Supratik Mukhopadhyay
1

What we want:
2

3




Adaptability


Provide acceptable failures, overload, or damages
Rapid reconfiguration to achieve users’ new missions
Security


Authentication for both users performance in the presence of system and service providers
Protection of critical information infrastructure of distributed services based on flexible security policies

For example, access control requirements
Situation-Awareness (SAW) – capability of being aware of complex situations for


Service coordination
Adapting workflows when situations change

Enforcing situation-aware security policies
4







Motivations
A Running Example
Formal Architecture
Modeling of Service-based Systems

A calculus (with semantics) and a logic
Automated Synthesis of Processes (agents) from logical specifications

Synthesis by natural deduction using Curry-Howard like correspondence
Demo
5





Grand Challenges in Computing Research

Edited by Hoare and Milner
Science for Global Ubiquitous Computing (GUC)
Develop models for systems composed of ad-hoc networks of diverse components
Models need to support context-awareness, adaptive behavior, loose coupling, security, …
Develop calculi and logics to formalize notions of self and context-awareness, migration, …
Develop models for acquisition, distribution, management and sharing of knowledge, and building trust based on such knowledge …
Develop new type systems, new static analysis techniques, new verification techniques suitable for the GUC
6

Accident Report
911
AMS
AMB
Police Dept.
(PD)
Send
Patrol Car
PCAR
Fire Dept.
(FD)
L
FE
7

3
 Service coordination requirements
 911 center (911) receives information about accident from observer
 911 sends accident report (including accident location) to the city fire department (FD), the city police department (PD), and the city ambulance management system (AMS)
 FD, PD, and AMS send a fire engine (FE), a police car (PCAR), and an ambulance (AMB) respectively to the accident location
8

Goal
Timing &
Resource
Specifications
Service
Specifications
SAW
Specifications
Security Policy
Specifications
Customizable
Failure Handling
Specifications
NMR
Axioms
Workflow &
Coordination
Axioms
SAW
Axioms
Security Policy
Axioms
Natural Deduction-Based Proof System Kernel
Failure Handling
Axioms
Backup Workflow Agents
SAW
Agents
Security
Agents
AS
3
Logic
Execution
Monitoring
Workflow Scheduler
Resource
Agents
Annotated
Workflow Agents
AS
3
Cal2SOL
Compiler
SOL2Java
Compiler
Distributed
SINS Agents
9

1.
2.



BPEL/BPEL4WS: Industry standard
For modeling and executing workflows
Lacks formal semantics
Does not provide automatic service composition and adaptation



OWL-S, Web Components:
Provides constructs for unambiguously describing the properties and capabilities of Web services
Provides limited formal guarantees
Does not provide automatic service composition
10

3



Provide a formal programming model for servicebased systems
Is based on classical process calculi, and has operational semantics involving interactions between:
 external actions: communication, leaving and joining groups

 internal computations: method calls of named services
Continuation passing used to provide semantics of
asynchronous service-invocations
Can model timeouts and failures (in monadic style)
11

3
(System)
S::= fix I=P (recursion)
N[S] (named domain)
S||S (Sys. Comp.)
N ::= x (variable) n (name)
(Process)
P::=
(new n) P (name restriction)
0 (inactive process)
P par P (par. composition)
I (identifier)
E.P (external action)
C.P (int. computation)
P1+P2 (nondet. choice) fail(I) (failure) catch(I).P (failure handler)
P{l
1
(x
1 time t.P (timeout)
),…;…l n
(x n
)} (method export)
 External action involves communication, leaving or joining groups, removing firewalls
 Internal computation takes place by calling methods of identified services
12

E ::=
M (Domain)
K (Comm.)
M ::= in N (enter a dom.) out N (exit a dom.) open N (open firewall)
ε (no action)
K::= (Comm.)
Ch(x) (input)
Ch<Str> (output) mc(C
1
,…,C n
)<Str> (multicast)
Ch::= N (Channel)
13

C::= let x=D instantiate C (let reduction) if ρ then P else P’ (conditional) replace(I:l i l ← l i
) (method replacement) j
(method modification)
ρ (constraint evaluation)
ε (no-computation) tt (constant true) ff (constant false)
⊥ (failed computation) pre::=  [y]  ρ[y] post::= (  [x]  ρ[x]) x
 ::= b (base type)
 →  (function type)
D::=
I:l i
(y) (method invocation for identified service)
I:l i
= pre i
::post i
[y]
ρ::= x  y+c x>y+c x  y+c x<y+c
14

