Presentation is loading. Please wait.

Presentation is loading. Please wait.

1 UNIVERSITY of PENNSYLVANIAGrigoris Karvounarakis December 04 Verification of Data-Intensive Web Services Grigoris Karvounarakis University of Pennsylvania.

Published byEvelyn Norton Modified over 9 years ago

Similar presentations

Presentation on theme: "1 UNIVERSITY of PENNSYLVANIAGrigoris Karvounarakis December 04 Verification of Data-Intensive Web Services Grigoris Karvounarakis University of Pennsylvania."— Presentation transcript:

1 1 UNIVERSITY of PENNSYLVANIAGrigoris Karvounarakis December 04 Verification of Data-Intensive Web Services Grigoris Karvounarakis University of Pennsylvania presented at: CIS 650 December 17, 2004

2 2 UNIVERSITY of PENNSYLVANIAGrigoris Karvounarakis December 04 CIS 650 Data-Intensive Web Services Web services supported by databases  Large amount of data (e.g., for product catalogs)  Common database features (transactions, concurrency control)  State transitions involve database operations (e.g., queries)  Control flow depends on data values (results of queries) As services become more complex, it is important to be able to verify their correctness automatically.  But verification models/techniques cannot handle programs that involve “external” data in their transitions

3 3 UNIVERSITY of PENNSYLVANIAGrigoris Karvounarakis December 04 CIS 650 The database approach Instead of trying to extend program models to handle interaction with databases, use databases to encode program specifications!  Express state transitions, input/output in a database (high-level, declarative) language  E.g., datalog-like rules  Adding dynamic aspect to databases, reminiscent of active databases

4 4 UNIVERSITY of PENNSYLVANIAGrigoris Karvounarakis December 04 CIS 650 Relevant papers Several papers on this problem in database theory conferences in the last several years:  Relational Transducers for Electronic Commerce: Abiteboul, Vianu, Fordham, Yesha, PODS’98 & JCSS’00  Verification of Relational Transducers for Electronic Commerce: Spielmann, PODS’00 & JCSS’03  Specification and Verification of Data-driven Web Services: Deutsch, Sui, Vianu, PODS’04

5 5 UNIVERSITY of PENNSYLVANIAGrigoris Karvounarakis December 04 CIS 650 Example Online bookstore that allows users to order books, sends them a bill for their order, receives a payment and, if the amount is correct, ships the product

6 6 UNIVERSITY of PENNSYLVANIAGrigoris Karvounarakis December 04 CIS 650 Outline High-level Specification models  Relational Transducers  ASM Transducers  Web Page Schemas Automatic Verification  Past input  FO-LTL  CTL/CTL* Conclusions

7 7 UNIVERSITY of PENNSYLVANIAGrigoris Karvounarakis December 04 CIS 650 Relational transducers Transducers: automata with output  Transition function  Output function Use datalog : rules to express transition and output functions  RHS: Conjunction of (positive or negative) relational atoms  State rules: inflationary, asserted atoms are accumulated  Output rules: non-inflationary, at every step only newly inferred facts are retained

8 8 UNIVERSITY of PENNSYLVANIAGrigoris Karvounarakis December 04 CIS 650 Example Schema Database: price(product,price) Input: order(user,product), pay(user,product,price) Output: sendbill(user,product,price), ship(user,product) State: past-order(user,product) Color code: input state action data

9 9 UNIVERSITY of PENNSYLVANIAGrigoris Karvounarakis December 04 CIS 650 Example Specification State rules:  past-order(U,X) +:- order(U,X) Output rules:  sendbill(U,X,Y) :- order(U,X) Æ price(X,Y) Problem: orders cannot be removed from past-order  We cannot go back to a previous state, i.e., we cannot express loops  The rule above would sendbill again and again for every future step

10 10 UNIVERSITY of PENNSYLVANIAGrigoris Karvounarakis December 04 CIS 650 A way to side-step the problem Database: price(product,price) Input: order(user,product), pay(user,product,price) Output: sendbill(user,product,price), ship(user,product) State: past-order(user,product), past-pay(user,product,price)

