Tisa: A Language Design and Modular Verification Technique for Temporal Policies in Web Services

  • Hridesh Rajan
  • Jia Tao
  • Steve Shaner
  • Gary T. Leavens
Part of the Lecture Notes in Computer Science book series (LNCS, volume 5502)


Web services are distributed software components that are decoupled from each other by interfaces with specified functional behaviors. Such behavioral specifications, however, are insufficient to demonstrate compliance with certain temporal non-functional policies. An example is demonstrating that a patient's health-related query sent to a health care service is answered only by a doctor (and not by a secretary). Demonstrating compliance with such policies is important for satisfying governmental privacy regulations. It is often necessary to expose the internals of the web service implementation to demonstrate such compliance, which may compromise modularity. In this work, we provide a language design that enables such demonstrations while hiding the majority of the service's source code. The key idea is to use greybox specifications to allow service providers to selectively hide and expose parts of their implementation. The overall problem of showing compliance is then reduced to two subproblems: whether the desired properties are satisfied by the service's greybox specification, and whether this greybox specification is satisfied by the service's implementation. We specify policies using LTL and solve the first problem by model checking. We solve the second problem by refinement techniques.
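The two subproblems in the abstract can be illustrated on the health care example with a small explicit-state checker. The following Python is an added illustration written for this page; it is not Tisa code and does not reproduce the paper's language or proof technique. The greybox specification is modelled as a labelled transition system whose exposed steps are events of the form (action, principal), with hidden code abstracted into a single "internal" event; the temporal policy "a pending health query is answered only by a doctor" is expressed as a safety monitor and checked by breadth-first search over the product of specification and monitor, and "implementation satisfies specification" is approximated by a simulation check (sound but conservative for trace inclusion). The service states, event names and principals are constructed for the example.

```python
from collections import deque
from typing import Dict, List, Optional, Tuple

Event = Tuple[str, str]                 # (action, principal)
LTS = Dict[str, List[Tuple[Event, str]]]  # state -> [(event, next_state)]

# Constructed greybox spec of a hypothetical health care service: a patient
# query is received, routed by either staff member, then answered. Hidden
# internals collapse into the "internal" self-loop. Only a doctor replies.
COMPLIANT: LTS = {
    "idle":     [(("recv", "patient"), "received")],
    "received": [(("route", "secretary"), "routed"),
                 (("route", "doctor"), "routed")],
    "routed":   [(("internal", "service"), "routed"),
                 (("reply", "doctor"), "idle")],
}

# Same shape, but the exposed steps allow the secretary to answer.
VIOLATING: LTS = {
    "idle":     [(("recv", "patient"), "received")],
    "received": [(("route", "secretary"), "routed")],
    "routed":   [(("reply", "secretary"), "idle"),
                 (("reply", "doctor"), "idle")],
}

# Constructed implementation with more concrete states than the spec; every
# exposed event it emits must be permitted by COMPLIANT at that point.
IMPL: LTS = {
    "i0": [(("recv", "patient"), "i1")],
    "i1": [(("route", "secretary"), "i2")],
    "i2": [(("internal", "service"), "i3")],
    "i3": [(("reply", "doctor"), "i0")],
}


def monitor_step(mstate: str, event: Event) -> str:
    """Safety monitor for G(recv -> (no non-doctor reply W doctor reply)).
    'waiting': no query pending; 'pending': a query awaits its answer."""
    action, principal = event
    if mstate == "waiting":
        return "pending" if action == "recv" else "waiting"
    if action == "reply":
        return "waiting" if principal == "doctor" else "violation"
    return "pending"


def check_policy(spec: LTS, init: str = "idle") -> Optional[List[Event]]:
    """Subproblem 1: does the greybox spec satisfy the policy?
    Returns None if no bad prefix is reachable, else the shortest
    counterexample trace (list of events)."""
    start = (init, "waiting")
    parents = {start: None}
    queue = deque([start])
    while queue:
        s, m = queue.popleft()
        for event, s2 in spec.get(s, []):
            node = (s2, monitor_step(m, event))
            if node in parents:
                continue
            parents[node] = ((s, m), event)
            if node[1] == "violation":
                trace = []
                while parents[node] is not None:
                    prev, ev = parents[node]
                    trace.append(ev)
                    node = prev
                return list(reversed(trace))
            queue.append(node)
    return None


def refines(impl: LTS, spec: LTS, impl_init: str = "i0",
            spec_init: str = "idle") -> bool:
    """Subproblem 2: is every exposed event sequence of impl allowed by spec?
    Simulation check over reachable (impl, spec) state pairs: each impl edge
    needs a spec edge with the same event. Conservative when spec is
    nondeterministic on an event, never unsound."""
    seen = {(impl_init, spec_init)}
    queue = deque(seen)
    while queue:
        i, s = queue.popleft()
        for event, i2 in impl.get(i, []):
            matches = [s2 for ev, s2 in spec.get(s, []) if ev == event]
            if not matches:
                return False
            for s2 in matches:
                if (i2, s2) not in seen:
                    seen.add((i2, s2))
                    queue.append((i2, s2))
    return True


if __name__ == "__main__":
    print("compliant spec:", check_policy(COMPLIANT))   # None
    print("violating spec:", check_policy(VIOLATING))   # counterexample
    print("impl refines spec:", refines(IMPL, COMPLIANT))
```

The monitor only encodes the safety half of the policy (no non-doctor answer); the liveness half (the query is eventually answered) needs an automaton with acceptance conditions, which the paper's LTL model checking provides and this toy does not. Note that the checks never look inside the "internal" step: that is the point of the greybox split, the provider exposes only the events the policy mentions.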



Copyright information

© Springer-Verlag Berlin Heidelberg 2009

Authors and Affiliations

  • Hridesh Rajan, Jia Tao, Steve Shaner: Iowa State University, Ames, USA
  • Gary T. Leavens: University of Central Florida, Orlando, USA
