Modelling and verifying contract-oriented systems in Maude Massimo Bartoletti

Maurizio Murgia

Alceste Scalas

Universit` a degli Studi di Cagliari, Italy

Roberto Zunino Universit` a di Trento, Italy

Abstract We address the problem of modelling and verifying contract-oriented systems, wherein distributed agents may advertise and stipulate contracts, but — differently from most other approaches to distributed agents — are not assumed to always behave “honestly”. We describe an executable specification in Maude of the semantics of CO2 , a calculus for contract-oriented systems [5]. The honesty property [4] characterises those agents which always respect their contracts, in all possible execution contexts. Since there is an infinite number of such contexts, honesty cannot be directly verified by model-checking the state space of an agent (indeed, honesty is an undecidable property in general [4]). The main contribution of this paper is a sound verification technique for honesty. To do that, we safely over-approximate the honesty property by abstracting from the actual contexts a process may be engaged with. Then, we develop a model-checking technique for this abstraction, we describe an implementation in Maude, and we discuss some experiments with it.

1

Introduction

Contract-oriented computing is a software design paradigm where the interaction between clients and services is disciplined through contracts [5, 3]. Contract-oriented services start their life-cycle by advertising contracts which specify their required and offered behaviour. When compliant contracts are found, a session is created among the respective services, which may then start interacting to fulfil their contracts. Differently from other design paradigms (e.g. those based on the session types discipline [9]), services are not assumed to be honest, in that they might not respect the promises made [4]. This may happen either unintentionally (because of errors in the service specification), or because of malicious behaviour. Dishonest behaviour is assumed to be automatically detected and sanctioned by the service infrastructure. This gives rise to a new kind of attacks, that exploit possible discrepancies between the promised and the actual behaviour. If a service does not behave as promised, an attacker can induce it to a situation where the service is sanctioned, while the attacker is reckoned honest. A crucial problem is then how to avoid that a service results definitively culpable of a contract violation, despite of the honest intentions of its developer. In this paper we present an executable specification in Maude [8] of CO2 , a calculus for contractoriented computing [3]. Furthermore, we devise and implement a sound verification technique for honesty. We start in § 2 by introducing a new model for contracts. Borrowing from other approaches 1

to behavioural contracts [7, 4], ours are bilateral contracts featuring internal/external choices, and recursion. We define and implement in Maude two crucial primives on contracts, i.e. compliance and culpability testing, and we study some relevant properties. In § 3 we present CO2 (instantiated with the contracts above), and an executable specification of its semantics in Maude. In § 4 we formalise a weak notion of honesty, i.e. when a process P is honest in a given context, and we implement and experiment with it through the Maude model checker. The main technical results follow in § 5, where we deal with the problem of checking honesty in all possible contexts. To do that, we start by defining an abstract semantics of CO2 , which preserves the transitions of a participant A[P ], while abstracting those of the context wherein A[P ] is run. Building upon the abstract semantics, we then devise an abstract notion of honesty (α-honesty, Def. 5.6), which neglects the execution context. Theorem 5.7 states that α-honesty correctly approximates honesty, and that — under certain hypotheses — it is also complete. We then propose a verification technique for α-honesty, and we provide an implementation in Maude. Some experiments have then been carried out; quite notably, our tool has allowed us to determine the dishonesty of a supposedly-honest CO2 process appeared in [4] (see Ex. 5.12).

2

Modelling contracts

We model contracts as processes in a simple algebra, with internal/external choice and recursion. Compliance between contracts ensures progress, until a successful state is reached. We prove that our model enjoys some relevant properties. First, in each non-final state of a contract there is exactly one participant who is culpable, i.e., expected to make the next move (Theorem 2.9). Furthermore, a participant always recovers from culpability in at most two steps (Theorem 2.10). Syntax. We assume a finite set of participant names (ranged over by A, B, . . .) and a denumerable set of atoms (ranged over by a, b, . . .). We postulate an involution co(a), also written as ¯a, extended to sets of atoms in the natural way. Def. 2.1 introduces the syntax of contracts. We distinguish between (unilateral ) contracts c, which model the promised behaviour of a single participant, and bilateral contracts γ, which combine the contracts advertised by two participants. Definition 2.1. Unilateral contracts are defined by the following grammar: P L ready a.c rec X. c X c, d ::= i∈I ai ; ci i∈I ai . ci where (i) the index set I is finite; (ii) the “ready” prefix may appear at the top-level, only; (iii) recursion is guarded. Bilateral contracts γ are terms of the form A says c | B says d, where A 6= B and at most one occurrence of “ready” is present. The order of unilateral contracts in γ is immaterial, i.e. A says c | B says d ≡ B says d | A says c. L An internal sum i∈I ai ; ci allows to choose one of the branches P ai ; ci , to perform the action ai , and then to behave according to ci . Dually, an external sum i∈I ai . ci allows to wait for the other participant to choose one of the branches ai . ci , then to perform the corresponding ai and behave according to ci . Separators ; and . allow for distinguishing singleton internal sums a ; c from singleton external sums a . c. Empty internal/external sums are denoted with 0. We will only consider contracts without free occurrences of recursion variables X. Example 2.2. An online store A has the following contract: buyers can iteratively add items to the shopping cart (addToCart); when at least one item has been added, the client can either cancel

2

A says a

A says (a ; c ⊕ c0 ) | B says (¯a . d + d0 ) −−−−−→ → A says a

A says ready a. c | B says d −−−−−→ →

A says c | B says ready ¯a.d

[IntExt]

A says c | B says d

[Rdy]

Figure 1: Semantics of contracts (symmetric rules for B actions omitted) the order or pay; then, the store can accept (ok) or decline (no) the payment. Such a contract may be expressed as cA below:
cpay = pay . ok ; 0 ⊕ no ; 0 cA = addToCart . (rec Z. addToCart . Z + cpay + cancel . 0) Instead, a buyer contract could be expressed as: cB

=

rec Z. addToCart ; Z ⊕ pay ; (ok . 0 + no . 0)




The Maude specification of the syntax of contracts is defined as follows: sorts Atom UniContract Participant AdvContract BiContract IGuarded EGuarded IChoice EChoice Var Id RdyContract . subsort Id < IGuarded < IChoice < UniContract < RdyContract . subsort Id < EGuarded < EChoice < UniContract < RdyContract . subsort Var < UniContract .

The sorts IGuarded and EGuarded represent singleton internal/external sums, respectively, while IChoice and EChoice are for arbitrary internal/external sums. Id represents empty sums, and it is a subsort of internal and external sums (either singleton or not). RdyContract if for contracts which may have a top-level ready , while AdvContract is a unilateral contract advertised by some participant. op eq op op op op op op op op op op

-_ : Atom -> Atom [ctor] . - - a:Atom = a:Atom . 0 : -> Id [ctor] . _._ : Atom UniContract -> EGuarded [frozen ctor] . _;_ : Atom UniContract -> IGuarded [frozen ctor] . _+_ : EChoice EChoice -> EChoice [frozen comm assoc id: 0 _(+)_ : IChoice IChoice -> IChoice [frozen comm assoc id: ready _._ : Atom UniContract -> RdyContract [frozen ctor] rec _._ : Var IChoice -> UniContract [frozen ctor] . rec _._ : Var EChoice -> UniContract [frozen ctor] . _ says _ : Participant RdyContract -> AdvContract [ctor] _ | _ : AdvContract AdvContract -> BiContract [comm ctor]

ctor] . 0 ctor] . . . .

The operator - models the involution on atoms, with eq - - a:Atom = a:Atom. The other operators are rather standard, and they guarantee that each UniContract respects the syntactic constraints imposed by Def. 2.1. µ

Semantics. The evolution of bilateral contracts is modelled by − → →, the smallest relation closed under the rules in Fig. 1 and under ≡. The congruence ≡ is the leastL relation including P α-conversion of recursion variables, and satisfying rec X. c ≡ c{rec X. c/X } and i∈∅ ai ; ci ≡ i∈∅ ai . ci . The label µ = A says a models A performing action a. Hereafter, we shall consider contracts up-to ≡. In rule [IntExt], participant A selects the branch a in an internal sum, and B is then forced to commit to the corresponding branch ¯a in his external sum. This is done by marking that branch with

3

ready ¯a, while discarding all the other branches; B will then perform his action in the subsequent step, by rule [Rdy]. In Maude, the semantics of contracts is an almost literal translation of that in Fig. 1 (except that labels are moved to configurations). The one-step transition relation is defined as follows: crl [IntExt]: A says a ; c (+) c’ | B says b . d + d’ => {A says a} A says c | B says ready b . d

if a = - b .

rl [Rdy]: A says ready a.c | B says d => {A says a} A says c | B says d .

Compliance. Two contracts are compliant if, whenever a participant A wants to choose a branch in an internal sum, then participant B always offers A the opportunity to do it. To formalise compliance, we first define a partial function rdy from bilateral contracts to sets of atoms. Intuitively, if the unilateral contracts in γ do not agree on the first step, then rdy(γ) is undefined (i.e. equal to ⊥). Otherwise, rdy(γ) contains the atoms which could be fired in the first step. Definition 2.3 (Compliance). Let the partial function rdy be defined as:   M X ¯j }j∈J if {ai }i∈I ⊆ {b rdy A says ai ; ci | B says bj . cj = {ai }i∈I and (I = ∅ =⇒ J = ∅) i∈I

j∈J

rdy(A says ready a.c | B says d)

= {a}

Then, the compliance relation ./ between unilateral contracts is the largest relation such that, whenever c ./ d: (1) rdy(A says c | B says d) 6= ⊥ µ

(2) A says c | B says d − → → A says c0 | B says d0 =⇒ c0 ./ d0 Example 2.4. Let γ = A says c | B says d, where c = a ; c1 ⊕ b ; c2 and d = ¯a . d1 + ¯c . d2 . If the participant A internally chooses to perform a, then γ will take a transition to A says c1 | B says ready ¯a.d1 . Suppose instead that A chooses to perform b, which is not offered by B in his A says b external choice. In this case, γ − 6 −−−−→ →. We have that rdy(γ) = ⊥, which does not respect item (1) of Def. 2.3. Therefore, c and d are not compliant. We say that a contract is proper if the prefixes of each summation are pairwise distinct. The next lemma states that each proper contract has a compliant one. Lemma 2.5. For all proper contracts c, there exists d such that c ./ d. Def. 2.3 cannot be directly exploited as an algorithm for checking compliance. Lemma 2.6 gives an alternative, model-checkable characterisation of ./ . Lemma 2.6. For all bilateral contracts γ = A says c | B says d: c ./ d ⇐⇒ (∀γ 0 . γ → − →∗ γ 0 =⇒ rdy(γ 0 ) 6= ⊥) In Maude, the compliance relation is defined as suggested by Lemma 2.6. The predicate isBottom is true for a contract γ whenever rdy(γ) = ⊥. The operator <> used below allows for the transitive closure of the transition relation. The relation c |X| d is implemented by verifying that the contract A says c | B says d satisfies the LTL formula 2¬ isBottom. This is done through the Maude model checker.

4

eq <{l} g> |= isBottom = is rdy(g) eq bottom . op _|X|_ : UniContract UniContract -> Bool . eq c |X| d = modelCheck(, [] ~isBottom) == true .

Example 2.7. Recall the store contract cA in Ex. 2.2. Its Maude version is: op Z : -> Var . ops addToCart pay ok no cancel : -> Atom . ops CA CPay CB : -> UniContract . eq CPay = pay . (- ok ; 0 (+) - no ; 0) . eq CA = addToCart . (rec Z . addToCart . Z + CPay + cancel . 0) .

Instead, the Maude implementation of the buyer contract cB in Ex. 2.2 is: eq CB = rec Z . ( - addToCart ; Z (+) - pay ; (ok . 0 + no . 0)) .

We can verify with Maude that CA and CB are not compliant: red CA |X| CB . result Bool: false

The problem is that CB may choose to pay even when the cart is empty. We can easily fix the buyer contract as follows, and then obtain compliance: red CA |X| (- addToCart ; CB) . result Bool: true

Culpability We now tackle the problem of determining who is expected to make the next step for the fulfilment of a bilateral contract. We call a participant A culpable in γ if she is expected to perform some actions so to make γ progress. A says a

Definition 2.8. A participant A is culpable in γ (A a ˙ ˙ γ in symbols) iff γ −−−−−→ → for some a. When A is not culpable in γ we write A ` ˙ ˙ γ. Theorem 2.9 below establishes that, when starting with compliant contracts, exactly one participant is culpable in a bilateral contract. The only exception is A says 0 | B says 0, which represents a successfully terminated interaction, where nobody is culpable. Theorem 2.9. Let γ = A says c | B says d, with c ./ d. If γ → − →∗ γ 0 , then either γ 0 = A says 0 | 0 B says 0, or there exists a unique culpable in γ . The following theorem states that a participant is always able to recover from culpability by performing some of her duties. This requires at most two steps. Theorem 2.10 (Contractual exculpation). Let γ = A says c | B says d. For all γ 0 such that γ→ − →∗ γ 0 , we have that: (1) γ 0 → 6− → =⇒ A ` ˙ ˙ γ 0 and B ` ˙ ˙ γ0 (2) A a ˙ ˙ γ 0 =⇒ ∀γ 00 .γ 0 → − → γ 00

( A` ˙ ˙ γ 00 , or =⇒ ∀γ 000 .γ 00 → − → γ 000 =⇒ A ` ˙ ˙ γ 000

Item (1) of Theorem 2.10 says that, in a stuck contract, no participant is culpable. Item (2) says that if A is culpable, then she can always exculpate herself in at most two steps, i.e.: one step if A has an internal choice, or a ready followed by an external choice; two steps if A has a ready followed by an internal choice. We specify culpability in Maude as follows. The formula {l} g |= --A-->> is true whenever g has been reached by some transitions of A. The participant A is culpable in g, written A :C g, if g satisfies the LTL formula O --A-->> (where O is the “next” operator of LTL). This is verified through the Maude model checker. 5

commutative monoidal laws for | on processes and systems A[(v)P ] ≡ (v) A[P ] (u)(v)Z ≡ (v)(u)Z

Z | (u)Z 0 ≡ (u)(Z | Z 0 ) if u 6∈ fv(Z) ∪ fn(Z) (u)Z ≡ Z if u 6∈ fv(Z) ∪ fn(Z)

{↓s c}A ≡ 0

Figure 2: Structural equivalence for CO2 (Z, Z 0 range over systems or processes). op eq eq op eq

3

--_->> : Participant -> Prop . {A says a} g |= -- A ->> = true . {l} g |= -- A ->> = false [owise] . _ :C _ : Participant BiContract -> Bool . A :C g = modelCheck(g, O -- A ->>) == true .

