WaRR: A Tool for High-Fidelity Web Application Record and Replay

We introduce WaRR, a tool that records and replays with high fidelity the interaction between users and modern web applications. WaRR consists of two independent components: the WaRR Recorder and the WaRR Replayer. The WaRR Recorder is embedded in a web browser, thus having access to user actions, and provides a complete interaction trace—this confers high recording fidelity. The WaRR Replayer uses an enhanced, developer-specific web browser that enables realistic simulation of user interaction—this confers high replaying fidelity. We describe two usage scenarios for WaRR that help developers improve the dependability of web applications: testing web applications against realistic human errors and generating user experience reports. WaRR helped us discover bugs in widely-used web applications, such as Google Sites, and offers higher recording fidelity compared to current tools

iProve: A Scalable Approach to Consumer-Verifiable Software Guarantees

Formally proving complex program properties is still considered impractical for systems with over a million lines of code (MLOC). We present iProve, an approach that enables the generation and verification of proofs for interesting program properties in large Java systems. Desired properties are proven in iProve as a combination of two proofs: one of a complex property applied to a very tiny part of the code—a nucleus—and a proof of a simple property applied to the rest of the code—the body. We use iProve to prove properties such as communication security, deadlock immunity, data privacy, and resource usage bounds in Java programs with millions of LOC. iProve scales well, requires no access to source code, and allows nuclei to be reused with an unlimited number of systems and to be written in verification-friendly languages

Mitigating Anonymity Challenges in Automated Testing and Debugging Systems

Modern software often provides automated testing and bug reporting facilities that enable developers to improve the software after release. Alas, this comes at the cost of user anonymity: reported execution traces may identify users. We present a way to mitigate this inherent tension between developer utility and user anonymity: automatically transform execution traces in a way that preserves their utility for testing and debugging while, at the same time, providing k-anonymity to users, i.e., a guarantee that the trace can at most identify the user as being part of a group of k indistinguishable users. We evaluate this approach in the context of an automated testing and bug reporting system for smartphone applications.