Scalability issues with using FSMWeb to test web applications

Web applications are fast becoming more widespread, larger, more interactive, and more essential to the international use of computers. It is well understood that web applications must be highly dependable, and as a field we are just now beginning to understand how to model and test Web applications. One straightforward technique is to model Web applications as finite state machines. However, large numbers of input fields, input choices and the ability to enter values in any order combine to create a state space explosion problem. This paper evaluates a solution that uses constraints on the inputs to reduce the number of transitions, thus compressing the FSM. The paper presents an analysis of the potential savings of the compression technique and reports actual savings from two case studies.     

A Flexible Integration Framework for Semantic Web 2.0 Applications

The Semantic Web application framework extends Ruby on Rails to enable rapid development of integrated Semantic Web mash-ups. Web applications are mostly database driven. Developers design a database schema and then construct the application logic (which generates Web pages for user interaction) on top of the schema. These applications are centralized and rely on their own relational database, limiting the possibilities for data integration. Mash-ups (often called Web 2.0 applications) are an emerging Web development paradigm that combines functionality from different Web applications.     

Beyond soundness: on the verification of semantic business process models

The verification of control-flow soundness is well understood as an important step before deploying business process models. However, the control flow does not capture what the process activities actually do when they are executed. Semantic annotations offer the opportunity to take this into account. Inspired by semantic Web service approaches such as OWL-S and WSMO, we consider process models in which the individual activities are annotated with logical preconditions and effects, specified relative to an ontology that axiomatizes the underlying business domain. Verification then addresses the overall process behavior, arising from the interaction between control-flow and behavior of individual activities. To this end, we combine notions from the workflow community with notions from the AI actions and change literature. We introduce a formal execution semantics for annotated business processes. We point out four verification tasks that arise, concerning precondition/effect conflicts, reachability, and executability. We examine the borderline between classes of processes that can, or cannot, be verified in polynomial time. For precondition/effect conflicts, we show that the borderline is the same as that of the logic underlying the ontology axioms. For reachability and executability, we identify a class of processes that can be verified in polynomial time by a fixpoint algorithm which we design for that purpose. We show that this class of processes is maximal in the sense that, when generalizing it in any of the most relevant directions, the validation tasks become computationally hard.     

Building a Usable and Accessible Semantic Web Interaction Platform

Semantic Web applications take off is being slower than expected, at least with respect to “real-world” applications and users. One of the main reasons for this lack of adoption is that most Semantic Web user interfaces are still immature from the usability and accessibility points of view. This is due to the novelty of these technologies, but this also motivates the exploration of alternative interaction paradigms, different from the “traditional” Web or Desktop applications ones. Our proposal is realized in the Rhizomer platform, which explores the possibilities of the object–action interaction paradigm at the Web scale. This paradigm is well suited for heterogeneous resource spaces such as those common in the Semantic Web. Resources, described by metadata, correspond to the objects in the paradigm. Semantic web services, which are dynamically associated to these objects, correspond to the actions. The platform is being put into practice in the context of a research project in order to build an open application for media distribution based on Semantic Web technologies. Moreover, its usability and accessibility have been evaluated in this real setting and compared to similar systems.     

MatSeek: An Ontology-Based Federated Search Interface for Materials Scientists

The MatSeek system is an ontology-based federated search interface to key materials science databases and analytical tools. By combining Semantic Web and Web 2.0 technologies, MatSeek provides materials scientists with a single Web interface that enables them to search across disparate databases containing crystal-structure data, ionic-conductivity data, and phase stability data; render 3D crystal-structure images; calculate bond lengths and angles; retrieve relevant scholarly references; and identify potential new materials with the structure and properties required to satisfy specific applications. The MatOnto ontology underlying MatSeek enables integration of data across disparate databases, and Web 2.0 technologies enable iterative searching across the databases. The results retrieved from searching the previous database are used as input to the query on the next database. By providing materials scientists with a single, integrated Web interface to the critical materials science databases and analytical tools, MatSeek represents a significant advance toward a full-fledged materials-informatics workbench.     

