动态web应用中的缺陷定位研究

在动态web应用中,动态生成的HTML页面产生的缺陷难以定位并且会严重影响web应用程序的可用性和稳定性。针对以上问题,本文提出了一种基于符号约束集的web缺陷定位方法,通过对web服务端程序的动态符号执行生成一个带有符号约束的树模型,并给出了一个高效的缺陷映射定位算法。为验证该方法的有效性,本文对几个基于PHP的开源web程序进行实验,结果表明该方法在web应用的HTML缺陷检测定位覆盖率和准确率方面都有所改进。     

A formal approach for run-time verification of web applications using scope-extended LTL

ContextIn the past decade, the World Wide Web has been subject to rapid changes. Web sites have evolved from static information pages to dynamic and service-oriented applications that are used for a broad range of activities on a daily basis. For this reason, thorough analysis and verification of Web Applications help assure the deployment of high quality applications.ObjectivesIn this paper, an approach is presented to the formal verification and validation of existing web applications. The approach consists of using execution traces of a web application to automatically generate a communicating automata model. The obtained model is used to model checking the application against predefined properties, to perform regression testing, and for documentation.MethodsTraces used in the proposed approach are collected by monitoring a web application while it is explored by a user or a program. An automata-based model is derived from the collected traces by mapping the pages of the application under test into states and the links and forms used to browse the application into transitions between the states. Properties, meanwhile, express correctness and quality requirements on web applications and might concern all states of the model; in many cases, these properties concern only a proper subset of the states, in which case the model is refined to designate the subset of the global states of interest. A related problem of property specification in Linear Temporal Logic (LTL) over only a subset of states of a system is solved by means of specialized operators that facilitate specifying properties over propositional scopes in a concise and intuitive way. Each scope constitutes a subset of states that satisfy a propositional logic formula.ResultsAn implementation of the verification approach that uses the model checker Spin is presented where an integrated toolset is developed and empirical results are shown. Also, Linear Temporal Logic is extended with propositional scopes.Conclusiona formal approach is developed to build a finite automata model tuned to features of web applications that have to be validated, while delegating the task of property verification to an existing model checker. Also, the problem of property specification in LTL over a subset of the states of a given system is addressed, and a generic and practical solution is proposed which does not require any changes in the system model by defining specialized operators in LTL using scopes.     

A simulation-based approach for dynamic process management at web service platforms

Web services technology is being adopted as a viable deployment approach for future distributed software systems that enable business-to-business and business-to-consumer interactions across the open and dynamic internet environment. Recent research is focused on developing support technologies for web service discovery, on-demand service composition, and robust execution to facilitate web services based deployment of business processes. Developing techniques to cope with the volatile and open nature of the web during execution of composite services at the service platform is essential for delivering reliable and acceptable performance in this new process delivery framework. In this paper, we propose a simulation-based framework to guide scheduling of composite service execution. Online simulation of the dynamics of the open environment is used for scheduling service requests at the service platform. Comparison of the look-ahead simulation for different scheduling policies with the current execution state provides guidelines for service execution in order to cope with system volatility. We have implemented a prototype of the proposed framework and illustrate the feasibility of our approach with experimental studies.     

An extended XACML model to ensure secure information access for web services

More and more software systems based on web services have been developed. Web service development techniques are thus becoming crucial. To ensure secure information access, access control should be taken into consideration when developing web services. This paper proposes an extended XACML model named EXACML to ensure secure information access for web services. It is based on the technique of information flow control. Primary features offered by the model are: (1) both the information of requesters and that of web services are protected, (2) the access control of web services is more precise than just “allow or reject” policy in existing models, and (3) the model will deny non-secure information access during the execution of a web service even when a requester is allowed to invoke the web service.     

