Dr. Xiang Fu Assistant Professor Department of Computer Science Hofstra University.
Date posted: 19-Dec-2015
Relational Constraint Driven Test Case Synthesis for Web Applications
Dr. Xiang Fu
Assistant Professor, Department of Computer Science
Hofstra University
Introduction; Path Transducer Model; Relational Constraint; Call Sequence Synthesis; Detecting Workflow Attack; Related Work and Conclusion
Outline
Web Application and Database
Web Server
Databases
Traditionally, SQLUnit & DBUnit
◦ Manual Test Case Design
Reverse Inference of DB State
◦ Given Query & Expected Result
◦ Generate Initial DB Instance
Our Problem: Synthesis Problem
◦ Given Database State
◦ Synthesize Call Sequence of Servlets
Testing Web App & DB
White-box Analysis
(1) Interface Extraction Path Transducers
(2) Coverage Goal Extraction
(3) Call Sequence Generation
Adaptation
Discover Workflow Attacks
Our Proposal
Servlet Path Transducers
Relational Transducer that Models One Execution Path
◦ Path Condition
◦ Side Effects to DB
Path Transducer Model
Servlet
Relational Data Schema
Input Domain
Finite Set of Session Variables
Boolean Combination of Terms
◦ Equality v’ = v + 1
◦ Satisfiability Check
Path Transducer Model
))(( SAT ''21 Ta
Selection
Projection
Cross Product
Union
Difference
Relational Algebra Formula)(21
)(2
21
21
21
Motivating Example
SimpleScarf
ShowSessions.php
InsertSession.php
AddMember.php
GenOptions.php
Login.php
Database Schema
Users
vchar uname
vchar pwd
Sessions
int sid
vchar sname
Members
int sid
vchar uname
ShowSessions.php
Check Valid Session Var #uname
Select Session Info
No Side Effects
Path Transducer of ShowSession
User Specifies New Session Name $SI
Update Relation Sessions
InsertSession.php
Takes Two Parameters
◦ $uA: User Name
◦ $sA: Session Name
Add Membership Info
AddMember.php
Add User: One of Many Functions Available
Takes Two Parameters
◦ $uG: User name
◦ $pG: Password
Generaloptions.php
Encrypt Password
Password Rules Encoded Using String Constraint
Given Two Parameters
◦ $uL: user name
◦ $pL: password
On Success, Update Session Variable
◦ #u: Session Variable on user name
Login.php
Key to Synthesis
Khurshid’s Approach [ASE’08]
Translate to Alloy
Solving Relational Constraint
Pre/Post Images
Transition System Post Image
Key Problem: Satisfiability Check
Join of Session and Membership
Select Session Name ‘s1’
Project to uname
Find users in paper session ‘s1’ but not in ‘s2’
Goal: Find a DB Instance That Satisfies the Query
Translation of Data Schema
Translation Part II
Experimental Results
Vars Clauses Trans_Time Solve_Time
4833 7876 829ms 78ms
Call Sequence Synthesis
Coverage Goal: Line # 45
Path Transducers
CALL SeqSynthesis Algorithm
List of HTTP Requests
(Η’,ϒ’)
Knowledge In Advance:
◦ (1) Each Path Transducer – Transition System (Relational Logic)
◦ (2) Relations being Modified (add, drop, modify)
◦ (3) Session Vars being Modified
Algorithm: Backtrack
Heuristic Algorithm
(Η,ϒ)
HTTP Request
Current Constraint
ϒ’ = Pre(H’, ϒ)
Heuristic to pick the next servlet: watch the difference between the relations in the current constraints and the target constraints. “Insertion” has priority.
Example: Coverage Target
Coverage Goal
Target Constraint: True
Initial Constraint:
Path Transducer:
Pre-Image Computation
Transition Post-Image
Standard Existential Quantification
Initial Constraint:
Compare
M and #u modified! Next servlet: AddMember or Login
Constraint in Last Step
1.07 seconds for generating the model by ALLOY
Workflow Attack
EnterAddr
ChargeCC
GenReceipt PrintShipping
How to Detect Workflow Attack?
(1) Static Analysis for ALL URLS that could be generated by a servlet
(2) Modify the Backtrack algorithm for locating an “abnormal” link not in the ALL_URLs set
Database manipulation TAKEN CARE OF.
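The two detection steps above, as an added example that is not from the slides or the author's tool: given each servlet's ALL_URLS set, a backtracking search reports feasible call sequences that use a link the previous page never generates. The servlet names are the slide's; the link sets, path conditions and side effects are constructed assumptions, and the search is a forward depth-first search over propositional facts, swapped in for the talk's pre-image computation over relational constraints.

```python
# Added illustration. Servlet names come from the slide; the link sets,
# path conditions and side effects are constructed assumptions.
from collections import namedtuple

# A path transducer abstracted to propositional facts:
#   needs = path condition, adds = side effects,
#   links = ALL_URLS, the servlets this page can legitimately link to.
Servlet = namedtuple("Servlet", "needs adds links")

def make_app(receipt_needs):
    """Hypothetical checkout workflow; receipt_needs is GenReceipt's guard."""
    return {
        "EnterAddr":     Servlet(set(), {"addr"}, {"ChargeCC"}),
        "ChargeCC":      Servlet({"addr"}, {"paid"}, {"GenReceipt"}),
        "GenReceipt":    Servlet(set(receipt_needs), {"receipt"}, {"PrintShipping"}),
        "PrintShipping": Servlet({"receipt"}, {"shipped"}, set()),
    }

def find_workflow_attacks(app, entry, goal_fact):
    """Return (call sequence, abnormal links) pairs, shortest first, for
    every feasible sequence that reaches goal_fact through at least one
    request that the previous page never generates."""
    found = []

    def step(seq, state, abnormal):
        if goal_fact in state:
            if abnormal:
                found.append((seq, abnormal))
            return
        for name, servlet in app.items():
            # Skip repeats (keeps the search finite) and servlets whose
            # path condition is unsatisfied in the current state.
            if name in seq or not servlet.needs <= state:
                continue
            jump = [] if name in app[seq[-1]].links else [(seq[-1], name)]
            step(seq + [name], state | servlet.adds, abnormal + jump)

    step([entry], set(app[entry].adds), [])
    return sorted(found, key=lambda f: len(f[0]))

if __name__ == "__main__":
    weak = make_app({"addr"})            # guard forgets the payment fact
    fixed = make_app({"addr", "paid"})   # guard also requires payment
    for label, app in (("weak", weak), ("fixed", fixed)):
        print(label, find_workflow_attacks(app, "EnterAddr", "shipped"))
```

An empty result for the corrected guard means every feasible sequence follows generated links only, which is the property a regression test for this workflow would assert.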
Proposal of Several Interesting Directions
◦ Extraction of Path Transducer Model
◦ Solving Relational Constraints
◦ Call Sequence Synthesis Algorithm
◦ Extension for Detecting Workflow Attacks
Future Directions
◦ Implementation …
Conclusion
Interface Extraction
◦ [Halfond’FSE07], [Halfond’FSE’08]
Relational Transducer
◦ [Abiteboul’JCSS00]
Query Aware Relational Constraint Solving
◦ [Binnig’ICDE07, Khalek’ICSE08]
Session Based Testing of Web App
◦ [Elbaum’TSE05, Sampath’ASE05, Sprenkle’FSE05]
Related Work