Causal Consistency for Reversible Multiparty Protocols

In programming models with a reversible semantics, computational steps can be undone. This paper addresses the integration of reversible semantics into process languages for communication-centric systems equipped with behavioral types. In prior work, we introduced a monitors-as-memories approach to seamlessly integrate reversible semantics into a process model in which concurrency is governed by session types (a class of behavioral types), covering binary (two-party) protocols with synchronous communication. The applicability and expressiveness of the binary setting, however, is limited. Here we extend our approach, and use it to define reversible semantics for an expressive process model that accounts for multiparty (n-party) protocols, asynchronous communication, decoupled rollbacks, and abstraction passing. As main result, we prove that our reversible semantics for multiparty protocols is causally-consistent. A key technical ingredient in our developments is an alternative reversible semantics with atomic rollbacks, which is conceptually simple and is shown to characterize decoupled rollbacks.Comment: Extended, revised version of a PPDP'17 paper (https://doi.org/10.1145/3131851.3131864

Combining behavioural types with security analysis

Today's software systems are highly distributed and interconnected, and they increasingly rely on communication to achieve their goals; due to their societal importance, security and trustworthiness are crucial aspects for the correctness of these systems. Behavioural types, which extend data types by describing also the structured behaviour of programs, are a widely studied approach to the enforcement of correctness properties in communicating systems. This paper offers a unified overview of proposals based on behavioural types which are aimed at the analysis of security properties

On duality relations for session types

Session types are a type formalism used to describe communication protocols over private session channels. Each participant in a binary session owns one endpoint of a session channel. A key notion is that of duality: the endpoints of a session channel should have dual session types in order to guarantee communication safety. Duality relations have been independently defined in different ways and different works, without considering their effect on the type system. In this paper we systematically study the existing duality relations and some new ones, and compare them in order to understand their expressiveness. The outcome is that those relations are split into two groups, one related to the na¨ıve inductive duality, and the other related to a notion of mutual compliance, which we borrow from the literature on contracts for web-services

Contract agreements via logic

We relate two contract models: one based on event structures and game theory, and the other one based on logic. In particular, we show that the notions of agreement and winning strategies in the game-theoretic model are related to that of provability in the logical model.Comment: In Proceedings ICE 2013, arXiv:1310.401

Lending Petri nets and contracts

Choreography-based approaches to service composition typically assume that, after a set of services has been found which correctly play the roles prescribed by the choreography, each service respects his role. Honest services are not protected against adversaries. We propose a model for contracts based on a extension of Petri nets, which allows services to protect themselves while still realizing the choreography. We relate this model with Propositional Contract Logic, by showing a translation of formulae into our Petri nets which preserves the logical notion of agreement, and allows for compositional verification

Contractual Testing

Variants of must testing approach have been successfully applied in Service Oriented Computing for capturing compliance between (contracts exposed by) a client and a service and for characterising safe replacement, namely the fact that compliance is preserved when a service exposing a ’smaller’ contract is replaced by another one with a ’larger’ contract. Nevertheless, in multi-party interactions, partners often lack full coordination capabilities. Such a scenario calls for less discriminating notions of testing in which observers are, e.g., the description of uncoordinated multiparty contexts or contexts that are unable to observe the complete behaviour of the process under test. In this paper we propose an extended notion of must preorder, called contractual preorder, according to which contracts are compared according to their ability to pass only the tests belonging to a given set. We show the generality of our framework by proving that preorders induced by existing notions of compliance in a distributed setting are instances of the contractual preorder when restricting to suitable sets of observers

Orchestrated Session Compliance

We investigate the notion of orchestrated compliance for client/server interactions in the context of session contracts. Devising the notion of orchestrator in such a context makes it possible to have orchestrators with unbounded buffering capabilities and at the same time to guarantee any message from the client to be eventually delivered by the orchestrator to the server, while preventing the server from sending messages which are kept indefinitely inside the orchestrator. The compliance relation is shown to be decidable by means of 1) a procedure synthesising the orchestrators, if any, making a client compliant with a server, and 2) a procedure for deciding whether an orchestrator behaves in a proper way as mentioned before.Comment: In Proceedings ICE 2015, arXiv:1508.0459

Choreographies in the wild

We investigate the use of choreographies in distributed scenarios where, as in the real world, mutually distrusting (and possibly dishonest) participants may be unfaithful to their expected behaviour. In our model, each participant advertises its promised behaviour as a contract. Participants may interact through multiparty sessions, created when their contracts allow to synthesise a choreography. We show that systems of honest participants (which always adhere to their contracts) enjoy progress and session fidelity

Preliminary Results Towards Contract Monitorability

This paper discusses preliminary investigations on the monitorability of contracts for web service descriptions. There are settings where servers do not guarantee statically whether they satisfy some specified contract, which forces the client (i.e., the entity interacting with the server) to perform dynamic checks. This scenario may be viewed as an instance of Runtime Verification, where a pertinent question is whether contracts can be monitored for adequately at runtime, otherwise stated as the monitorability of contracts. We consider a simple language of finitary contracts describing both clients and servers, and develop a formal framework that describes server contract monitoring. We define monitor properties that potentially contribute towards a comprehensive notion of contract monitorability and show that our simple contract language satisfies these properties.Comment: In Proceedings PrePost 2016, arXiv:1605.0809