Detection of Conflicts in Electronic Contracts

Semantics & Verification Research Group, Department of Computer Science, University of Malta. FLACOS 2008. Detection of Conflicts in Electronic Contracts. Stephen Fenech, Gordon J. Pace (University of Malta); Gerardo Schneider (University of Oslo).


Page 1: Detection of Conflicts in Electronic Contracts

Semantics & Verification Research Group

Department of Computer Science, University of Malta

FLACOS 2008

Detection of Conflicts in Electronic Contracts

Stephen Fenech, Gordon J. Pace (University of Malta)

Gerardo Schneider (University of Oslo)

Page 2: Detection of Conflicts in Electronic Contracts

November 2008

Motivation

- Are different services compatible together? (Is this (almost) just the beauty criterion we saw yesterday?)
- Different views of contracts:
  - Contracts as properties
  - A meta-level view of contracts
- Composition of services/systems means composition of contracts

Page 3: Detection of Conflicts in Electronic Contracts

The CL View of Contracts

- An action-based deontic logic
- Enables specification of obligations, prohibitions and permissions
- Reparations as (possibly nested) CTDs, CTPs

Page 4: Detection of Conflicts in Electronic Contracts

What are Conflicts?

Conflicts arise when the contract enforces contradictory actions by one or more signatories:
- Obliged and forbidden from doing an action
- Permitted and forbidden from performing an action
- Being obliged to perform two conflicting actions
- Being obliged and permitted to perform two conflicting actions

Page 5: Detection of Conflicts in Electronic Contracts

Semantic Detection of Conflicts

A contract is conflict-free if for any sequence of non-violating actions, a contract monitor will not end up in a state where the contract enforces a conflict.

This requires a trace semantics of CL that is defined on finite traces and that preserves deontic information.

Page 6: Detection of Conflicts in Electronic Contracts

Deontic Trace Semantics of CL

$\sigma \vdash_\infty c$

Original trace semantics: $\sigma \vDash_\infty c$

Example: $[\{a,b\}, \{b\}, \ldots] \vDash_\infty [a]O(b) \wedge [b]P(c)$

Page 7: Detection of Conflicts in Electronic Contracts

Deontic Trace Semantics of CL

$\sigma \vdash_\infty c$

Three problems:
- Infinite traces are not always constructible: $\forall \sigma \cdot \sigma \nvDash_\infty O(a) \wedge F(a)$
- Permission has no role in the semantics: $[\{b\}, \ldots] \vDash_\infty F(a) \wedge P(a)$
- No deontic information is used in the semantics

Page 8: Detection of Conflicts in Electronic Contracts

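Deontic Trace Semantics of CL

$\sigma \vdash_\infty c$

New trace semantics: $\sigma, \sigma_d \vDash_f c$

Correctness: $\sigma \vDash_\infty c \iff \exists \sigma_d \cdot \forall n \cdot \sigma(0..n), \sigma_d(0..n) \vDash_f c$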

Page 9: Detection of Conflicts in Electronic Contracts

Automata with Deontic Information

Given a CL contract $c$, $(c) = \langle S, A_\&, s_0, T, V, I, \delta \rangle$ is an automaton:
- $S$ is the set of states, $s_0$ the initial state
- $A_\&$ is the set of concurrent actions
- $T = S \times A_\& \times S$ are the labelled transitions
- $V$ is the violation state
- $I : S \to CL$ tags states with CL clauses
- $\delta$ labels states with deontic information

The language of such an automaton, Accept((c)), is the set of traces accepted by the automaton, not passing through state $V$.

Page 10: Detection of Conflicts in Electronic Contracts

Correctness Result

Theorem: Given a CL contract $c$:

$\sigma, \sigma_d \vDash_f c$ if and only if $\sigma \in$ Accept((c))

A contract is conflict-free if and only if its automaton representation is conflict-free.

Page 11: Detection of Conflicts in Electronic Contracts

CLAN: An Implementation

$[c]O(b) \wedge [a]F(b)$
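An added example, not part of the slides and not CLAN's code: a minimal conflict search over a constructed fragment of CL, run on the contract [c]O(b) ∧ [a]F(b). The tuple encoding and the names `step`, `conflicts` and `find_conflict` are assumptions made here, and only same-action conflicts (obliged/forbidden, permitted/forbidden) are checked.

```python
from collections import deque
from itertools import combinations

# Constructed fragment of CL: a contract is a tuple of conjoined clauses.
#   ("O", x) obliged, ("F", x) forbidden, ("P", x) permitted to do x in the next step
#   ("box", x, sub) is [x]sub: if x occurs in the next step, sub holds afterwards
def step(state, acts):
    """Residual contract after the concurrent action set `acts`; None is the violation state V."""
    nxt = []
    for clause in state:
        kind, x = clause[0], clause[1]
        if (kind == "O" and x not in acts) or (kind == "F" and x in acts):
            return None
        if kind == "box" and x in acts:
            nxt.extend(clause[2])
    return tuple(sorted(set(nxt), key=repr))

def conflicts(state):
    """Pairs of deontic notions labelling this state that contradict each other."""
    forbidden = {c[1] for c in state if c[0] == "F"}
    return [(c, ("F", c[1])) for c in state if c[0] in ("O", "P") and c[1] in forbidden]

def find_conflict(contract, alphabet):
    """BFS over states reachable without passing through V; returns (trace, conflicts) or None."""
    letters = sorted(alphabet)
    moves = [frozenset(c) for n in range(1, len(letters) + 1) for c in combinations(letters, n)]
    start = tuple(sorted(set(contract), key=repr))
    queue, seen = deque([(start, [])]), {start}
    while queue:
        state, trace = queue.popleft()
        if conflicts(state):
            return trace, conflicts(state)
        for acts in moves:
            nxt = step(state, acts)
            if nxt is not None and nxt not in seen:
                seen.add(nxt)
                queue.append((nxt, trace + [sorted(acts)]))
    return None

# The slide's contract [c]O(b) ∧ [a]F(b), and a constructed variant with no conflict
clashing = (("box", "c", (("O", "b"),)), ("box", "a", (("F", "b"),)))
harmless = (("box", "c", (("O", "b"),)), ("box", "a", (("P", "b"),)))

if __name__ == "__main__":
    print(find_conflict(clashing, {"a", "b", "c"}))
    print(find_conflict(harmless, {"a", "b", "c"}))
```

The returned trace is a shortest non-violating sequence of concurrent actions that reaches a state labelled with contradictory deontic notions.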

Page 12: Detection of Conflicts in Electronic Contracts

Other Analysis using the Automaton

- Superfluous clauses: state is labelled with a deontic notion multiple times
- Contract query:
  - What does the contract enforce after a sequence of actions?
  - What actions would lead to a specific obligation?

Page 13: Detection of Conflicts in Electronic Contracts

Other Analysis using the Automaton

- Unreachable clauses: clauses in the contract which are superfluous
- Overlapping clauses: clauses repeating similar or identical deontic properties

Page 14: Detection of Conflicts in Electronic Contracts

Conclusions

Sound and complete decision algorithm for conflict detection of CL contracts:
- Based on a trace semantics of CL
- Prototype implementation

Used on a case study involving an airline company check-in desk.

Currently looking into combining this with runtime verification.