Variable Renaming Research Articles

Control-Flow Deobfuscation using Trace-Informed Compositional Program Synthesis

Code deobfuscation, which attempts to simplify code that has been intentionally obfuscated to prevent understanding, is a critical technique for downstream security analysis tasks like malware detection. While there has been significant prior work on code deobfuscation, most techniques either do not handle control flow obfuscations that modify control flow or they target specific classes of control flow obfuscations, making them unsuitable for handling new types of obfuscations or combinations of existing ones. In this paper, we study a new deobfuscation technique that is based on program synthesis and that can handle a broad class of control flow obfuscations. Given an obfuscated program P, our approach aims to synthesize a smallest program that is a control-flow reduction of P and that is semantically equivalent. Since our method does not assume knowledge about the types of obfuscations that have been applied to the original program, the underlying synthesis problem ends up being very challenging. To address this challenge, we propose a novel trace-informed compositional synthesis algorithm that leverages hints present in dynamic traces of the obfuscated program to decompose the synthesis problem into a set of simpler subproblems. In particular, we show how dynamic traces can be useful for inferring a suitable control-flow skeleton of the deobfuscated program and performing independent synthesis of each basic block. We have implemented this approach in a tool called Chisel and evaluate it on 546 benchmarks that have been obfuscated using combinations of six different obfuscation techniques. Our evaluation shows that our approach is effective and that it produces code that is almost identical (modulo variable renaming) to the original (non-obfuscated) program in 86% of cases. Our evaluation also shows that Chisel significantly outperforms existing techniques.

A contract-based semantics and refinement for hybrid Simulink block diagrams

Simulink is widely used for modelling, simulating, and analysing cyber–physical systems (CPS). However, for safety-critical CPS, Simulink is insufficient to ensure safety since it lacks an official formal semantics to support compositional reasoning and verification. In this paper, we present a contract-based semantic model for hybrid Simulink block diagrams, including both discrete-time and continuous-time blocks. In our semantic formalisation, the semantics of a block is defined as a contract, and we define five operations on contracts, which are sequential composition, parallel composition, feedback composition, variable renaming, and variable hiding. We then develop a refinement calculus for hybrid Simulink block diagrams. Finally, we use a water tank system and a vehicle speed control system as case studies to demonstrate our approach.

DIRE and its Data: Neural Decompiled Variable Renamings with Respect to Software Class

The decompiler is one of the most common tools for examining executable binaries without the corresponding source code. It transforms binaries into high-level code, reversing the compilation process. Unfortunately, decompiler output is far from readable because the decompilation process is often incomplete. State-of-the-art techniques use machine learning to predict missing information like variable names. While these approaches are often able to suggest good variable names in context, no existing work examines how the selection of training data influences these machine learning models. We investigate how data provenance and the quality of training data affect performance, and how well, if at all, trained models generalize across software domains. We focus on the variable renaming problem using one such machine learning model, DIRE . We first describe DIRE in detail and the accompanying technique used to generate training data from raw code. We also evaluate DIRE ’s overall performance without respect to data quality. Next, we show how training on more popular, possibly higher quality code (measured using GitHub stars) leads to a more generalizable model because popular code tends to have more diverse variable names. Finally, we evaluate how well DIRE predicts domain-specific identifiers, propose a modification to incorporate domain information, and show that it can predict identifiers in domain-specific scenarios 23% more frequently than the original DIRE model.

Automated variable renaming: are we there yet?

Identifiers, such as method and variable names, form a large portion of source code. Therefore, low-quality identifiers can substantially hinder code comprehension. To support developers in using meaningful identifiers, several (semi-)automatic techniques have been proposed, mostly being data-driven (e.g., statistical language models, deep learning models) or relying on static code analysis. Still, limited empirical investigations have been performed on the effectiveness of such techniques for recommending developers with meaningful identifiers, possibly resulting in rename refactoring operations. We present a large-scale study investigating the potential of data-driven approaches to support automated variable renaming. We experiment with three state-of-the-art techniques: a statistical language model and two DL-based models. The three approaches have been trained and tested on three datasets we built with the goal of evaluating their ability to recommend meaningful variable identifiers. Our quantitative and qualitative analyses show the potential of such techniques that, under specific conditions, can provide valuable recommendations and are ready to be integrated in rename refactoring tools. Nonetheless, our results also highlight limitations of the experimented approaches that call for further research in this field.

