Monitoring Networks through Multiparty Session Types



Laura Bocchi (1), Tzu-Chun Chen (2), Romain Demangeon (2), Kohei Honda (2), and Nobuko Yoshida (3)
(1) University of Leicester, (2) Queen Mary, University of London, (3) Imperial College London

Abstract. In large-scale distributed infrastructures, applications are realised through communications among distributed components. Despite the need for methods for assuring safe interactions in such environments, the existing frameworks relying on centralised verification or restricted specification methods have limited applicability. This paper proposes a new theory of monitored π-calculus with dynamic usage of multiparty session types (MPST), offering a rigorous foundation for safety assurance of distributed components which asynchronously communicate through multiparty sessions. Our theory establishes a framework for semantically precise decentralised run-time enforcement and provides reasoning principles over monitored distributed applications, which complement existing static analysis techniques. We introduce asynchrony by means of an explicit router and global queues, and propose novel equivalences between networks, capturing the notion of interface equivalence, i.e. equating networks offering the same services to a user. We illustrate our static-dynamic analysis system with an ATM protocol as a running example and justify our theory with results: satisfaction equivalence, local/global safety and transparency, and session fidelity.

1 Introduction

One of the main engineering challenges for distributed systems is the comprehensive verification of distributed software without relying on ad-hoc and expensive testing techniques. Multiparty session types (MPST) is a typing discipline for communication programming, originally developed in the π-calculus [1, 2, 6, 10, 11, 14] towards tackling this challenge. The idea is that applications are built starting from units of design called sessions. Each type of session, involving multiple roles, is first modelled from a global perspective (global type) and then projected onto local types, one for each role involved. As a verification method, the existing MPST systems focus on static type checking of endpoint processes against local types. The standard properties enjoyed by well-typed processes are communication safety (all processes conform to globally agreed communication protocols) and freedom from deadlocks.

The direct application of the theoretical MPST techniques to current practice, however, presents a few obstacles. Firstly, the existing type systems are targeted at calculi with first-class primitives for linear communication channels and communication-oriented control flow; the majority of mainstream engineering languages would need to be extended in this sense to be suitable for syntactic session type checking. Unfortunately, it is not always straightforward to add these features to specific host languages (e.g. linear resource typing for a very liberal language like C). Furthermore, the executable processes in a distributed system may be implemented in different languages. Secondly, for domains where dynamically typed or untyped languages are popular (e.g., Web programming), or in multi-organisational scenarios, the introduction of static typing infrastructure to support MPST may not be realistic.

This paper proposes a theoretical system addressing the above issues by enabling both static and dynamic verification of communicating processes. The aim is to capture the decentralised nature of distributed application development, providing better support for heterogeneous distributed systems by allowing components to be independently implemented, using different languages, libraries and programming techniques, as well as being independently verified, either statically or dynamically, while retaining the strong global safety properties of statically verified homogeneous systems. This work is motivated in part by our ongoing collaboration with the Ocean Observatories Initiative (OOI) [17, 18], a project to establish cyberinfrastructure for the delivery, management and analysis of scientific data from a large network of ocean sensor systems. Their architecture relies on the combination of high-level protocol specifications (to express how the infrastructure services should be used) and distributed run-time monitoring to regulate the behaviour of third-party applications in the system.

A formal theory for static/dynamic verification. Our framework is based on the idea that, if each endpoint is independently verified (statically or dynamically) to conform to its local protocol, then the global protocol is respected as a whole. To this end, we propose a new formal model and bisimulation theories of heterogeneous networks of monitored and unmonitored processes. For the first time, we make explicit the routing mechanism implicitly present inside the MPST framework: in a session, messages are sent to abstract roles (e.g. to a Seller) and the router, a dynamically updated component of the network, translates these roles into actual addresses. By taking this feature into account when designing novel equivalences, our formal model can relate networks built in different ways (through different distributions or relocations of services) but offering the same interface to an external observer. The router, being in charge of associating roles with principals, hides from an external user the internal composition of a network: what distinguishes two networks is not their structure but the services they are able to perform, or more precisely, the local types they offer to the outside.

We formally define a satisfaction relation to express when the behaviour of a network conforms to a global specification and we prove a number of properties of our model. Local safety states that a monitored process respects its local protocol, i.e. that dynamic verification by monitoring is sound, while local transparency states that a monitored process has equivalent behaviour to an unmonitored but well-behaved process, e.g. one statically verified against the same local protocol. Global safety states that a system satisfies the global protocol, provided that each participant behaves as if monitored, while global transparency states that a fully monitored network has equivalent behaviour to an unmonitored but well-behaved network, i.e. one in which all local processes are well-behaved against the same local protocols. Session fidelity states that, as all message flows of a network satisfy global specifications, whenever the network changes because some local processes take actions, all message flows continue to satisfy global specifications. Together, these properties justify our framework for decentralised verification by allowing monitored and unmonitored processes to be safely mixed while preserving protocol conformance for the entire network. Technically, these properties also ensure the coherence of our theory, by relating the satisfaction relations with the semantics and static validation procedures.

Paper summary and contributions. §2 introduces the formalisms for protocol specifications (§2.1) and networks (§2.2) used to provide a formal framework for monitored networks based on π-calculus processes and on protocol-based run-time enforcement through monitors. §3 introduces a semantics for specifications (§3.1) and a novel behavioural theory for compositional reasoning over monitored networks through the use of equivalences (bisimilarity and barbed congruence) and the satisfaction relation (§3.2). §3.4 establishes key properties of monitored networks, namely local/global safety, transparency, and session fidelity. We discuss related work in §4 and future work in §5. Proof details can be found in Appendices A and B.

2 Distributed processes and networks: a formal presentation

This section and the next one provide a theoretical basis for protocol-centred safety assurance. We first summarise the syntax of MPSTs (multiparty session types) annotated with logical assertions [2]. We then introduce a novel monitored session calculus as a variant of the π-calculus, modelling distributed dynamic components (whose behaviours are realised by processes) and monitors, all residing in global networks.

Fig. 1. Global and local types with assertions

$A ::= \mathtt{tt} \mid \mathtt{ff} \mid e_1 = e_2 \mid e_1 < e_2 \mid \neg A \mid A_1 \wedge A_2 \mid A_1 \vee A_2$
$e ::= v \mid e_1 + e_2 \mid e_1 - e_2 \mid e_1 \times e_2 \mid e_1 \bmod e_2$
$S ::= \mathtt{bool} \mid \mathtt{int} \mid \mathtt{string}$
$G ::= r_1 \to r_2 : \{ l_i(x_i : S_i)\{A_i\}.G_i \}_{i \in I} \mid G_1 \,|\, G_2 \mid G_1 ; G_2 \mid \mu \mathbf{t}.G \mid \mathbf{t} \mid \varepsilon \mid \mathtt{end}$
$T ::= r!\{ l_i(x_i : S_i)\{A_i\}.T_i \}_{i \in I} \mid r?\{ l_i(x_i : S_i)\{A_i\}.T_i \}_{i \in I} \mid T_1 \,|\, T_2 \mid T_1 ; T_2 \mid \mu \mathbf{t}.T \mid \mathbf{t} \mid \varepsilon \mid \mathtt{end}$
2.1 Multiparty session types with assertions

Multiparty session types with assertions [2] are abstract descriptions of the structure of interactions among the participants of a multiparty session, specifying potential flows of messages, the conditions under which these interactions may take place, and the constraints on the communicated values. In this framework, global types with assertions, or just global types, describe multiparty sessions from a network perspective. From global types one can derive, through endpoint projection, local types with assertions, or just local types, describing the protocol from the perspective of a single endpoint. The syntax of the global types ($G, G', \ldots$) and local types ($T, T', \ldots$) is given in Figure 1. The grammar is based on [2, 11] extended with parallel threads (which also require sequential composition to merge parallel threads) as in [23]. We let values $v, v', \ldots$ range over boolean constants, numerals and strings, and $e, e', \ldots$ range over first-order expressions. For expressing constraints, we use logical predicates, or assertions, ranged over by $A, A', \ldots$, whose grammar is also given in Figure 1. The sorts of exchanged values ($S, S', \ldots$) consist of atomic types.

Global types with assertions. $r_1 \to r_2 : \{ l_i(x_i : S_i)\{A_i\}.G_i \}_{i \in I}$ models an interaction where role $r_1$ sends role $r_2$ one of the branch labels $l_i$, as well as a value denoted by an interaction variable $x_i$ of sort $S_i$. Interaction variable $x_i$ binds its occurrences in $A_i$ and $G_i$. $A_i$ is the assertion which needs to hold for $r_1$ to select $l_i$, and which may constrain the values instantiating $x_i$. $G_1 \,|\, G_2$ specifies two parallel sessions, and $G_1 ; G_2$ denotes sequential composition (assuming that $G_1$ does not include $\mathtt{end}$). $\mu \mathbf{t}.G$ is a recursive type, where $\mathbf{t}$ is guarded in $G$ in the standard way. $\varepsilon$ is the inaction for absence of communication, and $\mathtt{end}$ ends the session.

Example 1 (ATM: the global type). We present global type $G_{ATM}$ that specifies an ATM scenario. Each session of ATM involves three roles: a client (C), the payment server (S) and a separate authenticator (A).

$G_{ATM} = C \to A : \{\, Login(x_i : \mathtt{string})\{\mathtt{tt}\}.\; A \to S : \{\, LoginOK()\{\mathtt{tt}\}.\; A \to C : \{ LoginOK()\{\mathtt{tt}\}.\, G_{Loop} \},\; LoginFail()\{\mathtt{tt}\}.\; A \to C : \{ LoginFail()\{\mathtt{tt}\}.\, \mathtt{end} \} \,\} \,\}$

$G_{Loop} = \mu\, LOOP.\; S \to C : \{\, Account(x_b : \mathtt{int})\{x_b \ge 0\}.\; C \to S : \{\, Withdraw(x_p : \mathtt{int})\{x_p > 0 \wedge x_b - x_p \ge 0\}.\, LOOP,\; Deposit(x_d : \mathtt{int})\{x_d > 0\}.\, LOOP,\; Quit()\{\mathtt{tt}\}.\, \mathtt{end} \,\} \,\}$

At the start of the session C sends its login details $x_i$ to A, then A informs S and C whether the authentication is successful, by choosing either the branch with label LoginOK or LoginFail. In the former case C and S enter a transaction loop specified by $G_{Loop}$. In each iteration S sends C the amount $x_b$ available in the account, which must be non-negative. Next, C has three choices: Withdraw withdraws an amount $x_p$ ($x_p$ must be positive and not exceed the current amount $x_b$) and repeats the loop, Deposit deposits a positive amount $x_d$ in the account and repeats the loop, and Quit ends the session.

Local types with assertions. Each local type $T$ is associated with a role taking part in a session. In the grammar of local types, $r!\{ l_i(x_i : S_i)\{A_i\}.T_i \}_{i \in I}$ models an interaction where the role under consideration sends $r$ a branch label $l_i$ and a message denoted by an interaction variable $x_i$ of sort $S_i$. Its dual is the receive (branching) interaction $r?\{ l_i(x_i : S_i)\{A_i\}.T_i \}_{i \in I}$. The other local types are similar to the global types. One can derive a set of local types $T_i$ from a global type $G$ by endpoint projection, defined as in [2]. We write $G \!\upharpoonright\! r$ for the projection of $G$ onto role $r$. We illustrate the main projection rule, which is for projecting a global type modelling an interaction. Let $G$ be $r \to r' : \{ l_i(x_i : S_i)\{A_i\}.G_i \}_{i \in I}$; the projection of $G$ on $r$ is $r'!\{ l_i(x_i : S_i)\{A_i\}.(G_i \!\upharpoonright\! r) \}_{i \in I}$, and the projection of $G$ on $r'$ is $r?\{ l_i(x_i : S_i)\{A_i\}.(G_i \!\upharpoonright\! r') \}_{i \in I}$. The other rules are homomorphic, following the grammar of global types inductively.
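The projection rule above is easiest to check mechanically. The following is an added example, not the paper's own code or the definition in [2]: it encodes global types with assertions as plain Python tuples and implements the interaction rule of this paragraph. Two cases the paragraph leaves to [2] are filled with assumed rules that are stated in the comments: when the projected role takes no part in a choice, the projections of the branches are merged (inputs from the same peer merge by taking the union of their labels; anything else is rejected as not projectable), and a recursion in which the role does not occur projects to end. Assertions are carried as strings. Projecting $G_{ATM}$ on C reproduces $T_C$ from Example 2 below.

```python
# Added example (not the paper's code).  Global types:
#   ("comm", sender, receiver, [(label, var, sort, assertion, G), ...])
#   ("par", G1, G2)  ("seq", G1, G2)  ("rec", t, G)  ("var", t)  ("end",)
# Local types: ("send", peer, branches), ("recv", peer, branches), rest as above.


def roles(G):
    """Set of roles occurring in a global type."""
    kind = G[0]
    if kind == "comm":
        out = {G[1], G[2]}
        for _, _, _, _, Gi in G[3]:
            out |= roles(Gi)
        return out
    if kind in ("par", "seq"):
        return roles(G[1]) | roles(G[2])
    if kind == "rec":
        return roles(G[2])
    return set()


def merge(T1, T2):
    """Assumed merge rule for a role not involved in a choice: identical
    types merge trivially; two inputs from the same peer merge by label union
    (same label => same variable/sort/assertion, continuations merged)."""
    if T1 == T2:
        return T1
    if T1[0] == T2[0] == "recv" and T1[1] == T2[1]:
        merged = list(T1[2])
        index = {b[0]: i for i, b in enumerate(merged)}
        for b in T2[2]:
            if b[0] not in index:
                merged.append(b)
                continue
            a = merged[index[b[0]]]
            if a[1:4] != b[1:4]:
                raise ValueError(f"label {b[0]}: incompatible variable, sort or assertion")
            merged[index[b[0]]] = a[:4] + (merge(a[4], b[4]),)
        return ("recv", T1[1], merged)
    if T1[0] == T2[0] == "rec" and T1[1] == T2[1]:
        return ("rec", T1[1], merge(T1[2], T2[2]))
    raise ValueError(f"not projectable: cannot merge {T1[0]} with {T2[0]}")


def project(G, r):
    """Endpoint projection G|r: the interaction rule of the text, the
    homomorphic cases, and the two assumed rules noted above."""
    kind = G[0]
    if kind == "comm":
        _, sender, receiver, branches = G
        proj = [(lab, x, S, A, project(Gi, r)) for lab, x, S, A, Gi in branches]
        if r == sender:
            return ("send", receiver, proj)
        if r == receiver:
            return ("recv", sender, proj)
        out = proj[0][4]                      # r is a bystander: merge branches
        for b in proj[1:]:
            out = merge(out, b[4])
        return out
    if kind in ("par", "seq"):
        return (kind, project(G[1], r), project(G[2], r))
    if kind == "rec":
        if r not in roles(G[2]):              # assumed: absent role sees end
            return ("end",)
        return ("rec", G[1], project(G[2], r))
    return G                                  # ("var", t), ("eps",), ("end",)


def is_projectable(G, r):
    try:
        project(G, r)
        return True
    except ValueError:
        return False


# G_ATM and G_Loop of Example 1, transcribed into the tuple encoding.
G_LOOP = ("rec", "LOOP", ("comm", "S", "C", [
    ("Account", "x_b", "int", "x_b >= 0", ("comm", "C", "S", [
        ("Withdraw", "x_p", "int", "x_p > 0 and x_b - x_p >= 0", ("var", "LOOP")),
        ("Deposit", "x_d", "int", "x_d > 0", ("var", "LOOP")),
        ("Quit", None, None, "tt", ("end",))]))]))

G_ATM = ("comm", "C", "A", [("Login", "x_i", "string", "tt", ("comm", "A", "S", [
    ("LoginOK", None, None, "tt",
     ("comm", "A", "C", [("LoginOK", None, None, "tt", G_LOOP)])),
    ("LoginFail", None, None, "tt",
     ("comm", "A", "C", [("LoginFail", None, None, "tt", ("end",))]))]))])

# T_C of Example 2, for comparison with project(G_ATM, "C").
T_C_LOOP = ("rec", "LOOP", ("recv", "S", [
    ("Account", "x_b", "int", "x_b >= 0", ("send", "S", [
        ("Withdraw", "x_p", "int", "x_p > 0 and x_b - x_p >= 0", ("var", "LOOP")),
        ("Deposit", "x_d", "int", "x_d > 0", ("var", "LOOP")),
        ("Quit", None, None, "tt", ("end",))]))]))
T_C = ("send", "A", [("Login", "x_i", "string", "tt", ("recv", "A", [
    ("LoginOK", None, None, "tt", T_C_LOOP),
    ("LoginFail", None, None, "tt", ("end",))]))])

if __name__ == "__main__":
    assert project(G_ATM, "C") == T_C
    print("projection of G_ATM on C matches T_C")
```

The merge step is where a bystander's view of a choice is fixed: C never sees the A→S decision directly, yet its projection must offer both LoginOK and LoginFail from A, which the union of input branches provides. A choice whose branches would give a bystander two different outputs has no such merge and `is_projectable` reports it.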

Fig. 2. Processes and networks: syntax

$P ::= \bar a\langle s[r] : T\rangle \mid a(y[r] : T).P \mid k[r_1,r_2]!\,l\langle e\rangle \mid k[r_1,r_2]?\{ l_i(x_i).P_i \}_{i \in I} \mid \mathtt{if}\ e\ \mathtt{then}\ P\ \mathtt{else}\ Q \mid P \,|\, Q \mid 0 \mid \mu X.P \mid X \mid P ; Q \mid (\nu a)P \mid (\nu s)P$
$N ::= [P]_\alpha \mid N_1 \,|\, N_2 \mid 0 \mid (\nu a)N \mid (\nu s)N \mid \langle \mathsf{r} ; h \rangle$
$\mathsf{r} ::= a \mapsto \alpha \mid s[r] \mapsto \alpha \qquad h ::= m \cdot h \mid \emptyset \qquad m ::= \bar a\langle s[r] : T\rangle \mid s\langle r_1, r_2, l\langle v\rangle\rangle$

$r, r_1, \ldots$ roles; $s, s', \ldots$ session names; $X, Y, \ldots$ process variables; $a, b, \ldots$ shared names; $x, y, \ldots$ variables; $P, Q, \ldots$ processes; $\alpha, \beta, \ldots$ principal names; $N, N', \ldots$ networks.

Example 2 (ATM: the local type of C). We present the local type $T_C$ obtained by projecting $G_{ATM}$ on role C.

$T_C = A!\{\, Login(x_i : \mathtt{string})\{\mathtt{tt}\}.\; A?\{\, LoginOK()\{\mathtt{tt}\}.\, T_{Loop},\; LoginFail()\{\mathtt{tt}\}.\, \mathtt{end} \,\} \,\}$

$T_{Loop} = \mu\, LOOP.\; S?\{ Account(x_b : \mathtt{int})\{x_b \ge 0\}.\; S!\{ Withdraw(x_p : \mathtt{int})\{x_p > 0 \wedge x_b - x_p \ge 0\}.\, LOOP,\; Deposit(x_d : \mathtt{int})\{x_d > 0\}.\, LOOP,\; Quit()\{\mathtt{tt}\}.\, \mathtt{end} \} \}$

$T_C$ specifies the behaviour that C should follow to meet the contract of the original global type $G_{ATM}$. $T_C$ states that C should first authenticate with A, then receive the Account message from S, and then has the choice of sending Withdraw (and enact the recursion), or Deposit (and enact the recursion), or Quit (and end the session).

2.2 Formal framework of processes and networks

In our formal framework, each distributed application consists of one or more sessions among principals. A principal with behaviour $P$ and name $\alpha$ is represented as $[P]_\alpha$. A network is a set of principals together with a (unique) global transport, which abstractly represents the communication functionality of a distributed system. The syntax of processes, principals and networks is given in Figure 2, building on the multiparty session π-calculus from [1].

Processes. Processes are ranged over by $P, P', \ldots$ and communicate using two types of channel: shared channels (or shared names), used by processes for sending and receiving invitations to participate in sessions, and session channels (or session names), used for communication within established sessions. One may consider session names as e.g. URLs or service names. The session invitation $\bar a\langle s[r] : T\rangle$ invites, through a shared name $a$, another process to play $r$ in a session $s$. The session accept $a(y[r] : T).P$ receives a session invitation and, after instantiating $y$ with the received session name, behaves in its continuation $P$ as specified by local type $T$ for role $r$. The selection $k[r_1,r_2]!\,l\langle e\rangle$ sends, through session channel $k$ (of an established session), as sender $r_1$ and to receiver $r_2$, an expression $e$ with label $l$. The branching $k[r_1,r_2]?\{ l_i(x_i).P_i \}_{i \in I}$ is ready to receive one of the labels $l_i$ and a value, then behaves as $P_i$ after instantiating $x_i$ with the received value. We omit labels when $I$ is a singleton. The conditional, parallel composition and inaction are standard. The recursion $\mu X.P$ defines $X$ as $P$. Processes $(\nu a)P$ and $(\nu s)P$ hide shared names and session names, respectively.

Principals and networks. A principal $[P]_\alpha$, with its process $P$ and name $\alpha$, represents a unit of behaviour (hence of verification) in a distributed system. A network $N$ is a collection of principals with a unique global transport. A global transport $\langle \mathsf{r} ; h \rangle$ is a pair of a global queue and a routing table which delivers messages to principals. Messages between two parties inside a single session are ordered (as in a TCP connection), otherwise unordered. More precisely, in $\langle \mathsf{r} ; h \rangle$, $h$ is a global queue, which is a sequence of messages $\bar a\langle s[r] : T\rangle$ or $s\langle r_1, r_2, l\langle v\rangle\rangle$, ranged over by $m$. These $m$ represent messages-in-transit, i.e. those messages which have been sent from some principals but have not yet been delivered. The routing table $\mathsf{r}$ is a finite map from session-roles and shared names to principals. If, for instance, $s[r] \mapsto \alpha \in \mathsf{r}$ then a message for $r$ in session $s$ will be delivered to principal $\alpha$. Let $n, n', \ldots$ range over shared and session channels. A network $N$ which satisfies the following conditions is well-formed: (1) $N$ contains at most one global transport; (2) two principals in $N$ never have the same name; and (3) if $N \equiv (\nu \tilde n)(\prod_i [P_i]_{\alpha_i} \,|\, \langle \mathsf{r} ; h \rangle)$, each free shared or session name in $P_i$ and $h$ occurs in $\tilde n$ (we use $\prod_i P_i$ to denote $P_1 \,|\, P_2 \,|\, \cdots \,|\, P_n$).

Fig. 3. Reduction for dynamic networks

[REQ] $[\bar a\langle s[r] : T\rangle]_\alpha \,|\, \langle \mathsf{r} ; h \rangle \;\to\; [0]_\alpha \,|\, \langle \mathsf{r} ; h \cdot \bar a\langle s[r] : T\rangle \rangle$
[ACC] $[a(y[r] : T).P]_\alpha \,|\, \langle \mathsf{r} ; \bar a\langle s[r] : T\rangle \cdot h \rangle \;\to\; [P[s/y]]_\alpha \,|\, \langle \mathsf{r} \cup \{s[r] \mapsto \alpha\} ; h \rangle$ if $\mathsf{r}(a) = \alpha$
[SEL] $[s[r_1,r_2]!\,l_j\langle v\rangle]_\alpha \,|\, \langle \mathsf{r} ; h \rangle \;\to\; [0]_\alpha \,|\, \langle \mathsf{r} ; h \cdot s\langle r_1, r_2, l_j\langle v\rangle\rangle \rangle$ if $\mathsf{r}(s[r_2]) \ne \alpha$
[BRA] $[s[r_1,r_2]?\{ l_i(x_i).P_i \}_i]_\alpha \,|\, \langle \mathsf{r} ; s\langle r_1, r_2, l_j\langle v\rangle\rangle \cdot h \rangle \;\to\; [P_j[v/x_j]]_\alpha \,|\, \langle \mathsf{r} ; h \rangle$ if $\mathsf{r}(s[r_2]) = \alpha$
[CND] $[\mathtt{if}\ \mathtt{tt}\ \mathtt{then}\ P\ \mathtt{else}\ Q]_\alpha \to [P]_\alpha$ and $[\mathtt{if}\ \mathtt{ff}\ \mathtt{then}\ P\ \mathtt{else}\ Q]_\alpha \to [Q]_\alpha$
[CTX] if $[P]_\alpha \,|\, N \to [P']_\alpha \,|\, N'$ then $[E(P)]_\alpha \,|\, N \to [E(P')]_\alpha \,|\, N'$; if $e \to e'$ then $[E(e)]_\alpha \to [E(e')]_\alpha$; if $N \to N'$ then $E(N) \to E(N')$
$E ::= (\ ) \mid E \,|\, P \mid (\nu s)E \mid (\nu a)E \mid E ; P \mid E \,|\, N \mid \mathtt{if}\ E\ \mathtt{then}\ P\ \mathtt{else}\ Q \mid s[r_1,r_2]!\,l\langle E\rangle$

Semantics. The reduction relation is generated from the rules in Figure 3. The rules model the interactions of principals with the global queue. Rule REQ places an invitation in the global queue. Dually, in ACC, a process receives an invitation on a shared name from the global queue, assuming a message on $a$ is to be routed to $\alpha$. As a result, the routing table adds $s[r] \mapsto \alpha$ in the entry for $s$. Rule SEL puts in the queue a message sent from $r_1$ to $r_2$, which selects label $l_j$ and carries $v$, if it is not going to be routed to $\alpha$ (i.e. sent to self). Dually, BRA gets a message with label $l_j$ from the global queue, so that the $j$-th process $P_j$ receives value $v$. The reduction is also defined modulo the structural congruence defined by the standard laws over processes/networks, the unfolding of recursion ($\mu X.P \equiv P[\mu X.P/X]$), associativity and commutativity, and the rules of message permutation in the queue [10, 14]. The other rules are standard.

Example 3 (ATM: an implementation). We now illustrate the processes implementing the client role of the ATM protocol. We let $P_C$ be the process implementing $T_C$ (from Example 2) and communicating on session channel $s$.

$P_C = s[C,A]!\,Login\langle \text{"alice pwd123"}\rangle ;\; s[A,C]?\{ LoginOK().\mu X.P'_C,\; LoginFail().0 \}$
$P'_C = s[S,C]?\,Account(x_b).P''_C$
$P''_C = \mathtt{if}\ getmore() \wedge (x_b \ge 10)\ \mathtt{then}\ s[C,S]!\,Withdraw\langle 10\rangle ; X\ \mathtt{else}\ s[C,S]!\,Quit\langle\rangle ; 0$

Note that $P_C$ selects only two of the possible branches (i.e., Withdraw and Quit) and Deposit is never selected. One can think of $P_C$ as an ATM machine that only allows withdrawing a number of 10-unit banknotes, until the amount would exceed the current balance. This ATM machine does not allow deposits. We assume $getmore()$ to be a function local to the principal running $P_C$ that returns $\mathtt{tt}$ if more notes are required and $\mathtt{ff}$ otherwise. $P_S$ below implements the server role:

$P_S = s[A,S]?\{ LoginOK().\mu X.P'_S,\; LoginFail().0 \}$
$P'_S = s[S,C]!\,Account\langle getBalance()\rangle ; P''_S$
$P''_S = s[C,S]?\{ Withdraw(x_p).X,\; Deposit(x_d).X,\; Quit().0 \}$

where $getBalance()$ is a function local to the principal running $P_S$ that synchronously returns the current balance of the client.

3 Theory of dynamic safety assurance

In this section we formalise the specifications (based on local types) used to guard the runtime behaviour of the principals in a network. These specifications can be embedded into system monitors, each wrapping a principal to ensure that the ongoing communication conforms to the given specification. Then, we present a behavioural theory for monitored networks and its safety properties.

3.1 Semantics of global specifications

The specification of the (correct) behaviour of a principal consists of an assertion environment $\Gamma ; \Delta$, where $\Gamma$ is the shared environment describing the behaviour on shared channels, and $\Delta$ is the session environment representing the behaviour on session channels. The syntax of $\Gamma$ and $\Delta$ is given by:

$\Gamma ::= \emptyset \mid \Gamma, a : I(T[r]) \mid \Gamma, a : O(T[r]) \qquad \Delta ::= \emptyset \mid \Delta, s[r] : T$

In $\Gamma$, the type assignment $a : I(T[r])$ (resp. $a : O(T[r])$) states that the principal can, through $a$, receive (resp. send) invitations to play role $r$ in a session instance specified by $T$. In $\Delta$, we write $s[r] : T$ when the principal is playing role $r$ of session $s$ specified by $T$. Networks are monitored with respect to collections of specifications, or just specifications, one for each principal in the network. A specification $\Sigma, \Sigma', \ldots$ is a finite map assigning assertion environments to principals:

$\Sigma ::= \emptyset \mid \Sigma, \alpha : \Gamma ; \Delta$

The semantics of $\Sigma$ is defined by the labelled transition relation in Figure 4, which uses the following labels:

$\ell ::= \bar a\langle s[r] : T\rangle \mid a\langle s[r] : T\rangle \mid s[r_1,r_2]!\,l\langle v\rangle \mid s[r_1,r_2]?\,l\langle v\rangle \mid \tau$

Fig. 4. Labelled transition relation for specifications

[REQ] $\langle \alpha : \Gamma, a : O(T[r]) ; \Delta \rangle \xrightarrow{\bar a\langle s[r] : T\rangle} \langle \alpha : \Gamma, a : O(T[r]) ; \Delta \rangle$ ($s \notin dom(\Delta)$)
[ACC] $\langle \alpha : \Gamma, a : I(T[r]) ; \Delta \rangle \xrightarrow{a\langle s[r] : T\rangle} \langle \alpha : \Gamma, a : I(T[r]) ; \Delta, s[r] : T \rangle$
[BRA] if $\Gamma \vdash v : S_j$, $A_j[v/x_j] \downarrow \mathtt{tt}$ and $j \in I$, then $\langle \alpha : \Gamma ; \Delta, s[r_2] : r_1?\{ l_i(x_i : S_i)\{A_i\}.T_i \}_{i \in I} \rangle \xrightarrow{s[r_1,r_2]?\,l_j\langle v\rangle} \langle \alpha : \Gamma ; \Delta, s[r_2] : T_j[v/x_j] \rangle$
[SEL] if $\Gamma \vdash v : S_j$, $A_j[v/x_j] \downarrow \mathtt{tt}$ and $j \in I$, then $\langle \alpha : \Gamma ; \Delta, s[r_1] : r_2!\{ l_i(x_i : S_i)\{A_i\}.T_i \}_{i \in I} \rangle \xrightarrow{s[r_1,r_2]!\,l_j\langle v\rangle} \langle \alpha : \Gamma ; \Delta, s[r_1] : T_j[v/x_j] \rangle$
[SPL] if $\langle \alpha : \Gamma_1 ; \Delta_1 \rangle \xrightarrow{\ell} \langle \alpha : \Gamma_1 ; \Delta'_1 \rangle$ then $\langle \alpha : \Gamma_1 ; \Delta_1 \,|\, \Delta_2 \rangle \xrightarrow{\ell} \langle \alpha : \Gamma_1 ; \Delta'_1 \,|\, \Delta_2 \rangle$
[TAU] $\Sigma \xrightarrow{\tau} \Sigma$
[PAR] if $\Sigma_1 \xrightarrow{\ell} \Sigma_2$ then $\Sigma_1, \Sigma_3 \xrightarrow{\ell} \Sigma_2, \Sigma_3$

The first two labels are for invitation actions; the first is for requesting and the second for accepting. Labels with $s[r_1,r_2]$ indicate interaction actions for sending (!) or receiving (?) messages within sessions. Rule [REQ] allows $\alpha$ to send an invitation on a properly typed shared channel $a$ (i.e., given that the shared environment maps $a$ to $T[r]$). Rule [ACC] allows $\alpha$ to receive an invitation to be role $r$ in a new session $s$, on a properly typed shared channel $a$. Rule [BRA] allows $\alpha$, participating in session $s$ as $r_2$, to receive a message with label $l_j$ from $r_1$, given that $A_j$ is satisfied after replacing $x_j$ with the received value $v$. After the application of this rule the specification is $T_j$. Rule [SEL] is the symmetric (output) counterpart of [BRA]. We use $\downarrow$ to denote the evaluation of a logical assertion. [SPL] is the parallel composition of two session environments, where $\Delta_1 \,|\, \Delta_2$ composes two local types:

$\Delta_1 \,|\, \Delta_2 = \{ s[r] : (T_1 \,|\, T_2) \mid T_i = \Delta_i(s[r]),\ s[r] \in dom(\Delta_1) \cap dom(\Delta_2) \} \cup \Delta_1 / dom(\Delta_2) \cup \Delta_2 / dom(\Delta_1)$

[TAU] says that the specification should be invariant under reduction of principals. [PAR] says that if $\Sigma_1$ and $\Sigma_3$ are composable, then after $\Sigma_1$ becomes $\Sigma_2$ they are still composable.

3.2 Semantics of dynamic monitoring

The endpoint monitor $M, M', \ldots$ for principal $\alpha$ is a specification $\langle \alpha : \Gamma ; \Delta \rangle$ used to dynamically ensure that the messages to and from $\alpha$ are legal with respect to $\Gamma$ and $\Delta$. Technically, the labelled transitions of a monitor are the labelled transitions of its corresponding specification (i.e., Figure 4) and are used, in monitored networks, to preserve the good actions and discard the bad ones. A monitored network $\mathcal{N}$ is a network $N$ with monitors, obtained by extending the syntax of networks as:

$\mathcal{N} ::= N \mid M \mid \mathcal{N} \,|\, \mathcal{N} \mid (\nu s)\mathcal{N} \mid (\nu a)\mathcal{N}$

Fig. 5. Reduction rules for monitored networks (we assume $M = \langle \alpha : \Gamma ; \Delta \rangle$ and omit BRA′ER)

[REQ′] if $M \xrightarrow{\bar a\langle s[r] : T\rangle} M'$ then $[\bar a\langle s[r] : T\rangle]_\alpha \,|\, M \,|\, \langle \mathsf{r} ; h \rangle \to [0]_\alpha \,|\, M' \,|\, \langle \mathsf{r} ; h \cdot \bar a\langle s[r] : T\rangle \rangle$
[ACC′] if $M \xrightarrow{a\langle s[r] : T\rangle} M'$ and $\mathsf{r}(a) = \alpha$ then $[a(y[r] : T).P]_\alpha \,|\, M \,|\, \langle \mathsf{r} ; \bar a\langle s[r] : T\rangle \cdot h \rangle \to [P[s/y]]_\alpha \,|\, M' \,|\, \langle \mathsf{r} \cup \{s[r] \mapsto \alpha\} ; h \rangle$
[BRA′] if $M \xrightarrow{s[r_1,r_2]?\,l_j\langle v\rangle} M'$ and $\mathsf{r}(s[r_2]) = \alpha$ then $[s[r_1,r_2]?\{ l_i(x_i).P_i \}_i]_\alpha \,|\, M \,|\, \langle \mathsf{r} ; s\langle r_1, r_2, l_j\langle v\rangle\rangle \cdot h \rangle \to [P_j[v/x_j]]_\alpha \,|\, M' \,|\, \langle \mathsf{r} ; h \rangle$
[SEL′] if $M \xrightarrow{s[r_1,r_2]!\,l\langle v\rangle} M'$ and $\mathsf{r}(s[r_2]) \ne \alpha$ then $[s[r_1,r_2]!\,l\langle v\rangle]_\alpha \,|\, M \,|\, \langle \mathsf{r} ; h \rangle \to [0]_\alpha \,|\, M' \,|\, \langle \mathsf{r} ; h \cdot s\langle r_1, r_2, l\langle v\rangle\rangle \rangle$
[REQ′ER] if $M \not\xrightarrow{\bar a\langle s[r] : T\rangle}$ then $[\bar a\langle s[r] : T\rangle]_\alpha \,|\, M \,|\, \langle \mathsf{r} ; h \rangle \to [0]_\alpha \,|\, M \,|\, \langle \mathsf{r} ; h \rangle$
[ACC′ER] if $M \not\xrightarrow{a\langle s[r] : T\rangle}$ then $[a(y[r] : T).P]_\alpha \,|\, M \,|\, \langle \mathsf{r} ; \bar a\langle s[r] : T\rangle \cdot h \rangle \to [a(y[r] : T).P]_\alpha \,|\, M \,|\, \langle \mathsf{r} ; h \rangle$
[SEL′ER] if $M \not\xrightarrow{s[r_1,r_2]!\,l\langle v\rangle}$ then $[s[r_1,r_2]!\,l\langle v\rangle]_\alpha \,|\, M \,|\, \langle \mathsf{r} ; h \rangle \to [0]_\alpha \,|\, M \,|\, \langle \mathsf{r} ; h \rangle$

The reduction rules for monitored networks are given in Figure 5. The first four rules model reductions that are allowed by the monitor (i.e., in the premise). Rule REQ′ inserts an invitation in the global queue. Rule ACC′ is symmetric and updates the router so that all messages for role $r$ in session $s$ will be routed to $\alpha$. Similarly, BRA′ (resp. SEL′) extracts (resp. introduces) messages from (resp. in) the global queue. The error cases for REQ′ and SEL′, namely REQ′ER and SEL′ER, skip the current action (removing it from the process) and modify neither the queue, the router nor the state of the monitor. The error cases for ACC′ and BRA′, namely ACC′ER and BRA′ER (the latter omitted for space constraints), do not affect the process, which remains ready to perform the action, and remove the violating message from the queue.

Example 4 (ATM: a monitored network). We illustrate the monitored networks for the ATM scenario, where the routing table is defined as

$\mathsf{r} = a \mapsto \alpha,\ b \mapsto \beta,\ c \mapsto \gamma,\ s[S] \mapsto \alpha,\ s[C] \mapsto \beta,\ s[A] \mapsto \gamma$

We consider the fragment of the session in which the authentication has occurred, hence the process of C (resp. S) is $P'_C$ (resp. $P'_S$) from Example 3, and the process of A is $0$.

$N_S = [P'_S]_\alpha \,|\, M_S = [s[S,C]!\,Account\langle 100\rangle ; P''_S]_\alpha \,|\, M_S$ (assuming $getBalance() = 100$)
$N_C = [P'_C]_\beta \,|\, M_C = [s[S,C]?\,Account(x_b).P''_C]_\beta \,|\, M_C$
$N_A = [0]_\gamma \,|\, \langle \gamma : c : T_A[A] ; s[A] : \mathtt{end} \rangle$

where e.g. $M_S = \langle \alpha : a : T_S[S] ; s[S] : C!\{ Account(x_b : \mathtt{int})\{x_b \ge 0\}.T'_S \} \rangle$ (and $M_C$ is dual).

$N_1 = [s[S,C]!\,Account\langle 100\rangle ; P''_S]_\alpha \,|\, M_S \,|\, [s[S,C]?\,Account(x_b).P''_C]_\beta \,|\, M_C \,|\, N_A \,|\, \langle \mathsf{r} ; \emptyset \rangle \;\to\to\; [P''_S]_\alpha \,|\, M'_S \,|\, [P''_C[100/x_b]]_\beta \,|\, M'_C \,|\, N_A \,|\, \langle \mathsf{r} ; \emptyset \rangle$

where $M'_S = \langle \alpha : a : T_S[S] ; s[S] : T'_S \rangle$ and $M'_C = \langle \beta : b : T_C[C] ; s[C] : T'_C \rangle$. Above, predicate $x_b \ge 0$ is satisfied since $x_b = 100$. If the server tried to communicate e.g. the value $-100$ for $x_b$, the monitoring (by rule SEL′ER) would drop the message.
3.3 Network satisfaction and equivaences Based on the forma representations of monitored networks, we now introduce the key forma toos for anaysing their behaviour. First, we introduce bisimuation and barbed 9

congruence over networks, and deveop the notion of interface. Then we define the satisfaction reation = N : M, used in 3.4 to prove the properties of our framework. Bisimuations We use M,M,... for a partia network, that is a network which does not contain a goba transport. The transition reation for M is defined by Figure 6. In (CTX), n() indicates the names occurring in whie bn(e) indicates binding E induces. In (RES), sbj() denotes the subject of. We write = for τ, = for = =, and ˆ = for = if = τ and = otherwise. (REQ) [a s[r] : T ;P] α a s[r]:t [0] α (ACC) [a(y[r] : T ).P] α a s[r]:t [P[s/y]] α (BRA) [s[r 1,r 2 ]?{ i (x i :S i ).P i } i ] α s[r 1,r 2 ]? j v [P j [v/x j ]] α s[r 1,r 2 ]! j v (SEL) [s[r 1,r 2 ]! j v ] α [0] α (CTX) [P] α [P ] α n() bn(e)= /0 [E(P)] α [E(P )] α (TAU) M M M τ M (RES) M M a sbj() (νa)m \a M 0 M (STR) M M 0 (νa)m M M Fig. 6. Labeed transition reation for processes and partia networks Definition 1 (Bisimuation over partia networks). A binary reation R over partia networks is a weak bisimuation when M 1 R M 2 impies: whenever M 1 M 1 such that ˆ bn() fn(m 2 ) = /0, we have M 2 = M 2 such that M 1 R M 2, and the symmetric case. We write M 1 M 2 if (M 1,M 2 ) are in a weak bisimuation. Interface We want to buid a mode where two different impementations of the same service are reated. Bisimiarity is too strong for this aim (as shown in Exampe 5). We use instead a contextua congruence (barbed reduction-cosed congruence [13]) = for networks. Intuitivey, two networks are barbed-congruent when they are indistinguishabe for any principa that connects to them. In this case we say they propose the same interface to the exterior. Formay, two networks are reated with = when, composed with the same third network, they offer the same barbs (the messages to externa principas in the respective goba queues are on the same channes) and this property is preserved under reduction. 
We say that a message m is routed for α in N if N = (νñ)(M 0 r ; h ), m h, and either m = a s[r] : T and r(a) = α or m = s[r 1,r 2 ]! e and r(s[r 2 ]) = α.

Definition 2 (Barb). We write N a when the global queue of N contains a message m to free a and m is routed for a principal not in N. We write N a if N N a.

We denote by P (N) the set of principals in N, P ( [P i ] αi ) = {α 1,...,α n }. We say N 1 and N 2 are composable when P (N 1 ) P (N 2 ) = /0, the union of their routing tables remains a function, and their free session names are disjoint. If N 1 and N 2 are composable, we define N 1 N 2 = (νñ 1,ñ 2 )(M 1 M 2 r 1 r 2 ; h 1 h 2 ) where N i = (νñ i )(M i r i ; h i ) (i = 1,2). Notice that both equivalences are compositional, as proved in Proposition 4.

Definition 3 (Barbed reduction-closed congruence). A relation R on networks with the same principals is a barbed r.c. congruence [13] if the following holds: whenever N 1 R N 2 we have: (1) for each composable N, N N 1 R N N 2 ; (2) N 1 N 1 implies N 2 N 2 s.t. N 1 R N 2 again, and the symmetric case; (3) N 1 a iff N 2 a. We write N 1 = N 2 when they are related by a barbed r.c. congruence.

The following result states that composing two bisimilar partial networks with the same network (implying the same router and global transport) yields two indistinguishable networks.

Proposition 4 (Congruency). If M 1 M 2, then (1) M 1 M M 2 M for each composable partial M; and (2) M 1 N = M 2 N for each composable N.

Example 5 (ATM: an example of behavioural equivalence). We use an example to illustrate our notion of interface. As our verification by monitors is done separately for each endpoint, one can safely modify a global specification as long as its projection on the public roles stays the same. The barbed congruence we introduce takes this into account: two networks proposing the same service, but organised in different ways, are equated even if the two networks correspond to different global specifications. As an example, consider global type G 2 ATM defined as G ATM where G 2 Loop is used in place of G Loop from Example 3. G 2 Loop involves a fourth party, the transaction agent B: S sends a query to B which gives back a one-use transaction identifier. Then, the protocol proceeds as the original one. Notably, G ATM and G 2 ATM have the same interfaces for the client (resp. the authenticator), as their projections on C (resp. A) are equal.

G 2 Loop = µ LOOP. S B : { Query(){true}.
  B S : { Answer(x t : int){true}.
  S C : { Account(x b : int){x b 0}.
  C S : { Withdraw(x p : int){x p 0 x b x p 0}. LOOP,
          Deposit(x d : int){x d > 0}. LOOP,
          Quit(){true}.end }}}}

We define P 2 S as P S in Example 3 except that the occurrence of P S in P S is replaced by s[S,B]!Query ;s[B,S]?Answer(x t ).P S, and we define N 2 S = [P 2 S ] α and N B = [µX.s[S,B]?Query ;s[B,S]!Answer gettrans() ] δ. By definition, the two following networks are barbed-congruent:

(N S /0 ; s[S] α, s[C] β, s[A] γ ) = (N 2 S N B /0 ; s[S] α, s[C] β, s[A] γ, s[B] δ )

even if the first one implements the original ATM protocol while the second one implements its variant. Indeed, composed with any tester, such as N C N A = [P C ] β [P A ] γ, these two networks will produce the same interactions. However, the corresponding partial networks N 2 S N B and N S are not bisimilar: the former is able to perform a transition labelled s[S, B]!Query while the latter cannot. This difference in behaviour is not visible to the barbed congruence, as it takes into account the router, which prevents the messages s[S, B]!Query from being caught by a tester. As an example of a network bisimilar to N S, consider:

N 1 = (νk) ([P S P S [k/s]] α [P C [k/s]] δ )

In this partial network, principal α plays both S in the public session s (as in N S ) and S in the private session k. Principal δ plays C in the latter. As k is private, N 1 offers the same observable behaviour as N S (no action on k can be observed), and we have N 1 N S.

Satisfaction. We present a satisfaction relation for partial networks, which include local principals. If M is a partial network, = M : Σ s.t. dom(Σ) = P (M) means that the specification allows all outputs from the network; that the network is ready to receive all the inputs indicated by the specification; and that this is preserved by transition.

Definition 5 (Satisfaction). Let sbj() denote the subject of τ. A relation R from partial networks to specifications is a satisfaction when M R Σ implies:
1. If Σ Σ for an input and M has an input at sbj(), then M M s.t. M R Σ.
2. If M M for an output at , then Σ Σ s.t. M R Σ.
3. If M τ M, then Σ τ Σ s.t. M R Σ (i.e. M R Σ since Σ τ Σ always).
When M R Σ for a satisfaction relation R, we say M satisfies Σ, denoted = M : Σ. By Definition 5 and Proposition 4 we obtain:

Proposition 6. If M 1 = M 2 and = M 1 : Σ then = M 2 : Σ.

3.4 Safety assurance and session fidelity

In this section, we present the properties underpinning safety assurance in the proposed framework from different perspectives. Theorem 7 shows local safety/transparency and global safety/transparency for fully monitored networks. A network N is fully monitored w.r.t. Σ when all its principals are monitored and the collection of the monitors is congruent to Σ.

Theorem 7 (Safety and Transparency).
1. (Local Safety) = [P] α M : α : Γ; with M = α: Γ;.
2. (Local Transparency) If = [P] α : α : Γ;, then [P] α ([P] α M) with M = α : Γ;.
3. (Global Safety) If N is fully monitored w.r.t. Σ, then = N : Σ.
4. (Global Transparency) Assume N and N have the same global transport r ; h. If N is fully monitored w.r.t. Σ and N = M r ; h is unmonitored but = M : Σ, then we have N N.
Local safety (7.1) states that a monitored process always behaves well with respect to the specification. Local transparency (7.2) states that a monitored process behaves as an unmonitored process when the latter is well-behaved (e.g., it is statically checked). Global safety (7.3) states that a fully monitored network behaves well with respect to the given global specification. This property is closely related to session fidelity, introduced later in Theorem 11. Global transparency (7.4) states that a monitored network and an unmonitored network have equivalent behaviour when the latter is well-behaved with respect to the same (collection of) specifications. In addition, by Proposition 4 and (7.2), we derive Corollary 8, stating that weakly bisimilar static networks combined with the same global transport are congruent:

Corollary 8 (Local transparency and congruence). If = [P] α : α : Γ;, then for any r ; h, we have ([P] α r ; h ) = ([P] α M r ; h ) with M = α: Γ;.

By Theorem 7, we can mix unmonitored principals with monitored principals while still obtaining the desired safety assurances. In the following, we refer to a pair Σ; r ; h of a specification and a global transport as a configuration. The labelled transition relation for configurations, denoted by g, is relegated to Appendix B. Here it is sufficient to notice that the transitions of a configuration model the correct behaviours (with respect to Σ) as the observation of inputs and outputs from/to the global transport r ; h. On this basis, we state that a message emitted by a valid output action is always receivable.

Lemma 9. Assume a network N M r ; h conforming to Σ; r ; h, which is configurationally consistent. If N g N such that is an output and Σ; r ; h g Σ ; r ; h m, then h m is receivable to Σ.

Also, we state that, as N M H and = M : Σ, the satisfaction relation of M and Σ is preserved by transitions.

Lemma 10. Assume N M H and = M : Σ. If N g N M H and Σ Σ, then = M : Σ.

We say that a configuration Σ; r ; h is configurationally consistent if all of its multi-step global input transition derivatives are receivable and the resulting specification Σ is consistent. In order to state session fidelity, whose proof and auxiliary definitions are relegated to Appendix B, we use an LTS g for configurations, which is straightforwardly defined.

Theorem 11 (Session Fidelity). Assume configuration Σ; r ; h is configurationally consistent, and network N M r ; h conforms to configuration Σ; r ; h. For any , whenever we have N g N s.t. Σ; r ; h g Σ ; r ; h, it holds that Σ ; r ; h is configurationally consistent and N conforms to Σ ; r ; h.

By session fidelity, if all session message exchanges in a monitored/unmonitored network behave well with respect to the specifications (as communications dynamically unfold), then this network exactly follows the original global specifications.
4 Related work

Our work features a located, distributed process calculus to model monitored networks. Due to space limitations, we focus on the key differences with related work on dynamic monitoring. See the online report [22] for more related work. The work in [12] proposes an ambient-based run-time monitoring formalism, called guardians, targeted at access control rights for network processes, and Klaim [8] advocates a hybrid (dynamic and static) approach for access control against capabilities (policies) to support static checking integrated within a dynamic access-control procedure. These works address specific forms of access control for mobility, while our

approach is more general, aiming to ensure correct behaviour in sessions through a combination of static or run-time static verification. The work in [3] presents a monitor-based information-flow analysis in multiparty sessions. The monitors in [3] are inline (according to [5]) and control the information flow by tagging each message with security levels. Our monitors are outline and aim at the application to distributed systems. An informal approach to monitoring based on MPSTs, and an outline of monitors, are presented in [7]. However, [7] only gives an overview of the desired properties, and requires all local processes to be dynamically verified through the protections of system monitors. In this paper, instead, we integrate statically and dynamically verified local processes into one network, and formally state the properties of this combination. In summary, compared to these related works, our contribution focuses on the enforcement of global safety, with protocols specified as multiparty session types with assertions. It also provides formalisms and theorems for decentralised run-time monitoring, targeting interaction between components written in multiple (e.g., statically and dynamically typed) programming languages.

5 Conclusion and future work

We have proposed a new formal safety assurance framework to specify and enforce global safety for distributed systems, through the use of both static and dynamic verification. We formally proved the correctness (with respect to distributed principals) of our architectural framework through a π-calculus based theory, identified in two key properties of dynamic networks: global transparency and safety. We introduced a behavioural theory over monitored networks which allows compositional reasoning over trusted and untrusted (but monitored) components.
Implementation. As a part of our collaboration with the Ocean Observatory Initiative [17], our theoretical framework is currently realised by an implementation [15], in which each monitor supports all well-formed protocols and is automatically self-configured, via session initiation messages, for all sessions that the endpoint participates in. Our implementation of the framework automates distributed monitoring by generating FSMs from the local protocol projections. In this implementation, the global protocol serves as the key abstraction that helps unify the aspects of specification, implementation and verification (both static and dynamic) of distributed application development. Our experience has shown that the specification framework can accommodate diverse practical use cases, including real-world communication patterns used in the distributed services of the OOI cyberinfrastructure [17].

Future work. Our objectives include the incorporation into the implementation of more elaborate handling of error cases in monitor functionality, such as halting all local sessions or coercing to valid actions [16, 20]. In order to reach this goal, we need to combine a simplification of [4] and nested sessions [9] to handle an exception inside MPSTs. Our goal is to construct a simple and reliable way to raise and catch exceptions in asynchronous networks. Our work is motivated by ongoing collaborations with the Savara and Scribble projects [19, 21] and OOI [17]. We are continuing the development of Scribble, its toolsuite and associated environments towards a full integration of sessions into the OOI infrastructure.
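As an added example (not code from the paper or its OOI implementation [15]), the monitor below for role S of G 2 Loop from Example 5 shows what a per-endpoint FSM generated from a local projection does at α's interface: each send or receive is accepted or rejected against the projected local type, and the assertions on payloads are evaluated. The transition table, its state names, the assertion forms (x_b ≥ 0; x_p ≥ 0 and x_b − x_p ≥ 0; x_d > 0) and the sample trace are all assumptions made here.

```python
"""Monitor for role S of G2_Loop (Example 5), driven by S's local projection.

Added example, not the paper's implementation: the transition table below was
written by hand from the projection of G2_Loop onto S; the paper's tool
generates such FSMs automatically from local projections.
"""
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional, Tuple

# One transition: (direction, partner role, bound variable, assertion, next state).
# "!" is a send by S, "?" a receive by S; the assertion reads the session store.
Predicate = Callable[[Dict[str, int]], bool]
Transition = Tuple[str, str, Optional[str], Predicate, str]

# Assumed assertion forms (the comparison operators did not survive extraction):
# Account requires x_b >= 0, Withdraw requires x_p >= 0 and x_b - x_p >= 0,
# Deposit requires x_d > 0; Query, Answer and Quit carry the assertion {true}.
PROJECTION_S: Dict[str, Dict[str, Transition]] = {
    "LOOP": {"Query": ("!", "B", None, lambda st: True, "s1")},
    "s1": {"Answer": ("?", "B", "x_t", lambda st: True, "s2")},
    "s2": {"Account": ("!", "C", "x_b", lambda st: st["x_b"] >= 0, "s3")},
    "s3": {
        "Withdraw": ("?", "C", "x_p",
                     lambda st: st["x_p"] >= 0 and st["x_b"] - st["x_p"] >= 0, "LOOP"),
        "Deposit": ("?", "C", "x_d", lambda st: st["x_d"] > 0, "LOOP"),
        "Quit": ("?", "C", None, lambda st: True, "end"),
    },
    "end": {},
}


@dataclass
class Monitor:
    """Outline monitor placed between the principal playing S and the transport."""
    table: Dict[str, Dict[str, Transition]]
    state: str = "LOOP"
    store: Dict[str, int] = field(default_factory=dict)

    def check(self, direction: str, partner: str, label: str,
              value: Optional[int] = None) -> Tuple[bool, str]:
        """Validate one message against the current state.

        A permitted message advances the state and binds its payload; a message
        that is out of order, mis-addressed or violates its assertion is rejected
        and leaves the monitor unchanged, so the monitored endpoint never emits
        (or consumes) anything outside its local type.
        """
        options = self.table.get(self.state, {})
        if label not in options:
            return False, f"{label}: not permitted in state {self.state}"
        exp_dir, exp_partner, var, pred, nxt = options[label]
        if (direction, partner) != (exp_dir, exp_partner):
            return False, f"{label}: expected {exp_dir}{exp_partner}, got {direction}{partner}"
        trial = dict(self.store)          # bind the payload tentatively
        if var is not None:
            if value is None:
                return False, f"{label}: payload {var} missing"
            trial[var] = value
        elif value is not None:
            return False, f"{label}: unexpected payload"
        if not pred(trial):
            return False, f"{label}: assertion violated under {trial}"
        self.store, self.state = trial, nxt
        return True, f"{label}: ok, now in state {nxt}"


def run_trace(events: List[Tuple[str, str, str, Optional[int]]]) -> Tuple[List[bool], str]:
    """Replay a trace of (direction, partner, label, value) through a fresh monitor."""
    mon = Monitor(PROJECTION_S)
    verdicts = [mon.check(*ev)[0] for ev in events]
    return verdicts, mon.state


# Constructed trace as seen by alpha's monitor (not taken from the paper).
SAMPLE_TRACE = [
    ("!", "B", "Query", None),     # S asks B for a one-use transaction id
    ("?", "B", "Answer", 17),      # x_t = 17
    ("!", "C", "Account", 100),    # x_b = 100, assertion x_b >= 0 holds
    ("?", "C", "Withdraw", 30),    # 100 - 30 >= 0, back to LOOP
    ("!", "C", "Account", 70),     # out of order: Query must come first -> rejected
    ("!", "B", "Query", None),
    ("?", "B", "Answer", 18),
    ("!", "C", "Account", 70),     # x_b = 70
    ("?", "C", "Withdraw", 200),   # 70 - 200 < 0: assertion violated -> rejected
    ("?", "C", "Deposit", 0),      # x_d > 0 fails -> rejected
    ("?", "C", "Deposit", 25),     # accepted, back to LOOP
    ("!", "B", "Query", None),
    ("?", "B", "Answer", 19),
    ("!", "C", "Account", 95),
    ("?", "C", "Quit", None),      # session ends
]

if __name__ == "__main__":
    for ev, ok in zip(SAMPLE_TRACE, run_trace(SAMPLE_TRACE)[0]):
        print("accept" if ok else "REJECT", ev)
```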

References

1. L. Bettini et al. Global progress in dynamically interleaved multiparty sessions. In CONCUR, volume 5201 of LNCS, pages 418-433. Springer, 2008.
2. L. Bocchi, K. Honda, E. Tuosto, and N. Yoshida. A theory of design-by-contract for distributed multiparty interactions. In CONCUR, volume 6269 of LNCS, pages 162-176, 2010.
3. S. Capecchi, I. Castellani, and M. Dezani-Ciancaglini. Information flow safety in multiparty sessions. In EXPRESS, volume 64 of EPTCS, pages 16-30, 2011.
4. S. Capecchi, E. Giachino, and N. Yoshida. Global escape in multiparty session. In FSTTCS 10, volume 8 of LIPICS, pages 338-351, 2010.
5. F. Chen and G. Rosu. MOP: An efficient and generic runtime verification framework. In OOPSLA, pages 569-588, 2007.
6. T.-C. Chen. Theories for Session-based Governance for Large-Scale Distributed Systems. PhD thesis, Queen Mary, University of London, 2013. (to be defended).
7. T.-C. Chen, L. Bocchi, P.-M. Deniélou, K. Honda, and N. Yoshida. Asynchronous distributed monitoring for multiparty session enforcement. In TGC, pages 25-45, 2011.
8. R. De Nicola, G. Ferrari, and R. Pugliese. Klaim: a kernel language for agents interaction and mobility. IEEE Trans. Softw. Eng., 24:315-330, 1998.
9. R. Demangeon and K. Honda. Nested protocols in session types. In M. Koutny and I. Ulidowski, editors, CONCUR, volume 7454 of Lecture Notes in Computer Science, pages 272-286. Springer, 2012.
10. P.-M. Deniélou and N. Yoshida. Dynamic multirole session types. In POPL, pages 435-446, 2011.
11. P.-M. Deniélou and N. Yoshida. Multiparty session types meet communicating automata. In ESOP, LNCS, pages 194-213. Springer, 2012. http://www.doc.ic.ac.uk/~pmalo/research/papers/multiparty-session-automata.pdf.
12. G. Ferrari, E. Moggi, and R. Pugliese. Guardians for ambient-based monitoring. In F-WAN, pages 141-202. Elsevier, 2002.
13. K. Honda and N. Yoshida. On reduction-based process semantics. TCS, 151(2):437-486, 1995.
14. K. Honda, N. Yoshida, and M. Carbone. Multiparty asynchronous session types. In POPL 08, pages 273-284. ACM, 2008.
15. R. Hu, R. Neykova, and N. Yoshida. An implementation of network monitors. (to be submitted).
16. J. Ligatti, L. Bauer, and D. Walker. Run-time enforcement of nonsafety policies. ACM Trans. Inf. Syst. Secur., 12:19:1-19:41, 2009.
17. OOI. http://www.oceanobservatories.org/.
18. OOI Collaboration. https://confluence.oceanobservatories.org/display/cidev/Conversations+and+Commitments.
19. Savara JBoss Project. http://www.jboss.org/savara.
20. F. B. Schneider. Enforceable security policies. ACM Trans. Inf. Syst. Secur., 3:30-50, 2000.
21. Scribble development tool site. http://www.scribble.org.
22. Online report. http://www.doc.ic.ac.uk/~rn710/mon.
23. N. Yoshida, P.-M. Deniélou, A. Bejleri, and R. Hu. Parameterised multiparty session types. In FoSSaCS 10, volume 6014 of LNCS, pages 128-145. Springer, 2010.

A Safety

Theorem 7.1 (Local safety) = [P] α M : α: Γ; with M = α: Γ;.

Proof. Since [P] α is a partial network, by Definition 5 it is straightforward that the network [P] α M satisfies α: Γ; due to M = α: Γ;.

Theorem 7.2 (Local transparency (bisim)) If = [P] α : α: Γ;, then [P] α ([P] α M) with M = α: Γ;.

Proof. By Theorem 7.1, we have = [P] α M : α : Γ; with M = α : Γ;. Define a relation R:

R = {([P] α, [P] α M) = [P] α : α: Γ; }

Assume ([P] α, [P] α M) R. For an output or τ, [P] α [P ] α implies M M due to = [P] α : M, so that [P] α M [P ] α M ; for an input, [P] α [P ] α only when M M, which together imply that [P] α M [P ] α M. By Definition 5, we have = [P ] α : M, so that ([P ] α, [P ] α M ) R. Symmetrically, for an output or τ, [P] α M [P ] α M implies M M whenever [P] α [P ] α ; for an input, [P] α M [P ] α M says M M, which implies [P] α [P ] α. By Definition 5, we have = [P ] α M : M, so that ([P ] α M, [P ] α ) R. By Definition 1, [P] α ([P] α M) with M = α: Γ;.

Theorem 7.3 (Global safety) If N is fully monitored w.r.t. Σ, then = N : Σ.

Proof. Assume N is composed of monitored endpoints [P i ] αi M i, i {1,...,n}, and a global transport r ; h:

N [P 1 ] α1 M 1 ... [P n ] αn M n r ; h

where M i = α i : Γ i ; i for i {1,...,n} and Σ = M 1,...,M n. Based on Theorem 7.1, for each i {1,...,n}, = [P i ] αi M i : α i : Γ i ; i with M i = α i : Γ i ; i. By Definition 5 and induction, we have

[P 1 ] α1 M 1 ... [P n ] αn M n : α 1 : Γ 1 ; 1,...,α n : Γ n ; n

so that = N : Σ.

As Figure 3, which corresponds to Figure 6, defines the invisible actions, i.e. the reduction of networks, for proving the properties of global transparency (Theorem 7.4) and session fidelity (Theorem 11) we introduce the LTS of dynamic networks in Figure 7, where the actions are observable through observing the dynamics of the global transport

{REQ} r ; h  a s[r]:T g  r ; h a s[r] : T
{ACC} r ; a s[r] : T h  a s[r]:T g  r ; h
{SEL} r ; h  s[r 1,r 2 ]! v g  r ; h s r 1,r 2, v
{BRA} r ; s r 1,r 2, v h  s[r 1,r 2 ]? v g  r ; h
{IN} r ; h g r ; h, input, dest(,r) P (M)  M r ; h g M r ; h
{OUT} r ; h g r ; h, output, dest(,r) P (M)  M r ; h g M r ; h
The rules for (TAU, RES, STR) are the same as in Figure 6.
Fig. 7. LTS for global transport

h. The notation of global observable transition g is used to denote a globally observable action. For unmonitored networks, N g N means [P] α N, [P] α [P ] α (i.e. locally visible) such that r ; h g r ; h (i.e. globally visible). Similarly, for monitored networks, N g N means [P] α M N, [P] α [P ] α and M M (i.e. locally visible) such that r ; h g r ; h (i.e. globally visible).

Theorem 7.4 (Global transparency) Assume N and N have the same global transport r ; h. If N is fully monitored w.r.t. Σ and N = M r ; h is unmonitored but = M : Σ, then we have N N.

Proof. Define a relation R:

R = {N, N N = M r ; h and = M : Σ}

We prove that R is a standard strong bisimilar relation over g. Note that = M : Σ means that for each [P] αi M we have α i : Γ i ; i Σ and = [P] αi : α i : Γ i ; i.

1. As N g N, it implies [P] α j M j N, [P] α j [P ] α j and M j M j such that r ; h g r ; h, and other monitored processes in N are not affected. When is an input, by Definition 5, since = M : Σ, we should have [P] α j [P ] α j ; when is an output or a τ action, by Definition 5, the transition [P] α j [P ] α j is able to take place. Both cases lead to M M and r ; h g r ; h, so that N = M r ; h g M r ; h = N, and = [P ] α j : α j : Γ j ; j by Definition 5. α j : Γ j ; j is the resulting new configuration of α j in Σ. Other specifications {α i : Γ i ; i } i I\{ j} Σ are not affected. Let Σ = α j : Γ j ; j, {α i : Γ i ; i } i I\{ j}. Therefore, for the resulting new network N = M r ; h, we have = M : Σ. Thus we have (N, N ) R.

2. For the symmetric case, as N g N, it implies [P] α j N, [P] α j [P ] α j such that r ; h g r ; h, and other processes in N are not affected. Since = M : Σ,

without loss of generality, let M j = α j : Γ j ; j. Then we have, for any , [P] α j [P ] α j M j, where M j = α j : Γ j ; j. It makes r ; h g r ; h, so that M j N g N. Since N is a fully monitored network, its static part (i.e. the part when the global transport is taken off from N ), say [P i ] αi {M i } i I where {M i } i I = α j : Γ j ; j, {α i : Γ i ; i } i I\{ j}, satisfies = [P i ] αi {M i } i I : Σ where Σ = α j : Γ j ; j, {α i : Γ i ; i } i I\{ j}. Thus we have (N, N ) R.

B Session Fidelity

To prove the property of session fidelity, we define the LTS of configurations in Figure 8. All rules are straightforward from the LTS of specifications and the one of networks.

[Req] Σ a s[r]:T Σ  Σ ; r ; h  a s[r]:T g  Σ ; r ; h a s[r] : T
[Acc] α: Γ,a : I(T [r]); Σ, Σ a s[r]:T Σ  Σ ; r ; a s[r] : T h  a s[r]:T g  Σ ; r,s[r] α ; h
[Sel] Σ s[r 1,r 2 ]! v Σ  Σ ; r ; h  s[r 1,r 2 ]! v g  Σ ; r ; h s r 1,r 2, v
[Bra] Σ s[r 1,r 2 ]? v Σ  Σ ; r ; s r 1,r 2, v h  s[r 1,r 2 ]? v g  Σ ; r ; h
[Par] Φ 1 g Φ 2  Φ 1 Φ 3 g Φ 2 Φ 3
[Tau] Σ τ Σ  Σ; r ; h τ g Σ; r ; h
Fig. 8. Labelled transition relation for configurations

Definition 12 (Configuration). A configuration is denoted by Φ = Σ; r ; h, in which the group of monitors corresponds to h. In other words, all messages corresponding to the actions guarded by Σ are in h. A Φ thus guides and captures the behaviours in the network. Let P (Φ) be the set of principals involved in Φ.

We define the composition of configurations as follows.

Definition 13 (Parallel composition of configurations). Assume Φ 1 = Σ 1 ; r 1 ; h 1 and Φ 2 = Σ 2 ; r 2 ; h 2. We say Φ 1 and Φ 2 are composable whenever P (Φ 1 ) P (Φ 2 ) = /0 and the union of their routing tables remains a function. If Φ 1 and Φ 2 are composable, we define the composition of Φ 1 and Φ 2 as: Φ 1 Φ 2 = Σ 1,Σ 2 ; r 1 r 2 ; h 1 h 2.

The behaviours of each principal in a network are guided by the Σ (specification), and are observed by the r ; h (global transport). Except rules [Acc] and [Par], all rules

are straightforward from the LTS of specifications (Figure 4) and the one of dynamic networks (Figure 7).

1. Rule [Acc] indicates that, only when the invitation has been (internally) accepted by a principal in the network, the routing information registers s[r] α. When we observe the global transport (externally), we only observe that an invitation is moved out from the global queue (which implies that it has been accepted). However, we do not know who accepts it. Only Σ tells which principal accepts this invitation, so that we can register it in the routing information using α.

2. Rule [Par] says that if Φ 1 and Φ 3 are composable (Definition 13), after Φ 1 becomes Φ 2, they are still composable.

Definition 14 (Consistency, Coherence). Σ = {α i : Γ i ; i } i I is consistent when
1. there is one and only one i such that Γ i a : I(T [r]), and
2. as long as a : O(T [r]) exists in some Γ i, there is Γ j such that a : I(T [r]) Γ j ; and
3. for any s appearing in any j, if {s[r k ] : T k } 1 k n is a collection appearing in { i } i I, there exists a well-formed G such that roles(G) = {r 1,..,r n } and G r i = T i.
Two specifications Σ 1 and Σ 2 are coherent when their union is a consistent specification.

Definition 15 (Routing table). We define route(Σ), the routing table derived from Σ, as follows:

route(α : Γ;,s[r] : T,Σ) = s[r] α, route(α : Γ;,Σ)
route(α : Γ,a : I(T [r]);,Σ) = a α, route(α : Γ;,Σ)
route(α : Γ,a : O(T [r]);,Σ) = route(α : Γ;,Σ)

For route(α : Γ,a : O(T [r])), because a : O(T [r]) implies that a : I(T [r]) should exist in the network, the routing table should already contain the routing information for a.

The theorem of session fidelity states that, whenever a network conforms to specifications, i.e., all its local processes (static network) conform to specifications, all of its derivatives conform to specifications. In the following, we first formally define receivability, consistency and conformance based on the LTS of configurations and dynamic networks.

Definition 16 (Receivable Configuration).
Define that Σ; r ; h is receivable by the following induction:
1. If h is empty then Σ; r ; h is receivable.
2. If h = m h, then Σ; r ; h is receivable when we have Σ; r ; m h g Σ ; r ; h, where corresponds to m, and Σ ; r ; h is receivable.

A configuration Σ; r ; h is configurationally consistent if all of its multi-step global input transition derivatives are receivable and the resulting specification Σ is consistent. The consistency of specifications is defined in Definition 14.

Definition 17 (Configurational Consistency). A configuration Φ = Σ; r ; h is configurationally consistent whenever
1. h is empty and Σ is consistent, or

2. h is not empty, the sequence of messages in h is receivable to Σ, and after receiving all messages in h with Σ 1... n Σ, where i, i {1,...,n}, are inputs and, for each m h, there is one of 1... n which corresponds to m, we have that Σ is consistent.

In other words, Σ; r ; h is configurationally consistent if, in each of its derivatives, all messages in the transport can be received by some monitors in Σ and, after absorbing all these messages, the resulting Σ is still consistent.

Definition 18 (Conformance to a Configuration). Assume a network N M r ; h is given. Define that N conforms to Σ; r ; h when:
1. h is empty, = M : Σ and Σ is consistent, or
2. h is not empty, and the following conditions hold: (a) = M : Σ, (b) all messages in h are receivable to M, and (c) as Σ; r ; h 1... n g Σ ; r ; /0 so that M h 1... n g M /0, where each i, i {1,...,n}, is an input, Σ is consistent.

The following session fidelity theorem states: assume network N M r ; /0 is given, and suppose that M satisfies Σ. If Σ is consistent and if r = route(Σ), then we say N conforms to Σ. If this holds, then, with the messages which N exchanges following the specification, the dynamics of the network witnesses the validity of the specifications. In the following, we always assume Σ is consistent, unless otherwise stated.

Theorem 19 (Session Fidelity). Assume configuration Σ; r ; h is configurationally consistent, and network N M r ; h conforms to configuration Σ; r ; h. Then for any , whenever we have N g N s.t. Σ; r ; h g Σ ; r ; h, it holds that Σ ; r ; h is configurationally consistent and that N conforms to Σ ; r ; h.

Before proving the property of session fidelity, we first prove the following lemmas.

Lemma 9. Assume a network N M r ; h conforming to Σ; r ; h, which is configurationally consistent. If N g N such that is an output and Σ; r ; h g Σ ; r ; h m, then h m is receivable to Σ.

Proof. When = a s[r] : T, since Σ is consistent, by Definition 14 there exists a : I(T [r]) in some Γ of Σ.
Because does not affect the existence of a : I(T [r]), it remains in Γ of Σ, thus the invitation m = a s[r] : T is receivable to Σ. Let α i = Γ i, i. When = s[r 1,r 2 ]! j v, by Definitions 14 and 18, since = M : Σ and Σ is consistent, α s, α r Σ, G is well-formed and s obeys G, such that

G = r 1 r 2 : { i (x i : (T [p]) i ){A i }.G i } i I
s (s[r 1 ]) = G r 1 = r 2!{ i (x i : (T [p]) i ){A i }.G i r 1 } i I
r (s[r 2 ]) = G r 2 = r 1?{ i (x i : (T [p]) i ){A i}.G i r 2 } i I    (1)

As action s[r 1,r 2 ]! j v fires, Equation (1) changes to

s (s[r 1 ]) = G j r 1
r (s[r 2 ]) = G r 2 = r 1?{ i (x i : (T [p]) i ){A i}.G i r 2 } i I    (2)

The receiving capability of r 1? still remains in r (s[r 2 ]), where α r Σ, thus m = s r 1,r 2, j v is receivable to Σ.

As N M H and = M : Σ, the satisfaction relation of M and Σ remains whenever action takes place.

Lemma 10. Assume N M H and = M : Σ. If N g N M H and Σ Σ, then = M : Σ.

Proof. Directly from Definition 5.

Now we prove session fidelity:

Proof. Assume N conforms to Σ; r ; h, which is configurationally consistent. We prove the statement by inspection of each case.

(Sel) Let = s[r 1,r 2 ]! j v, N g N and Σ; route(Σ) ; h g Σ ; r ; h m, where m = s r 1,r 2, j v. Then r = route(Σ) = route(Σ ) because there is no change to the elements in Σ or to the routing table. Since Σ allows , and Σ is consistent, α r, α s Σ, G is well-formed, G = r 1 r 2 { i (x i : S i ){A i }.G i } i I, such that s (s[r 1 ]) = G r 1 = r 2!{ i (x i : S i ){A i }.G i r 1 } i I and r (s[r 2 ]) = G r 2 = r 1?{ i (x i : S i ){A i }.G i r 2 } i I. Σ Σ implies Σ has s[r 1 ] = G j r 1 and s[r 2 ] = r 1?{ i (x i : S i ){A i }.G i r 2 } i I.

Consider (case 1: h is empty). By Lemma 9, after receiving m, say Σ Σ, Σ has s[r 1 ] = G j r 1 and s[r 2 ] = G j r 2 ; Σ is thus consistent by Definition 14. By Definition 17, Σ ; r ; m is configurationally consistent, and = M : Σ by Lemma 10, thus N conforms to Σ ; r ; h m.

Consider (case 2: h is not empty). Since Σ; r ; h is configurationally consistent, again by Lemma 9, after receiving the messages in h (but not m), say Σ 0... n Σ 1, where every action in 0... n corresponds to a message in h, we have that Σ 1 ; r ; m

is configurationally consistent. After Σ 1 receives m, say Σ 1 s[p 1,p 2 ]? v Σ, where s[p 1,p 2 ]? v is dual to , by the same reasoning as above Σ has s[r 1 ] = G j r 1 and s[r 2 ] = G j r 2, so that Σ is consistent. By Definition 17, Σ ; r ; h m is configurationally consistent, and = M : Σ by Lemma 10, thus N conforms to Σ ; r ; h m.

(Bra) Let = s[r 1,r 2 ]? j v, N g N and N conforms to Σ; route(Σ) ; h.

Consider (case 1: h is empty). Since Σ; route(Σ) ; /0 g, this case never happens.

Consider (case 2: h is not empty). N g N and Σ; route(Σ) ; h g Σ ; r ; h/m, where h/m means taking message m off from h, and m = s r 1,r 2, j v. We have r = route(Σ) = route(Σ ) because there is no change to the elements in Σ or to the routing table. By Definition 17, after receiving all messages in h, Σ is consistent; thus Σ, which has received message m, is consistent after receiving all messages in h/m. By Lemma 10, we have = M : Σ, thus N conforms to Σ ; r ; h/m.

(Req) Let = a s[r] : T, N g N and Σ; route(Σ) ; h g Σ ; r ; h m, where m = a s[r] : T. Then r = route(Σ) = route(Σ ) because, by Definition 15, nothing new is registered to the routing table. Since Σ allows and Σ is consistent, by Definition 14 there are Γ i, Γ j Σ such that a : I(T [r]) Γ i and a : O(T [r]) Γ j. After Σ Σ, by rule [REQ] in Figure 4, a : I(T [r]) remains in Γ i and a : O(T [r]) remains in Γ j, and thus they both remain in Σ.

Consider (case 1: h is empty). By Lemma 9, after receiving m, say Σ a s[r]:T Σ, both a : I(T [r]) and a : O(T [r]) remain in Σ, satisfying Definition 14, so that Σ ; r ; m is configurationally consistent. By Lemma 10, we have = M : Σ, thus N conforms to Σ ; r ; h m.

Consider (case 2: h is not empty). The proof is similar to the one in (Sel) and omitted.

(Acc) Let = a s[r] : T.

Consider (case 1: h is empty). Since Σ; route(Σ) ; /0 g, this case never happens.

Consider (case 2: h is not empty). If N g N and Σ; route(Σ) ; h g Σ ; r ; h/m,

where m = a s[r] : T. Since there exists Σ s.t. s[r], by Definition 15, r = route(Σ), s[r] α = route(Σ ). By the same reasoning as in (Bra), Σ ; r ; h/m is configurationally consistent. By Lemma 10, we have = M : Σ, thus N conforms to Σ ; r ; h/m.

The proofs for the other cases are trivial.

C Satisfaction

Proposition 4 [Congruency] If M 1 M 2, then (1) M 1 M M 2 M for each composable partial M; and (2) M 1 N = M 2 N for each composable N.

Proof. For (1) we show that the relation

R = {(M 1 M, M 2 M) M 1 M 2, M composable with M 1 and M 2 }

is a bisimulation. Suppose (M 1 M) R (M 2 M) and M 1 M M 1. We discuss the shape of M 1 :
If M 1 = M 1 M, it means that M 1 M 1. By definition of R, M 2 ˆ= M 2 and M 1 M 2, and we conclude.
If M 1 = M 1 M, it means that M M. It is easy to conclude.
By examining the reduction rule associated to parallel composition, we observe that no reduction is induced through interactions between two networks. Hence we have covered all cases. The symmetric case (when M 2 M M 2 ) is easy.

To prove (2) we proceed by showing that

R = {((νñ)(M 1 N), (νñ)(M 2 N)) M 1 M 2, N comp. with M 1, M 2 }

is a barbed congruence. First, this is clearly a congruence since it is closed under composition. Second, for (1), we take a composable N. We have N (M i N) = M i (N N). We use the definition of R to conclude. For (2), assume M 1 N N 1.
If N 1 = M 1 N, meaning that N N, we use the definition of R to conclude.
If N 1 = M 1 N, meaning that N = M 0 r ; H, N = M 0 r ; H and M 1 M 1, we deduce N 2 = M 2 N, with N = M 0 r ; H, N = M 0 r ; H and M 2 M 2. We use the definition of R to conclude.
If the reduction is induced by interaction between M 1 and N, then M 2 has the corresponding action, hence we can reason in the same way, and we are done.
For (3), we suppose that (M 1 N). Two cases can occur: either N , and it follows directly that (M 2 N); or M 1 M 1, and by definition of R, M 2 = M 2, meaning that (M 2 N) a.

The symmetric case is similar. By definition this shows =.

The two satisfactions are related by the following cut-rule-like composition principle, which enables the composition of a new partial network to a full network, described in this appendix as Proposition 23.

Proposition 20 (Determinism). Σ Σ 1 and Σ Σ 2 imply Σ 1 = Σ 2.

Proposition 20 does not mean that a behaviour satisfying a specification is deterministic. The determinism is essential for our dynamic verification to predictably guarantee safety properties.

Proof. Suppose Σ Σ 1 and Σ Σ 2. We discuss the nature of .
If = a s[r] : T. We deduce Σ = Σ 0, α : Γ,a : I(T [r]); and Σ 1 = Σ 0, α : a : I(T [r]),Γ;. The definition of Σ ensures that α / Σ 0. We deduce Σ 2 = Σ 0, α: a : I(T [r]),Γ;.
If = s[r 1,r 2 ]! j v. We deduce Σ = Σ 0, α: Γ;,s[r 1 ]:T and Σ 1 = Σ 0, α: Γ;,s[r 1 ] : T j {v/x j}. The definition of Σ ensures that α / Σ 0.
The other cases are similar or straightforward.

Hereafter we denote the set of roles in G with roles(G). The following states that if a partial network satisfies a specification, then we can add a global transport to it to obtain a full network satisfying any coherent specification.

Proposition 21 (Completion of partial network). Let M 0 be a partial network s.t. = M 0 : Σ 1. If Σ 2 is coherent with Σ 1, then = Σ 2 (M 0 route(Σ 1 ) ; /0 ).

Proof. In the proof we use a processisation of a queue in order to identify, from an external point of view, the processes (M 1 route(M 1 ) ; a s[r] : T H ) and (M 1 a s[r] : T. route(M 1 ) ; H ). This operation is defined as follows:

Pss((M 1 route(M 1 ) ; a s[r] : T H )) = Pss((M 1 a s[r] : T route(M 1 ) ; H ));
Pss((M 1 route(M 1 ) ; s r 1,r 2, j v H )) = Pss((M 1 s[r 1,r 2 ]! j v ;P route(M 1 ) ; H ));
Pss((M 1 route(M 1 ) ; /0 )) = (M 1 route(M 1 ) ; /0 )

We prove that the relation

R = {((M 1 route(M 1 ) ; H ), Σ 2 ), for all M 1, Σ 2 such that = Pss(M 1 ) : Σ 1 for some Σ 1 coherent with Σ 2 }

is an external satisfaction relation. We have the following cases:

If $\Sigma_2 \xrightarrow{\ell} \Sigma_2'$ then, as $\Sigma_1$ is coherent with $\Sigma_2$, we have $\Sigma_1 \xrightarrow{\ell} \Sigma_1'$ with $\Sigma_1'$ coherent with $\Sigma_2'$. By the internal satisfaction relation, we have $\mathit{Pss}(M_1 \mid \langle \mathit{route}(M_1) ; H \rangle) \xrightarrow{\ell} \mathit{Pss}(M_1' \mid \langle \mathit{route}(M_1) ; H' \rangle)$ and $\models \mathit{Pss}(M_1' \mid \langle \mathit{route}(M_1) ; H' \rangle) : \Sigma_1'$. By definition of $\mathcal{R}$, we conclude.

If $(M_1 \mid \langle \mathit{route}(M_1) ; H \rangle) \xrightarrow{\ell} N$, meaning that $N = (M_1' \mid \langle \mathit{route}(M_1) ; H' \rangle)$, we have $\mathit{Pss}(M_1 \mid \langle \mathit{route}(M_1) ; H \rangle) \xrightarrow{\ell} \mathit{Pss}(M_1' \mid \langle \mathit{route}(M_1) ; H' \rangle)$; the internal satisfaction relation gives $\Sigma_1'$ s.t. $\Sigma_1 \xrightarrow{\ell} \Sigma_1'$ and $\models \mathit{Pss}(M_1' \mid \langle \mathit{route}(M_1) ; H' \rangle) : \Sigma_1'$. By coherence, $\Sigma_2 \xrightarrow{\ell} \Sigma_2'$ with $\Sigma_2'$ coherent with $\Sigma_1'$. By definition of $\mathcal{R}$, we conclude.

If $(M_1 \mid \langle \mathit{route}(M_1) ; H \rangle) \xrightarrow{\tau} N = M_1' \mid \langle \mathit{route}(M_1) ; H' \rangle$, then we have $\mathit{Pss}(M_1 \mid \langle \mathit{route}(M_1) ; H \rangle) \xrightarrow{\tau} \mathit{Pss}(M_1' \mid \langle \mathit{route}(M_1) ; H' \rangle)$. By the internal satisfaction relation, we get $\Sigma_1'$ such that $\Sigma_1 \xrightarrow{\tau} \Sigma_1'$ and $\models \mathit{Pss}(M_1' \mid \langle \mathit{route}(M_1) ; H' \rangle) : \Sigma_1'$. By coherence, $\Sigma_2 \xrightarrow{\tau} \Sigma_2'$ with $\Sigma_2'$ coherent with $\Sigma_1'$. By definition of $\mathcal{R}$, we conclude.

Proposition 22 (Compositionality). If $\models M_i : \Sigma_i$ ($i = 1,2$) and $\Sigma_1$ and $\Sigma_2$ are coherent, then $\models M_1 \mid M_2 : \Sigma_1, \Sigma_2$.

Proof. We prove that $\{ (M_1 \mid M_2,\ (\Sigma_1, \Sigma_2)) \;\mid\; \models M_i : \Sigma_i \ (i = 1,2) \}$ is a satisfaction relation.

1. Suppose $\Sigma_1, \Sigma_2 \xrightarrow{\ell} \Sigma'$. Exactly one of the two following statements is true: either $\Sigma_1 \xrightarrow{\ell} \Sigma_1'$ and $\Sigma' = \Sigma_1', \Sigma_2$, in which case the satisfaction relation gives $M_1 \xrightarrow{\ell} M_1'$ such that $\models M_1' : \Sigma_1'$, allowing us to conclude; or $\Sigma_2 \xrightarrow{\ell} \Sigma_2'$, and we reason in a similar way.

2. Suppose $(M_1 \mid M_2) \xrightarrow{\ell} M'$ with $\ell \neq \tau$. Exactly one of the two following statements is true: either $M_1 \xrightarrow{\ell} M_1'$ and $M' = M_1' \mid M_2$, in which case the satisfaction relation gives $\Sigma_1 \xrightarrow{\ell} \Sigma_1'$ with $\models M_1' : \Sigma_1'$, allowing us to conclude; or $M_2 \xrightarrow{\ell} M_2'$, and we reason in a similar way.

3. Suppose $(M_1 \mid M_2) \xrightarrow{\tau} M'$. Then either $M_1 \xrightarrow{\tau} M_1'$ or $M_2 \xrightarrow{\tau} M_2'$, and we reason as in the previous case: by the definition of the transition relation, no interaction between the two partial networks can take place.

We define $n(\Sigma)$, with $\Sigma = (\alpha_i : \Gamma_i ; \Delta_i)_i$, to be the set of names present in at least one of the $\Delta_i$.

Proposition 23 (Mixed compositionality). If $n(\Sigma_1) \cap n(\Sigma_2) = \emptyset$, $\Sigma_1, \Sigma_2 \models N$ and $\models M : \Sigma_2$, then $\Sigma_1 \models (\nu\, n(\Sigma_2))(N \mid M)$.

Proof. We prove that the relation
$$\mathcal{R} = \{ ((\nu\, n(\Sigma_2))(N_1 \mid M_2),\ \Sigma_1) \;\mid\; \Sigma_1, \Sigma_2 \models N_1 \text{ and } \models M_2 : \Sigma_2 \}$$
is a satisfaction relation.

If $\Sigma_1 \xrightarrow{\ell} \Sigma_1'$ with $\ell$ an output, then the external satisfaction relation gives $N_1 \xrightarrow{\ell} N_1'$ and $\Sigma_1', \Sigma_2 \models N_1'$. As $n(\Sigma_1) \cap n(\Sigma_2) = \emptyset$, the subject of $\ell$ is not restricted, so $(\nu\, n(\Sigma_2))(N_1 \mid M_2) \xrightarrow{\ell} (\nu\, n(\Sigma_2))(N_1' \mid M_2)$. The definition of $\mathcal{R}$ allows us to conclude.

If $(\nu\, n(\Sigma_2))(N_1 \mid M_2) \xrightarrow{\ell} N'$ with $\ell$ an output, then the subject of $\ell$ is not in $n(\Sigma_2)$. Suppose the action came from $M_2$, i.e. $M_2 \xrightarrow{\ell} M_2'$; by $\models M_2 : \Sigma_2$ this would give $\Sigma_2 \xrightarrow{\ell} \Sigma_2'$, contradicting the fact that the subject of $\ell$ is not in $n(\Sigma_2)$. Thus $N_1 \xrightarrow{\ell} N_1'$. The external satisfaction relation gives $\Sigma_1 \xrightarrow{\ell} \Sigma_1'$ and $\Sigma_1', \Sigma_2 \models N_1'$. The definition of $\mathcal{R}$ allows us to conclude.

If $(N_1 \mid M_2) \xrightarrow{\tau} N'$, then either $N_1 \xrightarrow{\tau} N_1'$ or $M_2 \xrightarrow{\tau} M_2'$, and we use the stability of the satisfaction relation under $\tau$-transitions to conclude; or the $\tau$ is a synchronisation between the two components, $N_1 \xrightarrow{\bar\ell} N_1'$ and $M_2 \xrightarrow{\ell} M_2'$, for which we distinguish two sub-cases.

1. If $\ell$ is an output, then $M_2 \xrightarrow{\ell} M_2'$ gives us, by $\models M_2 : \Sigma_2$ and the definition of partial satisfaction, $\Sigma_2 \xrightarrow{\ell} \Sigma_2'$ such that $\models M_2' : \Sigma_2'$ (3). We now combine the first part of (3) with $N_1 \xrightarrow{\bar\ell} N_1'$ and the determinacy of specification transitions (Prop. 20) to obtain, through $\Sigma_1, \Sigma_2 \models N_1$, $\Sigma_1, \Sigma_2' \models N_1'$ (4). By (3) and (4), and noting that no name extrusion occurs in the present system, the resulting pair is again in $\mathcal{R}$, hence done.

2. If $\ell$ is an input, we reason symmetrically: $N_1 \xrightarrow{\bar\ell} N_1'$ is an output transition, and the definition of full satisfaction gives $\Sigma_2 \xrightarrow{\bar\ell} \Sigma_2'$ such that $\Sigma_1, \Sigma_2' \models N_1'$ (5). By the first part of (5), $M_2 \xrightarrow{\ell} M_2'$ and $\models M_2 : \Sigma_2$, we obtain $\models M_2' : \Sigma_2'$ (6). By (5) and (6) the resulting pair is again in $\mathcal{R}$.

We have exhausted all cases.
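As an added illustration, not part of the original proof, here is the processisation $\mathit{Pss}$ from the proof of Proposition 21 unfolded on a constructed queue holding two messages: a session request $a\langle s[r]:T\rangle$ followed by a data message $s\langle r_1, r_2, l_j\langle v\rangle\rangle$ (the queue contents, and the partial network $M_1$, are assumptions chosen for the example). Each step applies one clause of the definition, with the routing table component kept as $\mathit{route}(M_1)$ throughout as in the clauses, and $P$ is the continuation written in the second clause. The point is that the queued messages become parallel processes, so the partial (internal) satisfaction relation applies to the result.

$$\begin{aligned}
&\mathit{Pss}\big(M_1 \mid \langle \mathit{route}(M_1) ; a\langle s[r]:T\rangle \cdot s\langle r_1, r_2, l_j\langle v\rangle\rangle \cdot \emptyset \rangle\big)\\
&\quad= \mathit{Pss}\big(M_1 \mid a\langle s[r]:T\rangle \mid \langle \mathit{route}(M_1) ; s\langle r_1, r_2, l_j\langle v\rangle\rangle \cdot \emptyset \rangle\big) && \text{(first clause)}\\
&\quad= \mathit{Pss}\big(M_1 \mid a\langle s[r]:T\rangle \mid s[r_1,r_2]!l_j\langle v\rangle ; P \mid \langle \mathit{route}(M_1) ; \emptyset \rangle\big) && \text{(second clause)}\\
&\quad= M_1 \mid a\langle s[r]:T\rangle \mid s[r_1,r_2]!l_j\langle v\rangle ; P \mid \langle \mathit{route}(M_1) ; \emptyset \rangle && \text{(third clause)}
\end{aligned}$$

The queue is consumed front to back, so the order of the resulting parallel components mirrors the order of the messages, and the global transport ends empty, which is exactly the shape $M_0 \mid \langle \mathit{route}(\Sigma_1) ; \emptyset \rangle$ required in the statement of Proposition 21.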
