A Formal Approach to Developing Reliable Service-based Systems
Supratik Mukhopadhyay
Middleware/Service-based Systems: The CORBA Approach
(Figure: the CORBA-style middleware architecture, contrasted with what we want.)
Adaptable Service-based Systems
Requirements of Service-based Systems

Adaptability
- Provide acceptable performance in the presence of system failures, overload, or damage
- Rapid reconfiguration to achieve users' new missions

Security
- Authentication for both users and service providers
- Protection of the critical information infrastructure of distributed services, based on flexible security policies (for example, access control requirements)

Situation-Awareness (SAW): the capability of being aware of complex situations, needed for
- Service coordination
- Adapting workflows when situations change
- Enforcing situation-aware security policies
Outline of the Talk
- Motivations
- A running example
- Formal architecture modeling of service-based systems: a calculus (with semantics) and a logic
- Automated synthesis of processes (agents) from logical specifications: synthesis by natural deduction using a Curry-Howard-like correspondence
- Demo
Motivations
Grand Challenges in Computing Research (edited by Hoare and Milner): Science for Global Ubiquitous Computing (GUC)
- Develop models for systems composed of ad-hoc networks of diverse components
- Models need to support context-awareness, adaptive behavior, loose coupling, security, ...
- Develop calculi and logics to formalize notions of self- and context-awareness, migration, ...
- Develop models for the acquisition, distribution, management and sharing of knowledge, and for building trust based on such knowledge ...
- Develop new type systems, new static analysis techniques and new verification techniques suitable for the GUC
A Simple Example
(Figure: an observer L calls 911; the 911 center sends an Accident Report to the Police Dept. (PD), the Fire Dept. (FD) and the Ambulance Management System (AMS); PD sends a patrol car (PCAR), FD sends a fire engine (FE) and AMS sends an ambulance (AMB) to the accident location.)
Requirements of the AS3 System in the Example
Service coordination requirements:
- The 911 center (911) receives information about the accident from an observer
- 911 sends an accident report (including the accident location) to the city fire department (FD), the city police department (PD), and the city ambulance management system (AMS)
- FD, PD, and AMS send a fire engine (FE), a police car (PCAR), and an ambulance (AMB), respectively, to the accident location
Major Components of Our Approach
(Figure: architecture of the approach. Inputs: Goal, Service Specifications, Security Policy Specifications, SAW Specifications, Customizable Failure Handling Specifications, Timing & Resource Specifications. Core: AS3 Logic with a Natural Deduction-Based Proof System Kernel and its axiom sets (Coordination Axioms, Security Policy Axioms, SAW Axioms, Failure Handling Axioms, NMR Axioms). Outputs: Workflow & Backup Workflow Agents, Annotated Workflow Agents, Security Agents, SAW Agents, Resource Agents, Workflow Scheduler, Distributed SINS Agents, with Execution Monitoring. Tool chain: AS3Cal2SOL Compiler, SOL2Java Compiler.)
Existing Standards for Service-based Systems
1. BPEL/BPEL4WS: the industry standard for modeling and executing workflows. Lacks a formal semantics; does not provide automatic service composition and adaptation.
2. OWL-S, Web Components: provide constructs for unambiguously describing the properties and capabilities of Web services. Provide only limited formal guarantees; do not provide automatic service composition.
The AS3 Calculus
- Provides a formal programming model for service-based systems
- Is based on classical process calculi, and has an operational semantics involving interactions between:
  - external actions: communication, leaving and joining groups
  - internal computations: method calls of named services
- Continuation passing is used to give the semantics of asynchronous service invocations
- Can model timeouts and failures (in monadic style)
A Calculus for Service-based Systems: The AS3 Calculus

(System)   S ::= fix I = P               (recursion)
               | N[S]                    (named domain)
               | S || S                  (system composition)

           N ::= x                       (variable)
               | n                       (name)

(Process)  P ::= (new n) P               (name restriction)
               | 0                       (inactive process)
               | P par P                 (parallel composition)
               | I                       (identifier)
               | E.P                     (external action)
               | C.P                     (internal computation)
               | P1 + P2                 (nondeterministic choice)
               | fail(I)                 (failure)
               | catch(I).P              (failure handler)
               | time t.P                (timeout)
               | P{l1(x1), ...; ...; ln(xn)}   (method export)

An external action involves communication, leaving or joining groups, or removing firewalls. Internal computation takes place by calling methods of identified services.
External Actions

E  ::= M                         (domain action)
     | K                         (communication)

K  ::= Ch(x)                     (input)
     | Ch<Str>                   (output)
     | mc(C1, ..., Cn)<Str>      (multicast)

Ch ::= N                         (channel)

M  ::= in N                      (enter a domain)
     | out N                     (exit a domain)
     | open N                    (open firewall)
     | ε                         (no action)
Internal Computation

C ::= let x = D instantiate C    (let reduction)
    | if ρ then P else P'         (conditional)
    | replace(I:li)               (method replacement)
    | li ← lj                     (method modification)
    | ρ                           (constraint evaluation)
    | ε                           (no computation)
    | tt                          (constant true)
    | ff                          (constant false)
    | ⊥                           (failed computation)

D ::= I:li(y)                     (method invocation on the identified service I)

A method is specified by its pre- and postcondition:
    I:li = pre_i :: post_i [y]
    pre  ::= [y] ρ[y]
    post ::= ([x] ρ[x]) x

Types:  τ ::= b (base type) | τ → τ (function type)

Constraints (the same comparison set as the logic's atomic constraints):
    ρ ::= x ≥ y + c | x > y + c | x ≤ y + c | x < y + c
Operational Semantics of the AS3 Calculus

(service invocation 1)
    Γ/I' ⊢ I:li = pre :: post [xi]
    ------------------------------------------
    Γ/I' ⊢ I:li(y) → pre :: post [y/xi]

(service invocation 2)
    Γ/I', N ⊢ pre[y/xi] → tt
    ------------------------------------------
    Γ/I' ⊢ pre :: post [y/xi] → post[y/xi]

(service invocation fail)
    Γ/I', N ⊢ pre[y/xi] → ff
    ------------------------------------------
    Γ/I' ∪ {failure(I')} ⊢ pre :: post [y/xi] → ⊥
AS3 Processes for the Example

System:
    fix 911 = tel(x). fd<x>. pd<x>. ams<x>. 911
    fix PD  = pd(x). let y = pcar:dispatchCAR(x) instantiate
                  if y == 'car_sent' then PD else fail(PD)
    fix AMS = ams(x). let y = amb:dispatchAMB(x) instantiate
                  if y == 'amb_sent' then AMS else fail(AMS)

(Figures: the 911 process receives x on tel and forwards <x> to FD, PD and AMS; the PD process receives <x> on pd, invokes PCAR and gets back "Car Sent".)
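To make the service-invocation rules and the monadic failure semantics concrete, here is a small Python model of the three processes above. It is an added example written for this page, not the AS3 tool chain or the author's implementation. It takes the channel names tel/fd/pd/ams and the services pcar:dispatchCAR and amb:dispatchAMB from the slides; the location payload, the pre/post predicates attached to each method, the `Gamma` bookkeeping of failure(I) facts and the `'no_car'` answer are assumptions of the example.

```python
"""Added example: a toy evaluator for the AS3 service-invocation fragment used
by the 911 scenario.  Not the talk's implementation; the method contracts, the
location payload and the Γ bookkeeping are assumptions made here."""
from collections import deque
from dataclasses import dataclass, field
from typing import Any, Callable

FAILED = object()   # the ⊥ value: a failed computation


@dataclass
class Method:
    """I:li = pre :: post  :  a service method with its contract and its body."""
    pre: Callable[[Any], bool]     # [y] ρ[y], checked on the argument
    post: Callable[[Any], bool]    # [x] ρ[x], checked on the result
    body: Callable[[Any], Any]


@dataclass
class Gamma:
    """The context Γ: method specifications of named services plus the
    failure(I) facts accumulated while evaluating."""
    services: dict
    failures: set = field(default_factory=set)


def invoke(g: Gamma, ident: str, li: str, y):
    """Evaluate I:li(y).  Returns the result t, or FAILED after adding
    failure(I) to Γ when the precondition (service invocation fail) or the
    postcondition (service fail) does not hold."""
    m = g.services[ident][li]
    if not m.pre(y):                 # pre[y/x] → ff
        g.failures.add(ident)
        return FAILED
    t = m.body(y)
    if not m.post(t):                # ¬(post[t/x])
        g.failures.add(ident)
        return FAILED
    return t                         # (post ev): post → t


def send(chans: dict, ch: str, msg) -> None:
    """ch<msg>: asynchronous output on a named channel."""
    chans.setdefault(ch, deque()).append(msg)


def recv(chans: dict, ch: str):
    """ch(x): input on a named channel; None when nothing is pending."""
    q = chans.get(ch)
    return q.popleft() if q else None


def step_911(chans: dict) -> bool:
    """One unfolding of  fix 911 = tel(x). fd<x>. pd<x>. ams<x>. 911"""
    x = recv(chans, "tel")
    if x is None:
        return False
    for ch in ("fd", "pd", "ams"):
        send(chans, ch, x)
    return True


def step_dispatcher(g: Gamma, chans: dict, proc: str, ch: str,
                    ident: str, li: str, expected: str) -> str:
    """One unfolding of
       fix P = ch(x). let y = I:li(x) instantiate if y == expected then P else fail(P)
    Returns 'idle' (no input), 'ok' (P recurs) or 'fail' (fail(P), recorded in Γ).
    A ⊥ result from the service is treated here as leading to fail(P) too."""
    x = recv(chans, ch)
    if x is None:
        return "idle"
    y = invoke(g, ident, li, x)
    if y is not FAILED and y == expected:
        return "ok"
    g.failures.add(proc)
    return "fail"


def run_scenario(g: Gamma, location) -> dict:
    """The observer reports `location` on tel; 911 fans it out; PD and AMS dispatch."""
    chans: dict = {}
    send(chans, "tel", location)
    step_911(chans)
    return {
        "PD": step_dispatcher(g, chans, "PD", "pd", "pcar", "dispatchCAR", "car_sent"),
        "AMS": step_dispatcher(g, chans, "AMS", "ams", "amb", "dispatchAMB", "amb_sent"),
        "failures": set(g.failures),
    }


def city_services(cars_available: bool = True) -> Gamma:
    """Constructed service specifications (assumed): a location is a grid
    coordinate inside a 100x100 city, and the car dispatcher may answer either
    'car_sent' or 'no_car' without violating its postcondition."""
    def in_city(loc) -> bool:
        return (isinstance(loc, tuple) and len(loc) == 2
                and 0 <= loc[0] < 100 and 0 <= loc[1] < 100)
    return Gamma({
        "pcar": {"dispatchCAR": Method(
            pre=in_city,
            post=lambda r: r in ("car_sent", "no_car"),
            body=lambda loc: "car_sent" if cars_available else "no_car")},
        "amb": {"dispatchAMB": Method(
            pre=in_city,
            post=lambda r: r == "amb_sent",
            body=lambda loc: "amb_sent")},
    })
```

Running `run_scenario(city_services(), (10, 20))` exercises the all-good path; `cars_available=False` shows an application-level fail(PD) with no service at fault (the service kept its contract), while an out-of-city location such as `(500, 500)` shows the (service invocation fail) path, where failure(pcar) and failure(amb) are recorded in Γ before the processes themselves fail.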
Synthesis of AS3 Processes
Can we synthesize AS3 processes automatically from declarative specifications? Yes.
Our Approach: Logic-based Synthesis of Process Terms
1. The services, described in AS3 logic, together with the proof rules of the logic form a theory of AS3 systems.
2. The functional requirements of the mission, along with its QoS requirements (real-time, security, situation-awareness), are described as formulae in AS3 logic.
3. Synthesis amounts to a natural deduction proof of the requirements from the AS3 theory; service discovery and composition is the computation of a Craig interpolant.
4. Calculus terms are synthesized directly from the proof using a Curry-Howard-like correspondence.
AS3 Logic
- A hybrid modal logic talking about both time and space
- A sometime modality (◊) for temporal evolution and a somewhere modality (Θ) for spatial location
- Nominals standing for states
- Modalities for communication and for leaving and joining domains
- Atomic formulas for describing relations among variables
AS3 Logic Syntax

φ ::= 0                        (inactivity)
    | pred(x1, ..., xn)        (user-defined atoms)
    | t ~ c                    (atomic constraint)
    | φ1 ∨ φ2                  (disjunction)
    | ¬φ                       (negation)
    | ◊φ                       (sometime)
    | Θφ                       (somewhere)
    | I                        (identifier/nominal match)

~ ::= > | < | ≤ | ≥          c: natural number
AS3 Logic Syntax (cont.)

φ ::= ...
    | φ1 || φ2                 (parallel composition)
    | η[φ]                     (named domain)
    | φ@η                      (behavior within domain)
    | K(u; φ)                  (knowledge of an object)
    | serv(u; v; Φ, I)         (recording of an object)
    | n φ                      (quantification over names)
    | t φ                      (quantification over real variables)
    | I φ                      (quantification over nominals)
    | in(n) φ                  (behavior after entering domain)
    | out(n) φ                 (behavior after leaving domain)
    | <u> φ                    (behavior after sending a message)
    | T                        (constant true)
AS3 Logic: Facts
- We provide a constructive interpretation of the logic for process synthesis
- Sound (and complete) proof theory, natural-deduction based
The Running Example in AS3 Logic

Entities (nominals/identifiers): 911, PD, AMS, FD, FE, AMB, PCAR

Coordination requirements:
    ◊K("accident", x; 911) → ◊<x>911
    C1: <x>911 → ◊K(x; PD) ∧ ◊K(x; AMS) ∧ ◊K(x; FD)
    C2: K(x; PD)  → ◊serv(pcar_response; x; PD; W)
    C3: K(x; AMS) → ◊serv(amb_response; x; AMS; S)
    C4: K(x; FD)  → ◊serv(fe_response; x; FD; U)
    C5: serv("car_sent"; x; PD; W)  → ◊T
    C6: serv("amb_sent"; x; AMS; S) → ◊T
    C7: serv("fe_sent"; x; FD; U)   → ◊T
Service Specifications in AS3 Logic
    S1: dispatchAMB(x; amb; W) → ◊serv(amb_response; x; W; amb)
    S2: dispatchCAR(x; pcar; S) → ◊serv(pcar_response; x; U; pcar)
    and one further axiom, S3 for dispatchFE (given on a backup slide)
Natural Deduction and Process Synthesis

Proof, read top-down:
    K("accident", x; 911)
    <x>911
    C1: <x>911 → ◊K(x; PD) ∧ ◊K(x; AMS) ∧ ◊K(x; FD)
    K(x; PD)        K(x; AMS)        K(x; FD)

Process terms extracted from the proof so far:
    fix 911 = tel(z). tel(x). pd<x>. ams<x>. fd<x>. ...
    fix PD  = pd(x). ...
    fix AMS = ams(x). ...
    fix FD  = fd(x). ...
Natural Deduction and Process Synthesis (cont.)

Goal G: serv(amb_response; x; AMS; amb)

    [α: dispatchAMB(x; amb; AMS)]                                  (hypothesis α, later discharged)
    S1: dispatchAMB(x; amb; AMS) → ◊serv(amb_response; x; AMS; amb)
    D1: ◊serv(amb_response; x; AMS; amb)
    ...

Process term extracted:
    fix AMS = ... let y = amb:dispatchAMB(x) instantiate ...
END
References
[1] Distributed control and co-ordination of autonomous agents in a dynamic, reconfigurable system, US Patent 6336781.
[2] Process and system for managing run-time adaptation for general purpose distributed adaptive applications, US Patent 6324619.
[3] Servlet-based architecture for dynamic service composition, US Patent 6330710.
[4] Method and apparatus for providing a dynamic service composition software architecture, US Patent 6256771.
[5] Security and emergency communication service coordination system and notification control method therefore, US Patent 6337621.
[6] Generic service coordination mechanism for solving supplementary service interaction problems in communication system, US Patent 5742673.
[7] S. Yau et al., Reconfigurable Context-Sensitive Middleware for Pervasive Computing, IEEE Pervasive Computing, vol. 1(3), 2002, pp. 33-40.
[8] M. Mikic-Rakic, N. Medvidovic, Adaptable Architectural Middleware for Programming-in-the-Small-and-Many, Middleware 2003, pp. 162-181.
[9] A. Ranganathan, R. H. Campbell, A Middleware for Context-Aware Agents in Ubiquitous Computing Environments, Middleware 2003, pp. 143-161.
[10] A. Popovici, A. Frei, G. Alonso, A Proactive Middleware Platform for Mobile Computing, Middleware 2003, pp. 455-473.
[11] U. Lang, Access Policies in Middleware, PhD Thesis, University of Cambridge, 2003.
[12] T. Abdelzaher, B. Blum, Q. Cao, Y. Chen, D. Evans, J. George, S. George, L. Gu, T. He, S. Krishnamurthy, L. Luo, S. Son, J. Stankovic, R. Stoleru and A. Wood, EnviroTrack: Towards an Environmental Computing Paradigm for Distributed Sensor Networks, The 24th International Conference on Distributed Computing Systems, Tokyo, Japan, March 23-26, 2004.
[13] S. Yau, H. Davulcu, S. Mukhopadhyay, D. Huang and Y. Yao, Adaptable, Situation-aware, Secure Service-based (AS3) Systems, Proceedings of the IEEE International Symposium on Object-oriented, Real-time, Distributed Computing (ISORC'05), 2005.
[14] R. Bharadwaj, S. Mukhopadhyay and N. Padh, Service Composition in a Secure Agent-based Architecture, Proceedings of the IEEE International Conference on E-Technologies, E-commerce and E-Service (EEE'05), pp. 787-788, 2005.
[15] Internet2 Medical Middleware (MedMid) Working Group: Draft Workplan Scenarios, 2003.
[16] E. Sirin, J. A. Hendler, B. Parsia, Semi-automatic Composition of Web Services using Semantic Descriptions, WSMAI 2003, pp. 17-24.
[17] Z. Duan, A. J. Bernstein, P. M. Lewis, S. Lu, Semantics Based Verification and Synthesis of BPEL4WS Abstract Processes, ICWS 2004, pp. 734-737.
[18] G. C. Necula, Enforcing Security and Safety with Proof-Carrying Code, Electr. Notes Theor. Comput. Sci. 20 (1999).
[19] B. Li, K. Nahrstedt, A Control-based Middleware Framework for Quality of Service Adaptations, IEEE Journal on Selected Areas in Communication, vol. 17, no. 9, September 1999.
[20] K. Roemer, O. Kasten, F. Mattern, Middleware Challenges in Wireless Sensor Networks, Mobile Computing and Communications Review, vol. 3, no. 2, 2002.
[21] F. Curbera et al., Business Process Execution Language for Web Services, 2002.
[22] E. Christensen et al., The Web Services Description Language (WSDL), IBM.
[23] T. Berners-Lee et al., The Semantic Web, Scientific American, May 2003.
[24] A. Ankolekar, F. Huch and K. Sycara, Concurrent Execution Semantics for DAML-S with Subtypes, Proceedings of the First International Semantic Web Conference (ISWC), 2002.
[25] E. Newcomer, Understanding Web Services, Addison Wesley, 2002.
[26] M. Endrei, J. Ang, A. Arsanjani, S. Chua, P. Comte, P. Krogdahl, M. Luo and T. Newling, Patterns: Service-oriented Architecture and Web Services, IBM Redbook, 2004, ISBN 073845317X.
[27] D. Bell and L. La Padula, Secure Computer Systems: Unified Exposition and Multics Interpretation, Technical Report, Mitre Corporation, 1975.
[28] S. Ponnekanti and A. Fox, SWORD: A Developer Toolkit for Web Service Composition, Proceedings of WWW 2002.
[29] J. Rao et al., Application of Linear Logic to Web Service Composition, 2004.
[30] G.-C. Roman, J. Payton, Mobile UNITY Schemas for Agent Coordination, Abstract State Machines 2003, pp. 126-150.
[31] C. Fournet, G. Gonthier, The Join Calculus: A Language for Distributed Mobile Programming, APPSEM 2000, pp. 268-332.
[32] L. Cardelli, A. D. Gordon, Mobile Ambients, Theor. Comput. Sci. 240(1), pp. 177-213 (2000).
[33] S. J. Woodman, D. J. Palmer, S. K. Shrivastava and S. M. Wheater, Notations for the Specification and Verification of Composite Web Services, Proc. of the 8th IEEE Int'l Enterprise Distributed Object Computing Conf. (EDOC '04).
[34] R. Milner, Communication and Concurrency, Prentice Hall, 1989.
[35] G. Berry, G. Boudol, The Chemical Abstract Machine, Proceedings of POPL 1990, pp. 81-94.
[36] N. Milanovic and M. Malek, Current Solutions for Web Service Composition, IEEE Internet Computing, vol. 8, no. 6, November/December 2004, pp. 51-59.
[37] R. Bharadwaj, SOL: A Verifiable Synchronous Language for Reactive Systems, Proc. Synchronous Languages, Applications, and Programming (SLAP'02). http://chacs.nrl.navy.mil/publications/CHACS/2002/2002bharadwaj-entcs.pdf
Operational Semantics of AS3 Calculus

(fail computation)
    ------------------------------
    ⊥.P → fail

(beta reduction)
    C → a
    ------------------------------------
    let x = C instantiate P → P[a/x]

(cond eval. true)
    C(x) → true
    ------------------------------------
    if C(x) then P else P' → P

(cond eval. false)
    C(x) → false
    ------------------------------------
    if C(x) then P else P' → P'

(cond fail)
    C(x) → a        a not in {true, false}
    ------------------------------------
    if C(x) then P else P' → ⊥
Operational Semantics (cont.)

(migration inside a domain)
    ------------------------------------
    in n.P || n[Q] → n[P || Q]

(communication)
    ------------------------------------
    <m>.P || (x).Q → P || Q[m/x]
Structural Congruence
A process is congruent to its alpha-renamed variant.
If P ≌ Q then
    1. C.P ≌ C.Q
    2. A.P ≌ A.Q
    3. P || R ≌ Q || R
    4. R || P ≌ R || Q
    5. N[P] ≌ N[Q]
    6. (new n) P ≌ (new n) Q
    7. fix I = P ≌ fix I = Q
    8. P + R ≌ Q + R
Image Finiteness of Processes
We impose the following restrictions on processes:
- Recursive processes are guarded
- Parallel composition through recursion is not allowed (similar to the pi-calculus [Dam 93])
- A type system can check well-formedness of processes

Image finiteness: a closed process term can only evolve (in zero or more steps) into finitely many non-congruent process terms using the reduction rules. The restrictions above ensure that every process is image finite.
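Both the congruence-up-to-renaming of the previous slide and the two syntactic restrictions above can be checked mechanically. The Python below is an added example written for this page, not the talk's type system: it computes an alpha-invariant canonical form for a fragment of the calculus (input/output prefixes, parallel composition, name restriction, recursion) so that congruent terms compare equal, and it flags unguarded recursion and parallel composition through recursion. The tuple encoding of terms is an assumption of the example, and internal computations and choice are left out of the fragment.

```python
"""Added example: alpha-invariant canonical forms for a fragment of AS3 process
terms (structural congruence up to renaming and parallel reordering) and a
syntactic check of the two restrictions behind image finiteness.  Not the
talk's type system; the tuple encoding of terms is an assumption made here."""

# Term encoding (assumed):
#   ("0",)                inactive process
#   ("in",  ch, x, P)     ch(x).P      input prefix, binds x in P
#   ("out", ch, m, P)     ch<m>.P      output prefix
#   ("par", P, Q)         P || Q
#   ("new", n, P)         (new n) P    binds the name n in P
#   ("fix", I, P)         fix I = P    binds the identifier I in P
#   ("id",  I)            I


def _resolve(name: str, env: list) -> str:
    """Bound names become de Bruijn-style indices; free names stay as they are."""
    for depth, bound in enumerate(reversed(env)):
        if bound == name:
            return "#%d" % depth
    return name


def canon(term: tuple, env: list = None) -> str:
    """Canonical string: equal for alpha-renamed variants and for parallel
    compositions that differ only in the order or association of components."""
    env = env or []
    tag = term[0]
    if tag == "0":
        return "0"
    if tag == "id":
        return _resolve(term[1], env)
    if tag == "in":
        return "%s(.).%s" % (_resolve(term[1], env), canon(term[3], env + [term[2]]))
    if tag == "out":
        return "%s<%s>.%s" % (_resolve(term[1], env), _resolve(term[2], env),
                              canon(term[3], env))
    if tag == "new":
        return "new.%s" % canon(term[2], env + [term[1]])
    if tag == "fix":
        return "fix.%s" % canon(term[2], env + [term[1]])
    if tag == "par":
        parts, stack = [], [term]
        while stack:                    # flatten nested parallel compositions
            t = stack.pop()
            if t[0] == "par":
                stack.extend(t[1:])
            else:
                parts.append(canon(t, env))
        return "(%s)" % " || ".join(sorted(parts))
    raise ValueError("unknown term tag %r" % (tag,))


def congruent(p: tuple, q: tuple) -> bool:
    return canon(p) == canon(q)


def violations(term: tuple, open_fix: dict = None) -> list:
    """Image-finiteness restrictions: every recursive identifier must occur
    guarded by a prefix, and must not occur inside a parallel composition
    within its own body.  `open_fix` maps each enclosing identifier to the
    (guarded, under_par) flags that hold at the current position."""
    open_fix = open_fix or {}
    tag = term[0]
    if tag == "0":
        return []
    if tag == "id":
        flags = open_fix.get(term[1])
        if flags is None:               # free identifier: nothing to check
            return []
        guarded, under_par = flags
        found = []
        if not guarded:
            found.append("unguarded recursion on %s" % term[1])
        if under_par:
            found.append("parallel composition through recursion on %s" % term[1])
        return found
    if tag in ("in", "out"):            # a prefix guards everything below it
        return violations(term[3], {i: (True, p) for i, (_, p) in open_fix.items()})
    if tag == "new":
        return violations(term[2], open_fix)
    if tag == "fix":
        inner = dict(open_fix)
        inner[term[1]] = (False, False)
        return violations(term[2], inner)
    if tag == "par":
        under = {i: (g, True) for i, (g, _) in open_fix.items()}
        return violations(term[1], under) + violations(term[2], under)
    raise ValueError("unknown term tag %r" % (tag,))
```

`congruent` treats `fix 911 = tel(x).pd<x>.911` and `fix C = tel(loc).pd<loc>.C` as the same term, while `violations` rejects `fix A = A` (unguarded) and `fix A = c(x).(A || c<x>.0)` (recursion spawning a parallel copy on every unfolding), which is exactly the shape that would make the reachable state set infinite.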
Model-Theoretic Semantics of AS3 Logic
    P ⊨ I                    if fix I = P
    P ⊨ <u> φ                if there exist Q, R, S, T with P ≌ <u>Q, R ≌ (x).S, T = P || R and Q ⊨ φ
    P ⊨ pred(u1, ..., un)    if for any Q with P ≦ Q, Q is annotated with pred(u1, ..., un)
    P ⊨ in(n) φ              if there exist Q, n, R, S with P ≌ in n.Q, Q ⊨ φ@n, S ≌ P || n[R]
Transformation Rules for Access Control (cont.)
    A3: ¬restrict(I, σ) → Θ(I || σ)
    A4: Θn[ρ || σ] ∧ Θ(φ || σ) → Θn[φ || σ || ρ]
    A5: restrict(φ, σ) ∧ ¬restrict(φ, ρ) → restrict(φ || ρ, σ)
    A6: next_hierarchy(I, σ) → restrict(I, σ)
    A7: restrict(I, σ) ∧ Θ(I || J) → restrict(J, σ)
    A8: restrict(σ, φ) → restrict(φ, σ)
    A9: Θn[φ || J] ∧ restrict(K, J) → Θn[φ || m[K] || J] ∨ Θ(n[φ || J] || m[K])
Service Descriptions in AS3 Logic (cont.)
    S3: dispatchFE(x; fe; S) → ◊serv(fe_response; x; S; fe)
Policy Enforcement: Model-based Diagnosis and Recovery
- The system was synthesized under the assumption that services do not behave maliciously: an unrealistic assumption
- Runtime enforcement provides diagnosis of malicious behavior on the part of services, and subsequent recovery
- Service specifications are used to generate symptoms
- Abduction-based diagnosis uses the models (the process terms) to diagnose a breach of trust by a service and to drive recovery
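As an added illustration of the diagnosis step (not the talk's implementation), the Python below models the 911 workflow's dependency structure as a small effect model, generates symptoms as the spec-promised observable effects that were never independently confirmed, and abduces the minimal sets of untrusted services whose misbehavior explains exactly those symptoms; recovery rebinds the culprits to backup agents. The effect names, the treatment of 911's forwarding as a service that can itself misbehave, the set of independently observable effects and the backup table are assumptions of the example.

```python
"""Added example: abductive diagnosis of untrusted services over a model of
the 911 workflow.  Not the talk's implementation; the effect model, the
observable set and the backup table below are assumptions made here."""
from itertools import combinations

# Effect model distilled from the synthesized process terms (assumed):
# effect -> (service whose claim produces it, effects it depends on).
MODEL = {
    "pd_notified":  ("911",  ()),
    "ams_notified": ("911",  ()),
    "fd_notified":  ("911",  ()),
    "car_sent":     ("pcar", ("pd_notified",)),
    "amb_sent":     ("amb",  ("ams_notified",)),
    "fe_sent":      ("fe",   ("fd_notified",)),
}
# Effects an independent observer (not the service itself) can confirm.
OBSERVABLE = frozenset({"car_sent", "amb_sent", "fe_sent"})
# Backup workflow agents (assumed names).
BACKUPS = {"911": "911_backup", "pcar": "pcar_backup",
           "amb": "amb_backup", "fe": "fe_backup"}


def predicted(model: dict, untrusted: set) -> set:
    """Effects the model predicts once the claims of `untrusted` services are
    dropped: least fixpoint over the dependency relation."""
    holds: set = set()
    changed = True
    while changed:
        changed = False
        for eff, (svc, deps) in model.items():
            if eff not in holds and svc not in untrusted and all(d in holds for d in deps):
                holds.add(eff)
                changed = True
    return holds


def symptoms(model: dict, observable: frozenset, confirmed: set) -> set:
    """Symptom generation from the specifications: observable effects the
    model promises when every service is trusted, but that were not confirmed."""
    return (predicted(model, set()) & observable) - confirmed


def diagnose(model: dict, observable: frozenset, confirmed: set) -> list:
    """Abduction: the minimal-cardinality sets H of services such that the
    hypothesis 'the services in H misbehaved' predicts exactly the confirmed
    observations.  Returns [] when no hypothesis fits."""
    services = sorted({svc for svc, _ in model.values()})
    explanations = []
    for k in range(len(services) + 1):
        for hyp in combinations(services, k):
            if predicted(model, set(hyp)) & observable == confirmed:
                explanations.append(set(hyp))
        if explanations:
            return explanations        # stop at the smallest size that explains
    return explanations


def recover(model: dict, diagnosis: set, backups: dict) -> dict:
    """Recovery: rebind every effect produced by a diagnosed service to its
    backup agent, leaving the rest of the workflow untouched."""
    return {eff: (backups.get(svc, svc) if svc in diagnosis else svc, deps)
            for eff, (svc, deps) in model.items()}
```

With only `amb_sent` and `fe_sent` confirmed, the single symptom `car_sent` is explained by `{pcar}` alone; with nothing confirmed, the minimal explanation is `{911}` (one service failing to forward) rather than the three dispatchers all lying at once, which is the point of diagnosing against the model instead of blaming each missing effect separately.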
Requirements of AS3 Systems

Adaptability
- Provide acceptable performance in the presence of system failures, overload, or damage
- Rapid reconfiguration to achieve users' new missions

Security
- Authentication for both users and service providers
- Protection of the critical information infrastructure of distributed services, based on flexible security policies (for example, access control requirements)

Situation-Awareness (SAW): the capability of being aware of complex situations, needed for
- Service coordination
- Adapting workflows when situations change
- Enforcing situation-aware security policies
A Simple Example
- A simplified version of the ship scenario in the overview slides
- An intrusion by an enemy is detected by a Monitoring Agent (MA) that reports to the CMD
- The CMD directly asks shipA (or shipB) to destroy the enemy ship rather than sending a warning
- We assume no failures take place
- The Combat System Agent has been eliminated
AS3 Processes for the Example

System = MA || CMD || fleet[shipA || shipB]

fix MA = if MA:detect_intrusion() then
             let <x,y> = MA:get_enemy_coordinates() instantiate <x,y>. MA
         else MA

fix CMD = (x,y). in fleet. <x,y>. <destroy>. out fleet. CMD

fix shipA = (x,y). (d). if d = "destroy" then
                (shipA:lock_radar(x,y). shipA:load_missile().
                 (let z = shipA:fire() instantiate if z = enemy_destroyed then <z>) then shipA)
            else shipA

shipB ≌ shipA
Workflow Synthesis by Proof
A proof engine for the AS3 logic. The design of efficient proof strategies involves:
- proof by deduction
- proof as a satisfiability problem, using efficient SAT solvers and efficient automata-theoretic procedures
Synthesis of AS3 Processes
- The security (access control) model is synthesized through formula rewriting, using sound transformation rules in AS3 logic
- Service specifications, including QoS properties, are axiomatized in AS3 logic
- Functional as well as QoS goals of a mission are expressed in AS3 logic
Proof Theory of AS3 Logic
All axioms of constructive propositional modal logic, and the following axioms:
    T1: Θ(σ || n[φ])  next_hierarchy(σ, φ)
    T2: next_hierarchy(φ, σ) → Θσ
    T3: Θ◊φ → ◊Θφ
    T4: φ → Θφ
    T5: ΘΘφ  φ
Operational Semantics of the AS3 Calculus (cont.)
The failure semantics is specified as a monad:
    type M a = uP | uC | failure(I) | ⊥

(service fail)
    Γ/I' ⊢ Comp(x)    Γ/I' ⊢ val x = t    Γ/I' ⊢ post ::= ([x] ρ[x]) x    ¬(Γ/I' ∪ N ⊢ ([x] ρ[x])[t/x])
    ---------------------------------------------------------------------------------------------
    Γ ∪ {failure(I)} ⊢ post → ⊥

(failure composition 1)
    Γ ⊢ failure(I)
    ------------------------------
    Γ/I' ⊢ catch(I).P → fail(I)

(failure composition 2)
    ¬(Γ ⊢ failure(I))
    ------------------------------
    Γ/I ⊢ ⊥.P → P
Operational Semantics of the AS3 Calculus (cont.)

(post ev)
    Γ ⊢ Comp(x)    Γ ⊢ val x = t    Γ ⊢ post ::= ([x] ρ[x]) x    Γ ∪ N ⊢ ([x] ρ[x])[t/x]
    ------------------------------------------------------------------------------
    Γ ∪ {x = t} ⊢ post → t

(let reduct)
    Γ ⊢ Comp(x)    Γ ⊢ post → t
    ---------------------------------------
    Γ ⊢ let x = D instantiate C → C[t/x]

(cond eval. true)
    Γ ⊢ Comp(x)    Γ ⊢ Comp(y)    Γ, N ⊢ ρ[x, y]
    ---------------------------------------
    Γ ⊢ if ρ[x, y] then P else P' → P
Existing Formal Approaches
- Rule-based modeling (SWORD) [28]: does not allow services with side effects; currently no work is known that uses SWORD for modeling situation-awareness or security policies
- Classical process calculi and synchronous programming languages:
  - Pi-calculus [33,34], Ambient Calculus [32], Chemical Abstract Machine [35]: provide no facilities for processing situation information and reacting to it
  - SOL [37]: provides ways for formal reasoning, but no facilities for automatic service composition
- Linear Logic [29]: undecidable, so it provides only semi-automated service composition