UNIVERSITY OF OSLODepartment of Informati sContra t-basedInternet Servi eSoftware Development:A ProposalResear h Report No.333Pablo GiambiagiOlaf OweGerardo S hneiderAnders P. RavnIsbn 82-7368-288-9Issn 0806-3036January 2006

Contra t-based Internet Servi e SoftwareDevelopment: A ProposalPablo Giambiagi∗ Olaf Owe† Gerardo S hneider‡Anders P. Ravn§January 2006Abstra tThe fast evolution of the Internet has popularized servi e-orientedar hite tures dynami IT-supported inter-business ollaborations. Yet,interoperability between di�erent organizations, requires ontra ts toredu e risks. Thus, high-level models of ontra ts are making theirway into servi e-oriented ar hite tures, but appli ation developers arestill left to their own devi es when it omes to writing ode that will omply with a ontra t. This paper surveys existing and proposesnew language-based solutions to the above problem. Contra ts areformalized as behavioral interfa es, and abstra tion me hanisms mayguide the developer in the produ tion of ontra t-aware appli ations.We on entrate on ontra ts dealing with performan e (real-time) andinformation �ow ( on�dentiality).1 Introdu tionAlready several years ago, te hnology gurus predi ted that the next big trendin software system development would be the servi e-oriented ar hite ture,SOA. A su essful integration of loosely- oupled servi es belonging to dif-ferent, sometimes ompeting, but always ollaborating organizations would∗SICS, P.O. Box 1263, SE-16429 Kista, Sweden. E-mail: pablo�si s.se†Dept. of Informati s � Univ. of Oslo, P.O. Box 1080 Blindern, N-0316 Oslo, Norway.E-mail: olaf�i�.uio.no‡Dept. of Informati s � Univ. of Oslo, P.O. Box 1080 Blindern, N-0316 Oslo, Norway.E-mail: gerardo�i�.uio.no§Dept. of Computer S ien e � Aalborg University, Fredrik Bajers vej 7E, DK-9220Aalborg, Denmark. E-mail: apr� s.aau.dk 1

storm the world. It would reate a myriad of new business opportunities, en-abling the formation of virtual organizations where SMEs1 would join for esto thrive in ever in reasingly ompetitive global markets. While the dreamlives on, and the industry develops and deploys web servi es, the degree ofintegration a hieved between di�erent organizations remains low. Collabo-ration presumes a minimum level of mutual trust, and wherever trust is not onsidered su� ient, businesspeople turn to ontra ts as a me hanism to re-du e risks. In other terms, for the SOA to deliver its promised advantages,developers need ost e�e tive ontra t management solutions.Resear hers and industries alike have began addressing this very essentialissue with a top-down approa h. Several ele troni ontra t languages, theirmodels and reasoning te hniques are in the pro ess of being dis ussed andre�ned. While this is a natural approa h, we see the absolute need to providethe a tual system developer with the means to implement their servi es tomeet the requirements di tated by the ontra ts.At the moment the developer fa es a situation where the programminglanguages originally used to produ e intra-organization, non-distributed ap-pli ations are already overstret hed to ope with issues of distribution a rossorganizational domains. When it omes to ontra ts, the abstra tion me ha-nisms of urrent languages give almost no assistan e to the developer. There-fore we propose to use a ri her language, based on the on epts of Creol [18℄,whi h allows formal veri� ation of requirements of a ontra t to be done oreven automated using the Maude tool [38℄.1.1 Related WorkThe programming language ommunity has long identi�ed the need to pro-vide easier ways to extend the abstra tion me hanisms of a language. Oneof the main approa hes of the day is that of Aspe t-Oriented Programming(AOP) [26℄, whi h helps separate ross- utting on erns (like logging anda ess ontrol) from the main business logi . AOP is omposed of a set ofte hniques, in luding ode instrumentation and runtime inter eptors.A similar approa h uses omposition �lters (CF) [2℄, where the idea isnot to repla e the programming paradigm but to enhan e the expressivepower and maintainability of urrent obje t-oriented languages. CF may be onsidered as a modular extension to the obje t-oriented model with inter-fa e layers in luding the so- alled �lters. Advantages of CFs with respe t toaspe ts are exposed in [12℄.An alternative approa h aims at de�ning new kinds of languages that1SME: small and medium enterprise. 2

