Formal Models for Web Navigations with Session Control and Browser Cache

1
Formal Models for Web Navigations with Session
Control and Browser Cache

• Jessica Chen Xiaoshan Zhao
• Univ. of Windsor, Canada

2
Motivation

• advances of emerging web technologies
• examples
• dynamic web pages
• session/cookie techniques
• web services
• provide better performance, transparency,
  expressiveness, etc.
• enable diversity and intensive use of web systems

3
Motivation

• advances of emerging web technologies
• also raised important issues and posed additional
  difficulties on testing/verification of web
  applications built on it

4
Motivation

• example re-submit phenomenon

account balance 2,330.35
pay bill ...............
confirm
Page B
Page A
5
Motivation

• example re-submit phenomenon
• this phenomenon will not exhibit itself with
  proper configuration of web browser
• go through a sequence of given links to reach A
  again
• requests for some pages should always be sent to
  server side and re-generated.
• along navigated pages, normally be able to
  observe updated information, e.g. account
  balance

6
Motivation

• source of problem
• the users can interact not only with the web
  pages but also with the web browser itself
• users actions through interface of web browser
  may affect the overall navigations of the web
  pages, which can be quite sensitive to the
  security of the information they carry.

7
Motivation

• what it suggests our formal model used either
  for static analysis or dynamic testing should
  subsume the abstract behavior of the supporting
  environment of web applications.
• example user's possible interactions with the
  web browser should also be modeled and reflected
  in design spec.
• behavior of the web browsers depends on
• how web browser is implemented, configured
• cookie enabled? etc.
• web developers have access to the configurations
• but too demanding for integrated and abstract
  model

8
Motivation

• what we can do
• formal modeling
• automated translation into certain formal
  languages
• what is required
• insight knowledge about web server/browser
• what are discussed here
• dynamic web page generation
• browser cache
• session/cookie mechanism

9
Dynamic Web Page Generation

• web applications
• procedures to generate the web pages
• static page template predefines layout, format,
  and static content
• some code to generate dynamic content
• dynamic links
• dynamic texts symbolic and finite output to be
  checked.
• page template -- a finite set of predefined pages
• navigation among pages determined by requested
  URL
• a hyperlink user has chosen
• some possible input.

10
Modeling of Navigations

• assume page navigation diagrams
• shows all desired/possible navigations among web
  pages.
• fixed number of hyperlinks.
• only closed systems hyperlinks all point to
  pages within the same web application.
• an open system can be similarly modeled by
  augmenting an additional page to represent all
  the internet web pages beyond those in the
  application under consideration.
• fixed actions user's input hyperlink ? page to
  be generated
• same hyperlink with different inputs (such as
  correct/incorrect password) as search parameters
  may lead to different pages

11
Modeling of Navigation

• assume unique page id
• assume entry pages identified in design spec.
• pages uniquely determined by host name path
  name, no search parameters
• direct access by typing in host path names,
  without going through hyperlinks
• example of entry pages home page of a web site
• to access non-entry pages follow page navigation
  diagram

12
Abstraction of Web Browser

• source of abstraction
• implementations of existing commercial web
  browsers e.g. Microsoft's Internet Explorer,
  Netscape's Navigator
• some online documents

13
Web Browser Architecture
History stack
HTML Parser
Browser Cache
Internet

Web Server 2
14
History Stack
navigate to D
currently in A
back to B
C
D
B
A
A
top pointer
current pointer
bottom pointer
15
Web Local Cache

• cache settings (inside browser)
• examples
• automatically all cacheable web pages are valid
• per session in current session, all cacheable
  web pages are valid
• HTTP cache controls (associated with received web
  pages)
• a web page
• cacheable?
• valid period?
• expire time
• in header part of HTTP response message
• in web page itself with META tag.
• uncacheable its expire time as the same time it
  is created.

16
Modeling of Caching Settings

• assume given setting is automatically
• a web page is cacheable if the cacheable setting
  is included in the header part of the HTTP
  message containing the web page.
• For HTTP cache control, no model of expire time
• if a page is cacheable, the page is always fresh.
• each page associated with an attribute for
  cacheability.

