model checking of services workflow reconfiguration

11 downloads 1108 Views 912KB Size Report
Reconfiguration is achieved through use of. BPMN elements. ○ Verification of required properties is achieved by the verification of the BPMN workflow.
MODEL CHECKING OF SERVICES WORKFLOW RECONFIGURATION: A PERSPECTIVE ON DEPENDABILITY 1

Juan Carlos Polanco Aguilar 1 Koji Hasebe 1 Manuel Mazzara 2 Kazuhiko Kato 1 1 University of Tsukuba – Department of Computer Science 2 Newcastle University – School of Computing Science

BACKGROUND WHAT IS WORKFLOW? •  A workflow is a model defined by a series of tasks to produce an outcome. •  Typical examples of workflow include: •  Business office workflow. •  Web services workflow. •  Mobile workflow.

2

BACKGROUND AN EXAMPLE OF WORKFLOW User

Invoke Process

N User Response

Shop

Payment Company

Order Process

Process Payment

Payment Received Y 3

BUSINESS PROCESS MODELING NOTATION (BPMN) • 

•  • 

• 

• 

Developed by Business Process Management Initiative (BPMI) in 2004 and maintained by the Object Management Group (OMG) from 2005. Current Version: 2.0 (March 2011). Widely used standard for business process modeling. Simple drawing scheme that is easy to learn and train. Portability for many software vendors implementation 4

EXAMPLE OF BPMN SPECIFICATION

5

WORKFLOW AS A SAFETY-CRITICAL SYSTEM ¢  Workflow —  — 

Internet shopping site. Office workflow.

¢  Safety —  —  — 

application examples

/ security problems

Leakage of Information. Impersonation. Design error and flow bugs.

6

REQUIREMENTS OF THE VERIFICATION PROCEDURE ¢  Reconfiguration

process is often applied in a

workflow. ¢  Safety / security properties might be compromised after reconfiguration (deadlock, security). ¢  Reconfiguration is achieved through use of BPMN elements. ¢  Verification of required properties is achieved by the verification of the BPMN workflow specification. 7

MOTIVATION ¢ 

Reconfiguration of workflow development and verification of requirements through research status.

Verification Procedure

Workflow

Requirements

Formal Language

Revision Verification tool Correct Workflow

8

PURPOSE ¢  Develop

a formal verification for reconfiguration of workflows. — 

Based on model checking technique (SPIN Model Checker).

— 

Introduce a translation algorithm from a BPMN model into Promela code.

9

OVERVIEW OF THE VERIFICATION

Reconfigura7on  

Step 1: Workflow reconfiguration to achieve flexibility.

Step 3: Model checking of the Promela model with a requirement expressed in Linear Temporal Logic (LTL) formulas. Step 4: Recursive reconfiguration to meet all the requirements.

New  BPMN   Diagram  

Automa7c   Transla7on   Procedure  

Formal   Specifica7on  of   BPMN  Model  

Promela   Model  

SPIN  Model   Checker  

Valid     (BPMN  model   sa7sfies  the   requirement.)  

Requirement   (LTL  Formula)  

Revision  

Step 2: Translation from the BPMN model into a formal Promela model (SPIN Specification Language).

Old  BPMN   Diagram  

Verifica7on   Procedure  

Invalid   (There  is  a   counter   example.)  

10

OVERVIEW OF THE VERIFICATION–EXAMPLE: BOOKSHOP Bookshop

Client

Provider

11

STEP 1: WORKFLOW RECONFIGURATION

An Example of Requirements

•  Client sends an order, the bookshop verifies supply in the warehouse and then sends the order to client.

12

STEP 1: WORKFLOW RECONFIGURATION Introduce a parallel branching

13

STEP 2: TRANSLATION PROCEDURE (1) OVERVIEW OF THE PROCEDURE ¢  Specification

of the BPMN diagram by using set theoretical notation. ¢  Develop and introduction of the translation algorithm by using primary elements obtained after specification. ¢  Modification of the translated model for a challenging verification. ¢  Procedure Limitations —  — 

Translation procedure not fully automated. After training on set theory basic concepts and Promela language, handling can be achieved. 14