adapt themselves better to the hallenges posed by web servi es. Some on- entrate on bridging the gap between the program language obje ts and theXML obje ts that web servi es should ex hange [27, 28, 39℄, others provideabstra tions to manipulate interfa es [17℄, and others address asyn hronous ommuni ation by means of message passing [14℄. In [17℄, for instan e, anew language proposal has been presented, whi h ombines XQuery's seman-ti s with imperative onstru ts and a join al ulus-style on urren y model.The proposed language seems to solve some of the problems of main streamlanguages, like on urren y and message orrelation problems, whi h arisesfor instan e in Java and C#. It la ks, however, useful features likeinterfa einheritan e and the urrent implementation is based on the shared-state on- urren y and does not in ludes orrelated messages nor garbage olle tion.The solutions mentioned so far still la k support for dis overy, monitoringand management of ontra ts. Approa hes like AOP and CF an potentiallyprovide some help here (see e.g. [10℄), but they fail to abstra t low-levelissues and basi ally leave too mu h freedom to the programmer (whi h leadsto ode maintenan e and analysis issues).Despite of the urrent wide a eptan e of AOP as a good paradigm for im-proving reusability and modularity, there is no onvin ing and �nal solutionto the appli ation of aspe ts to real-time systems. In some ases [55℄, aspe t-orientation seems to perform better than obje t-orientation when dealingwith real-time spe i� ation, regarding system properties su h as testabilityand maintainability. On the other hand, in [7℄, there is a formal frameworkfor multi-threaded software and multi-pro essor ar hite ture software synthe-sis using timing onstraints, where it is shown that aspe t-oriented softwaredevelopment is not suitable for su h ases.A new on ept for real-time system development (ACCORD) is presentedin [53℄, ombining both omponent-based and aspe t-oriented software de-velopment (CBSD and AOSD, respe tively). ACCORD bridges the gap be-tween modern software engineering methods �fo used mainly on omponentmodels, interfa es and separation of on erns� and real-time design meth-ods, by proposing a model for software development using the advantages ofboth ommunities. As far as we know, the fo us is primarily on the designmethodology of real-time systems by using CBSD and AOSD, but not onanalysis (e.g. veri� ation) of real-time systems. It is not lear, either, howthe methodology ould be used in asyn hronous open distributed systemssu h as the Internet.Programs using real-time features are, in general, di� ult to design andverify, even more when ombined with an inheritan e me hanism. Chang-ing appli ation requirements or real-time spe i� ations in real-time obje t-oriented languages may produ e unne essary rede�nitions. This is alled the3

real-time spe i� ation inheritan e anomaly. To our knowledge, [3℄ is the onlywork trying to solve this problem; it does so by proposing real-time ompo-sition �lters. The idea seems attra tive and ould be in orporated within a ontra t-based approa h.A ontribution towards verifying properties of ontra ts involving real-time as formulated in existing languages is found in [24, 23℄. They use atranslation to a real-time model he ker to verify the ooperation aspe t of ontra ts.In on lusion, there is still plenty of work to do in dire tly supportingdevelopment of servi es that an be trusted to implement their ontra ts.1.2 OverviewIn the following se tion, we introdu e Servi e Oriented Ar hite tures (SOA)and Contra ts. In Se tion 3, we dis uss Programming Languages and SOAimplementation. In Se tion 4, we identify open problems. In Se tion 5 weoutline our resear h agenda while Se tion 6 on ludes on its feasibility.2 Servi e-OrientedAr hite turesIn a Servi e-Oriented Ar hite ture (SOA), appli ations are essentially dis-tributed systems omposed of servi es (see Fig. 1, borrowed from [44℄).A servi e is a loosely- oupled, te hnology neutral and self-des ribing om-putation element. Loose oupling is a hieved through en apsulation and ommuni ation through message passing; te hnology neutrality results fromadopting standardized me hanisms; and ri h interfa e languages permit theservi e to export su� ient information so that eventual lients an dis overand onne t to it [44℄.A SOA an be implemented in many di�erent ways. A urrently very pop-ular approa h uses a spe i� kind of servi e alled web servi e. Web servi esex hange SOAP [51℄ messages over standard Internet proto ols (e.g. HTTP)whi h arry a payload built from a sta k of open XML standards [58℄. Thereare strong similarities between servi es and omponents in a omponent-based system [52℄. However, servi es usually have a oarser granularity andthe ommuni ation medium (the Internet) with its high laten y and open-ness onstrains reliability and se urity in ways that easily go beyond what an be found in most omponent-based systems.4

Figure 1: The basi Servi e Oriented Ar hite ture2.1 Contra tsThe servi es in a SOA usually belong to di�erent organizational domains andtherefore there is no single line of authority regulating their intera tions. Inprin iple a onsumer must trust the provider to deliver the expe ted servi e,or establish a ontra t with it. For our purpose, a ontra t is a generi termfor the spe i� ation of a servi e whi h is negotiable and either stati ally en-for eable or monitorable. In other words, a ontra t des ribes an agreementbetween distin t servi es that determines rights and obligations on its signa-tories, and for whi h there exists a programmati way of identifying ontra tviolations. In the ase of a bilateral ontra t, one usually talks about the rolesof servi e provider and servi e onsumer; but multi-lateral ontra ts are alsopossible where the parti ipants may play other roles. A servi e provider mayalso use a ontra t template (i.e. a yet-to-be-negotiated ontra t) to publishthe servi es it is willing to provide. As a servi e spe i� ation, a ontra t maydes ribe many di�erent aspe ts of a servi e, in luding fun tional properties(i.e. behavior) and also non-fun tional properties like se urity (e.g. a ess ontrol), quality of servi e (QoS), information �ow and reputation.Following [13℄, ontra ts may be lassi�ed in four levels2:�The �rst level, basi , or synta ti , ontra ts, is required sim-2This lassi� ation refers to level 2 ontra ts as �behavioral ontra ts�. When we usethe same name in the rest of the do ument we a tually mean level 4 ontra ts. The readershould be aware that from now on, when we refer to �behavioral ontra ts� we are notrestri ted to sequential systems and mean level 4 ontra ts.5

