Towards a design-by-contract based approach for realizable connector-centric software architectures

Despite being a widely-used language for specifying software systems, UML remains less than ideal for software architectures. Architecture description languages (ADLs) were developed to provide more comprehensive support. However, so far the application of ADLs in practice has been impeded by at least one of the following problems: (i) advanced formal notations, (ii) lack of support for complex connectors, and (iii) potentially unrealizable designs. In this paper we propose a new ADL that is based on Design-by-Contract (DbC) for specifying software architectures. While DbC promotes a formal and precise way of specifying system behaviours, it is more familiar to practising developers, thus allowing for a more comfortable way of specifying architectures than using process algebras. Furthermore, by granting connectors a first-class status, our ADL allows designers to specify not only simple interaction mechanisms as connectors but also complex interaction protocols. Finally, in order to ensure that architectural designs are always realizable we eliminate potentially unrealizable constructs in connector specifications (the connector “glue”)

Xcd - Modular, Realizable Software Architectures

Connector-Centric Design (Xcd) is centred around a new formal architectural description language, focusing mainly on complex connectors. Inspired by Wright and BIP, Xcd aims to cleanly separate in a modular manner the high-level functional, interaction, and control system behaviours. This can aid in both increasing the understandability of architectural specifications and the reusability of components and connectors themselves. Through the independent specification of control behaviours, Xcd allows designers to experiment more easily with different design decisions early on, without having to modify the functional behaviour specifications (components) or the interaction ones(connectors). At the same time Xcd attempts to ease the architectural specification by following (and extending) a Design-by-Contract approach, which is more familiar to software developers than process algebras like CSP or languages like BIP that are closer to synchronous/hardware specification languages. Xcd extends Design-by-Contract (i) by separating component contracts into functional and interaction sub-contracts, and (ii) by allowing service consumers to specify their own contractual clauses. Xcd connector specifications are completely decentralized, foregoing Wright’s connector glue, to ensure their realizability by construction

Design-by-contract for reusable components and realizable architectures

Architectural connectors can increase the modularity and reusability benefits of Component-based Software Engineering, as they allow one to specify the general case of an interaction pattern and reuse it from then on. At the same time they enable components to be protocol-independent – components do not need to know under which interaction patterns they will be used, as long as their minimal, local interaction constraints are satisfied. Without connectors one can specify only specific instances of such patterns and components need to specify themselves the interaction protocols that they will follow, thus reducing their reusability. Connector frameworks so far allow designers to specify systems that are unrealizable in a decentralized manner, as they allow designers to impose global interaction constraints. These frameworks either ignore the realizability problem altogether, ignore connector behaviour when generating code, or introduce a centralized controller that enforces these global constraints but does so at the price of invalidating any decentralized properties of the architecture. We show how the XCD ADL extends Design-by-Contract (DbC) for specifying (i) protocol-independent components, and (ii) arbitrary connectors that are always realizable in a decentralized manner as specified by an architecture – XCD connectors impose local constraints only. Use of DbC will hopefully make it easier for practitioners to use the language, compared to languages using process algebras. We show how XCD specifications can be translated to ProMeLa so as to verify that (i) provided services local interaction constraints are satisfied, (ii) provided services functional pre-conditions are complete, (iii) there are no race-conditions, (iv) event buffer sizes suffice, and (v) there is no global deadlock. Without formally analyzable architectures errors can remain undiscovered for a long time and cost too much to repair

Architectural specification and analysis with XCD: The aegis combat system case study

Despite promoting precise modelling and analysis, architecture description languages (ADLs) have not yet gained the expected momentum. Indeed, practitioners prefer using far less formal languages like UML, thus hindering formal verification of models. One of the main issues with ADLs derives from process algebras which practitioners view as having a steep learning curve. In this paper, we introduce a new ADL called XCD which enables designers to model their software architectures through a Design-by-Contract approach, as for example in the Java Modelling Language (JML). We illustrate how XCD can be used in architectural modelling and analysis using the Aegis combat software system

Bootstrapping trust in service oriented architecture

Services in a service-oriented architecture are designed to meet desired functional and non-functional requirements. Conformance of a service implementation to its functional requirements can be tested by observing the interface of the service but it is hard to enforce non-functional requirements such as data privacy and safety properties by monitoring the interface alone. Instead the implementation of the service need to be monitored for its conformance to the non-functional properties. A requirement\u27s monitor can be deployed to check this conformance. A key problem is that such monitor must execute in an untrustworthy environment (at the service provider\u27s location).;We argue that the integrity of the reported results of such a monitor crucially depends on the integrity of the monitor itself. Previous research results on trustworthy computing has shown that static properties, such as the checksum, of a remote program can be verified using a hardware-based mechanism called trusted platform module.;This thesis makes two contributions. First, we extend the traditional notion of a service-oriented architecture to accommodate the requirements for trust. Second, we propose a dynamic attestation mechanism that serves to support our extensions. To evaluate our approach, we have conducted a case study using a commercial requirements monitor and a collection of web service implementations available with Apache Axis implementation. Our case study demonstrates the feasibility of verifying the conformance of a web service executing in an untrusted environment with respect to a class of non-functional requirements using our approach. Lack of data privacy during online transactions is a major cause of concern among e-commerce users. By providing a technique to monitor such properties in a decoupled environment our work promises to address the issue of guaranteeing the privacy of confidential client data on the provider\u27s side in a Service Oriented Architecture

A Design-by-Contract based Approach for Architectural Modelling and Analysis

Research on software architectures has been active since the early nineties, leading to a number of different architecture description languages (ADL). Given their importance in facilitating the communication of crucial system properties to different stakeholders and their analysis early on in the development of a system this is understandable. However, practitioners rarely use ADLs, and, instead, they insist on using the Unified Modelling Language (UML) for specifying software architectures. I attribute this to three main issues that have not been addressed altogether by the existing ADLs. Firstly, in their attempt to support formal analysis, current ADLs employ formal notations (i.e., mostly process algebras) that are rarely used among practitioners. Secondly, many ADLs focus on components in specifying software architectures, neglecting the first-class specification of complex interaction protocols as connectors. They view connectors as simple interaction links that merely identify the communicating components and their basic communication style (e.g., procedure call). So, complex interaction protocols are specified as part of components, which however reduce the re-usability of both. Lastly, there are also some ADLs that do support complex connectors. However, these include a centralised glue element in their connector structure that imposes a global ordering of actions on the interacting components. Such global constraints are not always realisable in a decentralised manner by the components that participate in these protocols. In this PhD thesis, I introduce a new architecture description language called XCD that supports the formal specification of software architectures without employing a complex formal notation and offers first-class connectors for maximising the re-use of components and protocols. Furthermore, by omitting any units for specifying global constraints (i.e., glue), the architecture specifications in XCD are guaranteed to be realisable in a decentralised manner. I show in the thesis how XCD extends Design-by-Contract (DbC) for specifying (i) protocol-independent components and (ii) complex connectors, which can impose only local constraints to guarantee their realisability. Use of DbC will hopefully make it easier for practitioners to use the language, compared to languages using process algebras. I also show the precise translation of XCD into SPIN’s formal ProMeLa language for formally verifying software architectures that (i) services offered by components are always used correctly, (ii) the component behaviours are always complete, (iii)there are no race-conditions, (iv) there is no deadlock, and (v) for components having event communications, there is no overflow of event buffers. Finally, I evaluate XCD via five well-known case studies and illustrate XCD’s enhanced modularity, expressive DbC-based notation, and guaranteed realisability for architecture specifications

Project Final Report Final Publishable Summary Report

This document is the final publishable summary report, part of the CONNECT final report