+ All Categories
Home > Documents > Precise Interface Identification to Improve Testing and Analysis of Web Applications

Precise Interface Identification to Improve Testing and Analysis of Web Applications

Date post: 23-Feb-2016
Category:
Upload: asis
View: 43 times
Download: 0 times
Share this document with a friend
Description:
Precise Interface Identification to Improve Testing and Analysis of Web Applications. William G.J. Halfond, Saswat Anand , and Alessandro Orso Georgia Institute of Technology. End Users. Web Server. Example Web Application. Initial Visit. Web Application. getQuote.jsp. buyPolicy.jsp. - PowerPoint PPT Presentation
Popular Tags:
23
Precise Interface Identification to Improve Testing and Analysis of Web Applications William G.J. Halfond, Saswat Anand, and Alessandro Orso Georgia Institute of Technology
Transcript
Page 1: Precise Interface Identification to Improve Testing and Analysis of Web Applications

Precise Interface Identification to Improve Testing and Analysis of

Web Applications

William G.J. Halfond,Saswat Anand, and Alessandro Orso

Georgia Institute of Technology

Page 2: Precise Interface Identification to Improve Testing and Analysis of Web Applications

2

Example Web Application

Web Server

End Users

Initial Visit Web Application

getQuote.jsp

buyPolicy.jspQuote Information

http://host/getQuote.jsp?action=doquote&car=jeep

Page 3: Precise Interface Identification to Improve Testing and Analysis of Web Applications

3

Interface Identification

public void write(File outfile, String buffer, int length)

Domain information

Grouping of parameters

1. Names of parameters2. Grouping of parameters3. Domain information

Parameter names

Page 4: Precise Interface Identification to Improve Testing and Analysis of Web Applications

4

Example Web Application

Interface Domain Constraints

action = “checkeligibility” integer(age) age < 16

action = “checkeligibility” integer(age) age 16

public void service (HttpRequest req) 1. String aValue = req.getIP( “action” ) 2. if (aValue.equals( “checkeligibility” )) 3. int userAge = getNumIP( “age” ) 4. if (userAge < 16) 5. displayErrorMsg(“Too young.” ) 6. else 7. displayQuotePage( ) 8. if (aValue.equals( “doquote” )) 9. String nValue = req.getIP( “name” )

10. String carType = req.getIP( “type” )11. int carYear = getNumIP( “year” )12. calculateQuote(carType, carYear)

public int getNumIP(String name) 1. String value = getIP(name) 2. int param = Integer.parse(value) 3. return param

1. Names of parameters2. Grouping of parameters3. Domain information

Parameter Namesaction, age, name, type, year

Groupings of Parameters action

action, age

action, name, type, year

Page 5: Precise Interface Identification to Improve Testing and Analysis of Web Applications

DynamicSpider

• Web spider crawls pages of application• Limitation: No guarantee of completeness

StaticDFW1:

• Identify parameter names via static analysis• Limitation: Only identifes parameter names

WAMDF2:

• Uses iterative data-flow analysis• Limitation: Assumes all paths feasible

Previous Approaches: Interface Identification

5

1. Deng, Frankl, Wang, SEN 2004.2. Halfond and Orso, FSE 2007.

(action, age, name, type, year)

1. String aValue = req.getIP( “action” ) 2. if (aValue.equals( “checkeligibility” ))

… 8. if (aValue.equals( “doquote” ))

4. if (userAge < 16) 5. displayErrorMsg(“Too young.” ) 6. else 7. displayQuotePage( )

Page 6: Precise Interface Identification to Improve Testing and Analysis of Web Applications

Our Approach

Statically identify interfaces by using symbolic execution to model input parameters and domain constraining operations.

1. Program transformation2. Symbolic execution3. Interface identification

6

Page 7: Precise Interface Identification to Improve Testing and Analysis of Web Applications

7

1 – Program Transformation

1. Introduce symbolic values

2. Replace domain-constraining operations

value getIP(name)

s new SymbolicValue()s.assignName(name)SymbolicState.add(s, value)return s

1. Accessing an input parameter2. Conversion to numeric type3. String comparison4. Arithmetic constraints

Page 8: Precise Interface Identification to Improve Testing and Analysis of Web Applications

8

2 – Symbolic Execution

Symbolically execute the transformed web application -- track path conditions and symbolic state.

SymbolicExecution

Transformed Web Application

getQuote.jsp

buyPolicy.jsp

Path Conditionsc1 c2 c3

c3 c4 c5

Symbolic Statessaction aValuesyear carYear

Page 9: Precise Interface Identification to Improve Testing and Analysis of Web Applications

9

2 – Access Input Parameters

1. String aValue = req.getIP( “action” )

(PC, SS)

(PC, SS[saction aValue])

PC = Path ConditionSS = Symbolic State

Page 10: Precise Interface Identification to Improve Testing and Analysis of Web Applications

10

2 – String Comparison

(PC saction “checkeligibility”, SS[saction aValue])

(PC, SS[saction aValue])

2. if (aValue.equals( “checkeligibility” ))

8. if (aValue.equals( “doQuote” ))

