A theorem proving framework for the formal verification of Web Services Composition

L. K ov acs, R.Pugliese, and F . T iezzi (Eds.): W orkshop on Automated Specification and V erification of W eb Systems (WWV 2011) EPTCS 61, 2011, pp. 1–16, doi:10.4204/EPTCS.61.1 c  P . P apapanagiotou, J.D. Fleuriot This work is licensed under the Creativ e Commons Attribution License. A theor em pr oving framew ork f or the f ormal verification of W eb Services Composition Petros Papapanagiotou Jacques D. Fleuriot School of Informatics Univ ersity of Edinbur gh Informatics Forum, 10 Crichton Street Edinbur gh EH8 9AB, UK P.Papapanagiotou@sms.ed.ac.uk jdf@inf.ed.ac.uk W e present a rigorous framework for the composition of W eb Services within a higher order logic theorem prover . Our approach is based on the proofs-as-processes paradigm that enables inference rules of Classical Linear Logic (CLL) to be translated into π -calculus processes. In this setting, composition is achiev ed by representing av ailable web services as CLL sentences, proving the re- quested composite service as a conjecture, and then extracting the constructed π -calculus term from the proof. Our framew ork, implemented in HOL Light, not only uses an expressi v e logic that allows us to incorporate multiple W eb Services properties in the composition process, but also provides guarantees of soundness and correctness for the composition. 1 Intr oduction The general aim of the current research is to design and implement a rigorous frame w ork for the compo- sition and formal verification of W eb Services based on higher order logic. Our approach is moti v ated by recent work on the automated composition of Semantic W eb Services using Intuitionistic Linear Logic that has sho wn promising results [22, 23]. W e focus mainly on the complex task of quality-driv en W eb Services composition. This in v olves the appropriate collection and combination of multiple W eb Services in order to achie ve a composite service that can perform a complex task. The composition needs to take into consideration non-functional restrictions, including location, cost, and time, and be quality-dri ven because the system should ensure a user-specified Quality of Service based on the quality provided in each of the participating W eb Services descriptions. The complexity of the task is compounded by the dramatic increase in av ailable W eb Services, as well as the great v ariety of conceptual models used for the descriptions of the services. 1.1 Overview Our aim is to deploy our system as an automated, offline (as opposed to on-the-fly) W eb services com- poser . Using an expressi ve logic allows the system to incorporate all of the aforementioned information when composing the services. Howe v er , this also means a need to maintain a balance in the tradeoff between e xpressi veness and decidability . W e belie v e the latter to be important since decidability directly af fects the degree of automation and, therefore, the user -friendliness of the system. The compositions are accomplished using the proofs-as-processes paradigm as introduced by Abram- sky [1] and Bellin and Scott [3]. Abramsky sho wed the relev ance between a Classical Linear Logic (CLL) [8] proof and the π -calculus [17] by modifying the Curry-How ard isomorphism and using the formulae- as-types paradigm [12]. Proofs are vie wed as π -calculus processes (instead of λ -calculus functions). 2 A theorem proving frame work for the formal v erification of web services composition Bellin and Scott formalised Abramsk y’ s translation of a fragment of CLL to π -calculus and provided proofs of soundness and correctness of the translation. W e exploit this translation by producing W eb Services compositions as CLL proofs, with the re- quested service set as a conjecture in each case. The π -calculus representation of the composite service is then extracted by translating the proof based on the proofs-as-processes paradigm. Our implementation is being de veloped within the higher order proof assistant HOL Light [10]. The system has equality as the only primitiv e concept and a few primiti ve inference rules that form the basis of more complex rules and tactics. Built on top of these, HOL Light has automated methods for proofs such as model elimination [9] and decision procedures. Additionally , it has an array of conver sion methods that allow for v ery efficient and fine-grained manipulation (such as re writing or numerical reduction) and automatic proofs of formulas. The system is based on the LCF approach [19], which, guarantees that any pro ved theorem is a logical consequence of the primiti v e axioms. 1.2 Motivating Example W e consider the case of ordering a ski set, as presented by Rao et al. [23]. In this, we compose a core service with v alue-adding services, ie. services that hav e minor, independent functionality , such as currency or measurement conv ersion, that can be used as addons to the core functionality . The core service “selectSki”, returns the price in US dollars of a ski set using the ski length, brand, and model as input parameters. There are also v arious value-adding services whose functionality is demonstrated in the diagram provided in Figure 1. The requested composite service must return the price of a ski set in Figure 1: Diagrams of the av ailable services for the Ski e xample. Norwegian Cro wns (NOK) gi ven the user’ s height, weight, and skill level as well as a price limit. The diagram of the requested service can be found in Figure 2. Some non-functional attributes have been Figure 2: Diagram of the requested service for the Ski example. attached to the services. A cost of 10 NOK is attached to “selectBrand” and 20 NOK for “selectModel”, the “USD2NOK” service only replies to requests that are certified by Microsoft and the “selectSki” service is located in Norway (note that this information is not apparent in the diagrams). In Section 2, we will describe the theoretical background of our w ork by briefly explaining the main concepts of CLL and the π -calculus. Then, in Section 3, we introduce the CLL to π -calculus translations of the original proofs-as-processes paradigm and giv e an intuiti ve interpretation for some of the rules. P . P apapanagiotou, J.D. Fleuriot 3 In Section 4 we present the results we obtained from our system for the Ski example, follo wed by an ov ervie w of the related work in Section 5. W e conclude in Section 6 with our plans for future work. 2 Backgr ound In this section, we discuss some of the theoretical background of the proofs-as-processes paradigm. In particular , we briefly explain the main concepts of Classical Linear Logic in Section 2.1 and π -calculus in Section 2.2. W e focus on ho w these two languages can be used to describe W eb Services, which is the first step to wards achie ving W eb services composition using the proofs-as-processes paradigm. 