• A Tool for the Design and Verification of Composite Web, Emilia Cambronero Piqueras
• Increasing Trust in Public Service Delivery - Contract-Based Software Infrastructure for Electronic Government, Tomasz Janowski
• Towards Verifying Contract Regulated Service Composition, Alessio Lomuscio
• Security-By-Contract for the Future Internet?, Fabio Massacci
• Cc-Pi: A Constraint-Based Language for Contracts with Service Level Agreements, Ugo Montanari
• Service Oriented Architectures: The New Software Paradigm, Wolfgang Reisig
• Permission to Speak: An Access Control Logic, Oleg Sokolsky
• A Contract-Oriented View on Threat Modelling, Ketil Stølen
• Integrating Contract-based Security Monitors in the Software Development Life Cycle, Isabelle Simplot-Ryl

• Service Contracts in a Secure Middleware for Embedded Peer-to-Peer Systems, Antonio Brogi (joint work with. F. Benigni, S. Corfini, T. Fuentes)
• Treaty - A Modular Component Contract Language, Jens Dietrich, Graham Jenson
• Contract-Based Verification of Hierarchical Systems of Components, Sophie Quinton, Susanne Graf
• An Aspect-Oriented Behavioral Interface Specification Language, Takuo Watanabe, Kiyoshi Yamada

• Contracts in the Swedish Crisis Management System, Björn Bjurling
• Runtime Verification of Deontic Contracts, Christian Colombo (joint work with Gordon Pace and Gerardo Schneider)
• Conflict Analysis of Deontic Contracts, Stephen Fenech (joint work with Gordon Pace and Gerardo Schneider
• Classification of SOA Contract Specification Languages, Joseph Okika
• Contract-Oriented Software Development for Internet Services - where are we now?, Anders P. Ravn
• Specification and analysis of electronic contracts in CL, Gerardo Schneider (joint work with Cristian Prisacariu and Gordon Pace)

Contracts in the Swedish Crisis Management System
Björn Bjurling

The talk will give a brief overview of my research project funded by the Swedish Emergency Management Agency. The Swedish Crisis Mangament System relies to a great extent on agreements both between governmental agencies and between agencies and private companies. These agreements deal both with resource allocation and distribution of responsibilities.

The agreements are often made independently of each other, so a vital concern for the Swedish Crisis Management System is to be able to make sure that a set of such agreement form an adequate crisis response capability. The project formalises the agreements and try to find ways to decide whether an existing set of agreements form an adequate crisis respons capability.

Peer-to-peer (P2P) systems are distributed computing systems where all network elements act both as service consumers (clients) and service providers. Most P2P communication mechanisms are not based on pre-existing infrastructures, but rather on dynamic ad-hoc networks among peers. Embedded Peer-to-Peer (EP2P) systems introduce new challenges in the development of software for distributed systems.

The goal of the Secure Middleware for Embedded Peer-To-Peer Systems (SMEPP) European Project (www.smepp.org) is precisely to develop such a middleware, that will have to be secure, generic and highly customisable, allowing for its adaptation to different devices (from PDAs and smart phones to embedded sensor actuator systems) and to different domains (from critical systems to consumer entertainment or communication). One of the objectives of SMEPP is to feature a high-level, service-oriented model to program the interaction among peers, thus hiding low-level details that concern the supporting infrastructure. SMEPP services are associated with service contracts - which provide standard descriptions of SMEPP services - and with service groundings - which provide details on how to interoperate with services (i.e. communication protocols, message formats, port numbers, etc.). Service contracts are the key ingredients of the SMEPP mechanisms for service publication and discovery. In this paper, after briefly introducing the main features SMEPP model, we report on the structure of service contracts that has been defined in the SMEPP project.

With the advancement of service-oriented architecture (SOA), a lot of services are provided to customers, together with a contract between the customer and the service provider, regulating the transaction. To enable automatic verification of contracts, an adequate logic must be used to describe them formally. Contract Language (CL) is but one of the various logics suggested to represent contracts in a deontic style. Building upon recent work relating CL and automata, we present a framework for the runtime verification of contracts using LARVA, a real-time runtime verification system.

This talk describes the main features of the Web Services Translation tool, WST for short, a tool for modeling and veri.cation of Web Services systems with time restrictions. The different parts of WST are then presented, and a case study is used to show the potential of this tool. This case study is called .Dynamic Internet Purchase Site. and it allows us to see the capabilities of modelling, code generation and verification of the tool. This case study is a Web Service system with time restrictions, which are one of the main objetives of the WST verification part.

We introduce Treaty, a platform-independent component contract language. Treaty is expressive enough to define different types of constracts between components consuming and providing services and other resources, including contracts referring to interface interoperability, component semantics, and quality of service attributes. The contracts are based on a modular and extensible vocabulary, and precise enough to be used for runtime verification of component-based systems. We present a prototype based on OSGi/Eclipse that uses Treaty contracts. The contracts used in this example describe relationships between different resource types including Java types and XML documents. A modified version of JUnit that supports dependency injection is used to check semantic and quality of service contracts.

