A formal approach for run-time verification of web applications using scope-extended LTL
Introduction
Over the last two decades, the web has undergone a major evolution: from a set of plain hypertext information pages to applications implementing information management/gathering, commerce, software development, learning, and entertainment. Nowadays, the web influences our daily life in many ways, and, consequently, issues like correctness and performance have become key factors in the acceptance of web based applications.
This is particularly true since web applications interact with many components of the underlying infrastructure, have a very short development and evolution life cycle, and have to meet strict time to market requirements. This means that even small errors can have costly consequences as was the case with Microsoft Money in 2004, where many users were prevented from accessing their online portfolios for 4 days due to a server glitch [33]. Meanwhile, the ever growing user base of web applications has made it more difficult to predict the type of interactions users may have with an application [43]. All this motivates the need for thorough analysis and verification of web applications both during development and after deployment to ensure their conformance to high standards of quality, correctness and performance.
Currently, formal methods have gained momentum as a reliable solution to automate the analysis of various systems. In particular, software development communities are increasingly adopting formal techniques to perform different development activities such as requirement definition and elucidation, modeling and model transformation, testing, and property verification.
For example, model checking [11] has been used to verify various properties on models of systems. Model checking can be fully automatic and produce counterexamples that point to the violations when a model does not satisfy a given property. Yet, as is the case for most formal analysis methods, adoption of model checking tools remains relatively limited due mainly to problems like the lack of formal models, the inherent state space explosion problem, and of the lack of proper justification for its use especially for classes of properties whose verification does not explore concurrent behavior of the models.
Yet, for many distributed applications and properties, especially those specified in terms of events issued by concurrent processes, the need for model checking becomes clear and outweighs the doubts cast over its use.
In the case of Web applications (WAs), the reasoning about the use of model checking is similar. While analyzing simple web applications does not necessarily require the use of model checking techniques, the use of model checking in the analysis of web applications featuring multiple windows/tabs or a single window with multiple display areas is clearly needed and justified. The latter is specifically true for applications that use XHTML and the DOM [44], AJAX (Asynchronous Javascript and XML) [45], as well as Xframes (an emerging W3C recommendation that replaces HTML frames [46]). Throughout this paper, Xframes and frames will be used interchangeably.
As to the lack of models, especially in the case of inaccessible code, analysis in general has been applied to the traces an application/system produces when it is used. For this, predefined properties are used to analyze the application under test using model checking, when needed, or other techniques like search based methods [47], [48] or even manual inspection. In this paper, we propose a model checking based approach to the verification of WA with inaccessible source code against user defined properties. The model of the application under test is obtained from traces of the applications while properties of interest relate to both the business logic and ergonomics of the application. More specifically, the proposed approach breaks down into the following main steps:
- 1.
Modeling the Web Application Under Test (WAUT) in a language acceptable by a chosen model checker. We use Spin, the open source model checker that is used in many research and industrial projects. As described earlier, we use the execution traces of the WAUT recorded using a relevant monitoring tool, e.g., a proxy server. The traces are then converted into a communicating automata model representing the behavior of all the components of the WAUT including its windows and frames. In simple terms, the model states represent pages of the application while transitions represent events in the application causing transitions between different pages.
- 2.
Specifying properties of interest. These properties can represent both desired and undesired behaviors of the application. Properties will be mainly user defined and expressed in the property specification language of Spin, LTL.
- 3.
Checking the obtained model against the given properties. To do so, Spin computes the composition of all the component automata in the derived model and builds a graph containing the global states of the application. The graph is then inspected against the language of a property for containment.
Normally, in model checking based verification, all global states of the WAUT model are treated equally. This might trigger questions about the choice of model checking over known reachability algorithms to verify many properties like ones related to existence or occurrence of an event or sequences of events. In this work, we actually do not treat all the states of the obtained model equally. Instead, we distinguish between two types of global states: stable states, which represent pages that are fully loaded and completely displayed to the user; and transient states representing pages incompletely displayed or not fully loaded. Such distinction between stable and transient states is required in applications that use multiple displays, where a global state is stable when the all the pages displayed in windows/display areas are all fully loaded.
We argue in this paper that some properties are relevant to all the global states (stable and transient), while others should be verified only on either stable or transient global states. Thus, the ranges of states of interest become key factor to model checking web applications. For this reason, we propose a refinement of WAUT model by extending it with local variables and updates on them. This extension of the model enables us to properly designate stable and transient global states.
On the other hand, it is understood that specifying meaningful properties using formalisms like temporal logic is not always straightforward for both the novice and the expert. The process can get even more tricky when specifying complex properties that, in addition, need to be verified on certain parts of a given behavior, i.e., on particular subsets of the states of the system model. For this reason, we present, in this paper, a generic and practical method for specifying properties in LTL over subsets of states avoiding any changes to the application model. Our proposal is to extend LTL with designated operators for the specification of properties over a subset of states and use those operators to define the intended scope of a property. The new operators do not affect the expressiveness of LTL, but rather help specifying the properties of interest more intuitively and succinctly.
Finally, as a proof of the feasibility verification, we implement the web application verification approach in prototype tool based on the model checker Spin [24], where traces of a WAUT are used to model the application in Promela [24], and properties are specified using LTL. We also present real case studies from actual web applications to evaluate the approach and the toolset.
