Timed Automata for Web Services Verification∗

M. Emilia Cambronero, Juan J. Pardo, Gregorio Dıaz, Valentın ValeroComputing Systems DepartmentUniversity of Castilla-la ManchaAvda. Espana s/n 02071 Albacete

Spain {emicp,jpardo,gregorio,valentin}@dsi.uclm.es

Abstract: Timed Automata is a well known formalism for the descriptionof Real-Time System. In this paper weshow that it is useful for modelling and analyzing Web Services with time constraints. For our purposes it is enoughwith the choreography level of the Web Services Architecture, so Web Services descriptions written in WSCDL(a XML-based description languages) are translated to timed automata models. Then, the UPPAAL tool is usedto simulate and analyse the behavior of the system. The process is illustrated with a case study, an airline ticketreservation system. The example shows the systematic translation process, and the resulting model is checked fora suite of rather generic safeness and liveness properties.

Key–Words:WS-CDL, Timed Automata, Web Services,Verification, Model Checking

1 Introduction

Web Services are a key component of the emerging,loosely coupled, Web-based computing architecture.A Web Service is an autonomous, standards-basedcomponent whose public interfaces are defined anddescribed using XML [6]. Other systems may inter-act with a Web Service in a manner prescribed by itsdefinition, using XML based messages conveyed byInternet protocols.

The Web Services specifications offer a commu-nication bridge between the heterogeneous computa-tional environments used to develop and host applica-tions. The future of E-Business applications requiresthe ability to perform long-lived, peer-to-peer collab-orations between the participating services, within oracross the trusted domains of an organization.

Web Services cover a wide range of systems,which in many cases have strict time constraints, e.g.,peer-to-peer collaborations may have time limits oncompletion. They are described in the top level layersof Web Services architectures [6] with elements suchas time-outsand alignments. Time-outs allow eachparty to fix the time for an action to occur, while align-ments are synchronizations between two peer-to-peerparties. Businesses rely on Web Services, it is there-fore important that the Web Services framework en-sure the correctness of systems with time constraints.Verification of real-time properties is especially im-

∗This work has been supported by the CICYT project “De-scription and Evaluation of Distributed Systems and Applicationto Multimedia Systems”,TIC2003-07848-C02-02.

portant for Web sites that offer services with somekind of time restrictions, such a maximum times tokeep a reservation of a flight seat, or maximum delaysto order fund transfers, etc. Since model checking oftimed automata has proven to be very useful for simi-lar problems in other areas, we investigate, how it canbe applied for Web Services.

This verification process starts from the top levellayers of Web Services architectures [6] and morespecifically from the choreography level, thus we usethe Web Service Choreography Description Language(WS-CDL) [6] as input for this verification process.Therefore, the starting point are specification docu-ments written in WS-CDL. Then, these descriptionsare translated into timed automata, and the UPPAALtool is used to simulate and verify the correctness ofthe system.

We illustrate the approach with a particular casestudy: an airline ticket reservation system, which con-tains some time constraints.

Related Work

There is a growing consensus that the use of for-mal methods, and the development of methodologiesbased on these formalisms, could have significant ben-efits in developing E-business systems, due to the en-hanced rigor these methods bring. Some of these ap-proaches have used logics to formalize and reasonabout the contracts specified by the description lan-guages [1], [2] or [3]. They have the flexibility andexpressive power of logics, but it is well known that

Proceedings of the 6th WSEAS International Conference on Applied Computer Science, Tenerife, Canary Islands, Spain, December 16-18, 2006 531

in general such logics are not decidable, and thus ver-ification requires expert knowledge. Closer to our ap-proach are formalizations based on finite state ma-chines [4, 8] and Petri Nets [5], they allow auto-mated verification using model checking tools; butthey differ from our work in not treating timing con-straints. Our approach is based directly on the theoryof timed automata [7], and we use the UPPAAL tool[10, 11, 12], although other similar tools like KRO-NOS [13] would apply.

Overview

The paper is structured as follows. In Section 2 wepresent the case study, and how it is described withWSCDL. Translation from WS-CDL to Timed au-tomata is described in Section 3, and then in Section 4we show how we can use this tool to model, simulateand verify the system behavior. Finally, conclusionsand future work are presented in Section 5.