3
Γ
Γ
Γ/I’ ├ I:l i
=pre::post[x i
]
__________________________________________ (service invocation 1)
Γ
Γ/I’ ├ I:l i
(y) → pre::post[y/x i
]
Γ/I’,N ├ pre[y/x i
]→tt
__________________________________________ (service invocation 2)
Γ/I’ ├ pre::post[y/x i
]→post[y/x i
]
Γ/I’,N ├ pre[y/x i
]→ff
___________________________________________ (service inv. fail)
Γ/I’ ∪{ failure(I’)} ├ pre::post[y/x i
]→ ⊥
15

911
3
System fix 911= tel(x). fd<x>.
pd<x>.ams<x>.
911
Police Dept.
(PD) fix PD= pd(x).
let y= pcar:dispatchCAR(x) instantiate if y== ‘car_sent’ then PD else fail(PD)
AMS fix AMS= ams(x).
let y= amb:dispatchAMB(x) instantiate if y== ‘amb_sent’ then AMS else fail(AMS)
16

3
L
(x) fix 911= tel(x). fd<x>.
pd<x>.
ams<x>.
911
AMS
Police Dept.
(PD)
Fire Dept.
(FD)
17

3
Car Sent
PCAR
Police Dept.
(PD)
<x> fix PD= pd(x).
let y= pcar:dispatchCAR(x) instantiate if y== ‘car_sent’ then
PD else fail(PD)
18

3

Can we synthesize AS 3 processes automatically from declarative specifications?

Yes
19

2.
3.
1.
4.
Services described in AS 3 logic along with proof rules of the logic form a theory of AS 3 systems
Functional requirements of the mission along with QoS (real-time, security, situationawareness) described as formulae in AS 3 logic
Synthesis amounts to a natural deduction of
the requirements using the AS 3 theory with service discovery and composition being the computation of a Craig interpolant
Calculus terms directly synthesized from the proof using Curry-Howard like correspondence
20

3



Hybrid Modal Logic talking both about time and space


Sometime modality for temporal evolution, somewhere modality for spatial location
Nominals standing for state
Modalities for communication, leaving joining domains
Atomic formulas for describing relations among variables
21

3
φ ::= pred(x
1
,…,x n
0 (inactivity)
) (user defined atoms) t~c (atomic constraint)
φ
1
∨
φ
2
(disjunction)
┐ φ (negation)
◊ φ (sometime)
Θ φ (somewhere)
I (identifier/nominal match)
~::=> | <| ≤| ≥ c: Natural Number
22

3
φ1|| φ2 (parallel composition)
η[φ] (named domain)
φ@η (behavior within domain)
K(u; φ) (knowledge of an object) serv(u;v; Φ,I) (recording of an object)
 n φ
 t φ
(quantification over names)
(quantification over real variables) in(n) φ (behavior after entering domain) out(n) φ (behavior after leaving domain)
<u> φ
(behavior after sending message)
T (constant true)

I φ (quantification over nominals)
23

3


We provide a constructive interpretation of the logic for process synthesis
Sound (and complete) proof theory (natural
deduction-based)
24

3
Entities: (Nominals/Identifiers)
911, PD, AMS, FD
FE, AMB, PCAR
Coordination Requirements:
◇ K(“accident”,x; 911) 
( ◇<x>911 
))
C1: <x>911 → ◇ K(x; PD)  ◇ K(x; AMS)  ◇ K(x; FD)
C2: K(x; PD) →◇ serv(pcar_response; x; PD ; W)
C3: K(x; AMS) →◇ serv(amb_response; x; AMS; S)
C4: K(x; FD) →◇ serv(fe_response; x; FD; U)
C5: serv(“car_sent”; x; PD ; W) →◇T
C6: serv(“amb_sent”; x; AMS ; S) →◇T
C7: serv(“fe_sent”; x; FD ; U) →◇T
25

Service Specifications in
AS 3 Logic
S1: dispatchAMB(x;amb;W) →
◇ serv(amb_response;x;W;amb)
S2: dispatchCAR(x;pcar; S) →
◇ serv(pcar_response;x;U;pcar)
and one other axiom
26

K(“accident”,x; 911)
<x>911 fix 911= tel(z).tel(x).
pd<x>.ams<x>.fd<x>.
C1: <x>911 → ◇ K(x; PD)  ◇ K(x;
AMS)  ◇ K(x; FD) fix PD=pd(x).
K(x; PD)
K(x; AMS)
K(x; FD) fix AMS=ams(x).
fix FD=fd(x).
27

