NorduNet 2008Helsinki .April 2008

Olaf Owe, Cristian Prisacariu,, Gerardo Schneider, Oslo UniversitySeif Haridi, Pablo Giambiagi, Swedish Institute of Computer ScienceJoseph C. Okika, and Anders P. Ravn, Aalborg University

www.ifi.uio.no/cosodis/

NorduNet3 Project 2006 - 2010

Contract-Oriented Software Developmentfor Internet Services

Why Contracts ?

Collaboration across organizational domains presumes trust, but…

When trust is insufficient, use contracts

SOA and contracts• The consumer either trusts the provider…• … or they sign a contract which:– Determines the rights and obligations of each signatory– Usually states how the contract is to be monitored– Specify functional but also extra-functional qualities of the

service: e.g. security, performance

How ?• Developers need language support to program

services that are:

– Distributed– Interoperable– Discoverable– Contract-aware

The Marketplace

Language/Approach

Aspect Web Services (WS-*)

Semantic Web (*-S)

Electronic Business (eb-*)

Interface WSDL OWL-S ebBSI

Functionality WS-BPEL, WSOL OWL-S (IOPE), WSMO

ebBPSS

Protocol WS-BPEL, WS-CDL WSMO, OWL-S ebBPSS

Security WS-Security OWL-S ebCPA(SecurityPolicy)

QoS WS-PolicyWS-TrustWSOLWSLA

OWL-SWSMOWSML

ebCPP(XMLDSIG)ebCPA

Key Issues for Contracts

• Definition• Feasibility checking• Compatibility checking• Conformance checking• Monitoring

C

C ≠Ø

C1 ≤ C2

P |= C

P || I(C)

COSoDIS Mission

• develop novel approaches to implement and reason about contracts in a service oriented architecture.

• design and give proof of usefulness of system modeling tools and programming language tools

• to empower SOA developers to deploy highly-dynamic, negotiable and monitorable Internet services.

Formal modeling of contracts

• develop a model of contracts in a SOA • A minimum requirement is to combine QoS specification and

behavioral models (essential to constrain protocol implementation and to enforce confidentiality).

• develop practical and efficient methods to enforce information flow properties of realistic code, including cryptographic protocol implementations.

1. Johs H. Hammer and Gerardo Schneider, On the definition and policies of confidentiality2. Cristian Prisacariu and Gerardo Schneider, A Formal Language for Electronic Contracts3. Pablo Giambiagi, Olaf Owe, Anders P. Ravn, and Gerardo Schneider, Language-Based Support for

Service Oriented Architectures: Future Directions

C

Deontic LogicThe logic of obligation (ought-to), permission, and prohibition • is based on propositional and modal logics.

• ought-to-do expressions consider names of actions:”The Internet Provider ought to send a password to the Client”

• ought-to-be expressions consider results of actions”The average bandwidth ought to be more than 20kb/s”

• Georg H. von Wright started to sustain a logic of actions

We consider Obligation, Permission and Prohibition over actions only

Programming language support for contracts

• extend Creol with “wrapper” primitives for correct-by-construction wrapped code.

• contracts for QoS and confidentiality will be modeled as first-class entities

• develop techniques for constructing monitors from contracts.

1. A. Torjusen, Olaf Owe, and Gerardo Schneider, Towards integration of XML in the Creol object-oriented language

2. Olaf Owe, Gerardo Schneider, and Martin Steffen, Components, Objects, and Contracts

P |= C

P || I(C)

Reasoning about contracts

• extraction of models to facilitate reasoning about contracts.

• timing constraints will be mapped to timed automata • using the Maude tools for model checking and

exhaustive search.

1. Emilia Cambronero, Joseph C. Okika, and Anders P. Ravn, Analyzing Web Service Contracts - An Aspect Oriented Approach

2. Gordon Pace, Cristian Prisacariu, and Gerardo Schneider, Model Checking Contracts -a case study

C ≠ØC1 ≤ C2

Web Service Analyses

WS-BPEL WS-CDL

(Timed) Automata

translation

TimedAutomata

translation

C ≠Ø

Compatibility

WS-BPEL WS-CDL

(Timed) Automata

TimedAutomata

?

C1 ≤ C2

Contract Patterns and Case Studies

• establishing representative examples, equipping them with suitable contracts.

• distill some useful contract patterns • provide corresponding verification patterns.

1. Zhenbang Chen, Zhiming Liu, Volker Stolz, Lu Yang, and Anders P. Ravn, A refinement driven component-based design

2. Sakyibea Darko-Ampem, Maria Katsoufi, and Pablo Giambiagi, Secure Negotiation in Virtual Organizations

Fitting it Together

Applications

Models WS-CDL

Implement-ations.

Creol, Java, etc

WS-BPEL

Platform

Policies(Contract templates)

Service-Level Agreement

Contracts (e.g. CL)

Verification certificatesRV -> monitors

∏|

∏|

∏|

Logics.

Expected Results - 2010

• A modal logic for defining high level contracts

• Model checking tools for checking WS*-style contracts

• Larger Case Study? CoCoME• Monitoring?

C

C ≠Ø

C1 ≤ C2

P |= C

P || I(C)

Conclusion

• SOA is here to stay• Independent development needs contracts• Contracts must be checkable• Checking tools are reaching maturity

• The challenge: Fit the pieces together

www.ifi.uio.no/cosodis/