kernel,which can automatically infer possible security-sensitive operations.Particularly,we first automatically identify all possible security check functions of Linux.Then according to their callsites,a two-direction analysis method is leveraged to identify possible security-sensitive operations.A missing-check bug is reported when the security-sensitive operation is not protected by its corresponding security check.We have implemented our method as a tool,named AMCheX,on top of the LLVM(Low Level Virtual Machine)framework and evaluated it on the Linux kernel.AMCheX reported 12 new missing-check bugs which can cause security issues.Five of them have been confirmed by Linux maintainers.

Slicing Java Generic Programs Using Generic System Dependence Graph

The existing slicing algorithms do not consider parameterized types in generic programs, so they are not suitable for generic programs. To solve this problem, this paper presents a generic system dependence graph for Java generic programs based on the traditional system dependence graph to express dependences for parameterized type information. A novel slicing criterion and slicing algorithm for generic programs is proposed. The slices computed by the algorithm can help to understand relations between concepts and types for generic programs and can express the features of generic programs better.

An Action Analysis for Combining Partial Evaluation

This paper proposes an action analysis for implementing combining partial evaluation efficiently. By analyzing the results of binding time analysis, on erations, which should be used in the combining partial evaluation, are determined in advance, so that the computation in the combination of specialized programs is reduced effectively.

Fine-Tuning Pre-Trained CodeBERT for Code Search in Smart Contract

Smart contracts,which automatically execute on decentralized platforms like Ethereum,require high security and low gas consumption.As a result,developers have a strong demand for semantic code search tools that utilize natural language queries to efficiently search for existing code snippets.However,existing code search models face a semantic gap between code and queries,which requires a large amount of training data.In this paper,we propose a fine-tuning approach to bridge the semantic gap in code search and improve the search accuracy.We collect 80723 different pairs of<comment,code snippet>from Etherscan.io and use these pairs to fine-tune,validate,and test the pre-trained CodeBERT model.Using the fine-tuned model,we develop a code search engine specifically for smart contracts.We evaluate the Recall@k and Mean Reciprocal Rank(MRR)of the fine-tuned CodeBERT model using different proportions of the finetuned data.It is encouraging that even a small amount of fine-tuned data can produce satisfactory results.In addition,we perform a comparative analysis between the fine-tuned CodeBERT model and the two state-of-the-art models.The experimental results show that the finetuned CodeBERT model has superior performance in terms of Recall@k and MRR.These findings highlight the effectiveness of our finetuning approach and its potential to significantly improve the code search accuracy.

Using deep learning to solve computer security challenges:a survey

Although using machine learning techniques to solve computer security challenges is not a new idea,the rapidly emerging Deep Learning technology has recently triggered a substantial amount of interests in the computer security community.This paper seeks to provide a dedicated review of the very recent research works on using Deep Learning techniques to solve computer security challenges.In particular,the review covers eight computer security problems being solved by applications of Deep Learning:security-oriented program analysis,defending return-oriented programming(ROP)attacks,achieving control-flow integrity(CFI),defending network attacks,malware classification,system-event-based anomaly detection,memory forensics,and fuzzing for software security.

Analyses for specific defects in Android applications:a survey

Android applications(APPS)are in widespread use and have enriched our life.To ensure the quality and security of the apps,many approaches have been proposed in recent years for detecting bugs and defects in the apps,of which program analysis is a major one.This paper mainly makes an investigation of existing works on the analysis of Android apps.We summarize the purposes and proposed techniques of existing approaches,and make a taxonomy of these works,based on which we point out the trends and challenges of research in this field.From our survey,we sum up four main findings:(1)program analysis in Android security field has gained particular attention in the past years,the fields of functionality and performance should also gain proper attention;the infrastructure that supports detection of various defects should be enriched to meet the industry’s need;(2)many kinds of defects result from developers’misunderstanding or misuse of the characteristics and mechanisms in Android system,thus the works that can systematically collect and formalize Android recommendations are in demand;(3)various program analysis approaches with techniques in other fields are applied in analyzing Android apps;however,they can be improved with more precise techniques to be more applicable;(4)The fragmentation and evolution of Android system blocks the usability of existing tools,which should be taken into consideration when developing new approaches.

A Termination Condition of Unfolding Loop for Generalized Partial Computation

The unfolding problem of loop has always been a difficult problem on the partial computation and Generalized Partial Computation( GPC ) of imperative language. This paper makes use of Data Flow Analysis( DFA ) technique to present an efficient termination condition of unfolding loop for partial evaluation or generalized partial evaluation, and this termination condition can solve the problem very well.

Automatic Identification of Use Cases from Codes: A User’s Goal Driven Approach

Based on the different roles played by base flow and alternative flow in the process to achieve user＇s goals, we have found that loop structure is frequently used to implement alternative flow and/or to connect different use cases. This paper presents an approach to identify base flows and alternative flows of different use cases by traversing control flow graph in which back edges are eliminated. The effectiveness of the approach is verified by identification of the use case structure of an ATM system. The workload of human intervention of the approach is relatively slight, and the manner of human intervention closely follows the usual process of software comprehension.

An Buffer Overflow Automatic Detection Method Based on Operation Semantic

Buffer overflow is the most dangerous attack method that can be exploited. According to the statistics of Computer Emergency Readiness Team （ CERT ）, buffer overflow accounts for 50% of the current software vulnerabilities, and this ratio is going up. Considering a subset of C language, Mini C, this paper presents an abstract machine model that can realire buffer overflow detection, which is based on operation semantic. Thus the research on buffer overflow detection can be built on strict descriptions of operation semantic. Not only the correctness can be assured, but also the system can be realized and extended easily.