1 / 34

Client and Server Verification for Web Services Using Interface Grammars

Client and Server Verification for Web Services Using Interface Grammars. Graham Huges, Tevfik Bultan, Muath Alkhalaf Department of Computer Science University of California, Santa Barbara. Outline. Motivation Interface Grammars Interface Compiler Interface Grammars for Web Services

guido
Download Presentation

Client and Server Verification for Web Services Using Interface Grammars

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript


  1. Client and Server Verification for Web Services Using Interface Grammars Graham Huges, Tevfik Bultan, Muath Alkhalaf Department of Computer Science University of California, Santa Barbara

  2. Outline • Motivation • Interface Grammars • Interface Compiler • Interface Grammars for Web Services • A Case Study • Conclusions

  3. Model Checking Software • Model checking • An automated software verification technique • Exhaustive exploration of the state space of a program to find bugs • Systematically explore all possible behaviors of a program • look for violations of the properties of interest • assertion violations, deadlock • Software model checkers: Verisoft, Java PathFinder (JPF), SLAM, BLAST, CBMC

  4. Two Challenges in Model Checking • State space explosion • Exponential increase in the state space with increasing number of variables and threads • State space includes everything: threads, variables, control stack, heap • Environment generation • Finding models for parts of software that are • either not available for analysis, or • are outside the scope of the model checker

  5. Modular Verification • Modularity is key to scalability of any verification technique • Moreover, it can help isolatingthe behavior you wish to focus on, removing the parts that are beyond the scope of your verification technique • Modularity is also a key concept for successful software design • The question is finding effective ways of exploiting the modularity in software during verification

  6. Interfaces for Modularity • How do we do modular verification? • Divide the software to a set of modules • Check each module in isolation • How do we isolate a module during verification/testing? • Provide stubs representing other modules (environment) • How do we get the stubs representing other modules? • Write interfaces • Interfaces specify the behavior of a module from the viewpoint of other modules • Generate stubs from the interfaces

  7. Our Approach: Interface Grammars Here is the basic use case for our approach: • User writes an interface grammar specifying the interface of a component • Our interface compiler automatically generates a stub from the interface grammar • Automatically generated stub provides the environment during modular verification

  8. Interface Grammars Interface Compiler Interface Grammar Component B Interface Grammar Component B Stub Component A Model Checker Component A

  9. An Example • An interface grammar for transactions • Specifies the appropriate ordering for calls to a transaction manager • Calls are the terminal symbols of the interface grammar Start→Base Base→beginTailBase | ε Tail→commit | rollback

  10. An Example • Consider the call sequence begin rollback begin commit • Here is a derivation: Start • Base • beginTail Base • begin rollbackBase • begin rollback beginTail Base • begin rollback begin commitBase • begin rollback begin commit Start→Base Base→beginTailBase | ε Tail→commit | rollback

  11. Another Example • This example can also be specified as a Finite State Machine (FSM) • However, the following grammar which specifies nested transactions cannot be specified as a FSM begin commit rollback Start→Base Base→beginBaseTailBase | ε Tail→commit | rollback

  12. Yet Another Example • Let’s add another operation called setrollbackonlywhich forces all the pending transactions to finish with rollback instead of commit • We achieve this by extending the interface grammars with semantic predicates and semantic actions Start→«r:=false; l:=0»Base Base→begin«l:=l+1»BaseTail «l:=l-1; if l=0 then r:=false»Base | setrollbackonly«r:=true»Base | ε Tail→«r=false»commit | rollback

  13. Interface Grammar Translation • Our interface compiler translates interface grammars to executable code: • the generated code is the stub for the component • The generated code is a parser that • parses the incoming calls • while making sure that the incoming calls conform to the interface grammar specification

  14. Verification with Interface Grammars Interface Compiler Interface Grammar Top-down parser Program parser stack invocation (lookahead) Component Stub parse table semantic predicates and semantic actions Model Checker

  15. Interface Grammars: Client vs. Server • Interface grammars can be used for • Client verification: Generate a stub for the server • Server verification: Generate a driver for the server Parser Client Stub Interface Compiler Interface Server Driver Sentence Generator

  16. Interface Grammars and Data • A crucial part of the interface specification is specifying the allowable values for the arguments and generating allowable return values • Approach 1: These can be specified in the semantic actions and semantic predicates of the interface grammars • Approach 2: Can we specify the constraints about the arguments and return values using the grammar rules? • Yes, grammar productions can be used to specify the structure of most recursive data structures.

