
1 Dr. Xiang Fu Assistant Professor Department of Computer Science Hofstra University

2
- Introduction
- Path Transducer Model
- Relational Constraint
- Call Sequence Synthesis
- Detecting Workflow Attack
- Related Work and Conclusion

3 (Diagram: Web Server and Databases)

4
- Traditionally, SQLUnit & DBUnit
  - Manual Test Case Design
- Reverse Inference of DB State
  - Given Query & Expected Result
  - Generate Initial DB Instance
- Our Problem: Synthesis Problem
  - Given Database State
  - Synthesize Call Sequence of Servlets

5
- White-box Analysis
- (1) Interface Extraction: Path Transducers
- (2) Coverage Goal Extraction
- (3) Call Sequence Generation
- Adaptation: Discover Workflow Attacks

6
- Servlet
- Path Transducers
- Relational Transducer that Models One Execution Path
  - Path Condition
  - Side Effects to DB

7
- Relational Data Schema
- Input Domain
- Finite Set of Session Variables
- Boolean Combination of Terms
  - Equality, e.g. v' = v + 1
  - Satisfiability Check

8
- Selection
- Projection
- Cross Product
- Union
- Difference

9 SimpleScarf: ShowSessions.php, InsertSession.php, AddMember.php, GenOptions.php, Login.php

10 Schema
- Users(uname vchar, pwd vchar)
- Sessions(sid int, sname vchar)
- Members(sid int, uname vchar)

11

12
- Check Valid Session Var #uname
- Select Session Info
- No Side Effects

13
- User Specifies New Session Name $S_I
- Update Relation Sessions

14
- Takes Two Parameters
  - $u_A: User Name
  - $s_A: Session Name
- Add Membership Info

15
- Add User: One of Many Functions Available
- Takes Two Parameters
  - $u_G: User Name
  - $p_G: Password
- Encrypt Password
- Password Rules Encoded Using String Constraint

16
- Given Two Parameters
  - $u_L: user name
  - $p_L: password
- When Successful, Update Session Variable
  - #u: Session Variable for the user name

17
- Key to Synthesis
- Khurshid's Approach [ASE'08]
- Translate to Alloy

18 (Diagram: Transition System, Post Image)

19
- Join of Sessions and Members
- Select Session Name 's1'
- Project to uname
- Find users in paper session 's1' but not in 's2'
- Goal: Find a DB Instance that Satisfies the query
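The slide's query, worked through as an added example that is not code from the talk. Relations are modelled as sets of tuples over the Users/Sessions/Members schema of slide 10, the five operators of slide 8 are implemented directly, and join is derived from cross product, selection and projection; the database instance is constructed for illustration.

```python
"""Relational algebra over the SimpleScarf schema.

Added example, not code from the talk: a relation is a name, a tuple of
attribute names and a frozenset of value tuples; the five operators of
the slides (selection, projection, cross product, union, difference) are
methods, and join is derived from cross product + selection + projection.
The database instance below is constructed for illustration.
"""


class Relation:
    def __init__(self, name, attrs, rows=()):
        self.name = name
        self.attrs = tuple(attrs)
        self.rows = frozenset(tuple(r) for r in rows)

    def select(self, pred):
        """Selection: keep rows for which pred(row-as-dict) is true."""
        return Relation(self.name, self.attrs,
                        (r for r in self.rows if pred(dict(zip(self.attrs, r)))))

    def project(self, *keep):
        """Projection onto the attributes in `keep` (duplicate rows collapse)."""
        idx = [self.attrs.index(a) for a in keep]
        return Relation(self.name, keep, (tuple(r[i] for i in idx) for r in self.rows))

    def cross(self, other):
        """Cross product; attributes are qualified as Relation.attr to avoid clashes."""
        attrs = ([f"{self.name}.{a}" for a in self.attrs]
                 + [f"{other.name}.{a}" for a in other.attrs])
        return Relation(f"{self.name}x{other.name}", attrs,
                        (a + b for a in self.rows for b in other.rows))

    def union(self, other):
        assert self.attrs == other.attrs, "union needs identical schemas"
        return Relation(self.name, self.attrs, self.rows | other.rows)

    def difference(self, other):
        assert self.attrs == other.attrs, "difference needs identical schemas"
        return Relation(self.name, self.attrs, self.rows - other.rows)


def sample_db():
    """Constructed instance of the slide's schema (not data from the talk)."""
    return {
        "Users": Relation("Users", ("uname", "pwd"),
                          [("alice", "pw-a"), ("bob", "pw-b"), ("carol", "pw-c")]),
        "Sessions": Relation("Sessions", ("sid", "sname"), [(1, "s1"), (2, "s2")]),
        "Members": Relation("Members", ("sid", "uname"),
                            [(1, "alice"), (1, "bob"), (2, "bob")]),
    }


def users_in_session(db, sname):
    """Join Sessions and Members on sid, select the session name, project uname."""
    joined = db["Sessions"].cross(db["Members"]).select(
        lambda r: r["Sessions.sid"] == r["Members.sid"]
        and r["Sessions.sname"] == sname)
    return joined.project("Members.uname")


def in_s1_not_s2(db):
    """Users who are in paper session 's1' but not in 's2' (the slide's query)."""
    return users_in_session(db, "s1").difference(users_in_session(db, "s2"))


def satisfies_query(db):
    """The goal stated on the slide: does this instance make the query non-empty?"""
    return bool(in_s1_not_s2(db).rows)
```

On the constructed instance the query yields only alice: bob is in both sessions and carol in neither. Emptying Members makes `satisfies_query` false, which is the situation a constraint solver such as Alloy is asked to avoid when it searches for a satisfying instance.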

20

21

22 Vars | Clauses | Trans_Time | Solve_Time
48337876829ms78ms (values run together in the transcript)

23 Coverage Goal (Line #45) → Path Transducers → Call Sequence Synthesis Algorithm → List of HTTP Requests

24
- Knowledge In Advance:
  - (1) Each Path Transducer: Transition System (Relational Logic)
  - (2) Relations being Modified (add, drop, modify)
  - (3) Session Vars being Modified
- Algorithm: Backtrack. From a node (H, ϒ), where H is the HTTP Request and ϒ the Current Constraint, step back to (H', ϒ') with ϒ' = Pre(H', ϒ)
- Heuristic to pick the next servlet: watch the difference between the relations in the current constraints and the target constraints; "Insertion" has priority

25 Coverage Goal. Target Constraint: True. Initial Constraint: (formula on slide). Path Transducer: (formula on slide).

26
- Transition → Post-Image: Standard Existential Quantification
- Initial Constraint: compare; M and #u are modified! → Next servlet: AddMember or Login

27 1.07 seconds for generating the model by ALLOY

28 Workflow: EnterAddr → ChargeCC → GenReceipt → PrintShipping
How to Detect a Workflow Attack?
(1) Static Analysis for ALL URLs that could be generated by a servlet
(2) Modify the Backtrack algorithm to locate an "abnormal" link not in the ALL_URLs set
Database manipulation TAKEN CARE OF.
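The backtracking synthesis of slides 24 to 26 and the ALL_URLs check of slide 28, combined in one added example that is not code from the talk. The relational-logic transition systems are abstracted as sets of facts, so Pre(H', ϒ) becomes set arithmetic on path conditions and side effects; the checkout servlets, their facts, the "insertion first" ordering and the ALL_URLs set are constructed assumptions, and the weak check in PrintShipping is a hypothetical model used only to show what the detector reports.

```python
"""Backtracking call-sequence synthesis with the ALL_URLs workflow check.

Added example, not code from the talk. The relational-logic transition
systems of the slides are abstracted as sets of facts: a servlet instance H
has `requires` (its path condition) and `adds` (its side effects), and the
pre-image of a constraint Y under H is approximated as
    Pre(H, Y) = (Y - adds(H)) | requires(H)
The checkout workflow of the slides (EnterAddr -> ChargeCC -> GenReceipt ->
PrintShipping) is modelled with constructed, hypothetical facts and links.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Servlet:
    name: str              # the HTTP request (servlet plus fixed parameters)
    requires: frozenset    # path condition: facts that must hold on entry
    adds: frozenset        # side effects: facts that hold after the path runs
    inserts: bool = False  # heuristic of slide 24: DB insertions are tried first


def pre_image(h, constraint):
    """Y' = Pre(H', Y): what must hold before H' so that Y holds afterwards."""
    return (constraint - h.adds) | h.requires


def synthesize(servlets, initial_facts, target, depth=6):
    """Backtrack from the coverage goal's constraint toward the initial state.

    Returns the HTTP requests in execution order, or None within `depth` steps.
    """
    def search(constraint, suffix, budget):
        unmet = constraint - initial_facts
        if not unmet:                      # discharged by the given DB state
            return suffix
        if budget == 0:
            return None
        fact = sorted(unmet)[0]            # one fact the current state lacks
        # candidates are the servlets whose side effects establish that fact;
        # insertions have priority, then a stable name order
        cands = sorted((h for h in servlets if fact in h.adds),
                       key=lambda h: (not h.inserts, h.name))
        for h in cands:
            found = search(pre_image(h, constraint), [h.name] + suffix, budget - 1)
            if found is not None:
                return found
        return None

    return search(frozenset(target), [], depth)


# Constructed facts for the checkout workflow (hypothetical, not from the talk)
ADDR = ("Order", "address_entered")
PAID = ("Order", "paid")
RECEIPT = ("Order", "receipt")
SHIPPED = ("Order", "shipping_label")

CHECKOUT = [
    Servlet("EnterAddr.php", frozenset(), frozenset({ADDR}), inserts=True),
    Servlet("ChargeCC.php", frozenset({ADDR}), frozenset({PAID})),
    Servlet("GenReceipt.php", frozenset({PAID}), frozenset({RECEIPT})),
    # Hypothetical model of a weak check: the shipping page only requires
    # that an address exists, not that the order has been paid.
    Servlet("PrintShipping.php", frozenset({ADDR}), frozenset({SHIPPED}), inserts=True),
]

# (1) Static-analysis result: every link a servlet page can generate (constructed)
ALL_URLS = {
    ("EnterAddr.php", "ChargeCC.php"),
    ("ChargeCC.php", "GenReceipt.php"),
    ("GenReceipt.php", "PrintShipping.php"),
}


def abnormal_links(sequence):
    """(2) Consecutive requests that no page links: evidence of a workflow attack."""
    return [(a, b) for a, b in zip(sequence, sequence[1:]) if (a, b) not in ALL_URLS]


def check_goal(goal_servlet, servlets=CHECKOUT, initial_facts=frozenset()):
    """Synthesize a sequence covering `goal_servlet`'s path and audit its links."""
    goal = next(h for h in servlets if h.name == goal_servlet)
    prefix = synthesize(servlets, initial_facts, goal.requires)
    if prefix is None:
        return None
    sequence = prefix + [goal_servlet]
    return sequence, abnormal_links(sequence)


if __name__ == "__main__":
    print(check_goal("GenReceipt.php"))     # normal path, no abnormal link
    print(check_goal("PrintShipping.php"))  # EnterAddr -> PrintShipping is abnormal
```

Covering GenReceipt yields the intended three-step path with no abnormal link. Covering PrintShipping yields a two-step path whose link EnterAddr → PrintShipping appears in no page, which is exactly the signal the modified backtrack algorithm is meant to surface: the database side is handled by the synthesis, and the link audit adds the workflow check on top.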

29
- Proposal of Several Interesting Directions
  - Extraction of Path Transducer Model
  - Solving Relational Constraints
  - Call Sequence Synthesis Algorithm
  - Extension for Detecting Workflow Attacks
- Future Directions
  - Implementation …

30
- Interface Extraction: [Halfond'FSE07], [Halfond'FSE08]
- Relational Transducer: [Abiteboul'JCSS00]
- Query-Aware Relational Constraint Solving: [Binnig'ICDE07], [Khalek'ICSE08]
- Session-Based Testing of Web Apps: [Elbaum'TSE05], [Sampath'ASE05], [Sprenkle'FSE05]

