Operating guidelines for services

In the paradigm of service-oriented computing, companies organize their core competencies as services and may request other functionalities from services of other companies. Services provide high flexibility, platform independent loose coupling, and distributed execution. They may thus help to reduce the complexity of dynamically binding and integrating heterogenous processes within and across organizations. The vision of service-oriented architectures is to provide a framework for publishing new services, for on demand searching for and discovery of existing services, and for dynamically binding services to achieve common business goals. That way, each individual organization gains more flexibility to dynamically react on new challenges. As services may be created or modified, or collaborations may be restructured at any point in time, a new challenge arises in this setting—the challenge for deciding the compatibility of the composed services before their actual binding. Recent literature distinguishes four different aspects of service compatibility: syntactical, behavioral, semantical, and non-functional compatibility. In this thesis, we focus on behavioral compatibility and abstract from the other aspects. Potential behavioral incompatibilities between services include deadlocks (two services wait for a message of each other), livelocks (two services keep exchanging messages without progressing), and pending messages that have been sent but cannot be received anymore. For stateful services that interact via asynchronous message passing, deciding behavioral compatibility is far from trivial. Local changes to one service may introduce errors in some or even all other services of an interaction. The verification of behavioral compatibility suffers from state explosion problems and is restricted by privacy issues. That is, the parties of an interaction are essentially autonomous and may be competitors in other business fields. Consequently, they do not want to reveal the internals of their processes to the other participants in order to hide trade secrets. To systematically approach this challenge, we introduce a formal framework based on Petri nets and automata for service modeling and formalize behavioral compatibility as deadlock freedom of the composition of the services. The main contribution of this thesis is to introduce the concept of the operating guideline of a service. Operating guidelines provide a formal characterization of the set of all behaviorally compatible services R for a given service S. Usually, this set is infinite. However, the operating guideline OGS of a service S serves as a finite representation of this infinite set. Furthermore, the operating guideline of S reveals only internals that are inevitably necessary to decide behavioral compatibility with S. We provide a construction method of operating guidelines for finite-state services with bounded communication. Operating guidelines can be used in many applications in the context of serviceoriented computing. The most fundamental application is to support the discovery of behaviorally compatible services. To this end, we develop a matching procedure that efficiently decides whether a given service R is characterized by the operating guideline OGS of a service S. If R matches, then both services R and S are behaviorally compatible and can be bound together to interact with each other. If R does not match with OGS, then the services are behaviorally incompatible and may run into severe behavioral errors and not reach their common business goal. Operating guidelines can furthermore be applied in the novel research areas of service substitutability and the generation of adapter services, for instance. To this end, we develop methods to compare the sets of services characterized by the operating guidelines OGS and OGS0 . If OGS0 characterizes more services than OGS, then the service S can be substituted by the service S0 without loosing any behaviorally compatible interaction partner R. Furthermore, we show how to synthesize a service R from the operating guideline OGS such that R is behaviorally compatible to S by construction. All results presented in this thesis are implemented in our service analysis tool Fiona. Fiona may compute operating guidelines for services modeled as Petri nets. It may match a service with an operating guideline, compare operating guidelines for equivalence or an inclusion relation, and synthesize service adapters for behaviorally incompatible services. Together with the tool BPEL2oWFN— which translates web services specified in BPEL into Petri net models of the services—we can immediately apply our results to services that stem from practic

Service substitution : a behavioral approach based on Petri Nets

Service-Oriented Computing is an emerging computing paradigm that supports the modular design of (software) systems. Complex systems are designed by composing less complex systems, called services. Such a (complex) system is a distributed application often involving several cooperating enterprises. As a system usually changes over time, individual services will be substituted by other services. Substituting one service by another one should not affect the correctness of the overall system. Assuring correctness becomes particularly challenging, as the services rely on each other, and each of the involved enterprises only oversees a part of the overall system. In addition, services communicate asynchronously which makes the analysis even more difficult. For this reason, formal methods to support service substitution are indispensable. In this thesis, we study service substitution at the level of service models. Thereby we restrict ourselves to service behavior. As a formalism to model service behavior, we use Petri nets. The first contribution of this thesis is the definition of several substitutability criteria that are suitable in the context of Service-Oriented Computing. Substituting a service S by a service S0 should preserve some behavioral properties of the overall system. For each set of behavioral properties and a given service S, there exists a set of behaviorally compatible services for S. A substitutability criterion defines which of these behaviorally compatible services of S have to be preserved by S0. We relate our substitutability criteria to preorders and equivalences known from process theory. The second contribution of this thesis is to present, for each substitutability criterion, a procedure to decide whether a service S0 can substitute a service S. The decision requires the comparison of the in general infinite sets of behaviorally compatible services for the services S and S0. Hence, we extend existing work on an abstract representation of all behaviorally compatible services for a given service. For each notion of behavioral compatibility, we present an algorithmic solution to represent all behaviorally compatible services. Based on these representations, we can decide substitutability of a service S by a service S0. The third contribution of this thesis is a method to support the design of a service S0 that can substitute a service S according to a substitutability criterion. Our approach is to derive a service S0 from the service S by stepwise transformation. To this end, we present several transformation rules. Finally, we formalize and we extend the equivalence notion for services specified in the language WS-BPEL. That way, we demonstrate the applicability of our work

Towards Compliance of Cross-Organizational Processes and their Changes

Businesses require the ability to rapidly implement new processes and to quickly adapt existing ones to environmental changes including the optimization of their interactions with partners and customers. However, changes of either intra- or cross-organizational processes must not be done in an uncontrolled manner. In particular, processes are increasingly subject to compliance rules that usually stem from security constraints, corporate guidelines, standards, and laws. These compliance rules have to be considered when modeling business processes and changing existing ones. While change and compliance have been extensively discussed for intra-organizational business processes, albeit only in an isolated manner, their combination in the context of cross-organizational processes remains an open issue. In this paper, we discuss requirements and challenges to be tackled in order to ensure that changes of cross-organizational business processes preserve compliance with imposed regulations, standards and laws

