Model Checking Database Applications

We describe the design of DPF, an explicit-state model checker for database-backed web applications. DPF interposes between the program and the database layer, and precisely tracks the effects of queries made to the database. We experimentally explore several implementation choices for the model checker: stateful vs. stateless search, state storage and backtracking strategies, and dynamic partial-order reduction. In particular, we define independence relations at different granularity levels of the database (at the database, relation, record, attribute, or cell level), and show the effectiveness of dynamic partial-order reduction based on these relations. We apply DPF to look for atomicity violations in web applications. Web applications maintain shared state in databases, and typically there are relatively few database accesses for each request. This implies concurrent interactions are limited to relatively few and well-defined points, enabling our model checker to scale. We explore the performance implications of various design choices and demonstrate the effectiveness of DPF on a set of Java benchmarks. Our model checker was able to find new concurrency bugs in two open-source web applications, including in a standard example distributed with the Spring framework.
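The abstract's key idea is that the independence relation fed to dynamic partial-order reduction can be defined at different granularities of the database. The following is an added illustration, not DPF's code: it models each recorded query effect as a hypothetical `DbOp` (request, read/write, relation, rows, columns), decides dependence at each granularity, and counts how many schedules of two constructed requests remain distinct once independent adjacent accesses are allowed to commute.

```python
from collections import namedtuple

# Effect of one SQL statement as recorded at the interposition layer (hypothetical model).
DbOp = namedtuple("DbOp", "id thread kind relation records attributes")

def dependent(a, b, granularity):
    # Dependent iff at least one op writes and the footprints overlap at this granularity.
    if a.kind == "read" and b.kind == "read":
        return False
    if granularity == "database":
        return True
    if a.relation != b.relation:
        return False
    if granularity == "relation":
        return True
    rows, cols = a.records & b.records, a.attributes & b.attributes
    return bool({"record": rows, "attribute": cols, "cell": rows and cols}[granularity])

def interleavings(threads):
    # Every schedule that respects each request's own statement order.
    def go(prefix, rest):
        if not any(rest):
            yield tuple(prefix)
        for i, seq in enumerate(rest):
            if seq:
                yield from go(prefix + [seq[0]], rest[:i] + [seq[1:]] + rest[i + 1:])
    return list(go([], [list(t) for t in threads]))

def canonical(schedule, granularity):
    # Smallest schedule reachable by swapping adjacent independent ops of different
    # threads; schedules sharing it are equivalent, so DPOR needs to explore only one.
    seen, frontier = {schedule}, [schedule]
    while frontier:
        cur = frontier.pop()
        for i in range(len(cur) - 1):
            a, b = cur[i], cur[i + 1]
            if a.thread != b.thread and not dependent(a, b, granularity):
                nxt = cur[:i] + (b, a) + cur[i + 2:]
                if nxt not in seen:
                    seen.add(nxt); frontier.append(nxt)
    return min(seen, key=lambda s: tuple(op.id for op in s))

def traces_to_explore(threads, granularity):
    return len({canonical(s, granularity) for s in interleavings(threads)})

# Constructed sample: two concurrent requests hitting one "accounts" relation.
REQ1 = (DbOp(0, "req1", "read",  "accounts", frozenset({1}), frozenset({"balance"})),
        DbOp(1, "req1", "write", "accounts", frozenset({1}), frozenset({"balance"})))
REQ2 = (DbOp(2, "req2", "read",  "accounts", frozenset({1}), frozenset({"owner"})),
        DbOp(3, "req2", "write", "accounts", frozenset({2}), frozenset({"balance"})))
```

For this sample the six interleavings collapse to 4 traces at database or relation granularity, 3 at attribute, 2 at record and 1 at cell granularity, which is the scaling effect the abstract attributes to finer-grained independence relations.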