G: serv(amb_response; x; AMS; amb)
α: dispatchAMB(x;amb;AMS)
[α: dispatchAMB(x;amb;AMS)
]
S1: dispatchAMB(x;amb;AMS) →
◇ serv(amb_response;x;AMS;amb)
D1: ◊ serv(amb_response; x; AMS; amb) fix AMS=
… let y= amb:dispatchAMB(x) instantiate
…
28

END
29

[
1] Distributed control and co-ordination of autonomous agents in a dynamic, reconfigurable system “US Patent Number:
6336781”
[2] Process and system for managing run-time adaptation for general purpose distributed adaptive applications “US Patent
Number: 6324619”
[3] Servlet-based architecture for dynamic service composition “US Patent Number: 6330710”
[4] Method and apparatus for providing a dynamic service composition software architecture “US Patent Number: 6256771”
[5] Security and emergency communication service coordination system and notification control method therefore “US
Patent Number: 6337621”
[6] Generic service coordination mechanism for solving supplementary service interaction problems in communication system “US Patent Number: 5742673”
[7] S. Yau et al., Reconfigurable Context-Sensitive Middleware for Pervasive Computing, IEEE Pervasive Computing, vol.
1(3), 2002, pp. 33-40.
[8] M. Mikic-Rakic, N. Medvidovic: Adaptable Architectural Middleware for Programming-in-the-Small-and-Many. Middleware
2003: 162-181.
[9] A. Ranganathan, R. H. Campbell: A Middleware for Context-Aware Agents in Ubiquitous Computing Environments.
Middleware 2003: 143-161.
[10] A. Popovici, A. Frei, G. Alonso: A Proactive Middleware Platform for Mobile Computing. Middleware 2003: 455-473.
[11] U. Lang, Access Policies in Middleware, PhD Thesis, University of Cambridge, 2003
[12] T. Abdelzaher, B. Blum B, Q. Cao, Y. Chen, D. Evans, J. George, S. George, L. Gu, T. He, S. Krishnamurthy, L. Luo, S.
Son, J. Stankovic, R. Stoleru and A. Wood, EnviroTrack: Towards an Environmental Computing Paradigm for Distributed
Sensor Networks , The 24th International Conference on Distributed Computing Systems. Tokyo, Japan. March 23-26,
2004.
[13] S. Yau, H. Davulcu, S. Mukhopadhyay, D. Huang and Y. Yao, Adaptable, Situation-aware, Secure Service-based (AS3)
Systems, Proceedings of the IEEE International Symposium Object-oriented, Real-time, Distributed Computing
(ISORC’05), 2005.
[14] R. Bharadwaj, S. Mukhopadhyay and N. Padh, “Service Composition in a Secure Agent-based Architecture”, Proceedings of the IEEE International Conference on E-Technologies, E-commerce and E-Service (EEE’05), pp 787—788, 2005
[15] Internet2 Medical Middleware (MedMid) Working Group: Draft Workplan Scenarios, 2003
30

[16] E. Sirin, J. A. Hendler, B. Parsia: Semi-automatic Composition of Web Services using Semantic Descriptions. WSMAI 2003: 17-24
[17] Z. Duan, A. J. Bernstein, P. M. Lewis, S. Lu: Semantics Based Verification and Synthesis of BPEL4WS Abstract Processes. ICWS 2004: 734-737
[18] G. C. Necula: Enforcing Security and Safety with Proof-Carrying Code. Electr. Notes Theor. Comput. Sci. 20: (1999).
[19] B. Li, K. Nahrstedt, A Control-based Middleware Framework for Quality of Service Adaptations, IEEE Journal on Selected Areas in
Communication, vol 17, No. 9, September, 1999
[20] K. Roemer, O. Kasten, F. Mattern, Middleware Challenges in Wireless Sensor Networks, Mobile Computing and Communications Review, vol 3,
No. 2, 2002
[21] F. Curbera et. al., Business Process Execution Language for Web Services, 2002
[22] E. Christensen et. al, The Web Services Description Language (WSDL), IBM
[23] T. Berners-Lee et. al, The semantic web, Scientific American, May 2003
[24] A. Ankolekar, F. Huch and K. Sycara. Concurrent Execution Semantics for DAML-S with Subtypes. In Proceedings of The First International
Semantic Web Conference (ISWC), 2002
[25] E. Newcomer. Understanding Web Services. Addison Wesley, 2002.
[26] Endrei, M.; Ang, J.; Arsanjani, A.; Chua, Sook; Comte, P; Krogdahl, P; Luo, M; and Newling, T. (2004) Patterns: Service-oriented Architecture and Web Services.
IBM Redbook, ISBN 073845317X
[27] D. Bell and L. La Padula. Secure Computer Systems: Unified Exposition and Multics Interpretation, Technical Report, Mitre Corporation, 1975
[28] S. Ponnekanti and A. Fox, SWORD: A Developer Toolkit for Web Service Composition, In Proceedings of WWW 2002
[29] J. Rao et. al, Application of Linear Logic to Web Service Composition, 2004
[30] Gruia-Catalin Roman, Jamie Payton: Mobile UNITY Schemas for Agent Coordination. Abstract State Machines 2003: 126-150.
[31] Cédric Fournet, Georges Gonthier: The Join Calculus: A Language for Distributed Mobile Programming. APPSEM 2000: 268-332.
[32] L. Cardelli, A. D. Gordon: Mobile ambients. Theor. Comput. Sci. 240(1): 177-213 (2000)
[33] Woodman, S.J., Palmer, D.J., Shrivastava, S.K, and Wheater, S.M.: Notations for the Specification and Verification of Composite Web
Services, In Proc. of 8th IEEE Int’l Enterprise Distributed Object Computing Conf.
(SLAP’ 02).
(EDOC '04)
[34] R. Milner: Communication and Concurrency, Prentice Hall, 1989
[35] Gérard Berry, Gérard Boudol: The Chemical Abstract Machine. In Proceedings of POPL 1990: 81-94
[36] N. Milanovic and M. Malek: Current Solutions for Web Service Composition, IEEE Internet ComputingNovember/December 2004 (Vol. 8, No.
6) pp. 51-59
[37] R. Bharadwaj, “SOL: A Verifiable Synchronous Language for Reactive Systems,” Proc. Synchronous Languages, Applications, and Programming http://chacs.nrl.navy.mil/publications/ CHACS/2002/2002bharadwaj-entcs.pdf
31

