synapseindia monjurul-bugs in dynamic web applications -part
TRANSCRIPT
-
8/10/2019 Synapseindia Monjurul-Bugs in Dynamic Web Applications -Part
1/19
Example: Execution 2 (The Opposite
Path)
NotSet(page)page2 1337 login = 1
Constraint solver may get page2 0; login
1
true
true
HTML validation tool discovers failure and
generates bug reportadded to output set
of bug reports
-
8/10/2019 Synapseindia Monjurul-Bugs in Dynamic Web Applications -Part
2/19
Minimization on Path Constraints
Find shorter path constraint for a given bug
report
Eliminates irrelevant constraintsbetter assist
programmer to detect location of the fault
Solution for a shorter path constraint is often
a smaller input
Does not guarantee returned path constraint
is shortest that exposes failure
-
8/10/2019 Synapseindia Monjurul-Bugs in Dynamic Web Applications -Part
3/19
Minimization Example
HTML malformation from previous example could
have been reached from different execution
paths
NotSet(page) page2 1337 login = 1
Set(page) page = 0 page2 1337 login = 1
page2 1337 login = 1
page2 1337 login = 1 (login1)
-
8/10/2019 Synapseindia Monjurul-Bugs in Dynamic Web Applications -Part
4/19
parameters: Program P, oracle O, bug report b
result : Short path constraint that exposes b.failure
1. c1 . . . cn intersect(b.pathConstraints);
2. pc true;
3. foreach i = 1, . . . , n do
4. pci c1 . . . ci1 ci+1 . . . cn;
5. input solve(pci);
6. if input not equals then
7. output executeConcrete(P, input);
8. failures getFailures(O, output);
9. if b.failure not belongs to failures then
10. pc pc ci;
11. input pcsolve(pc);
12. if inputpcnot equals to then
13. outputpcexecuteConcrete(P, inputpc);
14. failurespcgetFailures(O, outputpc);
if b.failure failurespcthen
returnpc;
1. return shortest(b.pathConstraints);
Path Constraint Minimization
Algorithm
-
8/10/2019 Synapseindia Monjurul-Bugs in Dynamic Web Applications -Part
5/19
Apollo
User Input Simulator
Executor
Bug Finder
Oracle Bug Report Repository
Input minimizer
Input Generator Symbolic Finder
Constraint Solver
Value Generator
-
8/10/2019 Synapseindia Monjurul-Bugs in Dynamic Web Applications -Part
6/19
Apollo
-
8/10/2019 Synapseindia Monjurul-Bugs in Dynamic Web Applications -Part
7/19
Executor: Shadow
Interpreter Shadow Interpreter
Modified Zend PHP interpreter 5.2.2 to recordpath constraints and information associated with
output Performs symbolic execution along with concrete
execution
Records conditions for PHP-specific comparison
operations such as isset and empty
-
8/10/2019 Synapseindia Monjurul-Bugs in Dynamic Web Applications -Part
8/19
Executor: Database Manager
Database Manager
(Re) initializes DB used by a PHP application.
Restores DB before each execution
Supply additional information about
username/password pairs
-
8/10/2019 Synapseindia Monjurul-Bugs in Dynamic Web Applications -Part
9/19
BugFinder
Bug Report = Failure + Path constraint + Input
inducing failure
Failure= Type of Failure + Corresponding
Message + PHP statement generating bad
HTML
OracleHTML validation tool (WDG and WC3)
Input Minimizeruses the path constraints
minimization algorithm
-
8/10/2019 Synapseindia Monjurul-Bugs in Dynamic Web Applications -Part
10/19
Input Generator
Symbolic Drivergenerates new pathconstraints and select next path constraint
Constraint Solvercomputes an assignment
of values to input parameters that satisfies agiven path constraint.
Choco constraint solver
Value Generatorgenerates value forparameters
Combines random value generation and constantvalues mined from source code
-
8/10/2019 Synapseindia Monjurul-Bugs in Dynamic Web Applications -Part
11/19
Experimentation
Program #files LOC PHP LOC # DLs
faqforge 19 1712 734 14164
webchess 24 4718 2226 32352
schoolmate 63 8181 4263 4466
phpsysinfo 73 16634 7745 492217
total 179 31245 14968 543199
faqforge = Tool for creating and managing documents
webchess = Online chess game
schoolmate = PHP/MySQL solution for administering schools
phpsysinfo = Displays system info
-
8/10/2019 Synapseindia Monjurul-Bugs in Dynamic Web Applications -Part
12/19
Generation Strategies
Compared to two other approaches
Halfond and Orso (Randomized)
Random values to the parameters
Proposed for JavaScript
Minamides static analysis
Approximates the string output of program with a
context-free grammar
Discovers malformed HTML faults
Apollos test input generation previously
discussed
-
8/10/2019 Synapseindia Monjurul-Bugs in Dynamic Web Applications -Part
13/19
Methodology
10-minute runs on each program
Generation of hundreds of inputs
Ran on both Apollo and Random test input
generation strategies
WDG offline HTML validation tool
-
8/10/2019 Synapseindia Monjurul-Bugs in Dynamic Web Applications -Part
14/19
Results Classification
Execution crash: PHP interpreter terminateswith exception
Execution error: PHP interpreter emits
warning visible in generated HTML Execution warning: PHP interpreter emits
warning invisibleto HTML output
HTML error: program generates HTML for
which validation tool produces error report HTML warning: program generates HTML for
which validation produces a warningreport
-
8/10/2019 Synapseindia Monjurul-Bugs in Dynamic Web Applications -Part
15/19
Randomized
Results Analysis
Apollo
Average line coverage58.0%Faults Found on Subject Apps214 Average line coverage15.0%Faults Found on Subject Apps59
Tries to load two missing files
Database related
Unset Time-zone
Resulted in Malformed HTML
Line Coverage = Number of executed lines / Total lines with executable PHP code in application
-
8/10/2019 Synapseindia Monjurul-Bugs in Dynamic Web Applications -Part
16/19
Results Analysis
Apollo Vs Randomized
58% line coverage Vs 15.2% line coverage
214 faults Vs 59 faults
Apollo Vs Minamides tool 2.7more HTML validation faults (120 Vs 45)
83additional execution faults
104 faults (10 minutes) Vs 14 faults (126 minutes)
Apollo is more effective and efficient thanboth
-
8/10/2019 Synapseindia Monjurul-Bugs in Dynamic Web Applications -Part
17/19
Results Analysis: Path Constraint
Minimization
Program Success rate %
Path Constraints Inputs
Orig. Size Reduction Orig. Size Reduction
faqforge 64 22.3 0.22 9.3 0.31
webchess 91 23.4 0.19 10.9 0.40
schoolmate 51 22.9 0.38 11.5 0.58
phpsysinfo 82 24.3 0.18 17.5 0.26Reduces size of inputs by up to factor of 0.18 for
more than 50% of faults
Success ratePercentage of faults whose exposing input was minimized
Orig. sizeAverage size of original path constraints (# of conjuncts) and inputs (# of key-value
pairs)
Reduction columnsRatio of minimized to un-minimized size. The lower the ratio, the more
successful the minimization
-
8/10/2019 Synapseindia Monjurul-Bugs in Dynamic Web Applications -Part
18/19
Limitations
Simulating user inputs statically
JavaScript code in the generated HTML not
tracked
Limited line coverage for native C methods Limited sources of input parameters
Only inputs from global arrays (_POST, _GET
and _REQUEST)
-
8/10/2019 Synapseindia Monjurul-Bugs in Dynamic Web Applications -Part
19/19