a theory of dbc for multiparty distributed interactions · a theory of dbc for multiparty...
TRANSCRIPT
![Page 1: A theory of DbC for multiparty distributed interactions · A theory of DbC for multiparty distributed interactions Emilio Tuosto University of Leicester Nobuko Yoshida Imperial College](https://reader031.vdocuments.net/reader031/viewer/2022040622/5d22b27d88c993722e8e1f8f/html5/thumbnails/1.jpg)
A theory of DbC for multiparty distributed
interactions
Emilio TuostoUniversity of Leicester
Nobuko YoshidaImperial College London
Kohei HondaQueen Mary, University of London
Laura BocchiUniversity of Leicester
![Page 2: A theory of DbC for multiparty distributed interactions · A theory of DbC for multiparty distributed interactions Emilio Tuosto University of Leicester Nobuko Yoshida Imperial College](https://reader031.vdocuments.net/reader031/viewer/2022040622/5d22b27d88c993722e8e1f8f/html5/thumbnails/2.jpg)
Aims & ObjectivesSupport description/engineering of multiparty protocols
format of messages
discipline interactions in conversations
values carried in messages
Devise a theoretical framework
analyze protocols
specify obligations/guarantees of participants
![Page 3: A theory of DbC for multiparty distributed interactions · A theory of DbC for multiparty distributed interactions Emilio Tuosto University of Leicester Nobuko Yoshida Imperial College](https://reader031.vdocuments.net/reader031/viewer/2022040622/5d22b27d88c993722e8e1f8f/html5/thumbnails/3.jpg)
Reading listAssertion methods
Design by Contract (DbC)
Multiparty Asynchronous Session Types
Global assertions
K. Honda, N. Yoshida and M. Carbone Multyparty Asynchronous Session Types In POPL 2008.
B. MeyerApplying “Design by Contract”In Computer (IEEE), 25, 1992.
C. A. R. HoareAn axiomatic basis of computer programmingIn CACM, 12, 1969.
L. Bocchi, K. Honda, E. Tuosto, and N. Yoshida A theory of DbC for multiparty distributedhttp://www.cs.le.ac.uk/people/lb148/assertedtypes.html
![Page 4: A theory of DbC for multiparty distributed interactions · A theory of DbC for multiparty distributed interactions Emilio Tuosto University of Leicester Nobuko Yoshida Imperial College](https://reader031.vdocuments.net/reader031/viewer/2022040622/5d22b27d88c993722e8e1f8f/html5/thumbnails/4.jpg)
Outline
Global Type
0. Assert
Global Assertion
Well-asserted
Global Assertion
1. Check 2. ProjectWell-asserted
Endpoint Assertions
Well-asserted
Endpoint Assertions
Well-asserted
Endpoint Assertions
T1
T2
T3
G
G
Asserted
ProcessP1
Asserted
ProcessP2
Asserted
ProcessP3
3. Validate
4. Erase
Processerase(P3)
Processerase(P2)
Processerase(P1)
sa
fe i
n u
ntr
us
ted
en
vs
afe
in
tru
ste
d e
nv
![Page 5: A theory of DbC for multiparty distributed interactions · A theory of DbC for multiparty distributed interactions Emilio Tuosto University of Leicester Nobuko Yoshida Imperial College](https://reader031.vdocuments.net/reader031/viewer/2022040622/5d22b27d88c993722e8e1f8f/html5/thumbnails/5.jpg)
Design by ContractType signatures to constraint computation
the method m of an object of class C should be invoked with a string and an integer; m will return (if ever) a string
DbC = Types + Assertions
if m is invoked with a string representing a date 2007 ≤ d ≤ 2008 and an integer n ≤ 1000 then it will (if ever) return the date n days after d
In a distributed setting each party has
guarantees (e.g., on the content of the received messages)
obligations (e.g., on the content of the sent messages)
![Page 6: A theory of DbC for multiparty distributed interactions · A theory of DbC for multiparty distributed interactions Emilio Tuosto University of Leicester Nobuko Yoshida Imperial College](https://reader031.vdocuments.net/reader031/viewer/2022040622/5d22b27d88c993722e8e1f8f/html5/thumbnails/6.jpg)
