
Formal Description and Model Checking of Web Service (WS) Protocols



Friedrich Vogt
Head of Telematik Group
Technische Universität Hamburg-Harburg, Germany
http://www.ti5.tu-harburg.de/Staff/Vogt/





Abstract

Applying Formal Description Techniques (FDT) in the realm of protocol design and development is an ongoing attempt with many partial results. In this paper we advocate a rigorous approach suitable to increase the confidence that a particular design of a proposed protocol standard is provably correct. This is of vital interest now, since a large number of WS protocols are currently in the pipeline to be standardized. Since there is no FDT which fits all requirements, the focus of this paper is on the verification of design decisions at an early stage of the specification process. The judgement of suitability was therefore narrowed to the question of how easy it is to find design flaws, beside the overall claim that the application of an FDT always leads to a more thorough understanding of the protocol under consideration.




1. Introduction

Service-based architectures that cope with the increasing need for an interoperability framework between applications are currently state of the art. In particular, the advent of XML-schema-based interface standards like Web Services is being investigated broadly by standardization organisations and vendors on a global scale. That has led, and will further lead, to a large number of standards under consideration (e.g. basic Web Service specifications like SOAP, WSDL and UDDI, as well as advanced Web Service specifications like WS-Federation, WS-ReliableMessaging, WS-Security, WS-Transaction, or even WS application specifications like BPEL4WS).

It is obvious that the need to prove the correctness of the design of these protocols is emerging, since most of the advanced and application-specific WS protocols are not yet implemented, but will be in the near future. In order to avoid implementing design flaws, a rigorous proof of important properties has to be applied at the level of design abstractions. Since most of the currently used FDTs focus either on implementation abstractions or on interaction abstractions (e.g. Hoare-style abstractions), a specific need to support design abstractions is evident.

This observation led to the investigation of using the, in my opinion, most advanced and tool-supported specification approach, the Temporal Logic of Actions (TLA) developed by Leslie Lamport [Lamport 2003] (http://research.microsoft.com/users/lamport/tla/tla.html), for proving safety and liveness properties of WS design specifications. As a starting point the WS Atomic Transaction specification was chosen.



2. Specification of the WS Atomic Transaction protocol

The WS Atomic Transaction protocol specification, as published e.g. under http://www-106.ibm.com/developerworks/library/ws-transpec/, was used as a sample specification to exemplify the proposed approach. Applying TLA to an informal specification consisting of simple state diagrams is pretty straightforward as long as the overall message flow is understood and the states of the components are clear (initially they may be taken directly from the informal specification, with some minor changes if necessary for clarity).




3. Model Checking

After having created the TLA+ specification in cooperation with Leslie Lamport, it can be checked by running the model checker TLC. This check usually leads to several corrections of the specification, which at the level of non-trivial failures are semantic misinterpretations and/or flaws in the informal specification.
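The two steps of sections 2 and 3 (turn the informal state tables into a state machine, then let a model checker enumerate every reachable state and report the first trace that violates a property) can be re-enacted without TLA+. The Python program below is an added example, not code from the paper and not a TLA+ specification: it hand-models a two-phase-commit completion protocol in the spirit of WS-AtomicTransaction with one coordinator and two participants, explores the reachable state space breadth-first the way TLC does, checks the safety property that no participant commits while another aborts, and returns the shortest counterexample together with the set of terminal states. The state and action names are constructed for this example, and the "flawed" variant, in which the coordinator commits as soon as any one participant is prepared, is a constructed misreading of the commit rule used to show how such a flaw surfaces as a trace; it is not a flaw reported by the paper.

```python
"""Explicit-state model checking of a two-phase-commit (2PC) completion
protocol, in the spirit of WS-AtomicTransaction.

Added example, not code from the paper and not a TLA+ specification: it
re-enacts what TLC does over a hand-made abstraction. State and action
names are constructed for this example; the "flawed" variant is a
constructed misreading of the coordinator's commit rule, not a flaw
reported in the WS-AT specification.
"""
from collections import deque

PARTICIPANTS = ("p1", "p2")  # constructed model: one coordinator, two participants


def next_states(state, flawed=False):
    """Enumerate (action, successor) pairs for one protocol state.

    state = (coord, parts); parts lists the participant states in
    PARTICIPANTS order. Participant states: active, prepared, committed,
    aborted. Coordinator states: active, preparing, committing, aborting.
    """
    coord, parts = state
    succ = []

    def with_part(i, new):
        return tuple(new if j == i else s for j, s in enumerate(parts))

    if coord == "active":
        succ.append(("CoordPrepare", ("preparing", parts)))
    if coord in ("active", "preparing") and "aborted" in parts:
        succ.append(("CoordAbort", ("aborting", parts)))
    if coord == "preparing":
        # Correct rule: commit only once *every* participant is prepared.
        # Constructed flaw: commit as soon as *any* participant is prepared.
        quantifier = any if flawed else all
        if quantifier(s == "prepared" for s in parts):
            succ.append(("CoordCommit", ("committing", parts)))
    for i, s in enumerate(parts):
        name = PARTICIPANTS[i]
        if coord == "preparing" and s == "active":
            succ.append((f"Prepare({name})", (coord, with_part(i, "prepared"))))
        if s == "active":  # a participant may abort unilaterally while active
            succ.append((f"Abort({name})", (coord, with_part(i, "aborted"))))
        if coord == "committing" and s == "prepared":
            succ.append((f"Commit({name})", (coord, with_part(i, "committed"))))
        if coord == "aborting" and s in ("active", "prepared"):
            succ.append((f"Rollback({name})", (coord, with_part(i, "aborted"))))
    return succ


def consistent(state):
    """Safety property: no participant is committed while another is aborted."""
    _, parts = state
    return not ("committed" in parts and "aborted" in parts)


def model_check(flawed=False):
    """Breadth-first exploration of every reachable state (what TLC does).

    Returns a dict with the number of distinct states, the set of terminal
    states (no enabled action), and 'trace': None if the invariant holds
    everywhere, else the shortest list of (action, state) steps that
    reaches a violating state.
    """
    init = ("active", tuple("active" for _ in PARTICIPANTS))
    parent = {init: None}  # state -> (action, predecessor), None for init
    queue = deque([init])
    violation, terminals = None, set()
    while queue:
        s = queue.popleft()  # BFS: the first violation dequeued is shortest
        if violation is None and not consistent(s):
            violation = s
        succ = next_states(s, flawed)
        if not succ:
            terminals.add(s)
        for action, t in succ:
            if t not in parent:
                parent[t] = (action, s)
                queue.append(t)
    trace = None
    if violation is not None:
        trace, s = [], violation
        while parent[s] is not None:
            action, prev = parent[s]
            trace.append((action, s))
            s = prev
        trace.reverse()
    return {"states": len(parent), "terminals": terminals, "trace": trace}


if __name__ == "__main__":
    for flawed in (False, True):
        r = model_check(flawed)
        label = "flawed" if flawed else "correct"
        print(f"{label} model: {r['states']} states, "
              f"terminal states: {sorted(r['terminals'])}")
        if r["trace"] is None:
            print("  invariant holds in every reachable state")
        else:
            print("  counterexample:")
            for action, state in r["trace"]:
                print(f"    {action:14} -> {state}")
```

Two things the paper reports fall out of the run: the correct model finishes in only the two consistent terminal states (all committed or all aborted), which is exactly the "not in an inconsistent final or finishing state" property of section 4, and the flawed model yields a five-step trace ending with one participant committed and the other aborted, which is the kind of "semantic misinterpretation" of a state table that the checker turns into a concrete counterexample.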



4. Conclusions

The exercise showed that using TLA as a method to prove properties like "the protocol is not in an inconsistent final or finishing state" is possible with a relatively moderate effort. It also showed that the proposed state tables attached to the informal specification were not correct and had several states not relevant at the design specification level. That indicates that the TLA+ language can be successfully applied to non-trivial informal protocol specifications as usually produced by different standardization committees. Particularly useful for this exercise was the tool which is part of the TLA approach, the model checker TLC. Since it did prove that TLA+ is very much suitable as a design abstraction specification language, it is hoped that many more will take up this approach for protocol verification/model checking.



References

[Lamport 2003] Leslie Lamport, "Specifying Systems: The TLA+ Language and Tools for Hardware and Software Engineers", Addison-Wesley, 2003, ISBN 0-321-14306-X.