Interface contracts
Constraints on individual messages
Constraints on sequences
Data-aware sequential constraints
Interface contract = valid (error-free) interactions

Interface contracts
As a tutorial tool, the Beep Store's JavaScript client can be told to "forget" element...
"Dave, my mind is going..."

Constraints on individual messages
Three types of constraints (I)
Examples:
<Message> <Action>ItemSearch</Ac...
1. The element must be an integer between 1 and 20.
2. The element is mandatory only if is pre...

Expressing data constraints
Simple XPath: fetches portions of an XML document according to a query path = seq...
XPath term: expresses properties over values fetched by XPath expressions. For som...
1. ∀_{/Message/Page} x : x > 0 ∧ x < 21
2. ∃_{/Message/Page} x : ⇔ ∃_{/Message/Resu...} y :

Constraints on message sequences
Examples:
<Message> <Action>Login</Action> ... </Message> <Message> <Ac...
3. The request cannot be resent if its response is successful.
...

Linear Temporal Logic
Alphabet (A): set of possible messages
Trace (A*): sequence of messages
LTL formula = assertion on the sequence of states in a trace
a "always a"
a "a in the next"
a "eventually a"
...
Well-known results:
1. For every LTL formula φ, there exists a Büchi automaton A such that for every (infini...

Constraints on message sequences
Examples:
3. (∀_{/Message/Action} a : a = LoginResponse → ( ∀ a' : a' ≠ Login...

Three types of constraints (II)
The verification can be separated in two steps
[diagram of operators: G, X, ∨, ∀, ∃, G, F, →]
1. Temporal ...

Runtime monitoring
Gerth, Peled, Vardi, Wolper (PSTV 1995): construction of a Büchi automaton from a given LTL formula φ
[diagram: formula φ, trace σ growing from a to ab to aba, transitions labelled a and b]
Benefi...

Runtime monitoring
Algorithm overview:
1. An LTL formula is decomposed into nodes of the form ... sub-formulas that must b...
2. Negations pushed inside (classical identities + dual of U = V)
3. At the leaves, Γ contains atoms + negati...

Runtime monitoring
Example: G (a → X b)
G (a → X b) ?
a → X b ? G (a → X b)
¬a ? G (a → X b)
a, X b ? G (a → X b)
a ? G (a → X b), b
σ = a
G (a → X b), b ?
a → X b, b ? G (a → X b)
a, X b, b ? G (a → X b)
a, b ? G (a → X b), b
¬a, b ? G (a → X b)
σ = ac
No way to extend the trace: formula is false

Data-aware sequential constraints
Examples:
5. There can be at most one active cart ID per session key.
...
5. (∀_{/Message/SessionKey} k : ∀_{/Message/CartId} c : (∀ k' : ∀ c...

Data-aware sequential constraints
Three types of constraints (III)
· XPath terms and temporal operators are mixed.
· Not just "LTL with synta...

Data-aware sequential constraints
Examples:
6. You cannot add the same item twice to the shopping cart.
...
6. (∀_{/Message/Action} a : a = CartAdd → ∀_{/Message/I...} i : (∀ a' : ...
Quantification must be relative to the values in the current message, and not the whole set V of possible va...

LTL-FO+ (Hallé & Villemaire, EDOC 2008)
Extension of LTL with (limited) first-order quantification o... (highlighted word: current)
Adaptation of the runtime monitoring algorithm to handle LTL-FO+:
1. Atoms become equality tests
2. Decompos...

Six constraints for the Beep Store
Data-aware constraints
Constraints on message sequences
Constraints on in...
1. The element must be an integer between 1 and 20.
2. The element is mandatory only if is present, otherwis...

Why are web service contracts special?
1. Presence of data-aware constraints
· Cannot separate data part from...

Enforcing interface contracts at runtime
XMLHttpRequest
· JavaScript object
· Provided by the browser
· All com...

Enforcing interface contracts at runtime
XMLHttpRequestBB
[diagram: XMLHttpRequestBB, XMLHttpRequest, LTL-FO+ algorithm]
· Wrapper around o...

Add BeepBeep to an application
myapplication.html, myapplication.js (Beep Store: beepstore.html, beepstore.js)
<html> <head> <title> </title> <script type=" " href=" "/>...
Create a contract file with LTL-FO+ formulas
# ------------------------------...
When loading the application, BeepBeep starts as a small Java applet inside t...

BeepBeep's visible interface
?/?/?/?/?/?:0:0
Current state of monitor for each property
Number of messages p...

An interface contract provides constraints cover the of each XML message, their and their An extension of Li...

Bounded-memory fragments of LTL
The forward-only fragment of LTL (Hallé & Villemaire, SAC 2009)
Applications...

Open issues and interesting questions
In client-side monitoring...
...the server has no guarantee that monit...
In server-side monitoring...
Too many clients may overwhelm the server's verification process
Processing savings of client-side monitoring
Guarantees of server-side monitoring
COOPERATIVE RUNTIME MO...
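
The client-side monitoring described in the slides (each message is checked against the contract, relayed when it complies, discarded when it violates it), as an added example that is not code from the slides or from BeepBeep: a small Python monitor that enforces Beep Store constraints 1, 5 and 6 as direct state checks rather than through the LTL-FO+ algorithm. The `ItemId` element name, the class and function names, and the sample messages are assumptions constructed for illustration.

```python
import re
import xml.etree.ElementTree as ET


def values(root, path):
    """Text values selected by a simple XPath such as /Message/Page."""
    head, *rest = path.strip("/").split("/")
    if root.tag != head:
        return []
    nodes = root.findall("./" + "/".join(rest)) if rest else [root]
    return [(n.text or "").strip() for n in nodes]


class ContractMonitor:
    """Stands between one client and the service; relays only compliant messages."""

    def __init__(self, relay):
        self.relay = relay            # callable forwarding a message to the service
        self.items_in_cart = set()    # item ids from CartAdd messages already relayed
        self.cart_of_session = {}     # session key -> the cart id bound to it

    def violations(self, root):
        found = []
        # Constraint 1 (single message): every /Message/Page value x has 0 < x < 21.
        for x in values(root, "/Message/Page"):
            if not (re.fullmatch(r"[0-9]+", x) and 0 < int(x) < 21):
                found.append("Page must be an integer between 1 and 20")
        # Constraint 5 (data-aware): at most one cart ID per session key.
        # Assumption: no message closes a cart, so a binding never expires.
        carts = dict(self.cart_of_session)
        for k in values(root, "/Message/SessionKey"):
            for c in values(root, "/Message/CartId"):
                if carts.setdefault(k, c) != c:
                    found.append("second cart ID for session key " + k)
        # Constraint 6 (data-aware): the same item cannot be added twice.
        # ItemId is an assumed element name; the slides truncate the path.
        if "CartAdd" in values(root, "/Message/Action"):
            seen = set(self.items_in_cart)
            for i in values(root, "/Message/ItemId"):
                if i in seen:
                    found.append("item " + i + " is already in the cart")
                seen.add(i)
        return found

    def send(self, xml_text):
        """Return (relayed, reasons). Violating messages never reach the service."""
        try:
            root = ET.fromstring(xml_text)
        except ET.ParseError:
            return False, ["message is not well-formed XML"]
        found = self.violations(root)
        if found:
            return False, found       # discarded; monitor state is left unchanged
        for k in values(root, "/Message/SessionKey"):
            for c in values(root, "/Message/CartId"):
                self.cart_of_session[k] = c
        if "CartAdd" in values(root, "/Message/Action"):
            self.items_in_cart.update(values(root, "/Message/ItemId"))
        self.relay(xml_text)
        return True, []


def msg(action, **fields):
    """Build a constructed sample message in the <Message><Action> shape."""
    body = "".join("<%s>%s</%s>" % (k, v, k) for k, v in fields.items())
    return "<Message><Action>%s</Action>%s</Message>" % (action, body)


def demo():
    """Run a constructed trace through the monitor; return verdicts and relay count."""
    relayed = []
    monitor = ContractMonitor(relayed.append)
    trace = [
        msg("ItemSearch", Page=3),                               # complies
        msg("ItemSearch", Page=25),                              # violates 1
        msg("CartAdd", SessionKey=1234, CartId=7, ItemId=42),    # complies
        msg("CartAdd", SessionKey=1234, CartId=7, ItemId=42),    # violates 6
        msg("CartAdd", SessionKey=1234, CartId=8, ItemId=43),    # violates 5
        msg("CartAdd", SessionKey=1234, CartId=7, ItemId=43),    # complies
    ]
    verdicts = [monitor.send(m)[0] for m in trace]
    return verdicts, len(relayed)


if __name__ == "__main__":
    print(demo())
```

Every message in the trace is well-formed and would pass a WSDL-style type check; only the monitor's memory of earlier messages separates the relayed ones from the discarded ones.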
Runtime Verification for the Web (RV 2010 Tutorial)

Web service message contracts are constraints on the values and sequences of XML messages that can be exchanged between a client’s web browser and an application server. This tutorial presents BeepBeep, a lightweight Java monitor that can check and enforce message contracts expressed as LTL formulae with first-order quantification over data fields. Its use is illustrated on real world web applications submitted to these kinds of contracts.


  1. Sylvain Hallé and Roger Villemaire. Runtime Verification for the Web: A Tutorial Introduction to Interface Contracts in Web Applications. Université du Québec à Chicoutimi, Canada; Université du Québec à Montréal, Canada. Fonds de recherche sur la nature et les technologies; CRSNG / NSERC.
  2. Why this tutorial? Web applications and cloud computing: a growing part of computing systems. Very simple protocols: no state, only basic type checking, the rest is up to the developers. Loose coupling of components: nice but comes with problems! Few works on verification / enforcement of web applications. A "call to arms" to the community: interesting opportunities for application of RV.
  3. Tutorial overview. Part One: The basics of web applications (What is a web application?; An example: the Beep Store; Constraints and problems). Part Two: Interface contracts in web applications (Characterizing constraints; Formalizing constraints; Monitoring constraints; Doing this for real: back to the Beep Store; What's next?).
  4. Part One: The basics of web applications
  5. Desktop computing
  6. Desktop computing
  7. Cloud computing
  8. Cloud computing
  9. Cloud computing: network connection
  10. Cloud computing: a static web site
  11. Cloud computing: a static web site. Bee G, Beatles, Camel, Caravan
  12. Cloud computing: a static web site. Bee G, Beatles, Camel, Caravan; beatles.html
  13. Cloud computing: a static web site
  14. Cloud computing: a static web site
  15. Cloud computing: a static web site. beatles.html [Beep Store page: Search, The Beep Store, What is this?, Login, Ask for account, Contact us, Version info]
  16. Cloud computing: a static web site. beatles.html: <html> ... <h1>Results for Beatles</h1> ... </html> [Beep Store page]
  17. Cloud computing: a static web site. beatles.html: <html> ... <h1>Results for Beatles</h1> ... </html> Only page rendering instructions are sent. [Beep Store page]
  18. Cloud computing: a dynamic web site. Bee G, Beatles, Camel, Caravan
  19. Cloud computing: a dynamic web site. Bee G, Beatles, Camel, Caravan; page.php?artist=beatles
  20. Cloud computing: a dynamic web site
  21. Cloud computing: a dynamic web site
  22. Cloud computing: a dynamic web site
  23. Cloud computing: a dynamic web site. artist=beatles
  24. Cloud computing: a dynamic web site. artist=beatles
  25. Cloud computing: a dynamic web site. artist=beatles
  26. Cloud computing: a dynamic web site. artist=beatles [Beep Store page: Search, The Beep Store, What is this?, Login, Ask for account, Contact us, Version info]
  27. Cloud computing: a dynamic web site. artist=beatles. Content is generated programmatically based on user input. [Beep Store page]
  28. Cloud computing: Ajax web application
  29. Cloud computing: Ajax web application. JavaScript
  30. Cloud computing: Ajax web application. Bee G, Beatles, Camel, Caravan
  31. Cloud computing: Ajax web application. Bee G, Beatles, Camel, Caravan; <a onclick="javascript:findBand('Beatles')">
  32. Cloud computing: Ajax web application. findBand('Beatles')
  33. Cloud computing: Ajax web application. findBand('Beatles')
  34. Cloud computing: Ajax web application. findBand('Beatles'); artist=beatles
  35. Cloud computing: Ajax web application. findBand('Beatles'); artist=beatles
  36. Cloud computing: Ajax web application. document.innerHTML = findBand('Beatles'); artist=beatles
  37. Cloud computing: Ajax web application. document.innerHTML = findBand('Beatles'); artist=beatles. Page is updated, not reloaded.
  38. Cloud computing: Ajax web application. document.innerHTML = findBand('Beatles'); artist=beatles. Server response only provides updated contents.
  39. Ajax web applications: examples. Microsoft Office Live
  40. Ajax web applications: examples. eyeOS
  41. Ajax web applications: examples. Chrome OS
  42. Cloud computing: Ajax web application. Does not need to be a URL. Does not need to be HTML.
  43. Cloud computing: Ajax web application. Does not need to be a URL. Does not need to be HTML. <Search><Artist>beatles</Artist></Search>
  44. Cloud computing: Ajax web application. Does not need to be a URL. Does not need to be HTML. <Search><Artist>beatles</Artist></Search> <SearchResults><Item><Artist>The Beatles</Artist><Title>Rubber Soul</Title></Item> ... </SearchResults>
  45. Cloud computing: Ajax web application. XML: The eXtensible Markup Language. Nested collection of elements. Input/output data is semi-structured. <Search><Artist>beatles</Artist></Search> <SearchResults><Item><Artist>The Beatles</Artist><Title>Rubber Soul</Title></Item> ... </SearchResults>
  46. Cloud computing: conceptually...
  47. Cloud computing: conceptually...
  48. Cloud computing: conceptually...
  49. Cloud computing: conceptually...
  50. Cloud computing: conceptually...
  51. Cloud computing: conceptually...
  52. Cloud computing: conceptually... Web service, Web client
  53. An example: the Beep Store. Purpose-built tutorial application. Fake CD catalog (SQLite) + web service (PHP) + web client (JavaScript). Functionalities typical of real-world applications we studied. Examples: session login/logout, shopping cart operations. [Beep Store screenshot: Search, GO, Sign in or register, What is this?, Login, Ask for account, Contact us, Fault parameters, Your Cart; Search results for 'Beatles': Rubber Soul (The Beatles), Yellow Submarine (The Beatles)]
  54. Main issue: possible mismatch between messages sent and messages expected. Not like traditional programming: all input-output is exchanged unverified!
  55. Defining message formats
  56. Defining message formats
  57. Defining message formats. <ItemSearch><Artist>beatles</Artist></ItemSearch>
  58. Defining message formats. <ItemSearch><Artist>beatles</Artist></ItemSearch> <ItemSearchResponse><Items><Item><Title>Help!</Title><Artist>The Beatles</Artist></Item> ... </Items></ItemSearchResponse>
  59. Defining message formats. XML request: <ItemSearch><Artist>beatles</Artist></ItemSearch> XML response: <ItemSearchResponse><Items><Item><Title>Help!</Title><Artist>The Beatles</Artist></Item> ... </Items></ItemSearchResponse>
  60. Defining message formats. XML request: <ItemSearch><Artist>beatles</Artist></ItemSearch>, with format ItemSearch[ Artist[string] ]. XML response: <ItemSearchResponse><Items><Item><Title>Help!</Title><Artist>The Beatles</Artist></Item> ... </Items></ItemSearchResponse>
  61. Defining message formats. XML request: <ItemSearch><Artist>beatles</Artist></ItemSearch>, with format ItemSearch[ Artist[string] ]. XML response: <ItemSearchResponse><Items><Item><Title>Help!</Title><Artist>The Beatles</Artist></Item> ... </Items></ItemSearchResponse>, with format ItemSearchResponse[ Items[ Item[ Title[string], Artist[string] ]{0,∞} ] ]
  62. Defining message formats. ? ItemSearch[ Artist[string] ] ! ItemSearchResponse[ Items[ Item[ Title[string], Artist[string] ]{0,∞} ] ]
  63. Defining message formats. WSDL: Web Service Description Language. ? ItemSearch[ Artist[string] ] ? CartCreate[ [int], [int], [ Item[ Title[string], Artist[string] ]{0,∞} ] ] (element labels: Items, SessionKey, Items) ! ItemSearchResponse[ Items[ Item[ Title[string], Artist[string] ]{0,∞} ] ] ! CartCreateResponse[ SessionKey[int], CartId[int], Items[ Item[ Title[string], Artist[string] ]{0,∞} ] ] ...
  64. WSDLs for real world web services: http://webservices.amazon.com/AWSECommerceService/AWSECommerceService.wsdl https://www.paypal.com/wsdl/PayPalSvc.wsdl http://api.google.com/GoogleSearch.wsdl
  65. Defining message formats. <ItemSearch><Artist>beatles</Artist><Bizbiz>1234</Bizbiz></ItemSearch>
  66. Defining message formats. <ItemSearch><Artist>beatles</Artist><Bizbiz>1234</Bizbiz></ItemSearch> vs. ? ItemSearch[ Artist[string] ]
  67. Defining message formats. <ItemSearch><Artist>beatles</Artist><Bizbiz>1234</Bizbiz></ItemSearch> vs. ? ItemSearch[ Artist[string] ]
  68. Defining message formats. <ItemSearch><Artist>beatles</Artist><Bizbiz>1234</Bizbiz></ItemSearch> vs. ? ItemSearch[ Artist[string] ]
  69. Defining message formats. <CartCreateResponse><SessionKey>1234</SessionKey><CartId>abc</CartId><Items> ... </Items></CartCreateResponse>
  70. Defining message formats. <CartCreateResponse><SessionKey>1234</SessionKey><CartId>abc</CartId><Items> ... </Items></CartCreateResponse> vs. ! CartCreateResponse[ SessionKey[int], CartId[int], Items[ Item[ Title[string], Artist[string] ]{0,∞} ] ]
  71. Defining message formats. <CartCreateResponse><SessionKey>1234</SessionKey><CartId>abc</CartId><Items> ... </Items></CartCreateResponse> vs. ! CartCreateResponse[ SessionKey[int], CartId[int], Items[ Item[ Title[string], Artist[string] ]{0,∞} ] ]
  72. Defining message formats. <CartCreateResponse><SessionKey>1234</SessionKey><CartId>abc</CartId><Items> ... </Items></CartCreateResponse> vs. ! CartCreateResponse[ SessionKey[int], CartId[int], Items[ Item[ Title[string], Artist[string] ]{0,∞} ] ]
  73. What happened?
  74. What happened? [diagram]
  75. What happened? [diagram]
  76. What happened? [diagram]
  77. What happened? [diagram]
  78. What happened? [diagram]
  79. What happened? [diagram]
  80. What happened? [diagram]
  81. What happened?
  82. Interface contracts. All messages comply with the WSDL but... [diagram]
  83. Interface contracts. All messages comply with the WSDL but... You cannot add the same item twice to the shopping cart. [diagram]
  84. Interface contracts. All messages comply with the WSDL but... You cannot add the same item twice to the shopping cart. ??? [diagram]
  85. Interface contracts ???
  86. Interface contracts ???
  87. What are the issues? Free-form messages: XML, but that's about it. No assumptions on nesting, degree, etc. Stateful interactions, stateless protocols: HTTP / SOAP define only message structure. No protocol enforces sequential constraints. No uniform contract notation: plain-text documentation... but OWL, RDF, ... Constraints at message level: components are black boxes (e.g. Amazon).
  88. 88. Sylvain Hallé The big question Prevent contract violations
  89. 89. Sylvain Hallé A first solution 1. A priori certification: A trustworthy authority assesses the client’s compliance to the contract... (Testing, static verification etc.)
  90. 90. Sylvain Hallé A first solution 1. A priori certification: ...and grants a digital certificate
  91. 91. Sylvain Hallé A first solution 1. A priori certification: The service needs a certificate to start an exchange with a client
  92. 92. Sylvain Hallé A first solution 1. A priori certification: Example: iPhone app certification
  93. 93. Sylvain Hallé A first solution 1. A priori certification: Problem: the client can change after certification (iPhone jailbreaking, Javascript prototype hijacking, ...)
  94. 94. Sylvain Hallé Proposed approach 2. Client-side Runtime Monitoring: A separate process checks each message against the CONTRACT...
  96. 96. Sylvain Hallé Proposed approach 2. Client-side Runtime Monitoring: The message is relayed to the web service proper when it complies with the contract
  97. 97. Sylvain Hallé Proposed approach 2. Client-side Runtime Monitoring: ...and is discarded when it violates the contract
  98. 98. Sylvain Hallé Summary (I)
      . A web service interacts with a web client through the exchange of semi-structured XML documents called messages
      . The service and client are generally designed by different organisations
      . No verification is done on the incoming and outgoing messages: possible mismatch between sent and expected messages (in both directions)
      . A priori checking of a client for compliance is very hard, if not impossible
      . Runtime monitoring is a possible solution
  99. 99. Sylvain Hallé Part Two Interface contracts in web applications
  100. 100. Sylvain Hallé Interface contracts All possible sequences of all possible messages with all possible values
  101. 101. Sylvain Hallé Interface contracts Constraints on individual messages
  102. 102. Sylvain Hallé Interface contracts Constraints on individual messages; Constraints on sequences
  103. 103. Sylvain Hallé Interface contracts Constraints on individual messages; Constraints on sequences; Data-aware sequential constraints
  104. 104. Sylvain Hallé Interface contracts Interface contract = valid (error-free) interactions: Constraints on individual messages; Constraints on sequences; Data-aware sequential constraints
  105. 105. Sylvain Hallé Interface contracts As a tutorial tool, the Beep Store’s JavaScript client can be told to "forget" elements of the service’s interface contract. [Screenshot: the Beep Store’s "Fault parameters" panel]
      Message schemas: "Don’t check Results’s type": in the detailed search form, sends an ItemSearch message without checking that the Results element is an integer.
      Cart manipulations: "'Add to cart' enabled if item present in cart": makes the "Add to cart" button available for items that are already in the user's cart.
      Highlights documentation Disables the verification
  106. 106. Sylvain Hallé Interface contracts Dave, my mind is going... As a tutorial tool, the Beep Store’s JavaScript client can be told to ‘‘forget’’ elements of the service’s interface contract
  107. 107. Sylvain Hallé Three types of constraints (I) Constraints on individual messages. Examples: <Message> <Action>ItemSearch</Action> <Results>5</Results> <Keyword>beatles</Keyword> <Page>1</Page> </Message>
  108. 108. Sylvain Hallé Three types of constraints (I) Constraints on individual messages. 1. The element Page must be an integer between 1 and 20.
  109. 109. Sylvain Hallé Three types of constraints (I) Constraints on individual messages. 2. The element Page is mandatory only if Results is present, otherwise it is forbidden.
  110. 110. Sylvain Hallé Expressing data constraints Simple XPath: fetches portions of an XML document according to a query path (query path = sequence of tags). $M$: set of messages; $Q$: set of XML query paths; $V$: set of atomic values; $\pi : Q \times M \rightarrow 2^V$. Examples, with $m$ = <a> <b> <c>1</c> <c>2</c> </b> <d> <c>9</c> </d> <b> <c>3</c> </b> </a>: $\pi(\text{``/a/b/c''}, m) = \{1,2,4\}$; $\pi(\text{``/a/b/d''}, m) = \emptyset$
  111. 111. Sylvain Hallé Expressing data constraints XPath term: expresses properties over values fetched by XPath expressions. For some message $m \in M$, path $q \in Q$: $\forall_q\, x : \varphi(x) \Leftrightarrow \varphi(v)$ for every $v \in \pi(q, m)$; $\exists_q\, x : \varphi(x) \Leftrightarrow \varphi(v)$ for some $v \in \pi(q, m)$. Examples, with $m$ = <a> <b> <c>1</c> <c>2</c> </b> <d> <c>9</c> </d> <b> <c>3</c> </b> </a>: $\forall_{\text{/a/b/c}}\, x : x < 5$; $\exists_{\text{/a/b}}\, x :$; $\exists_{\text{/a/b/c}}\, x : \forall_{\text{/a/b/c}}\, y : y \leq x$
  112. 112. Sylvain Hallé Expressing data constraints 1. The element Page must be an integer between 1 and 20. 2. The element Page is mandatory only if Results is present, otherwise it is forbidden. <Message> <Action>ItemSearch</Action> <Results>5</Results> <Keyword>beatles</Keyword> <Page>1</Page> </Message>
  113. 113. Sylvain Hallé Expressing data constraints 1. $\forall_{\text{/Message/Page}}\, x : x > 0 \wedge x < 21$
  114. 114. Sylvain Hallé Expressing data constraints 2. $\exists_{\text{/Message/Page}}\, x : \top \Leftrightarrow \exists_{\text{/Message/Results}}\, y : \top$
  115. 115. Sylvain Hallé Three types of constraints (II) Constraints on message sequences. Examples: <Message> <Action> Login </Action> ... </Message> <Message> <Action> LoginResponse </Action> ... </Message> <Message> <Action> CartCreate </Action> ... </Message>
  116. 116. Sylvain Hallé Three types of constraints (II) Constraints on message sequences. 3. The Login request cannot be resent if its response is successful.
  117. 117. Sylvain Hallé Three types of constraints (II) Constraints on message sequences. 4. CartCreate must follow a successful LoginResponse.
  118. 118. Sylvain Hallé Linear Temporal Logic Alphabet (A) Set of possible messages Trace (A*) Sequence of messages
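  119. 119. Sylvain Hallé Linear Temporal Logic LTL formula = assertion on the sequence of states in a trace. $\mathbf{G}\, a$: "always a"; $\mathbf{X}\, a$: "a in the next"; $\mathbf{F}\, a$: "eventually a"; $a\, \mathbf{W}\, b$: "a until b". Examples: $\mathbf{G}\,(a \rightarrow \mathbf{X}\, b)$; $(d \vee e)\, \mathbf{W}\, \neg c$ [Figure: example traces with verdicts TRUE and FALSE]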
  120. 120. Sylvain Hallé Linear Temporal Logic Well-known results: 1. For every LTL formula $\varphi$, there exists a Büchi automaton $A_\varphi$ such that for every (infinite) trace $\sigma$: $\sigma \models \varphi \Leftrightarrow \sigma \in L(A_\varphi)$, i.e. LTL describes $\omega$-regular languages. 2. The alphabet symbols can be generalized to finite sets of Boolean propositions. $\Rightarrow$ Let’s use XPath terms as our Boolean propositions
  121. 121. Sylvain Hallé Three types of constraints (II) Constraints on message sequences. 3. The Login request cannot be resent if its response is successful. 4. CartCreate must follow a successful LoginResponse.
  122. 122. Sylvain Hallé Three types of constraints (II) Constraints on message sequences. 3. $\mathbf{G}\,(\forall_{\text{/Message/Action}}\, a : a = \text{LoginResponse} \rightarrow \mathbf{X}\,\mathbf{G}\,(\forall_{\text{/Message/Action}}\, a' : a' \neq \text{Login}))$
  123. 123. Sylvain Hallé Three types of constraints (II) Constraints on message sequences. The quantified parts of formula 3 are XPath terms
  124. 124. Sylvain Hallé Three types of constraints (II) Constraints on message sequences. 4. $(\forall_{\text{/Message/Action}}\, a : a \neq \text{CartCreate})\; \mathbf{W}\; (\forall_{\text{/Message/Action}}\, a' : a' = \text{LoginResponse})$
  125. 125. Sylvain Hallé Three types of constraints (II) The verification can be separated in two steps: 1. Temporal step: determine temporal relationships to current message. 2. Data step: evaluate relevant XPath terms on message
  126. 126. Sylvain Hallé Runtime monitoring Gerth, Peled, Vardi, Wolper (PSTV 1995): construction of a Büchi automaton from a given LTL formula $\varphi$. Benefit: "on-the-fly": automaton states are built as the trace is read
  135. 135. Sylvain Hallé Runtime monitoring [Figure: automaton states for $\varphi$ built step by step while reading the trace $\sigma = aba$] Dead end: formula is false
  136. 136. Sylvain Hallé Runtime monitoring Algorithm overview: 1. An LTL formula is decomposed into nodes of the form ($\Gamma$: sub-formulas that must be true now; $\Delta$: sub-formulas that must be true in the next state)
  138. 138. Sylvain Hallé Runtime monitoring 2. Negations pushed inside (classical identities + dual of U = V) 3. At the leaves, $\Gamma$ contains atoms + negations of atoms: we evaluate them. Verdict: All leaves contain FALSE: formula is false. A leaf is empty: formula is true. Otherwise: 4. Next event: $\Delta$ copied into $\Gamma$ and we continue
  139. 139. Sylvain Hallé Runtime monitoring Example: $\mathbf{G}\,(a \rightarrow \mathbf{X}\, b)$ [Figure: step-by-step decomposition of the formula into nodes while the trace $\sigma = ac$ is read]
  157. 157. Sylvain Hallé Runtime monitoring Example: $\mathbf{G}\,(a \rightarrow \mathbf{X}\, b)$, $\sigma = ac$. No way to extend the trace: formula is false
  158. 158. Sylvain Hallé Three types of constraints (III) Data-aware sequential constraints. Examples: 5. There can be at most one active cart ID per session key. <Message> <SessionKey>123</SessionKey> <CartId>789</CartId> ... </Message> <Message> <SessionKey>123</SessionKey> <CartId>789</CartId> ... </Message>
  159. 159. Sylvain Hallé Three types of constraints (III) Data-aware sequential constraints. 5. $\mathbf{G}\,(\forall_{\text{/Message/SessionKey}}\, k : \forall_{\text{/Message/CartId}}\, c : \mathbf{G}\,(\forall_{\text{/Message/SessionKey}}\, k' : \forall_{\text{/Message/CartId}}\, c' : k = k' \rightarrow c = c'))$
  162. 162. Sylvain Hallé Three types of constraints (III) Data-aware sequential constraints. · XPath terms and temporal operators are mixed · Not just "LTL with syntactical sugar" · Not just a pathological case
  163. 163. Sylvain Hallé Three types of constraints (III) Data-aware sequential constraints. Examples: 6. You cannot add the same item twice to the shopping cart. <Message> <Action>CartAdd</Action> <Items> <Item> <ItemId>567</ItemId> ... <Message> <Action>CartAdd</Action> <Items> <Item> <ItemId>567</ItemId> ...
  164. 164. Sylvain Hallé Three types of constraints (III) Data-aware sequential constraints. 6. $\mathbf{G}\,(\forall_{\text{/Message/Action}}\, a : a = \text{CartAdd} \rightarrow \forall_{\text{/Message/ItemId}}\, i : \mathbf{X}\,\mathbf{G}\,(\forall_{\text{/Message/Action}}\, a' : a' = \text{CartAdd} \rightarrow \forall_{\text{/Message/ItemId}}\, i' : i \neq i'))$
  165. 165. Sylvain Hallé Runtime monitoring Quantification must be relative to the values in the current message, and not the whole set $V$ of possible values! Example: "In every message, the a parameter must equal the b parameter". Suppose $V = \{1,2\}$, and classical first-order quantification. $\mathbf{G}\,\forall_a\, x : \forall_b\, y : x = y$; $\mathbf{G}\,(\forall_b\, y : 1 = y) \wedge \mathbf{G}\,(\forall_b\, y : 1 = y)$; $\mathbf{G}\,(1 = 1) \wedge \mathbf{G}\,(1 = 2) \wedge \mathbf{G}\,(1 = 1) \wedge \mathbf{G}\,(1 = 2)$. Contradiction
  166. 166. Sylvain Hallé Runtime monitoring LTL-FO+ (Hallé & Villemaire, EDOC 2008): Extension of LTL with (limited) first-order quantification on message elements · Boolean and LTL operators keep their original meaning · An XPath term is always meant to refer to the current message in the trace
  167. 167. Sylvain Hallé Adaptation of the runtime monitoring algorithm to handle LTL-FO+: 1. Atoms become equality tests 2. Decomposition rules for quantifiers (and vice versa) Runtime monitoring
  168. 168. Sylvain Hallé Six constraints for the Beep Store: Constraints on individual messages; Constraints on message sequences; Data-aware constraints
  169. 169. Sylvain Hallé Six constraints for the Beep Store Constraints on individual messages: 1. The element Page must be an integer between 1 and 20. 2. The element Page is mandatory only if Results is present, otherwise it is forbidden.
  170. 170. Sylvain Hallé Six constraints for the Beep Store Constraints on message sequences: 3. The Login request cannot be resent if its response is successful. 4. CartCreate must follow a successful LoginResponse.
  171. 171. Sylvain Hallé Six constraints for the Beep Store Data-aware constraints: 5. There can be at most one active cart ID per session key. 6. You cannot add the same item twice to the shopping cart.
  172. 172. Sylvain Hallé Why are web service contracts special? 1. Presence of data-aware constraints · Cannot separate data part from temporal part in specification AND enforcement 2. Complex messages · Arbitrary nested structure · Cannot say "the ItemId": there are many! · Rules out languages that merely freeze a value in a variable. <Message> <Action>CartAdd</Action> <Items> <Item> <ItemId>567</ItemId> ... </Item> <Item> <ItemId>789</ItemId> ... </Item> ... </Items> </Message>
  173. 173. Sylvain Hallé Enforcing interface contracts at runtime XMLHttpRequest ·JavaScript object ·Provided by the browser ·All communications to monitor already centralized: ‘‘no’’ instrumentation
  175. 175. Sylvain Hallé Enforcing interface contracts at runtime XMLHttpRequestBB (XMLHttpRequest + LTL-FO+ algorithm) · Wrapper around original · Provides same methods · Checks messages before relaying them
  176. 176. Sylvain Hallé Add BeepBeep to an application Copy BeepBeep in the application's directory (http://beepbeep.sourceforge.net). myapplication.html:
      <html>
        <head>
          <title>My Application</title>
          <script type="text/javascript" src="myapplication.js"></script>
        </head>
        <body> ... </body>
      </html>
  177. 177. Sylvain Hallé Add BeepBeep to an application Include BeepBeep. Line added to the head of myapplication.html:
      <script type="text/javascript" src="beepbeep.js"></script>
  178. 178. Sylvain Hallé Add BeepBeep to an application myapplication.js:
      // Initializations
      req = new XMLHttpRequest();
      ...
      function abc() {
        ...
        req.send(some_message);
      }
  179. 179. Sylvain Hallé Add BeepBeep to an application beepstore.html, beepstore.js: the request object is now created with XMLHttpRequestBB:
      // Initializations
      req = new XMLHttpRequestBB();
      ...
      function abc() {
        ...
        req.send(some_message);
      }
  180. 180. Sylvain Hallé Add BeepBeep to an application Create a contract file with LTL-FO+ formulas. Lines starting with %: caption, used when violations are discovered. Lines starting with ;: plain-text LTL-FO+ (automatically parsed).
      # -------------------------------------------------------
      # BeepBeep contract file for the Beep Store
      # -------------------------------------------------------

      % The element Page must be an integer between 1 and 20.
      ; G ([p /Message/Page] (((p) > ({0})) & ((p) < ({21}))))

      % The element Page is mandatory only if Results is present, otherwise it is forbidden.
      ; G ([a /Message/Action] (((a) = ({ItemSearch})) -> ( ((<r /Message/Results> ({TRUE})) -> (<p /Message/Page> ({TRUE}))) & ((<p /Message/Page> ({TRUE})) -> (<r /Message/Results> ({TRUE}))))))

      % The Login request cannot be resent if its response is successful.
      ; G ([a /Message/Action] (((a) = ({LoginResponse})) -> (X (G ([b /Message/Action] (! ((b) = ({Login}))))))))
  181. 181. Sylvain Hallé Add BeepBeep to an application When loading the application, BeepBeep starts as a small Java applet inside the page [Screenshot: the Beep Store showing search results for ‘Beatles’ and the monitor status line ?/?/?/?/?/?:0:0]
  183. 183. Sylvain Hallé BeepBeep’s visible interface ?/?/?/?/?/?:0:0 Fields: current state of monitor for each property; number of messages processed; cumulative processing time (in ms). States: T: last message made it true; t: is true; F: last message made it false; f: is false; ?: not yet true/false
  184. 184. Sylvain Hallé Summary (II)
      . An interface contract provides constraints that cover the format of each XML message, their contents and their ordering
      . An extension of Linear Temporal Logic including a limited form of quantification over message elements specifies them
      . Runtime monitoring of these constraints can be done efficiently, even with quantification
      . BeepBeep is a tool that allows it with minimal modifications on real applications
      http://beepbeep.sourceforge.net/
  185. 185. Sylvain Hallé Open issues and interesting questions
      . Bounded-memory fragments of LTL: the forward-only fragment of LTL (Hallé & Villemaire, SAC 2009)
      . Applications to runtime monitoring of Java programs: Java-MOP plugin under construction
      . Symbolic (rather than explicit) handling of quantification
      . LTL with past operators
      . Standard web service mechanism for interface contracts?
  187. 187. Sylvain Hallé Open issues and interesting questions In client-side monitoring... ...the server has no guarantee that monitoring actually takes place
  189. 189. Sylvain Hallé Open issues and interesting questions In server-side monitoring... Too many clients may overwhelm the server’s verification process
  191. 191. Sylvain Hallé Open issues and interesting questions COOPERATIVE RUNTIME MONITORING: Processing savings of client-side monitoring; Guarantees of server-side monitoring. S. Hallé, Cooperative runtime monitoring of LTL Interface Contracts. Proc. EDOC 2010. Best paper award
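
The kind of check a wrapper such as XMLHttpRequestBB performs before relaying a message, as an added example that is not BeepBeep's code and not part of the slides: constraints 3, 4 and 6 are written as LTL-FO+ formulas and monitored by formula progression (rewriting each formula after every message), a swapped-in technique used here instead of the Gerth et al. construction the slides describe. The parser, the `ContractMonitor` class, the `/Message/Items/Item/ItemId` path and the sample trace are assumptions made for the example.

```javascript
// Formula constructors with constant folding; TRUE and FALSE are compared by identity.
const TRUE = { op: "true" }, FALSE = { op: "false" }, bool = b => (b ? TRUE : FALSE);
const and = (a, b) => a === FALSE || b === FALSE ? FALSE : a === TRUE ? b : b === TRUE ? a : { op: "and", a, b };
const or = (a, b) => a === TRUE || b === TRUE ? TRUE : a === FALSE ? b : b === FALSE ? a : { op: "or", a, b };
const not = a => a === TRUE ? FALSE : a === FALSE ? TRUE : { op: "not", a }, implies = (a, b) => or(not(a), b);
const X = a => ({ op: "X", a }), G = a => ({ op: "G", a }), W = (a, b) => ({ op: "W", a, b });
const forall = (path, body) => ({ op: "forall", path, body });

// Parser for the attribute-free XML of the slides' messages; anything else is rejected.
function parseXml(text) {
  const tokens = text.match(/<\/?\w+>|[^<]+/g) || [];
  if (tokens.join("") !== text) throw new Error("unsupported XML");
  const root = { tag: null, children: [], text: "" }, stack = [root];
  for (const tok of tokens) {
    const top = stack[stack.length - 1];
    if (tok.startsWith("</")) {
      if (stack.length < 2 || top.tag !== tok.slice(2, -1)) throw new Error("malformed XML");
      stack.pop();
    } else if (tok.startsWith("<")) {
      stack.push({ tag: tok.slice(1, -1), children: [], text: "" });
      top.children.push(stack[stack.length - 1]);
    } else top.text += tok.trim();
  }
  if (stack.length !== 1) throw new Error("malformed XML");
  return root;
}

// pi(path, m): the values found at the end of a path of tags in message m.
function pi(path, m) {
  let nodes = [m];
  for (const tag of path.split("/").filter(Boolean))
    nodes = nodes.flatMap(n => n.children.filter(c => c.tag === tag));
  return nodes.map(n => n.text);
}

// Progression: what the rest of the trace must satisfy once m is read; quantifiers range over m's values only.
function progress(f, m) {
  switch (f.op) {
    case "and": return and(progress(f.a, m), progress(f.b, m));
    case "or": return or(progress(f.a, m), progress(f.b, m));
    case "not": return not(progress(f.a, m));
    case "X": return f.a;
    case "G": return and(progress(f.a, m), f);
    case "W": return or(progress(f.b, m), and(progress(f.a, m), f));
    case "forall": return pi(f.path, m).map(v => progress(f.body(v), m)).reduce(and, TRUE);
    default: return f; // TRUE and FALSE are fixed points
  }
}

// Constraints 3, 4 and 6 of the slides. ITEM is an assumed path matching the nested sample message.
const ACTION = "/Message/Action", ITEM = "/Message/Items/Item/ItemId";
const contract = [
  { caption: "Login cannot be resent after LoginResponse",
    formula: G(forall(ACTION, a => implies(bool(a === "LoginResponse"),
      X(G(forall(ACTION, b => bool(b !== "Login"))))))) },
  { caption: "CartCreate must follow LoginResponse",
    formula: W(forall(ACTION, a => bool(a !== "CartCreate")),
      forall(ACTION, a => bool(a === "LoginResponse"))) },
  { caption: "Same item cannot be added twice",
    formula: G(forall(ACTION, a => implies(bool(a === "CartAdd"), forall(ITEM, i =>
      X(G(forall(ACTION, b => implies(bool(b === "CartAdd"),
        forall(ITEM, j => bool(i !== j)))))))))) },
];

// Gate: a message is relayed only if no property becomes FALSE; a discarded message leaves the state unchanged.
class ContractMonitor {
  constructor(props) { this.props = props; this.state = props.map(p => p.formula); }
  check(xmlText) {
    let m; try { m = parseXml(xmlText); } catch (e) { return ["Unparseable message"]; }
    const next = this.state.map(f => progress(f, m));
    const violated = this.props.filter((p, k) => next[k] === FALSE).map(p => p.caption);
    if (violated.length === 0) this.state = next;
    return violated; // empty array: relay the message
  }
}

// Constructed sample trace (not taken from the slides' tool): one verdict list per message.
const add = id => `<Message><Action>CartAdd</Action><Items><Item><ItemId>${id}</ItemId></Item></Items></Message>`;
const act = a => `<Message><Action>${a}</Action></Message>`;
function demo() {
  const mon = new ContractMonitor(contract);
  return [act("Login"), act("LoginResponse"), act("Login"), act("CartCreate"), add(567), add(789), add(567)].map(x => mon.check(x));
}
```

`demo()` returns an empty list for each relayed message and the violated captions for each discarded one. As the open issues above point out, the server has no guarantee that this client-side gate actually runs, so it cannot replace server-side checks.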
