Abstract Model Checking of Web Applications Using Java PathFinder



Similar documents
Towards a Framework for Generating Tests to Satisfy Complex Code Coverage in Java Pathfinder

Introduction of Virtualization Technology to Multi-Process Model Checking

Trace Server: A Tool for Storing, Querying and Analyzing Execution Traces

Model Checking: An Introduction

Building Java Servlets with Oracle JDeveloper

If you wanted multiple screens, there was no way for data to be accumulated or stored

Teaching Software Model Checking

ACM Crossroads Student Magazine The ACM's First Electronic Publication

Model Checking of Software

WIRIS quizzes web services Getting started with PHP and Java

VIRTUAL LABORATORY: MULTI-STYLE CODE EDITOR

Announcements. Comments on project proposals will go out by in next couple of days...

Java 2 Web Developer Certification Study Guide Natalie Levi

Building a Multi-Threaded Web Server

Using DOTS as Apache Derby System Test

Java C# Tutorial on Thread Management and Network Marketing Model

Description: Maintenance review of the JDBC RowSets 1.0 Specification. Feedback: Comments should be sent to

Database Applications Recitation 10. Project 3: CMUQFlix CMUQ s Movies Recommendation System

ABSTRACT INTRODUCTION. driver for Java is capable of sending SQL statements, to access and update SAS data.

Web Service Caching Using Command Cache

Java 7 Recipes. Freddy Guime. vk» (,\['«** g!p#« Carl Dea. Josh Juneau. John O'Conner

Toward Automated Detection of Logic Vulnerabilities in Web Applications

Java Application Developer Certificate Program Competencies

Glassfish, JAVA EE, Servlets, JSP, EJB

Synthesizing Monitors for Safety Properties

HW3: Programming with stacks

Java EE Introduction, Content. Component Architecture: Why and How Java EE: Enterprise Java

SQL and Java. Database Systems Lecture 19 Natasha Alechina

CS 2112 Spring Instructions. Assignment 3 Data Structures and Web Filtering. 0.1 Grading. 0.2 Partners. 0.3 Restrictions

Optimizing Generation of Object Graphs in Java PathFinder

Web Programming: Announcements. Sara Sprenkle August 3, August 3, Assignment 6 due today Project 2 due next Wednesday Review XML

Applying Model Checking in Java Verification

Database Access from a Programming Language: Database Access from a Programming Language

Database Access from a Programming Language:

Abstract. Introduction. Web Technology and Thin Clients. What s New in Java Version 1.1

Model Checking based Software Verification

Software safety - DEF-STAN 00-55

Journal of Mathematics Volume 1, Number 1, Summer 2006 pp

Model Checking of Concurrent Algorithms: From Java to C

1. Introduction 1.1 Methodology

The HTTP Plug-in. Table of contents

Usability. Usability

Generating Automated Test Scripts for AltioLive using QF Test

CS346: Database Programming.

What Is Specific in Load Testing?

Comparing the Effectiveness of Penetration Testing and Static Code Analysis

TABLE OF CONTENTS...2 INTRODUCTION...3 APPLETS AND APPLICATIONS...3 JAVABEANS...4 EXCEPTION HANDLING...5 JAVA DATABASE CONNECTIVITY (JDBC)...

Creating Java EE Applications and Servlets with IntelliJ IDEA

2.8. Session management

Japan Communication India Skill Development Center

HP OO 10.X - SiteScope Monitoring Templates

Python Checker. Computer Science Department

Overview Motivating Examples Interleaving Model Semantics of Correctness Testing, Debugging, and Verification

Servlets. Based on Notes by Dave Hollinger & Ethan Cerami Also, the Online Java Tutorial by Sun

No no-argument constructor. No default constructor found

Ch-03 Web Applications

Using Database Metadata and its Semantics to Generate Automatic and Dynamic Web Entry Forms

Basic Unix/Linux 1. Software Testing Interview Prep

Chapter 5. Regression Testing of Web-Components

CS506 Web Design and Development Solved Online Quiz No. 01

CSI 2132 Lab 8. Outline. Web Programming JSP 23/03/2012

Web Services Development Kit

Building Web Applications, Servlets, JSP and JDBC

Merkle Hash Trees for Distributed Audit Logs

2 Introduction to Java. Introduction to Programming 1 1

EVALUATION ONLY. WA2088 WebSphere Application Server 8.5 Administration on Windows. Student Labs. Web Age Solutions Inc.