Treaty contracts can be used to address the following workshop topics: reasoning about quality of service attributes (such as resource restrictions encountered in ubiquitous computing applications), making component assemblies more predictable (through verification), and the description of non-functional aspects.

Industry is currently pushing towards Service Oriented Architecture where code execution is not limited to the organisational borders but may extend outside of the organisation to which the sources are typically not accessible. In order to protect the interests of the organisation contracts are used which can be seen as a list of obligations, permissions and prohibitions. The composition of different services with different contracts, and the combination of service contracts with local contracts can give rise to conflicts, exposing the need for automatic techniques for contract analysis. In this paper we investigate how conflict analysis can be performed automatically for contracts specified in the contract language CL.

Citizens increasingly demand high-quality public services, available from a one-stop government portal, and delivered through a choice of electronic and traditional channels. In order to fulfill this demand, the implementation involves collaboration between agencies at different levels of government, driven by complex administrative and business processes. In addition, the delivery of public services increasingly involves private sector organizations serving as intermediaries or suppliers, able to flexibly join or leave dynamic service networks. Such networks have to be managed to address the expected stability of the services delivered through them.

This paper presents a lightweight software infrastructure that enables collaborative delivery of public services through a managed set of services, components and frameworks. The infrastructure currently comprises five run-time and design-time elements: (1) Front Office Framework, (2) Back Office Framework, (3) Workflow Service, (4) Messaging Service, and (5) Infrastructure Management Service. With each element offering a pair of functional and management interfaces, the infrastructure allows the expression, instrumentation and verification of contracts. Contracts are expressed in an XML language defined by us, their instrumentation is implemented through the Web Services Distributed Management (WSDM) framework, and verification is carried out though a mediation service, part of Management Service. In addition to infrastructure-level contracts, we show how contracts can be formulated and verified at process and service levels where violation of infrastructure-level contracts may cause a chain of violations at process and service levels. Finally, we discuss how contract information can be use as part of organizational practices - IT Governance and specifically Service Management, to improve the delivery of public services in terms of availability and reliability.

Service Level Agreements are a key issue in Service Oriented Computing. SLA contracts specify client requirements and service guarantees, with emphasis on Quality of Service (cost, performance, availability, etc.). In this work we propose a simple model of contracts for QoS and SLAs that also allows to study mechanisms for resource allocation and for joining different SLA requirements.

Our language combines two basic programming paradigms: name-passing calculi and concurrent constraint programming (cc programming). Specifically, we extend cc programming by adding synchronous communication and by providing a treatment of names in terms of restriction and structural axioms closer to nominal calculi than to variables with existential quantification. In the resulting framework, SLA requirements are constraints that can be generated either by a single party or by the synchronisation of two agents. Moreover, restricting the scope of names allows for local stores of constraints, which may become global as a consequence of synchronisations. Our approach relies on a system of named constraints that equip classical constraints with a suitable algebraic structure providing a richer mechanism of constraint combination. The cc-pi calculus has been equipped with both a reduction and an abstract semantics in the style of open pi calculus. A symbolic transition system with contextual labels has also been defined. A reduction-preserving translation of cc programming and a translation of the fusion calculus by Gardner and Wischik which respects open bisimilarity have been provided.

Besides small examples, cc-pi has been applied to a Telco case study. The model allows to specify, negotiate, and enforce policies in complex scenarios where policy negotiations and validations can be arbitrarily nested.

We report on an approach to (semi-)automatically compile and verify contract-regulated service compositions. We specify web services and the contracts governing them as WSBPEL behaviours. We compile WSBPEL behaviours into the specialised system description language ISPL, to be used with the model checker MCMAS to verify behaviours automatically. We use the formalism of temporal-epistemic logic suitably extended to deal with compliance/violations of contracts. We illustrate these concepts using a motivat- ing example whose state space is approximately 10^6 and discuss experimental results.

With the advent of the next generation java servlet on the smartcard, the Future Internet will be composed by web servers and clients silently yet busily running on high end smart cards in our phones and our wallets. In this brave new world we can no longer accept the current security model where programs can be downloaded on our machines just because they are vaguely "trusted". We want to know what they do in more precise details.

We claim that the Future Internet needs the notion of security-by-contract: In a nutshell, a contract describes the security relevant interactions that the smart internet application could have with the smart devices hosting them. Compliance with contracts should veri.ed at development time, checked at depolyment time and contracts should be accepted by the platform before deployment and possibly their enforcement guaranteed, for instance by in-line monitoring.

In this paper we describe the challenges that must be met in order to develop a security-by-contract framework for the Future Internet and how security research can be changed by it.