CS 290C - Formal Models for Web Software - Spring 2013
Office Hours: Tuesday/Thursday 10:00-11:00,
Tuesday/Thursday 11:00-12:50, PHELP 1401
The web has evolved into an ubiquitous medium for computing and communication
services that both businesses and individuals rely on extensively.
There is reason to be concerned about this ever-increasing reliance on
web applications. Web application development is an error-prone process
that produces a complicated distributed software system with complex
interactions among many components.
In this course we will investigate recent advances in formal
specification, modeling and analysis of web software. The common goal of
these techniques is improving the dependability of web software.
The areas that we will focus on include:
- navigation modeling with extended state machines and hierarchical state machines
- automata based analysis of input validation and sanitization operations
- process-algebra and automata based formal models for interactions among software services, orchestration, choreography
- formal data models
- specification and analysis of access control policies
There will be several homeworks and the
students will be required to do a course project.
The papers related to the
topics discussed in the class will be given as reading assignments.
There will be a course project. The goal of the
projects is to extract formal models from existing web applications and
analyze it using formal analysis tools. Here are three possible types of
and analysis that can be done in this project
(you are welcome to come up with other types of projects as long as they
involve formal modeling and analysis of web software using an automated tool):
- Navigation Analysis:
models from web applications and analyze them using the
NuSMV model checkers.
- Data Model Analysis:
Extract data models from web applications
and analyze them using the
- Behavior Analysis:
Extract behavior models from web applications and analyze them
CADP Toolbox or
- Access Control Analysis:
Extract access control models from web applications and
analyze them using
- Input Validation Analysis:
Extract input validation policies from web applications and
analyze them using string analysis tools such as
- There will be an extra lecture on Monday June 10th, at 2:00pm at PHELPS 1401.
- No lecture on June 4th.
- Homework 4
Due: Thursday, June 6th.
Due: Thursday, May 30th.
- Each project team will give a 15 minutes presentation about their project
during the final week. The project presentations will be on
June 12th, Wednesday, 12:00-3:00 in Phelps 1401.
- Final project reports are due on Friday, June 14th.
Due: Tuesday May 21st (Extended).
You can download the Alloy Analyzer from
- Project Progress Report Due: Friday, May 10th. Prepare a
3-5 page progress report about your project. In the progress report you
should explain the topic of your study, and discuss your findings so far.
You should discuss any roadblocks you face in finishing the project
and how you plan to handle them.
- We will not have lectures on April 23rd and April 25th.
Due: Thursday, April 18th.
You can submit your homeworks by either turning in a printed copy or
sending an electronic copy via email (use the subject line: 290C Homework).
- Project Description Due: Friday, April 12th. A couple of paragraphs describing the
project you plan to do. What web applications are you panning to analyze? What aspect of the
web application are you planning to analyze? How are you going to extract the analysis model?
Which verification tool are you going to use to analyze it?
Lectures and Reading Assignments
Lecture 1: Introduction
Lecture 2: Navigation Modeling with Statecharts
- Lecture 3:
Verification of Navigation Models with the Spin Model Checker
- Lecture 4:
Implementing and Verifying Statecharts Specifications Using the Spin Model Checker
- Lecture 5:
Automated Extraction and Verification of Navigation Behavior
- Lecture 6:
Language and Model-Based Solutions to Navigation Errors
- Lectures 7 and 8:
Alloy, Alloy Analyzer, Data Modeling and Analysis with Alloy
"Alloy: a lightweight object modelling notation"
Daniel Jackson, ACM Transactions on Software Engineering and Methodology (TOSEM),
Volume 11 Issue 2, April 2002
Pages 256 - 290.
(The Alloy language syntax used in this paper has been deprecated, use the tutorial below
to learn the current Alloy syntax).
Alloy 4 Tutorial
- Lecture 9:
Analyzing Data Models Using Alloy Analyzer and SMT-Solvers
- Lecture 10
Web application modeling, analysis and synthesis with Alloy
- Lecture 11: Model Driven Development for
Web Applications Using WebML
- Lecture 12: Modeling and Analyzing
Access Control Policies
XML Security: Control information access with XACML:
The objectives, architecture, and basic concepts of eXtensible Access Control Markup Language,
"Verification and Change-Impact Analysis of Access-Control Policies."
Kathi Fisler, Shriram Krishnamurthi, Leo A. Meyerovich, Michael Carl Tschantz,
Proceedings of the 27th International Conference on Software Engineering
(ICSE 2005), pp. 196-205.