RenderStorm Cloud Render (Powered by Squidnet Software): Getting started.

SysPatrol - Server Security Monitor

JDBC (Java / SQL Programming) CS 377: Database Systems

The Model Checker SPIN

Java Server Pages and Java Beans

Experimental Comparison of Concolic and Random Testing for Java Card Applets

EVALUATION. WA1844 WebSphere Process Server 7.0 Programming Using WebSphere Integration COPY. Developer

SAP Business Objects Business Intelligence platform Document Version: 4.1 Support Package Data Federation Administration Tool Guide

COSC344 Database Theory and Applications. Java and SQL. Lecture 12

Delivering Quality in Software Performance and Scalability Testing

CSc 230 Software System Engineering FINAL REPORT. Project Management System. Prof.: Doan Nguyen. Submitted By: Parita Shah Ajinkya Ladkhedkar

Japan Communication India Skill Development Center

Automata-Based Verification of Temporal Properties on Running Programs Dimitra Giannakopoulou Klaus Havelund

How To Understand The Architecture Of Java 2Ee, J2Ee, And J2E (Java) In A Wordpress Blog Post

ONLINE EXERCISE SYSTEM A Web-Based Tool for Administration and Automatic Correction of Exercises

2. Follow the installation directions and install the server on ccc

Model Checking II Temporal Logic Model Checking

Replication on Virtual Machines

Listeners. Formats. Free Form. Formatted

Introduction to Automated Testing

11.1 Web Server Operation

Migrating to vcloud Automation Center 6.1

CS 377 Database Systems SQL Programming. Li Xiong Department of Mathematics and Computer Science Emory University

UML-based Test Generation and Execution

VeriTech - A Framework for Translating among Model Description Notations

Using Netbeans and the Derby Database for Projects Contents

An Overview of Java. overview-1

Japan Communication India Skill Development Center

Applets, RMI, JDBC Exam Review

7 Web Databases. Access to Web Databases: Servlets, Applets. Java Server Pages PHP, PEAR. Languages: Java, PHP, Python,...

An Oracle White Paper July Oracle Primavera Contract Management, Business Intelligence Publisher Edition-Sizing Guide

Formal Verification by Model Checking

Integrated Error-Detection Techniques: Find More Bugs in Java Applications

White Paper March 1, Integrating AR System with Single Sign-On (SSO) authentication systems

Transcription:

1 26 (2009 ) Abstract Model Checking of Web Applications Using Java PathFinder Vinh Cuong Tran Yoshinori Tanabe Masami Hagiya Due to the interleaving of clients and servers, verifying web applications is a hard task. Bugs may occur only on particular scenarios, but testing all of them manually is almost impossible. To overcome the difficulty, we propose a framework for source code model checking of web applications. We use abstraction techniques to avoid state explosion. When model checking is conducted, various libraries including those for database access are replaced with their abstract versions so that the code of the target application can be verified without modification. Web clients are replaced with driver classes, which automatically generate possible scenarios with the help of the model checker. In this paper, we report a first verification attempt based on the proposed framework with a small web application built on the J2EE framework. We create abstract classes for servlets, HTTP requests and responses, SQL result sets, and so on, and the driver is executed by the model checker Java PathFinder to test all possible execution scenarios. 1 Introduction With the rapid spread of the internet, more and more systems have been re-engineered into web applications (WA), such as online banking systems and e-payment systems. Since WAs are multithreaded by nature, model checking is a powerful technique for verification of WAs. In this paper, we propose a framework for verification of Java WAs at the source code level. Specifically, we deal with WAs that are implemented using the J2EE servlet technology [2]. Although much work has been done on model checking of WAs, most of the previous work focuses on verifying the relationship among web pages in a WA [7] [3]. MCWEB [3] models web pages in a WA with a graph called webgraph. Every node in the webgraph represents a web page with edges, each of which is labeled with the name of a frame or an Java PathFinder,,,, Graduate School of Information Science and Technology, The University of Tokyo anchor. MCWEB can analyze path properties of pages in the WA, such as the connectivity of pages, i.e., whether there is a path from every page to the home page, and cost properties, e.g., the number of pages to be downloaded. The work by Donini, et al. [7] employs Computation Tree Logic to verify the design of a WA written in UML using the SMV model checker [8]. In contrast to the above approaches, our framework directly verifies Java implementation of a WA using Java PathFinder (JPF), which is a generalpurpose extensible model checker for Java bytecode [11]. When model checking is conducted, various libraries including those for J2EE servlets are replaced with their abstract versions, while the source code of the WA is not changed. The abstract versions of the servlet libraries automatically analyze possible links between servlets. Web clients are replaced with driver classes, which automatically generate possible scenarios with the help of the model checker. As far as we know, the most extensive work on verification of WAs was done in the development of the SAVE environment by Fujitsu Ltd [9]. In their environment, a WA is model-checked together with drivers and stubs, where the drivers are automatically generated to cover a suitable set of user inter-

