precise interface identification to improve testing and analysis of web applications
DESCRIPTION
Precise Interface Identification to Improve Testing and Analysis of Web Applications. William G.J. Halfond, Saswat Anand , and Alessandro Orso Georgia Institute of Technology. End Users. Web Server. Example Web Application. Initial Visit. Web Application. getQuote.jsp. buyPolicy.jsp. - PowerPoint PPT PresentationTRANSCRIPT
![Page 1: Precise Interface Identification to Improve Testing and Analysis of Web Applications](https://reader035.vdocuments.us/reader035/viewer/2022062520/56816376550346895dd453f6/html5/thumbnails/1.jpg)
Precise Interface Identification to Improve Testing and Analysis of
Web Applications
William G.J. Halfond,Saswat Anand, and Alessandro Orso
Georgia Institute of Technology
![Page 2: Precise Interface Identification to Improve Testing and Analysis of Web Applications](https://reader035.vdocuments.us/reader035/viewer/2022062520/56816376550346895dd453f6/html5/thumbnails/2.jpg)
2
Example Web Application
Web Server
End Users
Initial Visit Web Application
getQuote.jsp
buyPolicy.jspQuote Information
http://host/getQuote.jsp?action=doquote&car=jeep
![Page 3: Precise Interface Identification to Improve Testing and Analysis of Web Applications](https://reader035.vdocuments.us/reader035/viewer/2022062520/56816376550346895dd453f6/html5/thumbnails/3.jpg)
3
Interface Identification
public void write(File outfile, String buffer, int length)
Domain information
Grouping of parameters
1. Names of parameters2. Grouping of parameters3. Domain information
Parameter names
![Page 4: Precise Interface Identification to Improve Testing and Analysis of Web Applications](https://reader035.vdocuments.us/reader035/viewer/2022062520/56816376550346895dd453f6/html5/thumbnails/4.jpg)
4
Example Web Application
Interface Domain Constraints
action = “checkeligibility” integer(age) age < 16
action = “checkeligibility” integer(age) age 16
public void service (HttpRequest req) 1. String aValue = req.getIP( “action” ) 2. if (aValue.equals( “checkeligibility” )) 3. int userAge = getNumIP( “age” ) 4. if (userAge < 16) 5. displayErrorMsg(“Too young.” ) 6. else 7. displayQuotePage( ) 8. if (aValue.equals( “doquote” )) 9. String nValue = req.getIP( “name” )
10. String carType = req.getIP( “type” )11. int carYear = getNumIP( “year” )12. calculateQuote(carType, carYear)
…
public int getNumIP(String name) 1. String value = getIP(name) 2. int param = Integer.parse(value) 3. return param
1. Names of parameters2. Grouping of parameters3. Domain information
Parameter Namesaction, age, name, type, year
Groupings of Parameters action
action, age
action, name, type, year
![Page 5: Precise Interface Identification to Improve Testing and Analysis of Web Applications](https://reader035.vdocuments.us/reader035/viewer/2022062520/56816376550346895dd453f6/html5/thumbnails/5.jpg)
DynamicSpider
• Web spider crawls pages of application• Limitation: No guarantee of completeness
StaticDFW1:
• Identify parameter names via static analysis• Limitation: Only identifes parameter names
WAMDF2:
• Uses iterative data-flow analysis• Limitation: Assumes all paths feasible
Previous Approaches: Interface Identification
5
1. Deng, Frankl, Wang, SEN 2004.2. Halfond and Orso, FSE 2007.
(action, age, name, type, year)
1. String aValue = req.getIP( “action” ) 2. if (aValue.equals( “checkeligibility” ))
… 8. if (aValue.equals( “doquote” ))
4. if (userAge < 16) 5. displayErrorMsg(“Too young.” ) 6. else 7. displayQuotePage( )
![Page 6: Precise Interface Identification to Improve Testing and Analysis of Web Applications](https://reader035.vdocuments.us/reader035/viewer/2022062520/56816376550346895dd453f6/html5/thumbnails/6.jpg)
Our Approach
Statically identify interfaces by using symbolic execution to model input parameters and domain constraining operations.