ply to make the system work. The se ond level, behavioral on-tra ts, improves the level of on�den e in a sequential ontext.The third level, syn hronization ontra ts, improves on�den ein distributed or on urren y ontexts. The fourth level, quality-of-servi e ontra ts, quanti�es quality of servi e and is usuallynegotiable.�2.1.1 Contra t ModelsThere exists a number of ontra t models for servi es. The business pro essstandard ebXML [25℄ des ribes a Collaboration Proto ol Agreement as a on-tra t between business partners that spe i�es the behavior of ea h servi e (bysimply stating its role) and how information ex hanges are to be en oded.IBM's Web Servi e Level Agreement (WSLA [60℄) is an XML spe i� ationof performan e onstraints asso iated with the provision of a web servi e.It de�nes the sour es of monitoring data, a set of metri s (i.e. fun tions)to be evaluated on the data, and obligations on the signatories to maintainthe metri values within ertain ranges. The set of prede�ned metri s andthe stru ture of WSLA ontra ts are designed for servi es involving job sub-missions in a grid omputing environment. The later WS-Agreement [59℄, aGlobal Grid Forum re ommendation that has not rea hed the standard statusyet, is based on WSLA, but adapted to more re ent web-servi es standards,e.g. WS-Addressing and WS-Resour e Framework. WS-Agreement is alsoparametri on the language used to spe ify the metri s; but it must be anXML diale t.A number of problems have previously been identi�ed for these standardsand spe i� ations: They are restri ted to bilateral ontra ts, la k formalsemanti s (and therefore it is di� ult to reason about them), their treatmentof fun tional behavior is rather limited and the sub-languages used to spe ifyQoS and se urity onstraints are usually limited to small appli ation-spe i� domains.In order to remedy the situation the resear h ommunity has produ ed ontra t taxonomies [1, 13, 54℄, formalizations using logi s (e.g. lassi al[22℄, modal [21℄, deonti [46℄ and defeasible logi [31℄) and formalizationbased on models of omputation (e.g. �nite state ma hines [16℄ and PetriNets [20℄). The diversity of ontra t types, their appli ations and propertiesposes a serious hallenge to the de�nition of a generi ontra t model. This,however, has been identi�ed as a major pre ondition for the advan ement ofthe area [15℄.6

2.1.2 Dis overy and NegotiationIn a setup for ontra t-enhan ed servi e provision, providers are expe tedto make servi e des riptions available for onsumers to dis over and hooseamong them. The des ription takes the form of a proto- ontra t, or template,setting the basis for negotiating the provision of the servi e. Spe i� ationslike ebXML and WS-Agreement de�ne sub-languages for su h ontra t tem-plates, though they are usually atta hed to a very spe i� negotiation model.There is, however, a large body of resear h on ontra t negotiation pro-to ols under di�erent threat models, parti ularly in the area of agent-basedsystems [6, 48, 35℄.2.1.3 MonitoringMonitoring presents an important list of hallenges. First, monitoring data(in luding exe ution events and samplings of ontinuous pro esses) needs tobe olle ted in a timely, reliable and trustworthy manner. A set of ollab-orating Internet servi es forms a distributed system, and so must be themonitoring subsystem itself, with the onsequent di� ulties regarding o-ordination and dependability. Moreover, monitors are usually weaved intothe appli ation ode by spe ialists (not by ordinary programmers), reating omplex dependen ies that seriously a�e t the software development pro ess.2.1.4 Quality of Servi eA ording to the ARTIST road-map [15℄, quality of servi e is a �fun tionmapping a given system instan e with its full behavior onto some [quantita-tive℄ s ale�. Typi al QoS measures for web servi es in lude average responsetime, minimum ommuni ation bandwidth and peak CPU usage. Contra tlanguages like WSLA and WS-Agreement permit spe i� ation of QoS on-straints for web servi es. QoS measures usually depend on the behavior of theenvironment as well as of the servi e, thus models tend to have a sto hasti nature, although this is not really ne essary for monitoring purposes.Typi ally, ontra t languages for QoS of Internet servi es onsist of threemain sub-languages. Their purpose is to spe ify:1. The QoS measures (i.e. fun tions) in luding their domains;2. A mapping between elements in the exe ution model (e.g. observableevents) and the domains of QoS measures; and3. The onstraints on QoS measurements (i.e. the obligations).7

The design of these ontra t languages is therefore entered around the on- ept of QoS measure. However, realisti ontra ts are not easily modeledas a set of fun tions. Instead, they are built upon the fundamental on eptof obligation, to whi h other on epts (like QoS measures) be ome a es-sory. For instan e, the ful�llment or violation of an obligation may triggerother obligations. Fun tion-based approa hes need then to en ode obligationperforman es as elements in the domains of QoS measures.The in lusion of time s ales into these domains also ompli ates the designin ways we onsider unne essary. For example, WSLA and WS-Agreementuse the on ept of time series to de�ne time points where measurements needto be olle ted and then aggregated.2.1.5 Information FlowInformation �ow on erns issues like on�dentiality and integrity of infor-mation. Contra t languages for se urity (e.g. [8℄) do not usually addressinformation �ow, putting the stress instead on a ess ontrol. Regardingenfor ement of information �ow, there are ertainly stati solutions; but, infa t, we are not aware of any that use runtime methods. The stati approa husually omes in the shape of a type-system to enfor e noninterferen e [50℄,where the idea is to prevent all �ow of information from the domain of se- rets to the publi -domain. It has been noted however that noninterferen eis unsuitable in most real-life situations. There, an appli ation is expe tedto de lassify some well-de�ned pie e of information, thus reating the needto admit some �ows of se ret information to the publi -domain. Type sys-tems that try to a ommodate de lassi� ation, e.g. [43℄, soon su�er from theso- alled label reeping problem: A se urity type system, whi h asso iates a lassi� ation (or se urity label) to ea h pie e of data, ne essarily des ribes anabstra tion of a set of values, possibly losing pre ision every time the valueparti ipates in a omputation. The a umulation of these losses results intype systems that, in order to remain se ure, reje t too many se ure systems[19℄.On the other side, it is well-known that information �ow properties area tually not safety properties (in fa t, they do not even qualify as propertiesin the Alpern-S hneider lassi� ation [5℄). Therefore, runtime approa hesare generally onsidered inappropriate, sin e they are naturally asso iatedwith the enfor ement of safety properties.Re ent results by Hamlen et al. [42℄ and by Ligatti et al. [36℄ hint at thepotential of ode rewriting te hniques as a framework to a ommodate severalenfor ement me hanisms. There is a profusion of work on ode rewritingte hniques (see [57, 56℄ for two thorough surveys) with appli ations ranging8

