Section: New Results
Verification of Web Services
Towards An Automatic Analysis of Web Services Security
Web services send and receive messages in XML syntax with some parts hashed, encrypted or signed, according to the WS-Security standard. We have introduced a model to formally describe the protocols that underlie these services, their security properties and the rewriting attacks to which they may be subject. Unlike other protocol models used in symbolic analysis, ours can handle non-deterministic receive/send actions and unordered sequences of XML nodes. To detect attacks we then have to consider the services as combining multiset operators with cryptographic ones, and we have to solve specific satisfiability problems in the combined theory. By a non-trivial extension of earlier combination techniques we obtain a decision procedure for the insecurity of Web services whose messages are built using encryption, signature and other cryptographic primitives. This combination technique allows one to decide insecurity in a modular way, by reducing the associated constraint solving problems to problems in simpler theories.
Known protocol analysis techniques consider protocols in which each piece of information expected in a protocol message is located at a fixed position. This is too restrictive to model Web services, where messages are semi-structured XML documents and where significant information (such as a name or a signature) has to be extracted from nodes occurring at flexible positions. We have therefore extended the Dolev-Yao model with a subterm predicate that allows one to express data extraction by subterm matching. This also allows one to detect the so-called rewriting attacks that are specific to Web services: an intruder moves a signed node elsewhere in the document and puts unsigned data in its place, so that a receiver which locates the signed node by subterm matching still finds a valid signature.
Composition of Web Services
Participant: Christophe Ringeissen.
In collaboration with the ECOO project, we are working on a framework for Web services composition covering both temporal and security aspects. In our model, the composition is based on the coordination of Web services, seen as a product of "conversational" automata that exchange messages. If the coordination does not satisfy the expected composition, we synthesize a new service, called a mediator. This service generates the missing messages required for the coordination, so that the coordination mimics the expected composition.
The compatibility of services is a key issue for the composition problem. We are studying the compatibility problem for timed conversational automata. Our proposal relies on the inference of temporal requirements derived from the local timed transitions of the services. According to those inferred requirements, we can consider different forms of compatibility.
We are also working on applying constraint programming techniques for the composition problem. Our first contribution allows us to use a constraint modelling to instantiate a given abstract composition by selecting the most appropriate concrete Web services with respect to a query. Then, the concrete composition is built in an incremental way by propagating constraints attached to Web services. Moreover, the instantiation can be dynamically updated during the execution via a monitoring phase. This ongoing work is done in the context of the project INRIA-CONICYT CoreWeb.
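As an added example (not the project's framework), the untimed core of the coordination check described above: two conversational automata with send (`!m`) and receive (`?m`) transitions are explored as a synchronous product, and at every state where no send is matched by a receive the analysis records which messages a mediator would have to generate (pending receives) or absorb (unmatched sends). The automaton encoding and the client/shop example are constructed for this illustration; timing constraints are not modelled.

```python
from collections import deque

# Conversational automata, as assumed here: transitions labelled "!m" (send) or "?m" (receive).
CLIENT = {"init": "q0", "finals": {"q3"}, "trans": [
    ("q0", "!order", "q1"), ("q1", "?invoice", "q2"), ("q2", "!payment", "q3")]}
SHOP = {"init": "p0", "finals": {"p3"}, "trans": [
    ("p0", "?order", "p1"), ("p1", "!quote", "p2"), ("p2", "?payment", "p3")]}

def outgoing(aut, state):
    return [(lab, dst) for src, lab, dst in aut["trans"] if src == state]

def sync_steps(a, b, s):
    """Product steps from pair s: a send on one side matched by the same message received on the other."""
    return [(da, db) for la, da in outgoing(a, s[0]) for lb, db in outgoing(b, s[1])
            if la[1:] == lb[1:] and la[0] != lb[0]]

def analyse(a, b):
    """Explore the synchronous product of a and b.
    Returns (compatible, deadlocks); each deadlock records the product state reached, the
    messages a mediator would have to generate (receives nobody sends) and those it would
    have to absorb (sends nobody receives)."""
    start = (a["init"], b["init"])
    seen, todo, deadlocks = {start}, deque([start]), []
    while todo:
        s = todo.popleft()
        if s[0] in a["finals"] and s[1] in b["finals"]:
            continue  # both services reached a final state: nothing more to coordinate
        nexts = sync_steps(a, b, s)
        if not nexts:
            pending = outgoing(a, s[0]) + outgoing(b, s[1])
            deadlocks.append({"state": s,
                              "generate": sorted(l[1:] for l, _ in pending if l[0] == "?"),
                              "absorb": sorted(l[1:] for l, _ in pending if l[0] == "!")})
        for n in nexts:
            if n not in seen:
                seen.add(n)
                todo.append(n)
    return not deadlocks, deadlocks
```

On the sample pair the client waits for an invoice while the shop only ever sends a quote, so the coordination deadlocks after the order and the mediator must generate the invoice and absorb the quote.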
Formalizing QoS of Web Services with Weighted Automata
Web services are used more and more as components of distributed applications, with the goal of solving complex tasks that simple services cannot. This use of Web services is connected to the emergence of languages like WS-BPEL, which describe the external behaviour of Web services on top of their service interfaces. Using Web services as components of distributed applications implies the possibility of replacing a failing service by another one that can do at least the same things as the replaced service. Composition issues are also of particular interest to Web services users. Different solutions have been proposed over the last years to check such properties but, to our knowledge, none of them takes QoS aspects into account. We introduce underpinnings and a tool for verifying Web services substitutivity and well-formed composition while considering Web services costs, such as the execution time of the different operations provided by the services.
In this direction, the starting point of our work and its first contribution is a set of BPEL and WSDL language extensions covering several notions of service cost. We first proposed to extend BPEL with a notion of service cost; we then went further and considered both BPEL and WSDL specifications, so as to be closer to the reality of Web services. The main purpose of these extensions is to be able to specify QoS aspects of Web services simply. Moreover, further verification problems, e.g. strong substitutivity and well-formed composition, are studied for different models, and new decision results are presented. From a theoretical point of view, we show that in the general case the substitutivity problem is undecidable, but we also point out several interesting decidable restricted cases. We also proved that the strong substitutivity problem is PSPACE-complete, while it is decidable in polynomial time for some interesting subclasses.
The new algorithms have been implemented in a Java-based prototype that successfully works on small examples. This tool automates the translation from extended BPEL/WSDL specifications into weighted automata and automatically checks Web services substitutivity and composition while considering Web services costs, such as the execution time of the different operations provided by the services. Currently, the prototype works on deterministic weighted automata (a very common case in practice), but in the near future we plan to extend the algorithms to handle more general cases. The tests have been carried out on different versions of several examples, such as a book store example provided by Oracle (http://www.oracle.com/technology/pub/articles/matjaz_bpel2.html) or the classical loan approval example.
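An added example, not the prototype's code, of a substitutivity check on deterministic weighted automata: each transition carries an operation name and a cost (here, an execution time), and a candidate replacement is accepted if it offers every operation the old service offers from each reachable state, at no greater cost, and preserves final states. This step-wise cost simulation is an assumption of the example (it is sufficient for, but stricter than, comparing total trace costs); the automaton encoding and the three sample services are constructed here.

```python
# Deterministic weighted automata, as assumed here: each transition is (src, operation, cost, dst).
def make_wa(init, finals, trans):
    table = {}
    for src, op, cost, dst in trans:
        assert (src, op) not in table, "automaton must be deterministic"
        table[(src, op)] = (cost, dst)
    return {"init": init, "finals": set(finals), "table": table}

def ops_from(wa, state):
    return [(op, c, d) for (s, op), (c, d) in wa["table"].items() if s == state]

def can_substitute(new, old):
    """Can `new` replace `old`? Explores the product of reachable state pairs.
    Every operation the old service offers from a reachable state must be offered by the
    new service from the paired state at no greater cost, and every final state of the old
    service must be paired with a final state of the new one.
    Returns (True, None) or (False, trace of operations leading to the violation)."""
    start = (old["init"], new["init"])
    seen, todo = {start: []}, [start]
    while todo:
        so, sn = todo.pop()
        trace = seen[(so, sn)]
        if so in old["finals"] and sn not in new["finals"]:
            return False, trace + ["<end>"]
        for op, c_old, d_old in ops_from(old, so):
            hit = new["table"].get((sn, op))
            if hit is None or hit[0] > c_old:
                return False, trace + [op]
            nxt = (d_old, hit[1])
            if nxt not in seen:
                seen[nxt] = trace + [op]
                todo.append(nxt)
    return True, None

# Constructed sample services: a book store offering search and order operations.
OLD = make_wa("s0", ["s2"], [("s0", "search", 2, "s1"), ("s1", "search", 2, "s1"),
                             ("s1", "order", 5, "s2")])
FAST = make_wa("t0", ["t2"], [("t0", "search", 1, "t1"), ("t1", "search", 1, "t1"),
                              ("t1", "order", 4, "t2"), ("t2", "cancel", 1, "t0")])
SLOW = make_wa("u0", ["u2"], [("u0", "search", 2, "u1"), ("u1", "search", 2, "u1"),
                              ("u1", "order", 6, "u2")])
```

`FAST` may replace `OLD` (extra operations such as `cancel` do no harm), while `SLOW` is rejected with the trace `search, order` because its order operation costs more than the original.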