Modelling contracting processes

We model agents and systems through the process calculus CO2 [2], which we instantiate with the contracts introduced in § 2. The primitives of CO2 allow agents to advertise contracts, to open sessions between agents with compliant contracts, to execute them by performing some actions, and to query contracts. Syntax. Let V and N be disjoint sets of session variables (ranged over by x, y, . . .) and session names (ranged over by s, t, . . .). Let u, v, . . . range over V ∪ N , and ~u, ~v range over 2V∪N . Definition 3.1. The syntax of CO2 is given as A[P ] Systems S ::= 0 P Processes P ::= P |P i πi .Pi tell ↓u c Prefixes π ::= τ

follows: s[γ] (u)P dou a



S|S



(u)S



{↓u c}A

X(~u) asku φ

Systems are the parallel composition of participants A[P ], delimited systems (u)S, sessions s[γ] and latent contracts {↓u c}A . A latent contract {↓x c}A represents a contract c (advertised by A) which has not been stipulated yet; upon stipulation, the variable x will be instantiated to a fresh session name. We assume that, in a system of the form (~u)(A[P ] | B[Q]) | · · · ), A 6= B. We denote with K a special participant name (playing the role of contract broker) such that, in each system (~u)(A[P ] | ·P · · ), A 6= K. We allow for P prefix-guarded finite sums of processes, and write π1 .P1 + π2 .P2 for i∈{1,2} πi .Pi , and 0 for ∅ P . Recursion is allowed only for processes; def

we stipulate that each process identifier X has a unique defining equation X(x1 , . . . , xj ) = P such that fv(P ) ⊆ {x1 , . . . , xj } ⊆ V, and each occurrence of process identifiers in P is prefix-guarded. We will sometimes omit the arguments of X(~u) when they are clear from the context. Prefixes include silent action τ , contract advertisement tell ↓u c, action execution dou a, and contract query asku φ (where φ is an LTL formula on γ). In each prefix π 6= τ , u refers to the target session involved in the execution of π. In Maude, we translate the syntax of CO2 almost literally. Here we just show the sorts used; see § C for the full details. sorts System Process Prefix SessionName SessionVariable SessionIde GuardProc Sum IdeVec ProcIde ParamList . subsort SessionName < SessionIde < IdeVec . subsort Qid < SessionVariable < SessionIde < IdeVec . subsort GuardProc < Sum < Process . subsort SessionIde < ParamList .

6

A: τ

A[τ.P + P 0 | Q] −−−→ A[P | Q]

[Tau]

A: tell ↓u c

A[tell ↓u c.P + P 0 | Q] −−−−−−→ A[P | Q] | {↓u c}A c ./ d

γ = A says c | B says d

σ = {s/x,y}

[Tell]

s fresh [Fuse]

K: fuse

(x, y)(S | {↓x c}A | {↓y d}B ) −−−−→ (s)(Sσ | s[γ]) A says a

γ −−−−−→ → γ0 [Do]

A: do a

s A[dos a.P + P 0 | Q] | s[γ] −−−−− → A[P | Q] | s[γ 0 ]

γ`φ [Ask]

A: asks φ

0

A[asks φ.P + P | Q] | s[γ] −−−−−→ A[P | Q] | s[γ] µ

def

A: π

S −−−→ S 0 A: delu (π)

(u)S −−−−−−→ (u)S 0

[Del]

µ

S− → S0 µ S | S 00 − → S 0 | S 00 ( τ if u ∈ fnv(π) where delu (π) = π otherwise

X(~u) = P A[P {~v/~u} | Q] | S − → S0 µ A[X(~v ) | Q] | S − → S0

[Def]

[Par]

Figure 3: Reduction semantics of CO2 . The sort SessionIde is a super sort of both SessionVariable and SessionName. Session variables can be of sort Qid; session names can not. Sort IdeVec models sets of SessionIde (used as syntactic sugar for delimitations), while ParamList models vectors of SessionIde (used for parameters of defining equations). Semantics.

µ

The CO2 semantics is formalised by the relation − → in Fig. 3, where µ ∈ {A : π | A 6= K} ∪ {K : fuse}

We will consider processes and systems up-to the congruence relation ≡ in Fig. 2. The axioms for ≡ are fairly standard — except the last one: it collects garbage terms possibly arising from variable substitutions. Rule [Tau] just fires a τ prefix. Rule [Tell] advertises a latent contract {↓x c}A . Rule [Fuse] finds agreements among the latent contracts: it happens when there exist {↓x c}A and {↓y d}B such that A 6= B and c ./ d. Once the agreement is reached, a fresh session containing γ = A says c | B says d is created. Rule [Do] allows a participant A to perform an action in the session s containing γ (which, accordingly, evolves to γ 0 ). Rule [Ask] allows A to proceed only if the contract γ at session s satisfies the property φ. The last three rules are mostly standard. In rule [Del] the label π fired in the premise becomes τ in the consequence, when π contains the delimited name/variable. This transformation is defined by the function delu (π), where the set fnv(π) contains the free names/variables in π. For A: τ

instance, (x) A[tell ↓x c.P ] −−−→ (x) (A[P ] | {↓x c}A ). Here, it would make little sense to have the label A : tell ↓x c, as x (being delimited) may be α-converted. Implementing in Maude the semantics of CO2 is almost straightforward [18]; here we show only the main rules (see § C for the others). Rule [Do] uses the transition relation => on bilateral contracts. Rule [Ask] exploits the Maude model checker to verify if the bilateral contract g satisfies the LTL formula phi. Rule [Fuse] uses the operator |X| to check compliance between the contracts 7

c and d, then creates the session s[A says c | B says d] (with s fresh), and finally applies the substitution {s / x}{s / y} (delimitations are dealt with as in Fig. 3). crl [Do] : A[do s a . P + P’ | Q] | s[g] => {A : do s a} (A[P | Q] | s[g’]) if g => {A says a} g’ . crl [Ask] : A[ask s phi . P + P’ | Q] | s[g] => {A : ask s phi} A[P | Q] if g |- phi . crl [Fuse] : (uVec , vVec) ({x c}A | {y d}B | S) => {K : fuse} (s , vVec) (s[A says c | B says d] | S{s / x}{s / y}) if uVec == (x , y) / c |X| d / s := fresh(0 , S) .

4

Honesty

A remarkable feature of CO2 is that it allows for writing dishonest agents which do not keep their promises. Intuitively, a participant is honest if she always fulfils her contractual obligations, in all possible contexts. Below we formalise the notion of honesty, by slightly adapting the one appeared in [2]. Then, we show how we verify in Maude a weaker notion, i.e. honesty in a given context. We start by defining the set OAs (S) of obligations of A at s in S. Whenever A is culpable at some session s, she has to fire one of the actions in OAs (S). Definition 4.1. We define the set of atoms OAs (S) as: n o A says a OAs (S) = a | ∃γ, S 0 . S ≡ s[γ] | S 0 and γ −−−−−→ → We say that A is culpable at s in S iff OAs (S) 6= ∅. The set of atoms RDAs (S) (“Ready Do”) defined below comprises all the actions that A can perform at s in one computation step within S (note that, by rule [Del], if s is a bound name then RDAs (S) = ∅). The set WRDA s (S) (“Weak Ready Do”) contains all the actions that A may possibly perform at s after a finite sequence of transitions of A not involving any do at s. Definition 4.2. For all S, A and s, we define the sets of atoms: n o A: dos a → S0 RDAs (S) = a | ∃S 0 . S −−−−− o n A: 6=dos WRDAs (S) = a | ∃S 0 . S −−−−−→∗ S 0 ∧ a ∈ RDAs (S 0 ) A: 6=dos

A: π

where we write S −−−−−→ S 0 if ∃π. S −−−→ S 0 ∧ ∀a. π 6= dos a. A participant is ready in a systemif she can fulfil some of her obligations. To check if A is ready in S, we consider all the sessions s in S involving A. For each of them, we check that some obligations of A at s are exposed after some steps of A not preceded by other dos of A. We can now formalise when a participant is honest. Roughly, A[P ] is honest in a given system S when A is ready in all evolutions of A[P ] | S. Then, A[P ] is honest when she is honest in all systemsS. Definition 4.3 (Honesty). We say that: 1. S is A-free iff it has no latent/stipulated contracts of A, nor processes of A 2. A is ready in S iff S ≡ (~u)S 0 ∧ OAs (S 0 ) 6= ∅ =⇒ WRDAs (S 0 ) ∩ OAs (S 0 ) 6= ∅ 3. P is honest in S iff ∀A : (S is A-free ∧ A[P ] | S → − ∗ S 0 ) =⇒ A is ready in S 0 8

4. P is honest iff, for all S, P is honest in S We have implemented items 2 and 3 of the above definition in Maude (item 4 is dealt with in the next section). CO2 can simulate Turing machines [4], hence reachability in CO2 is undecidable, and consequently WRD, readiness and honesty are undecidable as well. To recover decidability, we then restrict to finite state processes: roughly, these are the processes with neither delimitations nor parallel compositions under process definitions. In Maude we verify readiness in a session s by searching if A can reach (with her moves only), a state which allows for a dos a move, for some a. op ready? : Participant SessionName System Module -> Bool . eq ready?(A,s,S,M:Module) = metaSearch(M:Module, upTerm(< S > A s), ’<_>__[’S1:System , upTerm(A) , upTerm(s)], ’S1:System => ’‘_‘_[’l:SLabel,’S2:System] /\ ’_:_[upTerm(A),’do__[upTerm(s),’a:Atom]] := ’l:SLabel, ’*, unbounded, 0 ) =/= failure .

We start the search from the term < S > A s, whose meta-representation is obtained through the upTerm function. The search is performed according to the A-solo semantics of CO2 (see Definition 5.3), which blocks all do at s. This is done by the operator < > . Then, we look for reachable systems S1 where A can fire a do at s. If the search succeeds, ready? returns true. Note that if A has no obligations at s in S, ready? returns false — uncoherently with Def. 4.3. To correctly check readiness, we define the function ready (see § C), which invokes ready? only when OAs (S) 6= ∅. Verifying honesty in a context is done similarly. We use metaSearch to check that A is ready in all reachable states. The operator < > gives the CO2 semantics. op search-honest-ctx : Participant System Module -> ResultTriple? . eq search-honest-ctx(A,S,M:Module) = metaSearch(M:Module, upTerm(< S >), ’<_>[’S:System], ’ready[upTerm(A), ’S:System,’S:System, upTerm(M:Module)] = ’false.Bool, ’*, unbounded, 0) . op honest-ctx : Participant System Module -> Result . ceq honest-ctx (A , S , M:Module) = true if search-honest-ctx (A , S , M:Module) == failure . ceq honest-ctx (A , S , M:Module) = downTerm (T:Term , < (0).System > ) if {T:Term,Ty:Type,S:Substitution} := search-honest-ctx (A,S,M:Module) .

Example 4.4. A travel agency A queries in parallel an airline ticket broker F and a hotel reservation service H in order to organise a trip for some user U. The agency first requires U to pay, and then chooses either to commit the reservation or to issue a refund (contract CU). When querying the ticket broker (contract CF), the agency first receives a quotation, and then chooses either to commit and pay the ticket, or to abort the transaction. The contract CH between A and H is similar. eq CU = pay . (commit ; 0 (+) refund ; 0) . eq CF = ticket . ( commitF ; payF ; 0 (+) abortF ; 0) . eq CH = hotel . ( commitH ; payH ; 0 (+) abortH ; 0) .

In addition to the contracts above, the agency should respect the following constraints: (a) the agency refunds U only if both the transactions with F and H are aborted; (b) A pays the ticket and the hotel reservation only after it has committed the transaction with U; (c) either both the transactions with F or H are committed, or they are both aborted. A possible specification in Maude respecting the above constraints is given by the following process P: eq P = ( xu , xf , xh ) ( tell xu CU . do xu pay . ( (tell xf CF . PF) | (tell xh CH . PH) | PU ) ) . eq PF = do xf ticket . (do xh commitH . 0 + do xf abortF . 0) . eq PH = do xh hotel . (do xf commitF . 0 + do xh abortH . 0) . eq PU = ask xh ([] ~ payH) . do xu refund . 0 + t . do xu commit . (do xf payF . 0 | do xh payH . 0) .

9

The process P first opens a session with U, and then advertises the contracts CF and CH, and in parallel executes PU. The process PF gets the ticket quotation, then either commits the hotel reservation, or aborts the flight reservation. Dually, PH gets the hotel quotation, then either commits the flight reservation, or aborts the hotel reservation. Note that the two choices in PF and PH ensure that constraint (c) above is satisfied: e.g., if PF fires the commitH (resp. abortF) prefix, the abortH (resp. commitF) branch in PH is disabled, and only commitF (resp. abortH) can be selected. The process PU checks if a refund is due to U. When the atom payH is no longer reachable in session xh, the ask passes, and the refund is issued. This guarantees constraint (a). In the τ -branch, PU commits the transaction with U, and then proceeds to pay both F and H. This satisfies constraint (b). Note that it may happen that PU chooses to commit even when CF or CH are not stipulated. Although this behaviour is conceptually wrong, it does not affect honesty. Indeed, honesty does not consider the domain-specific constraints among actions (e.g. (a), (b), (c) above), but only that the advertised contracts are respected. We have experimented the function honest-ctx by inserting P in some contexts S where all the other participants U, F and H are honest (see §B for details). The Maude model checker has correctly determined that P is honest in S. red honest-ctx(A , S , [’TRAVEL-AGENCY-CTX]) . rewrites: 53950741 in 38062ms cpu (38058ms real) (1417429 rewrites/second) result Bool: true

Even though we conjecture that P is honest (in all contexts), we anticipate here that the verification technique proposed in § 5 does not classify P as honest. This is because the analysis is (correct but) not complete in the presence of ask: indeed, the precise behaviour of an ask is lost by the analysis, because it abstracts from the contracts of the context. Example 4.5. Consider the following contracts and processes: c = a; 0 P = (x) tell ↓x c. dox a

d = ¯a . 0 Q = (y) tell ↓y d. X

def

where X = τ.X

We have the following (concrete) computation in the system S = A[P ] | B[Q]: A: τ

S −−−−→(x)(A[dox a] | B[Q] | {↓x c}A ) B: τ

−−−−→(x, y)(A[dox a] | B[X] | {↓x c}A | {↓y d}B ) K: fuse

B: τ

B: τ

−−−−→(s) (A[dos a] | B[X] | s[A says c | B says d]) = S 0 −−−→ S 0 −−−→ · · · In the above computation, an unfair scheduler prevents A from making her moves, and so A remains persistently culpable in such computation. However, A is ready in S 0 (because the dos a is enabled), and therefore P is honest according to Def. 4.3. This is coherent with our intuition about honesty: an honest participant will always exculpate herself in all fair computations, but she might stay culpable in the unfair ones, because an unfair scheduler might always give precedence to the actions of the context.

