Title: Verifying Commitment Based Business Protocols and their Compositions: Model Checking using Promela and SPIN
Verifying Commitment Based Business Protocols and their Compositions: Model Checking using Promela and SPIN
- Zhengang Cheng
- Advisors
  - Dr. Munindar P. Singh
  - Dr. Mladen A. Vouk
Biography
- BS, Nanjing University of Aeronautics and Astronautics, July 1995
- MS, Nanjing University of Aeronautics and Astronautics, March 1998
- Zhengang Cheng, "Incorporating Agent Behavior into Web Services," Proceedings of the 40th Annual ACM SouthEast Conference, ACM, pp. 87-96, 2002
- Zhengang Cheng, Munindar P. Singh, and Mladen A. Vouk, "Composition Constraints for Semantic Web Services," WWW2002 Workshop on Real World RDF and Semantic Web Applications, May 7, 2002
- Zhengang Cheng, Munindar P. Singh, and Mladen A. Vouk, "Composition Constraints for Semantic Web Services," accepted for publication as a chapter in the book "Real World Semantic Web Applications", IOS Press, editor V. Kashyap, 2002
- "A Modeling and Execution Environment for Distributed Scientific Workflows," contributor, SSDBM 2003, pp. 247-250
Outline: Motivation
- Motivation
- Research Background
- Research Challenge
- Approach
- Results
- Discussion
Background
- Service-based infrastructure, represented by the adoption of a suite of Web service standards. This enables services to interact with services of different organizations.
- Business automation: this makes it possible for business and research organizations to use the Internet to transact with other partners.
- Research automation: it will enable scientists to utilize tools and data owned by different organizations.
Service Oriented Architecture
- Service: a unit of work done by a service provider to achieve desired end results for a service consumer
- Service-Oriented Architecture (SOA) is a way of designing a software system from published and discoverable services
- Benefits
  - Loose coupling among interacting software agents (services)
  - Integration of heterogeneous platforms
  - Supports non-intrusive reuse of software components in ways not specifically predicted at development time
Business Processes and Protocols
- Service: a unit of work or function, like an operation defined in a WSDL file.
- Business protocol: a formalization of the interaction between participants in a business process, utilizing the individual services
- Business process: the way an organization conducts its business; a realization of a business protocol, achieving tasks like purchasing, selling, etc.
- Protocol composition: the composition of individual protocols, achieving a larger business task. It is more complex and involves more participants
Research Motivation
- Verify protocol composition with commitment modeling in a service-oriented environment
- Business protocols are prevalent; their composition achieves bigger goals, but it is complex.
- A business process implies the exchange of money, goods or services among participants. It implies obligations and their fulfillment.
- Need to discover errors or inconsistencies as early as possible
Research Challenges
- Given a set of business protocols and a set of composition constraints, we would like to find possible errors.
- Specifically, I want to answer the questions:
  - Q1: Are the composition constraints adequate to ensure the correct composition of a business process?
  - Q2: Are the commitments in a business process well observed?
Outline: Approach
- Motivation
- Approach
  - Commitments to model obligations
  - OWL-P to define business protocols and their composition constraints
  - Verification based on model checking techniques
- Results
- Discussion
Commitments
- A commitment is an obligation from a debtor x to a creditor y about a particular condition p. A commitment has the following two basic forms:
- Unconditional or base-level commitment C(x, y, p): a commitment whose condition p will be brought about unconditionally. For example, C(buyer, seller, pay) denotes that the buyer promises to pay the seller.
- Conditional commitment CC(x, y, p, q): a commitment whose condition q will be brought about if the precondition p becomes true. The base-level commitment C(x, y, q) comes into being when the precondition p holds. For example, CC(buyer, seller, ship, pay) denotes that the buyer promises to pay the seller if the goods are shipped to him.
Commitment Life Cycle
OWL-P Primer
- OWL-P (OWL for Protocols and Processes) is a practical framework and an associated language for specifying, combining, and enacting commitment protocols
- An OWL-P composition profile describes the relationships among protocols that must be preserved when composing them. These relationships are called axioms in OWL-P terminology
Purchase Example
- We use the well-understood purchase process to illustrate protocol composition
- The purchase process involves the customer, merchant, payment gateway and shipper roles
- It consists of the order, payment and shipment protocols
Order Protocol
Payment Protocol
Shipment Protocol
OWL-P Example for Order
OWL-P Composition Axioms
- Role Definition. A role definition axiom defines a role of the composed protocol in terms of roles in the protocols being composed. Each role definition axiom has exactly one value for the defined property.
- Data Flow. A data-flow axiom provides the bindings for external slots in protocols, since an external slot's value has to be bound outside the scope of the protocol in which it is declared to be external.
- Implication. An implication axiom is used to denote propositions in different protocols that have the same meaning. The properties of an implication axiom are antecedent and consequent; the value of the former property logically implies the value of the latter property.
- Event Order. An event order axiom specifies temporal ordering among messages in the protocols being composed.
Axioms for Purchase Protocol
Model Checking
- Checks whether an implementation satisfies properties specified as temporal logic formulas
- Representative model checkers
  - SPIN: an explicit-state model checker
  - SMV: a symbolic model checker
SPIN and Promela
- Promela is the modeling language of SPIN.
- Process: an instance of a proctype
- Data object: two scope levels, global and local. Only global variables can participate in LTL formulas
- Message channel: models communication between processes
My Detailed Approach
- Diagram: the OWL-P protocols (role skeletons) and the OWL-P composition profile are translated into Promela models (composition, commitments); these are combined into a composite Promela model which, together with the verification properties, is fed to the SPIN model checker to produce the verification results.
SPIN Model Checker
Translate Role Skeleton
- Translation procedure from OWL-P
- Translating a role: each role skeleton is mapped to a Promela process whose body is enclosed in a do...od loop.
- Translating messages: a Boolean variable records whether the message has already been observed (sent or received) by the role.
- Mapping of role skeleton rules: each rule is mapped to one option (case) of the skeleton loop, guarded by the state bits and the arrival of the triggering message.
Example for Order Protocol
- Seller skeleton (the slide shows rules 1 and 3; the declarations at the top are assumed here so that the fragment compiles):

```promela
/* Declarations assumed for this fragment (not shown on the slide) */
mtype = { reqForQuote, quote, acceptQuote, rejectQuote };
chan to_seller = [2] of { mtype, byte, byte, byte };
bit start = 1;
byte seller_rfq_itemID, seller_rejectQuote_itemID, seller_rejectQuote_itemPrice, tmp3, tmp4;

/* One bit per message: has the seller observed it yet? */
bit seller_rfq;
bit seller_quote;
bit seller_acceptQuote;
bit seller_rejectQuote;

proctype seller()
{
    bit rule1 = 1, rule2 = 1, rule3 = 1;   /* each rule fires at most once */
    chan me = [0] of { mtype, byte };
end:
    do
    /* rule 1: a request for quote arrives while the role is in its start state */
    :: start && rule1 && to_seller?[reqForQuote, _, _, _] ->
        to_seller?reqForQuote(seller_rfq_itemID, tmp3, tmp4);
        seller_rfq = 1;
        start = 0;
        rule1 = 0
    /* rule 2 (sending the quote) is elided on the slide */
    /* rule 3: the buyer rejects the quote that was sent */
    :: seller_quote && rule3 && to_seller?[rejectQuote, _, _, _] ->
        to_seller?rejectQuote(seller_rejectQuote_itemID, seller_rejectQuote_itemPrice, tmp3);
        seller_rejectQuote = 1;
        rule3 = 0
    od
}
```
Translate Composition Axioms
- Role definition axioms

```promela
roleDefinition(definePurchase.customer, unifyOrder.buyer, unifyShipping.receiver, unifyPayment.payer)
```

- Translated to

```promela
proctype customer()
{
    run buyer();
    run payer();
    run receiver()
}
```
Translate Other Axioms
- Data-flow axiom: use a message channel to transfer the data.
- Implication axiom: use a Boolean bit to synchronize. One role of the axiom sets it, while the other role is stuck until it is set.
- Event-order axiom: use a Boolean bit to synchronize in the same way.
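As an added example (not code from the thesis), the following Promela fragment joins a buyer from the order protocol, a payer and gateway from the payment protocol, and a shipper from the shipment protocol using the three translations above: a channel for a data-flow axiom (the quoted price, which is external to the payment protocol), a bit for an implication axiom (accepting the quote starts payment) and a bit for an event-order axiom (no shipment before authorization). The role names, slot names, the constructed price value and the two `ltl` claims are illustrative assumptions, not taken from the deck's own models.

```promela
/* Added example, not from the thesis. Two protocols joined by the three
   axiom translations: a channel for data flow, a bit for implication and a
   bit for event order. Names below are illustrative assumptions. */

mtype = { authorize };

/* Data-flow axiom: the order protocol's price slot is external to the
   payment protocol, so its value is bound through a channel. */
chan price_flow = [1] of { byte };

/* Implication axiom: "buyer accepted the quote" (order protocol) implies
   "payer starts payment" (payment protocol). One role sets the bit,
   the other blocks until it is set. */
bit ax_accept_implies_pay = 0;

/* Event-order axiom: shipOrder may only follow authOK. */
bit ax_auth_before_ship = 0;

/* One bit per message, recording that the role observed it
   (the message translation of the role-skeleton procedure). */
bit buyer_acceptQuote = 0;
bit gateway_authOK = 0;
bit shipper_shipOrder = 0;

chan to_gateway = [1] of { mtype, byte };

proctype buyer()
{
    byte itemPrice = 42;           /* constructed quote value */
    buyer_acceptQuote = 1;         /* rule fires: the quote is accepted */
    price_flow!itemPrice;          /* data flow into the payment protocol */
    ax_accept_implies_pay = 1      /* antecedent holds: release the consequent */
}

proctype payer()
{
    byte amount;
    ax_accept_implies_pay == 1;    /* blocks until the implication bit is set */
    price_flow?amount;             /* the externally bound slot arrives here */
    to_gateway!authorize(amount)
}

proctype gateway()
{
    byte amount;
    to_gateway?authorize(amount);
    gateway_authOK = 1;
    ax_auth_before_ship = 1        /* authorization observed: shipment may proceed */
}

proctype shipper()
{
    ax_auth_before_ship == 1;      /* event-order constraint: wait for authorization */
    shipper_shipOrder = 1
}

init {
    atomic { run buyer(); run payer(); run gateway(); run shipper() }
}

/* Protocol-specific property: authorization is eventually followed by shipment. */
ltl goods_if_pay { [] ((gateway_authOK == 1) -> <> (shipper_shipOrder == 1)) }

/* The event-order axiom itself, stated as a safety property. */
ltl order_ok { [] ((shipper_shipOrder == 1) -> (gateway_authOK == 1)) }
```

Run it with `spin -a axioms.pml && gcc -o pan pan.c && ./pan -a -N goods_if_pay` (and again with `-N order_ok`). The bare expression statement `ax_accept_implies_pay == 1;` is the "stuck until it is set" translation of the implication axiom; if the buyer never set the bit, the payer would block forever and `./pan` would report the composition error as an invalid end state rather than a property violation.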
OWL-P Axiom to Promela
Modeling Commitments
- Each commitment differs in its behavior and has its own state transition diagram.
- Option 1: model each commitment as a process. However, this is very difficult to automate, since each process is different and customized.
- Option 2: model each commitment as a data structure, where a common commitment process (CCP) manages its state transitions.
Common Commitment Model
- Diagram: the CCP holds the commitments of all roles (Customer, Merchant, Gateway, Shipper); the roles exchange 1. Query, 2. Quote, Money Auth, Ship Req., Money and Goods among themselves and report commitment-affecting events to the CCP.
Common Commitment Process
- Having one common process manage all the commitments has the following pros and cons
- Pros
  - Reduces the number of commitment processes in the system from N to 1, which makes it easier to debug, track, and verify.
  - Generic model, enabling code reuse: a model only needs to include ccp.pml
- Cons
  - Each role process has to notify the CCP of every event that affects a commitment's state.
Outline: Results
- Motivation
- Approach
- Results
  - Verification of generic properties
  - Verification of protocol-specific properties
- Discussion
LTL Formulas
General Properties
- Deadlock and livelock freedom: SPIN reports invalid end states (deadlocks) by default once the valid end states are labelled; non-progress cycles (livelock) are checked once progress labels are added.
- Using this property we can check whether there are deadlocks in the composition of the protocols.
- Commitments in good states: all commitments are discharged (or cancelled), i.e. no base-level commitments remain. This states that eventually all commitments should not be in their BASE state.
- The message channels are empty: eventually there should be no message left in any Promela message channel.
Protocol-Specific Properties
- Such properties use information specific to a protocol.
- Ensure goods if pay: after the buyer sends the payment, the buyer should eventually receive the corresponding shipment.
- Ensure pay if goods shipped: if the shipment is sent, the buyer eventually pays.
- No shipment if reject: the buyer can choose to accept or reject a quote. When it rejects a quote, the goods must not be shipped.
Demo Requirements
- The following software is required to run the demo on Windows:
  - Cygwin with the C compiler GCC installed
  - Tcl/Tk, needed by Xspin, the GUI tool for SPIN
  - Xspin
Demo 1
- Verification of commitments: we need to check that every commitment data structure managed by the CCP is eventually not at base level. LTL has no quantifier over the commitments, so the formula enumerates them:
- <>(CC1.state != cc_base && ... && CCN.state != cc_base)
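The Common Commitment Process (one generic process managing commitments kept as data structures) and the Demo 1 property, as one added example that is not the thesis's own ccp.pml. The state names (conditional, base, discharged, cancelled), the event names, the `Commitment` typedef and the two-commitment purchase fragment are assumptions chosen to fit the life cycle described on these slides; an event that the current state does not allow is turned into an assertion failure so that SPIN reports it with a trail.

```promela
/* Added example, not the thesis's ccp.pml: commitments as data structures,
   with one common commitment process (CCP) owning every state transition.
   States, events and the purchase fragment below are assumptions. */

mtype = { conditional, base, discharged, cancelled };                    /* commitment states */
mtype = { c_create_c, c_create_cc, c_precond, c_discharge, c_cancel };   /* events sent to CCP */
mtype = { acceptQuote, ship };                                           /* role messages */

#define N 2
#define CC_BUYER_PAY  0     /* CC(buyer, seller, ship, pay): conditional on shipment */
#define C_SELLER_SHIP 1     /* C(seller, buyer, ship): unconditional, base-level */

typedef Commitment {
    mtype state;            /* 0 until the commitment is created */
};

Commitment cc[N];
chan to_ccp = [4] of { mtype, byte };   /* (event, commitment index) */
chan to_seller = [1] of { mtype };
chan to_buyer  = [1] of { mtype };

/* The CCP: roles only report events; the transition table lives here. */
proctype CCP()
{
    mtype ev; byte i;
end:
    do
    :: to_ccp?ev, i ->
        if
        :: ev == c_create_c  && cc[i].state == 0           -> cc[i].state = base
        :: ev == c_create_cc && cc[i].state == 0           -> cc[i].state = conditional
        :: ev == c_precond   && cc[i].state == conditional -> cc[i].state = base
        :: ev == c_discharge && (cc[i].state == conditional || cc[i].state == base)
                                                            -> cc[i].state = discharged
        :: ev == c_cancel    && cc[i].state == base        -> cc[i].state = cancelled
        :: else -> assert(false)   /* event not allowed in this state: protocol error */
        fi
    od
}

proctype buyer()
{
    to_ccp!c_create_cc, CC_BUYER_PAY;   /* accepting the quote creates the buyer's CC */
    to_seller!acceptQuote;
    to_buyer?ship;                      /* goods received */
    to_ccp!c_discharge, CC_BUYER_PAY    /* paying discharges C(buyer, seller, pay) */
}

proctype seller()
{
    to_seller?acceptQuote;
    to_ccp!c_create_c, C_SELLER_SHIP;   /* seller now owes the shipment */
    to_ccp!c_discharge, C_SELLER_SHIP;  /* shipping discharges the seller's commitment ... */
    to_ccp!c_precond, CC_BUYER_PAY;     /* ... and makes the buyer's CC base-level */
    to_buyer!ship
}

init {
    atomic { run CCP(); run buyer(); run seller() }
}

/* Commitments in good states: from some point on, no commitment is base-level. */
#define no_base (cc[0].state != base && cc[1].state != base)
ltl good_states { <> [] no_base }
```

`spin -a ccp_demo.pml && gcc -o pan pan.c && ./pan -a -N good_states` checks the liveness claim. If a role reports an event its commitment cannot take (for example a `c_precond` arriving after the commitment was already discharged, which happens if the seller's `to_buyer!ship` is moved ahead of its `to_ccp` sends), the `else` branch fails its `assert(false)` and `spin -t -p ccp_demo.pml` replays the interleaving. The claim uses `<>[]` rather than the bare `<>` of Demo 1 because in this model the uninitialized state 0 already satisfies `state != base`, so `<> no_base` would hold in the initial state without exercising any transition.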
Demo 2
- Ensure goods if payment
- [] (gateway_authOK -> <> shipper_shipOrder)
Demo 3
- If the quote is rejected, then no payment is captured
- [] !(buyer_rejectQuote && gateway_captured)
Outline: Discussion
- Motivation
- Approach
- Results
- Discussion
Discussion
- Commitment propagation is difficult because Promela cannot create new commitments dynamically (all data structures are statically declared)
- It is difficult to write concise formulas for commitment checking
Related Work
- Service composition V&V
  - Foster et al. verify BPEL implementations against specifications in MSC and FSP, with a focus on control-flow logic
  - Xu et al. use the model checker SPIN to verify properties of BPEL implementations
- Behavior compatibility
  - Interface compatibility checking focuses on method-call dependencies between software modules (Chakrabarti et al. 2002)
Contributions
- Modeling of commitments in business processes
- Modeling of protocols and their composition
- A general way to uncover inconsistencies and errors in protocol composition
Thanks
Service Characteristics in SOA
- Openness: services cross enterprise boundaries
- Autonomy: services comprise autonomous resources that belong to different parties, each of which has sole control of its service
- Heterogeneity: results from political reasons like ownership and technical reasons like implementation
- Loose coupling: results from the autonomy of services
Current Practice of Checking Service Composition
- Errors can happen anywhere in a service composition:
  - Syntactic errors: can be checked automatically by the compiler or IDE
  - Semantic errors: checked mainly by humans, who verify and debug whether the composition behaves as it should
Why This Is a Research Issue
- Practical value: uncover protocol composition errors as early as possible
- Why is it not solved already? Most verification research follows the model checking approach, but the solutions (LTL formulas for the properties) are specific to the model under investigation
- General approach: given a composition and the services it uses, we can answer whether there are any compatibility errors
My Current Approach
- Utilize as much as possible the existing tools and state-reduction algorithms for model checking
- A formalized approach that solves the problem for at least a large category of general scenarios
Purchase Example
Service Composition
- Build a new application or service from existing services.
- In business: purchasing is one of the most common processes in business. A travel agent provides flexible travel planning to customers by utilizing services from hotel, car rental, and airline companies.
- In science: build scientific workflows by flexibly combining services, databases, and tools available from many research organizations.