A simple global type
µ t(p_o : int)〈100〉.Buyer → Seller : ChSeller (o : int).Seller → Buyer : ChBuyer {
ok: Buyer → Bank : ChBank (p : int). Bank → Seller : ChSeller(a : bool), hag: t〈o〉
}
Buyer Seller
o:int
hag
ok
Bank
bra
nch
def t(p_o:int)!100"
t !o"
p:int
a:bool
![Page 7: A theory of DbC for multiparty distributed interactions · A theory of DbC for multiparty distributed interactions Emilio Tuosto University of Leicester Nobuko Yoshida Imperial College](https://reader031.vdocuments.net/reader031/viewer/2022040622/5d22b27d88c993722e8e1f8f/html5/thumbnails/7.jpg)
Outline
Global Type
0. Assert
Global Assertion
Well-asserted
Global Assertion
1. Check 2. ProjectWell-asserted
Endpoint Assertions
Well-asserted
Endpoint Assertions
Well-asserted
Endpoint Assertions
T1
T2
T3
G
G
Asserted
ProcessP1
Asserted
ProcessP2
Asserted
ProcessP3
3. Validate
4. Erase
Processerase(P3)
Processerase(P2)
Processerase(P1)
sa
fe i
n u
ntr
us
ted
en
vs
afe
in
tru
ste
d e
nv
![Page 8: A theory of DbC for multiparty distributed interactions · A theory of DbC for multiparty distributed interactions Emilio Tuosto University of Leicester Nobuko Yoshida Imperial College](https://reader031.vdocuments.net/reader031/viewer/2022040622/5d22b27d88c993722e8e1f8f/html5/thumbnails/8.jpg)
Syntax for Global Assertions
S ::= bool | int | . . . | G
L ::= {p, p!}
What is A?
G ::= p! p! : k (v : S){A}.G| p! p! : k {{Aj}lj : Gj}j"J
| µ t(. . . vi : Si @ Li . . .)"e#{A}.G| t"e#| G,G!
| end
![Page 9: A theory of DbC for multiparty distributed interactions · A theory of DbC for multiparty distributed interactions Emilio Tuosto University of Leicester Nobuko Yoshida Imperial College](https://reader031.vdocuments.net/reader031/viewer/2022040622/5d22b27d88c993722e8e1f8f/html5/thumbnails/9.jpg)
Logical Language
A ::= e1 = e2 | e1 > e2 | !(e1, . . . , en) | A1 !A2 | ¬A | "v(A)
The investigation of the most suitable logic is left as a future work
The logical language is likely to be application dependent
good candidates are first-order decidable logics (e.g. Presburger arithmetic)
![Page 10: A theory of DbC for multiparty distributed interactions · A theory of DbC for multiparty distributed interactions Emilio Tuosto University of Leicester Nobuko Yoshida Imperial College](https://reader031.vdocuments.net/reader031/viewer/2022040622/5d22b27d88c993722e8e1f8f/html5/thumbnails/10.jpg)
A global assertionGhag = μ t(o : int@{Buyer, Seller})〈10〉{o≥10}.
Buyer → Seller: ChSeller (p : int) {p≥10}.Seller → Buyer: ChBuyer{
{true} ok:Buyer → Bank: ChBank (c : int) {c=p}.Bank → Seller: ChSeller (a : bool) {true},
{p>o} hag: t〈p〉}
Buyer Seller
o:int
hag
ok
Bank
bra
nch
def t(p_o:int)!100"
t !o"
p:int
a:bool
![Page 11: A theory of DbC for multiparty distributed interactions · A theory of DbC for multiparty distributed interactions Emilio Tuosto University of Leicester Nobuko Yoshida Imperial College](https://reader031.vdocuments.net/reader031/viewer/2022040622/5d22b27d88c993722e8e1f8f/html5/thumbnails/11.jpg)
Correctness of Global Assertions
Global assertions must respect 3 principles
History sensitivity
Locality
Temporal satisfiability
![Page 12: A theory of DbC for multiparty distributed interactions · A theory of DbC for multiparty distributed interactions Emilio Tuosto University of Leicester Nobuko Yoshida Imperial College](https://reader031.vdocuments.net/reader031/viewer/2022040622/5d22b27d88c993722e8e1f8f/html5/thumbnails/12.jpg)
History sensitivity principle
Alice → Bob : ChB (u:int) {true}. Bob → Carol : ChC (v:int) {true}. Carol → Alice : ChA (z:int) {z<u}
Alice → Bob : ChB (u:int) {true}. Bob → Carol : ChC (v:int) {v<u}. Carol → Alice : ChA (z:int) {z<v}
z indirectly depends on u...