5

Model checking honesty

We now address the problem of automatically verifying honesty. As mentioned in § 1, this is a desirable goal, because it alerts system designers before they deploy services which could violate contracts at run-time (so possibly incurring in sanctions). Since honesty is undecidable in general [4], our goal is a verification technique which safely over-approximates honesty, i.e. it never classifies a 10

process as honest when it is not. The first issue is that Def. 4.3 requires readiness to be preserved in all possible contexts, and there is an infinite number of such contexts. To overcome this problem, we present below an abstract semantics of CO2 which preserves the honesty property, while neglecting the actual context where the process A[P ] is executed. The definition of the abstract semantics of CO2 is obtained in two steps. First, we provide the projections from concrete contracts/systems to the abstract ones. Then, we define the semantics of abstract contracts and systems, and we relate the abstract semantics with the concrete one. The abstraction is always parameterised in the participant A the honesty of which is under consideration. The abstraction αA (γ) of a bilateral contract γ = A says c | B says d (Definition 5.1 below) is either c, or ctx .c when d has a ready . Definition 5.1. For all γ, we define the abstract contract αA (γ) as: ( c if d is ready-free αA (A says c | B says d) = ctx a.c if d = ready a.d0 We now define the abstraction αA of concrete systems, which just discards all the components not involving A, and projects the contracts involving A. Definition 5.2. For all A, S we define the abstract system αA (S) as: αA (A[P ]) = A[P ]

αA (s[γ]) = s[αA (γ)] if γ = A says c | B says d

αA ({↓x c}A ) = {↓x c}A

αA (S | S 0 ) = αA (S) | αA (S 0 )

αA ((u)S) = (u)(αA (S))

αA (S) = 0, otherwise

Abstract semantics. We now introduce the semantics of abstract contracts and systems. For µ ` all participants A, the abstract LTSs → − →A and − →A on abstract contracts and systems, respectively, are defined by the rules in Fig. 4. Labels ` are atoms, with or without the special prefix ctx — which indicates a contractual action performed by the context. Labels µ are either ctx or they have the form A : π, where A is the participant in → − A , and π is a CO2 prefix. Rules for abstract contracts (first row in Fig. 4) are simple: in an internal sum, A chooses a branch; in an external sum, the choice is made by the context; in a ready a.c the atom a is fired. The rightmost rule handles a ready in the context contract. For abstract systems, some rules are similar to the concrete ones, hence we discuss only the most relevant ones. Rule [α-Do] involves the abstract transitions of contracts. The behaviour of abstract systems also considers context actions, labelled with ctx . If c ` φ, then the ask φ passes, indepedently from the context (rule [α-Ask]). If c 6` ¬φ, then the ask φ may pass or not, depending and the context (rule [α-AskCtx]). The correctness of these rules is guaranteed by Lemma 5.11. Rule [α-Fuse] says that a latent contract of A may always be fused (the context may choose whether this is the case or not). The context may also decide whether to perform actions within sessions ([α-DoCtx]). Unobservable context actions are modelled by rules [α-Ctx] and [α-DelCtx]. To check if A[P ] is honest, we must only consider those A-free contexts not already containing advertised/stipulated contracts of A. Such systems will always evolve to a system which can be split in two parts: an A-solo system SA containing the process of A, the contracts advertised by A and all the sessions containing contracts of A, and an A-free system Sctx . Definition 5.3. We say that a system S is A-solo iff one of the following holds: S≡0

S ≡ A[P ]

S ≡ s[A says c | B says d]

S ≡ S 0 | S 00 where S 0 and S 00 A-solo 11

S ≡ {↓x c}A

S ≡ (u)S 0 where S 0 A-solo

a

a ; c ⊕ c0 → − →A ctx ¯a.c

ctx : ¯ a

a . c + c0 −−−→ →A ready a. c

a

ctx : a

ready a. c → − →A c

ctx a.c −−−→ →A c

a

c→ − →A c0 A: do a

s A[dos a.P + P 0 | Q] | s[c] −−−−− →A A[P | Q] | s[c0 ]

s fresh ctx ˜ s/x}) (x)(S˜ | {↓x c}A ) −−→A (s)(s[c] | S{

[α-Do]

[α-Fuse]

c`φ A: asks φ

0

A[asks φ.P + P | Q] | s[c] −−−−−→A A[P | Q] | s[c] c 6` ¬φ ctx A[asks φ.P + P | Q] | s[c] −−→A A[P | Q] | s[c] 0

ctx

c −−→ →A c0 ctx s[c] −−→A s[c0 ]

S −−→A S

[α-AskCtx]

ctx S˜ −−→A S˜0 ctx (u)S˜ −−→A (u)S˜0

ctx

[α-DoCtx]

[α-Ask]

[α-Ctx]

[α-DelCtx]

Figure 4: Abstract LTSs for contracts and systems (full set of rules in § B). We say that S is A-safe iff S ≡ (~s)(SA | Sctx ), with SA A-solo and Sctx A-free. The following theorems establish the relations between the concrete and the abstract semantics of CO2 . Theorem 5.4 states that the abstraction is correct, i.e. for each concrete computation there exists a corresponding abstract computation. Theorem 5.5 states that the abstraction is also complete, provided that a process has neither ask nor non-proper contracts. Theorem 5.4. For all A-safe systems S, and for all concrete traces η: η

S −→∗ S 0

=⇒

η ˜

∃˜ η : αA (S) −→A∗ αA (S 0 )

Furthermore, if η is A-solo and S is ask-free, then η = η˜. Theorem 5.5. For all ask-free abstract system S˜ with proper contracts only: S˜ → − A∗ S˜0 =⇒ ∃S, S 0 A-safe. αA (S) = S˜ ∧ S → − ∗ S 0 ∧ αA (S 0 ) = S˜0 The abstract counterparts of Ready Do, Weak Ready Do, and readiness are defined as expected, by using the abstract semantics instead of the concrete one (see §B for details). The notion of honesty for abstract systems, namely α-honesty, follows the lines of that of honesty in Def. 4.3. ˜ A is Definition 5.6 (α-honesty). We say that P is α-honest iff for all S˜ such that A[P ] → − A∗ S, ˜ ready in S. The main result of this paper follows. It states that α-honesty is a sound approximation of honesty, and — under certain conditions — it is also complete. Theorem 5.7. If P is α-honest, then P is honest. Conversely, if P is honest, ask-free, and has proper contracts only, then P is α-honest. In Maude, we implement abstract semantics for system and contracts for one-step transitions. We obtain their transitive closure, discarding labels, with the operator < >. The function ready in search-honest computes abstract readiness. 12

op search-honest : Process Module -> ResultTriple? . eq search-honest(P , M:Module) = metaSearch(M:Module, upTerm(< A[P] >), ’<_>[’S:System], ’ready[’S:System,’S:System, upTerm(M:Module)] = ’false.Bool, ’*, unbounded, 0) . op honest : Process Module -> Result . ceq honest (P, M:Module) = true if search-honest (P,M:Module) == failure . ceq honest (P, M:Module) = downTerm (T:Term , < (0).System > ) if {T:Term, Ty:Type, S:Substitution} := search-honest (P , M:Module) .

Honesty is checked by searching for states such that A is not ready. If the search fails, then As in § 4, this function is decidable for finite state processes, i.e. those without delimitation/parallel under process definitions. A is honest.

On the verification of ask We now formalise the meaning of the relation ` used in the concrete and abstract semantics of ask . Let A be the set of atoms, and let ε 6∈ A. Let a, b, · · · range over A ∪ {ε}. In the following all γ are assumed to be compositions of compliant unilateral contracts. Definition 5.8. We define the (unlabelled) transition system TS = (Σ, →, I, A, L) as follows: • S = {(a, γ) | γ is a bilateral contract and a ∈ A ∪ {ε}}, • I = {(a, γ) ∈ S | a = ε} • the transition relation →⊆ S × S is defined by the following rule: A says a

(b, γ) → (a, γ 0 )

if γ −−−−−→ → γ0

• the labelling function L : S → A ∪ {ε} is defined as L((a, γ)) = a. f = (Σ, → , I, A, L) as follows: Definition 5.9. We define the (unlabelled) transition system TS • S = {(a, c˜) | c˜ is an abstract contract and a ∈ A ∪ {ε}}, • I = {(a, c˜) ∈ S | a = ε} • the transition relation →⊆ S × S is defined by the following rule: a

(b, c˜) → (a, c˜0 )

ctx :a

if c → − →A c0 ∨ c˜ −−−→ →A c˜0

• the labelling function L : S → A ∪ {ε} is defined as L((a, c˜)) = a. Definition 5.10. We define the set Paths(s0 ) of maximal traces from a state s0 as: {L(s0 )L(s1 ) · · · | ∀i > 0. si−1 → si } ∪ {L(s0 ) · · · L(sn ) | (∀i ∈ 1..n. si−1 → si ) ∧ sn 6→} Then, we write: • γ ` φ whenever ∀π ∈ Paths((, γ)). π |= φ in LTL. • c˜ ` φ whenever ∀π ∈ Paths((, c˜)). π |= φ in LTL. Lemma 5.11 below guarantees the correctness of the abstract semantics of ask. Item (1) shows the correctness of rule [α-ask]: if c˜ ` φ, then the rule allows for a transition of A, and then by Lemma 5.11 we know that ask φ will pass in each possible concrete context. Rule [α-askCtx] allows the context to fire the ask φ only if c˜ 6` ¬φ. Item (2) of Lemma 5.11 shows that this condition is correct, because whenever the ask φ may pass in some concrete context, then c˜ 6` ¬φ holds. Lemma 5.11. For all abstract contracts c˜ and for all LTL formulae φ: (1) c˜ ` φ ⇐⇒ ∀γ . αA (γ) = c˜ =⇒ γ ` φ (2) ∃γ . αA (γ) = c˜ ∧ γ ` φ =⇒ c˜ 6` ¬φ 13

Experiments The following example shows a process which was erroneously classified as honest in [4]. The Maude model checker has determined the dishonesty of that process, and by exploiting the Maude tracing facilities we managed to fix it. Example 5.12. A store A offers buyers two options: clickPay or clickVoucher. If a buyer B chooses clickPay, A requires a payment (pay) otherwise A checks the validity of the voucher with V, an online voucher distribution system. If V validates the voucher (ok), B can use it (voucher), otherwise (no) B must pay. We specify in Maude the contracts CB (between A and B) and CV (between A and V) as: eq CB

= clickPay . pay . 0 + clickVoucher . (- reject ; pay . 0 (+) - accept ; voucher . 0) . eq CV = ok . 0 + no . 0 .

We can specify in Maude a CO2 process for A as follows: eq P = (x)(tell x CB . (do x clickPay . do x pay . 0 + do x clickVoucher . ((y) tell y CV . Q))) . eq Q = do y ok . do x - accept . do x voucher . 0 + do y no . do x - reject . do x pay . 0 + R . eq R = t . (do x - reject . do x pay . 0) .

Variables x and y in P correspond to two separate sessions, where A respectively interacts with B and V. The advertisement of CV causally depends on the stipulation of the contract CB, because A must fire clickVoucher before tell y CV. In process Q the store waits for the answer of V: if V validates the voucher (first branch), then A accepts it from B; otherwise (second branch), A requires B to pay. The third branch R allows A to fire a τ action, and then reject the voucher. The intuition is that τ models a timeout, to deal with the fact that CV might not be stipulated. When we check the honesty of P with Maude, we obtain: red honest(P , [’STORE-VOUCHER]) . rewrites: 31649 in 72ms cpu (77ms real) (439545 rewrites/second) result TSystem: < ($ 0,$ 1)(A[do $ 0 - reject . do $ 0 pay . (0).Sum] | $ 0[- accept ; voucher . 0(+)- reject ; pay . 0] | $ 1[ready ok . 0]) >

This means that the process P is dishonest: actually, the output provides a state where A is not ready. There, A must do ok in session y ($1), while A is only ready to do a -reject at session x ($0). This problem occurs when the branch R is chosen. To recover honesty, it suffices to replace R with the following process R’: eq R’ = t . (do x - reject . do x pay . 0 | (do y no . 0 + do y ok . 0)) . red honest(P’ , [’STORE-VOUCHER]) . rewrites: 44009 in 32ms cpu (30ms real) (1375195 rewrites/second) result Bool: true

Example 5.13. Recall the contract of the store in Example 2.7. A possible specification of the store is the following one: eq PA = (x) (tell x CA . do x addToCart . X(x)) . eq PPay = do x pay . (t . do x - ok . 0 + t . do x - no . 0) . eq env = (X(x) =def do x addToCart . X(x) + PPay + do x cancel . 0) .

The process PA first advertises the contract CA, and when the session x is created, it waits that the user performs the first addToCart. Then, the store enters a recursive process X. In the body of X, the store accepts three actions from the user: an addToCart, which is followed by a recursive call to X, a cancel, which terminates the store process, or a pay from the user, which is handled by the process PPay. Within PPay, after the payment is received the store internally chooses whether to accept it or not, by firing the actions - ok or - no, respectively. The Maude model checker correctly classifies the process PA as honest: 14

red honest(PA , [’STORE-CART]) . rewrites: 2895 in 40ms cpu (39ms real) (72371 rewrites/second) result Bool: true

Example 5.14. Consider an on-line food store A, which sells apples (a) and bottles of an expensive italian Brunello wine (b). Selling apples is quite easy: once an order is placed, A accepts it (with the feedback - ok) and waits for a payment (pay) before shipping the goods (- ship-a). However, if expensive bottles of Brunello are ordered, the store is entitled to either decline the order (by answering - no), or accept it (and, as above, ship the item after the payment). The store contract can be modelled in Maude as follows: eq CA = a . - ok ; pay . - ship-a ; 0 + b . (- no ; 0 (+) - ok ; pay . - ship-b ; 0) .

and a possible specification of the store A is: eq ship-a? = <> (- ship-a) . eq PA = (x) (tell x CA . do x a . X(x) + do x b . X(x)) . eq env = (X(x) =def do x - ok . do x pay . ask x ship-a? . do x - ship-a . 0) .

Here, A creates a private channel x, and advertises the contract CA. Once the session at x is initiated, PA can accept an order for a or b on x. In both cases, the process X(x) is invoked. There, A accepts the transaction with ok, and waits for payment. Then A checks whether the contract requires to ship apples: if the query ask x ship-a? passes, the goods are shipped. Otherwise, when the customer B orders Brunello, A maliciously gets stuck, and so B has paid for nothing. Clearly, this store is dishonest, as it does not respect its own contract CA. The Maude model checker gives: red honest(PA , [’FOOD-STORE-MALICIOUS]) . rewrites: 1433 in 20ms cpu (20ms real) (71646 rewrites/second) result TSystem: < ($ 0)(A[do $ 0 a . X($ 0)] | $ 0[ready b . (- ok ; pay . ship-b ; 0(+)- no ; 0)]) >

At session $ 0 (i.e., x), the store A must perform a b (because of the ready b), while the process of A is only ready to perform an a. Consider now a non-malicious implementation of the store. Here, before accepting orders the store requires an insurance to cover shipment damages. — which may be particularly useful for the expensive (and fragile) Brunello bottles. The contract between A and the insurance company is: eq CI = - payI . (- cover ; 0 (+) - cancel ; 0) .

There, A promises to pay (payI) and then choose between getting the coverage, or cancelling the request. The new specification of the store process is: eq PA = (x , y) (tell y CI . do y - payI . tell x CA . (do x a . do x - ok . X(x) + do x b . Y(x ; y))) . eq env = ( X(x) =def do x pay . (do x - ship-a . 0 + do x - ship-b . 0) & Y(x ; y) =def do y - cover . (do x - ok . X(x) + t . do x - no . 0) ) .

The store A first requests an insurance by advertising CI. Once an insurance company C agrees, A pays the premium (on channel y), and then advertises CA; once an agreement with a customer B is reached, A waits for a or b orders. If apples are requested, A acknowledges (- ok) and invokes X(x); there, A waits for payment, checks which good has to be shipped, and actually ships it. Otherwise, if Brunello is requested, Y(x,y) is invoked: there, A requests the insurance coverage paid in advance; then, either the order is accepted and X(x) is invoked for payment and shipment (as above), or the transaction is declined after an internal τ -action (e.g. a wake up after a timeout). When we check PA for honesty, we obtain: 15

red honest(PA , [’FOOD-STORE-NAIVE]) . rewrites: 9377 in 20ms cpu (23ms real) (468803 rewrites/second) result TSystem: < (x,$ 0)(A[tell x (a . - ok ; pay . - ship-a ; 0 + b . (- ok ; pay . - ship-b ; 0(+)- no ; 0)) . (do x a . do x - ok . X(x) + do x b . Y(x ; $ 0))] | $ 0[- cover ; 0(+)- cancel ; 0]) >

The specification of PA does not seem malicious: however, it is keen to ship the goods, but it is not honest either due to the interaction between A and the insurance company. Actually, if C does not execute cover, then A gets stuck on do y - cover, unable to honour CA by providing the expected ok or no. Furthermore, A is dishonest w.r.t. CI: the premium is paid in advance, but A may never perform do y - cover nor do y - cancel — e.g. if no agreement on CA is found, or if the customer B is stuck, or if B simply chooses to buy apples. Thus, due to implementation na¨ıveties, A may be blamed due to the unexpected (or malicious) behaviour of other participants. Finally, a honest implementation of the food store is the following: eq PA = (x) (tell x CA . (do x a . X(x) + do x b . Y(x))) . eq env = ( X(x) =def do x - ok . do x pay . (ask x (O - ship-a) . do x - ship-a . 0 + ask x (O - ship-b) . do x - ship-b . 0) & Y(x) =def (y) (tell y CI . do y - payI . 0 | (do y - cover . X(x) + t . (do x - no . 0 | do y - cancel . 0))) ) .