2 Case Study

Reservation System to verify the availability of seats(Verify Seats Availability). WhenOrder Triphas beencompleted, the Traveller has the choice of acceptingor rejecting the proposed itinerary, and he can also de-cide not to take the trip at all.

• In case he rejects the proposed itinerary, he maysubmit the modifications (Change Itinerary), andwait for a new proposal from the Travel Agent.

• In case he decides not to take the trip, he informsthe Travel Agent (Cancel Itinerary) and the pro-cess ends.

• In case he decides to accept the proposeditinerary (Reserve Tickets), he will provide theTravel Agent with his Credit Card informationin order to book the itinerary.

Once the Traveller has accepted the proposeditinerary, the Travel Agent connects with the AirlineReservation System in order to reserve the seats (Re-serve Seats). However, it may occur that at that mo-ment no seat is available for a particular leg of thetrip, because some time has elapsed from the momentin which the availability check was made. In that casethe Travel Agent is informed by the Airline Reserva-tion System of that situation (No seats), and the TravelAgent informs the Traveller that the itinerary is notpossible (Notify of Cancellation). When the reserva-tion is made, the Travel Agent informs the Traveller(Seats Reserved). This reservation is valid fr one day,

Fig. 1: Plan and Book Trip: Message Flow.

if a final confirmation has not been received beforethat day is over, the seats are released, and the TravelAgent is informed. Thus, the Traveller can now eitherfinalize the reservation or cancel it. If he confirms thereservation (Book Tickets), the Travel Agent asks theAirline Reservation System to finally book the seats(Book Seats).

The high level flow of the messages exchangedwithin the global process (which is calledPlanAnd-BookTrip) is shown in Fig. 1.

2.1 WSCDL Description

In Figure 2 we can see a detailed piece of the WS-CDL document describing our case study. It describesa part of the relationship between the Airline and theTravel Agent. The interaction determines that thereservation is available for one day.

2.1.1 The travel Agent

In Figure 3 we can see a part of the travel agent spec-ification. This particular piece defines an exception tohandle the reservation timeout. Overall the model forthe travel agent has the following elements:

• The main activities of the travel agent are repre-sented by nested processes.

• The iterative processes are described by meansof while activities.

• Exceptions capture the withdrawal of the trip re-quest or the reservation request.

Proceedings of the 6th WSEAS International Conference on Applied Computer Science, Tenerife, Canary Islands, Spain, December 16-18, 2006 532

<interaction name="reservation&booking"

channelVariable="travelAgentAirlineChannel" operation="reservation&booking"

align="true"

initiate="true" > <participate relationshipType="TravelAgentAirline"

fromRole="TravelAgent" toRole="Airline" />

<exchange name="reservation"

informationType="reservation" action="request" > <send variable="tns:reservationOrderID" causeException="true" />

<receive variable="tns:reservationAckID" causeException="true" />

</exchange> <exchange name="booking" informationType="booking" action="respond" >

<send variable="tns:bookingRequestID" causeException="true" />

<receive variable="bookingAckID" causeException="true" /> </exchange>

<timeout time-to-complete="24:00" />

<record name="bookingTimeout" when="timeout" causeException="true" />

<source variable="AL:getVariable('tns:reservationOrderCancel', '', '')" />

<target

variable="TA:getVariable('tns:reservationOrderCancel', '', '')" /> </record>

</interaction>

Fig. 2: A Part of the WS-CDL Specification

...

<context> <process name ="BookSeats" instantiation="other">

<action name="bookSeats"

role="tns:travelAgent" operation="tns:TAtoAirline/bookSeats">

</action>

</process>

<exception> <onMessage>

<action name="ReservationTimeOut"

role="tns:TravelAgent" operation="tns:TAtoAirline/AcceptCancellation">

<correlate

correlation="defs:reservationCorrelation"/> </action>

<action name="NotifyOfTimeOut"

role="tns:TravelAgent"

operation="tns:TAtoTraveller/NotifyofCancellation"/> <fault code="tns:reservationTimedOut"/>

</onMessage>

... </exception>

...

</context>

Fig. 3: A Part of the Travel Agent Specification

• The interface uses two different correlations,which identify the same conversation involvingthe travel agent with both the traveller and theairline reservation system.