二阶SQL注入攻击防御模型

随着互联网技术的快速发展,Web应用程序的使用也日趋广泛,其中基于数据库的Web应用程序己经广泛用于企业的各种业务系统中。然而由于开发人员水平和经验参差不齐,使得Web应用程序存在大量安全隐患。影响Web应用程序安全的因素有很多,其中SQL注入攻击是最常见且最易于实施的攻击,且SQL注入攻击被认为是危害最广的。因此,做好SQL注入攻击的防范工作对于保证Web应用程序的安全十分关键,如何更有效地防御SQL注入攻击成为重要的研究课题。SQL注入攻击利用结构化查询语言的语法进行攻击。传统的SQL注入攻击防御模型是从用户输入过滤和SQL语句语法比较的角度进行防御,当数据库中的恶意数据被拼接到动态SQL语句时,就会导致二阶SQL注入攻击。文章在前人研究的基础上提出了一种基于改进参数化的二阶SQL注入攻击防御模型。该模型主要包括输入过滤模块、索引替换模块、语法比较模块和参数化替换模块。实验表明,该模型对于二阶SQL注入攻击具有很好的防御能力。     

A Rule-based System for Web site Verification

In this paper, we describe a system, written in Haskell, for the automated verification of Web sites which can be used to specify (partial) correctness and completeness properties of a given Web site, and then automatically check whether these properties are actually fulfilled. It provides a rule-based, formal specification language which allows us to define syntactic/semantic conditions for the Web site by means of a user-friendly graphical interface as well as a verification facility for recognizing forbidden/incorrect patterns and incomplete/missing Web pages.     

Web user clustering and Web prefetching using Random Indexing with weight functions

Users of a Web site usually perform their interest-oriented actions by clicking or visiting Web pages, which are traced in access log files. Clustering Web user access patterns may capture common user interests to a Web site, and in turn, build user profiles for advanced Web applications, such as Web caching and prefetching. The conventional Web usage mining techniques for clustering Web user sessions can discover usage patterns directly, but cannot identify the latent factors or hidden relationships among users?? navigational behaviour. In this paper, we propose an approach based on a vector space model, called Random Indexing, to discover such intrinsic characteristics of Web users?? activities. The underlying factors are then utilised for clustering individual user navigational patterns and creating common user profiles. The clustering results will be used to predict and prefetch Web requests for grouped users. We demonstrate the usability and superiority of the proposed Web user clustering approach through experiments on a real Web log file. The clustering and prefetching tasks are evaluated by comparison with previous studies demonstrating better clustering performance and higher prefetching accuracy.     

Research on the dynamic reconfiguration of Web application using two-phase compatibility verification

Implemented by dynamic service composition and integration, Web application has significantly affected our daily life, such as e-commerce and e-government. However, the open and ever-changing environment makes Web users more vulnerable to the usability problem, i.e. unreachable pages and reduced responsiveness. Accordingly, there is a need to deliver reliable Web application with attributes that cover the correctness and reliability. For the efficient handling of failures, the compatibility verification of dynamic reconfiguration strategies is attached great importance since it can guarantee the robustness and high quality of Web-based software. This paper extends the classical finite state machine (FSM) to formalize the behaviour of Web application, namely the extended FSM for Web applications (EFSM4WA) model. This model is also suitable to formally describe the interaction behaviours of dynamic reconfiguration when Web application encountered failure. Then, the compatibility verification of dynamic reconfiguration is carried out in two phases. During the first phase, it adopts the trace projection approach to check the compatibility against the synchronized product model in a qualitative way, which will select a set of candidate Web applications. During the second phase, it takes performance into consideration to choose a high-reliability Web application in a quantitative way. Finally, a case study is demonstrated to show the applicability of our approach.     