Indeed, the Maude model checker gives: red honest(PA , [’FOOD-STORE-HONEST]) . rewrites: 35872 in 48ms cpu (48ms real) (747286 rewrites/second) result Bool: true

6

Conclusions

We have described an executable specification in Maude of a calculus for contract-oriented systems. This has been done in two steps. First, we have specified a model for contracts, and we have formalised in Maude their semantics, and the crucial notions of compliance and culpability (§ 2). This specification has been exploited in § 3 to implement in Maude the calculus CO2 [3]. Then, we have considered the problem of honesty [4], i.e. that of deciding when a participant always respects the contracts she advertises, in all possible contexts (§ 4). Writing honest processes is not a trivial task, especially when multiple sessions are needed for realising a contract (see e.g. Ex. 4.4 and Ex. 5.12). We have then devised a sound verification technique for deciding when a participant is honest, and we have provided an implementation of this technique in Maude (§ 5). Related work. Rewriting logic [11] has been successfully used for more than two decades as a semantic framework wherein many different programming models and logics are naturally formalised, executed and analysed. Just by restricting to models for concurrency, there exist Maude specifications and tools for CCS [16], the π-calculus [15], Petri nets [14], Erlang [13], Klaim [17], adaptive systems [6], etc. A more comprehensive list of calculi, programming languages, tools and applications implemented in Maude is collected in [12]. The contract model presented in § 2 is a refined version of the one in [4], which in turn is an alternative formalisation of the one in [7]. Our version is simpler and closer to the notion of session behaviour [1], and enjoys several desirable properties. Theorem 2.9 establishes that only one participant may be culpable in a bilateral contract, whereas in [4] both participants may be culpable, e.g. in A says a ; c | B says ¯a ; d. In our model, if both participants have an internal (or external) 16

choice, then their contracts are not compliant, whereas e.g. a.c and ¯a.d (both external choices) are compliant in [4, 7] whenever c and d are compliant. The exculpation property established by Theorem 2.10 is stronger than the corresponding one in [4]. There, a participant A is guaranteed to exculpate herself by performing (at most) two consecutive actions of A, while in our model two any actions (of whatever participant) suffice. As far as we know, the concept of contract-oriented computing (in the meaning used in this paper) has been introduced in [5]. CO2 , a contract-agnostic calculus for contract-oriented computing, has been instantiated with several contract models — both bilateral [4, 2] and multiparty [10, 3]. Here we have instantiated it with the contracts in § 2. A minor difference w.r.t. [4, 2, 10] is that here we no longer have fuse as a language primitive, but rather the creation of fresh sessions is performed non-deterministically by the context (rule [Fuse]). This is equivalent to assume a contract broker which collects all contracts, and may establish sessions when compliant contracts are found. In [4], a participant A is considered honest when, in each possible context, she can always exculpate herself by a sequence of A-solo moves. Here we require that A is ready (i.e. some of her obligations are in the Weak Ready Do set) in all possible contexts, as in [2]. We conjecture that these two notions are equivalent. In [2] a type system has been proposed to safely over-approximate honesty. The type of a process P is a function which maps each variable to a channel type. These are behavioural types (in the form of Basic Parallel Processes) which essentially preserve the structure of P , by abstracting the actual prefixes as “non-blocking” and “possibly blocking”. The type system relies upon checking honesty for channel types, but no actual algorithm is given for such verification, hence type inference remains an open issue. In contrast, here we have directly implemented in Maude a verification algorithm for honesty, by model checking the abstract semantics in § 5. Acknowledgments. This work has been partially supported by Aut. Region of Sardinia under grants L.R.7/2007 CRP-17285 (TRICS) and P.I.A. 2010 project “Social Glue”, and by MIUR PRIN 2010-11 project “Security Horizons”, and by EU COST Action IC1201 “Behavioural Types for Reliable Large-Scale Software Systems” (BETTY).

References [1] F. Barbanera and U. de’Liguoro. Two notions of sub-behaviour for session-based client/server systems. In PPDP, 2010. [2] M. Bartoletti, A. Scalas, E. Tuosto, and R. Zunino. Honesty by typing. In FMOODS/FORTE, volume 7892 of LNCS, 2013. [3] M. Bartoletti, E. Tuosto, and R. Zunino. Contract-oriented computing in CO2 . Sci. Ann. Comp. Sci., 22(1), 2012. [4] M. Bartoletti, E. Tuosto, and R. Zunino. On the realizability of contracts in dishonest systems. In COORDINATION, volume 7274 of LNCS, 2012. [5] M. Bartoletti and R. Zunino. A calculus of contracting processes. In LICS, 2010. [6] R. Bruni, A. Corradini, F. Gadducci, A. Lluch-Lafuente, and A. Vandin. Modelling and analyzing adaptive self-assembly strategies with Maude. In WRLA, volume 7571 of LNCS, 2012. [7] G. Castagna, N. Gesbert, and L. Padovani. A theory of contracts for web services. ACM Transactions on Programming Languages and Systems, 31(5), 2009.

17

[8] M. Clavel, F. Dur´ an, S. Eker, P. Lincoln, N. Mart´ı-Oliet, J. Meseguer, and J. F. Quesada. Maude: Specification and programming in rewriting logic. TCS, 2001. [9] K. Honda, V. T. Vasconcelos, and M. Kubo. Language primitives and type disciplines for structured communication-based programming. In ESOP, volume 1381 of LNCS, 1998. [10] J. Lange and A. Scalas. Choreography synthesis as contract agreement. In ICE, 2013. [11] J. Meseguer. Rewriting as a unified model of concurrency. In CONCUR, volume 458 of LNCS, 1990. [12] J. Meseguer. Twenty years of rewriting logic. JLAP, 81(7-8), 2012. [13] M. Neuh¨ außer and T. Noll. Abstraction and model checking of core Erlang programs in Maude. ENTCS, 176(4), 2007. ¨ [14] M.-O. Stehr, J. Meseguer, and P. C. Olveczky. Rewriting logic as a unifying framework for Petri nets. In Unifying Petri Nets, 2001. [15] P. Thati, K. Sen, and N. Mart´ı-Oliet. An executable specification of asynchronous pi-calculus semantics and may testing in Maude 2.0. ENTCS, 71, 2002. [16] A. Verdejo and N. Mart´ı-Oliet. Implementing CCS in Maude 2. ENTCS, 71, 2002. [17] M. Wirsing, J. Eckhardt, T. M¨ uhlbauer, and J. Meseguer. Design and analysis of cloud-based architectures with KLAIM and Maude. In WRLA, volume 7571 of LNCS, 2012. [18] T. F. S ¸ erb˘ anut¸˘ a, G. Ro¸su, and J. Meseguer. A rewriting logic approach to operational semantics. Information and Computation, 207(2):305 – 340, 2009.

18

Proofs for § 2

A

Lemma A.1. For all γ, if γ → − → A says ready a.c | B says d, then d is ready -free. Proof. By the semantics of contracts, a ready can only occur at top-level of a contract. By Definition 2.1, only one ready can occur in γ. The thesis then follows by straightforward analysis of the rules in Figure 1. Below we establish that contracts are deterministic, under the condition that contracts are proper, i.e. the prefixes of each summation are pairwise distinct. Determinism ensures that the obligations of a participant at any given time are uniquely determined by their past actions. Lemma A.2 (Determinism). Let c, d be proper contracts, and let γ = A says c | B says d. Then, for all labels µ, and for all bilateral contracts γ 0 and γ 00 : µ

µ

γ− → → γ0 ∧ γ − → → γ 00

=⇒

γ 0 = γ 00

Proof. Let γ = A says c | B says d, and w.l.o.g. assume that µ = A says a. Each rule in Figure 1 may generate at most one µ transition for γ. It is therefore enough to consider the set of applicable rules. We have the following two cases: µ

[Rdy]

We have that γ = A says ready a. c0 | B says d. The only possible transition is γ − → → A says c0 | B says d, so we are done. We have that γ = A says (a ; c ⊕ c0 ) | B says (¯a . d + d0 ). The rule gives the transition µ γ− → → A says c | B says ready ¯a.d, which is unique because the contracts are proper.

[IntExt]

Note that the cases where A cannot perform any action need not be considered. Lemma A.3. Let γ = A says c | B says d. Then: c ./ d ⇐⇒

∀c0 , d0 . γ → − →∗ A says c0 | B says d0 =⇒ c0 ./ d0




Proof. The “if” direction is trivial. For the “only if” direction, we proceed by induction on the length n of the derivation γ → − →n A says c0 | B says d0 . Suppose that c ./ d. The base case (n = 0) holds trivially. Now, suppose that γ → − →n−1 A says c00 | B says d00 → − → A says c0 | B says d0 . By the 00 00 induction hypothesis, c ./ d . Then, by item (2) of Definition 2.3 we conclude that c0 ./ d0 . The following lemma shows that rdy(γ) produces the same output for equivalent contracts. Lemma A.4. γ ≡ γ 0 =⇒ rdy(γ) = rdy(γ 0 ). Proof. Straightforward by Def. 2.3 and by the definition of the equivalence ≡. The following lemma guarantees, for all proper contracts c, the existence of a contract d compliant with c. Intuitively, we can construct d from c by turning internal choices into external ones (and viceversa), and by turning actions into co-actions. Lemma 2.5. For all proper contracts c, there exists d such that c ./ d. Proof. For all proper contracts c, let the contract dual(c) be inductively defined as follows: ! M X ¯ai . dual(ci ) dual ai ; ci = dual(rec X. c) = rec X. dual(c) i∈I

i∈I

! dual

X i∈I

ai . ci

=

M

¯ai ; dual(ci )

dual(X) = X

i∈I

19

Now, let R be the smallest relation such that, for all ready-free c and for all atoms a: (c , dual(c)) ∈ R

(1)

(c , ready a. dual(c)) ∈ R

(2)

(ready a. dual(c) , c) ∈ R

(3)

Also, for all pair X of proper contracts, let:   rdy(A says c | B says d) 6= ⊥, and F (X) = (c, d) | A says c | B says d → − → A says c0 | B says d0 =⇒ (c0 , d0 ) ∈ X By the coinduction proof principle, we have to show that R ⊆ F (R). Suppose that (c, d) ∈ R. The three equations defining R satisfy the first requirement of F , i.e. rdy(A says c | B says d) 6= ⊥: it is trivial for 2 and 3, while for 1 it can be easily proved by cases on the structure of c. We now prove that (c, d) satisfies the second requirement of F . We have the following three cases, according to the equation used to prove (c, d) ∈ R. • (1), d = dual(c). We have two subcases, according to the form of c. Suppose first that c is an external sum, i.e. c = (a ; c0 ) + c00 . Then d = ¯a . dual(c0 ) ⊕ dual(c00 ). By rule [IntExt], A says c | B says d → − → A says c0 | B says ready ¯a. dual(c0 ), We obtain the thesis by observing 0 that (c , ready ¯a. dual(c0 )) ∈ R follows by (2). The case where c is an internal sum is similar. • (2), d = ready a. dual(c). By rule [Rdy], A says c | B says d → − → A says c | B says dual(c). The thesis follows by observing that (c0 , dual(c0 )) ∈ R follows by 1. • (3), c = ready a. dual(d). Similar to the previous case. Summing up, R is a compliance relation, hence by item (1) it follows that c ./ dual(c). Lemma 2.6. For all bilateral contracts γ = A says c | B says d: c ./ d ⇐⇒ (∀γ 0 . γ → − →∗ γ 0 =⇒ rdy(γ 0 ) 6= ⊥) Proof. The “only if” part follows directly by Lemma A.3 and by Definition 2.3. For the “if” part, assume that c ./ d, and let: n o ˆ | γ→ R = (ˆ c, d) − →∗ A says cˆ | B says dˆ ( F (X)

=

  ) ˆ 6= ⊥, and rdy A says c ˆ | B says d ˆ | (ˆ c, d) A says cˆ | B says dˆ → − → A says cˆ0 | B says dˆ0 =⇒ (ˆ c0 , dˆ0 ) ∈ X

ˆ ∈ R. By the “only By the coinduction proof principle, we have to show that R ⊆ F (R). c, d)  Let (ˆ if” direction of Lemma 2.6, it follows that rdy A says cˆ | B says dˆ 6= ⊥ (thus satisfying the first condition of F ), and either:   ˆ vacuously • rdy A says cˆ | B says dˆ = ∅. Then, A says cˆ | B says dˆ → 6− →, and thus (ˆ c, d) satisfies the second clause of F ;   • rdy A says cˆ | B says dˆ 6= ∅. Then, A says cˆ | B says dˆ → − → A says cˆ0 | B says dˆ0 , for some ˆ satisfies the second clause of F . c0 , dˆ0 ) ∈ R. Thus, (ˆ c, d) cˆ0 , dˆ0 , and so also (ˆ

20

ˆ ∈ R =⇒ (ˆ ˆ ∈ F (R). Therefore, in both cases, we have that (ˆ c, d) c, d) Theorem 2.9. Let γ = A says c | B says d, with c ./ d. If γ → − →∗ γ 0 , then either γ 0 = A says 0 | 0 B says 0, or there exists a unique culpable in γ . Proof. By Lemma 2.6 it follows that rdy(γ 0 ) 6= ⊥. So, by Definition 2.3 we have the following three cases (symmetric ones are omitted): • γ 0 = A says 0 | B says 0, from which the thesis follows directly. • γ 0 = A says ready a.c0 | B says d0 , with d0 ready-free (Lemma A.1). We have only one transition from γ 0 , given by rule [Rdy], which prescribes a move of A. By Definition 2.8, we have that A a ˙ ˙ γ 0 and B ` ˙ ˙ γ0. L P P • γ 0 = A says i∈I ai ; ci | B says i∈I ¯ai . di + j∈J bj . dj . Only rule [IntExt] can be applied, and it prescribes a move of A. By Definition 2.8, we conclude that A a ˙ ˙ γ 0 and B ` ˙ ˙ γ0. Theorem 2.10. Let γ = A says c | B says d. For all γ 0 such that γ → − →∗ γ 0 , we have that: (1) γ 0 → 6− → =⇒ A ` ˙ ˙ γ 0 and B ` ˙ ˙ γ0 0

00

0

(2) A a ˙ ˙ γ =⇒ ∀γ .γ → − →γ

00

( A` ˙ ˙ γ 00 , or =⇒ ∀γ 000 .γ 00 → − → γ 000 =⇒ A ` ˙ ˙ γ 000

Proof. Item (1) follows directly from Definition 2.8. For item (2), we proceed by cases on the rule used to deduce γ 0 → − → γ 00 (the symmetric cases are omitted). We have that γ 0 = A says a ; c0 ⊕ c00 | B says ¯a . d0 + d00 , and γ 00 = A says c0 | B says ready ¯a.d0 . By rule [Rdy], γ 00 can only take a move of B. Therefore, A ` ˙ ˙ γ 00 .

