Semantics & Verification Research Group Department of Computer Science University of Malta 2008 Runtime Verification of Contracts for Java Programs Christian Colombo Gordon J. Pace Gerardo Schneider FLACOS - November 2008
Semantics & Verification Research Group Department of Computer Science University of Malta RV & Contracts In SOA we are concerned with security and trust. Model checking is not scalable. Testing lacks coverage. Particular behaviour only emerges during normal use of service composition. Runtime verification monitors the behaviour during runtime, scales up. Real-time properties / overheads. Contracts may have conflicts.
Semantics & Verification Research Group Department of Computer Science University of Malta Runtime Verification Specification
Semantics & Verification Research Group Department of Computer Science University of Malta Runtime Verification Contracts
Semantics & Verification Research Group Department of Computer Science University of Malta Runtime Verification Deontic Contracts Deontic Contracts
Semantics & Verification Research Group Department of Computer Science University of Malta Dynamic Automata with Timers & Events (DATE) Communicating symbolic automata enriched with events and timers. Automata are automatically replicated according to context: hence dynamic. Supports: Conditions and actions on transitions Real-time Communication between automata
Semantics & Verification Research Group Department of Computer Science University of Malta An Example (1)
Semantics & Verification Research Group Department of Computer Science University of Malta An Example (2)
Semantics & Verification Research Group Department of Computer Science University of Malta LARVA - Architecture AspectJ Matching method names AspectJ Matching method names USER
Semantics & Verification Research Group Department of Computer Science University of Malta Contract Language Example
Semantics & Verification Research Group Department of Computer Science University of Malta Contract Language to Automata
Semantics & Verification Research Group Department of Computer Science University of Malta Contract Language to LARVA EVENTS { login = {*.login()} logout= {*.logout()} request= {*.requestItem()} } PROPERTY clcontract { STATES { BAD { V } NORMAL { S1 S2 } STARTING { Init } } TRANSITIONS { Init -> S1 [login] Init -> V [request] Init -> S2 [logout] S1 -> S1 [login] S1 -> S1 [request] S1 -> S2 [logout] S2 -> S2 [logout] S2 -> V [request] S2 -> S1 [login] }
Semantics & Verification Research Group Department of Computer Science University of Malta Contradictions in Contracts O(request) request Contradiction Detected!
Semantics & Verification Research Group Department of Computer Science University of Malta Ongoing Work Working closely with industry Guarantees on the effect of monitoring – memory and time Identifying better notations Investigating compensable actions
Semantics & Verification Research Group Department of Computer Science University of Malta Conclusions Mathematical framework – DATE Implemented useable tool – LARVA Highly expressive (incl. real-time) Evolving theory with practical guarantees Can monitor contracts Find contradictions in contracts Future prospects of collaboration and improvement of current framework
Semantics & Verification Research Group Department of Computer Science University of Malta Questions ??
Semantics & Verification Research Group Department of Computer Science University of Malta
Semantics & Verification Research Group Department of Computer Science University of Malta A Scenario – Dynamic Triggers Imagine we need to check login/logout for each user. We have to trigger an automaton for every user, to keep track whether each user is logged in or not. Use method parameters to get context.
Semantics & Verification Research Group Department of Computer Science University of Malta Specifying Properties Intuitive, clear and succinct logic. Understandable and useable by developers. Includes all the required expressive power. Automatically instrumentable in the target system. Low overheads (eg. Determinism)
Semantics & Verification Research Group Department of Computer Science University of Malta Simple Examples Ensuring that only authorised users access reserved areas in the system. Checking that a train gate which started closing has indeed closed after a number of seconds. Monitoring the life-cycle of an object (such as a transaction), ensuring it goes through its stages properly.
Semantics & Verification Research Group Department of Computer Science University of Malta Specifying Context Actions and conditions on transitions can access the context (User). A context can be nested to have a more specific context within it: Eg: Check login for each site of each individual user.
Semantics & Verification Research Group Department of Computer Science University of Malta LARVA - Architecture LARVA EVENTS & PROPERTIES LARVA EVENTS & PROPERTIES USER
Semantics & Verification Research Group Department of Computer Science University of Malta LARVA - Architecture (2) LARVA EVENTS & PROPERTIES LARVA EVENTS & PROPERTIES AspectJ Matching method names AspectJ Matching method names COMPILER
Semantics & Verification Research Group Department of Computer Science University of Malta Recall Scenario Load Site Prompt for PW Good Login PressOK \ checkUserName() PressOK \ checkPassword() \ Goodlogin ! Trigger new automaton FOREACH user PressOK Logged in Logged out Bad logins Logged out ChGoodlogin? Badlogin
Semantics & Verification Research Group Department of Computer Science University of Malta LARVA – Script GLOBAL { FOREACH (User u) { VARIABLES { Channel gl; } EVENTS { goodlogin() = {gl.receive(User u1)} where {u = u1;} pressOK() = {*.pressedOK(u1)} where {u = u1;} badlogin() = {*.loginTry(u1)} where {u = u1;} } PROPERTY one { STATES { BAD { badlogins } NORMAL { loggedout2 loggedout3 loggedin } STARTING { loggedout1 } } TRANSITIONS { loggedout1 -> loggedin [goodlogin] loggedout2 -> loggedin [goodlogin] loggedout3 -> loggedin [goodlogin] loggedout1 -> loggedout2 [badlogin] loggedout2 -> loggedout3 [badlogin] loggedout3 -> badlogins [badlogin] } PROPERTY two { STATES { NORMAL { promptPW goodlogin } STARTING { loadsite } } TRANSITIONS { loadsite -> promptPW [PressOK\checkUserName()] promptPW -> goodlogin [PressOK\checkPassword()\gl.send(u);] promptPW -> loadsite [PressOK] } METHODS { boolean checkUserName(){return true;} boolean checkPassword(){return true;} }
Semantics & Verification Research Group Department of Computer Science University of Malta LARVA - Compilation into Java AOP to capture events. A hierarchy of classes: one for each context. Each class has a reference to its parent context. (E.g. The account context, have access to the user context.) A hashmap to keep track of the distinct objects which we are checking.