2 26 (2009 ) Fig. 1 WA deployed in the J2EE framework actions and the stubs implement external functions such as databases and file systems. Their verification relies on symbolic execution of JPF, which was recently introduced [4]. On the other hand, we only use the ordinary finite model checking of JPF, which is stable and efficient. Abstraction is realized in the abstract versions of libraries, including the drivers and the stubs, e.g., the abstract library for database access. For each kind of abstraction, we prepare the abstract libraries that realize the abstraction. For example, in the case study presented below, we realize the specific-generic abstraction to verify the behavior of a student in a report-submission web application. In our framework, although the source code of the WA is not changed, the entire application can be model-checked using JPF, yielding a finite state space. 2 Framework The structure of a WA, which is implemented using the servlet technology, can be depicted as in Figure 1. A WA basically consists of a set of classes called servlets, which usually extend the HttpServlet class in the J2EE framework. Clients can access the WA, which is deployed in a web server, through applications such as browsers and applets. Between the WA and the web server is the J2EE platform, which provides a container for servlets [1]. The container provides environmental information in the web server, extracts inputs from a client, and sends outputs to the web server on behalf of servlets. Beside the libraries provided by J2EE, the WA may use other libraries, e.g., the JDBC for accessing a database management system. All the application classes and framework classes on the server side are executed by a normal Java Virtual Machine (JVM), which is usually called host JVM. Fig. 2 WA verified by Java PathFinder When we verify the WA by JPF, we replace the libraries in the J2EE framework and other libraries including the library for database access with the corresponding abstract libraries. Note that the source code of the servlets of the WA is not touched for verification. We explain the abstract libraries used for the case study in the next section. They realize the specificgeneric abstraction as we mentioned in the previous section. In order to verify a WA, it is necessary to cover all possible scenarios of interactions between the clients and the server. We gather the clients (browsers), the HTTP server and the J2EE platform in Figure 1 into one system, called the driver, which simulates all (or more than) possible scenarios between the clients and the server, and behaves as the abstract container, by calling the servlets of the WA and interpreting (abstract) outputs from the servlets. The entire system is then executed for verification on a customized JVM, which is a part of JPF. In summary, the proposed framework uses Java as the only language both for implementation and abstraction, and uses JPF as the only tool. We hope that this monolithic nature will make the framework practical. 3 Case Study To show the rationale behind our approach, we choose to verify a simple real-world reportsubmission system. The system allows students to submit reports, and a teacher to grade submitted reports. Students data and submitted reports are stored in a database table. After login, the teacher gets a list of reports which have been submitted but not graded. The fragment of code in Listing 1 is an implementation of a servlet that displays the