from ompilation, program synthesis and optimization to refa toring andreverse engineering. However, not mu h resear h has been devoted to study ode rewriting for poli y enfor ement. A remarkable ex eption is [42℄ whereit is shown that RW-enfor eable poli ies (i.e. poli ies enfor eable using oderewriting) stri tly in lude those enfor eable using referen e monitors and/orstati analysis. These results provide strong eviden e that approximationsof information �ow properties may be RW-enfor eable, i.e. poli ies that anbe enfor ed using ode rewriting, f. the �Se ret File Poli y� example [42℄and [29℄.3 Programming languages andSOACurrent programming language abstra tions are not good enough for SOA,mu h less for web-servi e development. The industry develops web-servi esusing the obje t-oriented programming (OOP) paradigm whi h maps badlyto do ument-based ommuni ation, i.e. SOAP-transported XML do uments, required by web-servi es [39℄ Besides, many urrent produ tion OOP lan-guages (e.g. Java and C#) are based on the shared-state model of on- urren y so they do not handle on urren y and message passing parti u-larly well. Another riti ism to OOP on erns the possibility of reusability.Obje t-orientation provides two distin t me hanisms for omposing on erns:aggregation and inheritan e. Some examples show [4℄ that reusing ompo-nents through aggregation and inheritan e me hanisms may not be su essfulwhen the obje ts implement on erns like history information, multiple viewsand syn hronization. OOP needs therefore better abstra tion me hanisms.The Creol proje t [18℄ has been addressing many of the obje tions toobje t-orientation. Essentially, a Creol program onsists of on urrent ob-je ts ommuni ating asyn hronously and with internal pro ess ontrol. Bymeans of me hanisms for onditional pro essor release points, passive wait-ing, and time-out [33, 34℄, expli it syn hronization primitives are not neededin the language. An abstra t representation of the Creol ar hite ture isshown in Fig. 2. Compared to for instan e Polyphoni C#, Creol has asimpler set of ommuni ation primitives using the on ept of asyn hronousmethod all. By staying within the method paradigm, inheritan e and over-loading is unproblemati . Creol allows multiple inheritan e, whi h is notsupported by Java, Polyphoni C#, nor join al ulus based languages. In-stead of the standard AOP me hanisms, whi h hinder program reasoning,Creol o�ers a syn hronized merge operator whi h may be seen as a high-9

����������������������������

����������������������������

��������������������������������

��������������������������������

�����������������������������������

�����������������������������������

����������������������������

����������������������������

��������������������������������

��������������������������������

��������������������������������

��������������������������������

�����������������������������������

�����������������������������������

O1

O5

O6

O4

O7

O2

O3

I1,1

I2,1

I2,2

I3,1

I3,2

I3,3

I5,1

I4,1

I5,2

I6,2

I6,1

I6,3

q4

q6

q5

q3

q1

q2

I7,1

q7

N

Figure 2: The Creol Ar hite ture. For ea h obje t Oi: Ii,j are its interfa esand qi its message queue. N is the network.level AOP-like onstru t, and e�e tively redu es the problems related to theso- alled inheritan e anomaly [37℄, while allowing reasoning.XML do uments are not yet integrated in the Creol language, however,one may easily model an abstra tion of XML do uments in Creol, usingCreol's data types, whi h in ludes indu tively de�ned data types and a fun -tional sub-language (similar to, for instan e, Haskell). Sin e all messagesand immutable values are de�ned by data types in Creol, it is not natural tode�ne XML do uments by the lass me hanism, as would be the option inmost other obje t-oriented languages.4 Resear h dire tionsThe main problems and open issues identi�ed for supporting web servi esdevelopment in lude: 10

