1 / 30

Relational Constraint Driven Test Case Synthesis for Web Applications

Relational Constraint Driven Test Case Synthesis for Web Applications. Dr. Xiang Fu Assistant Professor Department of Computer Science Hofstra University. Outline. Introduction Path Transducer Model Relational Constraint Call Sequence Synthesis Detecting Workflow Attack

tory
Download Presentation

Relational Constraint Driven Test Case Synthesis for Web Applications

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Relational Constraint Driven Test Case Synthesis for Web Applications Dr. Xiang FuAssistant ProfessorDepartment of Computer ScienceHofstra University

  2. Outline • Introduction • Path Transducer Model • Relational Constraint • Call Sequence Synthesis • Detecting Workflow Attack • Related Work and Conclusion

  3. Web Application and Database Databases Web Server

  4. Testing Web App & DB • Traditionally, SQLUnit & DBUnit • ManualTest Case Design • Reverse Inference of DB State • Given Query & Expected Result • Generate Initial DB Instance • Our Problem: Synthesis Problem • Given Database State • Synthesize Call Sequence of Servlets

  5. Our Proposal • White-box Analysis • (1) Interface Extraction  Path Transducers • (2) Coverage Goal Extraction • (3) Call Sequence Generation • Adaptation  Discover Workflow Attacks

  6. Path Transducer Model • Servlet  Path Transducers • Relational Transducer that Models One Execution Path • Path Condition • Side Effects to DB Servlet

  7. Path Transducer Model • Relational Data Schema • Input Domain • Finite Set of Session Variables • Boolean Combination of Terms • Equality • v’ = v + 1 • Satisfiability Check

  8. Relational Algebra Formula • Selection • Projection • Cross Product • Union • Difference

  9. Motivating Example SimpleScarf Login.php ShowSessions.php GenOptions.php AddMember.php InsertSession.php

  10. Database Schema Users Sessions vchar uname intsid vcharpwd vcharsname Members intsid vchar uname

  11. ShowSessions.php

  12. Path Transducer of ShowSession • Check Valid Session Var#uname • Select Session Info • No Side Effects

  13. InsertSession.php • User Specify New Session Name $SI • Update Relation Sessions

  14. AddMember.php • Takes Two Parameters • $uA: User Name • $sA: Session Name • Add Membership Info

  15. Generaloptions.php • Add User: One of Many Functions Available • Takes Two Parameters • $uG: User name • $pG: Password Encrypt Password Password Rules Encoded Using String Constraint

  16. Login.php • Given Two Parameters • $uL: user name • $pL: password • When Success, Update Session Variable • #u: Session Variable on user name

  17. Solving Relational Constraint • Key to Synthesis • Khurshid’s Approach [ASE’08] • Translate to Alloy

  18. Pre/Post Images Post Image Transition System

  19. Key Problem: Satisfiability Check Join of Session and Membership Select Session Name ‘s1’ Project to uname Find users in paper session ‘s1’ but not in ‘s2’ Goal: Find DB Instance Satisfies query

  20. Translation of Data Schema

  21. Translation Part II

  22. Experimental Results

  23. Call Sequence Synthesis Coverage Goal: Line # 45 CALL SeqSynthesis Algorithm List of HTTP Requests Path Transducers

  24. Heuristic Algorithm • Knowledge In Advance: • (1) Each Path Transducer – Transition System (Relational Logic) • (2) Relations being Modified (add, drop, modify) • (3) Session Varsbeing Modified • Algorithm: Backtrack ϒ’ = Pre(H’, ϒ) Current Constraint Heuristic to pick to the next servlet: watch the difference between the relations in the current constraints and target constraints. “Insertion” has priority HTTP Request (Η’,ϒ’) (Η,ϒ)

  25. Example: Coverage Target Coverage Goal Target Constraint: True Initial Constraint: Path Transducer:

  26. Pre-Image Computation Transition Post-Image Standard Existential Quantification M and #u modified! Next servlet: AddMember or Login Compare Initial Constraint:

  27. Constraint in Last Step 1.07 seconds for generating the model by ALLOY

  28. Workflow Attack EnterAddr ChargeCC GenReceipt PrintShipping How to Detect Workflow Attack? Static Analysis for ALL URLS that could be generated by a servlet Modify the Backtrack algorithm for locating an “abnormal” link not in the ALL_URLs set Database manipulation TAKEN CARE OF.

  29. Conclusion • Proposal of Several Interesting Directions • Extraction of Path Transducer Model • Solving Relational Constraints • Call Sequence Synthesis Algorithm • Extension for Detecting Workflow Attacks • Future Directions • Implementation …

  30. Related Work • Interface Extraction • [Halfond’FSE07], [Halfond’FSE’08] • Relational Transducer • [Abiteboul’JCSS00] • Query Aware Relational Constraint Solving • [Binnig’ICDE07, Khalek’ICSE08] • Session Based Testing of Web App • [Elbaum’TSE05, Sampath’ASE05, Sprenkle’FSE05]

More Related