Precise Interface Identification to Improve Testing and Analysis of

Web Applications

William G.J. Halfond,Saswat Anand, and Alessandro Orso

Georgia Institute of Technology

2

Example Web Application

Web Server

End Users

Initial Visit Web Application

getQuote.jsp

buyPolicy.jspQuote Information

http://host/getQuote.jsp?action=doquote&car=jeep

3

Interface Identification

public void write(File outfile, String buffer, int length)

Domain information

Grouping of parameters

1. Names of parameters2. Grouping of parameters3. Domain information

Parameter names

4

Example Web Application

Interface Domain Constraints

action = “checkeligibility” integer(age) age < 16

action = “checkeligibility” integer(age) age 16

public void service (HttpRequest req) 1. String aValue = req.getIP( “action” ) 2. if (aValue.equals( “checkeligibility” )) 3. int userAge = getNumIP( “age” ) 4. if (userAge < 16) 5. displayErrorMsg(“Too young.” ) 6. else 7. displayQuotePage( ) 8. if (aValue.equals( “doquote” )) 9. String nValue = req.getIP( “name” )

10. String carType = req.getIP( “type” )11. int carYear = getNumIP( “year” )12. calculateQuote(carType, carYear)

…

public int getNumIP(String name) 1. String value = getIP(name) 2. int param = Integer.parse(value) 3. return param

1. Names of parameters2. Grouping of parameters3. Domain information

Parameter Namesaction, age, name, type, year

Groupings of Parameters action

action, age

action, name, type, year

DynamicSpider

• Web spider crawls pages of application• Limitation: No guarantee of completeness

StaticDFW1:

• Identify parameter names via static analysis• Limitation: Only identifes parameter names

WAMDF2:

• Uses iterative data-flow analysis• Limitation: Assumes all paths feasible

Previous Approaches: Interface Identification

5

1. Deng, Frankl, Wang, SEN 2004.2. Halfond and Orso, FSE 2007.

(action, age, name, type, year)

1. String aValue = req.getIP( “action” ) 2. if (aValue.equals( “checkeligibility” ))

… 8. if (aValue.equals( “doquote” ))

4. if (userAge < 16) 5. displayErrorMsg(“Too young.” ) 6. else 7. displayQuotePage( )

Our Approach

Statically identify interfaces by using symbolic execution to model input parameters and domain constraining operations.

1. Program transformation2. Symbolic execution3. Interface identification

6

7

1 – Program Transformation

1. Introduce symbolic values

2. Replace domain-constraining operations

value getIP(name)

s new SymbolicValue()s.assignName(name)SymbolicState.add(s, value)return s

1. Accessing an input parameter2. Conversion to numeric type3. String comparison4. Arithmetic constraints

8

2 – Symbolic Execution

Symbolically execute the transformed web application -- track path conditions and symbolic state.

SymbolicExecution

Transformed Web Application

getQuote.jsp

buyPolicy.jsp

Path Conditionsc1 c2 c3

c3 c4 c5

Symbolic Statessaction aValuesyear carYear

9

2 – Access Input Parameters

1. String aValue = req.getIP( “action” )

(PC, SS)

(PC, SS[saction aValue])

PC = Path ConditionSS = Symbolic State

10

2 – String Comparison

(PC saction “checkeligibility”, SS[saction aValue])

(PC, SS[saction aValue])

2. if (aValue.equals( “checkeligibility” ))

8. if (aValue.equals( “doQuote” ))

1. String aValue = req.getIP( “action” )

(PC saction “checkeligibility”, SS[saction aValue])

TRUEFALSE

11

3 – Interface Identification

PC1 saction “checkeligibility” integer(sage) sage 16

PC2 saction “checkeligibility” integer(sage) sage 16

SS [saction aValue, sageuserAge]

1. String aValue = req.getIP( “action” ) 2. if (aValue.equals( “checkeligibility” )) 3. int userAge = getNumIP( “age” ) 4. if (userAge < 16) 5. displayErrorMsg(“Too young.” ) 6. else 7. displayQuotePage( )

…

12

Empirical Evaluation

Research Questions (RQ):1. Efficiency -- Is the new approach efficient in

terms of its analysis time requirements?

2. Precision -- Is the new approach more precise than previous approaches?

3. Usefulness -- Does the new approach improve the performance of quality assurance techniques?

13

Implementation: WAMSE

• Written in Java for Java Enterprise Edition (JEE) based web applications

• Implementation Modules1. TRANSFORM

• Customized JEE libraries• Stinger for analysis and automated transformation

2. SE ENGINE• Symbolic execution engine built on JavaPathFinder• Constraint solver is YICES

3. PC ANALYSIS

Implementation: Other Approaches

14

DynamicSpider

• Web spider crawls pages of application• OWASP Web Scarab Project

StaticDFW1:

• Identify parameter names via static analysis• Reimplementation of the author-provided code

WAMDF2:

• Uses iterative data-flow analysis• Implementation from previous work

1. Deng, Frankl, Wang, SEN 2004.2. Halfond and Orso, FSE 2007.

15

Subject Applications

Subject LOC Classes Servlets

Bookstore 19,402 28 27

Classifieds 10,702 18 18

Employee Directory 5,529 11 9

Events 7,164 13 12

Subjects available online from GotoCode.com

16

RQ1: Efficiency

Bookstore Classifieds Employee Dir. Events0

1000

2000

3000

4000

5000

Ana

lysi

s Ti

me

(s)

1. High amount of infeasible paths in subjects2. Low number of constraints per parameter3. Web applications highly modular

WAMSE WAMDF DFW Spider

17

RQ2: Precision

Bookstore Classifieds Employee Dir. Events0

100

200

300

400

Num

ber o

f Int

erfa

ces

On average, 80% of WAMDF

interfaces were spurious

WAMSE WAMDF

RQ3: Usefulness

Measure improvement of three quality assurance techniques:

a) Invocation Verificationb) Penetration Testingc) Test Input Generation

18

19

RQ3a – Invocation Verification

Approach False Positives False NegativesWAMDF 0% 50%

Spider 39% 0%

WAMSE 0% 0%

Verification of invocations for subject Bookstore

Web Application

getQuote.jsp buyPolicy.jspX

20

RQ3b – Penetration Testing

Bookstore Classifieds Employee Dir. Events0

10

20

30

40

Num

ber o

f Vul

nera

bilit

ies

WAMSE WAMDF DFW Spider

Number of vulnerabilities: 2X – 6X higher for WAMSE

21

RQ3c – Test Input Generation

Bookstore Classifieds EmployeeDir. Events5060708090

100

% Stmt.Coverage

Bookstore Classifieds EmployeeDir. Events10203040506070

% BranchCoverage

Bookstore Classifieds EmployeeDir. Events10

100

1000

# CommandForms

Branch coverage increase: 3%-67%

Statement coverage increase: 3%-25%

Command form increase: 651%-1,577%

WAMSE WAMDF DFW Spider

22

RQ3c – Test Suite Size

Bookstore Classifieds Employee Dir. Events1000

10000

100000

1000000

Num

ber o

f Tes

t Cas

es

RQ3c results:1. Higher coverage for measured metrics2. Smaller average test suite

WAMSE WAMDF DFW Spider

Test suite decrease in size: 4X – 10X

Summary of Results

• Developed interface identification technique for web applications based on symbolic execution.

• Empirical evaluation:• Similar analysis time to other techniques• More precise than current techniques• Improves quality assurance techniques

23