STEP 2: TRANSLATION PROCEDURE (2) TRANSLATION APPLICATION EXAMPLE Labels e1

e2

t1

t3

t4

Partitioning of Workflow into processes

t2

t5

t8

t7

t6 t9

t10 t14

t12

t11

e3

t13

t15

t16

t17

t19

t18

e4

15

STEP 2: TRANSLATION PROCEDURE (2) TRANSLATION APPLICATION EXAMPLE t3

t4

t5

t8

t7

t6 t9

e3

t11

BPMN formal specification •Tasks = {t3,t4 , t5 , t6, t7, t8, t9, t11} •Events = {e3} •Objects ={e3, t3,t4 , t5 , t6, t7, t8, t9, t11} •Relation = {(t3, t6), (t6, t4), (t6, t5), (t5, t7) , (t5, t8), (t7, e3) , (t7, t9), (t9, t11)} •Connect = {(t4, e2), (t8, t2), (t11, t15)}

Translation Translation algorithm

for all a∈Connect(a,b) print “chan a[buf]” … for all (a,b)∈Connect(a,b) print “a!msg” print “a?msg”   …

Primary Promela code

Complete Promela code chan t4[1] of mtype chan t8[1] of mtype

chan t4[1] of mtype chan t8[1] of mtype chan t11[1] of mtype

chan t11[1] of mtype bool flag1 = 0; bool flag2 = 0; bool flag3 = 0;

active proctype P4() { t1?msg; t4!msg; atomic{ t8!msg; t11!msg; } }

active proctype P3() { t1?msg; flag1= 1; t4!msg; atomic{ 16 t8!msg; flag2= 1; t11!msg; flag3= 1; } }

STEP 2: TRANSLATION PROCEDURE (3) COMPLETE PROMELA CODE mtype = {msg}; chan t1 = [1] of {mtype} chan e2 = [1] of {mtype} chan t4 = [1] of {mtype} chan t8 = [1] of {mtype} chan t11 = [1] of {mtype} chan t12 = [1] of {mtype} chan t13 = [1] of {mtype} chan t18= [1] of {mtype} chan t19 = [1] of {mtype} active proctype P1() { t1!msg; } active proctype P2() { e2?msg; } active proctype P3() { t8?msg; }

active proctype P4() { t1?msg; do t4!msg; atomic { t8!msg; t11!msg } od } active proctype P5() { do :: t12!msg; t13!msg; od } active proctype P6() { t4?msg; } active proctype P7() { t13?msg; t18!msg }

active proctype P8() { t12?msg; do :: t18!msg :: t19!msg od } active proctype P9() { t11?msg; } active proctype P10() { t18?msg; } active proctype P11() { t19?msg; } 17

STEP 2: TRANSLATION PROCEDURE (3) COMPLETE PROMELA CODE mtype = {msg, amount};

mtype chan t1 = = {msg}; [1] of {mtype}

chan e2 = [1] of {mtype} chan t4 chan t1==[1] [1]ofof{mtype} {mtype} chan t8 = [1] of {mtype} chan e2 = [1] of {mtype} chan = [1] [1] of chant16 t4 = of{int} {mtype} chan t11 = [1] of {mtype} chan t8 = [1] of {mtype} chan t12 = [1] of {mtype} chan t11 = [1] of {mtype} chan t13 = [1] of {mtype} chan t12 = {mtype} chan t18= [1][1] of of {mtype} chan t13==[1] [1]ofof {mtype} chan t19 {mtype}

chan t18= [1] of {mtype} chanflagA t19 = 0; [1] of {mtype} bool bool flagB = 0; bool flag1 =0; active proctype P1() bool flag2 =0; { t1!msg; bool flag3 =0; } bool flag4 =0; active proctype P2() bool flag5 =0; {bool e2?msg; flagX =0; }bool flagY = 0;

active proctype P3() active proctype P1() { t8?msg; }{ t1!msg; } active proctype P2() { e2?msg; }

active proctype P3() active proctype P4() { t8?msg; flagA = 1; {} t1?msg; do proctype P4() active { t1?msg; t4!msg;flag1 = 1 do atomic { t4!msg t8!msg; atomic{ t11!msg t8!msg; flag2=1; } t11!msg flag3=1; od } } od active proctype P5() } {active do proctype P5() {t16?amount; :: t12!msg; t13!msg; (amount >= 4000) -> od } t12!msg; flagX = 1 (amount < 4000) -> active proctype P6() t13!msg; flagY=1 { do t4?msg; } :: t12!msg; flag4= 1 active proctype P7() :: t13!msg; flag5= 1 { od } t13?msg; t18!msg }active proctype P6() { t4?msg; }