26 (2009 ) 3 Listing 1 A fragment of a teacher s servlet the J2EE framework and for database access. public class TeacherHomeServlet extends HttpServlet { protected void processrequest ( HttpServletRequest request, response. setcontenttype (" text / html ; charset =UTF -8"); PrintWriter out = response. getwriter (); try { out. println ("<html >"); out. println ("<head >"); out. println ("<title > </ title >\n"); out. println (" </head >\n"); out. println ("<body >\n"); out. println ("<h2 > </h2 >\n"); try { String query =" SELECT S. stuid FROM stmana S " + " WHERE S. grade = -1 "; Object flag = getservletcontext (). getattribute ("flag "); if ( flag!= null && ( Boolean ) flag ) { ResultSet result = executequery ( query ); while ( result. next ()) { String stuid = result. getstring (1); out. println ("<a href =\" " + response. encodeurl (" gradereport? sid ="+ stuid ) +"\" >"+ stuid +" </a><br >"); out. println ("<br >"); result. close (); else { out. println (" <br >\n"); out. println ("<a href =\" " + request. getcontextpath () + "/ logout \" > </a><br >\n"); out. println (" </body >"); out. println (" </html >"); finally { out. close (); catch ( SQLException ex) { Logger. getlogger ( TeacherHomeServlet. class. getname ()). log ( Level. SEVERE, null, ex ); protected void doget ( HttpServletRequest request, processrequest ( request, response ); protected void dopost ( HttpServletRequest request, processrequest ( request, response ); public String getservletinfo () { return " Teacher Home servlet "; reports that have not been graded. Beside the default detection of JPF for deadlocks, uncaught exceptions, etc., we want to check if there is any student whose report is not graded when the student list displayed to the teacher is empty and all students have finished submission. To reduce the size of state space significantly without overlooking possible bugs, we employ the specificgeneric abstraction explained in the next section. 4 Abstraction Abstraction is not only useful but also crucial in model checking [5], because it can reduce an infinite state space into a finite one. In this work, we apply abstraction to the driver and the libraries in 4. 1 Specific-Generic Abstraction In the report-submission system, since there can be any number of students who submit reports and there can be any number of reports submitted, the state space of the system is virtually infinite without abstraction. The specific-generic abstraction is a method that focuses on one particular element of a set, which is called the Specific object, and maps the remaining elements to one object, which is called the Generic object. In the report-submission system, we want to check if there exists any student whose report has been submitted but has not been graded yet. The specific-generic abstraction is applicable because the specific student that the method focuses on is represented by the Specific Object, while other students are represented by the Generic object. A set of students is then abstracted to a set of the Specific object and the Generic object. 4. 2 Abstract classes in the reportsubmission system Whenever the teacher queries for reports that have not been graded, there are two possible cases. The first case is that the specific student has not submitted a report, or the report of the specific student has already been graded. Thus the result of the teacher s query does not contain the report of the specific student. The second case is that the specific student has submitted a report and the report has not been graded yet. In both cases, the generic student may or may not have submitted a report. Thus, we need only two states as the contents of the abstract version of the database. The (concrete) database access class is abstracted to a class, which has the same interface as the concrete one. The executequery method of the abstract database access class checks whether a query is UPDATE, INSERT or SELECT, and then takes appropriate actions on the database. For a SE- LECT query, one of the two objects of a class implementing the java.sql.resultset interface is returned. Each object corresponds to the two states of the database. The object is then returned to the servlet that makes the SELECT query. Since

4 26 (2009 ) Listing 2 A class implementing ResultSet public class ResultSetWSpecific implements ResultSet { enum State {BOTH, GENERIC_ONLY, EMPTY ; private State curstate ; private String returnstring ; public ResultSetWSpecific () { this. curstate = State. BOTH ; this. returnstring = null ; public String getstring ( int columnindex ) { if ( columnindex > 1) assert false ; return returnstring ; public boolean next () throws SQLException { boolean ret = curstate!= State. EMPTY ; switch ( curstate ) { case BOTH : int nextstate = Verify. getint (0,2); switch ( nextstate ) { case 0: returnstring = genericstring ; case 1: returnstring = specificstring ; curstate = State. GENERIC_ONLY ; case 2: returnstring = specificstring ; curstate = State. EMPTY ; default : assert false ; case GENERIC_ONLY : if ( Verify. getint (0,1) == 0) { else { curstate = State. EMPTY ; returnstring = genericstring ; case EMPTY : returnstring = null ; return ret ; these abstract classes conform to the J2EE API, we do not need to rewrite the source code of the WA. Listing 2 shows one of the classes that implement the ResultSet interface. After receiving the abstract result of the query, the servlet calls the next method on the result to retrieve its elements. Each element contains a student as the owner of the report, and the student is determined by a transition system depicted in Figure 3. The servlet then generates the output to the client by calling the print and println methods on the writer associated with the response of the servlet. The writer class is also replaced with an abstract class for verification. The print and println methods of the abstract class parse the output onthe-fly to get the relevant information for building the input to the next servlet. Unimportant inputs to servlets are abstracted to a dummy string, and outputs from servlets are parsed on-the-fly as explained above and imme- Fig. 3 Transition System of Abstract Student Set. diately discarded after relevant information is obtained. 5 Result We prepared two versions of the application. In one version, a bug was implemented so that in some sequences of submission, a report may not be graded by the teacher. In the other version, the bug was fixed. Our system detected the bug in the first version almost immediately. For the second version, the model checker ran for four minutes and thirty-four seconds to explore all 2360 states, and reported that there was no bug remained. The experiment was conducted on a laptop PC with PentiumM 1.7GHz CPU with 1GB memory. 6 Future work Through the case study, we have identified several pieces of work that are needed to be done before model-checking real-world WAs in the proposed approach. In the case study, scenarios of interactions between the clients and the server are generated, as the output from a servlet is parsed to build the input to the next servlet. Although the generation of scenarios was automatic, their coverage depended on an initial setting, which specifies the order of execution of servlets, the number of threads, and so