2.1 Classical Linear Logic Girard proposed linear logic (LL) as a refinement to classical logic [8]. In LL, the emphasis is not merely on the truth of a statement as in the classical logic b ut also on formulas that represent resources. The classical rules of contraction and weakening are not allo wed in LL and therefore assumptions cannot be ignored or copied. F or example, if a constant A is assumed twice, it is considered a distinct case than when it is assumed once. In order to achiev e a proof, all assumptions must be “consumed” as resources. Contraction and weakening rules are only used on assumptions with additional modal connecti ves called exponentials, such as the “of-course” operator “!”. The use of these connecti v es allows for classical logic to be encoded within LL. In computer science, LL has been used as a direct and declarative approach to reasoning about v arious computational models related to services such as Petri Nets [18]. 2.1.1 Description For the purposes of W eb Services representation and composition, we aim to use propositional Classical Linear Logic (CLL). This version of LL includes multiplicative conjunction and disjunction, additiv e conjunction and disjunction, linear negation and the of-course and why-not operators (also referred to as exponentials). All these operators can be intuitively interpreted in the context of resources for W eb services and we informally discuss the semantics for some of them next: • Multiplicati ve conjunction or the “tensor” operator ( A ⊗ B ) indicates a simultaneous operation which, in the context of resources, refers to the simultaneous production of A and B . In order to prov e A ⊗ B , the set of av ailable resources must be split in two subsets, one that can achiev e A and one that can achiev e B . Multiplicative conjunction can be seen as the counterpart of conjunction in classical logic. In the context of W eb Services, multiplicativ e conjunction can also be used to represent quantities of consumable resources such (most typically) money and time. In our Ski example, the selectModel service outputs the selected brand and a particular model simultaneously . If we represent these outputs as resources in CLL, the selectModel service output would be ( BRAN D ⊗ M ODE L ) . • Additi ve disjunction or the “plus” operator ( A ⊕ B ) can be viewed as the equiv alent of exclusiv e disjunction in classical logic and indicates that either of A or B are produced but not both. When representing W eb Services, additiv e disjunction can be used to indicate alternativ e results. Most typically it is used to express the possibility of a W eb Service throwing an exception instead of producing the expected result. It is worth mentioning that most web services composition method- ologies do not take e xceptions into consideration. 4 A theorem proving frame work for the formal v erification of web services composition In our example, the selectSki service may fail to return the price of the selected ski if, for example, the particular model is out of stock or is not av ailable for the giv en length. In this case, selectSki will output an exception. In CLL we can represent the output of selectSki as ( PRICE U SD ⊕ E X CE PT I ON ) . • Linear negation ( · ⊥ ) in CLL obeys similar laws to those of classical negation. The symmetry of CLL becomes evident in the connection of the dual operators through linear negation. For example, negating the tensor operator ( ( A ⊗ B ) ⊥ ) results in a “par” operator ( A ⊥ ` B ⊥ ). In general, we use negated CLL terms to represent input (as opposed to output for non-negated terms). For e xample, the input of the Cm2Inch process can be represented as ( LE N GT H C M ⊥ ) . • The of-course (! A ) and why-not (? A ) operators (also refered to as “exponentials”) are used to represent unlimited resources. They allo w controlled versions of the weakening and contraction rules. Essentially , these correspond to the replication of a resource as many times as necessary . For example, in the context of W eb Services, functional parameters such as input and output are reusable in contrast to states which, once “consumed” through a state transition, are no longer applicable. Generally , a two-sided sequent calculus is used for the representation of the CLL inference rules. The left and right versions of each inference rule serve the purpose of handling a connectiv e on the left or right hand side of the turnstyle respectiv ely . Howe v er , given the observation that Γ ` ∆ is equi valent to ` Γ ⊥ , ∆ we can eliminate half of the rules by using a one-sided sequent calculus representation. This has an important impact in the automation of CLL proofs, as the number of av ailable inference rules in the proof search is ef fecti v ely halved. W e note that Bellin and Scott also use a one-sided sequent calculus representation for CLL in their work. The one-sided sequent calculus versions of the inference rules for the multiplicativ e-additi ve frag- ment (MALL) of CLL (ie. without the exponentials) are presented in Figure 5. W e note that, in this particular figure, the rules are annotated using process calculus channel names (see Section 3 for more details). From here on in this paper , unless otherwise stated, e very reference to CLL corresponds to MALL as this is the fragment we are currently focused on. In the future, we plan to increase the expre- si veness of our system by e xtending the logic to the full CLL, although the latter is undecidable [13]. 