Eliminating navigation errors in web applications via model checking and runtime enforcement of navigation state machines

Authors:
Sylvain Hallé;Taylor Ettema;Chris Bunch;Tevfik Bultan
Affiliations:
Université du Québec à Chicoutimi, Chicoutimi, PQ, Canada;University of California Santa Barbara, Santa Barbara, CA, USA;University of California Santa Barbara, Santa Barbara, CA, USA;University of California Santa Barbara, Santa Barbara, CA, USA
Venue:
Proceedings of the IEEE/ACM international conference on Automated software engineering
Year:
2010

Citing 17
Cited 10

Hyperdocuments as automata: verification of trace-based browsing properties by model checking

ACM Transactions on Information Systems (TOIS)
Interface automata

Proceedings of the 8th European software engineering conference held jointly with 9th ACM SIGSOFT international symposium on Foundations of software engineering
NuSMV 2: An OpenSource Tool for Symbolic Model Checking

CAV '02 Proceedings of the 14th International Conference on Computer Aided Verification
Modeling Web-Based Dialog Flows for Automatic Dialog Control

Proceedings of the 19th IEEE international conference on Automated software engineering
Formal Framework for Automated Analysis and Verification of Web-Based Applications

Proceedings of the 19th IEEE international conference on Automated software engineering
Verifying Interactive Web Programs

Proceedings of the 19th IEEE international conference on Automated software engineering
Verifiable Web Services with Hierarchical Interfaces

ICWS '05 Proceedings of the IEEE International Conference on Web Services
A system for specification and verification of interactive, data-driven web applications

Proceedings of the 2006 ACM SIGMOD international conference on Management of data
Model Checking-based Verification of Web Application

ICECCS '07 Proceedings of the 12th IEEE International Conference on Engineering Complex Computer Systems
Provable Protection against Web Application Vulnerabilities Related to Session Data Dependencies

IEEE Transactions on Software Engineering
Aspect-Oriented Programming for Web Controller Layer

APSEC '08 Proceedings of the 2008 15th Asia-Pacific Software Engineering Conference
Using static analysis for Ajax intrusion detection

Proceedings of the 18th international conference on World wide web
Browser-Based Enforcement of Interface Contracts in Web Applications with BeepBeep

CAV '09 Proceedings of the 21st International Conference on Computer Aided Verification
A Model Checking-based Method for Verifying Web Application Design

Electronic Notes in Theoretical Computer Science (ENTCS)
Specification and Control of Interface Responses to User Input in Rich Internet Applications

ASE '09 Proceedings of the 2009 IEEE/ACM International Conference on Automated Software Engineering
Design verification of web applications using symbolic model checking

ICWE'05 Proceedings of the 5th international conference on Web Engineering
Relating navigation and request routing models in web applications

MODELS'07 Proceedings of the 10th international conference on Model Driven Engineering Languages and Systems

Runtime verification for the web: a tutorial introduction to interface contracts in web applications

RV'10 Proceedings of the First international conference on Runtime verification
Automated driver generation for analysis of web applications

FASE'11/ETAPS'11 Proceedings of the 14th international conference on Fundamental approaches to software engineering: part of the joint European conferences on theory and practice of software
Bounded verification of Ruby on Rails data models

Proceedings of the 2011 International Symposium on Software Testing and Analysis
Static detection of access control vulnerabilities in web applications

SEC'11 Proceedings of the 20th USENIX conference on Security
Unbounded data model verification using SMT solvers

Proceedings of the 27th IEEE/ACM International Conference on Automated Software Engineering
Extracting EFSMs of web applications for formal requirements specification

SAFECOMP'12 Proceedings of the 31st international conference on Computer Safety, Reliability, and Security
Metamodeling to Control and Audit E-Commerce Web Applications

International Journal of Electronic Commerce
Control-Flow integrity in web applications

ESSoS'13 Proceedings of the 5th international conference on Engineering Secure Software and Systems
Data model property inference and repair

Proceedings of the 2013 International Symposium on Software Testing and Analysis
Automated exploration and analysis of ajax web applications with WebMole

Proceedings of the 22nd international conference on World Wide Web companion

Quantified Score

Hi-index	0.00

Visualization

Abstract

The enforcement of navigation constraints in web applications is challenging and error prone due to the unrestricted use of navigation functions in web browsers. This often leads to navigation errors, producing cryptic messages and exposing information that can be exploited by malicious users. We propose a runtime enforcement mechanism that restricts the control flow of a web application to a state machine model specified by the developer, and use model checking to verify temporal properties on these state machines. Our experiments, performed on three real-world applications, show that 1) our runtime enforcement mechanism incurs negligible overhead under normal circumstances, and can even reduce server processing time in handling unexpected requests; 2) by combining runtime enforcement with model checking, navigation correctness can be efficiently guaranteed in large web applications.