Workshop presentation given by Niels Lohmann on September 28, 2009 in Brisbane, Australia at the 4th International Workshop on Web Services and Formal Methods (WS-FM 2007).
Analyzing BPEL4Chor: Verification and Participant Synthesis
2. BPEL
Analyzing BPEL4Chor - Verification and Partner Synthesis
designed to describe a service orchestration
… respectively a single service
invoked services’ behaviors are not described
BPEL processes can be automatically analyzed (BPM 2006; project Tools4BPEL)
3. BPEL4Chor
extension to describe choreographies
behaviors, topology, grounding
4. An Example Choreography
taken from the paper introducing BPEL4Chor
one traveler, one agency, several airline instances
6. Analyzing BPEL4Chor Choreographies
“Classical” properties:
deadlock-freedom, livelock-freedom, no dead activities (a.k.a. Soundness)
Messages:
Does there exist a state in which more than one message is pending on a communication channel?
What is the minimal/maximal number of messages to be sent to reach a final state?
Behavior:
Will a participant always receive an answer?
Can a participant enforce the execution of an activity?
7. Translating BPEL4Chor into a Petri Net
Extend compiler BPEL2oWFN
[Figure: BPEL2oWFN pipeline. Inputs: BPEL processes, topology. Steps: Static Analysis, Translation, Instantiation, Composition, Structural Reduction. Output: Petri net.]
BPEL4Chor requires instantiation and composition
9. Composition
each service is translated into an open workflow net with an interface
open workflow nets can be composed
resulting net has no interface (standard Petri net)
10. Analysis Result
Choreography can deadlock!
each participant is correct (controllable, sound…)
deadlock very subtle!
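An added illustration of the composition and analysis result slides (not code from the presentation or its tool chain): two open workflow nets are composed by fusing equally named interface places, and the resulting closed net is searched for deadlocks. The traveler and agency nets, their message names and all function names are constructed for this example and are not the choreography from the paper.

```python
from collections import deque

# Net = (transitions {name: (inputs, outputs)}, initial marking, final marking).
# "ch.*" places are message channels. All three nets are constructed samples.
TRAVELER = ({"t.send_request": (["t0"], ["t1", "ch.request"]),
             "t.recv_confirm": (["t1", "ch.confirm"], ["t2"]),
             "t.send_payment": (["t2"], ["t3", "ch.payment"])}, {"t0": 1}, {"t3": 1})
AGENCY_WAITS = ({"a.recv_request": (["a0", "ch.request"], ["a1"]),
                 "a.recv_payment": (["a1", "ch.payment"], ["a2"]),
                 "a.send_confirm": (["a2"], ["a3", "ch.confirm"])}, {"a0": 1}, {"a3": 1})
AGENCY_OK = ({"a.recv_request": (["a0", "ch.request"], ["a1"]),
              "a.send_confirm": (["a1"], ["a2", "ch.confirm"]),
              "a.recv_payment": (["a2", "ch.payment"], ["a3"])}, {"a0": 1}, {"a3": 1})

def compose(*nets):
    """Union the nets; equally named interface places fuse into one channel."""
    trans, init, final = {}, {}, {}
    for t, m0, mf in nets:
        trans.update(t)
        init.update(m0)
        final.update(mf)
    return trans, init, final

def fire(trans, marking, name):
    pre, post = trans[name]
    m = dict(marking)
    for p in pre:
        m[p] -= 1
    for p in post:
        m[p] = m.get(p, 0) + 1
    return {p: k for p, k in m.items() if k}

def deadlocks(net, limit=100_000):
    """Breadth-first state space search; non-final markings with nothing enabled."""
    trans, init, final = net
    seen, queue, dead = {frozenset(init.items())}, deque([init]), []
    while queue:
        m = queue.popleft()
        en = [n for n, (pre, _) in trans.items() if all(m.get(p, 0) for p in pre)]
        if not en and m != final:
            dead.append(m)
        for n in en:
            nxt = fire(trans, m, n)
            if frozenset(nxt.items()) not in seen:
                if len(seen) >= limit:
                    raise MemoryError("state space exceeds limit")
                seen.add(frozenset(nxt.items()))
                queue.append(nxt)
    return dead
```

Each sample participant has some partner it can complete with, yet TRAVELER composed with AGENCY_WAITS stops once the request is delivered: the traveler waits for the confirmation while the agency waits for the payment.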
11. Case Study
airline instances                                   1      5       10      100     1000
places                                             20     63      113     1013    10013
transitions                                        10     41       76      706     7006
states (complete/unreduced)                        14   3483  9806583        -        -
states (symmetry reduction)                        14    561   378096        -        -
states (partial order reduction)                   11     86      261    18061  1752867
states (symmetry and partial order reduction)      11     30       50      410     4010
- : out of memory (>2 GB)
Growth annotations on the slide: exponential growth, linear growth
13. Partner Synthesis
new setting: design phase of choreography
one participant description is missing
goal: synthesize missing participant description
14. Translation
incomplete choreography is translated with BPEL2oWFN
translation yields an open workflow net with interface to missing participant
15. Partner Synthesis (1)
[Figure: Fiona, partner synthesis. Input: open workflow net (incomplete choreography). Output: open workflow net (synthesized participant).]
Fiona can synthesize a partner if one exists
partner is correct by design
partner’s behavior is based on communication
no internal behavior is synthesized
order of messages is as relaxed as possible
16. Partner Synthesis (2)
[Figure: oWFN2BPEL, retranslation. Input: open workflow net (synthesized participant). Output: abstract BPEL process (synthesized participant).]
partner’s behavior can be described using BPEL
derived BPEL process is abstract
has to be refined to an executable process
17. Limits of the Partner Synthesis
can only synthesize one partner:
If more than one airline instance is synthesized, the generated partners explicitly synchronize.
airline instances would communicate timeouts:
one instance would be forced to wait for a message
can be a starting point for diagnosis
causalities of messages might be ignored
order and invoice messages might be concurrent
can be fixed using constraints
18. Take-home Points
BPEL4Chor choreographies can be analyzed
… to find very subtle errors
… even with thousands of participants
… automatically using the proposed tool chain
BPEL4Chor choreographies can be completed
… by synthesizing the missing participant
… to guarantee a deadlock-free choreography
… automatically using the proposed tool chain
Thank you very much!