active proctype P7() { active proctype P8() t13?msg; t18!msg {}

t12?msg;

active do proctype P8() { :: t18!msg t12?msg; :: t19!msg do od :: t18!msg } :: t19!msg active od proctype P9() {} t11?msg; }active proctype P9() { t11?msg; active proctype P10() {flagB = 1; }t18?msg; active proctype P10() } { active proctype P11() t18?msg; {} t19?msg; active proctype P11() {} t19?msg; }

18

STEP 3: MODEL CHECKING VERIFICATION (1) PROCEDURE OVERVIEW Introduce Linear Temporal Logic (LTL) formulas to verify the requirement. ¢  Typical examples: deadlock freedom, security, reachability. ¢ 

Promela code

Requirement (LTL)

•  Reachability: •  LTL formula: □(p→□(q→◊r)) •  define p as flag1 == 1; •  define q as flag2 == 1; •  define r as flag3 == 1; 19

STEP 3: MODEL CHECKING VERIFICATION (2) REQUIREMENTS DEFINITION ¢  Typical

requirements can be identified through patterns in LTL formulas: Reachability: “Program always reaches aimed state” •  □(P→□(Q→◊R)) —  Deadlock: “There is no next state” — 

Deadlock: ◊(○⊥∧¬terminal) ¢  Deadlock-freedom: □(○⊥→terminal) ¢ 

¢  Usage

of assertion alternative

active proctype P4() { t3?msg; flag1 = 1; do :: t8!msg; flag2 = 1; :: t11!msg; flag3 = 1; od assert(flag2 == 1 && flag3 == 1) }

20

STEP 3: MODEL CHECKING VERIFICATION (3) VERIFICATION EXAMPLE active proctype P4( ) { t3?msg; flag1= 1; t4!msg; atomic{ t8!msg; flag2= 1; t11!msg; flag3= 1; } }

t3

t6

t4

t5

t8

t7

t9 e3

t11

Promela code

Requirement (LTL)

SPIN model checker

Model Revision

Property INVALID 21

STEP 4: RECURSIVE RECONFIGURATION OF WORKFLOW MODEL active proctype P4() { t3?msg; flag1 = 1; do :: t8!msg; flag2 = 1; :: t11!msg; flag3 = 1; od }

Verify items and stock t3

Verify Supply

t7

Enough Supply

Yes

Prepare and Send Order

No Generate Purchase t11

Promela code

Requirement (LTL)

SPIN model checker 22

Property VALID

t8

RELATED WORK ¢ 

¢ 

¢ 

Model Checking for Web Services: —  S. Nakajima. Model-Checking of Safety and Security Aspects in Web Service Flows, ICWE 2004. —  S. Nakajima. Model-Checking Behavioral Specification of BPEL Applications, WLFM 2005. Translation Procedures: —  C. Ouyang, M. Dumas, A. H. M. ter Hofstede, W. M. P. van der Aalst. From BPMN Process Models to BPEL Web Services. IEEE International Conference on Web Services 2006. —  J. Chen, H. Cui. Translation from Adapted UML to Promela for CORBA-based Applications, SPIN 2004. Reconfiguration in Workflow Systems: —  M.Mazzara, N. Dragoni, M. Zhou. Dependable Workflow Reconfiguration, NODES 2011. —  M.Mazzara, A. Bhattacharyya. On Modeling and Analysis of Dynamic Reconfiguration of Dependable Real-Time Systems, DEPEND 2010.

23

CONCLUSIONS ¢  Verify

the procedure for the reconfiguration of workflows. ¢  Introduce the translation from the BPMN model into a Promela model and use SPIN model checker for verification. ¢  Develop a formal definition of BPMN model and introduce a translation algorithm. ¢  Introduce a recursive process of verification.

24

FUTURE WORK ¢  Develop

the automation of the verification procedure. ¢  Include a GUI environment. ¢  Increase the handle ability: —  — 

Background process of translation and verification. Develop set of templates for requirement patterns (usual LTL formula for deadlock, reachability).

25