11 11 UNIVERSITY of PENNSYLVANIAGrigoris Karvounarakis December 04 CIS 650 Example Specification State rules:  past-order(U,X) +:- order(U,X)  past-pay(U,X,Y) +:- pay(U,X,Y) Output rules:  sendbill(U,X,Y) :- order(U,X) Æ price(X,Y) Æ : past-pay(U,X,Y)  ship(U,X) :- past-order(U,X) Æ price(X,Y) Æ pay(U,X,Y) Æ : past-pay(U,X,Y)

12 12 UNIVERSITY of PENNSYLVANIAGrigoris Karvounarakis December 04 CIS 650 But there are still problems State rules:  past-order(U,X) +:- order(U,X)  past-pay(U,X,Y) +:- pay(U,X,Y) Output rules:  sendbill(U,X,Y) :- order(U,X) Æ price(X,Y) Æ : past-pay(U,X,Y)  ship(U,X) :- past-order(U,X) Æ price(X,Y) Æ pay(U,X,Y) Æ : past-pay(U,X,Y)

13 13 UNIVERSITY of PENNSYLVANIAGrigoris Karvounarakis December 04 CIS 650 But there are still problems State rules:  past-order(U,X) +:- order(U,X)  past-pay(U,X,Y) +:- pay(U,X,Y) Output rules:  sendbill(U,X,Y) :- order(U,X) Æ price(X,Y) Æ : past-pay(U,X,Y)  ship(U,X) :- past-order(U,X) Æ price(X,Y) Æ pay(U,X,Y) Æ : past-pay(U,X,Y) After payment has been received and entered in past-pay, a user cannot buy the same item again (sendbill, ship cannot be fired!)

14 14 UNIVERSITY of PENNSYLVANIAGrigoris Karvounarakis December 04 CIS 650 Solutions? Make X in past-order(U,X)/past-pay(U,X,Y) unique for every different item of a product  Then price(X,Y) would have to contain one tuple for every item in the store inventory! Add unique order id: past-order(U,N,X)/past-pay(U,N,X,Y))  However, the fact that it is unique cannot be expressed in the model (and we would not be able to verify properties that depend on this fact)  e.g., the property that “every time an order is submitted and that book is in stock, then eventually a bill will be sent to the customer” holds for this specification under this assumption, but not without it …

15 15 UNIVERSITY of PENNSYLVANIAGrigoris Karvounarakis December 04 CIS 650 Solution: ASM transducers Allow state rules to delete tuples from state relations  datalog ::  Arbitrary FO on right-hand side of rules State rules:  past-order(U,X) +:- order(U,X)  : past-order(U,X) +:- past-order(U,X) Æ pay(U,X,Y) Æ price(X,Y) Output rules:  sendbill(U,X,Y) :- order(U,X) Æ price(X,Y) Æ : past-order(U,X,Y)  ship(U,X) :- past-order(U,X) Æ price(X,Y) Æ pay(U,X,Y)

16 16 UNIVERSITY of PENNSYLVANIAGrigoris Karvounarakis December 04 CIS 650 Solution: ASM transducers Allow state rules to delete tuples from state relations  datalog ::  Arbitrary FO on right-hand side of rules State rules:  past-order(U,X) +:- order(U,X)  : past-order(U,X) +:- past-order(U,X) Æ pay(U,X,Y) Æ price(X,Y) Output rules:  sendbill(U,X,Y) :- order(U,X) Æ price(X,Y) Æ : past-order(U,X,Y)  ship(U,X) :- past-order(U,X) Æ price(X,Y) Æ pay(U,X,Y) Remove order after payment is received and go back to state before the order was received

17 17 UNIVERSITY of PENNSYLVANIAGrigoris Karvounarakis December 04 CIS 650 Web Page Schemas Observation: web services are usually  Sequence of web pages  User input is usually picked from lists of choices compiled by the system (based on information in the database). Adjust ASM transducer model to handle this:  One ASM transducer per page  Rules for page transitions  Rules to pre-populate input options

18 18 UNIVERSITY of PENNSYLVANIAGrigoris Karvounarakis December 04 CIS 650 Page transitions HOMEPAGE (W 0 ) ORDER PAGE Book 1 Book 2 Book 3 ordercancel PAYMENT PAGE Your bill is: $xx.xx Enter payment amount: pay Welcome to Bookstore.com Find books button(“cancel”) order(X) Æ button(“order”) Æ : past- order(U,X) button(“pay”)