An interaction predicate can only constraint variables known by the sender
Carol cannot guarantee z<u as she doesn’t know u
...but Carol can choose the right value since she knows v and the predicates
ensure that the dependencies are respected
![Page 13: A theory of DbC for multiparty distributed interactions · A theory of DbC for multiparty distributed interactions Emilio Tuosto University of Leicester Nobuko Yoshida Imperial College](https://reader031.vdocuments.net/reader031/viewer/2022040622/5d22b27d88c993722e8e1f8f/html5/thumbnails/13.jpg)
Locality principlePredicates can only constraint variables which they introduce
Alice → Bob : ChB (u:int) {u>0}. Bob → Carol : ChC (v:int) {true}. Carol → Alice : ChA (z:int) {z≥v ∧ v>1}
Carol strengthens the constraints on v withough being
entitled
Alice → Bob : ChB (u:int) {u>0}. Bob → Carol : ChC (v:int) {true}. Carol → Alice : ChA (z:int) {z≥v ∧ z>1}
![Page 14: A theory of DbC for multiparty distributed interactions · A theory of DbC for multiparty distributed interactions Emilio Tuosto University of Leicester Nobuko Yoshida Imperial College](https://reader031.vdocuments.net/reader031/viewer/2022040622/5d22b27d88c993722e8e1f8f/html5/thumbnails/14.jpg)
Temporal-satisfiability principle
Alice → Bob : ChB (u:int) {u<10}. Bob → Alice : ChA (v:int) {v<u ∧ v>6}
had Alice sent 6 or 7, Bob couldn’t meet his obbligation!
For each value satisfying a predicate A
there is always a branch enabled
for each subsequent predicate A’, it is always possible to find values that satisfy A’
![Page 15: A theory of DbC for multiparty distributed interactions · A theory of DbC for multiparty distributed interactions Emilio Tuosto University of Leicester Nobuko Yoshida Imperial College](https://reader031.vdocuments.net/reader031/viewer/2022040622/5d22b27d88c993722e8e1f8f/html5/thumbnails/15.jpg)
Being true to our principles
HSP can be statically checked
!, v : S @ {p, p!} ! G "u # var(A) \ v,! ! u @ p
! ! p$ p! : k (v : S){A}.G"j # J, ! ! Gj "u #
!j"J var(Aj)! ! u @ p
! ! p$ p! : k {{Aj}lj : Gj}j"J
! ! G ! ! G!
! ! G,G! ! ! end
! ! e1 : S1 @ L1 · · · ! ! en : Sn @ Ln!, t : S1 @ L1 . . . Sn @ Ln ! t%e&
!! = !, t : S1 @ L1 . . . Sn @ Ln !! ! G dom(!!) ' var(A) "i.! ! vi : Si @ Li, ei : Si @ Li! ! µt%e&(v1 : S1 @ L1, . . . , vn : Sn @ Ln){A}.G
![Page 16: A theory of DbC for multiparty distributed interactions · A theory of DbC for multiparty distributed interactions Emilio Tuosto University of Leicester Nobuko Yoshida Imperial College](https://reader031.vdocuments.net/reader031/viewer/2022040622/5d22b27d88c993722e8e1f8f/html5/thumbnails/16.jpg)
Being true to our principles
TSP implies LP, and we give a checker GSat(G,A)
