Verification of REST Using CSP Model Checking

Overview

  • Recap
  • Goals
  • Model Checking
  • Progress
  • Future Work

Recap

  • We have decent models for formalizing REST
  • But little verification
    • Incomplete implementations
    • Non-exhaustive proofs
    • No error handling
    • Only a few properties have been proved

Goal

Use the existing work done on modeling REST/HTTP in CSP as a base for a more robust and verified model

Goal

What needs to be done?

  • State management
  • Auxiliary functions
  • Error handling
  • Extensibility

Model Checking

  • Use the existing work done on modeling REST/HTTP in CSP as a base for a more robust and verified model
  • We will use FDR, a CSP refinement checker
    • https://www.cs.ox.ac.uk/projects/fdr/
    • CSP plus a functional programming language (CSPm)

Our Model

  • Derived from the model in the paper we reviewed
  • Adds discrete state to reason about and verify
  • Aims to fully implement all of the functions necessary to verify several properties of REST and underlying HTTP

Our Model

-- HTTP methods and the status codes the model uses. In CSPm the alternatives
-- of a datatype must be identifiers, so the numeric status codes are declared
-- as a nametype (a named set of integers) rather than as constructors.
datatype Method = get | post | put | delete
nametype Status = {200, 201, 202, 204, 400, 404, 500}
-- Resource data: a map from strings to strings (a map type, hence a nametype).
-- The processes below also send a `null` representation, which the slides
-- leave undefined; Data needs such a value for FDR to accept the model.
nametype Data = (| <Char> => <Char> |)
-- Finite id ranges are assumed here; the slides do not declare them.
nametype ClientId = {0..2}
nametype ResourceId = {0..3}

datatype Message = CS.Method.ClientId.ResourceId.Data
                    | SR.Method.ResourceId.Data
                    | Return.Data.Status

channel ComCS : Message
channel ComSR : Message

Our Model

-- Server side: the resource map and the id the next POST will allocate.
-- Requests arrive on ComSR tagged SR; replies go back tagged Return.
-- A CSPm `let` is recursive, so the updated map gets a fresh name rather
-- than shadowing `resources`.
Resource(resources, next_id) =
  ComSR?SR.method.resource_id.data ->
    (  method == get &
         (if mapMember(resources, resource_id) then
            let resource = mapLookup(resources, resource_id)
            within ComSR!Return.resource.200 -> Resource(resources, next_id)
          else ComSR!Return.null.404 -> Resource(resources, next_id))
    [] method == post &
         -- the server chooses the id and advances next_id
         let new_resources = mapUpdate(resources, next_id, data) within
           ComSR!Return.next_id.201 -> Resource(new_resources, next_id + 1)
    [] method == put &
         -- 201 on create, 204 on overwrite
         let
           status = if mapMember(resources, resource_id) then 204 else 201
           new_resources = mapUpdate(resources, resource_id, data)
         within
           ComSR!Return.null.status -> Resource(new_resources, next_id)
    [] method == delete &
         -- next_id is unchanged (the slide passed resource_id here by mistake)
         let new_resources = mapDelete(resources, resource_id) within
           ComSR!Return.null.204 -> Resource(new_resources, next_id) )

Our Model

-- Client side: sends one request on ComCS, reads the reply, then records or
-- drops the client/resource association. The slides left the recursion target
-- and the link/unlink helpers undefined; here the association is recorded on
-- the AssocCell channels (as the slide's own add_assoc/unlink_assoc comments
-- suggest) and the client repeats its request, an assumption made only to
-- close the recursion.
Client(method, client_id, resource_id, data) =
  if method == get then
    ComCS!CS.get.client_id.resource_id.null
      -> ComCS?Return.representation.status
      -> Client(method, client_id, resource_id, data)
  else if method == post then
    ComCS!CS.post.client_id.resource_id.data
      -> ComCS?Return.new_id.status
      -> AssocCellAdd!client_id.new_id        -- was linkResource(c, new_id)
      -> Client(method, client_id, resource_id, data)
  else if method == put then
    ComCS!CS.put.client_id.resource_id.data
      -> ComCS?Return.empty.status
      -> AssocCellAdd!client_id.resource_id   -- was linkResource(c, resource_id)
      -> Client(method, client_id, resource_id, data)
  else if method == delete then
    ComCS!CS.delete.client_id.resource_id.null
      -> ComCS?Return.empty.status
      -> AssocCellRem!client_id.resource_id   -- was unlinkResource(c, resource_id)
      -> Client(method, client_id, resource_id, data)
  else STOP

Our Model

-- Per-client set of associated resources, keyed by client id.
-- (Int is an infinite type; FDR will need finite ranges here to compile.)
channel AssocCellAdd : Int.Int
channel AssocCellRem : Int.Int

AssocCell(state) =
  AssocCellAdd?client_id.resource_id
    -> (if not mapMember(state, client_id)
        then AssocCell(mapUpdate(state, client_id, {resource_id}))
        else AssocCell(mapUpdate(state, client_id,
               union(mapLookup(state, client_id), {resource_id}))))
  []  -- the slide omitted the choice operator between the two branches
  AssocCellRem?client_id.resource_id
    -> (if mapMember(state, client_id)   -- mapLookup on a missing key is an error
        then AssocCell(mapUpdate(state, client_id,
               diff(mapLookup(state, client_id), {resource_id})))
        else AssocCell(state))

Verification

  • In the process of verifying several properties that the paper did not successfully verify or consider
  • We want to verify:
    • Architecture
    • Statelessness
    • Uniformity
  • As well as HTTP:
    • Idempotence
    • Safety
    • Response codes & structure
  • This is a work-in-progress

Verification

  • We have defined some lemmas that we are currently working to implement in FDR
  • We use the notion of a Communication introduced in the paper
  • Because both the Client and the Resource carry state, we can reason about considerably more

Verification

forall client_id in ClientId . exists comm in Communication .
  method(comm) = get ^
  client_id(comm) = client_id ^
  resource_id(comm) in R ^
  data(comm) = null
  ==> status(comm) = 200

Verify 200 response code on GET for all resources that exist

Verification

forall client_id in ClientId . exists comm in Communication .
  method(comm) = get ^
  client_id(comm) = client_id ^
  resource_id(comm) not in R ^
  data(comm) = null
  ==> status(comm) = 404

Verify 404 response code on GET for all resources that do not exist

Verification

forall method in Method, client_id in ClientId, r in ResourceId,
       request_data, response_data in Data .
exists comm1, comm2 in Communication .
  method(comm1) = method ^ method(comm2) = method ^
  client_id(comm1) = client_id ^ client_id(comm2) = client_id ^
  resource_id(comm1) = r ^ resource_id(comm2) = r ^
  data(comm1) = request_data ^ data(comm2) = request_data
  ==> resource_data(comm1) = response_data ^ resource_data(comm2) = response_data

Verify Idempotence of a method
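The three lemmas above can be exercised outside FDR with a small explicit-state exploration. The following Python is an added example, not code from the slides or from the author's FDR model: it re-implements the Resource process from the "Our Model" slides as a transition function (same status codes, same server-allocated ids for POST), enumerates every state reachable from an empty resource map, and then checks the GET-200, GET-404 and idempotence properties over all of them. The finite ranges `RESOURCE_IDS`, `DATA` and the POST bound `MAX_NEXT_ID` are assumptions made to keep the state space finite; the string `"null"` stands in for the model's `null` representation. The idempotence check goes slightly beyond the slide's lemma: besides comparing the response data of two identical requests it also requires the server state after the second request to equal the state after the first, which is the HTTP notion of idempotence.

```python
from collections import deque

METHODS = ("get", "post", "put", "delete")
RESOURCE_IDS = (0, 1, 2)          # assumed finite ResourceId range (not on the slides)
DATA = ("null", "a", "b")         # assumed finite Data; "null" plays the role of null
MAX_NEXT_ID = len(RESOURCE_IDS)   # bound on POST-allocated ids so exploration terminates


def freeze(rmap):
    """Immutable, hashable form of the resource map."""
    return tuple(sorted(rmap.items()))


def step(state, method, resource_id, data):
    """One ComSR round-trip of Resource(resources, next_id).

    state is (resources, next_id) with resources a frozen (id, data) tuple.
    Returns (new_state, (response_data, status)), mirroring the model's
    Return.Data.Status message."""
    resources, next_id = state
    rmap = dict(resources)
    if method == "get":
        if resource_id in rmap:
            return state, (rmap[resource_id], 200)
        return state, ("null", 404)
    if method == "post":
        rmap[next_id] = data                    # server allocates the id
        return (freeze(rmap), next_id + 1), (next_id, 201)
    if method == "put":
        status = 204 if resource_id in rmap else 201   # overwrite vs create
        rmap[resource_id] = data
        return (freeze(rmap), next_id), ("null", status)
    if method == "delete":
        rmap.pop(resource_id, None)             # mapDelete on a missing key is a no-op
        return (freeze(rmap), next_id), ("null", 204)
    raise ValueError(method)


def requests(state):
    """Every request the model can accept in a state (POST cut off at the bound)."""
    _, next_id = state
    for method in METHODS:
        if method == "post" and next_id >= MAX_NEXT_ID:
            continue
        for rid in RESOURCE_IDS:
            for data in DATA:
                yield (method, rid, data)


def reachable_states():
    """Breadth-first exploration from the empty map: all (resources, next_id)
    states the Resource process can reach under the assumed bounds."""
    start = ((), 0)
    seen, todo = {start}, deque([start])
    while todo:
        s = todo.popleft()
        for req in requests(s):
            t, _ = step(s, *req)
            if t not in seen:
                seen.add(t)
                todo.append(t)
    return seen


def check_get_codes(states):
    """Lemmas 1 and 2: in every reachable state, GET on an existing id answers
    200 with the stored data and GET on a missing id answers 404."""
    for resources, next_id in states:
        rmap = dict(resources)
        for rid in RESOURCE_IDS:
            _, reply = step((resources, next_id), "get", rid, "null")
            expected = (rmap[rid], 200) if rid in rmap else ("null", 404)
            if reply != expected:
                return False
    return True


def idempotence_report(states):
    """Lemma 3, plus state idempotence: the same request sent twice must leave
    the server state unchanged by the second send and return the same response
    data both times. Returns {method: None | (state, request)} where a tuple is
    the first counterexample found."""
    report = {m: None for m in METHODS}
    for s in states:
        for req in requests(s):
            method = req[0]
            if report[method] is not None:
                continue
            s1, (body1, _) = step(s, *req)
            s2, (body2, _) = step(s1, *req)
            if s1 != s2 or body1 != body2:
                report[method] = (s, req)
    return report


if __name__ == "__main__":
    states = reachable_states()
    print(len(states), "reachable states")
    print("GET status lemmas hold:", check_get_codes(states))
    for method, cex in idempotence_report(states).items():
        print(method, "idempotent" if cex is None else f"counterexample {cex}")
```

Running it reports that GET, PUT and DELETE are idempotent in the model while POST is not (the second POST allocates a fresh id and returns a different body). Note that the check deliberately ignores the status code, exactly as the slide's lemma does: PUT answers 201 on the first send and 204 on the second, so a version of the lemma that compared `status(comm)` would fail for PUT even though the resource state is identical.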

By Ada Young