基于文档分层表示的恶意网页快速检测方法

近年来,恶意网页检测主要依赖于语义分析或代码模拟执行来提取特征,但是这类方法实现复杂,需要高额的计算开销,并且增加了攻击面.为此,提出了一种基于深度学习的恶意网页检测方法,首先使用简单的正则表达式直接从静态HTML文档中提取与语义无关的标记,然后采用神经网络模型捕获文档在多个分层空间尺度上的局部性表示,实现了能够从任意长度的网页中快速找到微小恶意代码片段的能力.将该方法与多种基线模型和简化模型进行对比实验,结果表明该方法在0.1%的误报率下实现了96.4%的检测率,获得了更好的分类准确率.本方法的速度和准确性使其适合部署到端点、防火墙和Web代理中.     

Responsive interaction for a large Web application: the meteor shower architecture in the WebWriter II Editor

Traditional server-based web applications allow access to server-hosted resources, but often exhibit poor responsiveness due to server load and network delays. Client-side web applications, on the other hand, provide excellent interactivity at the expense of limited access to server resources. The WebWriter II Editor, a direct manipulation HTML editor that runs in a web browser, uses both server-side and client-side processing in order to achieve the advantages of both. In particular, this editor downloads the document data structure to the browser and performs all operations locally. The user interface is based on HTML frames and includes individual frames for previewing the document and displaying general and specific control panels. All editing is done by JavaScript code residing in roughly twenty HTML pages that are downloaded into these frames as needed. Such a client — server architecture, based on frames, client-side data structures, and multiple JavaScriptenhanced HTML pages' appears promising for a wide variety of applications. This paper describes this architecture, the Meteor Shower Application Architecture, and its use in the WebWriter II Editor.     

PAN: A portable,parallel Prolog: Its design,realisation and performance

PAN is a general purpose, portable environment for executing logic programs in parallel. It combines a flexible, distributed architecture which is resilient to software and platform evolution with facilities for automatically extracting and exploiting AND and OR parallelism in ordinary Prolog programs. PAN incorporates a range of compile-time and run-time techniques to deliver the performance benefits of parallel execution while rertaining sequential execution semantics. Several examples illustrate the efficiency of the controls that facilitate the execution of logic programs in a distributed manner and identify the class of applications that benefit from distributed platforms like PAN. George Xirogiannis, Ph.D.: He received his B.S. in Mathematics from the University of Ioannina, Greece in 1993, his M.S in Artificial Intelligence from the University of Bristol in 1994 and his Ph.D. in Computer Science from Heriot-Watt University, Edinburgh in 1998. His Ph.D. thesis concerns the automated execution of Prolog on distributed heterogeneous multi-processors. His research interests have progressed from knowledge-based systems to distributed logic programming and data mining. Currently, he is working as a senior IT consultant at Pricewaterhouse Coopers. He is also a Research Associate at the National Technical University of Athens, researching in knowledge and data mining. Hamish Taylor, Ph.D.: He is a lecturer in Computer Science in the Computing and Electrical Engineering Department of Heriot-Watt University in Edinburgh. He received M.A. and MLitt degrees in philosophy from Cambridge University and an M.S. and a Ph.D. degree in computer science from Heriot-Watt University, Scotland. Since 1985 he has worked on research projects concerned with implementing concurrent logic programming languages, developing formal models for automated reasoning, performance modelling parallel relational database systems, and visualisizing resources in shared web caches. His current research interests are in applications of collaborative virtual environments, parallel logic programming and networked computing technologies.     

基于标记图的Web数据模型

本文详细探讨了一种新的Ｗｅｂ数据模型－标记图,给类格的形式化描述。     

Composing web services enacted by autonomous agents through agent-centric contract net protocol