[IntExt]

[Rdy]

B

We have that γ 0 = A says ready a.c0 | B says d0 , and γ 00 = A says c0 | B says d0 . Now we have two further subcases. If A ` ˙ ˙ γ 00 , then we have the thesis. Otherwise, if A a ˙ ˙ γ 00 , since c0 and 0 00 0 00 d are ready -free, then γ must have the form A says a ; c ⊕ c | B says ¯a . d0 + d00 . By rule 00 A says b ¯ 000 , [IntExt] we have that, if γ −−−−−→ → γ 000 for some b, then γ 000 will have the form ready b.d 000 000 for some d . Therefore, A ` ˙˙ γ .

Proofs for § 5

Remark B.1 (On contextes and closed participants). When defining honesty, we limit ourselves to closed participants (i.e., participants whose processes have no free variables). This is necessary in order to rule out tricky cases in which a context with properly crafted delimitations would make a participant trivially dishonest. Consider, for instance, the process P = tell ↓x c, where c = a ; 0. Let S = (x)(A[P ] | B[tell ↓x d]), where d = a . 0. The system S is not A-safe. Indeed, since the delimitation (x) appears in both A’s and B’s processes, then S cannot be rewritten (via congruence rules) in the form (~s)(SA | Sctx ) with SA A-solo and Sctx A-free, as required by Def. 5.3. However, the above process P is trivially honest, since it advertises the contract c using a free variable x, and c will never be stipulated if A[P ] is composed in parallel with some A-free system (as per Def. 4.3). But if A[P ] is put in a context which delimits x, such as in S above, then c may indeed be stipulated: S → − ∗ (s)(A[0] | B[0] | s[A says c | B says d]) = S 0 , and A is not ready in S 0 . 21

a

a ; c ⊕ c0 → − →A ctx ¯a.c

ctx : ¯ a

a . c + c0 −−−→ →A ready a. c

a

ready a. c → − →A c

ctx : a

ctx a.c −−−→ →A c

A: τ

A[τ.P + P 0 | Q] −−−→A A[P | Q]

[α-Tau]

A: tell ↓x c

A[tell ↓x c.P + P 0 | Q] −−−−−−→A A[P | Q] | {↓x c}A

[α-Tell]

a

c→ − →A c0 [α-Do]

A: do a

s s[c] | A[dos a.P + P 0 | Q] −−−−− →A s[c0 ] | A[P | Q]

s fresh ctx ˜ ˜ s/x}) (x)(S | {↓x c}A ) −−→A (s)(s[c] | S{

[α-Fuse]

c`φ [α-Ask]

A: asks φ

0

A[asks φ.P + P | Q] | s[c] −−−−−→A A[P | Q] | s[c] c 6` ¬φ ctx A[asks φ.P + P 0 | Q] | s[c] −−→A A[P | Q] | s[c] µ def X(~u) = P A[P {~v/~u} | Q] | S˜ − →A S˜0 µ A[X(~v ) | Q] | S˜ − →A S˜0 A: π S˜ −−−→A S˜0 A: delu (π)

(u)S˜ −−−−−−→A (u)S˜0

[α-Def]

[α-Del]

[α-AskCtx]

µ S˜ − → S˜0 µ S˜ | S˜00 − →A S˜0 | S˜00

ctx S˜ −−→A S˜0 ctx (u)S˜ −−→A (u)S˜0

[α-Par]

[α-DelCtx]

ctx

c −−→ →A c0 ctx s[c] −−→A s[c0 ]

ctx

[α-DoCtx]

S −−→A S

[α-Ctx]

Figure 5: Abstract LTSs for contracts and systems (full set of rules). In Lemma B.2 below we show that A-safety is preserved by transitions. Consequently, we can safely consider A-safe systems only. Lemma B.2. For all systems S, S 0 such that S → − S0: (1) If S is A-solo, then S 0 is A-solo. (2) If S is A-free, then S 0 is A-free. (3) If S is A-safe, then S 0 is A-safe. Proof. Items (1) and (2) are straightforward by Def. 5.3 and by the semantics of CO2 . For item (3), we proceed by induction on the depth of the derivation of S → − S 0 . Let S be A-safe. Then, by Def. 5.3, S ≡ (~s)(SA | Sctx ), for some A-solo SA and A-free Sctx . By repeatedly applying rule [Del], we have that: .. . SA | Sctx → − S00 [Del] .. . [Del] S ≡ (~s)(SA | Sctx ) → − (~s)S00 = S 0 We have then the following cases, according to the rule used to deduce SA | Sctx → − S00 . 22

[Do]

There are the following three subcases. • The do is fired by A. Then, S00 = SA0 | Sctx . By item (1), SA0 is A-solo, hence S 0 is A-safe. 0 • The do is fired by some B 6= A, in a session not involving A. Then, S00 = SA | Sctx . By 0 0 item (2), Sctx is A-free, hence S is A-safe.

• The dos a is fired by some B 6= A, in a session s involving A. We have that SA ≡ SA00 | s[γ], 0 with γ = A says c | B says d, and Sctx = B[dos a.P + Q | R] | Sctx . Then, by rule [Do]: B says a

SA | Sctx

γ −−−−−→ → γ0 00 0 0 → − SA | s[γ ] | B[P | R] | Sctx

0 We have that SA00 | s[γ 0 ] is A-solo, and B[P | R] | Sctx is A-free. Therefore, S 0 is A-safe.

Similar to the case

[Ask] [Fuse]

[Do].

0 We have SA ≡ (x)(SA0 | {↓x c}A ), Sctx ≡ (y)(Sctx | {↓y d}B ), and:

c ./ d

γ = A says c | B says d σ = {s/x,y} 0 0 σ) = S 0 SA | Sctx → − (s)(SA σ | s[γ] | Sctx 0

s fresh

0 σ is A-free, then by Def. 5.3, S00 is A-safe. Therefore, We have that SA0 σ | s[γ] is A-solo, and Sctx S = (~s)S00 is A-safe as well. [Par]

There are the following two subcases. • SA → − SA0 , and S00 = SA0 | Sctx . By item (1), SA0 is A-solo, hence S 0 is A-safe. 0 0 is A-free, hence S 0 is A-safe. . By item (2), Sctx • Sctx → − Sctx

[Def]

There are two subcases, according to which participant has moved. • move of A. We have that SA = A[X(~v ) | Q] | SA0 , for some A-solo SA0 , and: def

X(~u) = P

µ

A[P {~v/~u} | Q] | SA0 | Sctx − → S00 µ 0 SA | Sctx − → S0

[Def]

Since A[P {~v/~u} | Q] | SA0 is A-solo, then by the induction hypothesis it follows that S00 is A-safe. Therefore, S 0 is A-safe as well. • move of some B 6= A. Similar to the previous case. Definition B.3. We define the following sets: n o a ˜ = a | S˜ ≡ s[c] | S˜0 ∧ c → OAs (S) − →A n o A: dos a ˜ = a | ∃S˜0 . S˜ − RDAs (S) −−−−→A S˜0 n o A: 6= dos ˜ = a | ∃S 0 . S − WRDAs (S) −−−−−→A∗ S˜0 ∧ a ∈ RDAs (S˜0 ) and we say that A is ready in S˜ iff: S˜ ≡ (~u)S˜0 ∧ OAs (S˜0 ) 6= ∅ =⇒ WRDAs (S˜0 ) ∩ OAs (S˜0 ) 6= ∅ The following lemmata state the correspondence between the concrete and the abstract semantics of contracts. 23

Lemma B.4. For all bilateral contracts γ, γ 0 : A says a

(1) γ −−−−−→ → γ0 B says a

(2) γ −−−−−→ → γ0

a

=⇒

αA (γ) → − →A αA (γ 0 )

=⇒

αA (γ) −−−→ →A αA (γ 0 )

ctx : a

Proof. For (1) we proceed by cases on the rule being used: [IntExt]

By the semantics of concrete and abstract contracts and by Def. 5.1, we have: γ = A says (a ; c ⊕ c0 ) | B says (¯a . d + d0 ) → − → αA (γ) = a ; c ⊕ c0

[Rdy]

A says c | B says ready ¯a.d = γ 0

a

= αA (γ 0 )

→ − →A ctx a.c

Since d is ready-free, we have: γ = A says ready a.c | B says d → − →

A says c | B says d = γ 0

a

= αA (γ 0 )

→ − →A c

αA (γ) = ready a.c For (2) we proceed by cases on the rule being used: [IntExt]

We have: γ = A says (¯a . c + c0 ) | B says (a ; d ⊕ d0 ) → − → ctx : a

αA (γ) = ¯a . c + c0 [Rdy]

A says ready ¯a.c | B says d = γ 0 = αA (γ 0 )

−−−→ →A ready ¯a.c

We have: γ = A says c | B says ready a.d → − →

A says c | B says d = γ 0

ctx : a

−−−→ →A c

αA (γ) = ctx a.c

= αA (γ 0 )

Definition B.5. Let γB be a function defined as follows: γB (ctx a.c) = A says c | B says ready a. dual(c) γB (ready a.c) = A says ready a.c | B says dual(c) γB (c) = A says c | B says dual(c) otherwise Lemma B.6. For all proper abstract contracts c˜: A says a

a

(1) c˜ → − →A c˜0 =⇒ γB (˜ c) −−−−−→ → γB (˜ c0 ) B says a

ctx : a

(2) c˜ −−−→ →A c˜0 =⇒ γB (˜ c) −−−−−→ → γB (˜ c0 ) (3) αA (γB (˜ c)) = c˜ Proof.

(1) There are two cases: a

• c˜ = a ; c ⊕ c0 → − →A ctx ¯a . c = c˜0 γB (˜ c) = A says a ; c ⊕ c0 | B says ¯a . dual(c) + dual(c0 ) γB (˜ c0 ) = A says c | B says ready ¯a . dual(c) A says a

Clearly: γB (˜ c) −−−−−→ → γB (˜ c0 ) 24

a

• c˜ = ready a . c0 → − →A c0 = c˜0 A says a γB (˜ c) = A says ready a . c0 | B says dual(c0 ) −−−−−→ → A says c0 | B says dual(c0 ) = γB (˜ c0 ) (2) There are two cases: ctx : a

• c˜ = ¯a . c + c0 −−−→ →A ready ¯a . c = c˜0 γB (˜ c) = A says ¯a . c + c0 | B says a ; dual(c) ⊕ dual(c0 ) γB (˜ c0 ) = A says ready ¯a .c | B says dual(c) B says a

Clearly: γB (˜ c) −−−−−→ → γB (˜ c0 ) ctx : a

• c˜ = ctx a . c −−−→ →A c = c˜0 B says a γB (˜ c) = A says c | B says ready a . dual(c) −−−−−→ → A says c | B says dual(c) (3) By cases on the form of c˜: • αA (γB (ctx a.c)) = αA (A says c | B says ready a.dual(c)) = ctx a.c = c˜ • αA (γB (ready a.c)) = αA (A says ready a.c | B says dual(c)) = ready a.c = c˜ • αA (γB (c)) = αA (A says c | B says dual(c)) = c = c˜, with c ready-free.

Lemma B.7. For all proper abstract contracts c˜, we have: a

(1) c˜ → − →A c˜0

=⇒

ctx : a

(2) c˜ −−−→ →A c˜0

∀γ . αA (γ) = c˜

=⇒

=⇒

A says a

∃γ 0 . γ −−−−−→ → γ 0 ∧ αA (γ 0 ) = c˜0

B says a

∃γ, γ 0 . γ −−−−−→ → γ 0 ∧ αA (γ) = c˜ ∧ αA (γ 0 ) = c˜0

Proof. For (1), we have two cases: a

i. For c˜ = a ; c0 ⊕ c00 we have that c˜ → − →A ctx a.c0 = c˜0 . Let γ = A says c | B says d, with c = c˜, 0 00 0 d = ¯a . dual(c ) + dual(c ) + d , and d0 ranges over all external sums such that d does not A says a

contain duplicate atoms at top level. Clearly γ −−−−−→ → A says c0 | B says ready ¯a.d0 = γ 0 . 0 0 Of course αA (γ) = c˜ and αA (γ ) = c˜ . a

ii. For c˜ = ready a.c0 we have that c˜ → − →A c0 = c˜0 . Let γ = A says c˜ | B says d, with d ready-free A says a

and d ./ c0 . γ −−−−−→ → A says c0 | B says d = γ 0 . Clearly αA (γ) = c˜ and αA (γ 0 ) = c˜0 . For (2) we already know, by items (2) and (3) of Lemma: B.6, that thesis holds, and in particular γ = γB (˜ c). Lemma B.8. For all substitutions σ, (αA (S))σ = αA (Sσ). Proof. Straightforward structural induction. Lemma B.9. For all systems S: fv(αA (S)) ∪ fn(αA (S)) ⊆ fv(S) ∪ fn(S) Proof. We proceed by induction on the structure of S. There are the following cases: • αA (S) = 0. • A[P ].

The thesis holds trivially.

Obvious, by the fact that αA (A[P ]) = A[P ].