2.1.2 Describing W eb Services using CLL Inspired by the translation of W eb Services to Intuitionistic Linear Logic (ILL) proposed by Rao [22], we utilise a similar approach for CLL. The CLL syntax has significant differences from ILL though; the most important being the lack of linear implication. As already mentioned, we hav e chosen to interpret negated terms as input and normal terms as output since this appears somewhat more intuiti ve 1 . The resulting formula is shown in Figure 3. Note that we have only kept functional properties of web services, ie. input ( ~ I ), output ( ~ O ), preconditions ( ~ P ) and effects ( ~ F ). This formula can be expanded to incorporate non-functional properties, such as cost and time. Follo wing this formula, the translation of the av ailable services and the request service of the Ski example (see Figures 1 and 2) in CLL are shown in Figure 4. W e note that these translations are annotated with process calculus terms using the “: : ” and “:” operators. These are explained in Section 3.1. This formula also forms the basis for the translation of W eb Services described in a variety of lan- guages, including WSDL [6], BPEL4WS [2] or, in the case of Semantic W eb Services, OWL-S [15], 1 The duality of the CLL connectiv es allo ws this arbitrary choice [3]. P . P apapanagiotou, J.D. Fleuriot 5 ` ~ P , ~ I , (( ⊗ i ~ F ) ⊗ ( ⊗ i ~ O )) ⊕ E ) Where: ⊗ i ( a 1 , a 2 , ..., a n ) = a 1 ⊗ a 2 ⊗ ... ⊗ a n Figure 3: The CLL representation of a W eb Service. A v ailable services: ` Sel ect M od el : : sm p : PRIC E LI M I T ⊥ , sms : S K I LL L EV E L ⊥ , sso : ( BRAN D ⊗ M ODE L ) ` Sel ect Lengt h : : sl h : H E I GH T CM ⊥ , sl w : W E I GH T K G ⊥ , sl l : LE N GT H C M ` Cm 2 I nch : : cic : LE N GT H C M ⊥ , cii : L E N GT H I N ` U sd 2 N ok : : unu : PRICE U SD ⊥ , unn : PRI C E N OK ` Sel ect Sk i : : ssl : LE N GT H I N ⊥ , ssb : BRAN D ⊥ , ssm : M ODE L ⊥ , sso : ( PRIC E U SD ⊕ E X CE PT I ON ) Request: ` P : : x : PRIC E LI M I T ⊥ , y : S K I LL L EV E L ⊥ , z : H E I GH T CM ⊥ , w : W E I GH T K G ⊥ , t : ( PRIC E N OK ⊕ E X C E PT I ON ) Figure 4: The av ailable services and the request for the Ski example translated into CLL with process annotations. the follow-up of DAML-S [7] (used by Rao et al. as part of their work), into CLL. The details of these translations are beyond the scope of the current paper though. 2.2 The π -calculus The π -calculus is a formalism aimed at the description of concurrent processes [17]. The name is used to sho w the connection to the λ -calculus as a minimal, abstract representation. In the π -calculus, processes are described atomically as independent entities. They are attached to channels that use variables to denote the input or output of the process. 2.2.1 Description The syntax of the polyadic π -calculus is presented by the following grammar: P :: = x ( ~ y ) . P | x h ~ y i . P | P || P | P + P | ( ν ~ x ) P | ! P | 0 A channel x attached to process P that allo ws it to receive a message that will be bound to the vector of names ~ y is represented as x ( ~ y ) . P . Similarly , x h ~ y i . P depicts a process with channel x that can send a mes- sage through name ~ y as output. It is worth noting that the infix dots in these two cases are often omitted for simplicity . The expression P || P describes the parallel composition of two processes whereas ( ν ~ x ) P describes a vector of names ~ x that is local to P . Finally , ! P describes a process P that can be replicated and 0 represents the “ nil ” process that has no functionality . Note that in some more minimal versions, the non-deterministic choice P + Q between two processes P and Q is excluded from the syntax. It is w orth remarking also, that there is no e xplicit representation of sequential processes. Interactions between par - allel processes are represented as reductions of the π -calculus terms (similar in form to the reductions of λ -calculus). There are other extensions to the π -calculus syntax and other important concepts such as bisimulation equi valence (or bisimilarity) [26] which go be yond the scope of the current work. 6 A theorem proving frame work for the formal v erification of web services composition Reductions of π -calculus terms are defined formally using a set of rules. W e will only present the most significant reduction rule that describes the interaction between two parallel processes: ( ... + x ( ~ a ) . F ) || ( ... + x h ~ b i . C ) → F [ ~ b / ~ a ] || C (1) The communication described here happens between process C with output ~ b over channel x and process F with input ~ a over the same channel x . The processes run in parallel (denoted by the “ || ” symbol) and for their interaction C sends ~ b to F over x yielding F || C where each free occurence of the names in ~ a in F is replaced by the names in ~ b . It must be noted that the abo v e interaction is only allo wed if the two in volved v ectors ~ a and ~ b have the same size. Moreov er , in addition to the reduction rule, a set of rules is defined that allow us to e xpress structural congruence ( ≡ ) relations between processes. For example, P + 0 ≡ 0 + P ≡ P , P || 0 ≡ 0 || P ≡ P and ! P ≡ P || ! P are all defined as structural congruence rules. This concludes a general ov ervie w of the π -calculus, its reductions, and its intuitiv e interpretation. The π -calculus has formed the basis for a v ariety of process algebras used to describe the communi- cation between agents, including LCC [24] and BPEL4WS [2]. Additionally , there are multiple av ailable tools that perform a v ariety of tasks in v olving π -calculus terms. For example, the Mobility W orkbench (MWB) [29] performs checks for open bisimulation equiv alences [26] (which roughly corresponds to checking agents for equi v alent behaviour) and the PiV izT ool [4] is a tool written in Jav a that can graph- ically represent agents described in π -calculus and allows a step by step, user-controlled monitoring of the interactions in a multi-agent en vironment. 3 The pr oofs-as-processes paradigm In the proofs-as-processes paradigm, Bellin and Scott [3] give a corresponding π -calculus term for each of the CLL inference rules. As the inference rules are applied within a proof, these correspondences allo w the construction of a π -calculus term that corresponds to the entire proof. At the end of the proof, it is guaranteed that applying the possible reductions at the resulting π -calculus term corresponds to the process of cut-elimination in the proof. This means that the cut-free version of the proof corresponds to an equi valent π -calculus term that cannot be reduced further . 