ContextAgents are considered as one of the fundamental technologies underlying open and dynamic systems that are largely enabled by the semantic web and web services. Recently, there is a trend to introduce the notion of autonomy empowered by agents into web services. However, it has been argued that the characteristics of autonomy will make agents become available intermittently and behave variedly over time, which therefore increase the complexity on devising mechanisms for composing services enacted by autonomous agents.ObjectiveIn this work, we propose an extension to Contract Net protocol, called Agent-centric Contract Net Protocol (ACNP), as a negotiation mechanism with three key features for composing web services enacted by autonomous agents.Method(1) A matchmaking mechanism embedded in a middle agent (as a service matchmaker) for discovering web services that are available intermittently is presented based on the concept of agent roles; (2) A selection algorithm based on risk-enabled reputation model (REAL) embedded in a manager agent (as a service composer) is introduced to serve a basis for selecting web services with variant performance; and (3) A negotiation mechanism between a manager agent and contractor agents (as atomic services) is devised and enables both a service composer and the atomic services to request, refuse or agree on adapting changes of services.ResultsThe problem of assembling a computer is discussed in this paper.ConclusionIt is increasingly recognised that web services would become more autonomous by introducing diverse agent technologies to better constitute more complex systems in open and dynamic environments. As web service technologies are best exploited by composite services, it is imperative to devise mechanisms for composing services of autonomy.     

MicroMAIS: executing and orchestrating Web services on constrained mobile devices

Mobile devices with their more and more powerful resources allow the development of mobile information systems in which services are not only provided by traditional systems but also autonomously executed and controlled in the mobile devices themselves. Services distributed on autonomous mobile devices allow both the development of cooperative applications without a back‐end infrastructure and the development of applications blending distributed and centralized services. In this paper, we propose MicroMAIS: an integrated platform for supporting the execution of Web service‐based applications natively on a mobile device. The MicroMAIS platform is composed of mAS and μ‐BPEL. The former allows the execution of a single Web service, whereas the latter permits the orchestration of several Web services according to the WS‐BPEL standard. Copyright © 2011 John Wiley & Sons, Ltd.     

A case study on bypass testing of web applications

Society’s increasing reliance on services provided by web applications places a high demand on their reliability. The flow of control through web applications heavily depends on user inputs and interactions, so user inputs should be thoroughly validated before being passed to the back-end software. Although several techniques are used to validate inputs on the client, users can easily bypass this validation and submit arbitrary data to the server. This can cause unexpected behavior, and even allow unauthorized access. A test technique called bypass testing intentionally sends invalid data to the server by bypassing client-side validation. This paper reports results from a comprehensive case study on 16 deployed, widely used, commercial web applications. As part of this project, the theory behind bypass testing was extended and an automated tool, AutoBypass, was built. The case study found failures in 14 of the 16 web applications tested, some significant. This study gives evidence that bypass testing is effective, has positive return on investment, and scales to real applications.     

Web应用服务器研究综述

Web应用服务器是Web计算环境下产生的新型中间件,为创建、部署、运行、集成和管理事务性Web应用提供一个跨平台的运行环境,被认为是自关系型数据库以来最令人激动的企业应用技术.诸多IT企业纷纷推出其各自的Web应用服务器产品和系统,学术界也对这种热门领域产生了浓厚的兴趣.在分析Web计算环境下传统中间件发展所遇到的问题的基础上,介绍Web应用服务器的起源和发展、运行模式以及评测基准,然后对Web应用服务器研究现状进行综述,主要包括Web应用服务器的定义、体系结构、组件容器、分布事务处理、负载平衡、高速缓存、Web Service等研究热点和关键技术.根据评测基准,对若干主流Web应用服务器从功能和性能两个方面进行分析和比较.此外,还指出了Web应用服务器目前存在的不足以及未来的发展趋势.     

A fast HTML web page change detection approach based on hashing and reducing the number of similarity computations

This paper describes a fast HTML web page detection approach that saves computation time by limiting the similarity computations between two versions of a web page to nodes having the same HTML tag type, and by hashing the web page in order to provide direct access to node information. This efficient approach is suitable as a client application and for implementing server applications that could serve the needs of users in monitoring modifications to HTML web pages made over time, and that allow for reporting and visualizing changes and trends in order to gain insight about the significance and types of such changes. The detection of changes across two versions of a page is accomplished by performing similarity computations after transforming the web page into an XML-like structure in which a node corresponds to an open–close HTML tag. Performance and detection reliability results were obtained, and showed speed improvements when compared to the results of a previous approach.     

