Web applications are difficult to analyze using code-based tools because data-flow and control-flow through the application occurs via both server-side code and client-side pages. Client-side pages are typically specified in a scripting language that is different from the main server-side language; moreover, the pages are generated dynamically from the scripts. To address these issues we propose a static-analysis approach that automatically constructs a model of each page in a given application. A page model is a code fragment in the same language as the server-side code, which faithfully over-approximates the possible elements of the page as well as the control-flows and data-flows due to these elements. The server-side code in conjunction with the page models then becomes a standard (non-web) program, thus amenable to analysis using standard code-based tools. We have implemented our approach in the context of J2EE applications. We demonstrate the versatility and usefulness of our approach by applying three standard analysis tools on the resultant programs from our approach: a concolic-execution based model checker (JPF), a dynamic fault localization tool (Zoltar), and a static slicer (Wala).
Tue 11 Jul Times are displayed in time zone: (GMT-07:00) Tijuana, Baja California change
|16:00 - 16:25|
|16:25 - 16:50|
Thomas WalshUniversity of Sheffield, UK, Gregory KapfhammerAllegheny College, USA, Phil McMinnUniversity of SheffieldDOI
|16:50 - 17:15|
Marco GuarnieriETH Zurich, Switzerland, Petar TsankovETH Zurich, Tristan BuchsEPFL, Switzerland, Mohammad Torabi DashtiETH Zurich, Switzerland, David BasinETH Zurich, SwitzerlandDOI