3
______________________________ (fail computation)
⊥ .P→fail
C→a
_______________________________ (beta reduction) let x=C instantiate P →P[a/x]
C(x)→true
_______________________________ (cond eval. true) if C(x) then P else P’ →P
32

3
C(x)→false
____________________________ (cond. Eval. false) if C(x) then P else P’ →P’
C(x)→a
_____________________________ a  {true,false} (cond fail) if C(x) then P else P’ →
⊥
33

_____________________________ (migration inside a domain) in n.P || n[Q] →n[P||Q]
______________________________ (communication)
<m>.P || (x).Q→ P||Q[m/x]
Back
34


A process is congruent to its alpha-renamed variant
If P ≌Q then
1.
C.P ≌ C.Q
2.
3.
A.P ≌ A.Q
P||R ≌ Q||R
4.
5.
6.
7.
8.
R||P ≌ R||Q
N[P] ≌ N[Q]
(new n) P ≌ (new n) Q fix I=P ≌ fix I=Q
P+R ≌ Q+R
35





We impose the following restrictions on processes


Recursive processes are guarded
Parallel composition through recursion is not allowed
(similar to Pi-calculus [Dam 93])
A type system can check for well-formedness of processes
Image Finiteness: A closed process term can only evolve (in zero or more steps) into finitely many non-congruent process terms using the reduction rules
Restrictions ensure that every process is image finite
Back
36

3
P ╞ I if fix I=P
P ╞ <u> φ if there exists Q, R,S,T P ≌<u>Q,
R ≌ (x).S,T= P||R and Q ╞ φ
P ╞ pred(u
1
,…,u n
) if for any Q, with P ≦ Q, Q is annotated with pred(u
1
,…,u n
)
P ╞ in(n)
φ if there exists Q, n, R, S, P ≌ in n.Q,
Q ╞ φ @n, S ≌ P || n[R]
Back
37

A3: ┐ restrict(I,σ)→Θ(I ||σ)
A4:
Θn[ρ || σ] ∧ Θ(φ || σ)→Θn[φ || σ || ρ]
A5: restrict(
φ,σ) ∧ ┐ restrict( φ,ρ ) → restrict(φ || ρ,σ)
A6: next_hierarchy(I,σ)→restrict(I,σ)
A7: restrict(I,σ) /\ Θ(I || J)→restrict(J,σ)
A8: restrict(σ,φ)→restrict(φ,σ)
A9: Θn[φ || J] /\ restrict(K,J)→Θn[φ ||m[K] || J] V Θ(n[φ || J] || m[K])
[Back]
38

3
S3: dispatchFE(x;fe;S) →
◇ serv(fe_response;x;S;fe)
back
39





System was synthesized based on the assumption that services do not behave maliciously: Unrealistic assumption
Runtime enforcement ensures diagnosis of malicious behavior on the part of services and subsequent recovery
Service specifications used to generate symptoms
Abduction based diagnosis uses the models
(process terms) to diagnose breach of trust by services and ensure recovery
40

