Model Checking Approaches for Web Service Verification

1
Model Checking Approaches for Web Service
Verification

• Hidayet Ozgur Sanli
• hedo_at_asu.edu

2
Contents

• Motivation
• Whats model checking?
• Model checking tools
• Model-Based Verification of Web Service
  Compositions
• Verification of Web Service Flows with
  Model-Checking Techniques
• Conclusions
• References

3
Motivation

• Service aggregation
• Combining existing web services
• Robustness against requirements change
• Flow description is used for expressing how
  various web services should be composed
• Faulty flow descriptions is not desirable since
  tremendous amount of shared network resources are
  consumed
• Runtime verification of compositions for
  properties such as deadlocks and usability
  assessment of partnered services is needed

4
Motivation (contd)
Control flow
Data flow
Late Binding in Web Service Composition
5
Motivation (contd)
Ticket Order as a composite web service
6
Whats model checking? 1

• Model checking is a method to algorithmically
  verify finite state systems formally
• Model checking is to verify that, the model,
  often deriving from a hardware or software
  design, satisfies a logical specification
  (determining the truth of formulas)
• The model is usually expressed as a directed
  graph with nodes, representing states of the
  system, and edges represent possible alterations
  of the state

7
What is model checking? (contd)

• Requirements for model checking
• Modelling language to describe the system
• Specification language to formulate properties
• Calculus/Algorithm to verify specification
• Automated model checkers traverse all reachable
  system states
• Many practical applications
• Communication Protocols
• Electrical Circuits
• Digital Controllers

8
What is model checking? (contd)

• Correctness properties
• Safety
• Nothing bad ever happens
• Formalized using state invariants (execution
  never reaches a bad state)
• Liveness
• Something good eventually happens
• Formalized using temporal logic
• (always)
• ltgt (eventually)
• () (next cycle)
• (-) (previous cycle)
• U (strong until)

9
What is model checking? (contd)

• (signalA 1 -gt ()signalB 0)
• It is always the case that signalA equals one
  implies signalB equals zero on the next cycle
• (signalA 1 -gt (-)signalB 0)
• It is always the case that signalA equals one
  implies signalB equals zero on the previous cycle
• ltgt(signalA1()()signalBlt2)
• Eventually, if signalA is equal to one, and then
  two cycles and always after that, signalB is less
  than 2

10
Model Checking Tools (SPIN)

• The most popular model checker (ACM Software
  Award)
• Automata based model checker
• System is described as programs in the Promela
  language which is close to a real programming
  language
• Finite state model is generated from the Promela
  description automatically
• System described as a collection of concurrent
  processes
• Processes communicate and synchronize via message
  channels and global variables

11
Model Checking Tools (contd)

• Promela
• Macro definitions
• define NBUF 1
• Symbolic constants
• inputtype LOW, MEDIUM, HIGH
• Synchronous message channel
• chan sender NBUF of short
• Process Instances
• active proctype Receiver()
• Sending messages
• receiver!MSG0
• Receiving messages
• sender?ACK0

12
Model Checking Tools (contd)
Alternating Bit Protocol in Promela
13
Model Checking Tools (contd)

• Promela code is used to generate Labelled
  Transition System (LTS)
• SWITCH OFF,
• OFF (on -gt ON) ,
• ON (off -gt OFF).

14
Model-Based Verification of Web Service
Compositions 2

• A Comparison based Verification Approach
• Use Labelled Transition System Analyzer (LTSA)
  and Message Sequence Charts (MSC) of UML to
  capture desired user workflow behavior
• Write BPEL4WS implementation
• Generate BPEL4WS model in FSP for use within LTSA
• Use LTSA model checker to detect possible
  scenarios that the model supports but undefined
  by user
• Examine trace results of the FSP model checking
  and iterate tracing until no violations
  deadlocks discovered.

15
Model-Based Verification of Web Service
Compositions (contd)
Model Based Verification Architecture
16
Model-Based Verification of Web Service
Compositions (contd)
Layers of modeling abstraction and implementations
17
Model-Based Verification of Web Service
Compositions (contd)

• Specification is created as part of requirements
  consisting the upper two layers
• The workflow is implemented by the software team
  focusing on the lower two layers
• FSP representation forms the bridge between
  specification and implementation
• Model checking is done on the design and
  implementation models using trace equivalence

18
Model-Based Verification of Web Service
Compositions (contd)
Market Place Context Diagram
19
Model-Based Verification of Web Service
Compositions (contd)
Seller
Market Place
Buyer
offer product
require product
Model the composition using LTSA-MSC scenarios
20
Model-Based Verification of Web Service
Compositions (contd)
LTSA tool provides a translation mechanism to
convert scenarios to FSP
21
Model-Based Verification of Web Service
Compositions (contd)
BPEL4WS Process Token Groups
22
Model-Based Verification of Web Service
Compositions (contd)
Conversion table for BPEL4WS structured and
concurrent groups to Promela
23
Model-Based Verification of Web Service
Compositions (contd)
Verification Process Map
for BPEL4WS Compositions
24
Verification of Web Service Flows with
Model-Checking Techniques 3,4
Verification Process Map
for WSFL based compositions
25
Verification of Web Service Flows with
Model-Checking Techniques
A
Deadlocked Flow Model
26
Verification of Web Service Flows with
Model-Checking Techniques
Promela Process
corresponding to a WSFL activity
27
Verification of Web Service Flows with
Model-Checking Techniques

• Wait loop
• Checks all the channels of the incoming control
  flows and waits until all the channels have
  definite values
• Join Step
• Reads out all logical values from the control
  channels and evaluates the join condition
• Materialize Step
• Extracts the necessary data from the input links
• Perform Step
• Kicks the service provider entry
• Call Exit Step
• Checks exit condition of activity for
  re-execution of Perform Step
• Control Step
• Computes information that will flow along the
  output control links
• Propagate Step
• Propagates information along all the output links
  of both control and data

28
Verification of Web Service Flows with
Model-Checking Techniques
Dead Path
Elimination
29
Conclusion

• Current web composition workflow languages
  lacks verifications testing aspect
• Model checking technique is useful for web
  services testing
• Recent work in verification of web services is
  transformation-based to make use of existing
  tools.

30
References

• 1 J. Magee and J. Kramer, Concurrency State
  Models and Java Programs, John Wiley, 1999
• 2 H. Foster, S. Uchitel, J. Magee, J. Kramer,
  Model-based verification of web service
  compositions, Proceedings of 18th IEEE
  International Conference on Automated Software
  Engineering, 6-10, Oct 2003 ,Pages152 161
• 3 S. Nakajima Model-Checking Verification for
  Reliable Web Services, OOPSLA 2002 Workshop on
  Object-Oriented Web Services, Nov 2002.
• 4 S. Nakajima Verification of Web Services
  Flows with Model-Checking Techniques, Proc. Cyber
  World 2002, pp. 378-385 (November 2002).