
Formal Methods for Service Composition

Maurice H. ter Beek (ISTI–CNR, Pisa, Italy)

Saturday, December 1

SEEFM 2007

joint work with: Antonio Bucchiarone (IMT Institute for Advanced Studies, Lucca, Italy and Nokia Siemens Networks, Lisbon, Portugal)

Stefania Gnesi (ISTI–CNR, Pisa, Italy)


Outline

• Background

• Service composition approaches
  • Syntactic service composition
  • Semantic service composition

• Service composition characteristics
  • Connectivity, correctness and QoS

• Compare standardization approaches w.r.t. characteristics

• Formal methods for service composition
  • Automata, Petri nets and process algebras

• Compare formal methods w.r.t. characteristics

• Conclusions


Background

• Service-Oriented Computing (SOC)
  • An emerging cross-disciplinary paradigm for distributed computing
  • Changes the way in which software applications are designed, architected (SOA), delivered and consumed

• Web Services (WSs)
  • Autonomous, platform-independent computational elements, possibly managed by different organizations
  • Described, published, discovered, orchestrated and programmed to build networks of collaborating applications, distributed both within and across organizational boundaries

We survey and compare service composition approaches (both industrial and academic)


Syntactic Service Composition Approaches

• Service Orchestration (like BPEL4WS)
  • Combines available services by adding a central coordinator
  • This orchestrator is responsible for invoking + combining services

• Service Choreography (like WS-CDL)
  • No central coordinator
  • Complex tasks defined by conversations of participating services
  • Composition of peer-to-peer interactions among the collaborating services


BPEL vs. WS-CDL

• Both XML-based

• BPEL: coordination/composition of services (WSDL-based)
  • Processes model the flow of services by connecting activities that communicate with external service providers

• WS-CDL: choreography description of services
  • Interactions describe the information exchange by specifying participants, information and channel
  • Exception handling and compensations supported through exception and finalizer work units

Contrary to BPEL, WS-CDL describes a global view of the behavior of the message exchanges of all services (rather than behavior defined from the viewpoint of one service)


Semantic Service Composition Approaches

• Aim: the automation of service discovery, invocation, composition, interoperation and execution monitoring

• Describe services by explicit, machine-understandable semantics

• Often rely on ontologies to formalize the domain concepts shared among services (like OWL-S and WSMO)

• The Internet is seen as a globally linked database in which web pages are marked with semantic annotations


OWL-S vs. WSMO

• Both ontology-based

• OWL-S
  • Defines a service ontology with four main elements: service concept, service profile, service model and service grounding
  • No clear distinction between choreography and orchestration

• WSMO
  • Defines a model to describe semantic web services with four main elements: ontologies, WSs, goals and mediators
  • Conceptual design in WSMF, annotations in WSML, execution environment WSMX for dynamic discovery/selection/invocation

OWL-S is more mature in certain aspects (choreography), while WSMO provides a more complete conceptual model


Service Composition Characteristics I

Connectivity:

• Reliability
  • The ability to deliver responses continuously in time
  • The ability to correctly deliver messages between two endpoints

• Accessibility
  • The percentage of responses per service request

• Exception handling/Compensations
  • What happens in case of an error and how to undo the already completed activities
  • The ability to manage compensations of service invocations (in case of a failure)


Service Composition Characteristics II

Correctness:

• Safety/Liveness
  • The assertion that some bad event never happens in the course of a computation
  • The assertion that some event does eventually happen in the course of a computation

• Security/Trust
  • The ability of a service (composition) to provide proper authentication, authorization, confidentiality and data encryption
  • The assurance that a service (composition) will perform as expected despite possible environmental disruptions, human and operator errors, hostile attacks and design and implementation errors


Service Composition Characteristics III

Quality of Service (QoS):

• Accuracy
  • The error rate of a service, measured as the number of errors generated by a service in a certain time interval

• Availability
  • The probability that a service is available at any given time, measured as the percentage of time a service is available over an extended time period

• Performance
  • Measured as the success rate of service requests:
    – Maximum time needed to complete a request (response time)
    – Number of completed requests over a period of time (throughput)
    – Time needed by a service to process a request (latency)


Comparing Standardization Approaches

Neither of these approaches offers any direct support for the verification of service compositions at design time

This is where formal methods come into play!


Formal Methods for Service Composition I

• Automata
  • Well-known model underlying formal specifications
  • I/O automata, timed automata, team automata, etc.
  • Their formal basis allows for automatic tool support

• Exemplary approaches (see paper for references)
  • Frameworks to analyze and verify properties of service compositions of BPEL processes
  • Translations from BPEL to Promela (finite automata) to use the SPIN model checker to verify LTL properties
  • Translations from WS-CDL to timed automata to use the UPPAAL model checker to verify (timed) CTL properties
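
The safety and liveness notions from the Correctness slide, checked on a composition of automata, as an added example (not from the talk or the paper, and not SPIN or UPPAAL): a small explicit-state check in Python. The orchestrator, payment and shipping automata and all state and action names are constructed assumptions.

```python
# Constructed models (all names are assumptions): {state: {action: next_state}}
PAY = {"p0": {"charge": "p1"}, "p1": {"paid": "p2", "declined": "p3"}, "p2": {}, "p3": {}}
PAY_FLAKY = {**PAY, "p1": {**PAY["p1"], "timeout": "p4"}, "p4": {}}  # may silently give up
SHIP = {"s0": {"ship": "s1"}, "s1": {}}
ORCH_BAD = {"o0": {"charge": "o1"}, "o1": {"ship": "o2"},   # ships before the outcome
            "o2": {"paid": "o3", "declined": "o3"}, "o3": {}}
ORCH_OK = {"o0": {"charge": "o1"}, "o1": {"paid": "o2", "declined": "o4"},
           "o2": {"ship": "o3"}, "o3": {}, "o4": {}}
INIT = ("o0", "p0", "s0")                                   # (orchestrator, payment, shipping)
declined_but_shipped = lambda s: s[1] == "p3" and s[2] == "s1"
orch_done = lambda s: s[0] in ("o3", "o4")

def successors(auts, state):
    """Synchronous product: an action needs every automaton that knows it to move."""
    alphas = [{a for t in aut.values() for a in t} for aut in auts]
    for act in sorted(set().union(*alphas)):
        nxt = []
        for aut, alpha, s in zip(auts, alphas, state):
            if act in alpha and act not in aut[s]:
                break                                       # a participant blocks the action
            nxt.append(aut[s].get(act, s))                  # non-participants stay put
        else:
            yield tuple(nxt)

def reachable(auts, init):
    seen, todo = {init}, [init]
    for s in todo:                                          # the list grows while we iterate
        for t in successors(auts, s):
            if t not in seen:
                seen.add(t)
                todo.append(t)
    return seen

def safe(auts, init, bad):
    """Safety: no reachable global state satisfies `bad`."""
    return not any(bad(s) for s in reachable(auts, init))

def eventually(auts, init, goal):
    """Liveness: every maximal run from `init` reaches a `goal` state."""
    status = {}
    def visit(s):
        if s not in status:
            status[s] = goal(s)                             # False while on the stack
            if not status[s]:
                succ = list(successors(auts, s))            # no successors = stuck
                status[s] = bool(succ) and all(visit(t) for t in succ)
        return status[s]
    return visit(init)
```

`safe([ORCH_BAD, PAY, SHIP], INIT, declined_but_shipped)` is false because the order can ship before the payment outcome is known, and `eventually([ORCH_OK, PAY_FLAKY, SHIP], INIT, orch_done)` is false because the orchestrator waits forever after a silent timeout.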


Formal Methods for Service Composition II

• Petri nets
  • Well-known framework for modeling concurrent systems
  • Their ease of conceptual modeling (graphical notation) has made Petri nets the model of choice in many applications
  • Their formal basis allows for automatic tool support

• Exemplary approaches (see paper for references)
  • Mapping of all BPEL control-flow constructs into labeled Petri nets (including the dead-path-elimination technique)
  • Open-source tools BPEL2PNML and WofBPEL automatically transform BPEL processes into Petri nets and analyze them (including reachability analysis)
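
Reachability analysis on a Petri net, as an added example (not from the talk or the paper, and not the output of BPEL2PNML or WofBPEL): the Python below builds the reachability graph of two constructed control-flow nets and reports dead markings other than the expected final one. Place and transition names are assumptions, the nets are assumed bounded, and dead-path elimination is not modeled.

```python
from collections import Counter

# Constructed nets: {transition: (input places, output places)}, arc weight 1
FLOW_OK = {"fork": (["start"], ["pa", "pb"]),               # AND-split
           "invoke_A": (["pa"], ["qa"]),
           "invoke_B": (["pb"], ["qb"]),
           "join": (["qa", "qb"], ["end"])}                  # AND-join
# Same net, but the split is exclusive while the join still waits for both branches
FLOW_BAD = {k: v for k, v in FLOW_OK.items() if k != "fork"}
FLOW_BAD.update(pick_A=(["start"], ["pa"]), pick_B=(["start"], ["pb"]))

def marking(**tokens):
    """A marking as a hashable set of (place, token count) pairs."""
    return frozenset(tokens.items())

START, END = marking(start=1), marking(end=1)

def reachability_graph(net, m0):
    """Return {marking: {transition: successor marking}} for a bounded net."""
    graph, todo = {}, [m0]
    while todo:
        m = todo.pop()
        if m in graph:
            continue
        tokens, graph[m] = dict(m), {}
        for t, (ins, outs) in net.items():
            if all(tokens.get(p, 0) > 0 for p in ins):       # t is enabled
                nxt = Counter(tokens)
                nxt.subtract(ins)                            # consume one token per input
                nxt.update(outs)                             # produce one token per output
                succ = frozenset((p, n) for p, n in nxt.items() if n > 0)
                graph[m][t] = succ
                todo.append(succ)
    return graph

def dead_markings(net, m0, final):
    """Reachable markings that enable nothing and are not the final marking."""
    graph = reachability_graph(net, m0)
    return {m for m, out in graph.items() if not out and m != final}
```

For `FLOW_BAD` the analysis returns the two markings with a single token stuck before the join, and `END` is never reached.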


Formal Methods for Service Composition III

• Process Algebras
  • Precise and well-studied set of formalisms
  • CCS, π-calculus (which inspired BPEL to a certain extent), LOTOS, etc.
  • Their formal basis allows automatic verification of behavioral properties
  • Rich theory on bisimulation analysis for equivalence testing (to verify substitutivity + redundancy in service compositions)

• Exemplary approaches (see paper for references)
  • Specify and compose services in CCS to use Concurrency Workbench to validate correctness properties
  • Translations from BPEL to LOTOS to use CADP model-checking toolbox to verify temporal properties
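
Bisimulation as a substitutivity and redundancy test, as an added example (not from the talk or the paper, and not the Concurrency Workbench or CADP): the Python below decides strong bisimilarity by naive partition refinement on constructed labelled transition systems. Service A lets the client choose the payment method after `request`, B commits to one method internally, and C is A with a redundant duplicated state; all names are assumptions.

```python
# Constructed labelled transition systems: {state: {(action, next_state), ...}}
LTS = {
    "A0": {("request", "A1")},
    "A1": {("pay_card", "A2"), ("pay_invoice", "A2")},
    "A2": set(),
    "B0": {("request", "B1"), ("request", "B2")},            # choice made on request
    "B1": {("pay_card", "B3")},
    "B2": {("pay_invoice", "B3")},
    "B3": set(),
    "C0": {("request", "C1"), ("request", "C2")},            # C1 and C2 are duplicates
    "C1": {("pay_card", "C3"), ("pay_invoice", "C3")},
    "C2": {("pay_card", "C3"), ("pay_invoice", "C3")},
    "C3": set(),
}

def traces(lts, s):
    """All finite traces from s (the sample systems are acyclic)."""
    return {()} | {(a,) + tr for a, t in lts[s] for tr in traces(lts, t)}

def bisimilar(lts, p, q):
    """Strong bisimilarity: split blocks until all states in a block offer
    the same set of (action, target block) moves."""
    block = {s: 0 for s in lts}
    while True:
        ids = {}
        new = {}
        for s in lts:
            signature = (block[s], frozenset((a, block[t]) for a, t in lts[s]))
            new[s] = ids.setdefault(signature, len(ids))
        # each round refines the previous partition, so an equal block count means stable
        if len(ids) == len(set(block.values())):
            return new[p] == new[q]
        block = new
```

A and B have the same traces yet are not bisimilar, so B is not a safe substitute for A in a composition, while C is bisimilar to A and its extra state is redundant.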


Comparing Approaches in Formal Methods

Paper provides a reference for service composition designers and developers willing to use formal methods and tools


Conclusions

• Most standardization approaches to service composition lack:
  • Support to verify the (behavioral) correctness of service compositions
  • Support to perform quantitative analysis of QoS aspects

• Formal Methods and tools allow one to simulate and verify the behavior of one’s model at design time

• Thus enable the detection and correction of errors as early as possible and in any case before implementation!

The use of formal methods can increase the confidence in the correctness of one’s (service composition) design