2.1.2 Traveller

The main top-level process describing the travelleris declared with an ”instantiation=other” at-tribute to describe the fact that the traveller is actuallythe one who starts the message exchange.

To model the possibility of cancelling the reserva-tion or the book the tickets we use a new context witha new exception.

We use a correlation to ensure that both the travelagent and the airline reservation system know how to

...

<sequence> <context>

<exception>

<onTimeout property ="tnsd:expireTime" type="duration"

reference="tns:ReserveSeats@end">

<compensate name="CompensateReservation"

transaction="seatReservation"/> </onTimeout>

</exception>

</context> ...

</sequence>

Fig. 4: Part of the Travel Agent Specification

fulfill the correlation requirements exhibited by thetraveller interface.

2.1.3 Airline Reservation System

The airline reservation system interface is modeled byan interface with two top-level processes, both withthe ”instatiation=message” attribute.

The reservation of seats for each leg is defined asa transaction defining a compensation activity whichprobably will withdraw the reservations for all seats.

Fig. 4 shows the part of the specification used tocontrol the timeout.

3 Modelling with Timed Automata

For each component of a WS-CDL description wehave the following correspondences in timed au-tomata:

Role : They describe the behaviour of each classof party that we are using in the choreography.Thus, this definition matches with the definitionof a automatontemplatein timed automata ter-minology.

Relation type : They define the communications be-tween two roles, and the needed channels forthese communications. In timed automata we as-sign a new channel for each one of these chan-nels, which are the parameters of the templatesthat take part in the communication.

Participant type : They define the different partiesthat participate in the choreography. In timed au-

Proceedings of the 6th WSEAS International Conference on Applied Computer Science, Tenerife, Canary Islands, Spain, December 16-18, 2006 533

tomata they areprocessesor automata participat-ing in the system.

Channel types : A channel is a point of collaborationbetween parties, together with the specificationof how the information is exchanged. As saidbefore, channels of WS-CDL correspond withchannels of timed automata.

Variables : They are easily translated, as timed au-tomata in UPPAAL support (bounded integer)variables, which are used to represent informa-tion.

At this point it is necessary to define the be-haviour of each template. This behaviour is defined byusing the information provided by the flow of chore-ographies. Choreographies are sets of workunits orsets of activities. Thus, activities and workunits arethe basic components of the choreographies, and theycapture the behavior of each component. Activitiescan be obtained as result of a composition of otheractivities, by using sequential, parallel or choice com-positions. In terms of timed automata these operatorscan be easily translated:

• Sequential composition of activities is translatedby concatenating the corresponding timed au-tomata.

• Parallel activities are translated to the flat paral-lel composition of the corresponding timed au-tomata.

• Choices are translated by adding a node intothe automata which is connected with the initialnodes of the alternatives.

Finally, time restrictions are associated in WS-CDL with workunits and interaction activities. Thesetime restrictions are introduced in timed automata bymeans of a local clock, guards and invariants. There-fore, when a workunit of an activity has a time restric-tion, we associate a guard to the edge that correspondto the initial point of this workunit in the correspond-ing timed automaton.

In Fig. 5 we can see the schematic presentationof the correspondence between WS-CDL and timedautomata.

Now, we can see this correspondence for our ex-ample. When we model our case Study by usingTimed Automata we have 3 automata, the automatonof the traveler, the automaton of travel agent and an-other one for the airline company.

In Fig. 6 we can see the timed automaton cor-responding to the airline reservation system. In this

Role −→ Template

RelationType −→ Channel+

ParticipantType −→ Process+

ChannelType −→ Channel

V ariables −→ V ariables

Choreography −→ Choreography+ | ActivityActivity −→ WorkUnit | Sequence|

Paralelism| ChoiceSequence −→ Activity+

Paralelism −→ Activity+

Choice −→ Activity+

WorkUnit −→ State&Guard&Invariant

Fig. 5: Schematic view of the translation

automaton we use the clockx to control when thereservation expires. This clock is initialized when areservedseat is done.

x<24

check_seats? available_seat! reserve_seat?

reserve_seat_ok!x:=0

x<24book_seat?

no_available_seat!

x==24timeout!

x<24cancel_reserve_seat?

cancel_reserve_seat_ok!

book_seat_ok!

receive_tickets!

book_seat_no!

reserve_seat_no!

