1

A Formal Approach to Developing Reliable Service-

based Systems

Supratik Mukhopadhyay

2

Middleware/Service-based Systems:

The CORBA Approach What we want:

3

Adaptable Service-based Systems

4

Requirements of Service-based Systems

Adaptability Provide acceptable failures, overload, or damages Rapid reconfiguration to achieve users’ new

missions Security

Authentication for both users performance in the presence of system and service providers

Protection of critical information infrastructure of distributed services based on flexible security policies

For example, access control requirements Situation-Awareness (SAW) – capability of

being aware of complex situations for Service coordination Adapting workflows when situations change Enforcing situation-aware security policies

5

Outline of the Talk Motivations A Running Example Formal Architecture Modeling of Service-based Systems

A calculus (with semantics) and a logic Automated Synthesis of Processes (agents)

from logical specifications Synthesis by natural deduction using Curry-

Howard like correspondence Demo

6

Motivations Grand Challenges in Computing Research

Edited by Hoare and MilnerScience for Global Ubiquitous Computing (GUC)

Develop models for systems composed of ad-hoc networks of diverse components

Models need to support context-awareness, adaptive behavior, loose coupling, security, …

Develop calculi and logics to formalize notions of self and context-awareness, migration, …

Develop models for acquisition, distribution, management and sharing of knowledge, and building trust based on such knowledge …

Develop new type systems, new static analysis techniques, new verification techniques suitable for the GUC

7

A Simple Example

L

call 911

Police Dept. (PD)

Fire Dept.(FD)

AMS

Accident Report

Accid

ent

ReportA

ccid

ent

Rep

ort

PCAR

Send Patrol Car

FESend

Fire Engine

AMB

Send

Ambulance

911

8

Requirements of the AS3 System in the Example

Service coordination requirements 911 center (911) receives information

about accident from observer 911 sends accident report (including

accident location) to the city fire department (FD), the city police department (PD), and the city ambulance management system (AMS)

FD, PD, and AMS send a fire engine (FE), a police car (PCAR), and an ambulance (AMB) respectively to the accident location

9

Major Components of Our Approach

Service Specifications

Workflow &Backup Workflow Agents

AnnotatedWorkflow Agents

Distributed SINS Agents

Customizable Failure Handling

Specifications

Timing & Resource

Specifications

ExecutionMonitoring

Goal

Security Policy Specifications

Security Agents

SAW Specifications

SAW Agents

AS3 Logic

Resource Agents

Workflow Scheduler

AS3Cal2SOLCompiler

SOL2JavaCompiler

NMR Axioms

Natural Deduction-Based Proof System Kernel

Failure Handling Axioms

Coordination Axioms

Security Policy Axioms

SAW Axioms

10

Existing Standards for Service-based Systems

1. BPEL/BPEL4WS: Industry standard For modeling and executing workflows Lacks formal semantics Does not provide automatic service composition

and adaptation

2. OWL-S, Web Components: Provides constructs for unambiguously

describing the properties and capabilities of Web services

Provides limited formal guarantees Does not provide automatic service composition

11

The AS3 Calculus Provide a formal programming model for service-

based systems Is based on classical process calculi, and has

operational semantics involving interactions between: external actions: communication, leaving and joining

groups internal computations: method calls of named services Continuation passing used to provide semantics of

asynchronous service-invocations Can model timeouts and failures (in monadic

style)

12

A Calculus for Service-based Systems: The AS3 Calculus

(System) S::= fix I=P (recursion)

N[S] (named domain) S||S (Sys. Comp.)

N ::= x (variable) n (name)

(Process)P::=

(new n) P (name restriction) 0 (inactive process) P par P (par. composition) I (identifier) E.P (external action) C.P (int. computation) P1+P2 (nondet. choice) fail(I) (failure) catch(I).P (failure handler)

time t.P (timeout)P{l1(x1),…;…ln(xn)} (method

export)

External action involves communication, leaving or joining groups, removing firewalls Internal computation takes place by calling methods of identified services

13

External ActionsE ::= M (Domain) K (Comm.)