3.1 Description Bellin and Scott attach free v ariables as proof annotations to ev ery CLL sequent. Each of these v ariables corresponds to a π -calculus communication port. Moreo ver , the process calculus term attached to the rule is dependent on the processes attached to each of the premises of the rule and the process annotations of the in volv ed sequents. For example, let us consider the “tensor” rule for CLL including the process annotations as sho wn below: . . . . F ` ~ w : Γ , x : A . . . . G ` ~ u : ∆ , y : B ` ~ w : Γ , ~ u : ∆ , z : A ⊗ B ⊗ (2) Processes F and G are attached to the two premises of the rule based on any previous proof steps. The process calculus term attached to the rule, also refered as the “translation” of the rule to the π -calculus P . P apapanagiotou, J.D. Fleuriot 7 is gi ven by the follo wing term: x , y O z ( F , G ) ~ w ~ uz ≡ ν xy ( z h x y i ( F ~ wx || G ~ uy )) (3) W e note that term (3) is dependent on processes F and G and also on the channel names x , y , ~ w and ~ u attached to the inv olv ed sequents. The free variables found in the annotations of the sequents of a conclusion of an inference rule are ensured to be exactly the same as the free names of the corresponding π -calculus term for that rule, in this case z , ~ w , and ~ u . Follo wing a syntax closer to the one used in type theory , we can also represent the same annotated rule and corresponding translation using the : : operator as follo ws: ` F : : ~ w : Γ , x : A ` G : : ~ u : ∆ , y : B ` x , y N z ( F , G ) ~ w ~ uz : : ~ w : Γ , ~ u : ∆ , z : A ⊗ B ⊗ (4) The sev en basic CLL inference rules and their process correspondences are shown in Figure 5. Before analyzing and giving a practical, intuiti ve explanation for some of these correspondences, we should note the two choices made in them. The symmetry of CLL allo ws for two equiv alent, symmetric π -calculus translations for the identity axiom and the ⊗ and ` operators. W e have chosen to translate positi ve atoms and the ⊗ operator as senders while we translate negati ve atoms and the ` operator as receivers. W e examine some of these rules from Figure 5 and their translations more closely ne xt: The identity axiom The identity axiom ` x : A , y : A ⊥ can be intuiti v ely translated gi ven the aforemen- tioned choices to y ( a ) x h a i . The resulting process recei ves a message a through the channel y of the negati v e literal and sends the same message a through the channel of the positi ve atom x . Such a process is refered to as an axiom buffer . The ⊗ rule The “tensor” rule must intuitiv ely correspond to a channel z that sends two messages x and y corresponding to the literals A and B (that are in v olved in F and G respectiv ely) simultaneously . The gi ven translation satisfies our intuition. It sends both x and y through channel z followed by the parallel ex ecution of F and G . The ⊕ rules The ⊕ operator provides the means to ignore an argument or , consequently , a channel. In the first rule, for example, we expect to receive two names u and v corresponding to the channels for A and B respectiv ely through a common channel z . The process ignores the second name v and uses the first one u to send x before in voking P . The process for the second rule is symmetric as it ignores the first name u and sends y through v . The Cut rule The C ut rule is perhaps the most significant rule as far as process interactions are con- cerned. W e already discussed that applying cut-elimination to the proof corresponds to performing re- ductions in its π -calculus translation. Therefore, the Cut rule corresponds to a reduction/interaction between processes F and G . Additionally , the interaction will take place through the ports corresponding to the literal being cut, namely C . Thus, port x will be connected to port y to form a common channel z . The two processes are expected to interact through this common channel z when in v oked in parallel. It is worth noting that there are no assumptions made whatsoever about which of the two services will be the recei ver and which will be the sender . 8 A theorem proving frame work for the formal v erification of web services composition CLL inference rule π -calculus translation ` x : A , y : A ⊥ I xy ≡ y ( a ) x h a i . . . . F ` ~ w : Γ , x : A . . . . G ` ~ u : ∆ , y : B ` ~ w : Γ , ~ u : ∆ , z : A ⊗ B ⊗ x , y N z ( F , G ) ~ w ~ uz ≡ ν xy ( z h xy i ( F ~ wx || G ~ uy )) . . . . F ` ~ w : Γ , x : A , y : B ` ~ w : Γ , z : A ` B ` x , y ˙ z ( F ) ~ wz ≡ z ( xy ) F ~ wxy . . . . P ` ~ w : Γ , x : A ` ~ w : Γ , z : A ⊕ B ⊕ x L z ( P ) ~ wz ≡ ν x ( z ( uv ) u h x i P ~ wx ) . . . . Q ` ~ w : Γ , y : B ` ~ w : Γ , z : A ⊕ B ⊕ y R z ( Q ) ~ wy ≡ ν y ( z ( uv ) v h y i Q ~ wy ) . . . . P ` ~ w : Γ , x : A . . . . Q ` ~ w : Γ , y : B ` ~ w : Γ , z : A & B & x , y ˘ z ( P , Q ) ~ wz ≡ ν uv ( z h uv i [ u ( x ) P ~ wx + v ( y ) Q ~ wy ]) . . . . F ` ~ u : Γ , x : C . . . . G ` ~ v : ∆ , y : C ⊥ ` ~ u : Γ , ~ v : ∆ Cut Cut z ( F , G ) ~ u ~ v ≡ ν z ( F ~ u [ z / x ] || G ~ v [ z / y ]) Figure 5: The CLL inference rules annotated with channel names and the corresponding π -calculus processes. Similar informal justifications can be gi v en for rules in volving ` and &, b ut will be omitted here due to space limitations. W e should also note that π -calculus replication (! P ) is only used in the translations of the of-course and why-not rules which, as mentioned previously , are not currently part of our system. Despite that fact, our language is sufficiently expressi ve to describe useful W eb Services compositions, as demonstrated in Section 4. 3.2 Achieving W eb Services composition The proofs-as-processes paradigm allows us to create W eb Services compositions described using the π -calculus by performing CLL proofs. In short, the av ailable W eb Services descriptions are specified as CLL sentences as we discussed in Section 2.1.2. Then we construct a CLL description of the requested composite service and attempt to prove it as a conjecture. Using our defined logic, proving the requested service R from the av ailable services A i corresponds to proving the follo wing goal: A 1 A 2 ... A n R P . P apapanagiotou, J.D. Fleuriot 9 Assuming the proof (ie. the composition) can be accomplished, the resulting lemma will correspond to a v alid logical representation of the requested service. W e will have, therefore, prov en that such a service exists and can be constructed using the set of av ailable W eb Services. Moreov er , the π -calculus translation of the proof will provide a full description of the structure of the composite service. 