Using combinatorial testing to build navigation graphs for dynamic web applications

Modelling a software system is often a challenging prerequisite to automatic test case generation. Modelling the navigation structure of a dynamic web application is particularly challenging because of the presence of a large number of pages that are created dynamically and the difficulty of reaching a dynamic page unless a set of appropriate input values are provided for the parameters. To address the first challenge, some form of abstraction is required to enable scalable modelling. For the second challenge, techniques are required to select appropriate input values for parameters and systematically combine them to reach new pages. This paper presents a combinatorial approach in building a navigation graph for dynamic web applications. The navigation graph can then be used to automatically generate test sequences for testing web applications. The novelty of our approach is twofold. First, we use an abstraction scheme to control the page explosion problem, where pages that are likely to have the same navigation behaviour are grouped together and are represented as a single node in the navigation graph. Second, assuming that values of individual parameters are supplied manually or generated from other techniques, we combine parameter values such that well‐defined combinatorial coverage of input parameter values is achieved. Using combinatorial coverage can significantly reduce the number of requests that have to be submitted while still achieving effective coverage of the navigation structure. We implement our combinatorial approach in a tool, Tansuo, and apply the tool on seven open‐source web applications. We evaluate the effectiveness of Tansuo's exploration process guided by t‐way coverage, for t = 1,2,3, with respect to code coverage, and find that the navigation structure exploration by Tansuo, in general, results in high code coverage (more than 80% statement coverage for most of our subject applications when dead code is removed). We compare Tansuo's effectiveness with two other navigation graph tools and find that Tansuo is more effective. Our empirical results indicate that using pairwise coverage in Tansuo results in the efficient generation of navigation graphs and effective exploration of dynamic web applications. Copyright © 2016 John Wiley & Sons, Ltd.     

A mobile-agent-based approach to software coordination in the HOOPE system

Software coordination is central to the construction of large-scale high-performance distributed applications with software services scattered over the decentralized Internet. In this paper, a new mobile-agent-based architecture is proposed for the utilization and coordination of geographically distributed computing resources. Under this architecture, a user application is built with a set of software agents that can travel across the network autonomously. These agents utilize the distributed resources and coordinate with each other to complete their task. This approach' s advantages include the natural expression and flexible deployment of the coordination logic, the dynamic adaptation to the network environment and the potential of better application performance. This coordination architecture, together with an object-oriented hierarchical parallel application framework and a graphical application construction tool, is implemented in the HOOPE environment, which provides a systematic support for the de     

面向浏览器的医学影像可视化系统

目的 当前各大商业公司和开源社区所提供的医学影像可视化系统依赖于各类平台以及与平台相关的插件,难以实现跨平台访问.为此提出并实现了基于HTML5的面向现代浏览器的医学影像可视化系统.方法 基于B/S(browers/server)模式进行系统整体架构与设计,设计自定义的传输协议提供各种定制的图像可视化服务.对于2维影像,采用HTML的canvas技术和WebGL技术进行浏览器端硬件加速.对于3维医学影像,采用前后端异步操作的策略以提供渐进式可视化.算法构造原始数据的多分辨率采样,并在用户交互过程中实现自适应可视化.结果 在不同的浏览器、多组临床医学影像肝脏数据上测试了系统,表明系统支持跨浏览器的可视化.测试2维和3维可视化的结果表明,系统支持2维影像的实时可视化(25帧/s),支持3维影像的交互可视化.对于512×512×154的医学体数据,低精度绘制模式的可视化效率可以达到60帧/s,高精度绘制模式的可视化效率可达到 1帧/s 的绘制效率.结论 本文面向浏览器的医学影像可视化系统利用当下新兴的WEB技术实现了跨浏览器、跨平台地对用户提供服务,为远程及移动医疗影像可视化系统提供了机会.