K::= (Comm.) Ch(x) (input) Ch<Str> (output) mc(C1,…,Cn)<Str>

(multicast) Ch::= N (Channel)

M ::= in N (enter a dom.) out N (exit a dom.) open N (open firewall) ε (no action)

14

Internal ComputationC::= let x=D instantiate C (let reduction)

if ρ then P else P’ (conditional) replace(I:li) (method replacement) li ← lj (method modification)

ρ (constraint evaluation)

ε (no-computation) tt (constant true) ff (constant false) ⊥ (failed computation)

D::= I:li(y) (method invocation for identified

service)

I:li= prei::posti[y]

pre::=[y] ρ[y]

post::= ([x] ρ[x]) x

::= b (base type) → (function type)

ρ::= x y+c x>y+c x y+c x<y+c

15

Operational Semantics of the AS3 Calculus

Γ Γ/I’├ I:li=pre::post[xi]__________________________________________ (service invocation 1)Γ Γ Γ/I’├ I:li(y) → pre::post[y/xi]

Γ/I’,N├ pre[y/xi]→tt__________________________________________ (service invocation 2) Γ/I’├ pre::post[y/xi]→post[y/xi]

Γ/I’,N├ pre[y/xi]→ff___________________________________________ (service inv. fail) Γ/I’∪{failure(I’)}├ pre::post[y/xi]→⊥

16

AS3 Processes for the Example

System

fix 911= tel(x). fd<x>.pd<x>.ams<x>.911

fix PD=pd(x).let y= pcar:dispatchCAR(x) instantiate if y== ‘car_sent’ then PDelse fail(PD)

fix AMS=ams(x).let y= amb:dispatchAMB(x) instantiate if y== ‘amb_sent’ then AMSelse fail(AMS)

911

Police Dept. (PD) AMS

17

AS3 Processes for the Example (cont.)

L

AMS

fix 911= tel(x). fd<x>.pd<x>.ams<x>.911

Police Dept. (PD)

Fire Dept.(FD)

(x)

<x><x><x><x>

18

AS3 Processes for the Example (cont.)

Police Dept. (PD)

fix PD=pd(x).let y= pcar:dispatchCAR(x) instantiate if y== ‘car_sent’ then PDelse fail(PD)

PCAR

<x>

Car Sent

19

Synthesis of AS3 Processes Can we synthesize AS3 processes

automatically from declarative specifications? Yes

20

Our Approach: Logic-based Synthesis of Process Terms

1. Services described in AS3 logic along with proof rules of the logic form a theory of AS3

systems2. Functional requirements of the mission along

with QoS (real-time, security, situation-awareness) described as formulae in AS3 logic

3. Synthesis amounts to a natural deduction of the requirements using the AS3 theory with service discovery and composition being the computation of a Craig interpolant

4. Calculus terms directly synthesized from the proof using Curry-Howard like correspondence

21

AS3 Logic Hybrid Modal Logic talking both about

time and space Sometime modality for temporal evolution,

somewhere modality for spatial location Nominals standing for state

Modalities for communication, leaving joining domains

Atomic formulas for describing relations among variables

22

AS3 Logic Syntaxφ ::= 0 (inactivity) pred(x1,…,xn) (user defined atoms) t~c (atomic constraint)

φ1∨φ2 (disjunction) ┐φ (negation) ◊ φ (sometime) Θ φ (somewhere) I (identifier/nominal match) ~::=> | <| ≤| ≥c: Natural Number

23

AS3 Logic Syntax (Contd.) φ1|| φ2 (parallel composition) η[φ] (named domain) φ@η (behavior within domain) K(u; φ) (knowledge of an object)serv(u;v; Φ,I) (recording of an object) n φ (quantification over names) t φ (quantification over real variables)

in(n) φ (behavior after entering domain) out(n) φ (behavior after leaving domain) <u> φ (behavior after sending message) T (constant true) I φ (quantification over nominals)

