Slide 1: Precise Interface Identification to Improve Testing and Analysis of Web Applications
William G.J. Halfond, Saswat Anand, and Alessandro Orso
Georgia Institute of Technology
Slide 2: Example Web Application
[Figure: end users make an initial visit to a web server hosting the web application (getQuote.jsp, buyPolicy.jsp); getQuote.jsp returns quote information. Example request: http://host/getQuote.jsp?action=doquote&car=jeep]
Slide 3: Interface Identification
An interface is characterized by three kinds of information:
1. Names of parameters
2. Grouping of parameters
3. Domain information
The slide illustrates these on an ordinary method signature, public void write(File outfile, String buffer, int length): the parameter names, the grouping of the parameters that make up one signature, and the domain information carried by the parameter types.
Slide 4: Example Web Application Interface

public void service(HttpRequest req)
 1. String aValue = req.getIP("action")
 2. if (aValue.equals("checkeligibility"))
 3.   int userAge = getNumIP("age")
 4.   if (userAge < 16)
 5.     displayErrorMsg("Too young.")
 6.   else
 7.     displayQuotePage()
 8. if (aValue.equals("doquote"))
 9.   String nValue = req.getIP("name")
10.   String carType = req.getIP("type")
11.   int carYear = getNumIP("year")
12.   calculateQuote(carType, carYear)
...

public int getNumIP(String name)
 1. String value = getIP(name)
 2. int param = Integer.parse(value)
 3. return param

Interface of the example:
1. Names of parameters: action, age, name, type, year
2. Groupings of parameters: {action}, {action, age}, {action, name, type, year}
3. Domain information (domain constraints per interface):
   action = "checkeligibility", integer(age), age < 16
   action = "checkeligibility", integer(age), age >= 16
Slide 5: Previous Approaches: Interface Identification
Dynamic: Spider. A web spider crawls the pages of the application. Limitation: no guarantee of completeness.
Static: DFW [1]. Identifies parameter names via static analysis. Limitation: only identifies parameter names.
Static: WAM-DF [2]. Uses iterative data-flow analysis. Limitation: assumes all paths feasible. On the example (lines 1, 2, ..., 8 together with lines 4-7 of service) this yields the single interface (action, age, name, type, year).
 1. String aValue = req.getIP("action")
 2. if (aValue.equals("checkeligibility"))
 ...
 8. if (aValue.equals("doquote"))
 4. if (userAge < 16)
 5.   displayErrorMsg("Too young.")
 6. else
 7.   displayQuotePage()
1. Deng, Frankl, Wang, SEN 2004.
2. Halfond and Orso, FSE 2007.
Slide 6: Our Approach
Statically identify interfaces by using symbolic execution to model input parameters and domain-constraining operations.
1. Program transformation
2. Symbolic execution
3. Interface identification
Slide 7: 1 – Program Transformation
1. Introduce symbolic values
2. Replace domain-constraining operations:
   1. Accessing an input parameter
   2. Conversion to numeric type
   3. String comparison
   4. Arithmetic constraints
Example of the replacement for an input access, value = getIP(name):
   s = new SymbolicValue()
   s.assignName(name)
   SymbolicState.add(s, value)
   return s
Slide 8: 2 – Symbolic Execution
Symbolically execute the transformed web application, tracking path conditions and symbolic state.
[Figure: the transformed web application (getQuote.jsp, buyPolicy.jsp) is fed to the symbolic execution engine, which produces path conditions built from constraints c1, c2, c3 and c3, c4, c5, and symbolic states such as s_action -> aValue and s_year -> carYear]
Slide 9: 2 – Access Input Parameters
PC = path condition, SS = symbolic state.
1. String aValue = req.getIP("action")
Before line 1: (PC, SS)
After line 1:  (PC, SS[s_action -> aValue])
Slide 10: 2 – String Comparison
1. String aValue = req.getIP("action")
2. if (aValue.equals("checkeligibility"))
...
8. if (aValue.equals("doquote"))
Before line 2: (PC, SS[s_action -> aValue])
TRUE branch:   (PC ∧ s_action = "checkeligibility", SS[s_action -> aValue])
FALSE branch:  (PC ∧ s_action ≠ "checkeligibility", SS[s_action -> aValue])
Slide 11: 3 – Interface Identification
1. String aValue = req.getIP("action")
2. if (aValue.equals("checkeligibility"))
3.   int userAge = getNumIP("age")
4.   if (userAge < 16)
5.     displayErrorMsg("Too young.")
6.   else
7.     displayQuotePage()
...
Path conditions and symbolic state after symbolic execution:
PC1: s_action = "checkeligibility" ∧ integer(s_age) ∧ s_age < 16
PC2: s_action = "checkeligibility" ∧ integer(s_age) ∧ s_age ≥ 16
SS:  [s_action -> aValue, s_age -> userAge]
Each feasible path condition, with the parameters bound in its symbolic state, defines one interface.
Slide 12: Empirical Evaluation
Research questions (RQ):
1. Efficiency: is the new approach efficient in terms of its analysis time requirements?
2. Precision: is the new approach more precise than previous approaches?
3. Usefulness: does the new approach improve the performance of quality assurance techniques?
Slide 13: Implementation: WAM-SE
Written in Java for Java Enterprise Edition (JEE) based web applications.
Implementation modules:
1. TRANSFORM: customized JEE libraries; Stinger for analysis and automated transformation
2. SE ENGINE: symbolic execution engine built on JavaPathFinder; constraint solver is YICES
3. PC ANALYSIS
Slide 14: Implementation: Other Approaches
Dynamic: Spider. A web spider crawls the pages of the application. Implementation: OWASP WebScarab Project.
Static: DFW [1]. Identifies parameter names via static analysis. Implementation: reimplementation of the author-provided code.
Static: WAM-DF [2]. Uses iterative data-flow analysis. Implementation from previous work.
1. Deng, Frankl, Wang, SEN 2004.
2. Halfond and Orso, FSE 2007.
Slide 15: Subject Applications
Subject              LOC      Classes   Servlets
Bookstore            19,402   28        27
Classifieds          10,702   18 (Classes/Servlets cells not separable in the source)
Employee Directory    5,529   119 (Classes/Servlets cells not separable in the source)
Events                7,164   13        12
Subjects available online from GotoCode.com
Slide 16: RQ1: Efficiency
[Chart: analysis time of WAM-SE, WAM-DF, DFW and Spider on the subjects]
Observations:
1. High amount of infeasible paths in subjects
2. Low number of constraints per parameter
3. Web applications are highly modular
Slide 17: RQ2: Precision
[Chart: number of interfaces identified by WAM-SE and WAM-DF]
On average, 80% of WAM-DF interfaces were spurious.
Slide 18: RQ3: Usefulness
Measure the improvement of three quality assurance techniques:
a) Invocation Verification
b) Penetration Testing
c) Test Input Generation
Slide 19: RQ3a – Invocation Verification
[Figure: the invocation of buyPolicy.jsp from getQuote.jsp is checked against the identified interfaces; a mismatching invocation is marked with an X]
Verification of invocations for subject Bookstore:
Approach   False Positives   False Negatives
WAM-DF     0%                50%
Spider     39%               0%
WAM-SE     0%                (second value missing in the source)
Slide 20: RQ3b – Penetration Testing
[Chart: number of vulnerabilities found using the interfaces from WAM-SE, WAM-DF, DFW and Spider]
Number of vulnerabilities found: 2x to 6x higher for WAM-SE.
Slide 21: RQ3c – Test Input Generation
[Charts: % statement coverage, % branch coverage and number of command forms for WAM-SE, WAM-DF, DFW and Spider]
Branch coverage increase: 3%-67%
Statement coverage increase: 3%-25%
Command form increase: 651%-1,577%
Slide 22: RQ3c – Test Suite Size
[Chart: test suite size for WAM-SE, WAM-DF, DFW and Spider]
Test suite decrease in size: 4x to 10x
RQ3c results:
1. Higher coverage for the measured metrics
2. Smaller average test suite
Slide 23: Summary of Results
Developed an interface identification technique for web applications based on symbolic execution.
Empirical evaluation:
Similar analysis time to other techniques
More precise than current techniques
Improves quality assurance techniques
Slide 24: 2 – Conversion to Numeric Type
3. int userAge = getNumIP("age")
...
public int getNumIP(String name)
1. String value = getIP(name)
2. int param = Integer.parse(value)
3. return param
Before line 3: (PC, SS[s_action -> aValue])
After line 3:  (PC ∧ integer(s_age), SS[s_age -> userAge, s_action -> aValue])
Slide 25: 2 – Arithmetic Constraints
3. int userAge = getNumIP("age")
4. if (userAge < 16)
Before line 4: (PC ∧ integer(s_age), SS[s_age -> userAge])
TRUE branch:   (PC ∧ integer(s_age) ∧ s_age < 16, SS[s_age -> userAge])
FALSE branch:  (PC ∧ integer(s_age) ∧ s_age ≥ 16, SS[s_age -> userAge])
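The transformation and symbolic-execution rules of slides 7 through 11 and the two backup slides 24 and 25 (accessing an input parameter, string comparison, conversion to numeric type, arithmetic constraints), followed by the interface identification of slide 11, modelled end to end as an added example in Python. This is not WAM-SE's code (which is Java, built on JavaPathFinder with YICES as the solver): the Path class, the explore driver, the feasible() check that stands in for the constraint solver, and the service() function transcribing slide 4 are all constructed here, and the literal "doquote" follows slide 4.

```python
"""Toy WAM-SE-style interface identification (added example; not the authors' code)."""
from typing import Callable, Dict, List, Tuple
Constraint = Tuple[str, str, str]   # (op, symbolic parameter, literal)

class Sym:
    def __init__(self, name: str) -> None:   # symbolic value for one input parameter (slide 7)
        self.name = name

class Path:
    """One symbolic execution path: path condition (PC), symbolic state (SS), decisions taken."""
    def __init__(self, decisions: List[bool]) -> None:
        self.decisions = decisions        # replayed prefix, extended as new branches are met
        self.depth = 0
        self.pc: List[Constraint] = []    # path condition
        self.ss: Dict[str, Sym] = {}      # symbolic state: parameter name -> symbolic value
        self.unexplored: List[int] = []   # branch indices whose FALSE side is still pending

    def get_ip(self, name: str) -> Sym:
        """1. Accessing an input parameter (slide 9): SS gains s_name, PC is unchanged."""
        s = Sym(name)
        self.ss[name] = s
        return s

    def get_num_ip(self, name: str) -> Sym:
        """2. Conversion to numeric type (slide 24): PC gains integer(s_name)."""
        s = self.get_ip(name)
        self.pc.append(("int", s.name, ""))
        return s

    def _branch(self, on_true: Constraint, on_false: Constraint) -> bool:
        """Replay a recorded decision, or take TRUE and remember FALSE as unexplored."""
        if self.depth < len(self.decisions):
            take = self.decisions[self.depth]
        else:
            take = True
            self.decisions.append(True)
            self.unexplored.append(self.depth)
        self.depth += 1
        self.pc.append(on_true if take else on_false)
        return take

    def str_equals(self, s: Sym, lit: str) -> bool:
        """3. String comparison (slide 10): fork on s = lit / s != lit."""
        return self._branch(("eq", s.name, lit), ("ne", s.name, lit))

    def num_lt(self, s: Sym, k: int) -> bool:
        """4. Arithmetic constraint (slide 25): fork on s < k / s >= k."""
        return self._branch(("lt", s.name, str(k)), ("ge", s.name, str(k)))

def explore(program: Callable[[Path], None]) -> List[Path]:
    """Enumerate every path of `program` by re-running it with flipped decision prefixes."""
    worklist: List[List[bool]] = [[]]
    paths: List[Path] = []
    while worklist:
        p = Path(worklist.pop())
        program(p)
        paths.append(p)
        for i in p.unexplored:
            worklist.append(p.decisions[:i] + [False])
    return paths

def feasible(pc: List[Constraint]) -> bool:
    """Toy stand-in for the constraint solver: checks only string (in)equalities per symbol."""
    eq: Dict[str, str] = {}
    ne: Dict[str, set] = {}
    for op, sym, lit in pc:
        if op == "eq":
            if sym in eq and eq[sym] != lit:
                return False              # s = "a" and s = "b" cannot both hold
            eq[sym] = lit
        elif op == "ne":
            ne.setdefault(sym, set()).add(lit)
    return all(lit not in ne.get(sym, set()) for sym, lit in eq.items())

def identify_interfaces(program: Callable[[Path], None], prune_infeasible: bool = True):
    """Slide 11: each (feasible) path yields one interface: its parameter names plus its PC."""
    interfaces = []
    for p in explore(program):
        if prune_infeasible and not feasible(p.pc):
            continue                      # kept by an analysis that assumes all paths feasible
        interfaces.append((tuple(sorted(p.ss)), tuple(p.pc)))
    return interfaces

def parameter_groupings(interfaces) -> List[Tuple[str, ...]]:
    """Distinct groupings of parameters (slide 3, item 2)."""
    return sorted({names for names, _ in interfaces})

def service(req: Path) -> None:
    """Transformed servlet from slide 4 (output calls omitted); line numbers as on the slide."""
    a_value = req.get_ip("action")                           # line 1
    if req.str_equals(a_value, "checkeligibility"):          # line 2
        user_age = req.get_num_ip("age")                     # line 3
        if req.num_lt(user_age, 16):                         # line 4
            pass                                             # 5. displayErrorMsg("Too young.")
        else:
            pass                                             # 7. displayQuotePage()
    if req.str_equals(a_value, "doquote"):                   # line 8
        req.get_ip("name")                                   # line 9
        req.get_ip("type")                                   # line 10
        req.get_num_ip("year")                               # line 11

if __name__ == "__main__":
    print(parameter_groupings(identify_interfaces(service)))
```

With pruning on, the four feasible paths give exactly the groupings of slide 4: {action}, {action, age} (twice, with s_age < 16 and s_age ≥ 16 in the PC) and {action, name, type, year}. With prune_infeasible=False the two paths that require s_action to equal both "checkeligibility" and "doquote" survive and add the spurious grouping {action, age, name, type, year} that slide 5 attributes to WAM-DF.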