Locally Nameless Sets

This paper provides a new mathematical foundation for the locally nameless representation of syntax with binders, one informed by nominal techniques. It gives an equational axiomatization of two key locally nameless operations, "variable opening" and "variable closing" and shows that a lot of the locally nameless infrastructure can be defined from that in a syntax-independent way, including crucially a "shift" functor for name binding. That functor operates on a category whose objects we call locally nameless sets . Functors combining shift with sums and products have initial algebras that recover the usual locally nameless representation of syntax with binders in the finitary case. We demonstrate this by uniformly constructing such an initial locally nameless set for each instance of Plotkin's notion of binding signature. We also show by example that the shift functor is useful for locally nameless sets of a semantic rather than a syntactic character. The category of locally nameless sets is proved to be isomorphic to a known topos of finitely supported M-sets, where M is the full transformation monoid on a countably infinite set. A corollary of the proof is that several categories that have been used in the literature to model variable renaming operations on syntax with binders are all equivalent to each other and to the category of locally nameless sets.

Semantics and canonicalisation of SPARQL 1.1

We define a procedure for canonicalising SPARQL 1.1 queries. Specifically, given two input queries that return the same solutions modulo variable names over any RDF graph (which we call congruent queries), the canonicalisation procedure aims to rewrite both input queries to a syntactically canonical query that likewise returns the same results modulo variable renaming. The use-cases for such canonicalisation include caching, optimisation, redundancy elimination, question answering, and more besides. To begin, we formally define the semantics of the SPARQL 1.1 language, including features often overlooked in the literature. We then propose a canonicalisation procedure based on mapping a SPARQL query to an RDF graph, applying algebraic rewritings, removing redundancy, and then using canonical labelling techniques to produce a canonical form. Unfortunately a full canonicalisation procedure for SPARQL 1.1 queries would be undecidable. We rather propose a procedure that we prove to be sound and complete for a decidable fragment of monotone queries under both set and bag semantics, and that is sound but incomplete in the case of the full SPARQL 1.1 query language. Although the worst case of the procedure is super-exponential, our experiments show that it is efficient for real-world queries, and that such difficult cases are rare.

Almost all Classical Theorems are Intuitionistic

Canonical expressions represent the implicative propositions (i.e., the propositions with only implications) up-to renaming of variables. Using a Monte-Carlo approach, we explore the model of canonical expressions in order to confirm the paradox that says that asymptotically almost all classical theorems are intuitionistic. Actually we found that more than 96.6% of classical theorems are intuitionistic among propositions of size 100.

Symbolizing while solving linear systems

Solving systems of linear equations is of central importance in linear algebra and many related applications, yet there is limited literature examining the symbolizing processes students use as they work to solve systems of linear equations. In this paper, we examine this issue by analyzing final exam data from 68 students in an introductory undergraduate linear algebra course at a large public research university in the United States. Based on our analysis, we expanded our framework (Larson & Zandieh, 2013) for interpretations of matrix equations to include augmented matrices and symbolic forms commonly used in solving linear systems. We document considerable variation in students’ symbolization processes, which broadly occurred along two primary trajectories: systems trajectories and row reduction trajectories. Row reduction trajectories included at least five symbolic shifts, two of which students executed with a great deal of success and uniformity. Students’ symbolizing processes varied more in relation to the other three shifts, and these variations were often linked to trends of variable renaming, variable creation, or imagined parameter reasoning. Students were more flexible in their solution strategies when solving systems involving lines than for systems involving planes.

Fuzzy lattice operations on first-order terms over signatures with similar constructors: A constraint-based approach

Unification and generalization are operations on two terms computing respectively their greatest lower bound and least upper bound when the terms are quasi-ordered by subsumption up to variable renaming (i.e., t1⪯t2 iff t1=t2σ for some variable substitution σ). When term signatures are such that distinct functor symbols may be related with a fuzzy equivalence (called a similarity), these operations can be formally extended to tolerate mismatches on functor names and/or arity or argument order. We reformulate and extend previous work with a declarative approach defining unification and generalization as sets of axioms and rules forming a complete constraint-normalization proof system. These include the Reynolds-Plotkin term-generalization procedures, Maria Sessa's “weak” unification with partially fuzzy signatures and its corresponding generalization, as well as novel extensions of such operations to signatures with weaker functor similarities (i.e., with possibly different arities). One advantage of this approach is that it requires no modification of the conventional data structures for terms and substitutions. This and the fact that these declarative specifications are efficiently executable conditional Horn-clauses offers great practical potential for fuzzy information-handling applications.