  17. Modular Verification of Web Services • We applied our modular verification approach based on interface grammars to client and server side verification of Web services

  18. Interface Grammars for Web Services Our approach: • A WSDL-to-interface grammar translator automatically generates grammar productions that generate and/or validate XML arguments and return values • User adds control flow constraints by modifying the grammar • Interface compiler automatically generates a stub for client side verification and a driver for server-side verification

  19. Interface Grammars for Web Services

  20. A Case Study: AWS-ECS • We performed both client and server side verification for the Amazon E-Commerce Web Service (AWS-ECS) using our approach • AWS-ECS WSDL specification lists 40 operations • that provide differing ways of searching Amazon’s product database • We focused on the following core operations: • ItemSearch, CartCreate, CartAdd, CartModify, CartGet, CartClear

  21. Client Verification • For client verification we used a demonstration client provided by Amazon: AWS-ECS Java Sample • This client does not check any constraints such as • You should not try to insert an item to a shopping cart before creating a shopping cart • When such requests are sent to AWS-ECS they would return an error message • Using our approach we can easily check if the client allows such erroneous requests • We used the Java PathFinder (JPF) model checker • Falsification time changes with the type of faults we are looking for (data or control errors), changes from 10 to 60 seconds

  22. Client Verification Setup Web Service Client • The AWS-ECS Client uses Apache Axis SOAP library • Given a WSDL specification, Apache Axis automatically generates Java classes as wrappers for SOAP calls • We replaced the Java classes generated by Apache Axis and forwarded them to our automatically generated parser/server stub • We wrote a driver which non-deterministically generates input events for the Client, simulating user behavior • JPF model checker exhaustively explores all non-deterministic choices (both in the driver and the stub) Test Driver Server Stub Hand written Driver Automatically Generated Stub/Parser AWS-ECS Java Sample

  23. Input Validation Check • We checked if the client performs input validation upon receiving an input from the user before passing the corresponding request to the server • Possible erroneous inputs by the user • Type errors • For example: Entering a string for a numeric field • Nonsensical data • For example: Adding a nonexistent item to a nonexisting shopping cart • Uncorrelated data • For example: Search for an item but then try to insert another nonexisting one

  24. Input Validation Experiments with JPF

  25. Control-Flow Validation Check • Call sequences that can lead to errors • Such as modifying the contents of a cart after clearing it • We wrote a driver that: • First initializes the cart and • Then generates a sequence of user events non-deterministically • We experimented for different event sequence sizes

  26. Control-Flow Validation Experiments

  27. AWS-ECS: Server Verification • Our interface compiler automatically generates a driver that sends sequences of requests to AWS-ECS server and checks that the return values conform to the interface specification • The driver is a sentence generator • It generates sequences of SOAP requests based on the interface specification • We used two algorithms for sentence generation: • A random sentence generation algorithm • Purdom’s algorithm: A directed sentence generation algorithm that guarantees production coverage

  28. Directed Sentence Generation • Number of sentences generated: 5 • Average derivation length: 24 • Average number of SOAP requests/responses: 3.8 • Verification time: 20 seconds

  29. Random Sentence Algorithm • Number of sentences generated: 100 • Average derivation length: 17.5 • Average number of SOAP requests/responses: 3.2

  30. Server verification • We found two errors during server side verification • Errors were discovered within 10 seconds • These errors indicate a mismatch between the interface specification and the server implementation • It may mean that we misunderstood the description of the Web service interface • It may also mean that there is an error in the service implementation

  31. Conclusions • Modular verification is a necessity • Interfaces are crucial for modular verification • Interface grammars provide a new specification mechanism for interfaces • Interface grammars can be used for automated stub generation leading to modular verification for both client and server for verification of Web Services

  32. THE END

  33. Related Work: Interfaces • L. de Alfaro and T. A. Henzinger. Interface automata. • O. Tkachuk, M. B. Dwyer, and C. Pasareanu. Automated environment generation for software model checking. • A. Betin-Can and T. Bultan. Verifiable concurrent programming using concurrency controllers. • T. Ball and S. K. Rajamani. SLAM interface specification language. • G. T. Leavens et al.: JML

  34. Related: Grammar-based Testing • A. G. Duncan, J. S. Hurchinson: Using attributed grammars to test designs and implementations • P. M. Maurer: Generating test data with enhanced context free grammars • P. M. Maurer: The design and implementation of a grammar-based data generator • E. G. Sirer and B. N. Bershad: Using production grammars in software testing

More Related