4 Results W e be gin the result analysis by explaining the setup of our implementation for the ski example in Section 4.1. This is followed by a brief description of the obtained results in Section 4.2 and by a description of the ex ecution of the resulting π -calculus process as an empirical verification in Section 4.3. 4.1 Setup Our system is built within the higher order logic (HOL) proof assistant HOL Light. More specifically , we hav e embedded MALL and the π -calculus syntax within HOL Light, while making sure proof anno- tations and process calculus term construction are supported. The embedding of the π -calculus is based on the work of Melham in HOL88 [16]. It includes the basic, polyadic π -calculus syntax, a few simple functions about names, and substitution. Formalising re- ductions, structural congruence rules, and bisimulation rules may prove useful for further meta-theoretic reasoning, but is currently be yond the scope of our project. For the MALL embedding we followed the work of Po wer et al. [21] and Sadrzadeh [25] in Coq. W e follo w a similar methodology , although we use multisets instead of lists of sequents, and thus have no need for an Exchange rule to swap the order of sequents in a sentence. Supporting π -calculus proof annotations and enabling process calculus term construction in the style of type theory was a fairly challenging task. W e achieved this by including the channel names and the proofs-as-processes translations as logical terms within the embedding of each MALL inference rules. Our custom tactics allow us to accomplish CLL proofs of CLL statements with π -calculus annotations using these combined rules while constructing the π -calculus translation simultaneously . Their function- ality is based on the use of metav ariables as we further e xplain in the next section. Having implemented this system as an embedded logic within HOL Light guarantees the correctness of the in volv ed proofs. Giv en the soundness and correctness proofs of Bellin and Scott for the proofs-as- processes paradigm, this also guarantees the correctness of the composite service, ie. that the resulting π -calculus service will indeed hav e the expected beha viour . W e will use the Ski example to demonstrate the functionality of our system. In Section 2.1.2 we presented the CLL translations of the av ailable services as well as the translation of the requested service. Based on the scheme described in Section 3.2, achieving the desired services composition is equiv alent to proving the requested service as a conjecture. W e, therefore, need to prov e the follo wing lemma: ∃ P . ` P : : x : PRICE LI M I T ⊥ , y : S K I LL LE V E L ⊥ , z : H E I GH T C M ⊥ , w : W E I GH T K G ⊥ , t : ( PRIC E N OK ⊕ E X C E PT I ON ) (5) W e note that the existential quantification of P is not at the embedded level of CLL but rather at the HOL (meta) le vel. It allows us to find the process P for which this sentence holds, ie. the composite service that satisfies this specification. 10 A theorem proving frame work for the formal v erification of web services composition 4.2 Proof and obtained r esults The proof of (5) is shown in Figure 6. Note that the CLL propositions are abbreviated, eg. H C stands for H E I GH T CM , and the process calculus annotations have been omitted for a cleaner presentation. Moreov er , the neg eq step in the proof is an abbre viation of the usage of the C ut rule with a lemma in v olving negation. As each of the CLL inference rules is applied in the proof, the composite process P is gradually constructed based on the corresponding process calculus translations of the proofs-as- processes paradigm (see Figure 5). ` PL ⊥ , SL ⊥ , BR ⊗ M O Sel M od ` HC ⊥ , W K ⊥ , L C Sel Len ` L C ⊥ , LI Cm 2 I nch ` HC ⊥ , W K ⊥ , LI Cut ` PL ⊥ , SL ⊥ , H C ⊥ , W K ⊥ , ( BR ⊗ M O ) ⊗ LI ⊗ (6) ` BR ⊥ , M O ⊥ , LI ⊥ , P U ⊕ E X E Sel S ki ` BR ⊥ ` M O ⊥ , LI ⊥ , P U ⊕ E X E ` ` ( BR ⊥ ` M O ⊥ ) ` LI ⊥ , P U ⊕ E X E ` ` P U ⊥ , PN U sd 2 N ok ` P U ⊥ , PN ⊕ E X E ⊕ ` E X E ⊥ , E X E I d ` E X E ⊥ , PN ⊕ E X E ⊕ ` P U ⊥ & E X E ⊥ , PN ⊕ E X E & ` ( P U ⊕ E X E ) ⊥ , PN ⊕ E X E ne g eq ` ( BR ⊥ ` M O ⊥ ) ` LI ⊥ , PN ⊕ E X E Cut ` (( BR ⊗ M O ) ⊗ LI ) ⊥ , PN ⊕ E X E ne g eq ` PL ⊥ , SL ⊥ , H C ⊥ , W K ⊥ , PN ⊕ E X E Cut wit h ( 6 ) (7) Figure 6: The proof of the requested service of the Ski example in CLL. W ithout delving into too many technical details, we accomplish this by introducing P as a metav ari- able that is matched to the translation of the first rule being applied to the goal (assuming we are following the proof backwards), ie. the C ut rule. This turns P into an instantiation of ν z ( F ~ u [ z / x ] || G ~ v [ z / y ]) where any matched v ariables ha ve also been instantiated. Any unmatched variables in this new form are also introduced as metav ariables that are in turn instantiated in the next proof steps. For example, G ev entually becomes the process corresponding to part (6) of the proof (see Figure 6). It is first introduced as a new metav ariable that is gradually instantiated as the proof progresses. If one of the a v ailable services’ CLL statements (see Figure 4) is used to match one of the CLL sentences at the top of the proof tree, this will instantiate one of the metav ariables and the service will then be introduced as a component in the π -calculus representation of the composite service. Any unmatched metav ariables at the end of the proof are left as fresh, free variables in the π -calculus result. In the above example of ν z ( F ~ u [ z / x ] || G ~ v [ z / y ]) , z is the variable representing the channel connecting F and G and will never be matched as it nev er appears in the proof. It is in fact kept as a fresh variable and renamed to z 1 to av oid v ariable clashes in our result. The π -calculus term that was constructed follo wing this methodology by our proof for the Ski example (denoted as C om posit ion ( sm p , sms , sl h , sl w , t , puc , exc ) ) is presented in Figure 7. It is im- mediately apparent that the complexity of this term prohibits any attempt to fully analyse its func- tionality on paper . Only some of its parts are clear and can be analysed. For example, the subterm ( ν z 3 )( Sel Len [ z 3 / sl l ] || C m 2 I nch [ z 3 / cic ]) represents the interaction between port sl l of the S el Len ser- P . P apapanagiotou, J.D. Fleuriot 11 Com posit ion ( sm p , sms , sl h , sl w , t , puc , exc ) ≡ ( ν z 1 ) (( ν smo , cii ) ( z 1 h smo , cii i . ( Sel M od || ( ν z 3 )( Sel Len [ z 3 / sl l ] || C m 2 I nch [ z 3 / cic ])) ) || ( ν z 4 ) ((( z 1 ( x 5 , ssl ) . x 5 ( ssb , ssm ) . Sel S ki [ z 4 / sso ]) || ( ν u 7 , v 7 ) (( z 4 h ( u 7 , v 7 ) i . (( u 7 ( unu ) . ( ν unn )( t ( u 8 , v 8 ) . u 8 h unn i . U sd 2 N ok ))+ ( v 7 ( y 7 ) . ( ν y 9 )( t ( u 9 , v 9 ) . v 9 h y 9 i . y 7 ( a 10 ) . y 9 h a 10 ) . 