DOI: 10.1145/3180155.3180171

Dataflow tunneling: mining inter-request data dependencies for request-based applications

Published: 27 May 2018

Abstract

Request-based applications, e.g., most server-side applications, expose services to users in a request-based paradigm in which each request is served by a request-handler method. An important task for such applications is inter-request analysis, which analyzes together the request-handler methods that are related by inter-request data dependencies. In the request-based paradigm, however, the data dependencies between related request-handler methods are established implicitly by the underlying frameworks that execute these methods. As a result, existing analysis tools are usually limited to the scope of a single method and have no knowledge of the dependencies between different methods.
In this paper, we design an approach called dataflow tunneling that captures inter-request data dependencies from concrete application executions and produces data-dependency specifications. Our approach answers two key questions: (1) which request-handler methods have data dependencies between them, and (2) what those data dependencies are. Our evaluation on applications developed with two representative and popular frameworks shows that the approach is general and accurate. We also present a characteristic study and a use case of cache tuning based on the mined specifications. We envision that our approach can provide key information to enable future inter-request analysis techniques.
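The mechanism the abstract describes, as an added illustration that is not the paper's tool or code: a toy framework dispatches requests to handler functions, every write to framework-managed state (a session store and a database stand-in) is tagged with the request that performed it, and a read from a later request yields a dependency edge. The recorded edges are then abstracted into the two answers a data-dependency specification gives, which handler pairs are related and on what data. The handler names, store keys, `TracedStore`/`Tracer` API and request sequence are all constructed for this example; Python is used because the idea is framework-agnostic, whereas the paper evaluates real web frameworks. The security-relevant point is the one the abstract makes about single-method scope: a taint analysis that inspects one handler at a time cannot follow input that one request stores and another request later reads, and these mined edges are exactly the links such a tool lacks.

```python
"""Mining inter-request data dependencies from one concrete execution.

Constructed illustration, not the paper's tool. Handlers never call each
other; data moves between them only through state the framework keeps
across requests. Tagging every write with the request that made it, and
checking that tag on every read, turns an ordinary request trace into edges.
"""
import re
from collections import defaultdict


class Tracer:
    """Knows which request and handler are executing; collects raw edges."""

    def __init__(self):
        self.request_no = 0     # increases once per dispatched request
        self.handler = None     # name of the handler currently running
        self.edges = set()      # (writer_handler, reader_handler, key)

    def dispatch(self, handler, *args):
        """Framework stand-in: serve one request with `handler`."""
        self.request_no += 1
        self.handler = handler.__name__
        try:
            return handler(*args)
        finally:
            self.handler = None


class TracedStore:
    """Framework-managed shared state with write provenance (assumed API)."""

    def __init__(self, tracer, name):
        self.tracer = tracer
        self.name = name        # "session" or "db", used to qualify keys
        self.values = {}
        self.origin = {}        # key -> (request_no, handler) of the last write

    def put(self, key, value):
        self.values[key] = value
        self.origin[key] = (self.tracer.request_no, self.tracer.handler)

    def get(self, key, default=None):
        origin = self.origin.get(key)
        if origin is not None:
            req, writer = origin
            # A request reading its own write is intra-request dataflow that
            # single-method tools already see, so it is not recorded. Reading
            # what an earlier request of the *same* handler wrote does count.
            if req != self.tracer.request_no:
                self.tracer.edges.add(
                    (writer, self.tracer.handler, f"{self.name}.{key}"))
        return self.values.get(key, default)


def abstract_key(key):
    """Generalise instance keys into a pattern: 'db.comment:17' -> 'db.comment:*'."""
    return re.sub(r"\d+", "*", key)


def mine_specs(edges):
    """(1) which handler pairs are related, (2) on which abstracted data."""
    specs = defaultdict(set)
    for writer, reader, key in edges:
        specs[(writer, reader)].add(abstract_key(key))
    return {pair: sorted(keys) for pair, keys in specs.items()}


# Constructed application: three request handlers of a toy comment board.
def login(session, db, user):
    session.put("user_id", user)


def post_comment(session, db, text):
    author = session.get("user_id")            # written by login
    cid = db.get("next_id", 1)                 # written by an earlier post_comment
    db.put("next_id", cid + 1)
    db.put(f"comment:{cid}", (author, text))
    db.get(f"comment:{cid}")                   # own write, same request: no edge
    return cid


def view_comments(session, db):
    count = db.get("next_id", 1) - 1           # written by post_comment
    return [db.get(f"comment:{i}") for i in range(1, count + 1)]


def run_scenario():
    """Drive a concrete request sequence and return the mined specification."""
    tracer = Tracer()
    session = TracedStore(tracer, "session")
    db = TracedStore(tracer, "db")
    tracer.dispatch(login, session, db, "alice")
    tracer.dispatch(post_comment, session, db, "first")
    tracer.dispatch(post_comment, session, db, "second")
    tracer.dispatch(view_comments, session, db)
    return mine_specs(tracer.edges)


if __name__ == "__main__":
    for (writer, reader), keys in sorted(run_scenario().items()):
        print(f"{writer} -> {reader}: {keys}")
```

Running the scenario yields three handler pairs: `login -> post_comment` on `session.user_id`, `post_comment -> post_comment` on `db.next_id` (a dependency between two executions of the same handler, which the per-request tag keeps distinct from a same-request read), and `post_comment -> view_comments` on `db.comment:*` and `db.next_id`. The read of `comment:{cid}` inside `post_comment` produces no edge because it is satisfied within the same request.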

Cited By

  • (2024) AutoWeb: Automatically Inferring Web Framework Semantics via Configuration Mutation. Engineering of Complex Computer Systems, pp. 369-389. DOI: 10.1007/978-3-031-66456-4_20. Online publication date: 29 Sep 2024.
  • (2021) Understanding and detecting server-side request races in web applications. Proceedings of the 29th ACM Joint Meeting on European Software Engineering Conference and Symposium on the Foundations of Software Engineering, pp. 842-854. DOI: 10.1145/3468264.3468594. Online publication date: 20 Aug 2021.

Published In

ICSE '18: Proceedings of the 40th International Conference on Software Engineering
May 2018
1307 pages
ISBN:9781450356381
DOI:10.1145/3180155
  • Conference Chair: Michel Chaudron
  • General Chair: Ivica Crnkovic
  • Program Chairs: Marsha Chechik, Mark Harman

Publisher

Association for Computing Machinery, New York, NY, United States

Author Tags

  1. inter-request analysis
  2. request-based applications
  3. tracing
  4. web applications
  5. web frameworks

Qualifiers

  • Research-article

Conference

ICSE '18

Acceptance Rates

Overall Acceptance Rate 276 of 1,856 submissions, 15%
