Verifying Web Applications Using Bounded Model Checking

The authors describe the use of bounded modelchecking (BMC) for verifying Web application code.Vulnerable sections of code are patched automaticallywith runtime guards, allowing both verification andassurance to occur without user intervention. Modelchecking techniques are relatively complex compared tothe typestate-based polynomial-time algorithm (TS) weadopted in an earlier paper, but they offer threebenefits-they provide counterexamples, more precisemodels, and sound and complete verification. Comparedto conventional model checking techniques, BMC offers amore practical approach to verifying programscontaining large numbers of variables, but requires fixedprogram diameters to be complete. Formalizing Webapplication vulnerabilities as a secure information flowproblem with fixed diameter allows for BMC applicationwithout drawback. Using BMC-producedcounterexamples, errors that result from propagations ofthe same initial error can be reported as a single grouprather than individually. This offers two distinct benefits.First, together with the counterexamples themselves, theyallow for more descriptive and precise error reports.Second, it allows for automated patching at locationswhere errors are initially introduced rather than atlocations where the propagated errors cause problems.Results from a TS-BMC comparison test using 230 open-sourceWeb applications showed a 41.0% decrease inruntime instrumentations when BMC was used. In the 38vulnerable projects identified by TS, BMC classified theTS-reported 980 individual errors into 578 groups, witheach group requiring a minimal set of patches for repair.