Dr. Xiang Fu Assistant Professor Department of Computer Science Hofstra University

 Introduction  Path Transducer Model  Relational Constraint  Call Sequence Synthesis  Detecting Workflow Attack  Related Work and Conclusion

Web Server Databases

 Traditionally, SQLUnit & DBUnit ◦ Manual Test Case Design  Reverse Inference of DB State ◦ Given Query & Expected Result ◦ Generate Initial DB Instance  Our Problem: Synthesis Problem ◦ Given Database State ◦ Synthesize Call Sequence of Servlets

 White-box Analysis  (1) Interface Extraction  Path Transducers  (2) Coverage Goal Extraction  (3) Call Sequence Generation  Adaptation  Discover Workflow Attacks

 Servlet  Path Transducers  Relational Transducer that Models One Execution Path ◦ Path Condition ◦ Side Effects to DB Servlet

 Relational Data Schema  Input Domain  Finite Set of Session Variables  Boolean Combination of Terms ◦ Equality  v’ = v + 1 ◦ Satisfiability Check

 Selection  Projection  Cross Product  Union  Difference

SimpleScarf ShowSessions.php InsertSession.phpAddMember.php GenOptions.php Login.php

U sers vchar uname vchar pwd S essions int sid vchar sname M embers int sid vchar uname

 Check Valid Session Var #uname  Select Session Info  No Side Effects

 User Specify New Session Name $S I  Update Relation Sessions

 Takes Two Parameters ◦ $u A : User Name ◦ $s A : Session Name  Add Membership Info

 Add User: One of Many Functions Available  Takes Two Parameters ◦ $u G : User name ◦ $p G : Password Encrypt Password Password Rules Encoded Using String Constraint

 Given Two Parameters ◦ $u L : user name ◦ $p L : password  When Success, Update Session Variable ◦ #u: Session Variable on user name

 Key to Synthesis  Khurshid’s Approach [ASE’08]  Translate to Alloy

Transition System Post Image

Join of Session and Membership Select Session Name ‘s1’ Project to uname Find users in paper session ‘s1’ but not in ‘s2’ Goal: Find DB Instance Satisfies query

VarsClausesTrans_TimeSolve_Time ms78ms

Coverage Goal: Line # 45 Path Transducers CALL Seq Synthesis Algorithm List of HTTP Requests

(Η’,ϒ’)  Knowledge In Advance: ◦ (1) Each Path Transducer – Transition System (Relational Logic) ◦ (2) Relations being Modified (add, drop, modify) ◦ (3) Session Vars being Modified  Algorithm: Backtrack (Η,ϒ)(Η,ϒ) HTTP Request Current Constraint ϒ’ = Pre(H’, ϒ) Heuristic to pick to the next servlet: watch the difference between the relations in the current constraints and target constraints. “Insertion” has priority

Coverage Goal Target Constraint: True Initial Constraint: Path Transducer:

TransitionPost-Image Standard Existential Quantification Initial Constraint: Compare M and #u modified!  Next servlet: AddMember or Login

1.07 seconds for generating the model by ALLOY

EnterAddrChargeCCGenReceiptPrintShipping How to Detect Workflow Attack? (1)Static Analysis for ALL URLS that could be generated by a servlet (2)Modify the Backtrack algorithm for locating an “abnormal” link not in the ALL_URLs set Database manipulation TAKEN CARE OF.

 Proposal of Several Interesting Directions ◦ Extraction of Path Transducer Model ◦ Solving Relational Constraints ◦ Call Sequence Synthesis Algorithm ◦ Extension for Detecting Workflow Attacks  Future Directions ◦ Implementation …

 Interface Extraction ◦ [Halfond’FSE07], [Halfond’FSE’08]  Relational Transducer ◦ [Abiteboul’JCSS00]  Query Aware Relational Constraint Solving ◦ [Binnig’ICDE07, Khalek’ICSE08]  Session Based Testing of Web App ◦ [Elbaum’TSE05, Sampath’ASE05, Sprenkle’FSE05]