• Formal de�nition of generi ontra ts. Currently, there is no uni�edformal de�nition of ontra ts (in parti ular for QoS and on�dential-ity).• Negotiable and monitorable ontra ts. Contra ts must be negotiatedtill both parts agree on their �nal form and they must be monitorablein the sense that there must be a way to dete t violations.• Language-based support for ontra ts. In the literature (e.g., [39℄) ithas been identi�ed that the following three areas must have a language-based support: (a) data-a ess, (b) on urren y and ( ) se urity. Afourth area has to be onsidered: (d) ontra ts; urrently, no existingprogramming language supports negotiable and monitorable ontra ts.• Combination of obje t-orientation and on urren y models based onasyn hronous message-passing. The shared-state based on urren ymodel is not suitable for web servi e development.• Integration of XML into a host language. There is a big mismat hbetween XML and obje t data-models.• Harmonious oexisten e at the language level of real-time and inheri-tan e me hanisms.• Veri� ation of ontra t properties. The integration of ontra ts in aprogramming language should be a ompanied by good support forproving/guaranteeing essential ontra t properties. Guaranteeing thenon-violation of ontra ts might be done in (at least) four di�erentways: 1. enfor ement at runtime, through monitors, for instan e; 2.by onstru tion, e.g. through low-level language me hanisms; 3. stati analysis withstandard program analysis te hniques; or 4. model he k-ing. None of the above an be used as a generi , universal tool forinferring all the properties of ontra ts. Di�erent approa hes must beused for di�erent properties.Addressing these issues and problems, we need to develop a model of on-tra ts in a SOA that is broad enough to ater for at least ontra ts forQoS and on�dentiality. A minimum requirement is the ability to seamlessly ombine real-time models (for QoS spe i� ation) and behavioral models (es-sential to onstrain proto ol implementation and to enfor e on�dentiality).Contra t models should also address dis overy and negotiation. Regarding on�dentiality, it seems that more experiments with RW-enfor eable poli ies11

giving su� ient onditions for admissible information �ow [30℄ an be envis-aged. The obje tive should be to develop pra ti al and e� ient methods toenfor e information �ow properties of realisti ode, in luding ryptographi proto ol implementations.Yet, the formal de�nition of ontra ts should be only a �rst step towardsa more ambitious task, namely a language-based support for programmingand e�e tively use su h ontra ts. Some ontra ts may be seen as a wrapperwhi h �envelopes� the ode/obje t under the s ope of the ontra t. Fire-walls, for instan e, may be seen as a kind of ontra t between the ma hineand the external appli ations wanting to run on that ma hine. It ouldbe interesting to investigate a language primitive to reate wrapped obje tswhi h are orre t-by- onstru tion. Firewalls may then be implemented inthis way. On the other hand, ontra ts for QoS and on�dentiality ould bemodeled as �rst- lass entities using a �behavioral� approa h, through inter-fa es. In order to ta kle timed onstraints (related to QoS) su h interfa esneed also to in orporate time. As learly exposed in the ARTIST road-map[15℄, �nding languages or notations for des ribing timing behaviors and tim-ing requirements is easy; the real hallenges are in analysis, i.e. to he kthat the requirements are guaranteed. So, besides the synta ti extensionsmentioned above, the language needs to have timing semanti extensions inorder to allow extra tion of a timed model, e.g. a timed automaton. Itmay be he ked with existing tools e.g., Kronos [61℄ and Uppaal [11℄. Model he king tools will help to prove real-time properties, like guaranteeing thata given promise servi e will, for instan e, satisfy it response-time onstraint.Other properties may, instead, be proved to be orre t-by- onstru tion (e.g.wrappers, as mentioned above).In pra ti e, many properties annot be proved orre t using orre t-by- onstru tion or model he king te hniques. In su h ases only a runtimeapproa h may be used. It seems that a promising dire tion is to developte hniques for onstru ting runtime monitors from ontra ts. In this ase,monitors will be used to enfor e the non-violation of ontra ts.5 A spe i� proposalWe believe obje t-orientation is still a good paradigm for modeling open dis-tributed systems. The main problems with obje t-orientation ome from lan-guage design and implementation de isions, not from its original philosophy.The Creol proje t has addressed many of these problems. Creol has a formalsemanti s de�ned in rewriting logi [40℄ and implemented in Maude [38℄, andsupports ompositional program reasoning. In addition, the dynami lass12

����������������������������

����������������������������

��������������������������������

��������������������������������

�����������������������������������

�����������������������������������

����������������������������

����������������������������

��������������������������������

��������������������������������

��������������������������������

��������������������������������

�����������������������������������

�����������������������������������

O1

N

O5

O6

O4

O7

O2

O3

I1,1

I2,1

I2,2

I3,1

I3,2

I3,3

I5,1

I4,1

I5,2

I6,2

I6,1

I6,3

q4

q6

q5

q3

q1

q2

I7,1

q7

WLN

LN ′

W′

Figure 3: The Extended Creol Ar hite ture onstru t of Creol is well suited for dynami re on�guration and maintenan eof servi es in large networks. In its urrent state, Creol has basi onstru tsthat are suitable for programming the Internet in an obje t-oriented manner.Sin e its operational semanti s is exe utable in the Maude tool, a languageinterpreter is readily available. In addition, the various Maude ommandsfor model he king and exhaustive sear h are available for Creol programs.By using Creol and its de�nition in rewriting logi as our framework, wepropose the following:• Formalization of ontra ts (for on�dentiality and QoS) using a timingextension of rewriting logi .• Use of the meta-level apabilities of rewriting logi to spe ify ontra tnegotiation proto ols.• Synta ti extension of Creol to in lude ontra ts as interfa es.13