19 19 UNIVERSITY of PENNSYLVANIAGrigoris Karvounarakis December 04 CIS 650 WP schema of example Order Page  Input: order(X), button(X)  Input Rules:  Options order (X) Ã price(X,Y)  Options button (X) Ã X=“order” Ç X=“cancel”  State Rules (this example: one state relation error):  past_order(U,X) +:- order(X) Æ U = user Æ : past_order(U,X)  Target WP: PP, HP  Target Rules:  PP :- order(X) Æ button(“order”) Æ : past_order(U,X)  HP Ã button(“cancel”)  Output rules:  sendbill(U,X,Y) :- order(U,X) Æ U = user Æ button(“order”) Æ price(X,Y) Æ : past_order(U,X)

20 20 UNIVERSITY of PENNSYLVANIAGrigoris Karvounarakis December 04 CIS 650 WP schema of example (cont’d) Payment Page  Input: pay(U,X,Y), button(X)  Input Rules:  Options order (X) Ã price(X,Y)  Options button (X) Ã X=“order” Ç X=“cancel”  State Rules (this example: one state relation error):  past_order(U,X) +:- order(X) Æ U = user Æ : past_order(U,X)  Target WP: PP, HP  Target Rules:  HP :- button(“pay”)  Output rules:  ship(U,X,Y) :- past_order(U,X) Æ pay(U,X,Y) Æ button(“pay”) Æ price(X,Y) Æ 9 Z (credit-limit(U,Z) Æ Z >= Y)

21 21 UNIVERSITY of PENNSYLVANIAGrigoris Karvounarakis December 04 CIS 650 Outline High-level Specification models  Relational Transducers  ASM Transducers  Web Page Schemas Automatic Verification  Past input  FO-LTL  CTL/CTL* Conclusions

22 22 UNIVERSITY of PENNSYLVANIAGrigoris Karvounarakis December 04 CIS 650 Verifying properties about past input Properties of the form: 8 x[φ(state,db,in)(x) ! ψ(state,db,in)(x)] E.g., “Whenever a product is shipped, at some previous step a proper payment has been received” Such properties can be verified on Spocus transducers (in NEXPTIME)  Semi-positive output: every variable appearing in an output rule must occur in at least one positive atom  Cumulative state: state rules can only accumulate previous input

23 23 UNIVERSITY of PENNSYLVANIAGrigoris Karvounarakis December 04 CIS 650 Spocus transducers Cumulative state is a bit too restrictive  Cannot express the following simple machine: because state can only contain past input, and relations are sets (unordered) a a b b c c

24 24 UNIVERSITY of PENNSYLVANIAGrigoris Karvounarakis December 04 CIS 650 Some properties require more expressiveness Cannot express properties like: “if a customer pays for a book, then eventually the book will be shipped to them”

25 25 UNIVERSITY of PENNSYLVANIAGrigoris Karvounarakis December 04 CIS 650 First-Order Linear-time Temporal Logic Temporal operators  Xp: p holds in the next time  pUq: p holds until q holds  Fp: p holds eventually  Gp: p always holds  pBq: either q always holds or p holds before q fails Examples:  if a customer pays for a book, then eventually the book will be shipped to them: 8 u 8 x 8 y[past_order(u,x) Æ price(x,y) Æ pay(u,y) ! F ship(u,x)]  A product must be paid for before it is shipped: 8 u 8 y [pay(u,y) Æ 9 x price(x,y) B : ship(x,y)]

26 26 UNIVERSITY of PENNSYLVANIAGrigoris Karvounarakis December 04 CIS 650 LTL-FO Example Verification is undecidable for ASM transducers: Restrictions:  Maximal input flow  Input-boundedness:  Input rules: 9 *FO with ground state atoms  All other rules: quantification only on variables that are bounded by expressions on (current or last but not further “past”) input relations Given an input bounded Web Service W and an input bounded LTL-FO formula φ, checking W ² φ is in EXPSPACE (PSPACE-complete for fixed schema)

27 27 UNIVERSITY of PENNSYLVANIAGrigoris Karvounarakis December 04 CIS 650 Input-boundedness Not input-bounded formula: 8 u 8 y[pay(u,y) Æ 9 x price(x,y) B : ship(x,y)] Input-bounded formula: 8 u 8 y[last_order(u,x) Æ pay(u,y) Æ 9 x price(x,y) B : ship(x,y)]