"Automated Veriﬁcation of Access Control Policies Using a SAT
Solver," Graham Hughes and Tevfik Bultan,
International Journal on Software Tools for Technology Transfer (STTT),
vol. 10, no. 6, pp. 473 – 534, December 2008.
- Lecture 13: An Overview of Web Services
"Web Services Orchestration and Choreography,"
Chris Peltz, IEEE Computer, vol. 36, no. 10, pp. 46 – 52, October 2003.
- To learn more about XML, XML Schema, XPath, WSDL, SOAP etc. you can
look at the tutorials here.
- Lecture 14: Formal Modeling and Analysis of
Orchestration and Choreography Specifications
- Lecture 15: Visual Models for Choreography:
Message Sequence Charts and Collaboration Diagrams
- Lecture 16: Process Algebras for Choreography
- Lecture 17:
Analyzing Input Validation and Sanitization in Web Applications
Tentative Reading List (subject to change)
- Navigation Modeling and Analysis
"Statecharts: A Visual Formulation for Complex Systems." David Harel. Sci. Comp
ut. Program. 8(3): 231-274 (1987)
"Modeling Web Navigation by Statechart."
Karl R.P.H. Leung,
Lucas C.K. Hui,
S.M. Yiu, and
Ricky W.M. Tang.
The Twenty-Fourth Annual International Computer Software and Applications Conference (COMPSAC 2000).
"Automatic Extraction and Verification of Page Transitions in a Web Application."
14th Asia-Pacific Software Engineering Conference (APSEC'07), 2007.
"Modeling and verification of adaptive navigation in web applications"
Minmin Han and
Proceedings of the 6th International Conference on Web Engineering (ICWE 2006).
"Eliminating Navigation Errors in Web Applications via
Model Checking and Runtime Enforcement of Navigation
Sylvain Halle, Taylor Ettema, Chris Bunch and Tevfik Bultan
"Modeling Web Interactions and Errors,"
Robert Bruce Findler,
Paul Graunke, and
D. R. Licata and S. Krishnamurthi. Verifying interactive
web programs. In
19th IEEE International Conference on Automated
Software Engineering (ASE 2004), 20-25 September 2004,
Linz, Austria. pages 164–173.
S. Halle and R. Villemaire. Browser-based enforcement of
interface contracts in web applications with BeepBeep. In
A. Bouajjani and O. Maler, editors, CAV, volume 5643 of
Lecture Notes in Computer Science, pages 648–653.
Multi-Module Vulnerability Analysis of Web-based Applications
D. Balzarotti, M. Cova, V. Felmetsger, G. Vigna
Proceedings of the ACM Conference on Computer and Communications Security (CCS) Alexandria, VA October 2007
P. D. Stotts, R. Furuta, and C. R. Cabarrus.
Hyperdocuments as automata: Verification of trace-based
browsing properties by model checking. ACM Trans. Inf.
Syst., 16(1):1–30, 1998
S. Yuen, K. Kato, D. Kato, , and K. Agusa. Web automata:
A behavioral model of web applications based on the MVC
model. Information and Media Technologies, 1(1):66–79,
- Service Interactions
"WSAT: A Tool for Formal Analysis of Web Services,"
Xiang Fu, Tevfik Bultan, and Jianwen Su.
"Analyzing Conversations of Web Services,"
Tevfik Bultan, Xiang Fu, Jianwen Su.
Xiang Fu, Tevfik Bultan, Jianwen Su.
Analysis of interacting BPEL web services. WWW 2004: 621-630
"A Theoretical Basis of
Marco Carbone, Kohei Honda, Nobuko Yoshida,
Robin Milner, Gary Brown, and Steve Ross-Talbot.
K. Honda, V. T. Vasconcelos, and M. Kubo. Language
primitives and type discipline for structured
communication-based programming. In 7th European
Symp. on Programming on Programming Languages
and Systems (ESOP'98), pages 122-138, 1998
K. Honda, N. Yoshida, and M. Carbone. Multiparty
asynchronous session types. In G. C. Necula and
P. Wadler, editors, POPL, pages 273-284. ACM, 2008.
- R. Kazhamiakin and M. Pistore. Analysis of
realizability conditions for web service choreographies.
In FORTE, pages 61-76, 2006.
J. M. Zaha, M. Dumas, A. ter Hofstede, A. Barros,
and G. Decker. Service interaction modeling: Bridging
global and local views. In EDOC, pages 45-55. IEEE
Computer Society, 2006.