24

AS3 Logic: Facts We provide a constructive

interpretation of the logic for process synthesis

Sound (and complete) proof theory (natural deduction-based)

25

The Running Example in AS3

LogicEntities: (Nominals/Identifiers)911, PD, AMS, FDFE, AMB, PCARCoordination Requirements:◇K(“accident”,x; 911) (◇<x>911 ))

C1: <x>911 → ◇K(x; PD) ◇K(x; AMS) ◇K(x; FD) C2: K(x; PD) →◇serv(pcar_response; x; PD ; W) C3: K(x; AMS) →◇serv(amb_response; x; AMS; S) C4: K(x; FD) →◇serv(fe_response; x; FD; U) C5: serv(“car_sent”; x; PD ; W) →◇TC6: serv(“amb_sent”; x; AMS ; S) →◇TC7: serv(“fe_sent”; x; FD ; U) →◇T

26

Service Specifications in AS3 Logic

S1: dispatchAMB(x;amb;W)→◇serv(amb_response;x;W;amb)S2: dispatchCAR(x;pcar; S)→

◇serv(pcar_response;x;U;pcar) and one other axiom

27

Natural Deduction and Process Synthesis

K(“accident”,x; 911)

<x>911

C1: <x>911 → ◇K(x; PD) ◇K(x; AMS) ◇K(x; FD)

K(x; PD)K(x; AMS)K(x; FD)

fix 911=tel(z).tel(x).pd<x>.ams<x>.fd<x>.

fix PD=pd(x).

fix AMS=ams(x).

fix FD=fd(x).

28

Natural Deduction and Process Synthesis

G: serv(amb_response; x; AMS; amb)

α: dispatchAMB(x;amb;AMS)

[α: dispatchAMB(x;amb;AMS)]

S1: dispatchAMB(x;amb;AMS)→◇serv(amb_response;x;AMS;amb)

D1: ◊serv(amb_response; x; AMS; amb)

…

fix AMS=… let y= amb:dispatchAMB(x)

instantiate

29

ENDEND

30

References[1] Distributed control and co-ordination of autonomous agents in a dynamic, reconfigurable system “US Patent

Number: 6336781”[2] Process and system for managing run-time adaptation for general purpose distributed adaptive applications “US

Patent Number: 6324619”[3] Servlet-based architecture for dynamic service composition “US Patent Number: 6330710”[4] Method and apparatus for providing a dynamic service composition software architecture “US Patent Number:

6256771”[5] Security and emergency communication service coordination system and notification control method therefore

“US Patent Number: 6337621”[6] Generic service coordination mechanism for solving supplementary service interaction problems in

communication system “US Patent Number: 5742673”[7] S. Yau et al., Reconfigurable Context-Sensitive Middleware for Pervasive Computing, IEEE Pervasive Computing,

vol. 1(3), 2002, pp. 33-40.[8] M. Mikic-Rakic, N. Medvidovic: Adaptable Architectural Middleware for Programming-in-the-Small-and-Many.

Middleware 2003: 162-181.[9] A. Ranganathan, R. H. Campbell: A Middleware for Context-Aware Agents in Ubiquitous Computing Environments.

Middleware 2003: 143-161.[10] A. Popovici, A. Frei, G. Alonso: A Proactive Middleware Platform for Mobile Computing. Middleware 2003: 455-

473.[11] U. Lang, Access Policies in Middleware, PhD Thesis, University of Cambridge, 2003[12] T. Abdelzaher, B. Blum B, Q. Cao, Y. Chen, D. Evans, J. George, S. George, L. Gu, T. He, S. Krishnamurthy, L. Luo,

S. Son, J. Stankovic, R. Stoleru and A. Wood, EnviroTrack: Towards an Environmental Computing Paradigm for Distributed Sensor Networks , The 24th International Conference on Distributed Computing Systems. Tokyo, Japan. March 23-26, 2004.

