CS 595C
Analysis and Verification Techniques for Improving Dependability of Web Software
Fall 2011


Web software development is an error prone process due to the distributed nature of web applications. As a consequence web applications are notorious for security vulnerabilities and unreliable behavior. In this seminar we will discuss recently proposed automated analysis and verification techniques for improving the dependability of web software.

Instructor: Tevfik Bultan
Meeting time: 3:00pm, Wednesday
Location: HFH 1132
Enrollment Code: 73536
Units: This will be a 2 unit seminar

Paper Reviews

Each week, each student is required to write a review of the paper that will be presented and submit the review to the instructors before the class. Here is a paper review template. In each review you are asked to 1) summarize the results presented in the paper, 2) identify the novelty of the proposed approach, 3) discuss any flaws that you see in the proposed approach and, 4) ask at least two questions about the paper.



  1. (Jaideep Nijjar will present) Jaideep Nijjar and Tevfik Bultan. "Bounded Verification of Ruby on Rails Data Models." To appear in the Proceedings of the 2011 International Symposium on Software Testing and Analysis (ISSTA 2011).
  2. (Muath Alkhalaf will present) Fang Yu, Muath Alkhalaf and Tevfik Bultan. "Patching Vulnerabilities with Sanitization Synthesis." To appear in the Proceedings of the 33rd International Conference on Software Engineering (ICSE 2011).
  3. (Victor Amelkin will present) Takaaki Tateishi, Marco Pistoia, Omer Tripp: Path- and index-sensitive string analysis based on monadic second-order logic. ISSTA 2011: 166-176
  4. (Saeed Mahani will present) Salvatore Guarnieri, Marco Pistoia, Omer Tripp, Julian Dolby, Stephen Teilhet, Ryan Berg: Saving the world wide web from vulnerable JavaScript. ISSTA 2011: 177-187
  5. Matthew J. McGill, Laura K. Dillon, R. E. Kurt Stirewalt: Scalable analysis of conceptual data models. ISSTA 2011: 56-66
  6. Y. Smaragdakis, C. Csallner, and R. Subramanian. Scalable satisfiability checking and test data generation from modeling diagrams. Automated Softw. Eng., 16:73–99, 2009.
  7. (Devdeep Roy Choudhury will present) Shay Artzi, Julian Dolby, Simon Holm Jensen, Anders Moller, Frank Tip: A framework for automated testing of javascript web applications. ICSE 2011: 571-580
  8. (Adam Doupe will present) Avik Chaudhuri, Jeffrey S. Foster: Symbolic security analysis of ruby-on-rails web applications. ACM Conference on Computer and Communications Security 2010: 585-594
  9. Prithvi Bisht, Timothy Hinrichs, Nazari Skrupsky, Radoslaw Bobrowicz, V. N. Venkatakrishnan: NoTamper: automatic blackbox detection of parameter tampering opportunities in web applications. ACM Conference on Computer and Communications Security 2010: 607-618
  10. (Ivan Bocic will present) Uri Klein, Kedar S. Namjoshi: Formalization and Automated Verification of RESTful Behavior. CAV 2011: 541-556
  11. Gregor Richards, Sylvain Lebresne, Brian Burg, Jan Vitek: An analysis of the dynamic behavior of JavaScript programs. PLDI 2010: 1-12
  12. Using Static Analysis for Ajax Intrusion Detection Arjun Guha, Shriram Krishnamurthi, Trevor Jim International World Wide Web Conference, 2009
  13. (Abdulbaki Aydin will present) Prateek Saxena, Devdatta Akhawe, Steve Hanna, Feng Mao, Stephen McCamant, Dawn Song: A Symbolic Execution Framework for JavaScript. IEEE Symposium on Security and Privacy 2010: 513-528
  14. Prateek Saxena, Steve Hanna, Pongsin Poosankam, Dawn Song: FLAX: Systematic Discovery of Client-side Validation Vulnerabilities in Rich Web Applications. NDSS 2010
  15. Prithvi Bisht, Tim Hinrichs, Nazari Skrupsky and V.N. Venkatakrishnan: WAPTEC: Whitebox Analysis of Web Applications for Parameter Tampering Exploit Construction. To appear 18th ACM Conference on Computer and Communications Security (CCS'2011)
  16. Sylvain Halle, Taylor Ettema, Chris Bunch and Tevfik Bultan. "Eliminating Navigation Errors in Web Applications via Model Checking and Runtime Enforcement of Navigation State Machines." To appear in the Proceedings of the 25th IEEE/ACM International Conference on Automated Software Engineering (ASE 2010), Antwerp, Belgium, 20-24 September 2010.
  17. Brian J. Corcoran, Nikhil Swamy, and Michael Hicks. Cross-tier, Label-based Security Enforcement for Web Applications. In Proceedings of the ACM SIGMOD International Conference on Management of Data (SIGMOD), pages 269-282, June 2009.