N. Lohmann, O. Kopp, F. Leymann, and W. Reisig.
Analyzing BPEL4Chor: Verication and participant
synthesis. In M. Dumas and R. Heckel, editors,
WS-FM, volume 4937 of Lecture Notes in Computer
Science, pages 46-60. Springer, 2007.
- Data Modeling and Analysis
Jaideep Nijjar and Tevfik Bultan.
"Unbounded Data Model Verification Using SMT Solvers."
To appear in the
Proceedings of the 27th IEEE/ACM International Conference on Automated Software
Engineering (ASE 2012).
- Jaideep Nijjar and
"Bounded Verification of Ruby on Rails Data Models."
Proceedings of the 2011 International Symposium on
Software Testing and Analysis
Toronto, Ontario, Canada, July 17-21, 2011.
for Interactive, Data-Driven Web Applications."
Alin Deutsch, Monica Marcus, Liying Sui, Victor Vianu, Dayou Zhou.
Proceedings of the 2005 ACM SIGMOD international conference on Management
Alin Deutsch, Victor Vianu: WAVE: Automatic Verification of Data-Driven
Web Services. IEEE Data Eng. Bull. 31(3): 35-39 (2008)
Lin Wang, Gillian Dobbie, Jing Sun, Lindsay Groves. Validating ORA-SS Data
Models using Alloy. ASWEC 2006, pages 231-242.
- Input Validation
- Fast and Precise Sanitizer Analysis with BEK
Pieter Hooimeijer, Ben Livshits, David Molnar, Prateek Saxena, Margus Veanes.
20th Usenix Security Symposium (Usenix Security 2011), August 2011.
A Systematic Analysis of XSS Sanitization in Web Application Frameworks
Joel Weinberger, Prateek Saxena, Devdatta Akhawe, Matthew Finifter, Richard Shin, Dawn Song
European Symposium on Research in Computer Security (ESORICS 2011), September 2011.
Prateek Saxena, Devdatta Akhawe, Steve Hanna, Stephen McCamant, Feng Mao, Dawn Song.
31st IEEE Symposium on Security and Privacy (Oakland 2010), May 2010.
Tevfik Bultan, and
Jose L. Gallegos.
"Verifying Client-Side Input Validation Functions Using String Analysis."
Proceedings of the
34th International Conference on Software Engineering (ICSE 2012), pages 947-957,
Zurich, Switzerland, June 2-9, 2012.
Muath Alkhalaf and
"Patching Vulnerabilities with Sanitization Synthesis."
Proceedings of the 33rd International Conference on
Software Engineering (ICSE 2011),
Waikiki, Honolulu , Hawaii, USA, May 21-28, 2011.
Saner: Composing Static and Dynamic Analysis to Validate Sanitization in Web Applications
D. Balzarotti, M. Cova, V. Felmetsger, N. Jovanovic, E. Kirda, C. Kruegel, G. Vigna
Proceedings of the IEEE Symposium on Security and Privacy Oakland, CA May 2008
The Essence of Command Injection Attacks in Web Applications.
Zhendong Su and Gary Wassermann.
In Proceedings of POPL'06, Charleston, South Carolina, January 11-13, 2006
- Access Control
Static Detection of Access Control Vulnerabilities in Web Applications.
Fangqi Sun, Liang Xu, and Zhendong Su.
In Proceedings of USENIX Security 2011, San Francisco, CA, August 8-12, 2011
Kathi Fisler, Shriram Krishnamurthi, Leo A. Meyerovich, Michael Carl Tschantz: Verification and change-impact analysis of access-control policies. ICSE 2005: 196-205
Graham Hughes and Tevfik Bultan. "Automated Verification of Access Control Policies Using a SAT Solver" International Journal on Software Tools for Technology Transfer (STTT), vol. 10, no. 6, pp. 473 – 534, December 2008.
- Model Driven Development
Stefano Ceri, Marco Brambilla, Piero Fraternali: The History of WebML
Lessons Learned from 10 Years of Model-Driven Development of Web
Applications. Conceptual Modeling: Foundations and Applications 2009: 273-292
Stefano Ceri, Piero Fraternali, Aldo Bongio: Web Modeling Language (WebML):
a modeling language for designing Web sites. Computer Networks 33(1-6):
- S Ceri, P Fraternali, M Matera.
Conceptual modeling of data-intensive Web applications.
IEEE Internet Computing (2002), volume: 6 issue: 4 page: 20.
Avraham Leff, James T. Rayfield, "Web-Application Development Using the Model/View/Controller Design Pattern," Enterprise Distributed Object Computing Conference, IEEE International, pp. 0118, Fifth IEEE International Enterprise Distributed Object Computing Conference, 2001.