Fig. 6: Timed automaton for Airline Reservation Sys-tem.

Fig. 7 shows the timed automaton of the TravelAgent and Fig. 8 present the automaton for the trav-eler.

4 Simulation and Verification

Once we have constructed the timed automata de-scribing the system, we can use the UPPAAL tool tosimulate and verify the system it.

Simulations can detect some failures in the sys-tem design, and thus, this can be the first step to verifythe system behavior. Simulations are made by choos-ing different transitions and delays along the systemevolution. At any moment during the simulation, you

Proceedings of the 6th WSEAS International Conference on Applied Computer Science, Tenerife, Canary Islands, Spain, December 16-18, 2006 534

ordertrip!

available!

cancel_itinerary?

change_itinerary?

reserve_tickets?

reserve_seat!

reserve_seat_no?

reserve_seat_ok?timeout?

notify_timeout!

check_seats! available_seat?

no_available_seat?

no_available!

book_seat!

book_seat_ok?

receive_statement!

cancel_reserve_seat!

cancel_reserve_seat_ok?

accept_cancel!

book_seat_no?

book_ticket? cancel_reservation?

timeout?

no_reservation!

no_reservation!

Fig. 7: Timed automata for Travel agent web service.

Start

ordertrip?

available?

change_itinerary!

cancel_itinerary!

reserve_tickets!

cancel_reservation!

book_ticket!

receive_statement?

notify_timeout?

receive_tickets?

accept_cancel?

no_available?

no_reservation?

no_reservation?

Fig. 8: Timed automata for traveler.

can see the variable values and the enabled transitions.Thus, you can choose the transition that you want toexecute. Nevertheless, you can also select the randomexecution of transitions, and thus, the system evolvesby executing transitions and delays which are selectedrandomly. We have some other options in the UP-PAAL Simulator. For example, you can save simula-tions traces that can later be used to recover a specificexecution trace. Actually, the simulation is quite flex-ible at this point, and you can back or forward in thesequence.

Then, with respect to our case study, our maingoal in the verification phase is to check the correct-ness of the message flow and time-outs, taking into ac-count the protocol definition. We have made a numberof simulations, and for all of them the system has sat-isfied the expected behavior in terms of the messageflow between the parties.

However, simulations do not guarantee in generalthe correctness of a system, as they cannot be com-plete, so we must also use formal verification tech-

niques to complete the verification process of the sys-tem. But before starting the automatic verification, wemust establish which are the properties that the modelmust fulfill. We have divided these properties intothree classes: Safety, Liveness and Deadlocks. Theseproperties are

Safety Propertiesallow us to check if our modelsatisfies some security restrictions. For example, if wehave two trains that have to cross the same bridge, asecurity property is that both trains can not cross at thesame time the bridge, this is described by a formulalike: ∀�¬(Train1.crossing ∧ Train2.crossing) or¬∃♦(Train1.crossing ∧ Train2.crossing).

In our case study, the main Safety properties thatour system must fulfill are the following:

• The TravelAgent always sends the itinerary ontraveler’s demand:

∀�Traveler.Itinerary ⇒TravelAgent.sendItinerary

(1)

• The TravelAgent always changes the itinerary ontraveler’s demand:

∀�Traveler.ChangeItinerary ⇒TravelAgent.PerformChange

(2)

• The TravelAgent always cancels the reservationon traveler’s demand:

∀�Traveler.CancelReservation →(TravelAgent.CancelReservtRcv∧Airline.PerformCancel∧Airline.Clockx < 24)

(3)

• A reservation is only available 24 hours beforeperforming the booking:

∀�(TravelAgent.Booking∧Airline.ReceiveBoking∧Airline.ClockX <= 24)

(4)

• A Traveler always receives theirs tickets andstatements after performing the payment:

∀�Traveler.PaymentPerform →(Traveler.F inish ∧ Airline.SnddTckt∧TravelAgent.SenddSttment)

(5)

Liveness Properties are used to check thatour model can evolve in the right order. Return-ing to the train example, if a train approaches thebridge, some time later, the train could cross it:Train.approach → Train.crossed.