• s[A says c | B says d]. We have αA (S) = s[c]. Clearly u not free in S only if u 6= s. But this holds also for αA (S). 25

• {↓x c}A . We have αA (S) = {↓x c}. Clearly u is not free in S only if x 6= s. But this holds also for αA (S). • S 0 | S 00 . We have αA (S) = αA (S 0 ) | αA (S 00 ). By induction hypothesis we have that u not 0 free in S =⇒ u not free in αA (S 0 ) ∧ u not free in S 00 =⇒ u not free in αA (S 00 ). Assume that u is not free in S, so u must be not free in S 0 and in S 00 , but then, by induction hypotesis, we have that u is not free in αA (S 0 ) and in αA (S 00 ), which implies u not free in αA (S). • (u0 )S 0 . We have αA (S) = (u0 )(αA (S 0 )). Under the assumption that u is not free in S, we have that u = u0 or u is not free in S 0 . If the first holds we are done. If u is not free in S 0 the thesis follows by induction hypothesis. Lemma B.10. Let Γc˜ = {γ | αA (γ) = c˜}. Then, for all a ∈ A ∪ {ε}, and for all c˜: [ Paths((a, γ)) Paths((a, c˜)) = γ∈Γc˜

Proof. ⊇: Suppose that: a0 a1 ... ∈

[

Paths((a, γ))

γ∈Γc˜

i.e.: ∃γ ∈ Γc˜. a0 a1 ... ∈ Paths((a, γ)) Let s0 = (a0 , γ0 ), with a0 = a and γ0 = γ. By Definition 5.10, L(si ) = ai and si−1 → si , for all i. For all i, s˜i = (ai , αA (γi )). L(si ) = L(s˜i ). We have to show that s˜i → s˜i+1 , i.e., by Definition µ ˜

5.9, αA (γi ) − → →A αA (γi+1 ) with µ ˜ = ai+1 or µ ˜ = ctx : ai+1 . Since si → si+1 holds by hypothesis, µ by Definition 5.8 we have that γi − → → γi+1 , with µ = A says ai+1 or µ = B says ai+1 . But then, by Lemma B.4, the thesis follows. In case of finite paths, the proof above is still valid, except that sn 6→ for some n, and we have to show that s˜n 6→. By Definition 5.8, we have that γn → 6− , which is only possible when γn = A says 0 | B says 0. But then αA (γn ) = 0 and, clearly, (a, 0) 6→. ⊆: Suppose that a0 a1 ... ∈ Paths((a, c˜)). Let s˜0 = (a, c˜). By Definition 5.10, L(˜ si ) = ai and s˜i−1 → s˜i for all i. Let si = (ai , γB (˜ ci )), for all i. Clearly, L(si ) = L(s˜i ). We have to show µ that, for all i > 0, γB (˜ ci−1 ) − → → γB (˜ ci ), with µ = A says ai or B says ai . This follows by Definition 5.9 and items (1) and (2) of Lemma B.6. In case of finite paths, we have to show that (an , c˜n ) 6→ =⇒ (an , γB (˜ cn )) 6→. By Definitions 5.9 and 5.8 it holds when c˜n → 6− →A =⇒ γB (˜ cn ) → 6− →. But this follows by item (3) of Lemma B.6 and Lemma B.4. Lemma 5.11. For all abstract contracts c˜ and for all LTL formulae φ: (1) c˜ ` φ ⇐⇒ ∀γ . αA (γ) = c˜ =⇒ γ ` φ (2) ∃γ . αA (γ) = c˜ ∧ γ ` φ =⇒ c˜ 6` ¬φ Proof. (1) =⇒ :Suppose c˜ ` φ. By the definition of ` follows that ∀π ∈ Paths(ε, c˜) . π ` φ. Let γ be a contract such that αA (γ) = c˜. Suppose π ∈ Paths(ε, γ). Thanks to Lemma B.10 we can conclude that π ∈ Paths(ε, c˜) and then π ` φ. ⇐=:Suppose c˜ 6` φ. By the definition of ` follows that ∃π ∈ Paths(ε, c˜) . π 6` φ. By Lemma B.10 we know that ∃γ . π ∈ Paths(ε, γ). But then γ 6` φ. (2) Assume that ∃γ . αA (γ) = c˜ ∧ γ ` φ. Then also holds that ∃γ . αA (γ) = c˜ ∧ γ 6` ¬φ. By item (1) we obtain the thesis.

26

Lemma B.11. For all A-safe systems S, whenever S ≡ (x1 , ..., xn , ~s)(SA | Sctx ): xi is free in SA =⇒ xi is not free in Sctx Proof. Suppose, by contradiction, that there exists i such that xi is free in both SA and Sctx . Then 0 no rule of Table: 2 allows to put S in the form (~s)(SA0 | Sctx ), and so S is not A-safe. Lemma B.12. For all systems S, S 0 , and for all labels µ: µ

(1) S − → S0

=⇒

µ ˜

∃˜ µ . αA (S) − →A αA (S 0 )

(2) furthermore, if µ = A : dos a or (µ = A : π ∧ S ask -free) then µ = µ ˜. µ

Proof. By induction on the depth of the derivation of S − → S 0 . According to the last rule used in such derivation, we have the following exhaustive cases: We have two subcases, according to which participant has moved:

[Tau]

A: τ

• S ≡ A[τ.P + P 0 | Q] −−−→ A[P | Q] = S 0 . Both the theses (1) and (2) follow because A: τ

αA (S) = S, αA (S 0 ) = S 0 , and S −−−→A S 0 by rule

[α-Tau].

B: τ

• S ≡ B[τ.P + P 0 | Q] −−−→ B[P | Q] = S 0 . The thesis (1) follows because, by rule ctx αA (S) = 0 −−→A 0 = αA (S 0 ). The thesis (2) follows trivially. [Tell]

[α-Ctx],

We have two subcases, according to which participant has moved: A: tell ↓x c

• S ≡ A[tell ↓x c.P + P 0 | Q] −−−−−−→ A[P | Q] | {↓x c}A = S 0 . Both the theses (1) and (2) A: tell ↓x c

follow because αA (S) = S, αA (S 0 ) = S 0 , and S −−−−−−→A S 0 by rule

[α-Tell].

B: tell ↓x c

• S ≡ B[tell ↓x c.P + P 0 | Q] −−−−−−→ B[P | Q] | {↓x c}B = S 0 . The thesis (1) follows ctx because, by rule [α-Ctx], αA (S) = 0 −−→A 0 = αA (S 0 ). The thesis (2) follows trivially. [Do]

We have three subcases, the first for A moves, the others for context moves: A says a

A: do a

s • S ≡ s[γ] | A[dos a.P + P 0 | Q] −−−−− → s[γ 0 ] | A[P | Q] = S 0 , where γ −−−−−→ → γ 0 . By a 0 item (1) of Lemma B.4 we have αA (γ) → − →A αA (γ ). Therefore both the theses (1) and (2)

A: do a

s follow because αA (S) = s[αA (γ)] | A[dos a.P + P 0 | Q] −−−−− →A s[αA (γ 0 )] | A[P | Q] = 0 0 S˜ = αA (S ), by rule [α-Do].

B: do a

B says a

B: do a

B says a

s • S ≡ s[γ] | B[dos a.P + P 0 | Q] −−−−− → s[γ 0 ] | B[P | Q] = S 0 , where γ −−−−−→ → γ 0 and ctx γ = B says c | B0 says d. The thesis (1) follows because αA (S) = 0 −−→A 0 = αA (S 0 ), by rule [α-Ctx]. The thesis (2) holds trivially. s • S ≡ s[γ] | B[dos a.P + P 0 | Q] −−−−− → s[γ 0 ] | B[P | Q] = S 0 , where γ −−−−−→ → γ 0 and ctx : a γ = A says c | B says d. By item (2) of Lemma B.4, αA (γ) −−−→ →A αA (γ 0 ). The thesis (1) ctx follows because αA (S) = s[αA (γ)] −−→A s[αA (γ 0 )] = S˜0 = αA (S 0 ), by rule [α-DoCtx]. The thesis (2) holds trivially.

[Del]

We have two subcases, according to which participant has moved: A: π 0

A: π

• S ≡ (u)S0 −−−→ (u)S00 = S 0 , with S0 −−−→ S00 and π = delu (π 0 ). By the induction µ ˜0

hypothesis, there exists µ ˜0 such that αA (S0 ) −→A αA (S00 ). There are two further subcases, according to the form of the label π: 27

– π = dos a. Then it must be π = π 0 . By the induction hypothesis of item (2), it follows that µ ˜0 = A : π 0 . Then, by rule [α-Del]: A: π 0

αA (S0 ) −−−→A αA (S00 ) µ ˜

(u)αA (S0 ) − →A (u)αA (S00 )

where µ ˜ = A : delu (π 0 )

The thesis (1) follows because αA (S) = (~u)αA (S0 ) and αA (S 0 ) = (~u)αA (S00 ). The thesis (2) follows because µ ˜ = A : delu (π 0 ) = A : delu (π) = µ. – µ = A : π and S ask -free. Similar to the previous case. – Otherwise, by rule [α-DelCtx]: ctx

αA (S0 ) −−→A αA (S00 ) ctx (u)αA (S0 ) −−→A (u)αA (S00 ) The thesis (1) follows because αA (S) = (~u)αA (S0 ) and αA (S 0 ) = (~u)αA (S00 ). The thesis (2) follows trivially. B: π 0

B: π

• S ≡ (u)S0 −−−→ (u)S00 = S 0 . Then S0 −−−→ S00 , with π = delu (π 0 ). By the induction ctx ctx hypothesis αA (S0 ) −−→A αA (S00 ), so αA (S) −−→A αA (S 0 ). µ

[Par]

µ

Let S ≡ S 00 | S 000 . Assuming that S 00 − → S 0000 we have S − → S 0000 | S 000 = S 0 , and by induction hypothesis for thesis (1), we have: µ ˜

αA (S 00 ) − →A αA (S 0000 ) µ ˜

αA (S 00 )|αA (S 000 ) − →A αA (S 00 )|αA (S 0000 )

[α-Par]

Using the induction hypothesis for thesis (2): A: π

αA (S 00 ) −−−→A αA (S 0000 ) A: π

αA (S 00 )|αA (S 000 ) −−−→A αA (S 00 )|αA (S 0000 ) [Def]

[α-Par]

We can have two subcases: A: π

def

• Let X(~u) = P , S ≡ A[X(~v ) | Q] | S 00 , and assume that A[P {~v/~u} | Q] | S 00 −−−→ S 0 . Both the theses (1) and (2) hold, assuming they hold in the premise of the rule: def A: π X(~u) = P A[P {~v/~u} | Q] | S˜ −−−→A S˜0 [α-Def]. A: π A[X(~v ) | Q] | S˜ −−−→A S˜0 µ

def

• Let X(~u) = P , S ≡ B[X(~v ) | Q] | S 00 , and assume that B[P {~v/~u} | Q] | S 00 − → S 0 . By the µ ˜

induction hypothesis αA (B[P {~v/~u} | Q] | S 00 ) = αA (S 00 ) − →A αA (S 0 ). But then both the µ ˜

theses (1) and (2) hold: αA (S) = αA (S 00 ) − →A αA (S 00 ) = αA (S 0 ). [Fuse]

There are two cases: 0 i. Let S ≡ (x, y)(SA | Sctx ), with Sctx ≡ Sctx | {↓x c}B | {↓y d}B0 . Suppose:

c ./ d

γ = B says c | B0 says d K: fuse

S −−−−→ (s)((SA |

0 Sctx )σ

σ = {s/x,y} | s[γ]) = S

s fresh 0

[Fuse]

By Lemma: B.11 both x and y are not free in SA , and then S 0 ≡ (s)(SA | Sctx σ | s[γ]). ctx By rule [α-Fuse]: αA (S) = αA (SA ) −−→A αA (SA ) = S˜0 . 0 αA (S ) = αA ((s)(SA )) ≡ αA (SA ) = S˜0 . 28

0 ii. Let S ≡ (x, y)(SA | Sctx ), with SA ≡ SA0 | {↓x c}A and Sctx ≡ Sctx | {↓y d}B . Suppose:

γ = A says c | B says d

c ./ d

K: fuse

(s)((SA0

S −−−−→

|

σ = {s/x,y}

0 Sctx )σ

| s[γ]) = S

s fresh 0

[Fuse]

By Lemma: B.11 y is not free in SA and then αA (S) = (x, y)(αA (SA0 ) | {↓x c}A ) ≡ ctx (x)(αA (SA0 ) | {↓x c}A ). By rule [α-Fuse]: αA (S) −−→A (s)(αA (SA0 ){s/x} | s[c]) = S˜0 . αA (S 0 ) = (s)(αA (S 0 A σ) | s[c]) ≡ (s)(αA (S 0 A {s/x}) | s[c]) ≡

because y is not free in αA (S 0 A )

(s)(αA (SA0 ){s/x} | s[c]) = S˜0 . [Ask]

by Lemma: B.8

There are two cases, according to the participant which has moved: A: asks φ

• S ≡ A[asks φ.P + P 0 | Q] | s[γ] −−−−−→ A[P | Q] | s[γ]. Let γ = A says c | B says d. By item (2) of Lemma 5.11, c 6` ¬φ. The thesis (1) holds because, by rule [α-AskCtx]: c 6` ¬φ ctx αA (S) = A[asks φ.P + P | Q] | s[αA (γ)] −−→A A[P | Q] | s[αA (γ)] 0

The thesis (2) follows trivially. B: asks φ

• S ≡ B[asks φ.P + P 0 | Q] | s[γ] −−−−−→ B[P | Q] | s[γ]. The thesis (1) follows by rule Ctx]: ctx αA (S) =−−→A αA (S) = αA (S 0 )

[α-

The thesis (2) follows trivially.

Theorem 5.4. For all A-safe systems S, and for all concrete traces η: η

S −→∗ S 0

=⇒

η ˜

∃˜ η : αA (S) −→A∗ αA (S 0 )

Furthermore, if η is A-solo and S is ask-free, then η = η˜. Proof. We proceed by induction on the length of the derivation. The base case holds trivially. For η0

the inductive case, suppose that S −−−→n S 00 , for n > 0. By the induction hypothesis, we have: η˜0

∃˜ η 0 : αA (S) −−−→An αA (S 00 ) 0

(4) 0

0

η A-solo and S ask -free =⇒ η = η˜

(5)

00 µ

Now, assume that S − → S 0 , and let η = η 0 µ. By Lemma B.12, it follows that: µ ˜

∃˜ µ : αA (S 00 ) − →A αA (S 0 )

(6)

µ = A : π ∧ S ask -free =⇒ µ = µ ˜

(7)

By (4) and (6), it follows that: η˜

µ ˜

αA (S) −−→An αA (S 00 ) − →A αA (S 0 ) For the “furthermore” part, let η˜ = η˜0 µ ˜, and assume that η is A-solo and S is ask -free. Therefore, by (5) and (7) we conclude that: η = η 0 µ = η˜0 µ ˜ = η˜. 29

A: π A: π Lemma B.13. αA (S) −−−→A S˜0 =⇒ ∃S 0 A-safe . S −−−→ S 0 ∧ αA (S 0 ) = S˜0

Proof. Let Sctx be an A-free system. By rule induction: A: τ Let S ≡ A[τ.P + P 0 | Q] | Sctx , and let αA (S) ≡ A[τ.P + P 0 | Q] −−−→A A[P | Q] = S˜0 . We A: τ have S −−−→ A[P | Q] | Sctx = S 0 = αA (S 0 ) = S˜0 .

[α-Tau]

A: tell ↓x c

Let S ≡ A[tell ↓x c.P + P 0 | Q] | Sctx , and also let αA (S) ≡ A[tell ↓x c.P + P 0 | Q] −−−−−−→A A: tell ↓x c A[P | Q] | {↓x c}A = S˜0 . We have S −−−−−−→ A[P | Q] | {↓x c}A | Sctx = S 0 = αA (S 0 ) = S˜0 .

[α-Tell]

A says a a Let αA (γ) → − →A c˜0 — which, by item (1) of Lemma B.7, implies γ −−−−−→ → γ 0 , with αA (γ 0 ) = c˜0 .

[α-Do]

A: do a

s Furthermore, let S ≡ s[γ] | A[dos a.P + P 0 | Q] | Sctx , and S −−−−− → s[γ 0 ] | A[P | Q] | Sctx = A: dos a 0 0 0 S . We have αA (S) = s[c] | A[dos a.P + P | Q] −−−−−→ s[c ] | A[P | Q] = αA (S 0 ) = S˜0 .

A

[α-Ask]

0

We have S ≡ s[γ] | A[asks φ.P + P | Q] | Sctx , c ` φ and: A: asks φ αA (S) = s[c] | A[asks φ.P + P 0 | Q] −−−−−→A s[c0 ] | A[P | Q] = αA (S 0 ) = S˜0

By item (1) of Lemma 5.11, since c ` φ and αA (γ) = c, then γ ` c. Then, by rule

[Ask]:

A: asks φ

S −−−−−→ s[γ] | A[P | Q] | Sctx = S 0 A: π

Let S ≡ (u)S 00 and S −−−→ (u)S 000 = S 0 . Also, let αA (S) ≡ (u)αA (S 00 ). Assuming A: π 0 A: π 0 αA (S 00 ) −−−→ S˜000 , we have, by induction hypothesis, S 00 −−−→ S 000 and αA (S 000 ) = S˜000

[α-Del]

A

A: π

(note that π and π 0 may differ, depending on whether u ∈ fnv(π 0 )). But then αA (S) −−−→A (u)αA (S 000 ) = S˜0 . Clearly αA (S 0 ) = S˜0 . A: π

A: π

Let S ≡ S 00 | S 000 and S 00 −−−→A S 0000 — and therefore, S −−−→ S 0000 | S 000 = S 0 . We A: π have αA (S) ≡ αA (S 00 ) | αA (S 000 ). Assuming that αA (S 00 ) −−−→ S˜0000 we have, by induction A: π hypothesis, αA (S 0000 ) = S˜0000 . But then αA (S) −−−→A αA (S 0000 ) | αA (S 000 ) = S˜0 . Clearly αA (S 0 ) = S˜0 .

