CS 290C: Formal Models for Web Software
Lecture 1: Introduction
Instructor: Tevfik Bultan
Web Software Everywhere
• Commerce, entertainment, social interaction
• We will rely on web apps more in the future
• Web apps + cloud will make desktop apps obsolete
Why are web applications so popular?
• Ease of access
– You can access a web application from any computer
with an internet connection
– A lot of them are free
• Centralized data storage
– You do not need to keep carrying a memory stick with
you and keep copying files
• Easy to upgrade and maintain
– Do not need to keep re-installing the new versions
– Developers can update the software on the server side
NSF website
HTTP Status 500 type Exception report
message
description The server encountered an internal error () that prevented it from fulfilling this request.
exception
javax.servlet.ServletException: flp.fl_appl_stts not found. Specify owner.objectname or use sp_help to check whether the object e
org.apache.jasper.runtime.PageContextImpl.doHandlePageException(PageContextImpl.java:830)
org.apache.jasper.runtime.PageContextImpl.handlePageException(PageContextImpl.java:763)
org.apache.jsp.fastlane_jsp._jspService(fastlane_jsp.java:242)
org.apache.jasper.runtime.HttpJspBase.service(HttpJspBase.java:105)
javax.servlet.http.HttpServlet.service(HttpServlet.java:860)
org.apache.jasper.servlet.JspServletWrapper.service(JspServletWrapper.java:336)
org.apache.jasper.servlet.JspServlet.serviceJspFile(JspServlet.java:302)
org.apache.jasper.servlet.JspServlet.service(JspServlet.java:251)
javax.servlet.http.HttpServlet.service(HttpServlet.java:860)
org.apache.jasper.runtime.PageContextImpl.doForward(PageContextImpl.java:675)
org.apache.jasper.runtime.PageContextImpl.forward(PageContextImpl.java:642)
org.apache.jsp.index_jsp._jspService(index_jsp.java:44)
org.apache.jasper.runtime.HttpJspBase.service(HttpJspBase.java:105)
javax.servlet.http.HttpServlet.service(HttpServlet.java:860)
org.apache.jasper.servlet.JspServletWrapper.service(JspServletWrapper.java:336)
org.apache.jasper.servlet.JspServlet.serviceJspFile(JspServlet.java:302)
org.apache.jasper.servlet.JspServlet.service(JspServlet.java:251)
javax.servlet.http.HttpServlet.service(HttpServlet.java:860)
root cause
java.sql.SQLException: flp.fl_appl_stts not found. Specify owner.objectname or use sp_help to check whether the object exists (sp
gov.nsf.fastlane.util.ApplicationStatus.<init>(ApplicationStatus.java:95)
org.apache.jsp.fastlane_jsp._jspService(fastlane_jsp.java:79)
org.apache.jasper.runtime.HttpJspBase.service(HttpJspBase.java:105)
javax.servlet.http.HttpServlet.service(HttpServlet.java:860)
org.apache.jasper.servlet.JspServletWrapper.service(JspServletWrapper.java:336)
org.apache.jasper.servlet.JspServlet.serviceJspFile(JspServlet.java:302)
Trying to book a flight from Lufthansa
Bank of America website
Youtube website
An open source invoicing application
An open source document management system
An open source todo list management application
Web applications are not dependable!