1. G = p1 ! p2 : k(v : S){A!}.G!
!if A " #v(A!) then GSat(G, A) = GSat(G!, A $A!)otherwise GSat(G, A) = false
2. G = p1 ! p2 : k{{Aj}lj : Gj}j"J
!if A " (
"j"J Aj) then GSat(G, A) =
#j"J GSat(Gj , A $Aj)
otherwise GSat(G, A) = false
3. G = G1,G2 then GSat(G, A) = GSat(G1, A) $GSat(G2, A)
4. G = µt%e&(v : S){A!}.G!
!if A " A![e/v] then GSat(G, A) = GSat(G!, A $A!)otherwise GSat(G, A) = false
5. G = tA!(v)%e& then GSat(G, A) = true provided that A " A![e/v]
6. G = end then GSat(G, A) = true
1. G = p1 ! p2 : k (v : S){A!}.G!!
if A " #v(A!) then GSat(G, A) = GSat(G!, A $A!)otherwise GSat(G, A) = false
2. ...
![Page 17: A theory of DbC for multiparty distributed interactions · A theory of DbC for multiparty distributed interactions Emilio Tuosto University of Leicester Nobuko Yoshida Imperial College](https://reader031.vdocuments.net/reader031/viewer/2022040622/5d22b27d88c993722e8e1f8f/html5/thumbnails/17.jpg)
Well-assertedness
A global assertion G is well-asserted when
G is history-sensitive and
GSat(G,true) = true
![Page 18: A theory of DbC for multiparty distributed interactions · A theory of DbC for multiparty distributed interactions Emilio Tuosto University of Leicester Nobuko Yoshida Imperial College](https://reader031.vdocuments.net/reader031/viewer/2022040622/5d22b27d88c993722e8e1f8f/html5/thumbnails/18.jpg)
Outline
Global Type
0. Assert
Global Assertion
Well-asserted
Global Assertion
1. Check 2. ProjectWell-asserted
Endpoint Assertions
Well-asserted
Endpoint Assertions
Well-asserted
Endpoint Assertions
T1
T2
T3
G
G
Asserted
ProcessP1
Asserted
ProcessP2
Asserted
ProcessP3
3. Validate
4. Erase
Processerase(P3)
Processerase(P2)
Processerase(P1)
sa
fe i
n u
ntr
us
ted
en
vs
afe
in
tru
ste
d e
nv
![Page 19: A theory of DbC for multiparty distributed interactions · A theory of DbC for multiparty distributed interactions Emilio Tuosto University of Leicester Nobuko Yoshida Imperial College](https://reader031.vdocuments.net/reader031/viewer/2022040622/5d22b27d88c993722e8e1f8f/html5/thumbnails/19.jpg)
End-point assertions
Endpoint assertions specify the behaviour of processes involved in a session.
T ::= k!(v : S){A}; T| k?(v : S){A}; T| k ! {{Aj}li : Ti}i!I
| k&{{Ai}li : Ti}i!I
| µt"e#(v : S){A}.T| t"e#| end
![Page 20: A theory of DbC for multiparty distributed interactions · A theory of DbC for multiparty distributed interactions Emilio Tuosto University of Leicester Nobuko Yoshida Imperial College](https://reader031.vdocuments.net/reader031/viewer/2022040622/5d22b27d88c993722e8e1f8f/html5/thumbnails/20.jpg)
Projections & “third parties”Seller → Buyer : ChBuyer(p : int) {p > 10}.Buyer → Bank : ChBank (c : int) {c ≥ p}
A too naive projection wrt Bank would giveChBank?(c:Int) {c ≥ p}
which is meaningless because Bank ignores the value of p so it cannot check if Buyer meets its obbligation.