Abstract Representation of Binders in OCaml using the Bindlib Library

The Bindlib library for OCaml provides a set of tools for the manipulation of data structures with variable binding. It is very well suited for the representation of abstract syntax trees, and has already been used for the implementation of half a dozen languages and proof assistants (including a new version of the logical framework Dedukti). Bindlib is optimised for fast substitution, and it supports variable renaming. Since the representation of binders is based on higher-order abstract syntax, variable capture cannot arise during substitution. As a consequence, variable names are not updated at substitution time. They can however be explicitly recomputed to avoid "visual capture" (i.e., distinct variables with the same apparent name) when a data structure is displayed.

Об аналоге теоремы Слупецкого для полиномиальных функций

Functional systems are among the main objects in discrete mathematics and mathematical cybernetics. The meaningful connection of functional systems with real cybernetic models of control systems, on the one hand, determines a series of essential requirements that are imposed on functional systems, and on the other hand, generates a class of important problems that have both theoretical and application significance. The theory of functional systems covers a wide range of problem areas, the main of them being the problems of completeness, relative completeness, expressibility, synthesis, analysis, and some others. The article considers the functional systems of polynomial functions falling in the following categories: (i) with natural coefficients in which the values of both the arguments and the functions themselves belong to the set of natural numbers; (ii) with integer coefficients in which the values of both the arguments and the functions themselves belong to the set of integer numbers; and (iii) with rational coefficients in which the values of both the arguments and the functions themselves belong to the set of rational numbers. The superposition operations (permutation of variables, renaming of variables without identifying them, identifying the variables, introducing a fictitious variable, removing a fictitious variable, and substituting one function into another) were taken as a set of operations in all these functional systems, and the problem of relative completeness is investigated for these systems. An algorithmic approach of this problem (an analog of Slupecki's theorem) is presented for the above-mentioned functional systems. In particular, it has been proven that the posed problem has a positive answer only for a functional system with natural coefficients, whereas the answer for the other two systems is negative.

A Complete Uniform Substitution Calculus for Differential Dynamic Logic

This article introduces a relatively complete proof calculus for differential dynamic logic (dL) that is entirely based on uniform substitution, a proof rule that substitutes a formula for a predicate symbol everywhere. Uniform substitutions make it possible to use axioms instead of axiom schemata, thereby substantially simplifying implementations. Instead of subtle schema variables and soundness-critical side conditions on the occurrence patterns of logical variables to restrict infinitely many axiom schema instances to sound ones, the resulting calculus adopts only a finite number of ordinary dLformulas as axioms, which uniform substitutions instantiate soundly. The static semantics of differential dynamic logic and the soundness-critical restrictions it imposes on proof steps is captured exclusively in uniform substitutions and variable renamings as opposed to being spread in delicate ways across the prover implementation. In addition to sound uniform substitutions, this article introduces differential forms for differential dynamic logic that make it possible to internalize differential invariants, differential substitutions, and derivatives as first-class axioms to reason about differential equations axiomatically. The resulting axiomatization of differential dynamic logic is proved to be sound and relatively complete.

Higher-Order Pattern Anti-Unification in Linear Time

We present a rule-based Huet’s style anti-unification algorithm for simply typed lambda-terms, which computes a least general higher-order pattern generalization. For a pair of arbitrary terms of the same type, such a generalization always exists and is unique modulo alpha -equivalence and variable renaming. With a minor modification, the algorithm works for untyped lambda-terms as well. The time complexity of both algorithms is linear.

Renaming Global Variables in C Mechanically Proved Correct

Most integrated development environments are shipped with refactoring tools. However, their refactoring operations are often known to be unreliable. As a consequence, developers have to test their code after applying an automatic refactoring. In this article, we consider a refactoring operation (renaming of global variables in C), and we prove that its core implementation preserves the set of possible behaviors of transformed programs. That proof of correctness relies on the operational semantics of C provided by CompCert C in Coq.

Binding as sets of scopes

Our new macro expander for Racket builds on a novel approach to hygiene. Instead of basing macro expansion on variable renamings that are mediated by expansion history, our new expander tracks binding through a set of scopes that an identifier acquires from both binding forms and macro expansions. The resulting model of macro expansion is simpler and more uniform than one based on renaming, and it is sufficiently compatible with Racket's old expander to be practical.

A unified treatment of syntax with binders

AbstractAtoms and de Bruijn indices are two well-known representation techniques for data structures that involve names and binders. However, using either technique, it is all too easy to make a programming error that causes one name to be used where another was intended. We propose an abstract interface to names and binders that rules out many of these errors. This interface is implemented as a library inAgda. It allows defining and manipulating term representations in nominal style and in de Bruijn style. The programmer is not forced to choose between these styles: on the contrary, the library allows using both styles in the same program, if desired. Whereas indexing the types of names and terms with a natural number is a well-known technique to better control the use of de Bruijn indices, we index types with worlds. Worlds are at the same time more precise and more abstract than natural numbers. Via logical relations and parametricity, we are able to demonstrate in what sense our library is safe, and to obtain theorems for free about world-polymorphic functions. For instance, we prove that a world-polymorphic term transformation function must commute with any renaming of the free variables. The proof is entirely carried out inAgda.

