
Precise Interface Identification to Improve Testing and Analysis of Web Applications


Presentation Transcript


  1. Precise Interface Identification to Improve Testing and Analysis of Web Applications
     William G.J. Halfond, Saswat Anand, and Alessandro Orso
     Georgia Institute of Technology

  2. Example Web Application
     [Diagram: end users send requests to a web server hosting the example web application, which consists of the pages getQuote.jsp and buyPolicy.jsp. On an initial visit, getQuote.jsp returns quote information for a request such as the following.]
     http://host/getQuote.jsp?action=doquote&car=jeep

  3. Interface Identification
     [Figure: the analogy with a conventional method signature, public void write(File outfile, String buffer, int length), which states the names of its parameters, their grouping into one invocation, and their domain (type) information.]
     An interface of a web application likewise consists of:
     • Names of parameters
     • Grouping of parameters
     • Domain information

  4. Example Web Application
     public void service(HttpRequest req)
      1.  String aValue = req.getIP("action")
      2.  if (aValue.equals("checkeligibility"))
      3.    int userAge = getNumIP("age")
      4.    if (userAge < 16)
      5.      displayErrorMsg("Too young.")
      6.    else
      7.      displayQuotePage()
      8.  if (aValue.equals("doquote"))
      9.    String nValue = req.getIP("name")
     10.    String carType = req.getIP("type")
     11.    int carYear = getNumIP("year")
     12.    calculateQuote(carType, carYear)
     ...

     public int getNumIP(String name)
      1.  String value = getIP(name)
      2.  int param = Integer.parse(value)
      3.  return param

     All three kinds of interface information are present in this code: the names of parameters (the string literals passed to getIP), their grouping (which parameters are accessed together along one path), and domain information (the conversion of "age" and "year" to int, and the comparisons applied to the values).

  5. Previous Approaches: Interface Identification
     Dynamic
     • Spider: a web spider crawls the pages of the application
       Limitation: no guarantee of completeness
     Static
     • DFW [1]: identifies parameter names via static analysis
       Limitation: only identifies parameter names
     • WAMdf [2]: uses iterative data-flow analysis
       Limitation: assumes all paths are feasible
     Example of the WAMdf limitation on the code of slide 4 (lines 1, 2, 8 and 4–7): treating the TRUE branches of both line 2 and line 8 as lying on one feasible path yields the spurious interface (action, age, name, type, year), although aValue cannot equal both "checkeligibility" and "doquote".
     [1] Deng, Frankl, Wang, SEN 2004.
     [2] Halfond and Orso, FSE 2007.

  6. Our Approach
     Statically identify interfaces by using symbolic execution to model input parameters and domain-constraining operations.
     • Program transformation
     • Symbolic execution
     • Interface identification

  7. 1 – Program Transformation
     1. Introduce symbolic values. The parameter access value ← getIP(name) is transformed so that the accessor returns a symbolic value in place of the concrete one:
          s ← new SymbolicValue()
          s.assignName(name)
          SymbolicState.add(s, value)
          return s
     2. Replace domain-constraining operations:
     • Accessing an input parameter
     • Conversion to numeric type
     • String comparison
     • Arithmetic constraints

  8. 2 – Symbolic Execution
     Symbolically execute the transformed web application, tracking path conditions and the symbolic state.
     [Diagram: the transformed web application (getQuote.jsp, buyPolicy.jsp) is fed to the symbolic execution engine, which produces path conditions c1, c2, c3, c4, c5 and symbolic states such as s_action ↦ aValue and s_year ↦ carYear.]

  9. 2 – Access Input Parameters
     PC = Path Condition, SS = Symbolic State
       (PC, SS)
     1. String aValue = req.getIP("action")
       (PC, SS[s_action ↦ aValue])

  10. 2 – String Comparison
     1. String aValue = req.getIP("action")
       (PC, SS[s_action ↦ aValue])
     2. if (aValue.equals("checkeligibility"))
       TRUE:  (PC ∧ s_action = "checkeligibility", SS[s_action ↦ aValue])
       FALSE: (PC ∧ s_action ≠ "checkeligibility", SS[s_action ↦ aValue])
     8. if (aValue.equals("doquote"))   (the FALSE branch continues here)

  11. 3 – Interface Identification
     1. String aValue = req.getIP("action")
     2. if (aValue.equals("checkeligibility"))
     3.   int userAge = getNumIP("age")
     4.   if (userAge < 16)
     5.     displayErrorMsg("Too young.")
     6.   else
     7.     displayQuotePage()
     ...
     SS = [s_action ↦ aValue, s_age ↦ userAge]
     PC1 = s_action = "checkeligibility" ∧ integer(s_age) ∧ s_age < 16
     PC2 = s_action = "checkeligibility" ∧ integer(s_age) ∧ s_age ≥ 16
     Each feasible path condition yields one interface: the parameters in SS form the grouping (they are accessed on the same path), and the constraints in the PC supply the domain information.
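The three steps of slides 7 through 11, as an added worked example that is not part of the talk and not the WAMse code (the authors' tool is written in Java on top of Java PathFinder with YICES as the solver; this is a model of the technique, not their implementation). It assumes the example servlet of slide 4 transcribed into Python with getIP/getNumIP renamed get_ip/get_num_ip, replaces the real constraint solver with a hypothetical feasible() that understands only string equality and integer bounds, and explores paths by re-executing the servlet against recorded branch outcomes. The names SymState, Sym, SymRequest, identify_interfaces and render are all invented for the example. Running identify_interfaces with prune=False reproduces the "all paths feasible" assumption of slide 5.

```python
"""Toy model: program transformation (SymRequest/Sym), symbolic execution (SymState), interface identification."""
from dataclasses import dataclass, field

class Infeasible(Exception): pass             # raised when the path condition becomes unsatisfiable

def feasible(pc):
    """Tiny stand-in for the constraint solver: string equalities and integer bounds only."""
    equal, lower, upper = {}, {}, {}
    for op, var, *args in pc:
        if op == "eq" and equal.setdefault(var, args[0]) != args[0]:
            return False                      # one string parameter, two different literals
    for op, var, *args in pc:
        if op == "neq" and equal.get(var) == args[0]:
            return False
        if op == "lt":                        # var < n: exclusive upper bound
            upper[var] = min(upper.get(var, args[0]), args[0])
        if op == "ge":                        # var >= n: inclusive lower bound
            lower[var] = max(lower.get(var, args[0]), args[0])
    return all(lower[v] < upper[v] for v in lower if v in upper)

@dataclass
class SymState:
    decisions: list                           # branch outcomes to replay; grows at new branches
    prune: bool = True                        # False reproduces the "all paths feasible" assumption
    idx: int = 0
    pc: list = field(default_factory=list)    # path condition: constraint tuples
    ss: dict = field(default_factory=dict)    # symbolic state: parameter name -> symbolic value

    def branch(self, if_true, if_false):
        """Fork at a domain-constraining operation; return the outcome taken on this path."""
        replay = self.idx < len(self.decisions)
        choice = self.decisions[self.idx] if replay else True
        self.pc.append(if_true if choice else if_false)
        if self.prune and not feasible(self.pc):
            if replay:                        # the explorer asked for a dead branch: drop the path
                raise Infeasible
            choice, self.pc[-1] = False, if_false   # TRUE side is dead: take FALSE instead
            if not feasible(self.pc):
                raise Infeasible
        if not replay:
            self.decisions.append(choice)
        self.idx += 1
        return choice

class Sym:
    """Symbolic input value (a String, or an int after conversion) replacing the concrete one."""
    def __init__(self, st, name):
        self.st, self.name = st, name
    def equals(self, literal):                # String.equals against a literal
        return self.st.branch(("eq", self.name, literal), ("neq", self.name, literal))
    def __lt__(self, n):                      # arithmetic comparison
        return self.st.branch(("lt", self.name, n), ("ge", self.name, n))

class SymRequest:
    """Transformed request: the parameter accessors return symbolic values and record them in ss."""
    def __init__(self, st):
        self.st = st
    def get_ip(self, name):                   # accessing an input parameter: s_name enters ss
        return self.st.ss.setdefault(name, Sym(self.st, name))
    def get_num_ip(self, name):               # conversion to a numeric type: integer(s_name) enters pc
        self.st.pc.append(("int", name))
        return self.get_ip(name)

def service(req):
    """The slides' example servlet in Python; display/calculate calls are elided as comments."""
    a_value = req.get_ip("action")
    if a_value.equals("checkeligibility"):
        user_age = req.get_num_ip("age")
        if user_age < 16:                     # displayErrorMsg("Too young.") / displayQuotePage()
            pass
    if a_value.equals("doquote"):             # reached on every path: nothing above returns
        req.get_ip("name")
        req.get_ip("type")
        req.get_num_ip("year")                # calculateQuote(carType, carYear)

def identify_interfaces(servlet, prune=True):
    """Explore all paths by re-execution; return one (parameter names, pc) per feasible path."""
    worklist, interfaces = [[]], []
    while worklist:
        prefix = worklist.pop()
        st = SymState(decisions=list(prefix), prune=prune)
        try:
            servlet(SymRequest(st))
        except Infeasible:
            continue
        for i in range(len(prefix), len(st.decisions)):   # schedule the untaken FALSE sides
            if st.decisions[i]:
                worklist.append(st.decisions[:i] + [False])
        interfaces.append((tuple(sorted(st.ss)), tuple(st.pc)))
    return list(dict.fromkeys(interfaces))    # distinct interfaces, discovery order kept

def render(pc):
    """Format a path condition in the slides' notation, e.g. s_action = "doquote" ∧ integer(s_year)."""
    fmt = {"eq": '{0} = "{1}"', "neq": '{0} ≠ "{1}"', "lt": "{0} < {1}", "ge": "{0} ≥ {1}", "int": "integer({0})"}
    return " ∧ ".join(fmt[c[0]].format("s_" + c[1], *c[2:]) for c in pc)

if __name__ == "__main__":
    for names, pc in identify_interfaces(service):
        print(names, "where", render(pc))
```

With pruning, the four interfaces returned are exactly the groupings the code permits: (action, age) under PC1 and PC2 of slide 11, (action, name, type, year) for the doquote path, and (action) alone when neither comparison holds. The contradiction s_action = "checkeligibility" ∧ s_action = "doquote" is what feasible() rejects; a data-flow analysis that assumes every path is feasible keeps it, which is why identify_interfaces(service, prune=False) returns two further interfaces carrying all five parameters. Arithmetic constraints beyond < and ≥, and the hand-off of the path condition to a real solver, are outside this model.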

  12. Empirical Evaluation
     Research Questions (RQ):
     • Efficiency: Is the new approach efficient in terms of its analysis time requirements?
     • Precision: Is the new approach more precise than previous approaches?
     • Usefulness: Does the new approach improve the performance of quality assurance techniques?

  13. Implementation: WAMse
     • Written in Java for Java Enterprise Edition (JEE) based web applications
     • Implementation modules:
       • transform: customized JEE libraries; Stinger for analysis and automated transformation
       • se engine: symbolic execution engine built on Java PathFinder; the constraint solver is YICES
       • pc analysis

  14. Implementation: Other Approaches
     Dynamic
     • Spider: a web spider crawls the pages of the application (OWASP WebScarab project)
     Static
     • DFW [1]: identifies parameter names via static analysis (reimplementation of the author-provided code)
     • WAMdf [2]: uses iterative data-flow analysis (implementation from previous work)
     [1] Deng, Frankl, Wang, SEN 2004.
     [2] Halfond and Orso, FSE 2007.

  15. Subject Applications
     • Subjects available online from GotoCode.com

  16. RQ1: Efficiency
     [Chart: analysis time of Spider, DFW, WAMdf and WAMse on each subject.]
     Observations:
     • High amount of infeasible paths in the subjects
     • Low number of constraints per parameter
     • Web applications are highly modular

  17. RQ2: Precision
     [Chart: number of interfaces identified by WAMdf and WAMse per subject.]
     On average, 80% of the interfaces identified by WAMdf were spurious.

  18. RQ3: Usefulness
     Measure the improvement of three quality assurance techniques:
     • Invocation verification
     • Penetration testing
     • Test input generation

  19. RQ3a – Invocation Verification
     [Diagram: verification of the invocations between the pages getQuote.jsp and buyPolicy.jsp of a web application, with one invocation marked X.]
     Result: verification of invocations for the subject Bookstore.

  20. RQ3b – Penetration Testing
     [Chart: number of vulnerabilities found per subject with interfaces from Spider, DFW, WAMdf and WAMse.]
     Number of vulnerabilities found: 2X–6X higher with WAMse interfaces.

  21. RQ3c – Test Input Generation
     [Charts: % statement coverage, % branch coverage and number of command forms per subject for Spider, DFW, WAMdf and WAMse.]
     • Statement coverage increase: 3%–25%
     • Branch coverage increase: 3%–67%
     • Command form increase: 651%–1,577%

  22. RQ3c – Test Suite Size
     [Chart: test suite size per subject for Spider, DFW, WAMdf and WAMse.]
     Test suite size decrease: 4X–10X
     RQ3c results:
     • Higher coverage for the measured metrics
     • Smaller average test suite

  23. Summary of Results
     • Developed an interface identification technique for web applications based on symbolic execution.
     • Empirical evaluation:
       • Similar analysis time to other techniques
       • More precise than current techniques
       • Improves quality assurance techniques