1. Program transformation2. Symbolic execution3. Interface identification
6
![Page 7: Precise Interface Identification to Improve Testing and Analysis of Web Applications](https://reader035.vdocuments.us/reader035/viewer/2022062520/56816376550346895dd453f6/html5/thumbnails/7.jpg)
7
1 – Program Transformation
1. Introduce symbolic values
2. Replace domain-constraining operations
value getIP(name)
s new SymbolicValue()s.assignName(name)SymbolicState.add(s, value)return s
1. Accessing an input parameter2. Conversion to numeric type3. String comparison4. Arithmetic constraints
![Page 8: Precise Interface Identification to Improve Testing and Analysis of Web Applications](https://reader035.vdocuments.us/reader035/viewer/2022062520/56816376550346895dd453f6/html5/thumbnails/8.jpg)
8
2 – Symbolic Execution
Symbolically execute the transformed web application -- track path conditions and symbolic state.
SymbolicExecution
Transformed Web Application
getQuote.jsp
buyPolicy.jsp
Path Conditionsc1 c2 c3
c3 c4 c5
Symbolic Statessaction aValuesyear carYear
![Page 9: Precise Interface Identification to Improve Testing and Analysis of Web Applications](https://reader035.vdocuments.us/reader035/viewer/2022062520/56816376550346895dd453f6/html5/thumbnails/9.jpg)
9
2 – Access Input Parameters
1. String aValue = req.getIP( “action” )
(PC, SS)
(PC, SS[saction aValue])
PC = Path ConditionSS = Symbolic State
![Page 10: Precise Interface Identification to Improve Testing and Analysis of Web Applications](https://reader035.vdocuments.us/reader035/viewer/2022062520/56816376550346895dd453f6/html5/thumbnails/10.jpg)
10
2 – String Comparison
(PC saction “checkeligibility”, SS[saction aValue])
(PC, SS[saction aValue])
2. if (aValue.equals( “checkeligibility” ))
8. if (aValue.equals( “doQuote” ))
1. String aValue = req.getIP( “action” )
(PC saction “checkeligibility”, SS[saction aValue])
TRUEFALSE
![Page 11: Precise Interface Identification to Improve Testing and Analysis of Web Applications](https://reader035.vdocuments.us/reader035/viewer/2022062520/56816376550346895dd453f6/html5/thumbnails/11.jpg)
11
3 – Interface Identification
PC1 saction “checkeligibility” integer(sage) sage 16
PC2 saction “checkeligibility” integer(sage) sage 16
SS [saction aValue, sageuserAge]
1. String aValue = req.getIP( “action” ) 2. if (aValue.equals( “checkeligibility” )) 3. int userAge = getNumIP( “age” ) 4. if (userAge < 16) 5. displayErrorMsg(“Too young.” ) 6. else 7. displayQuotePage( )
…
![Page 12: Precise Interface Identification to Improve Testing and Analysis of Web Applications](https://reader035.vdocuments.us/reader035/viewer/2022062520/56816376550346895dd453f6/html5/thumbnails/12.jpg)
12
Empirical Evaluation
Research Questions (RQ):1. Efficiency -- Is the new approach efficient in
terms of its analysis time requirements?
2. Precision -- Is the new approach more precise than previous approaches?
3. Usefulness -- Does the new approach improve the performance of quality assurance techniques?
![Page 13: Precise Interface Identification to Improve Testing and Analysis of Web Applications](https://reader035.vdocuments.us/reader035/viewer/2022062520/56816376550346895dd453f6/html5/thumbnails/13.jpg)
13
Implementation: WAMSE
• Written in Java for Java Enterprise Edition (JEE) based web applications
• Implementation Modules1. TRANSFORM
• Customized JEE libraries• Stinger for analysis and automated transformation
2. SE ENGINE• Symbolic execution engine built on JavaPathFinder• Constraint solver is YICES
3. PC ANALYSIS
![Page 14: Precise Interface Identification to Improve Testing and Analysis of Web Applications](https://reader035.vdocuments.us/reader035/viewer/2022062520/56816376550346895dd453f6/html5/thumbnails/14.jpg)
Implementation: Other Approaches
14
DynamicSpider
• Web spider crawls pages of application• OWASP Web Scarab Project
StaticDFW1:
• Identify parameter names via static analysis• Reimplementation of the author-provided code
WAMDF2:
• Uses iterative data-flow analysis• Implementation from previous work
1. Deng, Frankl, Wang, SEN 2004.2. Halfond and Orso, FSE 2007.
![Page 15: Precise Interface Identification to Improve Testing and Analysis of Web Applications](https://reader035.vdocuments.us/reader035/viewer/2022062520/56816376550346895dd453f6/html5/thumbnails/15.jpg)
15
Subject Applications
Subject LOC Classes Servlets
Bookstore 19,402 28 27
Classifieds 10,702 18 18
Employee Directory 5,529 11 9
Events 7,164 13 12
Subjects available online from GotoCode.com
![Page 16: Precise Interface Identification to Improve Testing and Analysis of Web Applications](https://reader035.vdocuments.us/reader035/viewer/2022062520/56816376550346895dd453f6/html5/thumbnails/16.jpg)
16
RQ1: Efficiency
Bookstore Classifieds Employee Dir. Events0
1000
2000
3000
4000
5000
Ana
lysi
s Ti
me
(s)
1. High amount of infeasible paths in subjects2. Low number of constraints per parameter3. Web applications highly modular
WAMSE WAMDF DFW Spider
![Page 17: Precise Interface Identification to Improve Testing and Analysis of Web Applications](https://reader035.vdocuments.us/reader035/viewer/2022062520/56816376550346895dd453f6/html5/thumbnails/17.jpg)
17
RQ2: Precision
Bookstore Classifieds Employee Dir. Events0
100
200
300
400
Num
ber o
f Int
erfa
ces
On average, 80% of WAMDF
interfaces were spurious
WAMSE WAMDF
![Page 18: Precise Interface Identification to Improve Testing and Analysis of Web Applications](https://reader035.vdocuments.us/reader035/viewer/2022062520/56816376550346895dd453f6/html5/thumbnails/18.jpg)
RQ3: Usefulness
Measure improvement of three quality assurance techniques:
a) Invocation Verificationb) Penetration Testingc) Test Input Generation
18
![Page 19: Precise Interface Identification to Improve Testing and Analysis of Web Applications](https://reader035.vdocuments.us/reader035/viewer/2022062520/56816376550346895dd453f6/html5/thumbnails/19.jpg)
19
RQ3a – Invocation Verification
Approach False Positives False NegativesWAMDF 0% 50%
Spider 39% 0%
WAMSE 0% 0%
Verification of invocations for subject Bookstore
Web Application
getQuote.jsp buyPolicy.jspX
![Page 20: Precise Interface Identification to Improve Testing and Analysis of Web Applications](https://reader035.vdocuments.us/reader035/viewer/2022062520/56816376550346895dd453f6/html5/thumbnails/20.jpg)
20
RQ3b – Penetration Testing
Bookstore Classifieds Employee Dir. Events0
10
20
30
40
Num
ber o
f Vul
nera
bilit
ies
WAMSE WAMDF DFW Spider
Number of vulnerabilities: 2X – 6X higher for WAMSE
![Page 21: Precise Interface Identification to Improve Testing and Analysis of Web Applications](https://reader035.vdocuments.us/reader035/viewer/2022062520/56816376550346895dd453f6/html5/thumbnails/21.jpg)
21
RQ3c – Test Input Generation
Bookstore Classifieds EmployeeDir. Events5060708090
100
% Stmt.Coverage
Bookstore Classifieds EmployeeDir. Events10203040506070
% BranchCoverage
Bookstore Classifieds EmployeeDir. Events10
100
1000
# CommandForms
Branch coverage increase: 3%-67%
Statement coverage increase: 3%-25%
Command form increase: 651%-1,577%
WAMSE WAMDF DFW Spider
![Page 22: Precise Interface Identification to Improve Testing and Analysis of Web Applications](https://reader035.vdocuments.us/reader035/viewer/2022062520/56816376550346895dd453f6/html5/thumbnails/22.jpg)
22
RQ3c – Test Suite Size
Bookstore Classifieds Employee Dir. Events1000
10000
100000
1000000
Num
ber o
f Tes
t Cas
es
RQ3c results:1. Higher coverage for measured metrics2. Smaller average test suite
WAMSE WAMDF DFW Spider
Test suite decrease in size: 4X – 10X
![Page 23: Precise Interface Identification to Improve Testing and Analysis of Web Applications](https://reader035.vdocuments.us/reader035/viewer/2022062520/56816376550346895dd453f6/html5/thumbnails/23.jpg)
Summary of Results
• Developed interface identification technique for web applications based on symbolic execution.
• Empirical evaluation:• Similar analysis time to other techniques• More precise than current techniques• Improves quality assurance techniques
23