Advancing Software Services Robustness. Techniques for Assessment and Improvement

Abstract

The use of software services in the development and integration of enterprise applications in business-­‐‑critical scenarios has been steadily increasing. Software services consist of components that can be used by other applications across the web and are supported by standard protocols and specifications. In a service-­‐‑based environment, providers supply a set of operations for consumers. These operations, supported by a complex software infrastructure (including application servers, middleware stacks, databases, etc.), are based on an immense variety of technologies, and use other services to compose complex business processes (i.e., a collection of services working together towards a goal). The increasing use of service-­‐‑based applications in critical business-­‐‑to-­‐‑ business environments raises the need for new techniques and tools that support the development and deployment of services that fulfill key dependability properties. Currently, services are dynamic, use a vast diversity of systems, are evolving and are frequently deployed over public unreliable networks. Additionally, service developers normally face time-­‐‑ to-­‐‑market pressure, leading them to focus on functionality development and disregard important testing activities, which may result in the deployment of software with bugs, including robustness problems and security vulnerabilities. This thesis addresses the problem of robustness assessment and improvement in software services. In particular, we first propose a generic approach for assessing the robustness of distinct classes of services (e.g., web and messaging services). The approach is based on a set of tests, which comprise a combination of valid and invalid input parameters, and are used in services operations. Besides defining the general procedure, the approach describes all the components necessary for testing services for robustness. The proposal is demonstrated with two concrete case studies on web services and messaging middleware. The thesis also proposes a technique to fix robustness problems in web services. This technique, which extends to the development process itself, is based on the definition and announcement of the service input and output domains in a complete way. Wrappers are automatically built based on the domain definitions to prevent the execution of the service with invalid input parameters. The wrapping technique is taken one step further to include protection against malicious inputs (although possibly valid in the domain). To achieve this goal, we introduce a learning phase to gather invariant information representing the profile of regular (i.e., non malicious) client requests. The robustness wrapper is then able to use that information, which is complemented with a set of heuristics to handle new cases (i.e., previously unobserved), to prevent the execution of requests that fall out of the regular profile. Finally, the thesis proposes techniques to improve relevant fault tolerance aspects of web services. In particular, we design two concrete mechanisms that endow web services with features that allow increasing correctness, availability and performance, including proper handling of timing requirements. The first mechanism helps developers to deploy fault-­‐‑tolerant compositions using diverse services, by applying techniques like diversity and voting schemes. The second mechanism provides support for deploying services able to perform runtime detection and prediction of timing failures, based on the collection and analysis of historical data. In this case, when clients’ timing requirements are exceeded or are not possible to (predictably) be guaranteed, the service consistently replies with a well known exceptional behavior.