Department of Informatics
Contract-based Internet Service Software Development: A Proposal
Research Report No. 333
Pablo Giambiagi
Olaf Owe
Gerardo Schneider
Anders P. Ravn
ISBN 82-7368-288-9
ISSN 0806-3036
January 2006
Pablo Giambiagi∗, Olaf Owe†, Gerardo Schneider‡, Anders P. Ravn§
Abstract
The fast evolution of the Internet has popularized service-oriented architecture's dynamic IT-supported inter-business collaborations. Yet, interoperability between different organizations requires contracts to reduce risks. Thus, high-level models of contracts are making their way into service-oriented architectures, but application developers are still left to their own devices when it comes to writing code that will comply with a contract. This paper surveys existing and proposes new language-based solutions to the above problem. Contracts are formalized as behavioral interfaces, and abstraction mechanisms may guide the developer in the production of contract-aware applications. We concentrate on contracts dealing with performance (real-time) and information flow (confidentiality).
1 Introduction
Already several years ago, technology gurus predicted that the next big trend in software system development would be the service-oriented architecture, SOA. A successful integration of loosely-coupled services belonging to different, sometimes competing, but always collaborating organizations would
∗ SICS, P.O. Box 1263, SE-16429 Kista, Sweden. E-mail: pablo@sics.se
† Dept. of Informatics, Univ. of Oslo, P.O. Box 1080 Blindern, N-0316 Oslo, Norway. E-mail: olaf@ifi.uio.no
‡ Dept. of Informatics, Univ. of Oslo, P.O. Box 1080 Blindern, N-0316 Oslo, Norway. E-mail: gerardo@ifi.uio.no
§ Dept. of Computer Science, Aalborg University, Fredrik Bajers vej 7E, DK-9220 Aalborg, Denmark. E-mail: apr@cs.aau.dk
abling the formation of virtual organizations where SMEs¹ would join forces to thrive in ever increasingly competitive global markets. While the dream lives on, and the industry develops and deploys web services, the degree of integration achieved between different organizations remains low. Collaboration presumes a minimum level of mutual trust, and wherever trust is not considered sufficient, business people turn to contracts as a mechanism to reduce risks. In other terms, for the SOA to deliver its promised advantages, developers need cost effective contract management solutions.
Researchers and industries alike have begun addressing this very essential issue with a top-down approach. Several electronic contract languages, their models and reasoning techniques are in the process of being discussed and refined. While this is a natural approach, we see the absolute need to provide the actual system developer with the means to implement their services to meet the requirements dictated by the contracts.
At the moment the developer faces a situation where the programming languages originally used to produce intra-organization, non-distributed applications are already overstretched to cope with issues of distribution across organizational domains. When it comes to contracts, the abstraction mechanisms of current languages give almost no assistance to the developer. Therefore we propose to use a richer language, based on the concepts of Creol [18], which allows formal verification of requirements of a contract to be done or even automated using the Maude tool [38].
1.1 Related Work
The programming language community has long identified the need to provide easier ways to extend the abstraction mechanisms of a language. One of the main approaches of the day is that of Aspect-Oriented Programming (AOP) [26], which helps separate cross-cutting concerns (like logging and access control) from the main business logic. AOP is composed of a set of techniques, including code instrumentation and runtime interceptors.
A similar approach uses composition filters (CF) [2], where the idea is not to replace the programming paradigm but to enhance the expressive power and maintainability of current object-oriented languages. CF may be considered as a modular extension to the object-oriented model with interface layers including the so-called filters. Advantages of CFs with respect to aspects are exposed in [12].
An alternative approach aims at defining new kinds of languages that
¹ SME: small and medium enterprise.
centrate on bridging the gap between the program language objects and the XML objects that web services should exchange [27, 28, 39], others provide abstractions to manipulate interfaces [17], and others address asynchronous communication by means of message passing [14]. In [17], for instance, a new language proposal has been presented, which combines XQuery's semantics with imperative constructs and a join calculus-style concurrency model. The proposed language seems to solve some of the problems of mainstream languages, like concurrency and message correlation problems, which arise for instance in Java and C#. It lacks, however, useful features like interface inheritance, and the current implementation is based on the shared-state concurrency and does not include correlated messages nor garbage collection.
The solutions mentioned so far still lack support for discovery, monitoring and management of contracts. Approaches like AOP and CF can potentially provide some help here (see e.g. [10]), but they fail to abstract low-level issues and basically leave too much freedom to the programmer (which leads to code maintenance and analysis issues).
Despite the current wide acceptance of AOP as a good paradigm for improving reusability and modularity, there is no convincing and final solution to the application of aspects to real-time systems. In some cases [55], aspect-orientation seems to perform better than object-orientation when dealing with real-time specification, regarding system properties such as testability and maintainability. On the other hand, in [7], there is a formal framework for multi-threaded software and multi-processor architecture software synthesis using timing constraints, where it is shown that aspect-oriented software development is not suitable for such cases.
A new concept for real-time system development (ACCORD) is presented in [53], combining both component-based and aspect-oriented software development (CBSD and AOSD, respectively). ACCORD bridges the gap between modern software engineering methods focused mainly on component models, interfaces and separation of concerns and real-time design methods, by proposing a model for software development using the advantages of both communities. As far as we know, the focus is primarily on the design methodology of real-time systems by using CBSD and AOSD, but not on analysis (e.g. verification) of real-time systems. It is not clear, either, how the methodology could be used in asynchronous open distributed systems such as the Internet.
Programs using real-time features are, in general, difficult to design and verify, even more when combined with an inheritance mechanism. Changing application requirements or real-time specifications in real-time object-oriented languages may produce unnecessary redefinitions. This is called the
work trying to solve this problem; it does so by proposing real-time composition filters. The idea seems attractive and could be incorporated within a contract-based approach.
A contribution towards verifying properties of contracts involving real-time as formulated in existing languages is found in [24, 23]. They use a translation to a real-time model checker to verify the cooperation aspect of contracts.
In conclusion, there is still plenty of work to do in directly supporting development of services that can be trusted to implement their contracts.
1.2 Overview
In the following section, we introduce Service Oriented Architectures (SOA) and Contracts. In Section 3, we discuss Programming Languages and SOA implementation. In Section 4, we identify open problems. In Section 5 we outline our research agenda while Section 6 concludes on its feasibility.
2 Service-Oriented Architectures
In a Service-Oriented Architecture (SOA), applications are essentially distributed systems composed of services (see Fig. 1, borrowed from [44]). A service is a loosely-coupled, technology neutral and self-describing computation element. Loose coupling is achieved through encapsulation and communication through message passing; technology neutrality results from adopting standardized mechanisms; and rich interface languages permit the service to export sufficient information so that eventual clients can discover and connect to it [44].
A SOA can be implemented in many different ways. A currently very popular approach uses a specific kind of service called web service. Web services exchange SOAP [51] messages over standard Internet protocols (e.g. HTTP) which carry a payload built from a stack of open XML standards [58]. There are strong similarities between services and components in a component-based system [52]. However, services usually have a coarser granularity and the communication medium (the Internet) with its high latency and openness constrains reliability and security in ways that easily go beyond what can be found in most component-based systems.
2.1 Contracts
The services in a SOA usually belong to different organizational domains and therefore there is no single line of authority regulating their interactions. In principle a consumer must trust the provider to deliver the expected service, or establish a contract with it. For our purpose, a contract is a generic term for the specification of a service which is negotiable and either statically enforceable or monitorable. In other words, a contract describes an agreement between distinct services that determines rights and obligations on its signatories, and for which there exists a programmatic way of identifying contract violations. In the case of a bilateral contract, one usually talks about the roles of service provider and service consumer; but multi-lateral contracts are also possible where the participants may play other roles. A service provider may also use a contract template (i.e. a yet-to-be-negotiated contract) to publish the services it is willing to provide. As a service specification, a contract may describe many different aspects of a service, including functional properties (i.e. behavior) and also non-functional properties like security (e.g. access control), quality of service (QoS), information flow and reputation.
Following [13], contracts may be classified in four levels²:
The first level, basic, or syntactic, contracts, is required sim-
² This classification refers to level 2 contracts as behavioral contracts. When we use the same name in the rest of the document we actually mean level 4 contracts. The reader should be aware that from now on, when we refer to behavioral contracts we are not restricted to sequential systems and mean level 4 contracts.
tracts, improves the level of confidence in a sequential context. The third level, synchronization contracts, improves confidence in distributed or concurrency contexts. The fourth level, quality-of-service contracts, quantifies quality of service and is usually negotiable.
2.1.1 Contract Models
There exist a number of contract models for services. The business process standard ebXML [25] describes a Collaboration Protocol Agreement as a contract between business partners that specifies the behavior of each service (by simply stating its role) and how information exchanges are to be encoded. IBM's Web Service Level Agreement (WSLA [60]) is an XML specification of performance constraints associated with the provision of a web service. It defines the sources of monitoring data, a set of metrics (i.e. functions) to be evaluated on the data, and obligations on the signatories to maintain the metric values within certain ranges. The set of predefined metrics and the structure of WSLA contracts are designed for services involving job submissions in a grid computing environment. The later WS-Agreement [59], a Global Grid Forum recommendation that has not reached the standard status yet, is based on WSLA, but adapted to more recent web-services standards, e.g. WS-Addressing and WS-Resource Framework. WS-Agreement is also parametric on the language used to specify the metrics; but it must be an XML dialect.
A number of problems have previously been identified for these standards and specifications: They are restricted to bilateral contracts, lack formal semantics (and therefore it is difficult to reason about them), their treatment of functional behavior is rather limited and the sub-languages used to specify QoS and security constraints are usually limited to small application-specific domains.
In order to remedy the situation the research community has produced contract taxonomies [1, 13, 54], formalizations using logics (e.g. classical [22], modal [21], deontic [46] and defeasible logic [31]) and formalization based on models of computation (e.g. finite state machines [16] and Petri Nets [20]). The diversity of contract types, their applications and properties poses a serious challenge to the definition of a generic contract model. This, however, has been identified as a major precondition for the advancement of the area [15].
In a setup for contract-enhanced service provision, providers are expected to make service descriptions available for consumers to discover and choose among them. The description takes the form of a proto-contract, or template, setting the basis for negotiating the provision of the service. Specifications like ebXML and WS-Agreement define sub-languages for such contract templates, though they are usually attached to a very specific negotiation model. There is, however, a large body of research on contract negotiation protocols under different threat models, particularly in the area of agent-based systems [6, 48, 35].
2.1.3 Monitoring
Monitoring presents an important list of challenges. First, monitoring data (including execution events and samplings of continuous processes) needs to be collected in a timely, reliable and trustworthy manner. A set of collaborating Internet services forms a distributed system, and so must be the monitoring subsystem itself, with the consequent difficulties regarding coordination and dependability. Moreover, monitors are usually weaved into the application code by specialists (not by ordinary programmers), creating complex dependencies that seriously affect the software development process.
2.1.4 Quality of Service
According to the ARTIST road-map [15], quality of service is a function mapping a given system instance with its full behavior onto some [quantitative] scale. Typical QoS measures for web services include average response time, minimum communication bandwidth and peak CPU usage. Contract languages like WSLA and WS-Agreement permit specification of QoS constraints for web services. QoS measures usually depend on the behavior of the environment as well as of the service, thus models tend to have a stochastic nature, although this is not really necessary for monitoring purposes.
Typically, contract languages for QoS of Internet services consist of three main sub-languages. Their purpose is to specify:
1. The QoS measures (i.e. functions) including their domains;
2. A mapping between elements in the execution model (e.g. observable events) and the domains of QoS measures; and
3. The constraints on QoS measurements (i.e. the obligations).
cept of QoS measure. However, realistic contracts are not easily modeled as a set of functions. Instead, they are built upon the fundamental concept of obligation, to which other concepts (like QoS measures) become accessory. For instance, the fulfillment or violation of an obligation may trigger other obligations. Function-based approaches need then to encode obligation performances as elements in the domains of QoS measures.
The inclusion of time scales into these domains also complicates the design in ways we consider unnecessary. For example, WSLA and WS-Agreement use the concept of time series to define time points where measurements need to be collected and then aggregated.
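
The three sub-languages listed above, together with the observation that a violated obligation may trigger another obligation, can be seen in a small runtime monitor. This is an added example, not code from the report or from WSLA/WS-Agreement; the event names, the 1000 ms bound, the three-sample window and the follow-up "issue-credit" obligation are assumptions made for illustration, and the traces are constructed.

```python
"""Runtime monitor for a toy QoS contract (illustrative; all names are hypothetical)."""

# (1) QoS measure: a function over samples from its domain (response times in ms).
def average(samples):
    return sum(samples) / len(samples)

# (2) Mapping from observable execution events to the domain of the measure:
#     a request/response pair with the same id yields one response-time sample.
def to_sample(event, started):
    ts, kind, rid = event
    if kind == "request":
        started[rid] = ts
    elif kind == "response" and rid in started:
        return ts - started.pop(rid)
    return None

# (3) Constraints (obligations). The primary obligation bounds the measure; its
#     violation triggers a secondary obligation on the provider, with a deadline.
CONTRACT = {
    "window": 3,                 # the measure is taken over the last 3 samples
    "bound_ms": 1000,            # obligation: average response time <= 1000 ms
    "credit_deadline_ms": 2000,  # triggered obligation: "credit" event within 2000 ms
}

def monitor(trace, contract=CONTRACT):
    """Return a list of (timestamp_ms, obligation, status) verdicts for the trace."""
    started, samples, verdicts = {}, [], []
    credit_due = None  # deadline of the triggered obligation, if one is active
    for event in trace:
        ts, kind, _ = event
        # A deadline that passed before this event means the triggered obligation failed.
        if credit_due is not None and ts > credit_due:
            verdicts.append((credit_due, "issue-credit", "violated"))
            credit_due = None
        if kind == "credit":
            if credit_due is not None:
                verdicts.append((ts, "issue-credit", "fulfilled"))
                credit_due = None
            continue
        sample = to_sample(event, started)
        if sample is None:
            continue
        samples.append(sample)
        value = average(samples[-contract["window"]:])
        # Open a follow-up obligation only if none is already pending.
        if value > contract["bound_ms"] and credit_due is None:
            verdicts.append((ts, "avg-response-time", "violated"))
            credit_due = ts + contract["credit_deadline_ms"]
    if credit_due is not None:
        verdicts.append((credit_due, "issue-credit", "pending"))
    return verdicts

# Constructed traces: (timestamp in ms, event kind, request id or None).
BASE = [
    (0, "request", 1), (400, "response", 1),
    (1000, "request", 2), (1300, "response", 2),
    (2000, "request", 3), (4500, "response", 3),   # slow reply: 2500 ms
    (5000, "request", 4), (5200, "response", 4),
]
TRACE_CREDIT_IN_TIME = BASE + [(6000, "credit", None)]
TRACE_CREDIT_LATE = BASE + [(7000, "credit", None)]

if __name__ == "__main__":
    for name, trace in [("in time", TRACE_CREDIT_IN_TIME), ("late", TRACE_CREDIT_LATE)]:
        print(name, monitor(trace))
```

The monitor keeps obligation state (the pending deadline) separate from the measure, which is the point the text makes: the measure is accessory to the obligation, not the other way round.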
2.1.5 Information Flow
Information flow concerns issues like confidentiality and integrity of information. Contract languages for security (e.g. [8]) do not usually address information flow, putting the stress instead on access control. Regarding enforcement of information flow, there are certainly static solutions; but, in fact, we are not aware of any that use runtime methods. The static approach usually comes in the shape of a type-system to enforce noninterference [50], where the idea is to prevent all flow of information from the domain of secrets to the public-domain. It has been noted however that noninterference is unsuitable in most real-life situations. There, an application is expected to declassify some well-defined piece of information, thus creating the need to admit some flows of secret information to the public-domain. Type systems that try to accommodate declassification, e.g. [43], soon suffer from the so-called label creeping problem: A security type system, which associates a classification (or security label) to each piece of data, necessarily describes an abstraction of a set of values, possibly losing precision every time the value participates in a computation. The accumulation of these losses results in type systems that, in order to remain secure, reject too many secure systems [19].
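
Label creeping can be reproduced with a very small checker. The following is an added example, not taken from the report or from the cited type systems: a two-level label lattice over a toy straight-line language (the language, the variable names pub, secret and out, and the sample programs are all assumptions), compared against a brute-force noninterference check on a small constructed input domain.

```python
"""Label creeping in a toy security type system (illustrative; names are hypothetical)."""
import operator

LOW, HIGH = 0, 1  # two-point security lattice, join = max
OPS = {"+": operator.add, "-": operator.sub, "*": operator.mul}

# Expressions: ("const", n) | ("var", name) | ("op", symbol, left, right)
def label_of(expr, labels):
    """Static label: the join of the labels of everything the expression mentions."""
    if expr[0] == "const":
        return LOW
    if expr[0] == "var":
        return labels[expr[1]]
    _, _, left, right = expr
    return max(label_of(left, labels), label_of(right, labels))

def evaluate(expr, env):
    if expr[0] == "const":
        return expr[1]
    if expr[0] == "var":
        return env[expr[1]]
    _, symbol, left, right = expr
    return OPS[symbol](evaluate(left, env), evaluate(right, env))

def type_check(program, input_labels, sink="out"):
    """Accept only if the value written to the public sink is labelled LOW."""
    labels = dict(input_labels)
    for target, expr in program:
        labels[target] = label_of(expr, labels)
    return labels[sink] == LOW

def run(program, inputs, sink="out"):
    env = dict(inputs)
    for target, expr in program:
        env[target] = evaluate(expr, env)
    return env[sink]

def noninterferent(program, low_values, secret_values, sink="out"):
    """Brute-force check on a small domain: for each public input, the public
    output must be the same for every value of the secret."""
    return all(
        len({run(program, {"pub": p, "secret": s}, sink) for s in secret_values}) == 1
        for p in low_values
    )

INPUT_LABELS = {"pub": LOW, "secret": HIGH}

def var(name):
    return ("var", name)

# Constructed programs: straight-line assignments ending in the public sink "out".
CLEAN = [("out", ("op", "*", var("pub"), ("const", 2)))]
LEAKY = [("out", ("op", "+", var("pub"), var("secret")))]
# 'mask' is always 0, but its label is HIGH and sticks to everything computed
# from it, so the checker rejects a program that leaks nothing.
CREEP = [
    ("mask", ("op", "-", var("secret"), var("secret"))),
    ("scaled", ("op", "*", var("mask"), ("const", 7))),
    ("out", ("op", "+", var("pub"), var("scaled"))),
]

def report():
    """Map program name -> (accepted by type checker, actually noninterferent)."""
    domain = range(-3, 4)
    return {
        name: (type_check(prog, INPUT_LABELS), noninterferent(prog, domain, domain))
        for name, prog in [("clean", CLEAN), ("leaky", LEAKY), ("creep", CREEP)]
    }

if __name__ == "__main__":
    print(report())
```

The "creep" entry is the interesting one: the checker rejects it although no secret reaches the sink, which is the loss of precision the paragraph describes.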
On the other side, it is well-known that information flow properties are actually not safety properties (in fact, they do not even qualify as properties in the Alpern-Schneider classification [5]). Therefore, runtime approaches are generally considered inappropriate, since they are naturally associated with the enforcement of safety properties.
Recent results by Hamlen et al. [42] and by Ligatti et al. [36] hint at the potential of code rewriting techniques as a framework to accommodate several enforcement mechanisms. There is a profusion of work on code rewriting techniques (see [57, 56] for two thorough surveys) with applications ranging
reverse engineering. However, not much research has been devoted to study code rewriting for policy enforcement. A remarkable exception is [42] where it is shown that RW-enforceable policies (i.e. policies enforceable using code rewriting) strictly include those enforceable using reference monitors and/or static analysis. These results provide strong evidence that approximations of information flow properties may be RW-enforceable, i.e. policies that can be enforced using code rewriting, cf. the Secret File Policy example [42] and [29].
3 Programming languages and SOA
Current programming language abstractions are not good enough for SOA, much less for web-service development. The industry develops web-services using the object-oriented programming (OOP) paradigm which maps badly to document-based communication, i.e. SOAP-transported XML documents, required by web-services [39]. Besides, many current production OOP languages (e.g. Java and C#) are based on the shared-state model of concurrency so they do not handle concurrency and message passing particularly well. Another criticism of OOP concerns the possibility of reusability. Object-orientation provides two distinct mechanisms for composing concerns: aggregation and inheritance. Some examples show [4] that reusing components through aggregation and inheritance mechanisms may not be successful when the objects implement concerns like history information, multiple views and synchronization. OOP needs therefore better abstraction mechanisms.
The Creol project [18] has been addressing many of the objections to object-orientation. Essentially, a Creol program consists of concurrent objects communicating asynchronously and with internal process control. By means of mechanisms for conditional processor release points, passive waiting, and time-out [33, 34], explicit synchronization primitives are not needed in the language. An abstract representation of the Creol architecture is shown in Fig. 2. Compared to for instance Polyphonic C#, Creol has a simpler set of communication primitives using the concept of asynchronous method call. By staying within the method paradigm, inheritance and overloading are unproblematic. Creol allows multiple inheritance, which is not supported by Java, Polyphonic C#, nor join calculus based languages. Instead of the standard AOP mechanisms, which hinder program reasoning, Creol offers a synchronized merge operator which may be seen as a high-level AOP-like construct, and effectively reduces the problems related to the so-called inheritance anomaly [37], while allowing reasoning.
Figure 2: The Creol Architecture. For each object O_i: I_i,j are its interfaces and q_i its message queue. N is the network.
XML documents are not yet integrated in the Creol language; however, one may easily model an abstraction of XML documents in Creol, using Creol's data types, which include inductively defined data types and a functional sub-language (similar to, for instance, Haskell). Since all messages and immutable values are defined by data types in Creol, it is not natural to define XML documents by the class mechanism, as would be the option in most other object-oriented languages.
4 Research directions
The main problems and open issues identified for supporting web services development include:
• Formal definition of generic contracts. Currently, there is no unified formal definition of contracts (in particular for QoS and confidentiality).
• Negotiable and monitorable contracts. Contracts must be negotiated till both parts agree on their final form and they must be monitorable in the sense that there must be a way to detect violations.
• Language-based support for contracts. In the literature (e.g., [39]) it has been identified that the following three areas must have a language-based support: (a) data-access, (b) concurrency and (c) security. A fourth area has to be considered: (d) contracts; currently, no existing programming language supports negotiable and monitorable contracts.
• Combination of object-orientation and concurrency models based on asynchronous message-passing. The shared-state based concurrency model is not suitable for web service development.
• Integration of XML into a host language. There is a big mismatch between XML and object data-models.
• Harmonious coexistence at the language level of real-time and inheritance mechanisms.
• Verification of contract properties. The integration of contracts in a programming language should be accompanied by good support for proving/guaranteeing essential contract properties. Guaranteeing the non-violation of contracts might be done in (at least) four different ways: 1. enforcement at runtime, through monitors, for instance; 2. by construction, e.g. through low-level language mechanisms; 3. static analysis with standard program analysis techniques; or 4. model checking. None of the above can be used as a generic, universal tool for inferring all the properties of contracts. Different approaches must be used for different properties.
Addressing these issues and problems, we need to develop a model of contracts in a SOA that is broad enough to cater for at least contracts for QoS and confidentiality. A minimum requirement is the ability to seamlessly combine real-time models (for QoS specification) and behavioral models (essential to constrain protocol implementation and to enforce confidentiality). Contract models should also address discovery and negotiation. Regarding confidentiality, it seems that more experiments with RW-enforceable policies
aged. The objective should be to develop practical and efficient methods to enforce information flow properties of realistic code, including cryptographic protocol implementations.
Yet, the formal definition of contracts should be only a first step towards a more ambitious task, namely a language-based support for programming and effectively using such contracts. Some contracts may be seen as a wrapper which envelops the code/object under the scope of the contract. Firewalls, for instance, may be seen as a kind of contract between the machine and the external applications wanting to run on that machine. It could be interesting to investigate a language primitive to create wrapped objects which are correct-by-construction. Firewalls may then be implemented in this way. On the other hand, contracts for QoS and confidentiality could be modeled as first-class entities using a behavioral approach, through interfaces. In order to tackle timed constraints (related to QoS) such interfaces need also to incorporate time. As clearly exposed in the ARTIST road-map [15], finding languages or notations for describing timing behaviors and timing requirements is easy; the real challenges are in analysis, i.e. to check that the requirements are guaranteed. So, besides the syntactic extensions mentioned above, the language needs to have timing semantic extensions in order to allow extraction of a timed model, e.g. a timed automaton. It may be checked with existing tools, e.g., Kronos [61] and Uppaal [11]. Model checking tools will help to prove real-time properties, like guaranteeing that a given promise service will, for instance, satisfy its response-time constraint. Other properties may, instead, be proved to be correct-by-construction (e.g. wrappers, as mentioned above).
In practice, many properties cannot be proved correct using correct-by-construction or model checking techniques. In such cases only a runtime approach may be used. It seems that a promising direction is to develop techniques for constructing runtime monitors from contracts. In this case, monitors will be used to enforce the non-violation of contracts.
5 A specific proposal
We believe object-orientation is still a good paradigm for modeling open distributed systems. The main problems with object-orientation come from language design and implementation decisions, not from its original philosophy. The Creol project has addressed many of these problems. Creol has a formal semantics defined in rewriting logic [40] and implemented in Maude [38], and supports compositional program reasoning. In addition, the dynamic class construct of Creol is well suited for dynamic reconfiguration and maintenance of services in large networks. In its current state, Creol has basic constructs that are suitable for programming the Internet in an object-oriented manner. Since its operational semantics is executable in the Maude tool, a language interpreter is readily available. In addition, the various Maude commands for model checking and exhaustive search are available for Creol programs.
Figure 3: The Extended Creol Architecture
By using Creol and its definition in rewriting logic as our framework, we propose the following:
• Formalization of contracts (for confidentiality and QoS) using a timing extension of rewriting logic.
• Use of the meta-level capabilities of rewriting logic to specify contract negotiation protocols.
• Syntactic extension of Creol to include contracts as interfaces.
• Integration of XML in Creol.
• Syntactic and semantic extension of Creol aiming at extracting timed models amenable to model checking.
• Analysis of the timed models using current model checking tools.
• Runtime monitoring of contracts.
Below we explain the items above in more detail.
Regarding the formal definition of contracts, many formalisms may be used, but we believe such a generic model can be described harmoniously using real-time extensions of rewriting logic [62]. This is in line with recent investigations in the use of rule languages to model contracts [32, 45]. While these rule-based languages are essentially ad-hoc, we expect to profit from the existing large body of research in rewriting logics.
The rule-based approach promoted by the research mentioned above brings along new challenges in the definition of appropriate negotiation schemes [49, 9, 47]. Here again, rewriting logic can give invaluable help. Its reflection and meta-level computation properties may help define and structure the negotiation protocol.
After defining contracts with suitable negotiation protocols in a solid formal theory, we would like to concentrate on Creol extensions. By defining interfaces on components consisting of a collection of objects, we develop a notion of contract for such interfaces that integrates the main expressive power of composition filters. In addition, the implementation of rewriting logic by the Maude tool enables rapid prototyping and evaluation of alternative designs, which is essential for finding practically useful solutions. The analysis tools of Maude will be valuable when assessing their properties. The interface concept of Creol is oriented towards specification of observable behavior, expressed by means of the interaction history, i.e. the sequence of all (visible) messages to or from an object.
A full integration of XML documents in Creol would require an extension of the language. In particular, the use of regular expressions should be integrated in the functional sub-language, to allow flexible retrieval.
When adding real-time, Creol interfaces may be used to specify static and dynamic contracts. Furthermore, semantics extensions of Creol are needed in order to extract a timed automaton amenable to be model checked.
Another interesting extension of Creol would be to augment the interface syntax with mechanisms for specifying dynamic contract monitoring. Moreover, the executable operational semantics of Creol could be used to test the approach in situations where formal verification is practically impossible
well be used for monitoring without affecting the application code.
The proposed extended Creol architecture is shown in Fig. 3. Comparing with Fig. 2, the extension consists of wrappers enveloping sets of objects, possibly of different classes and communicating through their own local networks (LN and LN′). The access from outside the wrapper will be regulated by the wrapper interface W. Contracts will be defined both at local (object) interfaces as well as at wrapper interfaces.
6 Conclusion
The web is mostly used nowadays for retrieving remote information, but there is a high demand for more challenging applications that offer, negotiate and discover web services through XML interfaces. This new direction requires redesigning software architectures and revising the existing foundations of computer science. Software Engineering deals with the first aspect while the second one is concerned with models of computation involving expressiveness results, verification and security [41].
Moreover, in order to make collaboration a reality among different web-services, the formal definition of monitorable and negotiable contracts has become an imperative.
In this paper we have surveyed main current approaches to program web-services and the features of state-of-the-art programming languages used. We have identified some problems and open issues of current approaches (see Section 4) and we have proposed general research directions and a particular road-map based on Creol (Section 5).
The next natural step is to map the expected results into real languages. One possibility would be to translate Creol programs into existing web-services languages. However, this approach does not seem realistic, mainly because the currently available target languages are far from being suitable for such an ambitious task. In our opinion the right approach would be to develop a contract-based language from scratch, capitalizing on the Creol experience.
References
[1] J. Aagedal. Quality of Service Support in Development of Distributed Systems. PhD thesis, Dept. of Informatics, University of Oslo, 2001.
database integration model: The composition-filters approach. In ECOOP '92: Proceedings of the European Conference on Object-Oriented Programming, pages 372-395, London, UK, 1992. Springer-Verlag.
[3] M. Aksit, J. Bosch, W. van der Sterren, and L. Bergmans. Real-time specification inheritance anomalies and real-time filters. Lecture Notes in Computer Science, 821:386-??, 1994.
[4] M. Aksit and B. Tekinerdogan. Solving the modeling problems of object-oriented languages by composing multiple aspects using composition filters, 1998.
[5] B. Alpern and F. B. Schneider. Defining liveness. Information Processing Letters, 21(4):181-185, Oct. 1985.
[6] J. M. Andreoli and S. Castellani. Towards a Flexible Middleware Negotiation Facility for Distributed Components. In DEXA '01: 12th International Workshop on Database and Expert Systems Applications, page 732. IEEE Computer Society, 2001.
[7] I. Assayad, V. Bertin, F.-X. Defaut, P. Gerner, O. Quevreux, and S. Yovine. Jahuel: A formal framework for software synthesis. In ICFEM, LNC, 2005. To appear.
[8] J. S. B. de Win, F. Piessens and W. Joosen. Towards a Unifying View on Security Contracts. In Software Engineering for Secure Systems - Building Trustworthy Applications (SESS'05). ACM, 2005.
[9] C. Bartolini, C. Preist, and N. R. Jennings. A Generic Software Framework for Automated Negotiation. Technical Report HPL-2002-2, HP Laboratories Bristol, Jan. 2002.
[10] C. Becker and K. Geihs. Quality of Service and Object-Oriented Middleware-Multiple Concerns and their Separation. In 21st International Conference on Distributed Computing Systems Workshops (ICDCSW '01), 2001.
[11] J. Bengtsson, K. Larsen, F. Larsson, P. Pettersson, and W. Yi. Uppaal - a Tool Suite for Automatic Verification of Real-Time Systems. In Proc. of Workshop on Verification and Control of Hybrid Systems III, number 1066 in LNCS, pages 232-243. Springer-Verlag, October 1995.
composition filters. Commun. ACM, 44(10):51-57, 2001.
[13] A. Beugnard, J.-M. Jézéquel, and N. Plouzeau. Making components contract aware. IEEE Computer, 32(7):38-45, 1999.
[14] G. Bierman, E. Meijer, and W. Schulte. The essence of data access in Cω. In European Conference on Object-Oriented Programming, 2005.
[15] B. Bouyssounouse and J. Sifakis, editors. Embedded System Design: The ARTIST Roadmap for Research and Development, volume 3436 of Lecture Notes in Computer Science. Springer-Verlag, 2005.
[16] E. S. C. Molina-Jimenez, S. Shrivastava and J. Warne. Run-time Monitoring and Enforcement of Electronic Contracts. Electronic Commerce Research and Applications, 3(2), 2004.
[17] D. Cooney, M. Dumas, and P. Roe. A programming language for web service development. In CRPIT '38: Proceedings of the Twenty-eighth Australasian conference on Computer Science, pages 143-150, Darlinghurst, Australia, Australia, 2005. Australian Computer Society, Inc.
[18] Creol Homepage. http://www.ifi.uio.no/~creol/.
[19] M. Dam and P. Giambiagi. SPC 01-4025 Mobile Language Study, Final Technical Report. Technical report, EOARD, 2003. http://www.sics.se/~pgiamb/Publications/eoard-TR2003.ps.gz.
[20] A. Daskalopulu. Model Checking Contractual Protocols. In L. Breuker and Winkels, editors, Legal Knowledge and Information Systems, JURIX 2000: The 13th Annual Conference, Frontiers in Artificial Intelligence and Applications Series, pages 35-47. IOS Press, 2000.
[21℄ A. Daskalopulu and T. S. E. Maibaum. Towards Eletroni Contrat
Performane. In Legal Information Systems Appliations,12th Interna-
tional Conferene and Workshop on Database and Expert Systems Ap-
pliations ,pages 771777.IEEE C.S. Press, 2001.
[22℄ H. Davulu, M. Kifer, and I. V. Ramakrishnan. CTR-S: A Logi
for Speifying Contrats in Semanti Web Servies. In Proeedings of
WWW2004 , pages144153, May 2004.
[23℄ G. Diaz, J.-J. Pardo, M. E. Cambronero, V. Valero, and F. Cuartero.
AutomatitranslationofWS-CDL horeograestotimed automata. In
Methods (WS-FM 2005) ,September2005.
[24℄ G. Diaz, J.-J. Pardo, M. E. Cambronero, V. Valero, and F. Cuartero.
Veriation of web servies with timedautomata. In Proeedings of 1st
International Workshopon Automated Speiation And Veriation of
Web,Marh 2005.
[25℄ ebXML: Eletroni Business using eXtensibleMarkup Language. www.
ebxml.or g.
[26℄ R.E.Filman,T.Elrad,S.Clarke,andM.Ak³it,editors.Aspet-Oriented
Software Development . Addison-Wesley,Boston, 2005.
[27℄ D. Floresu, A. Grünhagen, and D. Kossman. XL: An XML program-
ming language for web servie speiation and omposition. In Pro.
TheEleventhInt'lWorldWideWebConferene,pages6576,May2002.
[28℄ D. Floresu, A.Grünhagen, and D. Kossman. XL: A platform for Web
servies. In Conferene on Innovative Data Systems Researh (CIDR),
2003.
[29℄ P. Giambiagi. Controlled Delassiation of Information. PhD thesis,
Royal Tehnial University, Stokholm, Sweden, In preparation2005.
[30℄ P. Giambiagi and M. Dam. On the Seure Implementation of Seurity
Protools. Siene of Computing Programming , 50:7399, 2004.
[31℄ G. Governatori. Representing business ontrats in RuleML. Interna-
tional Journal of Cooperative Information Systems, 14:181216,2005.
[32℄ B. Grosofand T. Poon. Representing Agent Contrats withExeptions
using XML Rules, Ontologies, and Proess Desriptions. In RuleML,
2002.
[33℄ E. B.Johnsen andO.Owe. Anasynhronous ommuniationmodel for
distributedonurrentobjets. InPro.2nd Intl.Conf. onSoftwareEn-
gineering and Formal Methods (SEFM'04), pages 188197.IEEE Com-
puter Soiety Press, Sept. 2004.
[34℄ E. B. Johnsen and O. Owe. Objet-oriented speiation and open
distributed systems. In O. Owe, S. Krogdahl, and T. Lyhe, editors,
From Objet-OrientationtoFormalMethods: Essaysin Memoryof Ole-
Johan Dahl , volume 2635 of Leture Notes in Computer Siene, pages
137164. Springer-Verlag,2004.
Environments. Leture Notes in Artiial Intelligene,2086:150, 2001.
[36℄ J.Ligatti,L.Bauer, andD.Walker. Editautomata: Enforementmeh-
anisms forrun-timeseurity poliies. International Journal of Informa-
tion Seurity , 4(12):216, Feb. 2005.
[37℄ S. Matsuoka and A. Yonezawa. Analysis of inheritane anomaly in
objet-oriented onurrent programminglanguages. Researh diretions
in onurrent objet-oriented programming, pages 107150,1993.
[38℄ Maude System. http://m aude.s.uiu.edu/.
[39℄ E. Meijer, W. Shulte, and G. Bierman. Programming with irles,
triangles and retangles. In Proeedingsof the XML Conferene,2003.
[40℄ J. Meseguer. Researh diretions in rewriting logi. In Computational
Logi,volume165ofLetureNotesinComputerSiene,Marktoberdorf,
Germany, 1997. NATO Advaned Study Institute,Springer-Verlag.
[41℄ U. Montanari. Web servies andmodels ofomputation. InFirst Inter-
national Workshop on Web Servies and Formal Methods, volume 105
of Eletroni Notes in Computer Siene. Elsevier, 2004.
[42℄ G.Morrisett,F.B.Shneider,andK.Hamlen.Computabilitylassesfor
enforement mehanisms. Tehnial Report 2003-1908,Cornell,2003.
[43℄ A. C. Myers. JFlow: Pratial mostly-stati information ow ontrol.
InProeedingsofthe26thPOPL,pages228241,SanAntonio,TX,Jan.
1999. ACM.
[44℄ M.P.Papazoglou. Servie-OrientedComputing: Conepts,Charateris-
tisandDiretions.In4thInternationalConfereneonWebInformation
Systems Engineering (WISE). IEEE CS, 2003.
[45℄ A. Pashke, M.Bihler, and J.Dietrih. ContratLog: An Approah to
Rule BasedMonitoring and Exeution of Servie Level Agreements. In
RuleML, 2005.
[46℄ A.Pashke ,J.Dietrih,andK.Kuhla. ALogiBasedSLAManagement
Framework. In 4th Semanti Web Conferene (ISWC 2005) , 2005.
[47℄ A. Pashke,C. Kiss, and S.Al-Hunaty. APatternLanguage for Deen-
tralized Coordination and Negotiation Protools. In EEE, pages 404
407, 2005.
trats. In DEXA '03: 14th International Workshop on Database and
Expert Systems Appliations , page 829. IEEE Computer Soiety,2003.
[49℄ D.M.Reeves,M.P.Wellman,andB.N.Grosof. Automatednegotiation
from delarativeontrat desriptions. InAGENTS '01: Proeedings of
the fth international onferene on Autonomous agents, pages 5158.
ACM Press, 2001.
[50℄ A. Sabelfeldand D. Sands. A PERmodel of seure informationowin
sequential programs. Higher-Order and Symboli Computation, 14(1),
2001.
[51℄ Simple Objet Aess Protool (SOAP). http://w ww.w3.org/TR/
soap/.
[52℄ C. Szyperski. Component tehnology - what, where, and how? In Pro-
eedings of the 25th International Conferene on Software Engineering
(ICSE), pages684693. IEEE,2003.
[53℄ A. Tesanovi, D. Nyström, J. Hansson, and C. Norström. Aspets and
omponents in real-time system development: Towards reongurable
and reusable software. Journal of Embedded Computing , 1(1), 22004.
[54℄ V. Tosi. On Comprehensive ContratualDesriptions of Web Servies.
In IEEE International Conferene on e-Tehnology, e-Commere, and
e-Servie,pages 444449. IEEE,2005.
[55℄ S.L.Tsang,S.Clarke,andE.L.A.Baniassad. Anevaluationofaspet-
orientedprogrammingforjava-basedreal-timesystems development. In
ISORC, pages 291300,2004.
[56℄ E. Visser. A survey of rewriting strategies in program transformation
systems. Eletroni Notes in Theoretial Computer Siene, 57, 2001.
[57℄ E. Visser. A survey of strategies inrule-based programtransformation
systems, Marh 2004. (Draft).
[58℄ WSA. Web ServiesArhiteture. W3C WorkingGroup Note, www.w3.
org/TR/w s-arh/, Feb 2004.
[59℄ Web Servies Agreement Speiation (WS-Agreement).
https:// forge.gridforum.org/projets/graap-wg/doument/
WS-Agree mentSpeifiation/en/7.
[61℄ S. Yovine. Kronos: A veriation tool for real-time systems. Interna-
tional Journal of Software Tools for Tehnology Transfer, 1(1/2):123
133, Otober1997.
[62℄ P. Ölvezky. Speiation of real-timeand hybrid systems in rewriting
logi. Theoretial Computer Siene,285, 2002.