In our case study we can consider quite a numberof liveness properties. Then, we have just selected twoof them, which are one of the most important:

Proceedings of the 6th WSEAS International Conference on Applied Computer Science, Tenerife, Canary Islands, Spain, December 16-18, 2006 535

• If a Traveler sends a trip demand, some timelater, the TravelAgent will send the itineraries.Translating it into Temporal Logic we have:

Traveler.P lanOrder −→TravelAgent.SendItinerary

(6)

• If a Traveler makes a book within 24 hours afterthe reservation, the Airline performs the book-ing. Translating it into Temporal Logic we have:

Traveler.BookOdr ∧ Airline.ClockX

< 24 −→ Airline.PerformBook(7)

Deadlocksare clear mistakes. We can check ifour model can deadlock by the formula:

∀�¬Deadlock (8)

5 Conclusions and Future Work

Web Services are widely used to implement a great va-riety of applications on Internet. Many of them havetime restrictions, and then, it becomes important toverify that they will comply with these restrictions,even before these systems are implemented. Then,this paper shows how formal techniques can be usedto this purpose, and particularly timed automata. Wehave seen that the specifications of Web Services ap-plications can be translated into timed automata, andwe have illustrated this translation by means of an ex-ample, and then, we have seen how these automata canbe simulated and how we can verify the main proper-ties of the system by using these automata.

References:

[1] H. Davulcu, M. Kifer, and I. V. Ramakr-ishnan. CTR-S: A Logic for SpecifyingContracts in Semantic Web Services. InProceedings of WWW2004, pages 144–153,May 2004.

[2] A. Paschke, J. Dietrich, and K. Kuhla.A Logic Based SLA Management Frame-work. In 4th Semantic Web Conference(ISWC 2005), 2005.

[3] G. Governatori. Representing business con-tracts in RuleML.International Journal ofCooperative Information Systems, 14:181–216, 2005.

[4] E. S. C. Molina-Jimenez, S. Shrivastavaand J. Warne. Run-time Monitoring and

Enforcement of Electronic Contracts.Elec-tronic Commerce Research and Applica-tions, 3(2), 2004.

[5] A. Daskalopulu. Model Checking Contrac-tual Protocols. In L. Breuker and Winkels,editors,Legal Knowledge and InformationSystems, JURIX 2000: The 13th AnnualConference, Frontiers in Artificial Intelli-gence and Applications Series, pages 35–47. IOS Press, 2000.

[6] Nickolas Kavantzas et al. WebService Choreography Descrip-tion Language (WSCDL) 1.0. Inhttp://www.w3.org/TR/ws-cdl-10/

[7] R. Alur and D. Dill, Automata for model-ing real–time systems, In Proceedings ofthe 17th International Colloquium on Au-tomata, Languages and Programming, vol-ume 443, Editors. Springer–Verlag, 1990.

[8] H. Foster, S. Uchitel, J. Magee, J. Kramer,Leveraging Eclipse for Integrated Model-Based Engineering of Web Service Com-positions, In ETX2005 Workshop at OOP-SLA05, San Diego, CA, October 2005.

[9] Edmund M. Clarke and Jr. and Orna Grum-berg and Doron A. Peled,Model Checking,MIT Press, 1999.

[10] K. Larsen and P. Pettersson and Wang Yi,UPPAAL in a Nutshell, Int. Journal on Soft-ware Tools for Technology Transfer, Edi-tors. Springer–Verlag vol.1, 1997.

[11] G. Diaz, F. Cuartero, V. Valero and F.Pelayo,Automatic Verification of the TLSHandshake Protocol, In proceedings of the2004 ACM Symposium on Applied Com-puting.

[12] G. Diaz, K.G. Larsen, J. Pardo, F. Cuar-tero and V. Valero,An approach to handleReal Time and Probabilistic behaviors in e-commerce: Validating the SET Protocol, Inproceedings of the 2005 ACM Symposiumon Applied Computing.

[13] M. Bozga, C. Daws, O. Maler, A. Oliv-ero, S. Tripakis and S. Yovine,Kronos:A model-checking tool for real-time sys-tems, In Proc. 1998 Computer-Aided Veri-fication, CAV’98, Vancouver, Canada, June1998. Lecture Notes in Computer Science1427, Springer-Verlag.

Proceedings of the 6th WSEAS International Conference on Applied Computer Science, Tenerife, Canary Islands, Spain, December 16-18, 2006 536