28 28 UNIVERSITY of PENNSYLVANIAGrigoris Karvounarakis December 04 CIS 650 Boundaries of decidability Relaxing the requirement that state atoms must be ground in formula defining the input options, by allowing state atoms with variables. Reduction: Does TM halt on input epsilon? Lifting the input-bounded requirement by allowing state projection (i.e., state rules of the form: S(x) :- 9 y S ’ (x,y)). Reduction: Implication for FDs and IDs Allowing variables to be bounded on state relations that hold all past input input (rather than the most recent one). Reduction: Trakhtenbrot ’ s Theorem Extend the LTL-FO formula with path quantification. Reduction: validity of 9 * 8 *FO formulas

29 29 UNIVERSITY of PENNSYLVANIAGrigoris Karvounarakis December 04 CIS 650 Branching-time Temporal Logic CTL (Computation Tree Logic) introduces path quantifiers:  A: ” for every path ”  E: ” there exists a path ” Proposed for Web page schemas (to express properties of transition between pages) Example  From every page (i.e., the target of every path) there always exists a path that eventually reaches HP: A G E F HP

30 30 UNIVERSITY of PENNSYLVANIAGrigoris Karvounarakis December 04 CIS 650 Verification of CTL-FO Input-boundedness is not enough for decidability of CTL-FO verification Further restriction: Propositional input-bounded Web Services  Actions and states are propositional (no data values)  Input rules need not be propositional Propositional CTL formulas  Use input, action, state relation names and WP symbols (viewed as propositions)

31 31 UNIVERSITY of PENNSYLVANIAGrigoris Karvounarakis December 04 CIS 650 Input-bounded propositional CTL-FO Verification of W ² φ for CTL(*) formulas for propositional Web services:  CO-NEXPTIME for CTL  EXPSPACE for CTL* But propositional Web services are not very expressive  Can be viewed as an abstraction  Can express property in previous slide  Cannot express navigational properties that depend on data, e.g.: 8 pid, 8 pr [AG(  (pid,pr) ! A((EF cancel(user,pid))U(ship(user,pid))]

32 32 UNIVERSITY of PENNSYLVANIAGrigoris Karvounarakis December 04 CIS 650 Outline High-level Specification models  Relational Transducers  ASM Transducers  Web Page Schemas Automatic Verification  Past input  FO-LTL  CTL/CTL* Conclusions

33 33 UNIVERSITY of PENNSYLVANIAGrigoris Karvounarakis December 04 CIS 650 Conclusions Spocus transducers are probably too restrictive ASM transducers more appropriate for practical use Interesting properties require temporal operators  Decidable for input-bounded specifications/formulas Navigational properties require further restrictions  Trade-off between more expressiveness of model and of property language  Questionable whether the model for which verification is decidable is expressive enough to represent interesting applications

34 34 UNIVERSITY of PENNSYLVANIAGrigoris Karvounarakis December 04 CIS 650 Conclusions Static analysis is decidable under restrictions, but we need practical verification algorithms to build applications  Heuristics could help in achieving good performance  Attempt to implement real-life applications could uncover more limitations of the models  Performance of algorithms for such applications will determine whether this work can be widely used in practice

35 35 UNIVERSITY of PENNSYLVANIAGrigoris Karvounarakis December 04 CIS 650 Extensions Allow updates in database relations  During runs, or  Sessions: verify properties within a session and allow updates between sessions Interacting Web services  Extend models with communication primitives to model web service composition  Discover important properties for composite web services  Devise appropriate restrictions under which verification of those properties is decidable

Download ppt "1 UNIVERSITY of PENNSYLVANIAGrigoris Karvounarakis December 04 Verification of Data-Intensive Web Services Grigoris Karvounarakis University of Pennsylvania."

Similar presentations

Reliable Scripting Using Push Logic Push Logic David Greaves, Daniel Gordon University of Cambridge Computer Laboratory Reliable Scripting.

Reliable Scripting Using Push Logic Push Logic David Greaves, Daniel Gordon University of Cambridge Computer Laboratory Reliable Scripting.
CS 267: Automated Verification Lecture 8: Automata Theoretic Model Checking Instructor: Tevfik Bultan.