![Page 21: A theory of DbC for multiparty distributed interactions · A theory of DbC for multiparty distributed interactions Emilio Tuosto University of Leicester Nobuko Yoshida Imperial College](https://reader031.vdocuments.net/reader031/viewer/2022040622/5d22b27d88c993722e8e1f8f/html5/thumbnails/21.jpg)
Projecting global assertions
Proj (p1 ! p2 : k (v : S){A}.G!, AProj , p) =!"#
"$
k!(v : S){A}.GProj if p = p1
k?(v : S){"Vext(A #AProj )}.GProj if p = p2
GProj otw
GProj = Proj (G!, A #AProj , p) and Vext = var(AProj) \ I(G)!p
Seller → Buyer : ChBuyer(p : int) {p > 10}.Buyer → Bank : ChBank (c : int) {c ≥ p}
ChBank?(c:Int) {∃p. p≥10 ∧ c ≥ p}
projected wrt Bank
![Page 22: A theory of DbC for multiparty distributed interactions · A theory of DbC for multiparty distributed interactions Emilio Tuosto University of Leicester Nobuko Yoshida Imperial College](https://reader031.vdocuments.net/reader031/viewer/2022040622/5d22b27d88c993722e8e1f8f/html5/thumbnails/22.jpg)
Projection in actionThag = μ t(o : int)〈10〉 {o≥10}.
ChSeller?(p : int) {p≥10 ∧ o≥10};ChBuyer⊕{
{true} ok: ChSeller?(a : bool) {∃c. p≥10 ∧ o≥10 ∧ c=p}{p>o} hag: t〈o〉,
} Buyer Seller
o:int
hag
ok
Bank
bra
nch
def t(p_o:int)!100"
t !o"
p:int
a:bool
Ghag = μ t(o : int@{Buyer, Seller})〈10〉{o≥10}.Buyer → Seller: ChSeller (p : int) {p≥10}.Seller → Buyer: ChBuyer{
{true} ok:Buyer → Bank: ChBank (c : int) {c=p}.Bank → Seller: ChSeller (a : bool) {true},
{p>o} hag: t〈p〉}
![Page 23: A theory of DbC for multiparty distributed interactions · A theory of DbC for multiparty distributed interactions Emilio Tuosto University of Leicester Nobuko Yoshida Imperial College](https://reader031.vdocuments.net/reader031/viewer/2022040622/5d22b27d88c993722e8e1f8f/html5/thumbnails/23.jpg)
Well-assertedness for endpoint assertions
Similarly to global assertions, we define LSat(T,A) to check if T is satisfiable under assertion A
Notice that for endpoint assertions only TSP is important as
TSP implies LPHSP is vacuously guaranteed
Proj(G,true,p) preserves well-assertedness
![Page 24: A theory of DbC for multiparty distributed interactions · A theory of DbC for multiparty distributed interactions Emilio Tuosto University of Leicester Nobuko Yoshida Imperial College](https://reader031.vdocuments.net/reader031/viewer/2022040622/5d22b27d88c993722e8e1f8f/html5/thumbnails/24.jpg)
Asserted processes
P ::= a[2..n] (s).P request
| a[p] (s).P accept
| s!!e"(v){A};P send
| s?(v){A};P reception
| s ! {A}l;P select
| s " {{Ai}li : Pi}i!I branch
D ::= {!Xi(visi) = Pi"}i!I rec dec
e ::= n | e # e" | ¬e ... expressions
| if e then P else Q conditional
| errH | errT error
| P | Q parallel
| 0 | s : h idle/queue
| (!a)P | (!s)P hiding
| def D in P | X!es" rec def/call
n ::= a | true | false values
h ::= l | n | s msg
![Page 25: A theory of DbC for multiparty distributed interactions · A theory of DbC for multiparty distributed interactions Emilio Tuosto University of Leicester Nobuko Yoshida Imperial College](https://reader031.vdocuments.net/reader031/viewer/2022040622/5d22b27d88c993722e8e1f8f/html5/thumbnails/25.jpg)
Semanticsa[2..n] (s).P | a[2] (s).P2 | ... | a[n] (s).Pn ! (!s)(P1 | P2 | ... | Pn | s1 :" | ... | sn :")
s!#e$(v){A};P | s : h ! P [n/v] | sk : h · n (e % n &A[n/v] % true)
s?(v){A};P | s : n · h ! P [n/v] | s : h (A[n/v] % true)
s ! {{Ai}li : Pi}i!I | s : lj · h ! Pj | s : h (j ' I and Aj % true)
s " {A}l;P | s : h ! P | s : h · l (A % true)
if e then P else Q ! P (e % true) if e then P else Q ! Q (e % false)