26 (2009 ) 5 on. Methods to help define an appropriate initial setting need to be investigated. As for abstraction, we need to identify and provide those kinds of abstraction that are useful for verifying WAs. Automation of abstraction is also possible as in Bandera [6]. In particular, we need a method to automatically abstract a database by specifying how to abstract attributes of the database. In the current framework of abstraction, in which concrete classes are replaced with abstract classes, we need to replace basic data with objects in order to apply abstraction to them. We can also use symbolic execution of JPF for integers [4]. However, even more and more advances are made in abstraction, it is not possible to verify all existing WAs in our framework. Instead, we plan to provide a well defined set of concrete/abstract libraries together with design patterns of WAs, so that WAs developed by the design patterns can be verified with the abstract libraries without modification of their source code. In our previous work, we implemented the LTL library to make it possible to verify LTL properties using JPF [10]. We can immediately apply our LTL library to the proposed framework to verify liveness properties of such as if a student submitted report, then that report will eventually be graded. We can also use the LTL library to avoid errors caused by lack of fairness in thread scheduling. References [ 1 ] Java platform, enterprise edition. http://java. sun.com/javaee/technologies/javaee5.jsp. [ 2 ] Java servlet technology. http://java.sun.com/ products/servlet/. [ 3 ] Luca De Alfaro. Model checking the world wide web. In Computer Aided Verification, pages 337 349. Springer-Verlag, 2001. [ 4 ] Saswat Anand, Corina Pasareanu, and Willem Visser. JPF SE: A symbolic execution extension to java pathfinder. In TACAS, volume 4424 of LNCS, pages 134 138. Springer, 2007. [ 5 ] Edmund M. Clarke, Orna Grumberg, and David E. Long. Model checking and abstraction. ACM Transactions on Programming Languages and Systems, 16(5):1512 1542, September 1994. [ 6 ] James C. Corbett, Matthew B. Dwyer, John Hatcliff, Shawn Laubach, Corina S. Pasareanu, Robby, and Hongjun Zheng. Bandera: Extracting finite-state models from java source code. In In Proceedings of the 22nd International Conference on Software Engineering, pages 439 448. ACM Press, 2000. [ 7 ] Francesco M. Donini, Marina Mongiello, Michele Ruta, and Rodolfo Totaro. A model checking-based method for verifying web application design. Electr. Notes Theor. Comput. Sci., 151(2):19 32, 2006. [ 8 ] K. L. McMillan. The SMV system. http: //www.cs.cmu.edu/ modelcheck/smv.html. [ 9 ] Sreeranga P. Rajan, Indradeep Ghosh, Oksana Tkachuk, Mukul R. Prasad, Praveen K. Murthy, Ryusuke Masuoka, Tadahiro Uehara, Kazuki Munakata, Kenji Oki, and Hirotaka Hara. Software applications validation environment: SAVE. In Fujitsu Scientific & Technical Journal (FSTJ), volume 43, 2007. [10] Vinh Cuong Tran, Hideki Hashimoto, Yoshinori Tanabe, and Masami Hagiya. Verification of java programs under fairness assumption. In 25th Japan Society of Software Science and Technology Annual Symposia, 2008. [11] Willem Visser, Klaus Havelund, and Guillaume Brat. Model checking programs. In Automated Software Engineering Journal, pages 3 12, 2000.

2024 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information