• Many web applications have navigation errors where they
mishandle unexpected user requests
• Web applications have data model errors
• Web applications are notorious for security vulnerabilities
• As web applications are becoming increasingly dominant
and as their use in safety critical areas is increasing, their
dependability is becoming a critical issue
Web applications are not secure
• There are many well-known security vulnerabilities that
exist in many web applications. Here are some examples:
– Malicious file execution: where a malicious user causes
the server to execute malicious code
– SQL injection: where a malicious user executes SQL
commands on the back-end database by providing
specially formatted input
– Cross site scripting (XSS): causes the attacker to
execute a malicious script at a user’s browser
• These vulnerabilities are typically due to errors in user input
validation or lack of user input validation
Web application vulnerabilities are common
Web application vulnerabilities as a percentage
of all vulnerabilities (reported by CVE)
50%
File Inclusion
XSS
SQL Injection
45%
40%
35%
30%
25%
20%
15%
10%
5%
0%
2001 2002 2003 2004 2005 2006 2007 2008 2009
OWASP Top 10 in 2007:
1. Cross Site Scripting
2. Injection Flaws
OWASP Top 10 in 2010:
1. Injection Flaws
2. Cross Site Scripting
Web applications are error prone
• Most web applications have navigation errors where an
unexpected user request can cause a web application to
– display cryptic error messages
– display sensitive information that might be exploited by
malicious users
– execute an unintended action
Navigation errors: Bamboo Invoice
Navigation errors: Bamboo Invoice
Navigation errors: Digitalus
Navigation errors: Digitalus
Navigation errors: Digitalus
Navigation errors: Orbitz
Customer enters the date and destination information to look
for flights and receives a list of flight choices
Customer uses the “open link in new window” option to open
a new window and study the details of an evening flight
Switching back to the original window, the customer inspects
a morning flight.
After comparing the flight details, the customer decides to take
the evening flight and switches to the window with the
evening flight and presses the purchase button.
However, the reservation system instead selects the morning
flight! If not careful, the customer will purchase the wrong
flight.
Data model errors
•
•
•
•
Tracks: A todo list application
Todos can be organized by Contexts
Users can also create Recurring Todos
Delete the Context. Then edit the Recurring Todo.
Data model errors
•
•
•
•
LovdByLess: A social networking application
Users can write blog entries
Users can comment on a friend’s blog entry
Friend deletes blog entry
Why are web applications error prone?
• Here are three main reasons that I think make web
application development error prone:
– Interactivity
– Changeability
– Diversity
– Script-oriented programming
– Extensive string manipulation
Interactivity
• Web applications are interactive applications
– Many errors are due to improper handling of interactions
• User interaction is not under the control of the developer
– The back button of the browser
– The user can open a new window
– The user can cut and paste the url
• There are interactions between different software
components
– browser, server, back-end database
• One web application can be integration of many
applications
– Mash-ups, web services
Changeability
• Web applications are updated frequently since the code
resides on the server side
• This is convenient for uploading a new version when there
is a change
• However, this is also a challenge, since frequent updates
mean that each new version has to be checked against
potential errors
Diversity
• Web applications are developed using a diverse set of
languages and technologies.
– On the server side: Java, Perl, PHP, Python, Ruby, …
– On the client side: HTML, XML, JAvaScript, …
– On the back-end database: SQL, Xquery, …
• There are many web application development frameworks
(based on model-view-controller architecture)
– Ruby: Ruby on Rails
– PHP: CakePHP, Zend
– Python: Django, Pylons
– Java: Spring, Struts
Script-oriented Programming
• A web application consists of a collection of scripts with no
explicit control flow
• It is hard to figure our the control flow, it is hard to figure out
the information passed among different scripts
– Due to stateless nature of the http protocol the
application state is stored and passed in weird ways
Extensive string manipulation
• Web applications use extensive string manipulation
– To construct html pages, to construct database queries
in SQL, etc.
• The user input comes in string form and must be validated
and sanitized before it can be used
– This requires the use of complex string manipulation
functions such as string-replace
• String manipulation is error prone
So what is this course about?
Web Software
ruby, php, MVC
frameworks, …
Formal Models
state machine
models, logics,
process algebras, …
Analysis Tools
model checkers,
theorem provers, …
Course topics
We will discuss papers on formal modeling of
• Navigation constraints
• interactions
• Data model
• Access control
• Input validation
We will use some formal models
• Hierarchical state machines (statecharts)
• Relational modeling (Alloy)
• Process algebras
We will use some analysis tools
• Alloy analyzer
• Spin model checker
Course work
• I will give several homeworks
• There will be a class project
– Extract a formal model from an existing web application
and analyze it using an analysis tool
– Some possibilities:
• Extract a navigation model and analyze it using the
Spin model checker
• Extract a data model and analyze it using the Alloy
analyzer
• Extract a behavior model in the form of a process
algebra and use the CADP Toolbox to analyze