Metamorphic testing for cybersecurity

Metamorphic testing (MT) can enhance security testing by providing an alternative to using a testing oracle, which is often unavailable or impractical. The authors report how MT detected previously unknown bugs in real-world critical applications such as code obfuscators, giving evidence that software testing requires diverse perspectives to achieve greater cybersecurity

A Method of Functional Alignment Verification in Hierarchical Enterprise Models

Enterprise modeling involves multiple domains of expertise: requirements engineering, business process modeling, IT development etc. Our experience has shown that hierarchical enterprise models, made of an assembly of system models, are effective. In these models, two hierarchies exist: an organizational level hierarchy (describing systems' construction) and a functional level hierarchy (describing systems' functionality). Using a uniform hierarchical modeling language, system models at different hierarchical levels can be aligned in the context of the enterprise model. Using an operational semantics, each system model can be translated into executable code for model simulation and testing. The possibility to simulate and test models leads to the alignment verification for all system models across both hierarchies. In this paper we propose a method and tool for functional alignment verification. We use the Abstract State Machine (ASM) and the ASM language (AsmL) to formalize our graphical models for simulation and testing. We illustrate this approach with an example

Extending substitutability in composite services by allowing asynchronous communication

Web services are programs that are self-contained, self-describing, interoperable, platform-independent, and accessible over a network. These properties allow several Web services to be combined together to form a Web service composition. However, when a component service within a Web service composition becomes unavailable or unusable, it is necessary to identify a substitute service that can replace the failed component while preserving the original functionality of the composition. This is the problem of Web service substitution. Most existing work that addresses this problem requires strict functional equivalence between the original component and its substitute. In contrast, Pathak et al. have shown in 2007 that it is sufficient for a substitute service to provide the same functionality with respect to the rest of the composition as the component it is replacing. Pathak et al. apply a technique called quotienting to determine the portion of the composition\u27s overall functionality that is satisfied by the original component. The quotienting operation yields the property that must be satisfied by a substitute for that component. While the use of quotienting allows more possible substitute services to be accepted, it is possible to relax the substitutability condition even further by considering asynchronous communication between component services within the Web service composition model. Our work accomplishes this task by providing a formal framework for representing asynchronous communication within a Web service composition. In our framework, the asynchronous communication is encapsulated in a buffer process, which stores each message until a component is ready to consume it. We prove the correctness of our solution, describe our implementation, and discuss some directions for future research

Detecting component changes at run time with behavior models

Modern software systems are composed of several services which may be developed and maintained by third parties and thus they can change independently and without notice during the system’s runtime execution. In such systems, changes may possibly be a threat to system functional correctness, and thus to its reliability. Hence, it is important to detect them as soon as they happen to enable proper reaction. Change detection can be done by monitoring system execution and comparing the observed execution traces against models of the services composing the application. Unfortunately, formal specifications for services are not usually provided and developers have to infer them. In this paper we propose a methodology which exactly addresses these issues by using software behavior models to monitor component execution and detect changes. In particular, we describe a technique to infer behavior model specifications with a dynamic black box approach, keep them up-to-date with run time observations and detect behavior changes. Finally, we present a case study to validate the effectiveness of the approach in component change detection for a component that implements a complex, real communication protocol.European Commission (Programme IDEAS-ERC, Project 227977-SMScom

Dealing with change in process choreographies: Design and implementation of propagation algorithms

Enabling process changes constitutes a major challenge for any process-aware information system. This not only holds for processes running within a single enterprise, but also for collaborative scenarios involving distributed and autonomous partners. In particular, if one partner adapts its private process, the change might affect the processes of the other partners as well. Accordingly, it might have to be propagated to concerned partners in a transitive way. A fundamental challenge in this context is to find ways of propagating the changes in a decentralized manner. Existing approaches are limited with respect to the change operations considered as well as their dependency on a particular process specification language. This paper presents a generic change propagation approach that is based on the Refined Process Structure Tree, i.e., the approach is independent of a specific process specification language. Further, it considers a comprehensive set of change patterns. For all these change patterns, it is shown that the provided change propagation algorithms preserve consistency and compatibility of the process choreography. Finally, a proof-of-concept prototype of a change propagation framework for process choreographies is presented. Overall, comprehensive change support in process choreographies will foster the implementation and operational support of agile collaborative process scenarios

Formalization and Model Checking of BPMN Collaboration Diagrams with DD-LOTOS

Business Process Model and Notation (BPMN) is a standard graphical notation for modeling complex business processes. Given the importance of business processes, the modeling analysis and validation stage for BPMN is essential. In recent years, BPMN notation has become a widespread practice in business process modeling because of these intuitive diagrams. BPMN diagrams are built from basic elements. The major challenge of BPMN diagrams is the lack of formal semantics, which leads to several interpretations of the concerned diagrams. Hence, this work aims to propose an approach for checking BPMN collaboration diagrams to guarantee some properties of smooth functioning of systems modeled by BPMN notation. The verification approach used in this work is based on model checking techniques. The approach proposes as a first step a formal semantics of the collaboration diagrams in terms of the formal language DD-LOTOS, i.e., a phase of the transformation of collaboration diagrams into DD-LOTOS. This transformation is guided by applying the inference rules of the formal semantics of the DD-LOTOS formal language, and we then use the UPPAAL model checker to check the absence of deadlock, safety properties, and liveness properties