The remainder of the paper is organized as follows. Section 2 presents the modeling approach. It also discusses two algorithms. The first is to model an execution trace of a single window web application (explored by a human operator or a crawler) by an automaton. The second algorithm is to convert local traces into communicating automata, where local traces are the result of a proposed partitioning method of a single execution trace of a multi display/multi window web application. Section 3 discusses the features of the extracted models which may comprise stable and transient states. A model refinement is presented, which extends the automata model with variables and updates to designate stable/transient global states. In Section 4, a solution to the problem of specifying properties over subsets of the state space in LTL is discussed, where scope operators are introduced. In Section 5, a theoretical discussion is elaborated on properties of web applications that could be verified on the inferred model, and a proof that this model preserves those properties is presented. Also, the prototype implementation of the approach using Spin is presented and empirical results are discussed. In Section 6, comparison of the proposed approach to related work is presented. Finally, conclusions and contributions of this paper are presented in Section 7 and a future work is outlined. Note that formal proofs of theorems and propositions stated in this paper can be found in [20].
Section snippets
Automata-based modeling of web applications
The purpose of building a formal model for a Web Application Under Test (WAUT) is to verify whether the application exhibits certain predefined properties using model checking techniques. It is assumed in this paper that the properties specified in a temporal logic of a chosen model checker are composed of atomic propositions, and for each page, be it dynamic or static, the value of each proposition is uniquely determined by the content of the page. These propositions refer to the page
Extending web application model
In this section features of the extracted models of multi display applications are explained where some properties need not be verified on all the states. Then a model refinement is proposed by extending the automata model with variables.
Specifying web properties in LTL
Using the web model where stable and transient global states are distinguished, the problem of specifying properties over the scope of stable (transient) states only can now be tackled. To this end, a more general problem of a limited LTL expressiveness is addressed and new LTL operators are introduced, which can be used to specify more succinctly properties of systems over an arbitrary subset of the state space of a given system. Also, few examples of web related properties specified using the
Evaluation of the approach
In this section, we present a theoretical and empirical evaluation of the proposed approach. We first discuss the type of properties that are preserved in the inferred automata model. Then we present the implementation of the approach using Spin as well as the empirical results obtained.
Related work
The related work exists in two main research areas: formal modeling, verification, testing of web applications, and temporal logic extensions with scopes.
Formal modeling and verification of web applications is a relatively new research direction. Previous work on the topic includes modeling approaches that target the verification of such applications. Several results have also been obtained in web applications testing. De Alfaro [15] model a static web application as a directed graph. A node in
Conclusions and future work
In this paper, we presented a formal approach to build a finite automata model tuned to features of web applications that have to be validated, while delegating the task of property verification to an existing model checker. A black-box (dynamic) approach is followed by executing the WAUT and analyzing only its external behavior without any access to server programs or databases. The model built is a system of communicating automata representing all windows and frames of the WAUT. The existence
Acknowledgment
The authors acknowledge the contribution of Philipp Schuegerl (an intern of CRIM) to the development the prototype tool.
References (48)
- et al.
Testing web applications by modeling with FSMs
Software Systems and Modeling
(2005) - C. Artho, V. Schuppan, A. Biere, P. Eugster, M. Baur, B. Zweimüller, JNuke: Efficient Dynamic Analysis for Java, in:...
- H. Barringer, A. Goldberg, K. Havelund, K. Sen, Eagle Does Space Efficient LTL Monitoring, Technical Report, CSPP-25,...
- S.A. Becker, Ar. Hevner, A White Box Analysis of Concurrent System Designs, in: 10th Annual Intl. Phoenix Conf. on...
- I. Beer, S. Ben-David, C. Eisner, The Temporal Logic Sugar, in: 13th Intl. Conf. on Computer Aided Verification, LNCS:...
- M. Benedikt, J. Freire, P. Godefroid, VeriWeb: Automatically Testing Dynamic Web Sites, in: 11th Intl. World Wide Web...
- et al.
Systems and Software Verification: Model-Checking Techniques and Tools
(2001) - S. Boroday, A. Petrenko, J. Sing, H. Hallal, Dynamic Analysis of Java Applications for Multi Threaded Anti patterns,...
- S. Chaki, E.M. Clarke, J. Ouaknine, N. Sharygina, N. Sinha, State/Event-based Software Model Checking, in: 4th Intl....
- et al.
Model checking and abstraction
ACM Transactions on Programming Languages and Systems
(1994)
Model Checking
Automated test generation from a behavioral model
Modeling web application architectures with UML
Communications of the ACM
A graphical interval logic for specifying concurrent systems
ACM Transactions on Software Engineering and Methodology
A formal approach to property testing in causally consistent distributed traces
Formal Aspects of Computing
The Spin Model Checker, Primer and Reference Manual
Cited by (8)
A formal approach for the specification and verification of a Trustworthy Human Resource Discovery mechanism in the Expert Cloud
2015, Expert Systems with ApplicationsCitation Excerpt :The method was substantiated by verifying an automotive braking system model, with respect to particular functional and timing requirements. Haydar, Petrenko, Boroday, and Sahraoui (2013) have proposed an approach to verify and validate the existing web applications formally. The proposed approach executed traces of a web application to automatically generate a communicating automata model.
Behavioral modeling and automated verification of a Cloud-based framework to share the knowledge and skills of human resources
2015, Computers in IndustryCitation Excerpt :Also, automatic translation procedures from the design models in the NuSMV model checker's code are stated. As another research in this scope, Haydar and Petrenko [16] have proposed an approach to verify and validate the existing Web applications formally. The proposed approach executed traces of a web application to automatically generate a communicating automata model.
Efficient vulnerability detection based on an optimized rule-checking static analysis technique
2017, Frontiers of Information Technology and Electronic EngineeringASM-based formal design of an adaptivity component for a Cloud system
2016, Formal Aspects of ComputingModeling and formal analysis of a client-server application for cloud services
2016, Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)