ECFGM: enriched control flow graph miner for unknown vicious infected code detection

Vicious codes, especially viruses, as a kind of impressive malware have caused many disasters and continue to exploit more vulnerabilities. These codes are injected inside benign programs in order to abuse their hosts and ease their propagation. The offsets of injected virus codes are unknown and their targets usually are latent until they are executed and activated, what in turn makes viruses very hard to detect. In this paper enriched control flow graph miner, ECFGM in short, is presented to detect infected files corrupted by unknown viruses. ECFGM uses enriched control flow graph model to represent the benign and vicious codes. This model has more information than traditional control flow graph (CFG) by utilizing statistical information of dependent assembly instructions and API calls. To the best of our knowledge, the presented approach in this paper, for the first time, can recognize the offset of infected code of unknown viruses in the victim files. The main contributions of this paper are two folds: first, the presented model is able to detect unknown vicious code using ECFG model with reasonable complexity and desirable accuracy. Second, our approach is resistant against metamorphic viruses which utilize dead code insertion, variable renaming and instruction reordering methods.

Nameless, painless

De Bruijn indices are a well known technique for programming with names and binders. They provide a representation that is both simple and canonical. However, programming errors tend to be really easy to make. We propose a safer programming interface implemented as a library. Whereas indexing the types of names and terms by a numerical bound is a famous technique, we index them by worlds, a different notion of index that is both finer and more abstract. While being more finely typed, our approach incurs no loss of expressiveness or efficiency. Via parametricity we obtain properties about functions polymorphic on worlds. For instance, well-typed world-polymorphic functions over open λ-terms commute with any renaming of the free variables. Our whole development is conducted within Agda, from the code of the library, to its soundness proof and the properties of external functions. The soundness of our library is demonstrated via the construction of a logical relations argument.

Normalization and optimization of schema mappings

Schema mappings are high-level specifications that describe the relationship between two database schemas. They are an important tool in several areas of database research, notably in data integration and data exchange. However, a concrete theory of schema mapping optimization including the formulation of optimality criteria and the construction of algorithms for computing optimal schema mappings is completely lacking to date. The goal of this work is to fill this gap. We start by presenting a system of rewrite rules to minimize sets of source-to-target tuple-generating dependencies (st-tgds, for short). Moreover, we show that the result of this minimization is unique up to variable renaming. Hence, our optimization also yields a schema mapping normalization. By appropriately extending our rewrite rule system, we also provide a normalization of schema mappings containing equality-generating target-dependencies (egds). An important application of such a normalization is in the area of defining the semantics of query answering in data exchange, since several definitions in this area depend on the concrete syntactic representation of the st-tgds. This is, in particular, the case for queries with negated atoms and for aggregate queries. The normalization of schema mappings allows us to eliminate the effect of the concrete syntactic representation of the st-tgds from the semantics of query answering. We discuss in detail how our results can be fruitfully applied to aggregate queries.

Using views to generate efficient evaluation plans for queries

We study the problem of generating efficient, equivalent rewritings using views to compute the answer to a query. We take the closed-world assumption, in which views are materialized from base relations, rather than views describing sources in terms of abstract predicates, as is common when the open-world assumption is used. In the closed-world model, there can be an infinite number of different rewritings that compute the same answer, yet have quite different performance. Query optimizers take a logical plan (a rewriting of the query) as an input, and generate efficient physical plans to compute the answer. Thus our goal is to generate a small subset of the possible logical plans without missing an optimal physical plan. We first consider a cost model that counts the number of subgoals in a physical plan, and show a search space that is guaranteed to include an optimal rewriting, if the query has a rewriting in terms of the views. We also develop an efficient algorithm for finding rewritings with the minimum number of subgoals. We then consider a cost model that counts the sizes of intermediate relations of a physical plan, without dropping any attributes, and give a search space for finding optimal rewritings. Our final cost model allows attributes to be dropped in intermediate relations. We show that, by careful variable renaming, it is possible to do better than the standard “supplementary relation” approach, by dropping attributes that the latter approach would retain. Experiments show that our algorithm of generating optimal rewritings has good efficiency and scalability.