3



Adaptability

Provide acceptable performance in the presence of system failures, overload, or damages
Rapid reconfiguration to achieve users’ new missions

Security


Authentication for both users and service providers
Protection of critical information infrastructure of distributed services based on flexible security policies

For example, access control requirements
Situation-Awareness (SAW) – capability of being aware of complex situations for


Service coordination
Adapting workflows when situations change

Enforcing situation-aware security policies
41


A simplified version of the ship scenario in the overview slides




Intrusion of enemy detected by Monitoring
Agent that reports to the CMD
The CMD directly asks shipA (or shipB) to destroy the enemy ship rather than sending a warning
We assume no failures take place
The Combat System Agent has been eliminated
42

3
System = MA || CMD || fleet [shipA || shipB] fix MA = if MA: detect_intrusion() then let <x,y>= MA: get_enemy_coordinates()
<x,y>.MA else
MA fix CMD =
(x,y). in fleet.<x,y>.<destroy>.out fleet.CMD
instantiate fix shipA= (x,y).(d).
if d=“destroy” then
(shipA:lock_radar(x,y).shipA:load_missile().(let z=shipA:fire() instantiate if z= enemy_destroyed then <z> ) then shipA) else shipA shipB ≌ shipA
43



A proof engine for the AS 3 logic
Design of efficient proof strategies that involves:

 proof by deduction proof as a satisfiability problem
 efficient SAT solvers
 efficient automata theoretic procedures
44

3



Security (access control) model synthesized through formula rewriting using sound transformation rules in AS 3 logic
Service specifications including QoS properties axiomatized in AS 3 logic
Functional as well as QoS goals of a mission expressed in AS 3 logic
45

3

All axioms of constructive propositional modal logic and the following axioms:
T1: Θ(σ || n[φ])
 next_hierarchy( σ,φ)
T2: next_hierarchy( φ ,σ)→Θσ
T3: Θ◊ φ → ◊Θ φ
T4: φ → Θ φ
T5: ΘΘφ  φ
46

3
Failure semantics specified as a monad type M a = uP | uC | failure(I) | ⊥
Γ/I’ ├ Comp(x)
Γ/I’ ├ val x = t
Γ/I’ ├ post ::= (  [x]  ρ[x]) x ┐ (Γ/I’ ∪ N ├ (  [x]  ρ[x])[t/x])
_________________________________________________ __________________________________________________________________________ ______________ (service fail)
Γ ∪{failure(I)}├ post →⊥
Γ ├ failure(I)
_____________________________________________________________________________________________ ___________________-
Γ/I’ ├ catch(I).P → fail(I)
(failure compusitio 1)
┐ ( Γ ├ failure(I))
__________________________________________________________________________________ ______________________________
Γ/I ├⊥.P → P
(failure composition 2)
47

3
Γ ├ Comp(x)
Γ ├ val x = t
Γ ├ post ::= (  [x]  ρ[x]) x Γ ∪ N ├ (  [x]  ρ[x])[t/x]
_________________________________________________ ______________________________________________________________ _______________ (post ev)
Γ ∪{x=t}├ post → t
Γ ├ Comp(x)
Γ ├ post → t
________________________________________________________________________________________________________ (let reduct)
Γ ├ let x=D instantiate C → C[t/x]
Γ ├ Comp(x)
Γ ├ Comp(y)
Γ,N ├ ρ[x,y]
________________________________________________________________________________________________________ (cond eval. true)
Γ ├ if ρ[x,y] then P else P’ → P
back
48




Adaptability


Provide acceptable failures, overload, or damages
Rapid reconfiguration to achieve users’ new missions
Security


Authentication for both users performance in the presence of system and service providers
Protection of critical information infrastructure of distributed services based on flexible security policies

For example, access control requirements
Situation-Awareness (SAW) – capability of being aware of complex situations for


Service coordination
Adapting workflows when situations change

Enforcing situation-aware security policies
49




Rule-based Modeling (SWORD) [28]:


Does not allow services having side effects
Currently, no work is known that uses SWORD for modeling situation-awareness or security policies
Classical Process Calculi and Synchronous Programming
Languages:



Pi calculus [33,34], Ambient Calculus [32], Chemical Abstract
Machine [35]: Does not provide facilities for processing situation information and reacting to it
SOL [37]: Does not provide facilities for automatic service composition
Provides ways for formal reasoning
Linear Logic [29]:

Undecidable: provides only semi-automated service composition
50