17
Session Control

• most web applications need to maintain
  communication sessions with their client
  browsers, and monitor each client's individual
  status and activities.
• example an online banking system should maintain
  a communication session with a specific user
  during the time the user has logged in (and not
  yet logged out).
• HTTP is stateless, no functionality on session
  control.
• cookie technique -- a solution

18
Modeling of Session Control

• only sessions for authentications
• no consideration of relationship between cookie
  and dynamic content/link.
• assume it is given whether a page is secure or
  not.
• secure page should always be accessed with
  authentication session open
• all entry pages are by nature not secure.
• two special actions SignIn and SignOut session
  will remain open for the consecutive accesses to
  secure pages until SignOut performed.

19
The Integrated Model

• given a design specification (P,EP,SP,CP,A,?)
• P, EP, SP, CP finite sets of ids
• A finite set of symbols for user's actions
  including SignIn and SignOut
• ? ? P ? A ? P navigation relation
• construct an integrated model of lts

20
The Integrated Model states

• a page id to denote the current page
• an additional error page err reached for
  example, when attempting to access a secure page
  without an open session.
• a history stack variable for the current status
  of the URLs contained in history stack.
• since in our case there is a one-to-one
  relationship between a URL and a page id, it is a
  stack of page ids
• a variable of a set of page ids to denote the
  current status of the locally cached pages.
• a boolean variable to denote whether the
  authentication session is currently open.

21
The Integrated Model labels

• L (l,f) l ? A ? back,forward,entry,err,
  ffresh or cache
• entry user types in the URL
• back, forward, entry are from browsers interface
• err navigation is directed to a special error
  page err
• fresh/cache whether the accessed page is from
  origin server or from local cache.

22
The Integrated Model ?

• 20 structural rules

previous(hs) q ? q ? CP ? ((q ? SP) ? (q ? SP ?
guardtrue))
(back, fresh)
ltq, moveBack(hs), lc, guardgt
ltp, hs, lc, guardgt
23
The Integrated Model

• the obtained l.t.s. is deterministic.
• the given page navigation diagram is
  deterministic from each page, the input link
  uniquely determines the next page.
• for each state and each given action, there is
  exactly one rule to apply to derive the next
  state.
• no nondeterminism involved ? apply trace
  equivalence for reduction.

24
Recent Related Work

• what we can do
• formal modeling
• automated translation into certain formal
  languages
• integrated model in Extended FSMs and Promela
• related work
• some modeling/translator to use SPIN and SMV
  Sciascio03,Haydar04
• baseline testing strategy Lucca03
• for each navigation path, create a testing model
  with back/forward, not complete model
• no session control, no detailed modeling of
  caching

25
Final Remarks

• to adopt formal methods into a specific app.
  domain
• a deep understanding of the domain itself
• a careful analysis on specific problems
• a proper selection of aspects to be modeled
• state space problem ? render the models
  reasonable for analysis ? abstracting away as
  much un-related details as possible.
• only considered navigation behavior influenced by
  session control and browser caching mechanism.
• the model can be modified upon needs or extended
  to cover more features
• web caching model based on a certain setting of
  browser cache serves as an example (no much
  effort to tailor into other settings)
• information carried on lts labels can be defined
  in different ways, according to the properties to
  be checked.
• currently no consideration of dynamic links

26
Thank You
27
Formal Model

• based on info. on page navigation diagram, we
  define l.t.s.
• provide a formal basis for better understanding
  of the web system itself
• lay the ground work for both model checking and
  specification-based testing on the web
  applications where we take into account the
  affect of the internal session control and
  caching mechanism to the correct web page
  navigations.

28
Motivation

• example unauthorized access phenomenon

User Name
credit card .......
Password
Sign In
Sign Out
Page C
Page B
Page A
Insecure Page
Insecure Page
Secure Page
29
Motivation

• example unauthorized access phenomenon
• this phenomenon can be avoided, for example, if
  page B is defined as un-cacheable.
• it does not appear in all applications
• show in U Windsor Web Mail System
• not show in Microsoft's Hotmail.