Semantics & Verification Research Group Department of Computer Science University of Malta Case-Study (2): Properties Logging of credit card numbers – no risk of exposing sensitive information. Execution of transactions – correct progress through states. Authorisation transaction – transaction consistency. Backlog – retries in case of failure.
Semantics & Verification Research Group Department of Computer Science University of Malta Case-Study (3): - Experience A lot of interesting properties are relatively simple. Intuitive definition of properties. Identified shortcomings of Larva and it was extended. RV helps in clearly identifying requirements. Integration in system life cycle.
Semantics & Verification Research Group Department of Computer Science University of Malta Benchmark – Expressivity
Semantics & Verification Research Group Department of Computer Science University of Malta Benchmark – Performance Dummy transaction processing system (4 properties – 2 real-time) Memory and time required is considerable but linear to the number of objects being monitored (replication of automata). Compares well with Java-MOP which is the most similar work available for usage.
Semantics & Verification Research Group Department of Computer Science University of Malta
Semantics & Verification Research Group Department of Computer Science University of Malta AOP Automatic code weaving using pointcuts and advises. Pointcut: call(* *.*(..)) d.bark(b) && target(d) && args(b) Advise: before, after, around before (Dog d, Bark b): pointcut(d,b){ spotACat(); }
Semantics & Verification Research Group Department of Computer Science University of Malta Other Events Upon return: upon the return of a method (rather than the entry of the method). Upon exception thrown: rather than simple method call, we can trigger the automaton upon an exception throw.
Semantics & Verification Research Group Department of Computer Science University of Malta Other Events (2) Upon exception handling: rather than simple method call, we can trigger the automaton upon the start of a catch block. Clocks: trigger the automaton upon the elapse of an amount of time. Channels: an automaton can trigger another automaton.
Semantics & Verification Research Group Department of Computer Science University of Malta Object Equality What if an object does not implement an equals method? The user can specify which attributes of the object constitute the context. E.g. A transaction is the same as long as it has the same id.
Semantics & Verification Research Group Department of Computer Science University of Malta Invariants What if some attributes of an object should not change? The user can specify these attributes. E.g. A transaction should remain with the same amount once the amount is set.
Semantics & Verification Research Group Department of Computer Science University of Malta Chained Transitions Should we allow transitions to trigger other transitions? This could lead to an infinite loop! So we disable aspects within the aspect code itself. But we allow the user to take the risk with channels...
Semantics & Verification Research Group Department of Computer Science University of Malta Determinism For easier execution of the automaton, we opted for determinism. The user specifies the order of transitions as they are written down in the script file.
Semantics & Verification Research Group Department of Computer Science University of Malta Overhead of Verification (1) Depends on a number of factors: The actions the user puts on transitions. The statements in the where clauses. The amount of objects that the user keeps context of. Very difficult to give an upper-bound because of the amount of freedom we give the user.
Semantics & Verification Research Group Department of Computer Science University of Malta Overhead of Verification (2) But we can guarantee the maximum memory overhead of our system… …given that the user does not add other method calls on transitions. We use Lustre so that the memory can be calculated at compile-time.
Semantics & Verification Research Group Department of Computer Science University of Malta Real-Time Issues Because of the Java Garbage Collection there is a limit to accuracy that we can give. Using Java wait method is quite good within a certain number of milliseconds.
Semantics & Verification Research Group Department of Computer Science University of Malta Real-Time Issues (2) Consider a system which satisfies all its properties. Will the properties still hold if we introduce the monitoring? We provide a fragment of Duration Calculus which is “slow-down invariant”.
Semantics & Verification Research Group Department of Computer Science University of Malta Compiler The Compiler and Parser Manual are available at: christiancolombo.com/academic-masters-tools.html Feel free to use it and give us feedback.
Semantics & Verification Research Group Department of Computer Science University of Malta Nesting – Context within Context FOREACH (User u){ ... FOREACH (Site s) { EVENTS{ Login() = {User u1.login(Site s1)} where {u = u1; s=s1;} } ... }
Semantics & Verification Research Group Department of Computer Science University of Malta Events System Events – method call, method return, exception throw, exception handling. Channel Communication. Clock Timeouts.