safe composition of web communication protocols
DESCRIPTION
Safe Composition of Web Communication Protocols. Adam D. Bradley Azer Bestavros Assaf J. Kfoury artdodge,best,[email protected]. Introduction. Preliminaries HTTP Versions The Expect/Continue Feature: Is it “Safe”? Model-based Analysis Building Models from RFCs Verification Results - PowerPoint PPT PresentationTRANSCRIPT
Computer Science
14 August, 2002 7th International Workshop on Web Content Caching and Distribution (WCW 2002)
Computer Science DepartmentBoston University
Safe Composition of Web Communication Protocols
Adam D. BradleyAzer BestavrosAssaf J. Kfoury
artdodge,best,[email protected]
Computer Science
14 August, 2002 7th International Workshop on Web Content Caching and Distribution (WCW 2002)
2
Introduction
Preliminaries HTTP Versions The Expect/Continue Feature: Is it “Safe”?
Model-based Analysis Building Models from RFCs Verification Results General Claims
Conclusions and Future Directions
Computer Science
14 August, 2002 7th International Workshop on Web Content Caching and Distribution (WCW 2002)
3
HTTP Versioning Problem
HTTP - informal docs, internet-drafts
HTTP/1.0 RFC1945
HTTP/1.1 RFC2068 (1/97), superceded by RFC2616 (6/99) “HTTP/1.1” does not uniquely identify semantics
Computer Science
14 August, 2002 7th International Workshop on Web Content Caching and Distribution (WCW 2002)
4
Expect/Continue
Clients can send entities in requests POSTing a form, Image, PDF paper,
Web Service invocation (SOAP etc.)
Don’t send entity if doing so accomplishes nothing Authentication failure, server overload, failed predicate
“100 Continue” Interim Response Server signals interest in request entity Introduced in RFC2068
“Expect: 100-continue” Request Header Client signals it will wait for a 100 Continue message Introduced in RFC2616
Computer Science
14 August, 2002 7th International Workshop on Web Content Caching and Distribution (WCW 2002)
5
Expect/Continue: Problems!
This changes the event model for HTTP!
What’s a proxy to do? (Pre-RFC2616) Is “100 Continue” hop-by-hop?
Defeats most obvious use: Bandwidth-starved client
Is “100 Continue” end-to-end?Deadlock-prone [Mogul97]
Is it either/both? (Choose either at whim?)Confuses (deceives) downstream agents?
Computer Science
14 August, 2002 7th International Workshop on Web Content Caching and Distribution (WCW 2002)
6
The “Fix”
RFC2616 added Expect: 100-continueDefined Expect/Continue as Hop-by-HopRules for graceful interoperability with
RFC2068
Problem solved…
or IS it?
Computer Science
14 August, 2002 7th International Workshop on Web Content Caching and Distribution (WCW 2002)
7
Formal Modeling
SPIN Finite-State Model Checker
Strength: Find deadlocks, livelocks, LTL violations
Gerard Holzmann - Bell Labs Freely Downloadable
Promela C-like code for non-deterministic state machines Useful constructs for communication modeling
The Challenge: Translate prosaic RFCs into Reactive State
Machines
Computer Science
14 August, 2002 7th International Workshop on Web Content Caching and Distribution (WCW 2002)
8
Promela/SPIN Models
Clientsclient-1945, -2068, -2616
Serversserver-1945, -2068, -2616, -2616-may
Proxiesproxy-1945proxy-2068-e2e, -2068-hbh, -2068-hybridproxy-2616, -2616-fixed
Code available via web:
http://cs-people.bu.edu/artdodge/research/httpverify/
Computer Science
14 August, 2002 7th International Workshop on Web Content Caching and Distribution (WCW 2002)
9
Client-Server Results
Write Deadlock: C1.1 - S1.1
Resembles a DoS attack Benevolent
Peers!
Rare in practice Large S/R
buffers
Otherwise, all cases verify
Computer Science
14 August, 2002 7th International Workshop on Web Content Caching and Distribution (WCW 2002)
10
Client-Proxies-Server Results
Experiment with proxy-2068-hybrid Use -e2e, -hbh to explore reasons for failures
All Deadlock-Prone Cases: RFC1945 Server or Proxy upstream of a 1.1 Proxy Included an RFC2068 Proxy downstream
somewhere
2068-e2e behavior induces problems2068-hybrid aggravates it (deception)Interaction of RFC2068 and RFC2616 rules
can fail Experiments 2.8, 4.3, 4.6, 4.12, 4.13
Computer Science
14 August, 2002 7th International Workshop on Web Content Caching and Distribution (WCW 2002)
11
Example
proxy-2616-fixed handles this
correctly
Computer Science
14 August, 2002 7th International Workshop on Web Content Caching and Distribution (WCW 2002)
12
Example
Problem:
Imperfect knowledge beyond first hop
Computer Science
14 August, 2002 7th International Workshop on Web Content Caching and Distribution (WCW 2002)
13
Generalizing: Reductions
Tested all CS, CPS, CPPS Longer chain = greater computational cost
Each CS: secondsEach CPS: minutesEach CPPS: hoursEach CPPPS: days
How do we argue about C(P*)S? Reduction Rules Failure Patterns
Computer Science
14 August, 2002 7th International Workshop on Web Content Caching and Distribution (WCW 2002)
14
Reduction Rules, Failure Patterns
e.g.: “A sequence of proxy-2616 agents behaves (causally) exactly as a single proxy-2616 would.”
Our 8 reductions can reduce any arbitrarily long C(P*)S to one of 53 finite-length models (see [3])
Gives rise to two failure patterns: p/c-2068 proxy-1.1 p/s-1945 c-1.1 (p-1.1 )* p-2068 p/s-1945
Computer Science
14 August, 2002 7th International Workshop on Web Content Caching and Distribution (WCW 2002)
15
Conclusions and Future Work
Modeling informs standards writers Do modeling/verification at design/draft time Force semantic disambiguation Formalize goal of “interoperability” as
requiring verifiable reductions/reducibility
Automatically Identifying Reductions Ideas from I/O automata [Lynch 89, etc]
Backend tools for Flow Calculus Language-level safety of net protocols and
programs
Computer Science
14 August, 2002 7th International Workshop on Web Content Caching and Distribution (WCW 2002)
16
Supported in part by: NSF awards ANI-9986397, ANI-0095988,
CCR-9988529, ITR-0113193 U.S. Dept of Education GAANN Fellowship
Questions?