Guaranteeing Recoverability in Electronic Commerce

Cris Pedregal-Martin, Krithi Ramamritham
Computer Science Department, University of Massachusetts, Amherst, Mass. 01003 USA
E-mail: cris@cs.umass.edu

Abstract

Electronic commerce systems (retail, auction, etc.) are good examples of data-based systems that operate under correctness and resilience requirements of a transactional nature but go beyond conventional databases, as they are formed by the aggregation of heterogeneous, autonomous components. In this paper we introduce a framework to specify, analyze, and reason about the behavior of such systems, focusing on how they are designed to make consistent progress in spite of failures. The contributions of this paper are: (a) the introduction of the Guarantee abstraction to deal with transactional applications; (b) a framework based on guarantees and protocols to specify the behaviors of systems and their components and reason about the properties of systems and their components; and (c) application of the framework to a common e-commerce scenario. The framework allows the hierarchical composition of transactional systems and their properties, as well as the proofs of these properties: we specify a system's behavior at its most abstract level, and proceed to decompose the specification mirroring the structure of the system's components, considering the role of guarantee-preserving component systems and recovery in each case. In particular, we show how the lower-level properties are supported by the component systems, which we also characterize within the same framework.

1. Introduction

Many data-based systems go beyond conventional databases, as they are formed by the aggregation of heterogeneous, autonomous components, but operate under correctness and resilience requirements of a transactional nature.
In this paper we introduce a framework to specify and reason about the requirements (and how to satisfy them) for such systems to make consistent progress towards their goals in spite of failures. Ensuring progress in spite of failures is the task of recovery, broadly understood to mean the infrastructure that deals with the consequences of failures in a manner that enables the progress of the system. In order to achieve this end-to-end property even in the face of failures, each of the components must observe certain behaviors, which we describe in terms of protocols, and keep certain promises, which we describe in terms of guarantees. The abstractions of guarantees and protocols are stated in terms of predicates on events and on the state of the system as produced by a particular history of these events.

Contributions of the Paper. The primary contributions of this paper are: (a) the introduction of the Guarantee abstraction to deal with transactional applications; (b) the development of a framework based on guarantees and protocols to specify the behaviors of systems and their components and reason about the properties of systems and their components; and (c) application of the framework to a commonly occurring e-commerce scenario. An interesting aspect of the framework is that it allows the hierarchical composition of transactional systems and their properties, as well as the proofs of these properties.

A Specific E-Commerce Scenario. Our scenario consists of all the parties in an e-commerce retail (business) transaction, e.g., a customer, a merchant, a supplier, and a bank. We describe the system, at the highest level, in terms of how the behaviors and relationships between these components contribute to the progress of an e-commerce (business) transaction. Specifically, the property, or goal, of the e-commerce system is that (the right) goods be exchanged for (the correct amount of) money [9].
In e-commerce, as in most real systems, this end-to-end property must hold in spite of failures; in other words, once the merchant confirms an order to a client, the goal of completing the exchange of goods for money must be attained eventually.

Throughout the paper, we consider the specific scenario (illustrated in Figures 1 and 2) of an online Merchant selling to a Customer who pays with a credit card^1 issued by a Bank, which functions as a trusted third party for the transfer of money between the Merchant and the Customer. A Supplier provides the goods to the Customer as instructed

^1 We chose this well-known scenario for pedagogical reasons: to capture enough real world details without overwhelming the reader.
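To make the guarantee/protocol distinction concrete, the following added example (not from the paper) models the Customer/Merchant/Bank/Supplier scenario as an event history: a protocol is a predicate on the sequence of events, a guarantee is a predicate on the state that replaying the history produces, and the orders the guarantee still owes after a failure are exactly what recovery must complete. Event names, the assumed event ordering and the order fields are this example's own assumptions.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass
class Order:
    amount: int                      # price agreed when the order was placed
    goods: str                       # item agreed when the order was placed
    confirmed: bool = False          # Merchant confirmed the order to the Customer
    paid: Optional[int] = None       # amount the Bank actually transferred
    delivered: Optional[str] = None  # item the Supplier actually delivered

def replay(history):
    """State produced by a history of events: {order_id: Order}."""
    orders = {}
    for ev in history:
        kind, oid = ev[0], ev[1]
        if kind == "order":          # Customer places order: (kind, id, amount, goods)
            orders[oid] = Order(amount=ev[2], goods=ev[3])
        elif kind == "confirm":      # Merchant confirms the order
            orders[oid].confirmed = True
        elif kind == "pay":          # Bank transfers ev[2] to the Merchant
            orders[oid].paid = ev[2]
        elif kind == "deliver":      # Supplier delivers ev[2] to the Customer
            orders[oid].delivered = ev[2]
    return orders

def protocol_ok(history):
    """Protocol predicate on the event sequence (assumed ordering):
    a payment only after confirmation, a delivery only after payment."""
    seen = {}
    for ev in history:
        kind, oid = ev[0], ev[1]
        prev = seen.setdefault(oid, set())
        if (kind == "pay" and "confirm" not in prev) or \
           (kind == "deliver" and "pay" not in prev):
            return False
        prev.add(kind)
    return True

def fulfilled(o):
    """The end-to-end goal for one order: right goods for the correct amount."""
    return o.paid == o.amount and o.delivered == o.goods

def guarantee_holds(history):
    """Guarantee predicate on the replayed state: every confirmed order is fulfilled."""
    return all(fulfilled(o) for o in replay(history).values() if o.confirmed)

def unmet(history):
    """Confirmed but unfulfilled orders: the work recovery must still complete."""
    return sorted(oid for oid, o in replay(history).items()
                  if o.confirmed and not fulfilled(o))

# Constructed sample histories.
COMPLETE = [("order", "o1", 40, "book"), ("confirm", "o1"), ("pay", "o1", 40), ("deliver", "o1", "book")]
CRASHED = [("order", "o2", 25, "lamp"), ("confirm", "o2"), ("pay", "o2", 25)]  # delivery never happened
WRONG = [("order", "o3", 40, "book"), ("confirm", "o3"), ("pay", "o3", 40), ("deliver", "o3", "mug")]
```

Replaying CRASHED plus the missing delivery event is the recovery step that makes the guarantee hold again; WRONG satisfies the protocol yet violates the guarantee, which is why both predicates are needed.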