Tisa: A Language Design and Modular Verification Technique for Temporal Policies in Web Services

Web services are distributed software components, that are decoupled from each other using interfaces with specified functional behaviors. However, such behavioral specifications are insufficient to demonstrate compliance with certain temporal non-functional policies. An example is demonstrating that a patient’s health-related query sent to a health care service is answered only by a doctor (and not by a secretary). Demonstrating compliance with such policies is important for satisfying governmental privacy regulations. It is often necessary to expose the internals of the web service implementation for demonstrating such compliance, which may compromise modularity. In this work, we provide a language design that enables such demonstrations, while hiding majority of the service’s source code. The key idea is to use greybox specifications to allow service providers to selectively hide and expose parts of their implementation. The overall problem of showing compliance is then reduced to two subproblems: whether the desired properties are satisfied by the service’s greybox specification, and whether this greybox specification is satisfied by the service’s implementation. We specify policies using LTL and solve the first problem by model checking. We solve the second problem by refinement techniques

Reconciling Trust and Modularity Goals in Web Services

Web services are distributed software components, that are decoupled from each other using interfaces with specified functional behaviors. However, such behavioral specifications are insufficient to demonstrate compliance with certain temporal non-functional policies. We show an example demonstrating that a patient\u27s health-related query sent to a health care service is answered only by a doctor (and not by a secretary). Demonstrating compliance with such policies is important for satisfying governmental privacy regulations. It is often necessary to expose the internals of the web service implementation for demonstrating such compliance, which may compromise modularity. In this work, we provide a language design that enables such demonstrations, while hiding majority of the service\u27s source code. The key idea is to use greybox specifications to allow service providers to selectively hide and expose parts of their implementation. The overall problem of showing compliance is then reduced to two subproblems: whether the desired properties are satisfied by the service\u27s greybox specification, and whether this greybox specification is satisfied by the service\u27s implementation. We specify policies using LTL and solve the first problem by model checking. We solve the second problem by refinement techniques

Translucid contracts: Expressive specification and modular verification of aspect oriented interfaces

As aspect-oriented (AO) programming techniques become more widely used, their use in critical systems such as aircraft and telephone networks, will become more widespread. However, careful reasoning about AO code seems difficult because: (1) advice may apply in too many places, and (2) standard specification techniques do not limit the control effects of advice. Commonly used black box specification techniques cannot easily specify control effects, such as advice that does not proceed to the advised code. In this work we avoid the first problem by using Ptolemy, a language with explicit event announcement. To solve the second problem we give a simple and understandable specification technique, translucid contracts, that not only allows programmers to write modular specifications for advice and advised code, but also allows them to reason about the code\u27s control effects. We show that translucid contracts support sound modular verification of typical interaction patterns used in AO code. We also show that translucid contracts allow interesting control effects to be specified and enforced

Reverse Engineering Aspects to Derive Application Class Models

Aspects provide a nice way to modify behavior and implement cross-cutting concerns in object-oriented systems. As such, aspects do not have an existence of their own the application classes that the aspects refer to must be present in order to instantiate the aspects. In this research, we present a reverse engineering approach to generate a minimal class model that has all the structural elements necessary in order to complete exercise a set of aspect

Reverse Engineering Aspects to Derive Application Class Models

Aspects provide a nice way to modify behavior and implement cross-cutting concerns in object-oriented systems. As such, aspects do not have an existence of their own the application classes that the aspects refer to must be present in order to instantiate the aspects. In this research, we present a reverse engineering approach to generate a minimal class model that has all the structural elements necessary in order to complete exercise a set of aspect

A Meta-Level Framework for Recording and Utilizing Communication Histories in Maude

The thesis is part of the Creol research project, and considers objects that communicate asynchronously through message passing. Objects and messages are represented by a global state called a configuration. The configuration is a multiset that models a highly non-deterministic system with concurrent objects. This model is well suited for both standard object based Maude specifications and Creol programs executed in Maude by the Creol interpreter. The objects' interaction can be recorded by an external observer in a communication history. By specifying predicates on this history, we can define invariants for an object's behavior, as well as an object's assumptions with regards to the behavior of its surrounding environment. The main goal for this thesis is to develop a formal framework in Maude for executing specifications modeling distributed systems, that can record and utilize a communication history. More specifically, the following points are addressed: - How can we execute Maude specifications and transparently, in the sense that the original specification remains unchanged, build a communication trace as the execution proceeds? - How can we define predicates on this trace, and use such predicates to control and test the behavior of objects? - How can these techniques be applied to the Creol language, and more specifically, to the Creol interpreter developed in Maude? - How can we execute models of highly non-deterministic concurrent systems, such as Creol programs, in the deterministic rewrite tool Maude

Abstract Black-box Testing of Grey-box Behavior

A key aspect of the Object-Oriented (OO) approach is that a designer can enrich an OO system by providing suitable (re-)definitions for some of the methods of the given system. Application frameworks provide good examples of such enrichment. An OO framework typically provides a number of template methods that implement specific patterns of calls to hook methods. An application developer can customize the framework by simply providing definitions, suited to the needs of the particular application, for the hook methods. The calls, made by the template methods of the framework, are dispatched at run-time to the hook methods defined in the application, thereby customizing the behavior of the template methods as well. Testing such systems should include testing the hook method call-patterns of the template methods, that is their grey-box behavior. But software vendors often do not provide the source code of their systems. This poses the challenge, how can we test the grey-box behavior of a system without being able to access and instrument the code? In this paper, we develop an approach that allows us to do this, and demonstrate it on a simple case study.