Verifying Interactive Web Programs

Daniel R. Licata Shriram Krishnamurthi

Brown University

Popular Press

Quote:

But when I clicked on the National [car rental] price […], the site responded with this message: “You have back-buttoned too far”. This was my first experience with “back-button” as a verb. […] Since that was patently untrue, I decoded its true meaning: “We ran out [of cars]”.

–M. Slatalla, New York Times, 2003-07-17

A Headache for Companies
  • Minor problem: Users might get booked into the wrong hotels, onto the wrong flights, etc.
  • Major problem: People might embarrass you in newspapers and in public talks
The Orbitz Property
  • Orbitz Property: the user should receive a reservation at the hotel that was displayed on the page he submitted
  • In other words, the result does not depend on the page on which you did not click “Reserve”

Should all sites have this property?

Question

What would Amazon want?

The Amazon Property

Amazon property: at the end, every book the user added to his shopping cart is actually in his shopping cart

These properties are

  • not fixed in number
  • temporal in nature

This calls for model checking.

Model Checking
  • From the source code of a program, generate a model that captures the behaviors of interest
  • Consume properties written by the developer
  • Automatically check whether or not the model satisfies the properties
Modelling Web Programs

Model = control-flow graph (CFG)

What would a model of Orbitz look like?

Modelling Orbitz

[Diagram: the Orbitz control-flow graph. Nodes, in program order: display hotel list → set chosen → use chosen to compute displayed → display details for displayed → use chosen to compute reserved → display reservation]

User Operations add Control Flow
  • The browser's back-button introduced control flow not present in the original CFG
  • Other browser operations do the same

How many operations do today's browsers provide?

One Browser

[Screenshot: the menus and toolbar buttons of a single browser, including window switching with Alt+Tab]

How can we model all of these operations?

User Operation Calculus
  • Express all browser operations in terms of primitive user operations:
    • submit form to server
    • switch to previously-visited page

[Graunke et al., 2003]

  • Only need to account for these two operations' control flow
Our Model: the WebCFG
  • submit corresponds to the program's control flow: already in the CFG
  • switch permits returning to any previously-visited Web-interaction point: add edges from each Web-interaction node to the successors of all the others (WebCFG)

The Orbitz CFG

[Diagram: the Orbitz nodes connected by program control flow only: display hotel list → set chosen → use chosen to compute displayed → display details for displayed → use chosen to compute reserved → display reservation]

The Orbitz WebCFG

[Diagram: the Orbitz CFG with switch edges added from each Web-interaction node (display hotel list, display details for displayed, display reservation) to the successors of the other Web-interaction nodes]
Model Checking
  • From the source code of a program, generate a model that captures the behaviors of interest
  • Consume properties written by the developer
  • Automatically check whether or not the model satisfies the properties
Properties

We want to state properties about Web pages.

Web pages are written as HTML source, and we want to reason about Web page texts. How can we associate these texts with the corresponding HTML source?

Example page (as shown on the slides):

    <html>
    <body bgcolor=yellow>
    <table>
    <td>
    <p>
    Residence Inn by
    Marriot Charleston
    Downtown
    ...
    </html>

Relating Web Page Content to Source
  • Parse the text?

Too hard

  • Static-distance coordinates?

Too brittle

What else can we do?

Relating Web Page Content to Source

Capitalize on Cascading Style Sheet (CSS) ID tags!

    <html>
    <body bgcolor=yellow>
    <table>
    <td>
    <p id="reserved">
    Residence Inn by
    Marriot Charleston
    Downtown
    ...
    </html>
Relating Web Page Content to Source
  • If the tag is in the HTML, it must be present in the source of the program that generates the page
  • This relates Web page text to the Web program source expression that generates it
Annotating the WebCFG

Annotate each WebCFG state with the propositions true in that state

[Diagram: the HTML above, with <p id="reserved">, beside the WebCFG states "generate reservation page" and "generate reservation text"; the state that generates the tagged text is annotated with the proposition tag=reserved]

Defining our Property Language
  • The annotated WebCFG describes the set of traces that potentially occur
  • The developer writes an automaton accepting the set of traces that should occur
  • Verification is containment of the former in the latter

[Vardi and Wolper, 1986]

Example Property

Password-Page Property: Before reaching an access-controlled page, the user must go through a password page

[Automaton: states 1 (start) and 2, plus a violation state; the transition from 1 to 2 is labelled tag=password-entry, and the transition from 1 to violation is labelled tag=access-controlled]

Note: In properties, tags label transitions

Expressing the Orbitz Property

Orbitz Property: the user should receive a reservation at the hotel that was displayed on the page he submitted

Divide and conquer!

Orbitz Subproperty 1

Property: chosen does not change between the computation of displayed and the computation of reserved

[Diagram: the Orbitz WebCFG, as above]

We need additional propositions to express this property!

[Automaton, as read from the slide: states 1 (start) and 2, plus a violation state; (join,chosen) takes 1 to 2, tag=reserved takes 2 back to 1, and (set,chosen) in state 2 leads to violation]

set and join enable reasoning about data
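To make the containment check concrete, the following Python is an added example written for this transcript; it is not the authors' tool. It encodes the Orbitz CFG from the slides, builds the WebCFG by adding the switch edges, annotates nodes with set/join and tag propositions, and checks both the Password-Page Property and Orbitz Subproperty 1 by searching the product of the model and the property automaton for a reachable violation state. The node names, the automaton transitions (one reading of the slide figures) and the small password-page program are assumptions of this example.

```python
"""Added example (not the authors' tool): check a Web program's WebCFG
against a property automaton by language containment.

Node names follow the Orbitz CFG on the slides; the automata are one
reading of the slide figures; the password-page program is made up."""
from collections import deque

VIOLATION = "violation"


class Program:
    """edges: node -> successors (program control flow, i.e. 'submit').
    interaction: Web-interaction points, where a page is sent and the
    program suspends (a list, so the generated WebCFG is deterministic).
    labels: node -> propositions true in that state (tags, set, join)."""

    def __init__(self, start, edges, interaction, labels):
        self.start, self.edges = start, edges
        self.interaction, self.labels = list(interaction), labels

    def webcfg(self):
        """CFG plus 'switch' edges: the user may return to a previously
        visited page and submit it, so each interaction node gets edges to
        the successors of every other interaction node."""
        web = {node: list(succ) for node, succ in self.edges.items()}
        for src in self.interaction:
            for other in self.interaction:
                for succ in self.edges[other]:
                    if other != src and succ not in web[src]:
                        web[src].append(succ)
        return web


class Property:
    """Finite automaton; propositions (tags) label its transitions.
    A missing transition is a self-loop; VIOLATION rejects the trace."""

    def __init__(self, start, transitions):
        self.start, self.transitions = start, transitions

    def step(self, state, prop):
        return self.transitions.get((state, prop), state)


def check(program, prop, web=True):
    """Breadth-first search over the product (node, automaton state).
    Returns None if every model trace is accepted, else the first
    violating path as a list of nodes (a counterexample)."""
    edges = program.webcfg() if web else program.edges

    def enter(node, state):  # feed the node's propositions to the automaton
        for p in program.labels.get(node, []):
            state = prop.step(state, p)
        return state

    def path_to(pair):  # walk parent links back to the start node
        out = []
        while pair is not None:
            out.append(pair[0])
            pair = parent[pair]
        return out[::-1]

    start = (program.start, enter(program.start, prop.start))
    parent, queue = {start: None}, deque([start])
    if start[1] == VIOLATION:
        return path_to(start)
    while queue:
        node, state = queue.popleft()
        for succ in edges.get(node, []):
            nxt = (succ, enter(succ, state))
            if nxt in parent:
                continue
            parent[nxt] = (node, state)
            if nxt[1] == VIOLATION:
                return path_to(nxt)
            queue.append(nxt)
    return None


# The Orbitz CFG from the slides: chosen is set from the submitted form and
# joined (used) twice; the reservation page carries <p id="reserved">.
ORBITZ = Program(
    start="display hotel list",
    edges={
        "display hotel list": ["set chosen"],
        "set chosen": ["use chosen to compute displayed"],
        "use chosen to compute displayed": ["display details for displayed"],
        "display details for displayed": ["use chosen to compute reserved"],
        "use chosen to compute reserved": ["display reservation"],
        "display reservation": [],
    },
    interaction=["display hotel list", "display details for displayed",
                 "display reservation"],
    labels={
        "set chosen": [("set", "chosen")],
        "use chosen to compute displayed": [("join", "chosen")],
        "use chosen to compute reserved": [("join", "chosen")],
        "display reservation": ["tag=reserved"],
    },
)

# Subproperty 1: chosen does not change between computing displayed and reserved.
ORBITZ_SUBPROPERTY_1 = Property(start=1, transitions={
    (1, ("join", "chosen")): 2,         # displayed computed from chosen
    (2, ("set", "chosen")): VIOLATION,  # chosen changed before reserved
    (2, "tag=reserved"): 1,             # reservation page shown: reset
})

# A made-up login flow (assumption of this example) for the Password-Page Property.
PASSWORD = Program(
    start="display public page",
    edges={
        "display public page": ["display password page"],
        "display password page": ["check password"],
        "check password": ["display account page", "display password page"],
        "display account page": ["display logout page"],
        "display logout page": [],
    },
    interaction=["display public page", "display password page",
                 "display account page", "display logout page"],
    labels={"display password page": ["tag=password-entry"],
            "display account page": ["tag=access-controlled"]},
)
PASSWORD_PAGE = Property(start=1, transitions={
    (1, "tag=password-entry"): 2,
    (1, "tag=access-controlled"): VIOLATION,
})

if __name__ == "__main__":
    for name, prog, prop in [("Orbitz subproperty 1", ORBITZ, ORBITZ_SUBPROPERTY_1),
                             ("Password-page", PASSWORD, PASSWORD_PAGE)]:
        print(name, "CFG:", check(prog, prop, web=False))
        print(name, "WebCFG:", check(prog, prop))
```

On the plain CFG both properties hold. On the WebCFG the Orbitz check returns the back-button counterexample from the talk: display hotel list → set chosen → use chosen to compute displayed → display details for displayed → set chosen, i.e. chosen is reset after displayed was computed from it. The password check also reports a WebCFG path (display public page → check password → display account page) that no real user can take, since switching requires a password page that was already visited; the WebCFG admits it because switch edges are added regardless of history. Tightening the model with constraints is the topic of the Verification Process slides below; the slides only claim that infeasible forward paths are ruled out, so whether a given spurious path disappears depends on the constraints generated.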

Orbitz Subproperty 2

Property: the value of reserved comes from the value of displayed

[Diagram: the Orbitz WebCFG, as above]

We need additional propositions to express this property!

[Automaton, as read from the slide: states 1 (start) and 2, plus a violation state; (tagged,displayed,X) takes 1 to 2, (tagged,reserved,X) in state 2 is accepted, and (tagged,reserved,X) in state 1 leads to violation]
Augment CSS tagged propositions with additional information for reasoning about value flow

Property Idioms
  • Writing these automata correctly is tricky
  • The two Orbitz subproperties and the Amazon property occur repeatedly
  • We provide abstractions of these properties as idioms in our property language
Model Checking
  • From the source code of a program, generate a model that captures the behaviors of interest
  • Consume properties written by the developer
  • Automatically check whether or not the model satisfies the properties
Verification Process

The model and properties we have described

are checkable by language containment

The Orbitz WebCFG

[Diagram: the Orbitz WebCFG, as above, shown again over two animation slides]

Verification Process
  • The model and properties we have described are compatible with the FLAVERS algorithms

[Cobleigh, Naumovich, Clarke, and Osterweil, 2001-2002]

  • FLAVERS supports “constraint” automata
  • We can automatically generate constraints that rule out all the infeasible forward paths
Status

We have begun to apply our model checker to CONTINUE, a Web-based conference management application

  • Written in Scheme; the send/suspend primitive creates Web-interaction points
  • MrFlow implements SBA (set-based analysis)

[Heintze, 1994; Flanagan and Felleisen, 1996; Meunier, 2001]

Minimization
  • Some WebCFG states are not labeled
  • We remove these from the model without affecting results
  • CONTINUE: from ~17,000 to ~300 states
Future Work
  • Better data reasoning (verification conditions)
  • Concurrency
  • Case studies and more idioms
Perspective
  • Work encompasses traditional verification
  • Structure of Web source programs matters
  • Nature of environment models changes