Edward J. Schwartz - Computer Security Researcher - 1 min. read

My colleagues and I finished the camera ready version of our DIRE paper on variable name recovery. Although there's no code released at this time, I'm hoping to release a proof of concept Hex-Rays plugin.

My colleagues and I wrote a survey paper on fuzzing entitled The Art, Science, and Engineering of Fuzzing: A Survey. Late last year this was accepted to appear in the IEEE Transactions on Software Engineering journal, but has not been officially published to date. We also recently learned that it will appear at ICSE 2020. As usual, you can download it from the https://edmcman.github.io/publications page.

Edward J. Schwartz - Computer Security Researcher - 1 min. read

Variable Recovery

As far back as I can remember, one of the accepted dogmas of reverse engineering is that when a program is compiled, some information about the program is lost, and there is no way to recover it. Variable names are one of the most frequently cited casualties of this idea. In fact, this argument is used by countless authors in the introductions of their papers to explain some of the unique challenges that binary analysis has compared to source analysis.

You can imagine how shocking (and cool!) it was then when my colleagues and I found that it's possible to recover a large percentage of variable names. Our key insight is that the semantics of the binary code that accesses a variable is actually a surprisingly good signal for what the variable was named. In other words, we took a huge amount of source code from github, compiled it, and then decompiled it. We then trained a model to predict the variable names, which we can't see in an executable, based on the way that the code accesses those variables, which we can see in an executable. In Meaningful Variable Names for Decompiled Code: A Machine Translation Approach, we showed that this was possible using Statistical Machine Translation, which is one of the techniques used to translate between natural languages.

I'm happy to announce that our latest paper on this subject, DIRE: A Neural Approach to Decompiled Identifier Renaming, was accepted to ASE 2019. In this paper, we found that neural network models work really well for recovering variable names in decompiled code. I'll post our camera ready as soon as its finished.

Code Reuse

I'll be speaking at the 2019 Central Pennsylvania Open Source Conference (CPOSC) in September. I attended CPOSC for the first time last year, and was very impressed by the quality of the talks. The name is a little misleading; talks are not necessarily related to open source software. I'll actually be giving a primer on code reuse attacks.

Edward J. Schwartz - Computer Security Researcher - 5 min. read

Many people don't know that in addition to my work with computers, I'm very passionate about exercise and fitness. I enjoy circuit training, running, soccer, and, the focus of this post, skiing. I've actually only been skiing seriously for a few years, but I like to ski challenging terrain. Sadly, the "mountains" where I live, in central Pennsylvania, leave much to be desired. So usually we go on at least one substantial ski trip per year. This year, for various reasons, my wife gave me the green light to go anywhere I wanted. After a fair amount of research, I chose Zermatt, Switzerland. We visited in early January 2019, for 6 days. (We also spent several days in Lucerne, which was quite nice too!) The point of this post is to share some of my thoughts and experiences. I find that ski resorts vary greatly (and especially so between continents!), so I find it helpful when people describe their experiences at different resorts.

The Resort

The ski resort in Zermatt is called Matterhorn Paradise. Matterhorn Paradise is huge, and is split into three different regions: Sunnega/Rothorn, Gornergrat, and Schwarzee/Klein Matterhorn. Each region is named after the major mountains it comprises. For instance, the main peaks in the Sunnega/Rothorn are Sunnega and Rothorn. Each region also has its own base station in Zermatt. Sunnega/Rothorn is accessed by a funicular train; Gornergrat is accessed via a cog train; and Schwarzee/Klein Matterhorn is accessed by a combination of gondolas and cable cars.


Matterhorn Paradise is quite large. When fully open, they have 53 lifts and 143 marked runs.

Before I go further, it's time for a brief aside. Ski runs are classified as on piste or off piste, which is usually synonymous with groomed and ungroomed runs. Groomed runs are usually flattened each day by grooming machines and so they are relatively flat and easy to ski. Off piste runs generally "bump up" with large moguls, and can have a wide variety of snow conditions. In Zermatt, almost all runs are on piste, and are well groomed. The off piste runs are called itineraries. Although there is a lot of great skiable areas in the resort besides the itineraries, these are usually accompanied by signs saying there is no marked run, and the snow is not avalance controlled. Since rescue services are only available on marked runs, and I was skiing by myself, I didn't tempt fate! In large US resorts, off piste areas are quite different. They are truly areas. There are typically measured in acres, and are all controlled by the ski patrol. This is great for me, since I typically ski alone.