def D in C[X#es$] ! def D in Q(where #X#vs$ = P $ ' D and C[P [e/v]] ! Q)
s!#n$(v){A};P ! errH (A[n/v] % false)
s?(v){A};P | s : n · h ! errT | s : h (A[n/v] % false)
s ! {{Ai}li : Pi}i!I | s : lj · h ! errT | s : h (j ' I and Aj % false)
s " {A}l;P ! errH (A % false)
![Page 26: A theory of DbC for multiparty distributed interactions · A theory of DbC for multiparty distributed interactions Emilio Tuosto University of Leicester Nobuko Yoshida Imperial College](https://reader031.vdocuments.net/reader031/viewer/2022040622/5d22b27d88c993722e8e1f8f/html5/thumbnails/26.jpg)
Outline
Global Type
0. Assert
Global Assertion
Well-asserted
Global Assertion
1. Check 2. ProjectWell-asserted
Endpoint Assertions
Well-asserted
Endpoint Assertions
Well-asserted
Endpoint Assertions
T1
T2
T3
G
G
Asserted
ProcessP1
Asserted
ProcessP2
Asserted
ProcessP3
3. Validate
4. Erase
Processerase(P3)
Processerase(P2)
Processerase(P1)
sa
fe i
n u
ntr
us
ted
en
vs
afe
in
tru
ste
d e
nv
![Page 27: A theory of DbC for multiparty distributed interactions · A theory of DbC for multiparty distributed interactions Emilio Tuosto University of Leicester Nobuko Yoshida Imperial College](https://reader031.vdocuments.net/reader031/viewer/2022040622/5d22b27d88c993722e8e1f8f/html5/thumbnails/27.jpg)
Validating asserted processes
C;! ! P ! "under the assertion environment C and the sorting Γ, P is validated w.r.t. the assertion assignment Δ
C ! A[e/v] C;! " P [e/v] ! ", s : T [e/v] @ p
C;! " sk!#e$(v){A};P ! ", s :k!(v : S){A}; T @ p
C %Ai,! " Pi ! ", s : Ti @ p &i ' IC;! " sk ! {{Ai}li : Pi}i!I ! ", s : k&{{Ai}li : Ti}i!I @ p
![Page 28: A theory of DbC for multiparty distributed interactions · A theory of DbC for multiparty distributed interactions Emilio Tuosto University of Leicester Nobuko Yoshida Imperial College](https://reader031.vdocuments.net/reader031/viewer/2022040622/5d22b27d88c993722e8e1f8f/html5/thumbnails/28.jpg)
Main Results
Validated processes can be “simulated” by their end-point assertions
End-point assertions do not yield errors (by construction)
A validated process never reaches errors
Validation is decidable
![Page 29: A theory of DbC for multiparty distributed interactions · A theory of DbC for multiparty distributed interactions Emilio Tuosto University of Leicester Nobuko Yoshida Imperial College](https://reader031.vdocuments.net/reader031/viewer/2022040622/5d22b27d88c993722e8e1f8f/html5/thumbnails/29.jpg)
Main results 2
In a trusted environment, all assertions of validate processes can be turned into true
A monitor can be automatically deduced from validated processes (it has to check sent/selection messages)
In an untrusted environment, the monitor may guard processes and help in debugging
![Page 30: A theory of DbC for multiparty distributed interactions · A theory of DbC for multiparty distributed interactions Emilio Tuosto University of Leicester Nobuko Yoshida Imperial College](https://reader031.vdocuments.net/reader031/viewer/2022040622/5d22b27d88c993722e8e1f8f/html5/thumbnails/30.jpg)
Future work
Study properties of suitable logics for global assertions
tractability/decidability
complexity
Play with implementations
Apply this context to financial protocols
![Page 31: A theory of DbC for multiparty distributed interactions · A theory of DbC for multiparty distributed interactions Emilio Tuosto University of Leicester Nobuko Yoshida Imperial College](https://reader031.vdocuments.net/reader031/viewer/2022040622/5d22b27d88c993722e8e1f8f/html5/thumbnails/31.jpg)
Thank you...