[13] S. Yau, H. Davulcu, S. Mukhopadhyay, D. Huang and Y. Yao, Adaptable, Situation-aware, Secure Service-based (AS3) Systems, Proceedings of the IEEE International Symposium Object-oriented, Real-time, Distributed Computing (ISORC’05), 2005.

[14] R. Bharadwaj, S. Mukhopadhyay and N. Padh, “Service Composition in a Secure Agent-based Architecture”, Proceedings of the IEEE International Conference on E-Technologies, E-commerce and E-Service (EEE’05), pp 787—788, 2005

[15] Internet2 Medical Middleware (MedMid) Working Group: Draft Workplan Scenarios, 2003

31

References (cont.)[16] E. Sirin, J. A. Hendler, B. Parsia: Semi-automatic Composition of Web Services using Semantic Descriptions. WSMAI 2003: 17-24[17] Z. Duan, A. J. Bernstein, P. M. Lewis, S. Lu: Semantics Based Verification and Synthesis of BPEL4WS Abstract Processes.

ICWS 2004: 734-737[18] G. C. Necula: Enforcing Security and Safety with Proof-Carrying Code. Electr. Notes Theor. Comput. Sci. 20: (1999).[19] B. Li, K. Nahrstedt, A Control-based Middleware Framework for Quality of Service Adaptations, IEEE Journal on Selected Areas

in Communication, vol 17, No. 9, September, 1999[20] K. Roemer, O. Kasten, F. Mattern, Middleware Challenges in Wireless Sensor Networks, Mobile Computing and

Communications Review, vol 3, No. 2, 2002[21] F. Curbera et. al., Business Process Execution Language for Web Services, 2002[22] E. Christensen et. al, The Web Services Description Language (WSDL), IBM[23] T. Berners-Lee et. al, The semantic web, Scientific American, May 2003[24] A. Ankolekar, F. Huch and K. Sycara. Concurrent Execution Semantics for DAML-S with Subtypes. In Proceedings of The First

International Semantic Web Conference (ISWC), 2002[25] E. Newcomer. Understanding Web Services. Addison Wesley, 2002. [26] Endrei, M.; Ang, J.; Arsanjani, A.; Chua, Sook; Comte, P; Krogdahl, P; Luo, M; and Newling, T. (2004)

Patterns: Service-oriented Architecture and Web Services. IBM Redbook, ISBN 073845317X[27] D. Bell and L. La Padula. Secure Computer Systems: Unified Exposition and Multics Interpretation, Technical Report, Mitre

Corporation, 1975[28] S. Ponnekanti and A. Fox, SWORD: A Developer Toolkit for Web Service Composition, In Proceedings of WWW 2002[29] J. Rao et. al, Application of Linear Logic to Web Service Composition, 2004[30] Gruia-Catalin Roman, Jamie Payton: Mobile UNITY Schemas for Agent Coordination. Abstract State Machines 2003: 126-150. [31] Cédric Fournet, Georges Gonthier: The Join Calculus: A Language for Distributed Mobile Programming. APPSEM 2000: 268-332. [32] L. Cardelli, A. D. Gordon: Mobile ambients. Theor. Comput. Sci. 240(1): 177-213 (2000)[33] Woodman, S.J., Palmer, D.J., Shrivastava, S.K, and Wheater, S.M.: Notations for the Specification and Verification of Composite

Web Services, In Proc. of 8th IEEE Int’l Enterprise Distributed Object Computing Conf. (EDOC '04)[34] R. Milner: Communication and Concurrency, Prentice Hall, 1989[35] Gérard Berry, Gérard Boudol: The Chemical Abstract Machine. In Proceedings of POPL 1990: 81-94[36] N. Milanovic and M. Malek: Current Solutions for Web Service Composition, IEEE Internet ComputingNovember/December 2004

(Vol. 8, No. 6)   pp. 51-59[37] R. Bharadwaj, “SOL: A Verifiable Synchronous Language for Reactive Systems,” Proc. Synchronous Languages, Applications,

and Programming (SLAP’ 02). http://chacs.nrl.navy.mil/publications/ CHACS/2002/2002bharadwaj-entcs.pdf

