
Rubicon: bounded verification of web applications

Published: 11 November 2012

Abstract

Rubicon is a verifier for web applications. Specifications are written in an embedded domain-specific language and are checked fully automatically. Rubicon is designed to fit with current practices: its language is based on RSpec, a popular testing framework, and its analysis leverages the standard Ruby interpreter to perform symbolic execution (generating verification conditions that are checked by the Alloy Analyzer). Rubicon has been evaluated on five open-source applications; in one, a widely used customer relationship management system, a previously unknown security flaw was revealed.



Published In

FSE '12: Proceedings of the ACM SIGSOFT 20th International Symposium on the Foundations of Software Engineering
November 2012
494 pages
ISBN:9781450316149
DOI:10.1145/2393596
Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than ACM must be honored. Abstracting with credit is permitted. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. Request permissions from permissions@acm.org

Publisher

Association for Computing Machinery

New York, NY, United States


Author Tags

  1. Alloy analyzer
  2. Alloy language
  3. RSpec
  4. Ruby on rails
  5. lightweight formal methods
  6. programming languages
  7. symbolic execution
  8. web applications

Conference

SIGSOFT/FSE'12

Acceptance Rates

Overall Acceptance Rate 17 of 128 submissions, 13%

Cited By

  • Grisette: Symbolic Compilation as a Functional Programming Library. Proceedings of the ACM on Programming Languages 7(POPL):455-487, 11 January 2023. doi:10.1145/3571209
  • Verification of ORM-based controllers by summary inference. Proceedings of the 44th International Conference on Software Engineering, pages 2340-2351, 21 May 2022. doi:10.1145/3510003.3510148
  • Synthesizing database programs for schema refactoring. Proceedings of the 40th ACM SIGPLAN Conference on Programming Language Design and Implementation, pages 286-300, 8 June 2019. doi:10.1145/3314221.3314588
  • Inductive verification of data model invariants in web applications using first-order logic. Automated Software Engineering 26(2):379-416, 1 June 2019. doi:10.1007/s10515-018-0249-2
  • A Bounded Model Checking Technique for Higher-Order Programs. Dependable Software Engineering. Theories, Tools, and Applications, pages 1-18, 18 November 2019. doi:10.1007/978-3-030-35540-1_1
  • A Documentation-based Constraint Generation Method for Java APIs. Proceedings of the 10th Asia-Pacific Symposium on Internetware, pages 1-10, 16 September 2018. doi:10.1145/3275219.3275229
  • Verifying equivalence of database-driven applications. Proceedings of the ACM on Programming Languages 2(POPL):1-29, 27 December 2017. doi:10.1145/3158144
  • Symbolic types for lenient symbolic execution. Proceedings of the ACM on Programming Languages 2(POPL):1-29, 27 December 2017. doi:10.1145/3158128
  • Insertion of PETSc in the OpenFOAM Framework. ACM Transactions on Modeling and Performance Evaluation of Computing Systems 2(3):1-19, 8 August 2017. doi:10.1145/3098821
  • Fast Power and Energy Management for Future Many-Core Systems. ACM Transactions on Modeling and Performance Evaluation of Computing Systems 2(3):1-31, 5 September 2017. doi:10.1145/3086504
