
    Analysis and Verification of Service Interaction Protocols - A Brief Survey

    Modeling and analysis of interactions among services is a crucial issue in Service-Oriented Computing. Composing Web services is a complicated task which requires techniques and tools to verify that the new system will behave correctly. In this paper, we first overview some formal models proposed in the literature to describe services. Second, we give a brief survey of verification techniques that can be used to analyse services and their interaction. Last, we focus on the realizability and conformance of choreographies. Comment: In Proceedings TAV-WEB 2010, arXiv:1009.330

    A mechanized proof of loop freedom of the (untimed) AODV routing protocol

    The Ad hoc On-demand Distance Vector (AODV) routing protocol allows the nodes in a Mobile Ad hoc Network (MANET) or a Wireless Mesh Network (WMN) to know where to forward data packets. Such a protocol is 'loop free' if it never leads to routing decisions that forward packets in circles. This paper describes the mechanization of an existing pen-and-paper proof of loop freedom of AODV in the interactive theorem prover Isabelle/HOL. The mechanization relies on a novel compositional approach for lifting invariants to networks of nodes. We exploit the mechanization to analyse several improvements of AODV and show that Isabelle/HOL can re-establish most proof obligations automatically and identify exactly the steps that are no longer valid. Comment: The Isabelle/HOL source files, and a full proof document, are available in the Archive of Formal Proofs, at http://afp.sourceforge.net/entries/AODV.shtm
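As an added example (not the paper's Isabelle/HOL development), the following Python checks a snapshot of AODV-style routing tables against the loop-freedom property stated above, and against the classic sufficient invariant for AODV loop freedom: along the next-hop chain towards a destination, the destination sequence number never decreases and, where it stays equal, the hop count strictly decreases. The `Route` record, the three tables and the helper names are constructed for illustration. The third table is a snapshot with no forwarding loop that nevertheless violates the invariant; that is exactly the kind of state an inductive invariant has to rule out, because a cycle check on one snapshot says nothing about the next transition.

```python
"""Loop-freedom checks on a snapshot of AODV-style routing tables.

Constructed example, not code from the paper. Each node holds a routing
table mapping a destination to Route(next_hop, hops, seqno). We check:
  1. the semantic property: following next hops never forwards a packet
     in a circle (the definition of loop freedom in the abstract);
  2. the classic sufficient invariant for AODV: the next hop's route to the
     destination is strictly "better", i.e. higher sequence number, or
     equal sequence number and strictly fewer hops.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple

@dataclass(frozen=True)
class Route:
    next_hop: str
    hops: int
    seqno: int

Tables = Dict[str, Dict[str, Route]]   # node -> {destination: Route}

def follows_path(tables: Tables, src: str, dest: str) -> List[str]:
    """Nodes visited from src towards dest; stops at dest, at a node with
    no route, or as soon as a node repeats (a forwarding loop)."""
    visited = [src]
    cur = src
    while cur != dest:
        route = tables.get(cur, {}).get(dest)
        if route is None:
            break
        cur = route.next_hop
        visited.append(cur)
        if visited.count(cur) > 1:
            break
    return visited

def has_forwarding_loop(tables: Tables, dest: str) -> bool:
    """True if some node's packets to dest would be forwarded in a circle."""
    return any(len(p) != len(set(p))
               for p in (follows_path(tables, n, dest) for n in tables))

def quality(r: Route) -> Tuple[int, int]:
    """Route quality: higher seqno wins, then fewer hops."""
    return (r.seqno, -r.hops)

def violates_invariant(tables: Tables, dest: str) -> List[Tuple[str, str]]:
    """(node, next_hop) pairs where the next hop's route to dest is missing
    or not strictly better than the node's own route."""
    bad = []
    for node, table in tables.items():
        r = table.get(dest)
        if r is None or node == dest or r.next_hop == dest:
            continue
        r2 = tables.get(r.next_hop, {}).get(dest)
        if r2 is None or quality(r2) <= quality(r):
            bad.append((node, r.next_hop))
    return sorted(bad)

# Constructed snapshots for destination "d".
GOOD: Tables = {                          # a -> b -> c -> d, seqno 5 throughout
    "a": {"d": Route("b", 3, 5)},
    "b": {"d": Route("c", 2, 5)},
    "c": {"d": Route("d", 1, 5)},
    "d": {},
}
LOOPED: Tables = {                        # a and b point at each other
    "a": {"d": Route("b", 2, 5)},
    "b": {"d": Route("a", 2, 5)},
    "d": {},
}
STALE: Tables = {                         # no cycle now, but a's seqno (6) is
    "a": {"d": Route("b", 3, 6)},         # ahead of b's (5): invariant broken
    "b": {"d": Route("c", 2, 5)},
    "c": {"d": Route("d", 1, 5)},
    "d": {},
}

if __name__ == "__main__":
    for name, t in (("GOOD", GOOD), ("LOOPED", LOOPED), ("STALE", STALE)):
        print(name, "loop:", has_forwarding_loop(t, "d"),
              "invariant violations:", violates_invariant(t, "d"))
```

The cycle check alone would pass the `STALE` table; the invariant flags it, which is the property one would carry through every AODV transition in a mechanized proof.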

    Set Partition and Trace Based Verification of Web Service Composition

    Designing and running Web service compositions is error-prone, as it is difficult to determine the behavior of Web services during execution and their conformance to functional requirements. Interaction among composite Web services may cause concurrency-related issues. In this paper, we present a formal model for reasoning about and verifying Web service composition at the design level. We partition the candidate services being considered for composition into several subsets on the basis of their service invocation order. We arrange these subsets to form a Web services set partition graph and transform it into a set of interacting traces. We then propose a novel methodology for service interaction verification that uses the service description (from the WSDL file) to extract the necessary information and facilitates the process of modeling, analyzing, and reasoning about the composite services. As part of the verification technique, we use two levels of modeling: abstract modeling, which leads to detailed modeling only if required, thereby reducing computation time and modeling complexity.

    Formally designing and implementing cyber security mechanisms in industrial control networks.

    This dissertation describes progress in the state of the art for developing and deploying formally verified cyber security devices in industrial control networks. It begins by detailing the unique struggles that are faced in industrial control networks and why concepts and technologies developed for securing traditional networks might not be appropriate. It uses these unique struggles and examples of contemporary cyber-attacks targeting control systems to argue that progress in securing control systems is best met with formal verification of systems, their specifications, and their security properties. This dissertation then presents a development process and identifies two technologies, TLA+ and seL4, that can be leveraged to produce a high-assurance embedded security device. The method presented in this dissertation takes an informal design of an embedded device that might be found in a control system and 1) formalizes the design within TLA+, 2) creates and mechanically checks a model built from the formal design, and 3) translates the TLA+ design into a component-based architecture of a native seL4 application. The later chapters of this dissertation describe an application of the process to a security preprocessor embedded device that was designed to add security mechanisms to the network communication of an existing control system. The device and its security properties are formally specified in TLA+ in chapter 4, mechanically checked in chapter 5, and finally its native seL4 architecture is implemented in chapter 6. Finally, the conclusions derived from the research are laid out, as well as some possibilities for expanding the presented method in the future.

    Components, contracts, and connectors for the Unified Modelling Language UML

    The lack of a component concept for the UML is widely acknowledged. Contracts between components can be the starting point for introducing components and component interconnections. Contracts between service providers and service users are formulated based on abstractions of action and operation behaviour using the pre- and postcondition technique. A valid contract allows one to establish an interconnection, a connector, between the provider and the user. The contract concept supports the re-use of components by providing means to establish and modify component interconnections. A flexible contract concept shall be based on a refinement relation for operations and classes, derived from operation abstractions. Abstract behaviour, expressed by pre- and postconditions, and refinement are the key elements in the definition of a formal and flexible component and component interconnection approach.

    Automated Validation of State-Based Client-Centric Isolation with TLA+

    Clear consistency guarantees on data are paramount for the design and implementation of distributed systems. When implementing distributed applications, developers require approaches to verify the data consistency guarantees of an implementation choice. Crooks et al. define a state-based and client-centric model of database isolation. This paper formalizes this state-based model in TLA+, reproduces their examples and shows how to model check runtime traces and algorithms with this formalization. The formalized model in TLA+ enables semi-automatic model checking of different implementation alternatives for transactional operations and allows checking conformance to isolation levels. We reproduce examples of the original paper and confirm the isolation guarantees of the combination of the well-known two-phase locking and two-phase commit algorithms. Using model checking, this formalization can also help find bugs in incorrect specifications. This improves the feasibility of automated checking of isolation guarantees in synthesized synchronization implementations and provides an environment for experimenting with new designs.

    Correctness of model-based software composition (CMC). Proceedings. ECOOP 2003 Workshop #11 in association with the 17th European Conference on Object-Oriented Programming, Darmstadt, Germany, July 22, 2003

    These proceedings contain the contributions to the Workshop on Correctness of Model-based Software Composition, held in conjunction with the 17th European Conference on Object-Oriented Programming (ECOOP), Darmstadt, Germany, on July 22, 2003. While most events concentrate on realisations of composition at the technological level, this workshop aims at closing the gap by ensuring, with the support of models, that the intended composition result is achieved. Two important problems in composition are, first, how to model the different assets (such as components, features or aspects) and, second, how to compose assets such that consistency and correctness are guaranteed. The first problem was addressed in the Workshop on Model-based Software Reuse (ECOOP 2002). The latter problem occurs when dealing with, e.g., component interoperability, aspect weaving, feature interaction and (on a more abstract level) traceability between different views or models. One approach to the composition problem is to use models that allow the composition itself to be modelled. This allows checking the interoperability of the different assets to be composed and the correctness of the configuration of assets, and predicting properties of the assembled system (especially compliance with user requirements). When problems are detected, suitable resolution algorithms can be applied. Ten reviewed contributions give an overview of current research directions in the correctness of model-based software composition. Results from the discussions during the workshop may be found in the ECOOP 2003 workshop reader, to be published by Springer LNCS. The web page of the workshop as well as the contributions of these proceedings may be found at URL: http://ssel.vub.ac.be/workshops/ECOOP2003/ Affiliated to previous ECOOP conferences, a related workshop about feature interaction (ECOOP 2001) and another about model-based software reuse (ECOOP 2002) have been held. Their contributions are published as technical report No. 2001-14 and technical report No. 2002-4, respectively, at the Universitaet Karlsruhe, Fakultaet fuer Informatik. URLs: http://www.info.uni-karlsruhe.de/~pulvermu/workshops/ecoop2001/ http://www.ubka.uni-karlsruhe.de/cgi-bin/psview?document=/ira/2001/14 http://www.info.uni-karlsruhe.de/~pulvermu/workshops/ECOOP2002/ http://www.ubka.uni-karlsruhe.de/cgi-bin/psview?document=/ira/2002/4 We would like to thank the program committee for their support as well as the authors and participants for their engaged contributions. The Workshop Organisers: Ragnhild Van Der Straeten, Andreas Speck, Elke Pulvermueller, Matthias Clauss, Andreas Pleus

    Verifying Strong Eventual Consistency in Distributed Systems

    Data replication is used in distributed systems to maintain up-to-date copies of shared data across multiple computers in a network. However, despite decades of research, algorithms for achieving consistency in replicated systems are still poorly understood. Indeed, many published algorithms have later been shown to be incorrect, even some that were accompanied by supposed mechanised proofs of correctness. In this work, we focus on the correctness of Conflict-free Replicated Data Types (CRDTs), a class of algorithms that provides strong eventual consistency guarantees for replicated data. We develop a modular and reusable framework in the Isabelle/HOL interactive proof assistant for verifying the correctness of CRDT algorithms. We avoid correctness issues that have dogged previous mechanised proofs in this area by including a network model in our formalisation, and proving that our theorems hold in all possible network behaviours. Our axiomatic network model is a standard abstraction that accurately reflects the behaviour of real-world computer networks. Moreover, we identify an abstract convergence theorem, a property of order relations, which provides a formal definition of strong eventual consistency. We then obtain the first machine-checked correctness theorems for three concrete CRDTs: the Replicated Growable Array, the Observed-Remove Set, and an Increment-Decrement Counter. We find that our framework is highly reusable, developing proofs of correctness for the latter two CRDTs in a few hours and with relatively little CRDT-specific code.
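As an added example (not the paper's Isabelle/HOL framework), the following Python implements an operation-based Observed-Remove Set, the second of the three CRDTs named above, and exercises the convergence property by replay rather than by proof: the same operations are delivered to a replica in every order that respects causality (a remove is never delivered before the add whose tag it names), and the set of distinct final states is collected. A naive set in which remove deletes the element outright is run through the same orders to show what goes wrong without unique tags. The scenario, the operation encoding and the helper names are constructed for illustration; the causal-delivery restriction is the network assumption such proofs depend on, which is why an exhaustive replay has to respect it too.

```python
"""Convergence of an Observed-Remove Set, checked by exhaustive replay.

Constructed example, not code from the paper. Operations are plain tuples:
  ("add", elem, {tag})         tag = (replica, counter), globally unique
  ("remove", elem, {tags})     the tags the removing replica had observed
Replay every causal delivery order and compare the final states.
"""
import itertools
from typing import Callable, Dict, FrozenSet, Iterator, List, Set, Tuple

Tag = Tuple[str, int]
ORState = Dict[str, Set[Tag]]          # element -> tags still alive

def or_add(replica: str, counter: int, elem: str):
    """Add operation carrying a fresh unique tag."""
    return ("add", elem, frozenset({(replica, counter)}))

def or_remove(state: ORState, elem: str):
    """Remove operation naming exactly the tags this replica has observed."""
    return ("remove", elem, frozenset(state.get(elem, set())))

def or_apply(state: ORState, op) -> ORState:
    kind, elem, tags = op
    new = {e: set(t) for e, t in state.items()}
    if kind == "add":
        new.setdefault(elem, set()).update(tags)
    else:
        # Only observed tags die; a concurrent add with a different tag survives.
        new[elem] = new.get(elem, set()) - tags
    return {e: t for e, t in new.items() if t}

def or_elements(state: ORState) -> FrozenSet[str]:
    """Observable value of the set: elements with at least one live tag."""
    return frozenset(state)

def naive_apply(state: FrozenSet[str], op) -> FrozenSet[str]:
    """A set whose remove drops the element outright: order-dependent, not a CRDT."""
    kind, elem, _ = op
    return state | {elem} if kind == "add" else state - {elem}

def causal_orders(n: int, before: List[Tuple[int, int]]) -> Iterator[Tuple[int, ...]]:
    """Permutations of op indices in which i is delivered before j for each (i, j)."""
    for perm in itertools.permutations(range(n)):
        pos = {op: k for k, op in enumerate(perm)}
        if all(pos[i] < pos[j] for i, j in before):
            yield perm

def final_states(apply: Callable, init, ops: list, before, canon: Callable) -> set:
    """Replay ops in every causal order; return the distinct final states."""
    results = set()
    for perm in causal_orders(len(ops), before):
        state = init
        for k in perm:
            state = apply(state, ops[k])
        results.add(canon(state))
    return results

# Constructed scenario: replicas A and B both add "x" concurrently; A then
# removes the "x" it has seen. Op 2 causally depends on op 0 (same replica).
OP_A_ADD = or_add("A", 1, "x")
OP_B_ADD = or_add("B", 1, "x")
OP_A_REMOVE = or_remove(or_apply({}, OP_A_ADD), "x")   # A observed only its own tag
OPS = [OP_A_ADD, OP_B_ADD, OP_A_REMOVE]
BEFORE = [(0, 2)]

def or_set_outcomes() -> set:
    return final_states(or_apply, {}, OPS, BEFORE, or_elements)

def naive_set_outcomes() -> set:
    return final_states(naive_apply, frozenset(), OPS, BEFORE, lambda s: s)

if __name__ == "__main__":
    print("OR-Set outcomes:", or_set_outcomes())      # exactly one: {'x'}
    print("naive outcomes: ", naive_set_outcomes())   # two: {} and {'x'}
```

Three of the six permutations respect the single causal edge; the OR-Set reaches the same value on all of them because B's add carries a tag A's remove never saw, while the naive set ends empty or non-empty depending purely on arrival order.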