1. String aValue = req.getIP( “action” )

(PC saction “checkeligibility”, SS[saction aValue])

TRUEFALSE

Page 11: Precise Interface Identification to Improve Testing and Analysis of Web Applications

11

3 – Interface Identification

PC1 saction “checkeligibility” integer(sage) sage 16

PC2 saction “checkeligibility” integer(sage) sage 16

SS [saction aValue, sageuserAge]

1. String aValue = req.getIP( “action” ) 2. if (aValue.equals( “checkeligibility” )) 3. int userAge = getNumIP( “age” ) 4. if (userAge < 16) 5. displayErrorMsg(“Too young.” ) 6. else 7. displayQuotePage( )

Page 12: Precise Interface Identification to Improve Testing and Analysis of Web Applications

12

Empirical Evaluation

Research Questions (RQ):1. Efficiency -- Is the new approach efficient in

terms of its analysis time requirements?

2. Precision -- Is the new approach more precise than previous approaches?

3. Usefulness -- Does the new approach improve the performance of quality assurance techniques?

Page 13: Precise Interface Identification to Improve Testing and Analysis of Web Applications

13

Implementation: WAMSE

• Written in Java for Java Enterprise Edition (JEE) based web applications

• Implementation Modules1. TRANSFORM

• Customized JEE libraries• Stinger for analysis and automated transformation

2. SE ENGINE• Symbolic execution engine built on JavaPathFinder• Constraint solver is YICES

3. PC ANALYSIS

Page 14: Precise Interface Identification to Improve Testing and Analysis of Web Applications

Implementation: Other Approaches

14

DynamicSpider

• Web spider crawls pages of application• OWASP Web Scarab Project

StaticDFW1:

• Identify parameter names via static analysis• Reimplementation of the author-provided code

WAMDF2:

• Uses iterative data-flow analysis• Implementation from previous work

1. Deng, Frankl, Wang, SEN 2004.2. Halfond and Orso, FSE 2007.

Page 15: Precise Interface Identification to Improve Testing and Analysis of Web Applications

15

Subject Applications

Subject LOC Classes Servlets

Bookstore 19,402 28 27

Classifieds 10,702 18 18

Employee Directory 5,529 11 9

Events 7,164 13 12

Subjects available online from GotoCode.com

Page 16: Precise Interface Identification to Improve Testing and Analysis of Web Applications

16

RQ1: Efficiency

Bookstore Classifieds Employee Dir. Events0

1000

2000

3000

4000

5000

Ana

lysi

s Ti

me

(s)

1. High amount of infeasible paths in subjects2. Low number of constraints per parameter3. Web applications highly modular

WAMSE WAMDF DFW Spider

Page 17: Precise Interface Identification to Improve Testing and Analysis of Web Applications

17

RQ2: Precision

Bookstore Classifieds Employee Dir. Events0

100

200

300

400

Num

ber o

f Int

erfa

ces

On average, 80% of WAMDF

interfaces were spurious

WAMSE WAMDF

Page 18: Precise Interface Identification to Improve Testing and Analysis of Web Applications

RQ3: Usefulness

Measure improvement of three quality assurance techniques:

a) Invocation Verificationb) Penetration Testingc) Test Input Generation

18

Page 19: Precise Interface Identification to Improve Testing and Analysis of Web Applications

19

RQ3a – Invocation Verification

Approach False Positives False NegativesWAMDF 0% 50%

Spider 39% 0%

WAMSE 0% 0%

Verification of invocations for subject Bookstore

Web Application

getQuote.jsp buyPolicy.jspX

Page 20: Precise Interface Identification to Improve Testing and Analysis of Web Applications

20

RQ3b – Penetration Testing

Bookstore Classifieds Employee Dir. Events0

10

20

30

40

Num

ber o

f Vul

nera

bilit

ies

WAMSE WAMDF DFW Spider

Number of vulnerabilities: 2X – 6X higher for WAMSE

Page 21: Precise Interface Identification to Improve Testing and Analysis of Web Applications

21

RQ3c – Test Input Generation

Bookstore Classifieds EmployeeDir. Events5060708090

100

% Stmt.Coverage

Bookstore Classifieds EmployeeDir. Events10203040506070

% BranchCoverage

Bookstore Classifieds EmployeeDir. Events10

100

1000

# CommandForms

Branch coverage increase: 3%-67%

Statement coverage increase: 3%-25%

Command form increase: 651%-1,577%

WAMSE WAMDF DFW Spider

Page 22: Precise Interface Identification to Improve Testing and Analysis of Web Applications

22

RQ3c – Test Suite Size

Bookstore Classifieds Employee Dir. Events1000

10000

100000

1000000

Num

ber o

f Tes

t Cas

es

RQ3c results:1. Higher coverage for measured metrics2. Smaller average test suite

WAMSE WAMDF DFW Spider

Test suite decrease in size: 4X – 10X

Page 23: Precise Interface Identification to Improve Testing and Analysis of Web Applications

Summary of Results

• Developed interface identification technique for web applications based on symbolic execution.

• Empirical evaluation:• Similar analysis time to other techniques• More precise than current techniques• Improves quality assurance techniques

23


Recommended