Transcript
Page 1: Relational Constraint Driven Test Case Synthesis for Web Applications

Relational Constraint Driven Test Case Synthesis for Web Applications

Dr. Xiang Fu

Assistant Professor, Department of Computer Science

Hofstra University

Page 2: Outline

Introduction
Path Transducer Model
Relational Constraint
Call Sequence Synthesis
Detecting Workflow Attack
Related Work and Conclusion

Page 3: Web Application and Database

(Diagram: Web Server talking to Databases)

Page 4: Testing Web App & DB

Traditionally, SQLUnit & DBUnit
◦ Manual Test Case Design

Reverse Inference of DB State
◦ Given Query & Expected Result
◦ Generate Initial DB Instance

Our Problem: Synthesis Problem
◦ Given Database State
◦ Synthesize Call Sequence of Servlets

Page 5: Our Proposal

White-box Analysis
(1) Interface Extraction (yields Path Transducers)
(2) Coverage Goal Extraction
(3) Call Sequence Generation
Adaptation: Discover Workflow Attacks

Page 6: Path Transducer Model

(Diagram: a Servlet is split into Path Transducers, one per execution path)

Relational Transducer that Models One Execution Path
◦ Path Condition
◦ Side Effects to DB

Page 7: Path Transducer Model

Relational Data Schema
Input Domain
Finite Set of Session Variables
Boolean Combination of Terms
◦ Equality: v' = v + 1
◦ Satisfiability Check

))(( SAT ''21 Ta

Page 8: Relational Algebra Formula

Selection: σ(R)
Projection: π(R)
Cross Product: R1 × R2
Union: R1 ∪ R2
Difference: R1 − R2

Page 9: Motivating Example: SimpleScarf

(Diagram of the servlets: ShowSessions.php, InsertSession.php, AddMember.php, GenOptions.php, Login.php)

Page 10: Database Schema

Users(vchar uname, vchar pwd)
Sessions(int sid, vchar sname)
Members(int sid, vchar uname)

Page 11: ShowSessions.php

Page 12: Path Transducer of ShowSessions

Check Valid Session Var #uname
Select Session Info
No Side Effects

Page 13: InsertSession.php

User Specifies New Session Name $SI
Update Relation Sessions

Page 14: AddMember.php

Takes Two Parameters
◦ $uA: User Name
◦ $sA: Session Name
Add Membership Info

Page 15: Generaloptions.php

Add User: One of Many Functions Available
Takes Two Parameters
◦ $uG: User Name
◦ $pG: Password
Encrypt Password
Password Rules: Encoded Using String Constraint

Page 16: Login.php

Given Two Parameters
◦ $uL: User Name
◦ $pL: Password
When Successful, Update Session Variable
◦ #u: Session Variable for the User Name

Page 17: Solving Relational Constraint

Key to Synthesis
Khurshid's Approach [ASE'08]
Translate to Alloy

Page 18: Pre/Post Images

(Diagram: Transition System and its Post Image)

Page 19: Key Problem: Satisfiability Check

Join of Sessions and Members
Select Session Name 's1'
Project to uname
Find users in paper session 's1' but not in 's2'

Goal: Find a DB Instance that Satisfies the Query
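The satisfiability check on this slide as an added worked example, not the talk's Alloy translation: the query is written in SQL and evaluated against every database instance inside a small scope, the way an Alloy `run ... for N` bounds its search, and the first instance on which the query returns a row is the witness. The atom names (u1, u2, s1, s2) and the scope sizes are assumptions for the illustration.

```python
"""Bounded-scope satisfiability check for a relational constraint.

Added example: instead of translating schema and query to Alloy, enumerate
every database instance inside a small scope and evaluate the query with
SQLite. A non-empty result is a witness DB instance. Atom names and scope
sizes are assumptions.
"""
import itertools
import sqlite3

SCHEMA = """
CREATE TABLE Users(uname TEXT, pwd TEXT);
CREATE TABLE Sessions(sid INTEGER, sname TEXT);
CREATE TABLE Members(sid INTEGER, uname TEXT);
"""

# Slide 19 in SQL: project uname from the join selected on the first session
# name, minus the same for the second name (bound parameters, never string-built).
QUERY = """
SELECT uname FROM Sessions JOIN Members USING (sid) WHERE sname = ?
EXCEPT
SELECT uname FROM Sessions JOIN Members USING (sid) WHERE sname = ?
"""

# Scope (assumed): two users, two sessions, memberships drawn from their product.
USERS = [("u1", "p1"), ("u2", "p2")]
SESSIONS = [(1, "s1"), (2, "s2")]
MEMBERS = [(sid, u) for sid, _ in SESSIONS for u, _ in USERS]


def subsets(items):
    """All subsets of a relation's candidate tuples, smallest first."""
    for k in range(len(items) + 1):
        yield from itertools.combinations(items, k)


def evaluate(instance, query, params):
    """Load one DB instance into an in-memory SQLite DB and run the query."""
    con = sqlite3.connect(":memory:")
    con.executescript(SCHEMA)
    con.executemany("INSERT INTO Users VALUES (?, ?)", instance["Users"])
    con.executemany("INSERT INTO Sessions VALUES (?, ?)", instance["Sessions"])
    con.executemany("INSERT INTO Members VALUES (?, ?)", instance["Members"])
    rows = con.execute(query, params).fetchall()
    con.close()
    return [r[0] for r in rows]


def find_instance(query, params):
    """Smallest in-scope instance on which the query returns at least one row,
    or None if the constraint is unsatisfiable within the scope."""
    candidates = []
    for sess in subsets(SESSIONS):
        sids = {sid for sid, _ in sess}
        for mem in subsets(MEMBERS):
            if any(sid not in sids for sid, _ in mem):
                continue  # referential integrity: a membership needs its session
            candidates.append({"Users": USERS, "Sessions": list(sess), "Members": list(mem)})
    candidates.sort(key=lambda inst: len(inst["Sessions"]) + len(inst["Members"]))
    for inst in candidates:
        if evaluate(inst, query, params):
            return inst
    return None


if __name__ == "__main__":
    print(find_instance(QUERY, ("s1", "s2")))   # users in s1 but not in s2
    print(find_instance(QUERY, ("s1", "s1")))   # unsatisfiable: None
```

The enumeration is exponential in the scope, which is exactly why the talk hands the problem to a SAT-backed solver; the point of the toy is that "find a DB instance satisfying the query" has a well-defined answer, including "unsatisfiable" for a contradictory query such as 's1' minus 's1'.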

Page 20: Translation of Data Schema

Page 21: Translation Part II

Page 22: Experimental Results

Vars   Clauses   Trans_Time   Solve_Time
4833   7876      829 ms       78 ms

Page 23: Call Sequence Synthesis

(Diagram: a Coverage Goal, e.g. Line #45, and the Path Transducers feed the Call Sequence Synthesis Algorithm, which outputs a List of HTTP Requests)

Page 24: Heuristic Algorithm

Knowledge In Advance:
◦ (1) Each Path Transducer is a Transition System (Relational Logic)
◦ (2) Relations being Modified (add, drop, modify)
◦ (3) Session Vars being Modified

Algorithm: Backtrack

(Diagram: from (H, ϒ), where ϒ is the Current Constraint, an HTTP Request H' is chosen and the constraint is stepped backwards to (H', ϒ') with ϒ' = Pre(H', ϒ))

Heuristic to pick the next servlet: watch the difference between the relations in the current constraint and the target constraint. "Insertion" has priority.

Page 25: Example: Coverage Target

Coverage Goal
Target Constraint: True
Initial Constraint:
Path Transducer:

Page 26: Pre-Image Computation

Transition Post-Image
Standard Existential Quantification
Initial Constraint:
Compare: M and #u modified! Next servlet: AddMember or Login

Page 27: Constraint in Last Step

1.07 seconds for generating the model by Alloy
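An added example, not the authors' implementation, of the path transducer model (slides 6, 7 and 12 to 16) and the backtracking call sequence synthesis (slides 24 to 27) over the SimpleScarf servlets. It departs from the talk in one respect: it searches forward over concrete states from the given initial DB state instead of computing symbolic pre-images, while keeping the heuristic that servlets modifying a relation or session variable mentioned by the target are tried first, insertions first. The input domain, the password rule, the SHA-256 stand-in for "encrypt password" and the coverage goal (the ShowSessions path whose query returns a session the logged-in user belongs to) are assumptions.

```python
"""Call-sequence synthesis over path transducers of the SimpleScarf servlets.

Added example, not the talk's implementation. Each servlet path is a transducer
with a path condition (guard) and a side effect on relations and session vars.
The search runs forward over concrete states (not symbolic pre-images) but keeps
the slide 24 heuristic. Domain, password rule, hash, and goal are assumptions.
"""
import hashlib
from dataclasses import dataclass
from itertools import product
from typing import Callable, Dict, FrozenSet, List, Optional, Tuple
from urllib.parse import urlencode

DB = Dict[str, FrozenSet[tuple]]   # relation name -> set of tuples
Session = Dict[str, str]           # session variable -> value
Params = Dict[str, str]            # request parameters


@dataclass(frozen=True)
class PathTransducer:
    servlet: str
    params: Tuple[str, ...]                                      # parameters read on this path
    guard: Callable[[DB, Session, Params], bool]                 # path condition
    effect: Callable[[DB, Session, Params], Tuple[DB, Session]]  # side effects
    writes: FrozenSet[str]                                       # relations / session vars modified
    inserts: bool = False                                        # path inserts tuples


def insert(db: DB, rel: str, tup: tuple) -> DB:
    return {**db, rel: db[rel] | {tup}}

def encrypt(pwd: str) -> str:       # stand-in for GenOptions' password encryption (assumed)
    return hashlib.sha256(pwd.encode()).hexdigest()

def password_ok(pwd: str) -> bool:  # stand-in for the slide's password rules (assumed)
    return len(pwd) >= 6 and any(c.isdigit() for c in pwd)

def sid_of(db: DB, sname: str) -> Optional[int]:
    return next((sid for sid, n in db["Sessions"] if n == sname), None)


TRANSDUCERS = [
    PathTransducer("GenOptions.php", ("uG", "pG"),
                   lambda db, s, p: password_ok(p["pG"]) and all(u != p["uG"] for u, _ in db["Users"]),
                   lambda db, s, p: (insert(db, "Users", (p["uG"], encrypt(p["pG"]))), s),
                   frozenset({"Users"}), True),
    PathTransducer("Login.php", ("uL", "pL"),
                   lambda db, s, p: (p["uL"], encrypt(p["pL"])) in db["Users"],
                   lambda db, s, p: (db, {**s, "#u": p["uL"]}),        # success sets #u
                   frozenset({"#u"})),
    PathTransducer("InsertSession.php", ("SI",),
                   lambda db, s, p: "#u" in s and sid_of(db, p["SI"]) is None,
                   lambda db, s, p: (insert(db, "Sessions", (len(db["Sessions"]) + 1, p["SI"])), s),
                   frozenset({"Sessions"}), True),
    PathTransducer("AddMember.php", ("uA", "sA"),
                   lambda db, s, p: "#u" in s and sid_of(db, p["sA"]) is not None
                   and any(u == p["uA"] for u, _ in db["Users"]),
                   lambda db, s, p: (insert(db, "Members", (sid_of(db, p["sA"]), p["uA"])), s),
                   frozenset({"Members"}), True),
    PathTransducer("ShowSessions.php", (),
                   lambda db, s, p: "#u" in s,                      # valid session var
                   lambda db, s, p: (db, s),                        # no side effects
                   frozenset()),
]

# Assumed input domain per request parameter.
DOMAIN = {"uG": ["alice"], "uL": ["alice"], "uA": ["alice"],
          "pG": ["pw1234", "x"], "pL": ["pw1234", "x"], "SI": ["s1"], "sA": ["s1"]}
EMPTY_DB: DB = {"Users": frozenset(), "Sessions": frozenset(), "Members": frozenset()}

# Coverage goal (assumed): the ShowSessions path whose query returns a session the
# logged-in user belongs to; its target constraint mentions Members and #u.
GOAL_SERVLET = "ShowSessions.php"
GOAL_VARS = frozenset({"Members", "#u"})

def goal_holds(db: DB, s: Session) -> bool:
    return "#u" in s and any(u == s["#u"] for _, u in db["Members"])

def request(t: PathTransducer, p: Params) -> str:
    return f"GET /{t.servlet}" + (f"?{urlencode(p)}" if p else "")

def state_key(db: DB, s: Session):
    return tuple(sorted(db.items())), tuple(sorted(s.items()))


def synthesize(db: DB, s: Session, depth: int = 6) -> Optional[List[str]]:
    """Backtracking search for a request sequence that covers the goal."""
    goal = next(t for t in TRANSDUCERS if t.servlet == GOAL_SERVLET)
    # Heuristic: modifies something the target mentions first, insertions first.
    ordered = sorted(TRANSDUCERS, key=lambda t: (not (t.writes & GOAL_VARS), not t.inserts))
    visited = {state_key(db, s)}

    def dfs(db, s, seq, budget):
        if goal_holds(db, s) and goal.guard(db, s, {}):
            return seq + [request(goal, {})]
        if budget == 0:
            return None
        for t in ordered:
            for values in product(*(DOMAIN[p] for p in t.params)):
                p = dict(zip(t.params, values))
                if not t.guard(db, s, p):
                    continue                       # path condition unsatisfied
                db2, s2 = t.effect(db, s, p)
                if state_key(db2, s2) in visited:
                    continue                       # backtrack: state already explored
                visited.add(state_key(db2, s2))
                found = dfs(db2, s2, seq + [request(t, p)], budget - 1)
                if found:
                    return found
        return None

    return dfs(db, s, [], depth)


if __name__ == "__main__":
    for line in synthesize(EMPTY_DB, {}) or ["no sequence within depth"]:
        print(line)
```

From an empty database the search yields GenOptions (add user), Login, InsertSession, AddMember and finally ShowSessions, which is the order slide 26 arrives at backwards: the target mentions Members and #u, so AddMember and Login are tried first, and each fails its path condition until the relations it reads have been populated.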

Page 28: Workflow Attack

(Diagram: intended workflow EnterAddr → ChargeCC → GenReceipt → PrintShipping)

How to Detect a Workflow Attack?
(1) Static Analysis for ALL URLs that could be generated by a servlet
(2) Modify the Backtrack algorithm to locate an "abnormal" link not in the ALL_URLs set

Database manipulation: already taken care of.
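Workflow attack detection as an added example; the checkout servlets, their guards and their link sets are constructed for the illustration and are not from the paper. Each servlet's ALL_URLs set stands for what static analysis would extract from its responses, and the backtracking search looks for a call sequence that reaches a damaging state (goods shipped, card never charged); a request not linked from the previous response is the abnormal link. The weakly guarded version beside the hardened one shows the server-side check that closes the hole.

```python
"""Workflow attack detection on a constructed checkout workflow.

Added example, not the paper's tool. ALL_URLs per servlet stands for the links
static analysis would extract from that servlet's responses. A backtracking
search looks for a call sequence reaching a damaging state; any request not
linked from the previous response is the 'abnormal' link.
"""
from typing import Callable, Dict, FrozenSet, List, Optional, Tuple

State = Dict[str, bool]

# Intended workflow: EnterAddr -> ChargeCC -> GenReceipt -> PrintShipping.
LINKS: Dict[str, FrozenSet[str]] = {
    "EnterAddr": frozenset({"ChargeCC"}),
    "ChargeCC": frozenset({"GenReceipt"}),
    "GenReceipt": frozenset({"PrintShipping"}),
    "PrintShipping": frozenset(),
}
ENTRY = frozenset({"EnterAddr"})          # links available before any request

EFFECTS: Dict[str, Callable[[State], State]] = {
    "EnterAddr": lambda st: {**st, "addr": True},
    "ChargeCC": lambda st: {**st, "charged": True},
    "GenReceipt": lambda st: {**st, "receipt": True},
    "PrintShipping": lambda st: {**st, "shipped": True},
}


def guards(enforce_order: bool) -> Dict[str, Callable[[State], bool]]:
    """Path conditions. Weak: later steps only require an address (the server
    trusts that the client followed the links). Hardened: they also require the
    charge to be recorded in the database."""
    paid = (lambda st: st["addr"] and st["charged"]) if enforce_order else (lambda st: st["addr"])
    return {"EnterAddr": lambda st: True, "ChargeCC": lambda st: st["addr"],
            "GenReceipt": paid, "PrintShipping": paid}


INITIAL: State = {"addr": False, "charged": False, "receipt": False, "shipped": False}


def find_workflow_attack(enforce_order: bool, max_depth: int = 4) -> Optional[List[Tuple[str, bool]]]:
    """Shortest request sequence that ships goods without a charge, as
    (servlet, followed_a_link) pairs, or None if none exists within max_depth."""
    g = guards(enforce_order)

    def dfs(st, prev, seq, budget):
        if st["shipped"] and not st["charged"]:
            return seq
        if budget == 0:
            return None
        for name in LINKS:                     # the client may request any URL
            if not g[name](st):
                continue                       # path condition fails: server rejects
            nxt = EFFECTS[name](st)
            if nxt == st:
                continue                       # no state change: skip repeats
            normal = name in (LINKS[prev] if prev else ENTRY)
            found = dfs(nxt, name, seq + [(name, normal)], budget - 1)
            if found:
                return found
        return None

    for depth in range(1, max_depth + 1):      # iterative deepening: shortest first
        found = dfs(INITIAL, None, [], depth)
        if found:
            return found
    return None


def abnormal_links(seq: List[Tuple[str, bool]]) -> List[str]:
    """Requests that did not follow a link in the previous response's ALL_URLs."""
    return [name for name, normal in seq if not normal]


if __name__ == "__main__":
    attack = find_workflow_attack(enforce_order=False)
    print(attack, abnormal_links(attack or []))
    print(find_workflow_attack(enforce_order=True))
```

With the weak guards the search reports EnterAddr followed directly by PrintShipping, and flags PrintShipping as the abnormal link because EnterAddr's response never offers it; with the hardened guards, which check the database rather than trusting the navigation order, no sequence reaches the damaging state.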

Page 29: Conclusion

Proposal of Several Interesting Directions
◦ Extraction of Path Transducer Model
◦ Solving Relational Constraints
◦ Call Sequence Synthesis Algorithm
◦ Extension for Detecting Workflow Attacks

Future Directions
◦ Implementation …

Page 30: Related Work

Interface Extraction
◦ [Halfond FSE'07], [Halfond FSE'08]
Relational Transducer
◦ [Abiteboul JCSS'00]
Query Aware Relational Constraint Solving
◦ [Binnig ICDE'07], [Khalek ICSE'08]
Session Based Testing of Web App
◦ [Elbaum TSE'05], [Sampath ASE'05], [Sprenkle FSE'05]