A Rewriting-based Framework for Web Sites Verification

In this paper, we develop a framework for the automated verification of Web sites which can be used to specify integrity conditions for a given Web site, and then automatically check whether these conditions are fulfilled. First, we provide a rewriting-based, formal specification language which allows us to define syntactic as well as semantic properties of the Web site. Then, we formalize a verification technique which obtains the requirements not fulfilled by the Web site, and helps to repair the errors by finding out incomplete information and/or missing pages. Our methodology is based on a novel rewriting-based technique, called partial rewriting, in which the traditional pattern matching mechanism is replaced by tree simulation, a suitable technique for recognizing patterns inside semistructured documents. The framework has been implemented in the prototype Web verification system Verdi which is publicly available.     

Verifikation von Webservicekompositionen:

Web service compositions coordinate Web services of different enterprises. They are expected to constitute the foundation of service-oriented architectures, to improve business processes as well as to foster intra- and inter-organizational integration. Especially in inter-organizational contexts, quality of service referring to non-functional requirements and conformance to functional requirements are becoming vital properties. With Web service compositions being asynchronous and distributed systems, the latter property – which is also called correctness – can be shown best by verification. This paper examines from a system-theoretic perspective how correctness can be operationalized for Web service compositions. It also proposes a requirements framework for service-oriented modeling techniques so that correctness can be shown by verification and Web service compositions can be modeled intuitively. In order to show the framework’s principle applicability, an example approach is analyzed with respect to the corresponding requirements.     

A framework for efficient regression tests on database applications

Regression testing is an important software maintenance activity to ensure the integrity of a software after modification. However, most methods and tools developed for software testing today do not work well for database applications; these tools only work well if applications are stateless or tests can be designed in such a way that they do not alter the state. To execute tests for database applications efficiently, the challenge is to control the state of the database during testing and to order the test runs such that expensive database reset operations that bring the database into the right state need to be executed as seldom as possible. This work devises a regression testing framework for database applications so that test runs can be executed in parallel. The goal is to achieve linear speed-up and/or exploit the available resources as well as possible. This problem is challenging because parallel testing needs to consider both load balancing and controlling the state of the database. Experimental results show that test run execution can achieve linear speed-up by using the proposed framework.     

Rule-based verification of Web sites

In this paper, we develop a framework for the automated verification of Web sites, which can be used to specify integrity conditions for a given Web site, and then automatically check whether these conditions are fulfilled. First, we provide a rewriting-based, formal specification language which allows us to define syntactic as well as semantic properties of the Web site. Then, we formalize a verification technique which detects both incorrect/forbidden patterns as well as lack of information, that is, incomplete/missing Web pages inside the Web site. Useful information is gathered during the verification process which can be used to repair the Web site. Our methodology is based on a novel rewriting-based technique, called partial rewriting, in which the traditional pattern matching mechanism is replaced by tree simulation, a suitable technique for recognizing patterns inside semistructured documents. The framework has been implemented in the prototype GVerdi, which is publicly available.     

Testing Web applications by modeling with FSMs

Researchers and practitioners are still trying to find effective ways to model and test Web applications. This paper proposes a system-level testing technique that combines test generation based on finite state machines with constraints. We use a hierarchical approach to model potentially large Web applications. The approach builds hierarchies of Finite State Machines (FSMs) that model subsystems of the Web applications, and then generates test requirements as subsequences of states in the FSMs. These subsequences are then combined and refined to form complete executable tests. The constraints are used to select a reduced set of inputs with the goal of reducing the state space explosion otherwise inherent in using FSMs. The paper illustrates the technique with a running example of a Web-based course student information system and introduces a prototype implementation to support the technique.     