0 ))) )) ) ) Figure 7: The resulting π -calculus formula from the Ski proof. vice and port cic of the C m 2 I nch service 2 . Essentially , this is a composite subprocess that selects the ski length in inches (rather than in centimeters). It resulted from the application of the C u t rule using lemma (6) in the proof. It is worth noting that the resulting services composition makes no assumptions about the form of the component services. In our example from Figure 7, the π -calculus term includes component processes such as Sel Len , Sel M od , Sel S ki , etc. as “black boxes” with hidden functionality . The only kno wn properties of the component services are the input and output ports as defined in their CLL representation. For e xample, Sel Len is defined as follows (see Figure 4): ` S el Len : : sl h : H C ⊥ , sl w : W K ⊥ , sl l : L C Therefore, it is only assumed that it has input ports sl h and sl w and output port sl l . 4.3 Execution Once the π -calculus composition is extracted, the next step is to execute the composed service. This can be accomplished by translating the π -calculus representation in a more commonly used, executable W eb Services description language such as the pre viously mentioned WSDL, BPEL4WS, or O WL-S. In our project so far , before undertaking the formal translation of π -calculus to any other model, we are focusing on visualising and checking the results empirically . This is accomplished by introducing concrete π -calculus representations for each of the av ailable services and simulating their execution by in v oking the π -calculus reductions. W e hav e, therefore, constructed a set of mappings for a systematic interpretation of CLL judgements to π -calculus processes. These mappings pro vide an intuitiv e interpretation that satisfies the correspond- ing properties and follows the expected behaviour (as far as π -calculus reductions are concerned). W e present them in Figure 8. Follo wing these empirical translations, we introduce π -calculus terms for each of the av ailable ser- vices. W e, therefore, instantiate the “black boxes” in our initial result with an ex ecutable π -calculus term. 2 Note how both sll and cic are substituted by z 3 in order to accomplish this interaction. 12 A theorem proving frame work for the formal v erification of web services composition A a h ... i . 0 A ⊥ a ( ... ) . 0 A ⊗ B ( ν a , b )( z h a , b i . ( a h ... i . 0 || b h ... i . 0 )) A ⊥ ` B ⊥ z ( a , b ) . ( a ( ... ) . 0 || b ( ... ) . 0 ) A ⊕ B ( ν a , b )( z ( u , v ) . ( u h x i . x h ... i . 0 + v h y i . y h ... i . 0 )) A ⊥ & B ⊥ ( ν a , b )( z h u , v i . ( u ( x ) . x ( ... ) . 0 + v ( y ) . y ( ... ) . 0 )) Figure 8: T ranslations of CLL terms to π -calculus. Moreov er , we introduce a π -calculus term for a Reques t service. This service can be viewed as the client for the requested composite service. It will interact with the π -calculus term of the latter to verify its functionality . In this particular example, it will provide the expected input, ie. the price limit, skill lev el, height and weight, and expect the desired output, namely the price in NOK or an exception. W e present the introduced π -calculus services in Figure 9. The parallel composition of the Request service and the deri ved composite service C om posit ion from Figure 7 is introduced as the M ain service to complete our model. Sel Len ( sl h , sl w , sl l , l c ) ≡ sl h ( hc ) . sl w ( wk ) . sl l h l c i . 0 Cm 2 I n ( cic , cl i , l i ) ≡ cic ( l c ) . cl i h l i i . 0 U sd 2 N ok ( unu , unn , pn ) ≡ unu ( pu ) . unn h pn i . 0 Sel M od ( sm p , sms , smm , br , mo ) ≡ sm p ( pl ) . sms ( sl ) . ( ν smb , smo )( smm h smb , smo i . smb h br i . smo h mo i . 0 ) Sel Ski ( ssb , ssm , ssl , sso , pu , ex ) ≡ ( ν ss p , sse )( ssb ( br ) . ssm ( mo ) . ssl ( l i ) . sso ( u , v ) . ( u h ss p i . ss p h pu i . 0 + v h sse i . sse h ex i . 0 )) Request ( sm p , pl , sms , sl , sl h , hc , sl w , wk , t , puc , exc ) ≡ sm p h pl i . sms h sl i . sl h h hc i . sl w h wk i . t h puc , exc i . ( puc ( x ) . x ( pu ) . 0 + exc ( y ) . y ( e x ) . 0 ) M ain () ≡ Request ( sm p , pl , sms , sl , sl h , hc , sl w , wk , t , puc , exc ) || C om posit ion ( sm p , sms , sl h , sl w , t , puc , exc ) Figure 9: The av ailable services and the Request service for the Ski example defined as π -calculus processes. It is important to note that these particular concrete representations are not unique in π -calculus. Ho wev er , they were designed to be as simple and straightforward as possible. Our aim is to empirically confirm the correctness of the constructed composition and its associated information flo w . Since the composition makes no assumptions about the inv olv ed component services (apart from the names of the channels through which the services can be interfaced), any valid π -calculus representation of these services is acceptable. Our complete set of services was given as input to the PiV izT ool (see Section 2.2.1). This system allo ws the visualisation of the various services and their interactions (corresponding to π -calculus reduc- tions). Eight consecuti ve snapshots (out of a total of 17) from the resulting visualisation are sho wn in Figure 10. Each edge represents a possible interaction between two agents. The grey edges represent interactions that are currently blocked whereas the black edges represent interactions that can occur im- mediately on the next ex ecution step. Each snapshot is the result of applying one π -calculus reduction in the pre vious state. For example, in snapshot 6 of Figure 10, the S el Len service interacts with C m 2 I n through channel z 3 (automatically renamed to z 3#8 by