[α-Par]

A: π

def

Let X(~u) = P . Also, let S ≡ A[X(~v ) | Q] | S 00 and A[P {~v/~u}) | Q] | S 00 −−−→ S 0 . We have A: π αA (S) ≡ A[X(~v ) | Q] | αA (S 00 ). Suppose A[P {~v/~u}) | Q] | αA (S 00 ) −−−→A S˜0 . By applying the 0 0 ˜ induction hypothesis, we have αA (S ) = S . Then the thesis follows trivially.

[α-Def]

Lemma B.14. For all A-safe systems S, and for all A-solo traces η: η

αA (S) − →A∗ S˜0

=⇒

η ∃S 0 A-safe . S − →∗ S 0 ∧ αA (S 0 ) = S˜0

Proof. By induction on the length of the derivation. Base case holds trivially. Suppose that η0 η0 A: π αA (S) −→n S˜00 , with η 0 A-solo. By inductive hypothesis S −→n S 00 ∧αA (S 00 ) = S˜00 . Let αA (S 00 ) −−−→A A: π S˜0 . By Lemma B.13 it trivially follows that ∃S 0 A-safe . S 00 −−−→ S 0 ∧ αA (S 0 ) = S˜0 . ˜ Lemma B.15. For all A-safe systems S 0 , and for all ask -free abstract systems S: S˜ → − A S˜0 ∧ αA (S 0 ) = S˜0 =⇒ ∃S A-safe . S → − S 0 ∧ αA (S) = S˜ 30

Proof. In the following Sctx is a generic A-free system. We show that lemma holds by rule induction: Let S˜ = A[τ.P + P 0 | Q] → − A A[P | Q] = S˜0 . S 0 must be in the form A[P | Q] | Sctx . 0 Then S = A[τ.P + P | Q] | Sctx .

[α-Tau]

Let S˜ = A[tellx c.P + P 0 | Q] → − A A[P | Q] | {↓x c}A = S˜0 . S 0 must be in the form A[P | Q] | {↓x c}A | Sctx . Then S = A[tellx c.P + P 0 | Q] | Sctx .

[α-Tell]

[α-Do]

a Let c˜, c˜0 be abstract contracts such that c˜ → − →A c˜0 , and let S˜ = s[˜ c] and S˜0 = s[˜ c0 ]. We have 0 0 0 0 0 0 ˜ ˜ that S → − A s[˜ c ] = S . Then S = s[γ ] | Sctx , with αA (γ ) = c˜ . Let γ be a bilateral contract such that αA (γ) = c˜. By Lemma B.7γ → − → γ 0 . So S = s[γ] | Sctx → − s[γ 0 ] | Sctx .

s fresh [α-Fuse]. ctx S˜ = (x)(S˜0 | {↓x c}A ) −−→A (s)(s[c] | S˜0 {s/x}) = S˜0 0 S 0 must be in the form (s0 )(s0 [γ] | SA0 | Sctx ), with s0 not free in S˜0 , γ = A says c | B says d 0 0 and αA (SA ) = S˜0 {s /x}.

[α-Fuse]

Suppose:

αA (S 0 ) = 0 (s0 )(s0 [c] | S˜0 {s /x}) = 0 (s)(s[c]) | (S˜0 {s /x}){s/s0 }) =

s is fresh then trivially not free in S˜0

(s)(s[c]) | (S˜0 {s/s0 }){s/x}) = (s)(s[c] | S˜0 {s/x}) =

s0 is not free in S˜0

S˜0 . S can be as follows: S = (x, y)(SA | {↓x c}A | Sctx | {↓y d}B ), with αA (SA ) = S˜0 , y not free in 0 0 {y/s0 }, x not free in Sctx and s0 fresh. , Sctx = Sctx both SA and Sctx c ./ d

γ = A says c | B says d

0

σ = {s /x,y}

K: fuse

s fresh

0

(x, y)(SA | {↓x c}A | Sctx | {↓y d}B ) −−−−→ (s )((SA | Sctx )σ | s0 [γ])

[Fuse]

αA (S) = (x, y)(S˜0 | {↓x c}A ) = (x)(S˜0 | {↓x c}A ) = S˜0 . [α-Def]

since y not free in SA , by Lemma:B.9, y is not free in S0

Assume αA (S 0 ) = S˜0 and suppose: def X(~u) = P A[P {~v/~u} | Q] | S˜0 → − A S˜0 0 ˜ ˜ ˜ S = A[X(~v ) | Q] | S0 → −A S

Let S0 be a system such that αA (S0 ) = S˜0 . Since the thesis holds, by induction hypothesis, for the premise of the rule above, we have: def

X(~u) = P A[P {~v/~u} | Q] | S0 → − S0 S = A[X(~v ) | Q] | S0 → − S0

31

[Def]

[α-Par]

Assume αA (S1 ) = S˜1 , αA (S2 ) = S˜2 and suppose: S˜0 → − S˜1 ˜ ˜ ˜ S = S0 | S2 → − A S˜1 | S˜2

By induction hypothesis αA (S0 ) = S˜0 . Then we have: S0 → − S1 S = S0 | S2 → − S1 | S2

[Par]

These cases can be treated together, since we are ignoring labels. Assume αA (S1 ) = S˜1 and suppose: S˜0 → − A S˜1 ˜ (u)S0 → − A (u)S˜1

[α-Del][α-DelCtx]

By induction hypothesis αA (S0 ) = S˜0 and: S0 → − S1 (u)S0 → − (u)S1 ctx : a Let c˜, c˜0 be abstract contracts such that c˜ −−−→ →A c˜0 , and let S˜ = s[˜ c] and S˜0 = s[˜ c0 ]. We 0 0 0 0 0 0 ˜ ˜ have that S → − A s[˜ c ] = S . Then S = s[γ ] | Sctx , with αA (γ ) = c˜ . By Lemma B.7 we have that there exists a γ such that αA (γ) = c˜ and γ → − → γ 0 . So S = s[γ] | Sctx → − s[γ 0 ] | Sctx .

[α-DoCtx]

µ 0 . Clearly αA (S 0 ) = S˜0 . Then S = SA | Sctx , with Suppose S˜ − →A S˜0 . Must be: S 0 = SA | Sctx ctx 0 0 . Clearly S −−→ S 0 . | B[τ ] such that B do not appear in Sctx Sctx = Sctx

[α-Ctx]

Theorem 5.5. For all ask-free abstract system S˜ with proper contracts only: S˜ → − A∗ S˜0 =⇒ ∃S, S 0 A-safe. αA (S) = S˜ ∧ S → − ∗ S 0 ∧ αA (S 0 ) = S˜0 Proof. By induction on the length n of the derivation. For n = 0 (base case), the thesis holds trivially. For the inductive step, suppose that S˜ → − A S˜00 → − An S˜0 . By the induction hypothesis, 00 0 00 0 00 ˜ there exist S , S A-safe such that αA (S ) = S , αA (S ) = S˜0 , and S 00 → − ∗ S 0 . Since S˜ → − A S˜00 , ∗ 00 ˜ Lemma B.15 guarantees that there exists S A-safe such that αA (S) = S and S → − S . Summing up, we conclude that S → − ∗ S0. Lemma B.16. For all A-safe S, and for all s: (1) OAs (S) = OAs (αA (S)), (2) RDAs (S) = RDAs (αA (S)), (3) WRDAs (αA (S)) ⊆ WRDAs (S). (4) WRDAs (αA (S)) ⊇ WRDAs (S) if S is ask -free.

32

Proof. For item (1), we have that OAs (S) ⊆ OAs (αA (S)) follows by item (1) of Lemma B.4. The reverse inclusion holds by item (1) of Lemma B.7. For item (2), we first show the inclusion ⊇. Assume that a ∈ RDAs (αA (S)). By Def. B.3, there A: dos a A: dos a exists S˜0 such that αA (S) −−−−− →A S˜0 . By Lemma B.13, there exists S 0 such that S −−−−− → S0 A 0 0 ˜ and αA (S ) = S . Then, by Def. 4.2, it follows that a ∈ RDs (S). For the inclusion ⊆, assume that A: do a

s a ∈ RDAs (S). By Def. 4.2, there exists S 0 such that S −−−−− → S 0 . By Lemma B.12 it follows that

A: do a

s αA (S) −−−−− →A αA (S 0 ). Therefore, by Def. B.3 we conclude that a ∈ RDAs (αA (S)).

η For item (3), assume that a ∈ WRDAs (αA (S)). By Def. B.3, there exists S˜0 such that αA (S) − →A∗ S˜0 , A ˜0 where a ∈ RDs (S ), and η is an A-solo trace without dos . By Lemma B.14, there exists S 0 such η that S − →∗ S 0 and αA (S 0 ) = S˜0 . By Lemma B.16(2), RDAs (S˜0 ) = RDAs (S 0 ). Therefore, by Def. 4.2 we conclude that a ∈ WRDAs (S). η

For item (4), assume that a ∈ WRDAs (S). By Def. 4.2, there exists S 0 such that S − → ∗ S 0 , where A 0 a ∈ RDs (S ), and η is an A-solo trace without dos . By Theorem 5.4, there exists a trace η˜ η˜

such that αA (S) − →A ∗ αA (S 0 ). Furthermore, since S is ask -free, then η˜ = η. By Lemma B.16(2), A 0 RDs (αA (S )) = RDAs (S 0 ). Therefore, by Def. B.3 we conclude that a ∈ WRDAs (S). Lemma B.17. For all A-safe S: (1) if A is α-ready in αA (S), then A is ready in S. (2) if A is ready in S and S is ask -free, then A is α-ready in αA (S). Proof. For item (1), suppose that A is α-ready in S˜ = αA (S), and assume that S ≡ (~u)S0 . By Def. 4.3, we have to show that WRDAs (S0 ) ∩ OAs (S0 ) 6= ∅ whenever OAs (S0 ) 6= ∅. Suppose that OAs (S0 ) 6= ∅. Then, by Lemma B.16(1), OAs (αA (S0 )) 6= ∅. We have that: WRDAs (S0 ) ∩ OAs (S0 ) = WRDAs (S0 ) ∩ OAs (αA (S0 )) ⊇

WRDAs (αA (S0 ))

∩

OAs (αA (S0 ))

6= ∅

by Lemma B.16(1) by Lemma B.16(3) since A is α-ready in αA (S)

For item (2), suppose that A is ready in S, and assume that αA (S) ≡ (~u)S˜0 . Then, by Def. 5.2, there exists S0 such that S˜0 = αA (S0 ) and S = (~u)S0 . By Def. B.3, we have to show that WRDAs (S˜0 ) ∩ OAs (S˜0 ) 6= ∅ whenever OAs (S˜0 ) 6= ∅. Suppose that OAs (S˜0 ) 6= ∅. Then, by Lemma B.16(1), OAs (S0 ) = OAs (S˜0 ) 6= ∅. We have that: WRDAs (S˜0 ) ∩ OAs (S˜0 ) = WRDAs (S˜0 ) ∩ OAs (S0 ) ⊇

WRDAs (S0 )

∩

OAs (S0 )

6= ∅

by Lemma B.16(1) by Lemma B.16(4) since A is ready in S

Theorem 5.7. If P is α-honest, then P is honest. Conversely, if P is honest, ask-free, and has proper contracts only, then P is α-honest. Proof. For the first part, suppose that P is α-honest. Let Sctx be an A-free system, and assume that A[P ] | Sctx → − ∗ S for some S. Since A[P ] | Sctx is A-safe, then by item (3) of Lemma B.2 it ˜ Since P is follows that S is A-safe. Let S˜ = αA (S). By Theorem 5.4 it follows that A[P ] → − A ∗ S. ˜ α-honest, then A is α-ready in S. Therefore, item (1) of Lemma B.17 guarantees that A is ready in S. Hence, by Def. 4.3 it follows that P is honest.

33

5.7

B.17

5.5

B.2

B.16

5.4

B.14

B.15

B.13

B.12

5.11

B.7

B.9

B.10

B.8

B.6

B.4

B.11

Figure 6: Dependencies among the proofs .

For the second part, suppose instead that P is honest, ask-free, and with proper contracts only. ˜ By Theorem 5.5 it follows that there exist Let S˜ be an arbitrary system such that A[P ] → − A ∗ S. 0 0 ˜ and S → S, S A-safe such that αA (S) = A[P ], αA (S ) = S, − ∗ S 0 . Since P is honest, then A is ready 0 ˜ Hence, by Def. 5.6 it in S , and so by item (2) of Lemma B.17 it follows that A is α-ready in S. follows that P is α-honest. The diagram in Fig. 6 illustrates the dependencies among the proofs.

C

Maude implementation

The diagram in Fig. 7 illustrates the graph of module importation used in our Maude implementation. The complete code is available at http://tcs.unica.it/software/co2-maude. Here we

34

CONTR − SYNTAX

MODEL − CHECKER CONTR − SEM LTL − SIMPLIFIER SATISFACTION

CONTR − UTILS

ASK

COMPLIANCE

CULPABILITY

CO2 − ABS

CO2 − ABS − SYNTAX

META − LEVEL

CO2 − SYNTAX

CO2 − ABS − SEM

CO2 − SEM

Figure 7: Graph of module importation.

only show the most relevant parts of the implementation. Contracts: syntax. sorts Atom UniContract Participant AdvContract BiContract IGuarded EGuarded IChoice EChoice Var Id RdyContract . subsort Id < IGuarded < IChoice < UniContract < RdyContract . subsort Id < EGuarded < EChoice < UniContract < RdyContract . subsort Var < UniContract . op -_ : Atom -> Atom [prec 20 ctor] . eq - - a:Atom = a:Atom . op op op op op op op op

0 : -> Id [ctor] . _._ : Atom UniContract -> EGuarded [frozen prec 25 ctor] . _;_ : Atom UniContract -> IGuarded [frozen prec 25 ctor] . _+_ : EChoice EChoice -> EChoice [frozen comm assoc id: 0 prec 30 ctor] . _(+)_ : IChoice IChoice -> IChoice [frozen comm assoc id: 0 prec 30 ctor] . ready _._ : Atom UniContract -> RdyContract [frozen prec 25 ctor] . rec _._ : Var IChoice -> UniContract [frozen prec 35 ctor] . rec _._ : Var EChoice -> UniContract [frozen prec 35 ctor] .

op _ says _

: Participant RdyContract -> AdvContract [ctor] .

op _ | _ : AdvContract AdvContract -> BiContract [comm ctor] .

Contracts: semantics. sort LBiContract . subsort BiContract < LBiContract .

35

sort Label . op _ says _ : Participant Atom -> Label [ctor] . ***labelled contracts op {_}_ : Label LBiContract -> LBiContract [frozen ctor] . vars A B : Participant . vars a b : Atom . vars c d : UniContract . var ci : IChoice . var de : EChoice . var X : Var . vars l l’ : Label . vars g g’ : BiContract . ***structural congruence eq A says rec X . ci = A says ci {rec X . ci / X} . eq A says rec X . de = A says de {rec X . de / X} . ***one step semantics crl [IntExt] : A says a ; c (+) ci | B says b {A says a} A says c | B says ready b . d if a = - b .

