Safe Composition of Web Communication Protocols

Adam D. Bradley, Azer Bestavros, Assaf J. Kfoury
artdodge,best,kfoury@cs.bu.edu
Computer Science Department, Boston University

7th International Workshop on Web Content Caching and Distribution (WCW 2002), 14 August 2002
Introduction

Preliminaries
       HTTP Versions
       The Expect/Continue Feature: Is it “Safe”?


Model-based Analysis
       Building Models from RFCs
       Verification Results
       General Claims


Conclusions and Future Directions
HTTP Versioning Problem

HTTP - informal docs, internet-drafts

HTTP/1.0
       RFC1945


HTTP/1.1
       RFC2068 (1/97), superseded by RFC2616 (6/99)
       “HTTP/1.1” does not uniquely identify semantics



Expect/Continue

Clients can send entities in requests
       POSTing a form, image, PDF paper, Web Service invocation (SOAP etc.)
Don’t send entity if doing so accomplishes nothing
       Authentication failure, server overload, failed predicate
“100 Continue” Interim Response
       Server signals interest in request entity
       Introduced in RFC2068
“Expect: 100-continue” Request Header
       Client signals it will wait for a 100 Continue message
       Introduced in RFC2616
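As an added illustration (not code from the paper), the Expect/Continue exchange between an RFC2616-style client and an origin server, run over a local socketpair: the server reads only the headers, then either refuses with 401 before any entity is sent, answers 100 Continue and reads the body, or (if it predates Expect) says nothing and the client sends the body once its wait expires. The function names, the request line and the one-second wait are assumptions.

```python
import socket, threading
# Constructed demo (not code from the paper): origin server and client exchanging
# Expect: 100-continue over a local socketpair, so it runs offline.

def read_until(sock, marker, buf=b""):
    while marker not in buf:  # accumulate until the marker arrives or the peer closes
        chunk = sock.recv(4096)
        if not chunk:
            break
        buf += chunk
    return buf

def serve_once(sock, authorized, understands_expect=True):
    """Read headers first; return the body actually read (b"" if refused early)."""
    head, _, rest = read_until(sock, b"\r\n\r\n").partition(b"\r\n\r\n")
    hdrs = {k.strip().lower(): v.strip() for k, v in
            (line.split(b":", 1) for line in head.split(b"\r\n")[1:])}
    if not authorized:  # refuse before the entity is sent: the point of Expect/Continue
        sock.sendall(b"HTTP/1.1 401 Unauthorized\r\nContent-Length: 0\r\n\r\n")
        return b""
    if understands_expect and hdrs.get(b"expect", b"").lower() == b"100-continue":
        sock.sendall(b"HTTP/1.1 100 Continue\r\n\r\n")  # interim response: send the entity
    while len(rest) < int(hdrs[b"content-length"]):
        rest += sock.recv(4096)
    sock.sendall(b"HTTP/1.1 200 OK\r\nContent-Length: 0\r\n\r\n")
    return rest

def post_with_expect(sock, body, wait=1.0):
    """RFC2616-style client; returns (final status, whether the body was sent)."""
    sock.sendall(b"POST /upload HTTP/1.1\r\nHost: example.test\r\nExpect: 100-continue\r\n"
                 b"Content-Length: %d\r\n\r\n" % len(body))
    sock.settimeout(wait)  # wait only briefly for 100 Continue
    try:
        first = read_until(sock, b"\r\n\r\n")
    except socket.timeout:  # server predates Expect and said nothing: send the body anyway
        first = b""
    sock.settimeout(None)
    if first and not first.startswith(b"HTTP/1.1 100"):
        return int(first.split()[1]), False  # final status arrived: entity never sent
    sock.sendall(body)
    final = read_until(sock, b"\r\n\r\n", first.partition(b"\r\n\r\n")[2])
    return int(final.split()[1]), True

def run(body, authorized, understands_expect=True):
    c, s = socket.socketpair()
    got = []
    t = threading.Thread(target=lambda: got.append(serve_once(s, authorized, understands_expect)))
    t.start()
    status, sent = post_with_expect(c, body)
    t.join(); c.close(); s.close()
    return status, sent, got[0]  # (status, body_was_sent, body_the_server_read)
```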
Expect/Continue: Problems!

This changes the event model for HTTP!

What’s a proxy to do? (Pre-RFC2616)
       Is “100 Continue” hop-by-hop?
            Defeats most obvious use: Bandwidth-starved client
       Is “100 Continue” end-to-end?
            Deadlock-prone [Mogul97]
       Is it either/both? (Choose either at whim?)
            Confuses (deceives) downstream agents?




The “Fix”

RFC2616 added Expect: 100-continue
Defined Expect/Continue as Hop-by-Hop
Rules for graceful interoperability with RFC2068

Problem solved… or IS it?


Formal Modeling

SPIN
       Finite-State Model Checker
            Strength: Find deadlocks, livelocks, LTL violations
       Gerard Holzmann - Bell Labs
       Freely Downloadable
Promela
       C-like code for non-deterministic state machines
       Useful constructs for communication modeling
The Challenge:
       Translate prosaic RFCs into Reactive State Machines

Promela/SPIN Models

Clients
       client-1945, -2068, -2616
Servers
       server-1945, -2068, -2616, -2616-may
Proxies
       proxy-1945
       proxy-2068-e2e, -2068-hbh, -2068-hybrid
       proxy-2616, -2616-fixed
Code available via web: http://cs-people.bu.edu/artdodge/research/httpverify/


Client-Server Results

Write Deadlock: C1.1 - S1.1
Resembles a DoS attack
       Benevolent Peers!
Rare in practice
       Large S/R buffers

Otherwise, all cases verify
Client-Proxies-Server Results

Experiment with proxy-2068-hybrid
       Use -e2e, -hbh to explore reasons for failures
All Deadlock-Prone Cases:
       RFC1945 Server or Proxy upstream of a 1.1 Proxy
       Included an RFC2068 Proxy downstream somewhere
2068-e2e behavior induces problems
2068-hybrid aggravates it (deception)
Interaction of RFC2068 and RFC2616 rules can fail
       Experiments 2.8, 4.3, 4.6, 4.12, 4.13
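To show the kind of check the authors ran in SPIN, here is an added toy state-space search (not the authors' Promela, whose rules are far more detailed) over simplified client, proxy and server scripts exchanging HDR, 100, BODY and FINAL on capacity-1 channels; it enumerates every interleaving and reports deadlocks for chains of any length, so it also covers the C(P*)S compositions of the later slides. The sequential proxy scripts, the rule that an unexpected 100 is simply discarded, and all names are modelling assumptions.

```python
from collections import deque
# Constructed toy model (not the authors' Promela): capacity-1 channels, four message
# kinds, straight-line agent scripts; hop h uses channel 2h for requests, 2h+1 for responses.
# Steps: ('!', chan, msg) sends; ('?', chan, {accepted}, may_skip) receives (may_skip = timeout).
CAP = 1
def replace(t, i, v):
    return t[:i] + (v,) + t[i + 1:]
def explore(agents, nchans):
    """SPIN-style search of every interleaving; returns the states where nobody can move."""
    start = (tuple(0 for _ in agents), tuple(() for _ in range(nchans)))
    seen, todo, deadlocks = {start}, deque([start]), []
    while todo:
        pcs, chans = todo.popleft()
        succ = []
        for i, script in enumerate(agents):
            if pcs[i] == len(script): continue  # this agent has finished
            step, nxt = script[pcs[i]], replace(pcs, i, pcs[i] + 1)
            q = chans[step[1]]
            if step[0] == '!' and len(q) < CAP:
                succ.append((nxt, replace(chans, step[1], q + (step[2],))))
            elif step[0] == '?':
                if q and q[0] in step[2]:
                    succ.append((nxt, replace(chans, step[1], q[1:])))
                elif q and q[0] == '100':  # an unexpected 100 Continue is tolerated and dropped
                    succ.append((pcs, replace(chans, step[1], q[1:])))
                if step[3]:  # timeout branch: stop waiting and move on
                    succ.append((nxt, chans))
        if not succ and any(pc < len(a) for pc, a in zip(pcs, agents)):
            deadlocks.append((pcs, chans))  # deadlock: unfinished agents, no enabled move
        for s in succ:
            if s not in seen:
                seen.add(s); todo.append(s)
    return deadlocks

def client(h, waits_for_100):  # True: blocks until a 100 arrives; False: may time out (RFC2616)
    return [('!', 2*h, 'HDR'), ('?', 2*h+1, {'100'}, not waits_for_100),
            ('!', 2*h, 'BODY'), ('?', 2*h+1, {'FINAL'}, False)]
def server_1945(h):  # HTTP/1.0 origin: reads the whole request, never sends 100
    return [('?', 2*h, {'HDR'}, False), ('?', 2*h, {'BODY'}, False), ('!', 2*h+1, 'FINAL')]
def server_2616(h):  # HTTP/1.1 origin: sends 100 Continue, then reads the body
    return [('?', 2*h, {'HDR'}, False), ('!', 2*h+1, '100'),
            ('?', 2*h, {'BODY'}, False), ('!', 2*h+1, 'FINAL')]
def proxy_e2e(h):  # treats 100 as end-to-end: waits for the origin's 100 and relays it
    d, u = 2*h, 2*h + 2
    return [('?', d, {'HDR'}, False), ('!', u, 'HDR'), ('?', u+1, {'100'}, False), ('!', d+1, '100'),
            ('?', d, {'BODY'}, False), ('!', u, 'BODY'), ('?', u+1, {'FINAL'}, False), ('!', d+1, 'FINAL')]
def proxy_hbh(h):  # treats 100 as hop-by-hop: answers it itself, forwards the body regardless
    d, u = 2*h, 2*h + 2
    return [('?', d, {'HDR'}, False), ('!', d+1, '100'), ('?', d, {'BODY'}, False),
            ('!', u, 'HDR'), ('!', u, 'BODY'), ('?', u+1, {'FINAL'}, False), ('!', d+1, 'FINAL')]
```

A chain is a list of agents with hop indices 0, 1, ..., and needs 2 channels per hop, e.g. `explore([client(0, True), proxy_e2e(0), server_1945(1)], 4)` returns the deadlocked state in which the proxy waits for a 100 the HTTP/1.0 server will never send.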


Example


[Figure omitted; annotation: proxy-2616-fixed handles this correctly]



Example


[Figure omitted; annotation: Problem: imperfect knowledge beyond first hop]



Generalizing: Reductions

Tested all CS, CPS, CPPS
       Longer chain = greater computational cost
            Each CS: seconds
            Each CPS: minutes
            Each CPPS: hours
            Each CPPPS: days


How do we argue about C(P*)S?
       Reduction Rules
       Failure Patterns


Reduction Rules, Failure Patterns

 e.g.: “A sequence of proxy-2616 agents behaves (causally) exactly as a single proxy-2616 would.”

Our 8 reductions can reduce any arbitrarily long C(P*)S to one of 53 finite-length models (see [3])

Gives rise to two failure patterns:
       p/c-2068  proxy-1.1  p/s-1945
       c-1.1  (p-1.1)*  p-2068  p/s-1945


Conclusions and Future Work

Modeling informs standards writers
       Do modeling/verification at design/draft time
       Force semantic disambiguation
       Formalize goal of “interoperability” as
         requiring verifiable reductions/reducibility
Automatically Identifying Reductions
       Ideas from I/O automata [Lynch 89, etc]
Backend tools for Flow Calculus
       Language-level safety of net protocols and programs



                               Questions?



 Supported in part by:
       NSF awards ANI-9986397, ANI-0095988,
                  CCR-9988529, ITR-0113193
       U.S. Dept of Education GAANN Fellowship