• Integration of XML in Creol.• Synta ti and semanti extension of Creol aiming at extra ting timedmodels amenable to model he king.• Analysis of the timed models using urrent model he king tools.• Runtime monitoring of ontra ts.Below we explain in more details the items above.Regarding the formal de�nition of ontra ts, many formalisms may beused, but we believe su h a generi model an be des ribed harmoniouslyusing real-time extensions of rewriting logi [62℄. This is in line with re entinvestigations in the use of rule languages to model ontra ts [32, 45℄. Whilethese rule-based languages are essentially ad-ho , we expe t to pro�t fromthe existing large body of resear h in rewriting logi s.The rule-based approa h promoted by the resear h mentioned above bringsalong new hallenges in the de�nition of appropriate negotiation s hemes [49,9, 47℄. Here again, rewriting logi an give invaluable help. Its re�e tion andmeta-level omputation properties may help de�ne and stru ture the negoti-ation proto ol.After de�ning ontra ts with suitable negotiation proto ols in a solid for-mal theory, we would like to on entrate on Creol extensions. By de�ninginterfa es on omponents onsisting of a olle tion of obje ts, we developa notion of ontra t for su h interfa es that integrates the main expressivepower of omposition �lters. In addition, the implementation of rewritinglogi by the Maude tool enables rapid prototyping and evaluation of alter-native designs, whi h is essential for �nding pra ti ally useful solutions. Theanalysis tools of Maude will be valuable when assessing their properties. Theinterfa e on ept of Creol is oriented towards spe i� ation of observable be-havior, expressed by means of the intera tion history, i.e. the sequen e of all(visible) messages to or from an obje t.A full integration of XML do uments in Creol would require an exten-sion of the language. In parti ular, the use of regular expressions should beintegrated in the fun tional sub-language, to allow �exible retrieval.When adding real-time, Creol interfa es may be used to spe ify stati anddynami ontra ts. Furthermore, semanti s extensions of Creol are neededin order to extra t a timed automaton amenable to be model he ked.Another interesting extension of Creol would be to augment the interfa esyntax with me hanisms for spe ifying dynami ontra t monitoring. More-over, the exe utable operational semanti s of Creol ould be used to testthe approa h in situations where formal veri� ation is pra ti ally impossible14

(e.g., on�dentiality properties). Additionally, the meta level of Maude maywell be used for monitoring without a�e ting the appli ation ode.The proposed extended Creol ar hite ture is shown in Fig. 3. Comparingwith Fig. 2, the extension onsists of wrappers enveloping sets of obje ts,possibly of di�erent lasses and ommuni ating through their own lo al net-works (LN and LN ′). The a ess from outside the wrapper will be regulatedby the wrapper interfa e W . Contra ts will be de�ned both at lo al (obje t)interfa es as well as at wrapper interfa es.6 Con lusionThe web is mostly used nowadays for retrieving remote information, but thereis a high demand for more hallenging appli ations that o�er, negotiate anddis over web servi es through XML interfa es. This new dire tion requiresredesigning software ar hite tures and revising the existing foundations of omputer s ien e. Software Engineering deals with the �rst aspe t while these ond one is on erned with models of omputation involving expressivenessresults, veri� ation and se urity [41℄.Moreover, in order to make ollaboration a reality among di�erent web-servi es, the formal de�nition of monitorable and negotiable ontra ts hasbe ome an imperative.In this paper we have surveyed main urrent approa hes to program web-servi es and the features of state-of-the-art programming languages used.We have identi�ed some problems and open issues of urrent approa hes (seeSe tion 4) and we have proposed general resear h dire tions and a parti ularroad-map based on Creol (Se tion 5).The next natural step is to map the expe ted results into real languages.One possibility would be to translate Creol programs into existing web-servi es languages. However, this approa h does not seem realisti , mainlybe ause the urrently available target languages are far from being suitablefor su h ambitious task. In our opinion the right approa h would be todevelop a ontra t-based language from s rat h, apitalizing on the Creolexperien e.Referen es[1℄ J. Aagedal. Quality of Servi e Support in Development of DistributedSystems. PhD thesis, Dept. of Informati s, University of Oslo, 2001.15

[2℄ M. Aksit, L. Bergmans, and S. Vural. An obje t-oriented language-database integration model: The omposition-�lters approa h. InECOOP '92: Pro eedings of the European Conferen e on Obje t-Oriented Programming, pages 372�395, London, UK, 1992. Springer-Verlag.[3℄ M. Aksit, J. Bos h, W. van der Sterren, and L. Bergmans. Real-timespe i� ation inheritan e anomalies and real-time �lters. Le ture Notesin Computer S ien e, 821:386�??, 1994.[4℄ M. Aksit and B. Tekinerdogan. Solving the modeling problems of obje t-oriented languages by omposing multiple aspe ts using omposition�lters, 1998.[5℄ B. Alpern and F. B. S hneider. De�ning liveness. Information Pro essingLetters, 21(4):181�185, O t. 1985.[6℄ J. M. Andreoli and S. Castellani. Towards a Flexible Middleware Nego-tiation Fa ility for Distributed Components. In DEXA '01: 12th Inter-national Workshop on Database and Expert Systems Appli ations, page732. IEEE Computer So iety, 2001.[7℄ I. Assayad, V. Bertin, F.-X. Defaut, P. Gerner, O. Quevreux, andS. Yovine. Jahuel: A formal framework for software synthesis. InICFEM, LNC, 2005. To appear.[8℄ J. S. B. de Win, F. Piessens and W. Joosen. Towards a Unifying Viewon Se urity Contra ts. In Software Engineering for Se ure Systems �Building Trustworthy Appli ations (SESS'05). ACM, 2005.[9℄ C. Bartolini, C. Preist, and N. R. Jennings. A Generi Software Frame-work for Automated Negotiation. Te hni al Report HPL-2002-2, HPLaboratories Bristol, Jan. 2002.[10℄ C. Be ker and K. Geihs. Quality of Servi e and Obje t-OrientedMiddleware-Multiple Con erns and their Separation. In 21st Interna-tional Conferen e on Distributed Computing Systems Workshops (ICD-CSW '01), 2001.[11℄ J. Bengtsson, K. Larsen, F. Larsson, P. Pettersson, and W. Yi. Uppaal� a Tool Suite for Automati Veri� ation of Real�Time Systems. InPro . of Workshop on Veri� ation and Control of Hybrid Systems III,number 1066 in LNCS, pages 232�243. Springer�Verlag, O tober 1995.16