PiV izT ool to av oid clashes). Essentially , this corresponds to the con v ersion of the output of the S el Len service from centimeters to inches via the C m 2 I n service as we P . P apapanagiotou, J.D. Fleuriot 13 Figure 10: Consecutiv e snapshots of the Ski example π -calculus result taken from PiV izT ool. discussed in the pre vious section. The result after the interaction is shown in snapshot 7. The PiV izT ool simulation plays an important role tow ards empirically verifying that our result sat- isfies the requested service without the initial need for a more concrete execution model. Our process behav es as expected indicating that the a v ailable services ha ve been succesfully composed. Additionally , PiV izT ool provides the definition and execution trees of the composed service. These are tree visualisations of the definitions and ex ecution sequence for each of av ailable services respec- ti vely . These trees are also helpful to wards understanding and analysing the beha viour of the composite service. 5 Related work There are two main directions in the research ov er W eb Services composition: one inv olv es the use of workflo w techniques while the other relies on AI planning [11]. The workflo w techniques rely on the requester building an abstract process model, including a set of required tasks and their data dependencies. The aim is then to build a graph of atomic services that can fulfill this role. An example of such a workflo w-based system is EFlo w [5]. In the AI planning approach, services are considered as actions with specified preconditions and ef fects. A planner then attempts to discov er the appropriate combination of actions that will lead to a goal state starting from an initial state. An example of such system is SWORD [20] which uses rule-based planning for the composition of services. Theorem proving techniques, such as the one used in the current work, are considered part of the planning approach to W eb Services composition. There have been multiple attempts at using theorem prov ers in this context. W aldinger , for instance, based his work on automated deduction and program synthesis [30]. He used the theorem prov er SN ARK [27] to provide proofs for service composition 14 A theorem proving frame work for the formal v erification of web services composition problems described in classical first-order logic. Lammermann work ed on structural synthesis of pro- gram, a deducti ve approach that utilises intuitionistic propositional logic [14]. Finally , Rao et al. used propositional Linear Logic theorem proving with D AML-S based proofs [22, 23]. The latter has been the main motiv ation for this work. Howe v er , after carefully analysing the work of Rao et al., we detected a number of potential inconsistencies. For example, the process calculus being used is an extension of the π -calculus. Howe ver , no guarantees are giv en that the two calculi are equi valent or that the Bellin and Scott proofs are valid for the extended process calculus. Additionally , they use Intuitionistic Linear Logic in a two-sided sequent calculus, which is also not guaranteed to be equiv alent to the one-sided CLL approach of Bellin and Scott. Moreover , a number of so-called “structural congruence rules” that contain both CLL terms and channel names were introduced. These rules were not formally deri ved and their syntax can easily result in an incorrect interpretation. Finally , e ven though the system theoretically supports non-functional properties and exponentials, the proof of the Ski example ignores them. Non-functional properties are crucial to wards a quality-driven composition, whereas adding the exponentials w ould make the logic undecidable. Using our system and the higher order logic backround of HOL Light we were able to provide a rational reconstruction of Rao’ s work. This includes a formal interpretation (using CLL and the π - calculus) of some of Rao’ s introduced concepts such as composite and optional ports and channels and the verification of some their properties and structural congruence rules. The lack of published code and more examples made this a f airly challenging undertaking. 6 Conclusion and Futur e work W e hav e described our ef forts tow ards the implementation of a rigorous framew ork for W eb services composition using the higher order logic proof assistant HOL Light. Our approach is based on the proofs-as-processes paradigm originally introduced by Abramsky , Bellin and Scott. In contrast to the work of Rao et al., we hav e attempted to remain faithful to the original theory of Bellin and Scott by using CLL in conjunction with the standard polyadic π -calculus syntax. Our implementation has sho wn some promising results and there is suf ficient room for improv ements and further work. In particular , interesting properties such as liv eness, safety , and deadlock-freedom hav e not been in vestigated in this work yet. These, along with the automation of our CLL proofs and further e valuation of the system, are part of our ne xt goals. The Bellin and Scott translation has the interesting property of keeping the π -calculus annotations and the CLL proof completely independent of each other . This means that the CLL proof is not affected by the attached process calculus terms. In fact, if we completely remove the annotations, the proofs are perfectly valid CLL proofs. W e plan to exploit this property in our attempt to utilise external tools to automate our proofs. Our effort will focus on finding and using tools (such as llprover [28]) that can perform automated CLL proofs and return the entire proof script, which can then be integrated and verified by our HOL Light frame work. W e will also be focusing on further system e v aluation. Our implementation test set is currently using Rao’ s Ski example as its main case. In the next stages of this work we will gather practical e xamples from existing web services projects, such as the S E N S O R I A Project [31], where verified composition is desirable. Moreover , we will compare our system with related systems in the field. W e also note that it is important to find examples of composable web services with non-functional properties. The potential of our frame work to incorporate such properties in the composition sets it apart from related work. Another important part of our future work is to establish formal translations from the composite P . P apapanagiotou, J.D. Fleuriot 15 services produced by our system in π -calculus to more widely used and more concrete W eb Services description languages, including WSDL and O WL-S. This inv olv es the proper translation of the com- posite service’ s control flow , including notions such as sequence that are not explicitly represented in π -calculus. In conclusion, we believ e that our work contributes to both the W eb Services and theorem prov- ing/formal verification research areas. On the one hand, we are working towards a fully verified W eb services composer using theorem proving techniques while promoting theoretical research in this area. On the other hand, the variety of tools and tactics that we have dev eloped may provide a reusable and extensible library , which may prov e useful in other formal verification or theorem proving projects in the area and beyond. 