I really enjoyed the itineraries in Zermatt. The problem was that there weren't enough of them. On the best day, there were 11 itineraries open. And some of them shouldn't have been open -- you know the snow is bad when you find yourself heading towards the ice because you know how it's going to behave. But most of the itineraries were a lot of fun. For the most part, they were empty. I would get off a crowded cable car of skiers, take a turn at the entrance to an itinerary, and would watch as 20 skiers went past without even slowing down. More snow for me! I also had some close encounters with some type of mountain goats, too, which was neat. On other days, though, due to wind and lift closures, there were sometimes only one or two itineraries open. And it's pretty boring to ski the same thing over and over again.

Zermatt is well known for its free skiing, and I tried to book a guide while I was there. Unfortunately, I couldn't find one because the snow conditions were so bad. Bummer!

Finally, there's the on piste runs. There were a few steep, wide runs that I found enjoyable. But they didn't have very much sustained pitch, which is weird considering the resort is in the alps! Also, a lot of the runs are cat tracks that really aren't that enjoyable at all.

One of the cool things about Zermatt is that it's linked to Cervinia (when it's not too windy). Cervinia's terrain was (almost?) all on piste, but had softer snow and more sustained steep runs, so I actually preferred the on piste skiing there to Zermatt's. Also, it's cool to ski to Italy for lunch.

Although this isn't really the terrain, the view of the mountains adds a lot to the overall experience of Zermatt (and Cervinia). I kept stopping to appreciate the view at various points on runs. It's really a magical setting. Even though it wasn't the best skiing I've experienced, it was still quite an experience.

Lift Infrastructure

When the resort was mostly open, the quality of the lift infrastructure really shined. There were never any lines, and you could usually get a lift or gondola to yourself if you were willing to wait a minute or two. All lifts that I saw were high speed detachables. Going straight up or down the mountain is fairly easily. However, navigating laterally is a lot more challenging. I found the signage to be lacking, and even when you knew where to go, it took quite a long time. If you want to go from opposite ends of the resort, such as from Sunnega/Rothorn to Schwarzee/Klein Matterhorn, it can easily take an hour. In some cases, it’s easier to descend to Zermatt, take a (free) bus to the other valley station, and take the lift up.

However, this is a tale of two resorts. When Zermatt was mostly open, the lift infrastructure was outstanding. The majority of the days I was there, at least one major lift was not functioning. The most common reason for this is high winds, which shut down lifts to Rothorn, Schwarzee, and Klein Matterhorn. Especially when the Schwarzee lift is shut down, which is the primary way to access the majority of the Klein Matterhorn terrain, the resort shrinks dramatically, and the lifts on the other part of the mountain develop significant lift lines. In addition to longer lift lines, some terrain becomes inaccessible, which can reduce the variety of the terrain available.

Another frustrating aspect about Matterhorn Paradise is that it's fairly hard to tell what terrain is actually going to be open that day. On two days, parts of the mountain initially showed as open, but when I got there I discovered that they were closed. Since my second choice of terrain was all the way on the other side of the resort, this wasted more than an hour of ski time!


  • Don't start first thing in the morning. The mountains are so tall that visibility isn't good until 9:30 or 10AM anyway, so there's no point being on first chair unless you like skiing by feel only. Plus the runs won't be accurately marked as open until around that time anyway.

  • Food in Switzerland is expensive. Really, really expensive. Burgers cost about $30, pizzas about $20. Get to know the grocery stores, which are expensive but at least affordable! Or, you know, ski to Italy!


It's probably evident that I was a little disappointed in Zermatt. For me, and the conditions that were present, it just wasn't the best fit. That being said, if you're an intermediate skier and really like skiing on piste, it might be the place for you. Or if you're a more advanced skier and are present during conditions that permit more backcountry skiing, you also might have a better time than I did. In either case, the atmosphere of being in the Alps is great, even if the skiing wasn't the greatest (for me). But for my next trip, I'm probably going to stay closer to home.. maybe Whistler or Alta. We'll see!

Edward J. Schwartz - Computer Security Researcher - 2 min. read

Semantic UI comes with the ability to add themes, but this must be done at build time. Semantic UI is built using LESS, a CSS pre-processing system. LESS adds variables and other useful features to CSS.

Unfortunately, the gatsbyjs starter that I was using imported the Semantic UI as a pre-built CSS file, so there was no easy way to change the theming. This blog post is about how to fix that. Unfortunately, it's harder than it should be!