32

Operational Semantics of AS3 Calculus

______________________________ (fail computation) ⊥.P→fail

C→a_______________________________ (beta reduction) let x=C instantiate P →P[a/x]

C(x)→true_______________________________ (cond eval. true) if C(x) then P else P’ →P

33

Operational Semantics of AS3 Calculus

C(x)→false ____________________________ (cond. Eval. false) if C(x) then P else P’ →P’

C(x)→a _____________________________ a {true,false} (cond fail) if C(x) then P else P’ → ⊥

34

Operational Semantics (cont.)

_____________________________ (migration inside a domain)

in n.P || n[Q] →n[P||Q]

______________________________ (communication) <m>.P || (x).Q→ P||Q[m/x]

Back

35

Structural Congruence A process is congruent to its alpha-renamed variant

If P≌Q then 1. C.P ≌ C.Q2. A.P ≌ A.Q3. P||R ≌ Q||R4. R||P ≌ R||Q5. N[P] ≌ N[Q]6. (new n) P ≌ (new n) Q7. fix I=P ≌ fix I=Q8. P+R ≌ Q+R

36

Image Finiteness of Processes

We impose the following restrictions on processes Recursive processes are guarded Parallel composition through recursion is not

allowed (similar to Pi-calculus [Dam 93]) A type system can check for well-formedness

of processes Image Finiteness: A closed process term can

only evolve (in zero or more steps) into finitely many non-congruent process terms using the reduction rules

Restrictions ensure that every process is image finite

Back

37

Model Theoretic Semantics of AS3 Logic

P ╞ I if fix I=P

P ╞ <u> φ if there exists Q, R,S,T P≌<u>Q,R ≌ (x).S,T= P||R and Q╞ φ

P ╞ pred(u1,…,un) if for any Q, with P ≦Q, Q is annotated with pred(u1,…,un)

P ╞ in(n) φ if there exists Q, n, R, S, P ≌ in n.Q, Q╞ φ @n, S ≌ P || n[R]

Back

38

Transformation Rules for Access Control (Cont.)

A3: ┐restrict(I,σ)→Θ(I ||σ)

A4: Θn[ρ || σ] ∧ Θ(φ || σ)→Θn[φ || σ || ρ]

A5: restrict(φ,σ)∧┐restrict(φ,ρ)→restrict(φ || ρ,σ)

A6: next_hierarchy(I,σ)→restrict(I,σ)

A7: restrict(I,σ) /\ Θ(I || J)→restrict(J,σ) A8: restrict(σ,φ)→restrict(φ,σ)

A9: Θn[φ || J] /\ restrict(K,J)→Θn[φ ||m[K] || J] V Θ(n[φ || J] || m[K])

[Back]

39

Service Descriptions in AS3 Logic

S3: dispatchFE(x;fe;S)→ ◇serv(fe_response;x;S;fe)

back

40

Policy Enforcement: Model-based Diagnosis and Recovery

System was synthesized based on the assumption that services do not behave maliciously: Unrealistic assumption

Runtime enforcement ensures diagnosis of malicious behavior on the part of services and subsequent recovery

Service specifications used to generate symptoms

Abduction based diagnosis uses the models (process terms) to diagnose breach of trust by services and ensure recovery

41

Requirements of AS3 Systems

Adaptability Provide acceptable performance in the presence of

system failures, overload, or damages Rapid reconfiguration to achieve users’ new

missions Security

Authentication for both users and service providers Protection of critical information infrastructure of

distributed services based on flexible security policies

For example, access control requirements Situation-Awareness (SAW) – capability of

being aware of complex situations for Service coordination Adapting workflows when situations change Enforcing situation-aware security policies