. d + de =>

rl [Rdy] : A says ready a . c | B says d => {A says a} A says c | B says d . ***semantics sort TBiContract . op <_> : LBiContract -> TBiContract [frozen] . op dummy : -> Label [ctor] . eq < g > = < {dummy} g > . crl [Rifl] : < {l’} g > => < {l} g’ > if g => {l} g’ .

CO2 : syntax. op op op op op op op op op op op op op op op op op op op op op op

empty : -> IdeVec [ctor] . void : -> ParamList [ctor] . 0 : -> System [ctor] . 0 : -> Process [ctor] . t : -> Prefix [ctor] . _;_ : ParamList ParamList -> ParamList [ctor assoc id: void] _,_ : IdeVec IdeVec -> IdeVec [comm assoc ctor id: empty] . _[_] : Participant Process -> System [frozen ctor] . _[_] : SessionName BiContract -> System [frozen ctor] . _|_ : System System -> System [comm assoc frozen ctor id: 0] (_)_ : IdeVec System -> System [frozen ctor] . {__}_ : SessionIde UniContract Participant -> System [frozen _._ : Prefix Process -> GuardProc [frozen ctor] . _+_ : Sum Sum -> Sum [comm assoc frozen ctor id: 0] . _|_ : Process Process -> Process [comm assoc frozen ctor id: (_)_ : IdeVec Process -> Process [frozen ctor] . tell __ : SessionIde UniContract -> Prefix [frozen ctor] . do __ : SessionIde Atom -> Prefix [frozen ctor] . ask __ : SessionIde Formula -> Prefix [frozen ctor] . _(_) : ProcIde ParamList -> Process [frozen ctor] . $_ : Nat -> SessionName [ctor] . _ : Qid Nat -> SessionVariable [ctor] .

CO2 : semantics. sorts LSystem SLabel LPrefix .

36

.

. ctor] . 0] .

subsort System < LSystem . subsort Prefix < LPrefix . op fuse : -> LPrefix . op _:_ : Participant LPrefix -> SLabel [ctor] . op {_}_ : SLabel System -> LSystem [frozen ctor] . op Z : -> Participant . vars A B : Participant . vars P Q P’ R : Process . var u : SessionIde . vars c d : UniContract . vars s s’ : SessionName . vars g g’ : BiContract . var a : Atom . var pi : LPrefix . vars uVec vVec : IdeVec . vars S S’ S’’ : System . vars x y : SessionVariable . var n : Nat . var phi : Formula . var X : ProcIde . var uList : ParamList . vars l l’ : SLabel . op eq eq eq eq

del : IdeVec Prefix -> Prefix . del((u , uVec) , do u a) = t . del((u , uVec) , tell u c) = t . del((u , uVec) , ask u phi) = t . del(uVec , pi) = pi [owise] .

op fresh : Nat System -> SessionName . eq fresh(n , S) = if not is $ n free in S then $ n else fresh(n + 1 , S) fi . rl [Tau] : A[t . P + P’ | Q] => {A : t} A[P | Q] . rl [Tell] : A[tell u c . P + P’ | Q] => {A : tell u c} A[P | Q] | {u c} A . crl [Do] : A[do s a . P + P’ | Q] | s[g] => {A : do s a} (A[P | Q] | s[g’]) if g => {A says a} g’ . crl [Del] : (uVec) S => {A : del(uVec , pi)}(uVec) S’ if S => {A : pi} S’ . crl [Par] : S | S’’ => {A : pi} S’ | S’’ if S =/= 0 /\ S’’ =/= 0 /\ S => {A : pi} S’ . crl [Fuse] : (uVec , vVec) ({x c}A | {y d}B | S) => {Z : fuse}(s , vVec)(s[A says c | B says d] | S{s / x}{s / y}) if uVec == (x , y) /\ c |X| d /\ s := fresh(0 , S) . crl [Ask] : A[ask s phi . P + P’ | Q] | s[g] => {A : ask s phi} A[P | Q] if g |- phi . sort TSystem . op <_> : System -> TSystem [frozen] . crl [Rifl] : < S > => < S’ > if S => {l’} S’ . sort ASystem . op prefCheck : Prefix SessionName -> Bool . eq prefCheck (do s a , s) = false . eq prefCheck (pi , s) = true [owise] .

37

op <_>__ : System Participant SessionName -> ASystem . *** non A-solo semantics: =/= A: do s crl < S > A s => < S’ > A s if S => {B : pi} S’ /\ (B =/= A or prefCheck(pi , s)) . *** A-solo semantics: A: =/= do s *** crl < S > A s => < S’ > A s if S => {A : pi} S’ /\ prefCheck(pi , s) . op ready : Participant SessionName System Module -> Bool . eq ready(A,s,S,M:Module) = metaSearch(M:Module, upTerm(< S > A s), ’<_>__[’S:System , upTerm(A) , upTerm(s)], ’S:System => ’‘{_‘}_[’l:SLabel,’S’:System] /\ ’_:_[upTerm(A),’do__[upTerm(s),’a:Atom]] := ’l:SLabel, ’*, unbounded, 0 ) =/= failure . op ready : Participant System System Module -> Bool . ceq ready(A , S , s[g] , M:Module) = ready(A , s , S’ , M:Module) if A :C g /\ (uVec) S’ := S . ceq ready(A , S , s[g] , M:Module) = true if not A :C g . eq ready(A , S , s[g] , M:Module) = ready(A , s , S , M:Module) [owise] . ceq ready (A , S , S’ | S’’ , M:Module) = ready (A , S , S’ , M:Module) and ready(A , S , S’’ , M:Module) if S’ =/= 0 /\ S’’ =/= 0 . ceq ready (A , S , (uVec) S’ , M:Module) = ready (A , S , S’ , M:Module) if (uVec) =/= empty . eq ready (A , S , 0 , M:Module) = true . eq ready (A , S , B:Participant[P] , M:Module) = true . eq ready (A , S , {u c}B:Participant , M:Module) = true . op search-honest-ctx : Participant System Module -> ResultTriple? . eq search-honest-ctx(A , S , M:Module) = metaSearch(M:Module, upTerm(< S >), ’<_>[’S:System], ’ready[upTerm(A) , ’S:System,’S:System, upTerm(M:Module)] = ’false.Bool, ’*, unbounded, 0) . sort Result . subsort Result < TSystem . subsort Result < Bool . op honest-ctx : Participant System Module -> Result . ceq honest-ctx (A , S , M:Module) = true if search-honest-ctx (A , S , M:Module) == failure . ceq honest-ctx (A , S , M:Module) = downTerm (T:Term , < (0).System > ) if {T:Term , Ty:Type , S:Substitution} := search-honest-ctx (A , S , M:Module) .

CO2 : abstract semantics. op A : -> Participant [ctor] . sorts LSystem ASLabel . subsort System < LSystem . op _:_ : Participant Prefix -> ASLabel [ctor] . op ctx : -> ASLabel [ctor] . op {_}_ : ASLabel System -> LSystem [frozen ctor] . vars P Q : Process .

38

vars S S’ S’’ : System . var P’ : Sum . vars c c’ : UniContract . vars g g’ : RdyContract . vars u v : SessionIde . vars x y : SessionVariable . var s : SessionName . var a : Atom . var pi : Prefix . var uVec : IdeVec . var X : ProcIde . var mu : ASLabel . vars n m : Nat . var uList : ParamList . var fi : Formula . op eq eq eq eq

del : IdeVec Prefix -> Prefix . del((u , uVec) , do u a) = t . del((u , uVec) , tell u c) = t . del((u , uVec) , ask u fi) = t . del(uVec , pi) = pi [owise] .

op fresh : Nat System -> SessionName . eq fresh(n , S) = if not is $ n free in S then $ n else fresh(n + 1 , S) fi . rl [Tau] : A[t . P + P’ | Q] => {A : t} A[P | Q] . rl [Tell] : A[tell u c . P + P’ | Q] => {A : tell u c} A[P | Q] | {u c} A . crl [Do] : A[do s a . P + P’ | Q] | s[g] => {A : do s a} A[P | Q] | s[g’] if g => {a} g’ . crl [Del] : (uVec) S => {A : del(uVec,pi)}(uVec) S’ if S => {A : pi} S’ . crl [Del] : (uVec) S => {ctx}(uVec) S’ if S => {ctx} S’ . crl [Par] : S | S’’ => {mu} (S’ | S’’) if S’’ =/= 0 /\ S => {mu} S’ . crl [DoCTX] : s[g] => {ctx} s[g’] if g => {ctx} g’ . rl [Ask] : s[g] | A[ask s fi . P + P’ | Q] => {ctx} s[g] | A[P | Q] . crl [Fuse] : (x,uVec) (S | {x c}A) => {ctx} (s , uVec)(s[c] | S{s / x}) if s := fresh(0 , S) . *** unlabelled semantics sort TSystem . op <_> : System -> TSystem [ctor frozen] . crl < S > => < S’ > if S => {mu} S’ . *** A-solo semantics without do s op prefCheck : Prefix SessionName -> Bool . eq prefCheck (do s a , s) = false . eq prefCheck (pi , s) = true [owise] . sort ASystem . op <_>_ : LSystem SessionName -> ASystem [ctor frozen] . crl < S > s => < S’ > s if S => {A : pi} S’ /\ prefCheck (pi, s) .

Model checking honesty. op ready : SessionName System Module -> Bool . eq ready(s,S,M:Module) = metaSearch(M:Module, upTerm(< S > s), ’<_>_[’S:System , upTerm(s)],

39

’S:System => ’‘{_‘}_[’l:ASLabel,’S’:System] /\ ’_:_[upTerm(A),’do__[upTerm(s),’a:Atom]] := ’l:ASLabel, ’*, unbounded, 0 ) =/= failure . op culp : RdyContract Module -> Bool . eq culp (g , M:Module) = metaSearch(M:Module, upTerm(g), ’‘{_‘}_[’l:ACLabel,’d:RdyContract], ’a:Atom := ’l:ACLabel, ’+, 1, 0 ) =/= failure . op ready : System System Module -> Bool . ceq ready(S , s[g] , M:Module) = ready(s , S’ , M:Module) if culp(g , M:Module) /\ (uVec) S’ := S . ceq ready(S , s[g] , M:Module) = true if not culp(g , M:Module) . eq ready(S , s[g] , M:Module) = ready(s , S , M:Module) [owise] . ceq ready (S , S’ | S’’ , M:Module) = ready (S , S’ , M:Module) and ready(S , S’’ , M:Module) if S’ =/= 0 /\ S’’ =/= 0 . ceq ready (S , (uVec) S’ , M:Module) = ready (S , S’ , M:Module) if (uVec) =/= empty . eq ready (S , 0 , M:Module) = true . eq ready (S , B:Participant[P] , M:Module) = true . eq ready (S , {u c}B:Participant , M:Module) = true . op search-honest : Process Module -> ResultTriple? . eq search-honest(P , M:Module) = metaSearch(M:Module, upTerm(< A[P] >), ’<_>[’S:System], ’ready[’S:System,’S:System, upTerm(M:Module)] = ’false.Bool, ’*, unbounded, 0) . sort Result . subsort Result < TSystem . subsort Result < Bool . op honest : Process Module -> Result . ceq honest (P , M:Module) = true if search-honest (P , M:Module) == failure . ceq honest (P , M:Module) = downTerm (T:Term , < (0).System > ) if {T:Term , Ty:Type , S:Substitution} := search-honest (P , M:Module) .

Example 4.4 (travel agency). ops pay commit refund hotel ticket commitH payH abortH commitF payF abortF : -> Atom [ctor] . ops CU CF CH : -> UniContract . ops P PU PU’ PF PH : -> Process . ops xu xf xh : -> SessionVariable . eq CU = pay . (commit ; 0 (+) refund ; 0) . eq CF = ticket . ( commitF ; payF ; 0 (+) abortF ; 0) . eq CH = hotel . ( commitH ; payH ; 0 (+) abortH ; 0) . ops refund? : -> Formula . eq refund? = [] ~ payH . eq PF = do xf ticket . (do xh commitH . 0 + do xf abortF . 0) . eq PH = do xh hotel . (do xf commitF . 0 + do xh abortH . 0) .

40

eq PU = ask xh refund? . do xu refund . 0 + t . (do xu commit . (do xf payF . 0 | do xh payH . 0)) . eq P = ( xu , xf , xh ) ( tell xu CU . do xu pay . ( (tell xf CF . PF) | (tell xh CH . PH) | PU ) ) . *** context for honest-ctx checking ops A U H F : -> Participant . ops DU DH DF : -> UniContract . ops Q Q’ QU QH QF : -> Process . ops yu yf yh : -> SessionVariable . op S : -> System . eq DU = - pay ; (- commit . 0 + - refund . 0) . eq DF = - ticket ; (- commitF . - payF . 0 + - abortF . 0) . eq DH = - hotel ; (- commitH . - payH . 0 + - abortH . 0) . eq Q = ( yu , yf , yh )(tell yu DU . tell yf DF . tell yh DH . (do yu - pay . 0 | do yf - ticket . 0 | do yh - hotel . 0 | Q’)) . eq Q’ = (do yu - commit . 0 + do yu - refund . 0 ) | (do yf - commitF . do yf - payF . 0 + do yf - abortF . 0 ) | (do yh - commitH . do yh - payH . 0 + do yh - abortH . 0 ) . eq S = A[P] | U[Q] . *** A should be honest in the given context red honest-ctx(A , S , [’TRAVEL-AGENCY-CTX]) .

Example 5.12 (voucher distribution system). ops ops ops ops

clickPay clickVoucher pay voucher accept reject ok no : -> Atom [ctor] . x y : -> SessionVariable [ctor] . CB CV : -> UniContract . P Q R : -> Process .

eq CB = clickPay . pay . 0 + clickVoucher . (- reject ; pay . 0 (+) - accept ; voucher . 0) . eq CV = ok . 0 + no . 0 . *** should be dishonest eq P = (x)(tell x CB . (do x clickPay . do x pay . 0 + do x clickVoucher . ((y) tell y CV . Q))) . eq Q = do y ok . do x - accept . do x voucher . 0 + do y no . do x - reject . do x pay . 0 + R . eq R = t . (do x - reject . do x pay . 0) . ops P’ Q’ R’ : -> Process . *** should be honest eq P’ = (x)(tell x CB . (do x clickPay . do x pay . 0 + do x clickVoucher . ((y) tell y CV . Q’))) . eq Q’ = do y ok . do x - accept . do x voucher . 0 + do y no . do x - reject . do x pay . 0 + R’ . eq R’ = t . (do x - reject . do x pay . 0 | (do y no . 0 + do y ok . 0)) . reduce in STORE-VOUCHER : honest(P, [’STORE-VOUCHER]) . rewrites: 31649 in 40ms cpu (39ms real) (791185 rewrites/second) result TSystem: < ($ 0,$ 1)(A[do $ 0 - reject . do $ 0 pay . (0).Sum] | $ 0[- accept ; voucher . 0(+)- reject ; pay . 0] | $ 1[ready ok . 0]) > reduce in STORE-VOUCHER : honest(P’, [’STORE-VOUCHER]) . rewrites: 44010 in 32ms cpu (31ms real) (1375226 rewrites/second) result Bool: true

41