[12℄ L. Bergmans and M. Aksit. Composing ross utting on erns using omposition �lters. Commun. ACM, 44(10):51�57, 2001.[13℄ A. Beugnard, J.-M. Jézéquel, and N. Plouzeau. Making omponents ontra t aware. IEEE Computer, 32(7):38�45, 1999.[14℄ G. Bierman, E. Meijer, and W. S hulte. The essen e of data a ess inCω. In European Conferen e on Obje t-Oriented Programming, 2005.[15℄ B. Bouyssounouse and J. Sifakis, editors. Embedded System Design:The ARTIST Roadmap for Resear h and Development, volume 3436 ofLe ture Notes in Computer S ien e. Springer-Verlag, 2005.[16℄ E. S. C. Molina-Jimenez, S. Shrivastava and J. Warne. Run-time Mon-itoring and Enfor ement of Ele troni Contra ts. Ele troni Commer eResear h and Appli ations, 3(2), 2004.[17℄ D. Cooney, M. Dumas, and P. Roe. A programming language for web ser-vi e development. In CRPIT '38: Pro eedings of the Twenty-eighth Aus-tralasian onferen e on Computer S ien e, pages 143�150, Darlinghurst,Australia, Australia, 2005. Australian Computer So iety, In .[18℄ Creol Homepage. http://www.ifi.uio.no/~ reol/.[19℄ M. Dam and P. Giambiagi. SPC 01-4025 Mobile Language Study, FinalTe hni al Report. Te hni al report, EOARD, 2003. http://www.si s.se/~pgiamb/Publi ations/eoard-TR2003.ps.gz.[20℄ A. Daskalopulu. Model Che king Contra tual Proto ols. In L. Breukerand Winkels, editors, Legal Knowledge and Information Systems, JU-RIX 2000: The 13th Annual Conferen e, Frontiers in Arti� ial Intelli-gen e and Appli ations Series, pages 35�47. IOS Press, 2000.[21℄ A. Daskalopulu and T. S. E. Maibaum. Towards Ele troni Contra tPerforman e. In Legal Information Systems Appli ations, 12th Interna-tional Conferen e and Workshop on Database and Expert Systems Ap-pli ations, pages 771�777. IEEE C.S. Press, 2001.[22℄ H. Davul u, M. Kifer, and I. V. Ramakrishnan. CTR-S: A Logi for Spe ifying Contra ts in Semanti Web Servi es. In Pro eedings ofWWW2004, pages 144�153, May 2004.[23℄ G. Diaz, J.-J. Pardo, M. E. Cambronero, V. Valero, and F. Cuartero.Automati translation of WS-CDL horeogra�es to timed automata. In17

Pro eedings of 2nd International Workshop on Web Servi es and FormalMethods (WS-FM 2005), September 2005.[24℄ G. Diaz, J.-J. Pardo, M. E. Cambronero, V. Valero, and F. Cuartero.Veri� ation of web servi es with timed automata. In Pro eedings of 1stInternational Workshop on Automated Spe i� ation And Veri� ation ofWeb, Mar h 2005.[25℄ ebXML: Ele troni Business using eXtensible Markup Language. www.ebxml.org.[26℄ R. E. Filman, T. Elrad, S. Clarke, and M. Ak³it, editors. Aspe t-OrientedSoftware Development. Addison-Wesley, Boston, 2005.[27℄ D. Flores u, A. Grünhagen, and D. Kossman. XL: An XML program-ming language for web servi e spe i� ation and omposition. In Pro .The Eleventh Int'l World Wide Web Conferen e, pages 65�76, May 2002.[28℄ D. Flores u, A. Grünhagen, and D. Kossman. XL: A platform for Webservi es. In Conferen e on Innovative Data Systems Resear h (CIDR),2003.[29℄ P. Giambiagi. Controlled De lassi� ation of Information. PhD thesis,Royal Te hni al University, Sto kholm, Sweden, In preparation 2005.[30℄ P. Giambiagi and M. Dam. On the Se ure Implementation of Se urityProto ols. S ien e of Computing Programming, 50:73�99, 2004.[31℄ G. Governatori. Representing business ontra ts in RuleML. Interna-tional Journal of Cooperative Information Systems, 14:181�216, 2005.[32℄ B. Grosof and T. Poon. Representing Agent Contra ts with Ex eptionsusing XML Rules, Ontologies, and Pro ess Des riptions. In RuleML,2002.[33℄ E. B. Johnsen and O. Owe. An asyn hronous ommuni ation model fordistributed on urrent obje ts. In Pro . 2nd Intl. Conf. on Software En-gineering and Formal Methods (SEFM'04), pages 188�197. IEEE Com-puter So iety Press, Sept. 2004.[34℄ E. B. Johnsen and O. Owe. Obje t-oriented spe i� ation and opendistributed systems. In O. Owe, S. Krogdahl, and T. Ly he, editors,From Obje t-Orientation to Formal Methods: Essays in Memory of Ole-Johan Dahl, volume 2635 of Le ture Notes in Computer S ien e, pages137�164. Springer-Verlag, 2004. 18

