Verifying Commitment Based Business Protocols and their Compositions: Model Checking using Promela a - PowerPoint PPT Presentation

Provided by: munindar
1
Verifying Commitment Based Business Protocols and
their Compositions: Model Checking using Promela
and SPIN
  • Zhengang Cheng
  • Advisors
  • Dr. Munindar P. Singh
  • Dr. Mladen A. Vouk

2
Biography
  • BS, Nanjing University of Aeronautics and
    Astronautics, July 1995
  • MS, Nanjing University of Aeronautics and
    Astronautics, March 1998
  • Zhengang Cheng, Incorporating Agent Behavior into
    Web Services, Proceedings of the 40th Annual ACM
    SouthEast Conference, ACM, pp. 87-96, 2002
  • Zhengang Cheng, Munindar P. Singh, and Mladen A.
    Vouk, "Composition Constraints for Semantic Web
    Services," WWW2002 Workshop on Real World RDF and
    Semantic Web Applications, May 7, 2002
  • Zhengang Cheng, Munindar P. Singh, and Mladen A.
    Vouk, "Composition Constraints for Semantic Web
    Services," accepted for publication as a chapter
    in the book "Real World Semantic Web
    Applications", IOS Press, editor V. Kashyap, 2002
  • A Modeling and Execution Environment for
    Distributed Scientific Workflows, contributor,
    SSDBM 2003, pp. 247-250

3
Outline-Motivation
  • Motivation
  • Research Background
  • Research challenge
  • Approach
  • Results
  • Discussion

4
Background
  • Service-based infrastructure: represented by the
    adoption of a suite of Web service standards.
    This enables services to interact with
    services of different organizations.
  • Business automation: This enables business and
    research organizations to use the
    Internet to transact with other partners.
  • Research automation: It will enable scientists to
    utilize tools and data owned by different
    organizations.

5
Service Oriented Architecture
  • Service: A unit of work done by a service
    provider to achieve desired end results for a
    service consumer
  • Service-Oriented Architecture (SOA) is a way of
    designing a software system from published and
    discoverable services
  • Benefits:
  • Loose coupling among interacting software agents
    (services)
  • Integration of heterogeneous platforms
  • Supports non-intrusive reuse of software
    components in ways not specifically predicted at
    development time

6
Business Processes and Protocols
  • Service: A unit of work or function, like an
    operation defined in a WSDL file.
  • Business Protocol: formalization of the
    interaction between participants in a business
    process, utilizing the individual services
  • Business Process: the way an organization
    conducts its business; it is a realization of a
    business protocol, achieving tasks like
    purchasing, selling, etc.
  • Protocol Composition: the composition of
    individual protocols, achieving a larger business
    task. It is more complex and involves more
    participants

7
Research Motivation
  • Verify protocol composition with commitment
    modeling in a service oriented environment
  • Business protocols are prevalent; their composition
    achieves bigger goals, but it is complex.
  • Business process implies exchange of money, goods
    or services among participants. It implies
    obligation and its fulfillment.
  • Need to discover errors or inconsistency as early
    as possible

8
Research Challenges
  • Given a set of business protocols and a set of
    composition constraints, we would like to find
    possible errors.
  • Specifically, I want to answer these questions:
  • Q1: Are composition constraints adequate to
    ensure the correct composition of a business
    process?
  • Q2: Are the commitments in a business process
    well observed?

9
Outline-Approach
  • Motivation
  • Approach
  • Commitments to model obligations
  • OWL-P to define business protocols and their
    composition constraints
  • Verification based on model checking techniques
  • Results
  • Discussion

10
Commitments
  • A commitment is an obligation from a debtor x to
    a creditor y about a particular condition p. A
    commitment has the following two basic forms:
  • Unconditional or base-level commitment C(x, y,
    p). A commitment whose condition p will be
    brought about unconditionally. For example,
    C(buyer, seller, pay) denotes that the buyer
    promises to pay the seller
  • Conditional commitment CC(x, y, p, q). A
    commitment whose condition q will be brought
    about if the precondition p becomes true. The
    base-level commitment C(x, y, q) comes into being
    when the precondition p holds. For example,
    CC(buyer, seller, ship, pay) denotes that the
    buyer promises to pay the seller if the goods are
    shipped to him

11
Commitment Life Cycle
12
OWL-P Primer
  • OWL-P (OWL for Protocols and Processes) is a
    practical framework and an associated language
    for specifying, combining, and enacting
    commitment protocols
  • OWL-P Composition Profile describes the
    relationships among protocols that must be
    preserved when composing protocols. These
    relationships are called axioms in OWL-P
    terminology

13
Purchase Example
  • We use the well-understood purchase to illustrate
    protocol composition
  • The purchase process involves the customer,
    merchant, payment gateway, shipper roles
  • It consists of order, payment, shipment protocols

14
Order Protocol
15
Payment Protocol
16
Shipment Protocol
17
OWL-P Example for Order
18
OWL-P Composition Axioms
  • Role Definition. A role definition axiom defines
    the composed protocol in terms of roles in the
    protocols being composed. Each role definition
    axiom has exactly one value for the defined
    property
  • Data Flow. A dataflow axiom provides the bindings
    for external slots in protocols, since an
    external slot's value has to be bound outside the
    scope of the protocol in which it is declared to
    be external
  • Implication. An implication axiom is used to
    denote propositions in different protocols that
    have the same meaning. The properties of an
    implication axiom are antecedent and consequent,
    the value of the former property logically
    implies the value of the latter property
  • Event Order. An event order axiom specifies
    temporal ordering among messages in the protocols
    being composed

19
Axioms for Purchase Protocol
20
Model Checking
  • Checks whether an implementation satisfies
    properties specified as temporal logic formulas
  • Representative model checkers:
  • SPIN: An explicit-state model checker
  • SMV: Symbolic model checker

21
SPIN and Promela
  • Promela is the modeling language of SPIN.
  • Process: an instance of a proctype
  • Data object: two scope levels, global and local.
    Only global variables can participate in LTL
    formulas
  • Message channel: models communication between
    processes.

22
My Detailed Approach
[Diagram with boxes labeled: OWL-P Protocols, OWL-P Role Skeleton, OWL-P Composition Profile, Promela Models, Composition, Commitments, Composite Promela Model, Verification Properties, Model Checker SPIN, Verification Results]
23
SPIN Model Checker
24
Translate Role Skeleton
  • Translation procedure from OWL-P:
  • Translating a role: Each role skeleton is mapped
    to a Promela process, enclosed in a do...od loop.
  • Translating messages: a Boolean variable records
    whether the message has already been observed
    (sent or received) by the role.
  • Mapping of role skeleton rules: Each rule is
    mapped to a case statement in the skeleton loop.

25
Example for Order Protocol
  • Buyer Skeleton
      /* one flag per message: set once the role has observed it */
      bit seller_rfq;
      bit seller_quote;
      bit seller_acceptQuote;
      bit seller_rejectQuote;
      proctype seller() {
        /* one flag per rule: 1 until the rule has fired */
        bit rule1 = 1, rule2 = 1, rule3 = 1;
        chan me = [0] of { mtype, byte };
        do
        :: start && rule1 && to_seller?[reqForQuote] ->
             to_seller?reqForQuote(seller_rfq_itemID, tmp3, tmp4);
             seller_rfq = 1;
             start = 0;
             rule1 = 0
        :: seller_quote && rule3 && to_seller?[rejectQuote] ->
             to_seller?rejectQuote(seller_rejectQuote_itemID,
                                   seller_rejectQuote_itemPrice, tmp3);
             seller_rejectQuote = 1;
             rule3 = 0
        /* remaining rules and declarations are not shown on the slide */
        od
      }

26
Translate Composition Axioms
  • Role definition axioms
  • roleDefinition(definePurchase.customer,
    unifyOrder.buyer, unifyShipping.receiver,
    unifyPayment.payer)
  • Translated to
      proctype customer() {
        run buyer();
        run payer();
        run receiver()
      }

27
Translate other Axioms
  • Data Flow Axiom: use a message channel to
    transfer the data.
  • Implication Axiom: use a Boolean bit to synchronize.
    One role of the axiom can set it, while the other
    role blocks until it is set.
  • Event Order Axiom: use a Boolean to synchronize.

28
OWL-P Axiom to Promela
29
Modeling Commitment
  • Each commitment is different in terms of its
    behavior, with its own state transition diagram.
  • Option 1: Model each commitment as a process.
    However, this is very difficult to
    automate, as each process is different and
    customized.
  • Option 2: Model each commitment as a data structure,
    where a common commitment process (CCP) manages
    its state transitions.

30
Common Commitment Model
[Diagram: a CCP holding Commitments, connected to the roles Customer, Merchant, Gateway and Shipper; labeled interactions: 1. Query, 2. Quote, Money Auth, Ship Req., Money, Goods]
31
Common Commitment Process
  • Having one common process that manages all the
    commitments has the following pros and cons
  • Pros:
  • Reduces the number of processes in the system from N to 1,
    thus easier to debug, track, and verify.
  • Generic model that enables code reuse; only need to
    include ccp.pml
  • Cons: Each process has to update the CCP on
    events that affect commitment state.

32
Outline-Results
  • Motivation
  • Approach
  • Results
  • Verification for generic properties
  • Verification for protocol specific properties
  • Discussion

33
LTL Formulas
34
General Properties
  • Deadlock and Livelock Freedom: SPIN verifies
    deadlock and livelock freedom by default if end
    states are identified
  • Using this property we can check whether there
    are deadlocks in the composition of the protocols
  • Commitments in Good States: All commitments are
    discharged (or cancelled); there are no
    base-level commitments
  • This states that eventually all commitments
    should not be in their BASE state
  • The message channels are empty: Eventually there
    should be no message in any Promela message
    channel

35
Protocol-Specific Properties
  • Such properties use information specific to a
    protocol.
  • Ensure Goods if Pay: After the buyer sends the
    payment, the buyer should eventually receive a
    corresponding shipment
  • Ensure Pay if Goods Shipped: If the shipment is
    sent, the buyer pays eventually
  • No Shipment if Reject: The buyer can choose to
    accept or reject a quote. However, when it
    rejects a quote, the goods would not be shipped

36
Demo Requirements
  • The following software is required to run the demo
    on Windows:
  • Cygwin with the C compiler GCC installed
  • Tcl/Tk, needed to run Xspin, a GUI tool for SPIN
  • Xspin

37
Demo 1
  • Verification of Commitments: We need to check
    that all the commitment data structures of the CCP are
    eventually not at base level. This requires enumerating,
    for each commitment, that it is not at base level
  • <>(CC1.state != cc_base && .. && CCN.state !=
    cc_base)
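
The common commitment process from the "Modeling Commitment" and "Common Commitment Process" slides, checked against the Demo 1 property, as an added example that is not from the presentation or its ccp.pml. It assumes SPIN 6 or later for the inline `ltl` block; every name except `cc_base` and `CC1` is an assumption. It uses the persistence form `<>[]`, because a plain `<>` is already satisfied in the initial state, before CC1 has reached base level.

```promela
/* Constructed example. Only cc_base and the CC1..CCN naming come from the
   slides; the other states, the events and the channel are assumptions. */
mtype = { cc_cond, cc_base, cc_discharged, cc_cancelled,  /* commitment states */
          ship, pay, cancel };                            /* events sent to the CCP */

typedef Commitment {
  mtype state;   /* current life-cycle state */
  mtype pre;     /* event that makes the precondition p true */
  mtype post     /* event that brings about the condition q */
};

Commitment CC1;                  /* global, so the LTL formula can refer to it */
chan to_ccp = [2] of { mtype };  /* every role reports its events here */

/* One life-cycle step of commitment c on event ev. */
inline update(c, ev) {
  if
  :: c.state == cc_cond && ev == c.pre       -> c.state = cc_base
  :: c.state == cc_cond && ev == cancel      -> c.state = cc_cancelled
  :: c.state != cc_cancelled && ev == c.post -> c.state = cc_discharged
  :: else -> skip
  fi
}

/* Common commitment process: the only place where commitment state changes. */
active proctype ccp() {
  mtype e;
  atomic { CC1.state = cc_cond; CC1.pre = ship; CC1.post = pay }  /* CC(buyer, seller, ship, pay) */
end:
  do
  :: to_ccp?e -> atomic { update(CC1, e) }  /* add update(CC2, e) etc. for more commitments */
  od
}

/* The roles only report events; shipment and payment may arrive in either order. */
active proctype seller() { to_ccp!ship }
active proctype buyer()  { to_ccp!pay }

/* Demo 1 property for one commitment: CC1 does not stay at base level. */
ltl good_states { <>[] (CC1.state != cc_base) }
```

Check it with `spin -a ccp_demo.pml && gcc -o pan pan.c && ./pan -a` (the file name is arbitrary). If the buyer is allowed to skip `to_ccp!pay`, CC1 stays in `cc_base` after shipment and SPIN reports an acceptance cycle as the counterexample.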

38
Demo 2
  • Ensure Goods if Payment
  • (gateway_authOK -> <>(shipper shipOrder)

39
Demo 3
  • If Reject Quote, then no payment
  • !(buyer rejectQuote gateway_captured)

40
Outline-Discussion
  • Motivation
  • Approach
  • Results
  • Discussion

41
Discussion
  • Commitment propagation is difficult due to
    Promela's limitations in dynamically creating new
    commitments
  • It is difficult to write a concise formula for
    commitment checking

42
Related Works
  • Service Composition V&V
  • Foster et al. verify BPEL implementations against
    specifications in MSC and FSP, with a focus on
    control flow logic
  • Xu et al. use the model checker SPIN to verify
    properties of BPEL implementations
  • Behavior compatibility
  • Interface compatibility checking focuses on method
    call dependencies between software modules
    (Chakrabarti et al. 2002)

43
Contributions
  • Modeling of commitments in business process
  • Modeling of protocols and their composition
  • A general way to uncover inconsistency and errors
    in protocol composition

44
Thanks
45
Service Characteristics in SOA
  • Openness: services cross enterprise boundaries
  • Autonomy: services comprise autonomous resources that
    belong to different parties, which have sole control
    of the service
  • Heterogeneity: results from political reasons
    like ownership and technical reasons like
    implementation
  • Loose Coupling: results from the autonomy of
    services.

46
Current Practice of Checking Service Composition
  • Errors can happen anywhere in a service
    composition
  • Syntactic errors: can be checked
    automatically by the compiler or IDE
  • Semantics: checked mainly by humans, who verify and
    debug whether the composition behaves as it should.

47
Why this is a research Issue
  • Practical Value: uncover protocol composition
    errors as early as possible
  • Why not solved already: Most verification research
    follows the model checking approach. The solutions
    (LTL formulas for properties) are specific to the
    model under investigation
  • General Approach: Given a composition and the
    services it uses, we can answer whether there are
    any compatibility errors.

48
My Current Approach
  • Utilize as much as possible the tools and
    algorithms of state reduction for Model Checking
  • Formalized approach to solve the problem in at
    least a large category of general scenarios

49
Purchase Example
50
Service Composition
  • Build a new application or service from existing
    services.
  • In Business: Purchasing is one of the most common
    processes in business. A travel agent provides
    flexible travel planning to customers by utilizing
    services from hotel, car rental, and airline
    companies.
  • In Science: Build scientific workflows by
    flexibly combining services, databases, and tools
    available from many research organizations.