CS 290C - Formal Models for Web Software - Spring 2010
Instructor: Tevfik Bultan
Office: Eng. I 2123
Office Hours: Tuesday/Thursday 11:00-12:00
Class Times: Tuesday/Thursday 1:00-3:00
Location: 932 101
Course Topics
Web applications play a significant role in many aspects of everyday life
including commerce, entertainment and social interaction. Moreover,
web applications are replacing desktop applications at a fast pace and
are likely to play a critical role in improving the efficiency of national
infrastructures such as healthcare, national security, and the power grid.
There is a large stumbling block to this ever-increasing reliance on
web applications: web applications are not dependable. For example, web
applications are known to consistently mishandle unexpected user actions
caused by unanticipated use of a browser's back-button or multiple browser
windows. Web applications are also notorious for security vulnerabilities
that can be exploited by malicious users.
This course will cover recent advances in formal modeling of web applications
in order to improve their dependability. The areas that we will focus on
include modeling and analysis of:
- user interaction, navigation constraints
- input validation operations
- interactions among software services
- data models
- access control policies
Announcements
- There will not be any lectures on Thursday May 27th and Tuesday June
1st (I will be out of town at a program committee meeting).
- The project presentations will be on: Monday, June 7th at 12:00pm.
Each team will give a 15-20 minute presentation about their project.
- Third homework is due June 3rd (the pdf file is below).
- The final project reports will be due June 10th.
Course Work
There will be several homeworks and the students will be required to do a
course project. The papers related to the topics discussed in the class
will be given as reading assignments.
Assignments
- Homework 1 (due April 20th)
- Project progress report (due April 29th):
Each project team has to submit a 3-5 page project progress report. In
your progress report please discuss:
1) The web application that you plan to analyze for the project.
2) How do you plan to model the navigation constraints of this
application using Promela/Spin? What type of navigation properties do
you plan to check (give examples)?
3) How do you plan to model the data constraints of this
application using Alloy? What type of data model properties do
you plan to check (give examples)?
4) What are the challenges you expect in navigation and data model analyses?
How do you plan to solve them?
- Homework 2 (due May 6th)
- Homework 3 (due June 3rd)
- The project presentations on Monday, June 7th at 12:00pm:
Each team will give a 15-20 minute presentation about their project.
- Final project reports are due on June 10th
Course Project
There will be a course project (two students per project). The goal of the
projects is to extract a formal model from an existing web application and
analyze it using formal analysis tools. There are two types of modeling
and analysis that can be done in each project:
- Navigation Analysis: Extract a navigation model and analyze it using the
Spin, SMV or NuSMV model checkers.
- Data Model Analysis: Extract a data model and analyze it using the
Alloy analyzer.
Project teams
Lectures and Reading Assignments
Reading List (subject to change)
- Navigation Constraints
  - S. Krishnamurthi, R. B. Findler, P. Graunke, and M. Felleisen. Modeling Web Interactions and Errors. pages 255–275. Springer, 2006.
  - D. R. Licata and S. Krishnamurthi. Verifying interactive web programs. In 19th IEEE International Conference on Automated Software Engineering (ASE 2004), 20-25 September 2004, Linz, Austria. pages 164–173.
  - P. D. Stotts, R. Furuta, and C. R. Cabarrus. Hyperdocuments as automata: Verification of trace-based browsing properties by model checking. ACM Trans. Inf. Syst., 16(1):1–30, 1998.
  - S. Yuen, K. Kato, D. Kato, and K. Agusa. Web automata: A behavioral model of web applications based on the MVC model. Information and Media Technologies, 1(1):66–79, 2006.
  - S. Halle and R. Villemaire. Browser-based enforcement of interface contracts in web applications with BeepBeep. In A. Bouajjani and O. Maler, editors, CAV, volume 5643 of Lecture Notes in Computer Science, pages 648–653. Springer, 2009.
- Service Interactions
  - Xiang Fu, Tevfik Bultan, Jianwen Su. Analysis of interacting BPEL web services. WWW 2004: 621-630.
  - A. Betin-Can and T. Bultan. Verifiable web services with hierarchical interfaces. In Proceedings of the IEEE International Conference on Web Services (ICWS 2005), pages 85–94, 2005.
  - K. Honda, V. T. Vasconcelos, and M. Kubo. Language primitives and type discipline for structured communication-based programming. In 7th European Symp. on Programming on Programming Languages and Systems (ESOP'98), pages 122-138, 1998.
  - K. Honda, N. Yoshida, and M. Carbone. Multiparty asynchronous session types. In G. C. Necula and P. Wadler, editors, POPL, pages 273-284. ACM, 2008.
  - M. Carbone, K. Honda, N. Yoshida, R. Milner, G. Brown, and S. Ross-Talbot. A theoretical basis of communication-centred concurrent programming.
  - R. Kazhamiakin and M. Pistore. Analysis of realizability conditions for web service choreographies. In FORTE, pages 61-76, 2006.
  - J. M. Zaha, M. Dumas, A. ter Hofstede, A. Barros, and G. Decker. Service interaction modeling: Bridging global and local views. In EDOC, pages 45-55. IEEE Computer Society, 2006.
  - N. Lohmann, O. Kopp, F. Leymann, and W. Reisig. Analyzing BPEL4Chor: Verification and participant synthesis. In M. Dumas and R. Heckel, editors, WS-FM, volume 4937 of Lecture Notes in Computer Science, pages 46-60. Springer, 2007.
- Data Model
  - Alin Deutsch, Liying Sui, Victor Vianu, Dayou Zhou. A system for specification and verification of interactive, data-driven web applications. SIGMOD Conference 2006, pages 772-774.
  - Alin Deutsch, Victor Vianu: WAVE: Automatic Verification of Data-Driven Web Services. IEEE Data Eng. Bull. 31(3): 35-39 (2008)
  - Lin Wang, Gillian Dobbie, Jing Sun, Lindsay Groves. Validating ORA-SS Data Models using Alloy. ASWEC 2006, pages 231-242.
- Access Control
  - Kathi Fisler, Shriram Krishnamurthi, Leo A. Meyerovich, Michael Carl Tschantz: Verification and change-impact analysis of access-control policies. ICSE 2005: 196-205
  - Graham Hughes and Tevfik Bultan. "Automated Verification of Access Control Policies Using a SAT Solver" International Journal on Software Tools for Technology Transfer (STTT), vol. 10, no. 6, pp. 473 – 534, December 2008.
- Web Application Modeling
  - Stefano Ceri, Marco Brambilla, Piero Fraternali: The History of WebML Lessons Learned from 10 Years of Model-Driven Development of Web Applications. Conceptual Modeling: Foundations and Applications 2009: 273-292
  - Stefano Ceri, Piero Fraternali, Aldo Bongio: Web Modeling Language (WebML): a modeling language for designing Web sites. Computer Networks 33(1-6): 137-157 (2000)
  - S Ceri, P Fraternali, M Matera. Conceptual modeling of data-intensive Web applications. IEEE Internet Computing (2002), volume: 6 issue: 4 page: 20.
  - Avraham Leff, James T. Rayfield, "Web-Application Development Using the Model/View/Controller Design Pattern," Enterprise Distributed Object Computing Conference, IEEE International, pp. 0118, Fifth IEEE International Enterprise Distributed Object Computing Conference, 2001.