Multi-tenant Verification-as-a-Service (VaaS) in a cloud

Formal methods and verification technique are often used to develop mission-critical systems. Cloud computing offers new computation models for applications and the new model can be used for formal verification. But formal verification tools and techniques may need to be updated to exploit the cloud architectures. Multi-Tenant Architecture (MTA) is a design architecture used in SaaS (Software-as-a-Service) where a tenant can customize its applications by integrating either services already stored in the SaaS database or newly supplied services. This paper proposes a new concept VaaS (Verification-as-a-Service), similar to SaaS, by leveraging the computing power offered by a cloud environment with automated provisioning, scalability, and service composition. A VaaS hosts verification software in a cloud environment, and these services can be called on demand, and can be composed to verify a software model. This paper presents a VaaS architecture with components, and ways that a VaaS can be used to verify models. Bigragh is selected as the modeling language for illustration as it can model mobile applications. A Bigraph models can be verified by first converting it to a state model, and the state model can be verified by model-checking tools. The VaaS services combination model and execution model are also presented. The algorithm of distributing VaaS services to a cloud is given and its efficiency is evaluated. A case study is used to demonstrate the feasibility of a VaaS.     

Interval arithmetic techniques for the design of controllers for nonlinear dynamical systems with applications in mechatronics

In this paper, we give an overview of interval arithmetic techniques for both the offline and online verification of robust control strategies. Part 1 of the paper mainly addresses basic interval techniques focusing on offline applications while the focus of Part 2 is their online application. For offline applications, we aim at computing the sets of all admissible control strategies. Admissibility is defined in terms of constraints on, for example, the trajectories of the state variables, the range of control inputs, and the frequency response or eigenvalue regions of linear closed-loop control systems. In contrast to the offline application, the foremost requirement for online applications is the verification of the admissibility of at least one control strategy and to determine a suitable approximate solution to a control task which is both feasible and optimal in some specified sense. In addition to open-loop as well as closed-loop control, the problem of state and parameter estimation is addressed.     

Choquet fuzzy integral based modeling of nonlinear system

For dealing with the adjacent input fuzzy sets having overlapping information, non-additive fuzzy rules are formulated by defining their consequent as the product of weighted input and a fuzzy measure. With the weighted input, need arises for the corresponding fuzzy measure. This is a new concept that facilitates the evolution of new fuzzy modeling. The fuzzy measures aggregate the information from the weighted inputs using the λ-measure. The output of these rules is in the form of the Choquet fuzzy integral. The underlying non-additive fuzzy model is investigated for identification of non-linear systems. The weighted input which is the additive S-norm of the inputs and their membership functions provides the strength of the rules and fuzzy densities required to compute fuzzy measures subject to q-measure are the unknown functions to be estimated. The use of q-measure is a powerful way of simplifying the computation of λ-measure that takes account of the interaction between the weighted inputs. Two applications; one real life application on signature verification and forgery detection, and another benchmark problem of a chemical plant illustrate the utility of the proposed approach. The results are compared with those existing in the literature.     

Provable Protection against Web Application Vulnerabilities Related to Session Data Dependencies

Web applications are widely adopted and their correct functioning is mission critical for many businesses. At the same time, Web applications tend to be error prone and implementation vulnerabilities are readily and commonly exploited by attackers. The design of countermeasures that detect or prevent such vulnerabilities or protect against their exploitation is an important research challenge for the fields of software engineering and security engineering. In this paper, we focus on one specific type of implementation vulnerability, namely, broken dependencies on session data. This vulnerability can lead to a variety of erroneous behavior at runtime and can easily be triggered by a malicious user by applying attack techniques such as forceful browsing. This paper shows how to guarantee the absence of runtime errors due to broken dependencies on session data in Web applications. The proposed solution combines development-time program annotation, static verification, and runtime checking to provably protect against broken data dependencies. We have developed a prototype implementation of our approach, building on the JML annotation language and the existing static verification tool ESC/Java2, and we successfully applied our approach to a representative J2EE-based e-commerce application. We show that the annotation overhead is very small, that the performance of the fully automatic static verification is acceptable, and that the performance overhead of the runtime checking is limited.