42

A Simple Example A simplified version of the ship

scenario in the overview slides Intrusion of enemy detected by Monitoring

Agent that reports to the CMD The CMD directly asks shipA (or shipB) to

destroy the enemy ship rather than sending a warning

We assume no failures take place The Combat System Agent has been

eliminated

43

AS3 Processes for the Example

System = MA || CMD || fleet [shipA || shipB] fix MA =

if MA: detect_intrusion() then let <x,y>= MA: get_enemy_coordinates()

instantiate <x,y>.MA else

MA

fix CMD = (x,y). in fleet.<x,y>.<destroy>.out fleet.CMD

fix shipA= (x,y).(d). if d=“destroy” then

(shipA:lock_radar(x,y).shipA:load_missile().(let z=shipA:fire() instantiate if z= enemy_destroyed then <z> ) then shipA)

else shipA

shipB ≌shipA

44

Workflow Synthesis by Proof

A proof engine for the AS3 logic Design of efficient proof strategies that

involves: proof by deduction proof as a satisfiability problem

efficient SAT solvers efficient automata theoretic procedures

45

Synthesis of AS3 Processes Security (access control) model

synthesized through formula rewriting using sound transformation rules in AS3 logic

Service specifications including QoS properties axiomatized in AS3 logic

Functional as well as QoS goals of a mission expressed in AS3 logic

46

Proof Theory of AS3 Logic All axioms of constructive propositional modal logic

and the following axioms:

T1: Θ(σ || n[φ]) next_hierarchy(σ,φ)

T2: next_hierarchy(φ,σ)→Θσ

T3: Θ◊φ→◊Θφ

T4: φ→Θφ

T5: ΘΘφφ

47

Operational Semantics of the AS3 Calculus (Contd.)

Failure semantics specified as a monad

type M a = uP | uC | failure(I) | ⊥

Γ/I’├ Comp(x) Γ/I’├ val x = t Γ/I’├ post::= ([x] ρ[x]) x ┐(Γ/I’∪N ├ ([x] ρ[x])[t/x]) _________________________________________________ __________________________________________________________________________ ______________ (service fail)

Γ ∪{failure(I)}├ post →⊥

Γ├ failure(I) _____________________________________________________________________________________________ ___________________- (failure compusitio 1)

Γ/I’├ catch(I).P → fail(I)

┐(Γ ├ failure(I))__________________________________________________________________________________ ______________________________ (failure composition 2)

Γ/I├⊥.P → P

48

Operational Semantics of the AS3 Calculus (Contd.)

Γ├ Comp(x) Γ├ val x = t Γ├ post::= ([x] ρ[x]) x Γ∪N├ ([x] ρ[x])[t/x] _________________________________________________ ______________________________________________________________ _______________ (post ev)

Γ ∪{x=t}├ post → t

Γ├ Comp(x) Γ├ post → t ________________________________________________________________________________________________________ (let reduct)

Γ├ let x=D instantiate C → C[t/x]

Γ├ Comp(x) Γ├ Comp(y) Γ,N├ ρ[x,y] ________________________________________________________________________________________________________ (cond eval. true)

Γ├ if ρ[x,y] then P else P’ → P

back

49

Requirements of Service-based Systems

Adaptability Provide acceptable failures, overload, or damages Rapid reconfiguration to achieve users’ new

missions Security

Authentication for both users performance in the presence of system and service providers

Protection of critical information infrastructure of distributed services based on flexible security policies

For example, access control requirements Situation-Awareness (SAW) – capability of

being aware of complex situations for Service coordination Adapting workflows when situations change Enforcing situation-aware security policies

50

Existing Formal Approaches

Rule-based Modeling (SWORD) [28]: Does not allow services having side effects Currently, no work is known that uses SWORD for modeling

situation-awareness or security policies Classical Process Calculi and Synchronous

Programming Languages: Pi calculus [33,34], Ambient Calculus [32], Chemical

Abstract Machine [35]: Does not provide facilities for processing situation information and reacting to it

SOL [37]: Does not provide facilities for automatic service composition

Provides ways for formal reasoning Linear Logic [29]:

Undecidable: provides only semi-automated service composition