  1. The first step is to add LESS support to gatsbyjs.

    First, install the module: npm install --save gatsby-plugin-less less

    Then add the module into gatsby-config.js:

    module.exports = {
      plugins: [
  2. The next step is to add the Semantic UI LESS files to your gatsbyjs app. You can actually do this by installing the semantic-ui-less npm package: npm install --save semantic-ui-less

  3. Next you actually need to add the theming configuration files to your project. You can copy these from node-modules/semantic-ui-less, specifically the theme.config.example file and the _site directory. Copy these files to src/semantic and rename theme.config.example to theme.config and _site to site. Since we're using the semantic-ui-less NPM package, we can change the line that imports theme.less to @import (multiple) "~semantic-ui-less/theme.less";. We also need to change the @siteFolder line to @siteFolder: '../../src/semantic/site'; so it uses our version of the site directory. Also, because of an annoying bug, you should add @fontPath : '../assets/fonts'; to the end of theme.config. Having fun yet?

  4. Gatsbyjs will use webpack to load semantic-ui-less. If we don't do anything,semantic-ui-less will use its own theme config files. Since we want to use our own, we add the following to gatsby-node.js to make it use our version instead:

    const path = require('path');
    exports.onCreateWebpackConfig = ({ actions }) => {
        resolve: {
          alias: {
            '../../theme.config$': path.join(__dirname, 'src/semantic/theme.config'),
  5. Find references to the precompiled version of semantic, and change them to reference the semantic-ui-less version. For me, this required changing import "../css/semantic.min.css"; in my Layout component to import "semantic-ui-less/semantic.less";.

  6. Now we can finally start to theme! Take a look at node_modules/semantic-ui-less/themes/default/site.variables, and pick something to modify. Let's change the font to Comic Sans. We can do that by writing @fontName: 'Comic Sans MS'; in src/semantic/site/globals/site.variables.

  7. Behold the splendor of your new font!

Edward J. Schwartz - Computer Security Researcher - 4 min. read

Hi there. This is my first blog entry on my new website.

This Christmas break, my wife and I decided to update our websites. Her website was using Concrete5, and mine was a manually edited, single page, static site.

We decided to use this as an opportunity to learn some new Web technologies. As someone who doesn't work in web development, I find it fairly hard to keep up with the latest Web technologies.

This time around, we decided to use the Gatsby static site generator. So launched an exciting delve into many other new (to us, anyway!) web technologies. Since I didn't really know what many of these were, here are my descriptions on a few of them:

  • Gatsby

    Gatsby is a static site generator. It builds single page applications using ReactJS. As you'd expect, you can define sites programatically. There is a plugin system that allows you to pull in content from a variety of sources. On this site, I pull in my content from Markdown files.

  • ReactJS

    ReactJS is a framework for defining User Interface components in Javascript. They are UI because they provide an interface for the user. They are components in that each component performs a limited function. Components can be used in different pages and applications, and components can be built on top of each other. The reason that React is in the name is that components can share data with each other, and they can automatically react to changes.

  • Styled JSX

    ReactJS components are defined in JSX files. Styled JSX is a library that lets you programatically write CSS in the same file to format the component. There are a couple advantages to this. For example, Styled JSX can enforce a local scoping so that CSS rules only apply to elements created by the component the style is being defined in.

    Here's an example from my publications page:

    <style jsx>{`
      span.me {
        text-decoration: underline;

    There are a lot of other CSS-in-Javascript libraries too.

  • PostCSS

    PostCSS is a modular post-processor for CSS. I'm using postcss-nested to allow nesting of CSS rules that is not normally allowed. There are a lot of other interesting plugins available too.

  • Semantic UI

    I think of Semantic UI as an abstraction layer for CSS. They define a number of semantic elements or components, and provide nice looking implementations of those semantic elements. Here's an example of some of the components you can easily build using Semantic UI.

  • Semantic UI React

    Semantic UI React encapsulates the components of Semantic UI into ReactJS components. In "regular" Semantic UI, you specify components using CSS:

    <div class="card">
      <div class="image">
        <img src="/images/avatar2/large/matthew.png">
      <div class="content">
        <div class="header">Matt Giampietro</div>
        <div class="meta">
        <div class="description">
          Matthew is an interior designer living in New York.
      <div class="extra content">
        <span class="right floated">
          Joined in 2013
          <i class="user icon"></i>
          75 Friends

    In React, though, you can refer to them like ReactJS components (which are basically just specialized HTML tags):

     <Image src='/images/avatar/large/matthew.png' />
         <span className='date'>Joined in 2015</span>
         Matthew is a musician living in Nashville.
     <Card.Content extra>
         <Icon name='user' />
         22 Friends

    Almost all of this site is built using Semantic UI React. I started from fabien0102's Semantic UI Gatsby Starter, which I really liked because the components are built mostly with Semantic UI React, and so you can just "read" them to understand what's going on.

    I really liked the appearance of greglobinski's Hero Blog Starter, however, so I implemented some of that in Semantic UI. I like the result!

Powered with by Gatsby 2.0