7 Acknowledgement W e would like to thank the anonymous re vie wers for their helpful and constructi ve comments. Refer ences [1] S. Abramsky (1994): Proofs as processes . Theoretical Computer Science 135(1), pp. 5–9, doi:10.1016/0304- 3975(94)00103-0. [2] T . Andre ws, F . Curbera, H. Dholakia, Y . Goland, J. Klein, F . Le ymann, K. Liu, D. Roller , D. Smith, S. Thatte et al. (2003): Business pr ocess execution language for web services, version 1.1 . Standards proposal by BEA Systems, International Business Machines Corporation, and Microsoft Corporation . [3] G. Bellin & PJ Scott (1994): On the π -calculus and linear logic . Theoretical Computer Science 135(1), pp. 11–65, doi:10.1016/0304-3975(94)00104-9. [4] A. Bog & F . Puhlmann (2006): A T ool for the Simulation of π -Calculus Systems . Open. BPM . [5] F . Casati, S. Ilnicki, L.J. Jin, V . Krishnamoorthy & M.C. Shan (2000): eFlow: a platform for developing and managing composite e-services . HP Laboratories T echnical Report HPL . [6] E. Christensen, F . Curbera, G. Meredith & S. W eeraw arana (2001): W eb services description language (WSDL) 1.1 . http://www.w3.org/TR/wsdl . [7] D.S. Coalition, A. Ankolekar , M. Burstein & J.R. Hobbs (2002): DAML-S: W eb service description for the semantic W eb . In: First International Semantic W eb Conference, Sardinia, Italy , Springer . [8] J.Y . Girard (1995): Linear logic: its syntax and semantics . Advances in linear logic 222, pp. 1–42, doi:10.1017/CBO9780511629150.002. [9] J. Harrison (1996): Optimizing pr oof searc h in model elimination . Lecture Notes in Computer Science 1104, pp. 313–327. [10] John Harrison (1996): HOL Light: A tutorial introduction . In: Formal Methods in Computer- Aided Design , Lecture Notes in Computer Science 1166, Springer Berlin / Heidelberg, pp. 265–269, doi:10.1007/BFb0031814. [11] J.A. Hendler , A. T ate & M. Drummond (1990): AI planning: Systems and techniques . AI magazine 11(2), p. 61. [12] W .A. How ard (1980): The formulae-as-types notion of construction . T o HB Curry: essays on combinatory logic, lambda calculus and formalism , pp. 479–490. [13] P .L. John, J. Mitchell, A. Scedrov & N. Shankar (1992): Decision pr oblems for pr opositional linear logic . Annals of Pure and Applied Logic 56(1-3), pp. 239–311. 16 A theorem proving frame work for the formal v erification of web services composition [14] S. L ¨ ammermann, Institutionen f ¨ or mikroelektronik och informationsteknik & Kungliga tekniska h ¨ ogskolan (2002): Runtime service composition via logic-based pr ogr am synthesis . Department of Microelectronics and Information T echnology . [15] D. Martin, M. Burstein, J. Hobbs, O. Lassila, D. McDermott, S. McIlraith, S. Narayanan, M. Paolucci, B. Parsia, T .R. Payne et al. (2004): O WL-S: Semantic markup for web services . http://www.w3.org/Submission/OWL-S/ . [16] T . F . Melham (1994): A Mechanized Theory of the π -calculus in HOL . Nordic Journal of Computing V olume 1, pp. 50–76. [17] R. Milner (1999): Communicating and mobile systems: the π -calculus . Cambridge Univ Pr . [18] T . Murata (1989): P etri nets: Pr operties, analysis and applications . Proceedings of the IEEE 77(4), pp. 541–580. Doi:10.1109/5.24143. [19] L.C. Paulson (1990): Logic and computation: interactive pr oof with Cambridge LCF . Cambridge Univ Pr . [20] S.R. Ponnekanti & A. Fox (2002): Sword: A developer toolkit for web service composition . In: Proc. of the Elev enth International W orld Wide W eb Conference, Honolulu, HI . [21] J. Power , C. W ebster, C. Maynooth & I. Kildare (1999): W orking with Linear Logic in Coq . In: 12th Inter- national Conference on Theorem Proving in Higher Order Logics, W ork-in-Progress Report, Nice, France . [22] J. Rao (2004): Semantic web service composition via logic-based pr ogram synthesis . Dr . Ing Thesis, Norwe- gian Uin versity of Science and T echnology , T rondheim . [23] J. Rao, P . K ¨ ungas & M. Matskin (2006): Composition of semantic web services using linear logic theorem pr oving . Information Systems 31(4-5), pp. 340–360, doi:10.1016/j.is.2005.02.005. [24] D. Robertson (2004): A lightweight coor dination calculus for agent systems . Declarativ e Agent Languages and T echnologies 1, pp. 183–197. [25] M. Sadrzadeh (2003): Modal linear logic in higher order logic: An experiment with Coq . In: In Emerging T rends TPHOLS , pp. 75–93. [26] D. Sangiorgi (1996): A theory of bisimulation for the π -calculus . Acta informatica 33(1), pp. 69–97, doi:10.1007/s002360050036. [27] M.E. Stickel, R.J. W aldinger & V .K. Chaudhri (2000): A guide to SNARK . SRI International, Menlo Park, CA . [28] Naoyuki T amura (1998): User’ s Guide of a Linear Logic Theorem Pr over (llpr over) . T echnical Report, K obe Univ ersity , Japan. [29] Bj ¨ orn V ictor & Faron Moller (1994): The Mobility Workbench — A T ool for the π -Calculus . In David Dill, editor: CA V’94: Computer Aided V erification , Lecture Notes in Computer Science 818, Springer-V erlag, pp. 428–440. [30] Richard W aldinger (2001): W eb Agents Cooperating Deductively . In: Formal Approaches to Agent- Based Systems , Lecture Notes in Computer Science 1871, Springer Berlin / Heidelberg, pp. 250–262, doi:10.1007/3-540-45484-5 20. [31] M. W irsing, A. Clark, S. Gilmore, M. H ¨ olzl, A. Knapp, N. Koch & A. Schroeder (2006): Semantic-based development of service-oriented systems . Formal T echniques for Networked and Distributed Systems-FOR TE 2006 , pp. 24–45.