Submitted to: FLACOS 2010
This work is licensed under the Creative Commons Attribution License.

Synthesis and Analysis of Adaptors through Security Contracts

J. Antonio Martín
University of Málaga
jamartin@lcc.uma.es

E. Pimentel
University of Málaga
ernesto@lcc.uma.es

Security is considered to be one of the main challenges as regards the widespread application of Service Oriented Architectures across organisations. WS-Security, and its successive extensions, have emerged to fulfil this need, but these approaches hinder the loose coupling among services, therefore constraining their reusability and replaceability. Software adaptation is a sound solution to overcome the incompatibilities in interface, behaviour and security constraints among stateful services. Adaptation contracts successfully express in a concise manner how to overcome the incompatibilities between secure services. However, most of the work in the literature does not provide the means to generate full-blown adaptors from contracts through an analysable synthesis process. Furthermore, traditional algorithms for adaptor synthesis are comparable to common model checking and simulation techniques in their approach and complexity. Therefore, the state space of the system was usually explored at least twice: once to generate the adaptor and again to verify the adapted system. In this work, we propose a new approach to generate security adaptors from adaptation contracts. This approach allows us to prove desirable properties, such as deadlock and livelock freedom, by construction of the adaptor, avoiding the computational cost of subsequent verification and simulation phases.

1 Motivation

Service Oriented Architectures (SOA) are composed of interoperable Web Services. However, Web Services (WS) are not always compatible, a fact which hinders their reusability, development and maintenance.
This is particularly important in stateful services with complex behaviour (such as those described as BPEL processes [1] or Windows Workflows [9]) where any mismatch in the sequence of the messages exchanged may lead the composition to a deadlock situation. For instance, a missing operation in a service, a mismatch in the operation name or arguments, or an unexpected sequence of messages makes the correct termination of the services involved impossible.

Software adaptation [10, 4] is a sound solution which enables Web Services to interoperate despite their initial incompatibilities. This adaptation is achieved by deploying an adaptor, either as a set of wrappers or as a centric orchestrator, which is in charge of receiving, translating and rearranging the messages in the way expected by the destination service.

Adaptor design is a difficult task where the developer must take into account the behaviour of all the services and their possible interactions. In this process, subtle details may be missed, therefore resulting in an erroneous adaptation. We propose adaptation contracts as an abstract specification of the adaptation. These contracts will allow us to state clearly and concisely how to solve the incompatibilities among the services.

The complexity of the adaptation increases when it has to support security-enabled messages, such as SOAP messages enhanced with WS-Security [8]. Consequently, security adaptation comprises a new set of problems since the different parts of the message might be encrypted, signed or digested. In this case,