[35℄ S. Kraus. Automated Negotiation and De ision Making in MultiagentEnvironments. Le ture Notes in Arti� ial Intelligen e, 2086:150, 2001.[36℄ J. Ligatti, L. Bauer, and D. Walker. Edit automata: Enfor ement me h-anisms for run-time se urity poli ies. International Journal of Informa-tion Se urity, 4(1�2):2�16, Feb. 2005.[37℄ S. Matsuoka and A. Yonezawa. Analysis of inheritan e anomaly inobje t-oriented on urrent programming languages. Resear h dire tionsin on urrent obje t-oriented programming, pages 107�150, 1993.[38℄ Maude System. http://maude. s.uiu .edu/.[39℄ E. Meijer, W. S hulte, and G. Bierman. Programming with ir les,triangles and re tangles. In Pro eedings of the XML Conferen e, 2003.[40℄ J. Meseguer. Resear h dire tions in rewriting logi . In ComputationalLogi , volume 165 of Le ture Notes in Computer S ien e, Marktoberdorf,Germany, 1997. NATO Advan ed Study Institute, Springer-Verlag.[41℄ U. Montanari. Web servi es and models of omputation. In First Inter-national Workshop on Web Servi es and Formal Methods, volume 105of Ele troni Notes in Computer S ien e. Elsevier, 2004.[42℄ G. Morrisett, F. B. S hneider, and K. Hamlen. Computability lasses forenfor ement me hanisms. Te hni al Report 2003-1908, Cornell, 2003.[43℄ A. C. Myers. JFlow: Pra ti al mostly-stati information �ow ontrol.In Pro eedings of the 26th POPL, pages 228�241, San Antonio, TX, Jan.1999. ACM.[44℄ M. P. Papazoglou. Servi e-Oriented Computing: Con epts, Chara teris-ti s and Dire tions. In 4th International Conferen e on Web InformationSystems Engineering (WISE). IEEE CS, 2003.[45℄ A. Pas hke, M. Bi hler, and J. Dietri h. Contra tLog: An Approa h toRule Based Monitoring and Exe ution of Servi e Level Agreements. InRuleML, 2005.[46℄ A. Pas hke, J. Dietri h, and K. Kuhla. A Logi Based SLA ManagementFramework. In 4th Semanti Web Conferen e (ISWC 2005), 2005.[47℄ A. Pas hke, C. Kiss, and S. Al-Hunaty. A Pattern Language for De en-tralized Coordination and Negotiation Proto ols. In EEE, pages 404�407, 2005. 19

[48℄ W. Pi ard. NeSSy: Enabling Mass E-Negotiations of Complex Con-tra ts. In DEXA '03: 14th International Workshop on Database andExpert Systems Appli ations, page 829. IEEE Computer So iety, 2003.[49℄ D. M. Reeves, M. P. Wellman, and B. N. Grosof. Automated negotiationfrom de larative ontra t des riptions. In AGENTS '01: Pro eedings ofthe �fth international onferen e on Autonomous agents, pages 51�58.ACM Press, 2001.[50℄ A. Sabelfeld and D. Sands. A PER model of se ure information �ow insequential programs. Higher-Order and Symboli Computation, 14(1),2001.[51℄ Simple Obje t A ess Proto ol (SOAP). http://www.w3.org/TR/soap/.[52℄ C. Szyperski. Component te hnology - what, where, and how? In Pro- eedings of the 25th International Conferen e on Software Engineering(ICSE), pages 684�693. IEEE, 2003.[53℄ A. Tesanovi , D. Nyström, J. Hansson, and C. Norström. Aspe ts and omponents in real-time system development: Towards re on�gurableand reusable software. Journal of Embedded Computing, 1(1), 2 2004.[54℄ V. Tosi . On Comprehensive Contra tual Des riptions of Web Servi es.In IEEE International Conferen e on e-Te hnology, e-Commer e, ande-Servi e, pages 444�449. IEEE, 2005.[55℄ S. L. Tsang, S. Clarke, and E. L. A. Baniassad. An evaluation of aspe t-oriented programming for java-based real-time systems development. InISORC, pages 291�300, 2004.[56℄ E. Visser. A survey of rewriting strategies in program transformationsystems. Ele troni Notes in Theoreti al Computer S ien e, 57, 2001.[57℄ E. Visser. A survey of strategies in rule-based program transformationsystems, Mar h 2004. (Draft).[58℄ WSA. Web Servi es Ar hite ture. W3C Working Group Note, www.w3.org/TR/ws-ar h/, Feb 2004.[59℄ Web Servi es Agreement Spe i� ation (WS-Agreement).https://forge.gridforum.org/proje ts/graap-wg/do ument/WS-AgreementSpe ifi ation/en/7.20

[60℄ WSLA: Web Servi e Level Agreements. www.resear h.ibm. om/wsla/.[61℄ S. Yovine. Kronos: A veri� ation tool for real-time systems. Interna-tional Journal of Software Tools for Te hnology Transfer, 1(1/2):123�133, O tober 1997.[62℄ P. Ölve zky. Spe i� ation of real-time and hybrid systems in rewritinglogi . Theoreti al Computer S ien e, 285, 2002.

21