CS 267: Automated Verification Lecture 8: Automata Theoretic Model Checking Instructor: Tevfik Bultan.
Automatic Verification Book: Chapter 6. What is verification? Traditionally, verification means proof of correctness automatic: model checking deductive:

Automatic Verification Book: Chapter 6. What is verification? Traditionally, verification means proof of correctness automatic: model checking deductive:
ECE 667 - Synthesis & Verification - L271 ECE 697B (667) Spring 2006 Synthesis and Verification of Digital Systems Model Checking basics.

ECE Synthesis & Verification - L271 ECE 697B (667) Spring 2006 Synthesis and Verification of Digital Systems Model Checking basics.
Test-Driven Development and Refactoring CPSC 315 – Programming Studio.

Test-Driven Development and Refactoring CPSC 315 – Programming Studio.
SYSTEMS ANALYSIS AND DESIGN TOOLS

SYSTEMS ANALYSIS AND DESIGN TOOLS
Software Failure: Reasons Incorrect, missing, impossible requirements * Requirement validation. Incorrect specification * Specification verification. Faulty.

Software Failure: Reasons Incorrect, missing, impossible requirements * Requirement validation. Incorrect specification * Specification verification. Faulty.
Learning Objectives Explain similarities and differences among algorithms, programs, and heuristic solutions List the five essential properties of an algorithm.

Learning Objectives Explain similarities and differences among algorithms, programs, and heuristic solutions List the five essential properties of an algorithm.
TFACTS Private Provider Financial/Invoicing Overview 1.

TFACTS Private Provider Financial/Invoicing Overview 1.
SAT and Model Checking. Bounded Model Checking (BMC) A.I. Planning problems: can we reach a desired state in k steps? Verification of safety properties:

SAT and Model Checking. Bounded Model Checking (BMC) A.I. Planning problems: can we reach a desired state in k steps? Verification of safety properties:
1 Introduction to Computability Theory Lecture15: Reductions Prof. Amos Israeli.

1 Introduction to Computability Theory Lecture15: Reductions Prof. Amos Israeli.
1 Introduction to Computability Theory Lecture12: Reductions Prof. Amos Israeli.

1 Introduction to Computability Theory Lecture12: Reductions Prof. Amos Israeli.
Constraint Logic Programming Ryan Kinworthy. Overview Introduction Logic Programming LP as a constraint programming language Constraint Logic Programming.

Constraint Logic Programming Ryan Kinworthy. Overview Introduction Logic Programming LP as a constraint programming language Constraint Logic Programming.
CS 290C: Formal Models for Web Software Lecture 10: Language Based Modeling and Analysis of Navigation Errors Instructor: Tevfik Bultan.

CS 290C: Formal Models for Web Software Lecture 10: Language Based Modeling and Analysis of Navigation Errors Instructor: Tevfik Bultan.
1 8. Safe Query Languages Safe program – its semantics can be at least partially computed on any valid database input. Safety is tied to program verification,

1 8. Safe Query Languages Safe program – its semantics can be at least partially computed on any valid database input. Safety is tied to program verification,
Chapter 7: Relational Database Design. ©Silberschatz, Korth and Sudarshan7.2Database System Concepts Chapter 7: Relational Database Design First Normal.

Chapter 7: Relational Database Design. ©Silberschatz, Korth and Sudarshan7.2Database System Concepts Chapter 7: Relational Database Design First Normal.
Lecture 4&5: Model Checking: A quick introduction Professor Aditya Ghose Director, Decision Systems Lab School of IT and Computer Science University of.

Lecture 4&5: Model Checking: A quick introduction Professor Aditya Ghose Director, Decision Systems Lab School of IT and Computer Science University of.
4/25/08Prof. Hilfinger CS164 Lecture 371 Global Optimization Lecture 37 (From notes by R. Bodik & G. Necula)

4/25/08Prof. Hilfinger CS164 Lecture 371 Global Optimization Lecture 37 (From notes by R. Bodik & G. Necula)
Categories of Aspects Shmuel Katz Computer Science Department The Technion Haifa, Israel.

Categories of Aspects Shmuel Katz Computer Science Department The Technion Haifa, Israel.
Review of the automata-theoretic approach to model-checking.

Review of the automata-theoretic approach to model-checking.

Similar presentations

Ads by Google