Brian Randell

Basic concepts and taxonomy of dependable and secure computing

This paper gives the main definitions relating to dependability, a generic concept including a special case of such attributes as reliability, availability, safety, integrity, maintainability, etc. Security brings in concerns for confidentiality, in addition to availability and integrity. Basic definitions are given first. They are then commented upon, and supplemented by additional definitions, which address the threats to dependability and security (faults, errors, failures), their attributes, and the means for their achievement (fault prevention, fault tolerance, fault removal, fault forecasting). The aim is to explicate a set of general concepts, of relevance across a wide range of situations and, therefore, helping communication and cooperation among a number of scientific and technical communities, including ones that are concentrating on particular types of system, of system failures, or of causes of system failures.

Reliability Issues in Computing System Design

This paper surveys the various problems involved in achieving very high rehability from complex computing systems, and discusses the relatmnship between system structurmg techniques and techniques of fault tolerance. Topics covered mclude: 1) protective redundancy in hardware and software; 2) the use of atomic actmns to structure the activity of a system to limit mformatmn flow; 3) error detection techniques; 4) strategies for locating and dealmg with faults and for assessing the damage they have caused; and 5) forward and backward error recovery techmques, based on the concepts of recovery line, commitment, exceptmn, and compensation. The ideas described relate to techmques used to date in systems mtended for environments in whmh high reliability is demanded Three specific systems the JPL-STAR, the Bell Laboratories ESS No. 1A processor, and the PLURIBUS are described m some detail and compared.

A program structure for error detection and recovery

The paper describes a method of structuring programs which aids the design and validation of facilities for the detection of and recovery from software errors. Associated with the method is a mechanism for the automatic preservation of restart information at a level of overhead which is believed to be tolerable.

Error recovery in asynchronous systems

A framework for the provision of fault tolerance in asynchronous systems is introduced. The proposal generalizes the form of simple recovery facilities supported by nested atomic actions in which the exception mechanisms only permit backward error recovery. It allows the construction of systems using both forward and backward error recovery and thus allows the exploitation of the complementary benefits of the two schemes. Backward recovery, forward recovery, and normal processing activities can occur concurrently within the organization proposed. Exception handling is generalized to provide a uniform basis for fault tolerance schemes with the atomic action structure. The generalization includes a resolution scheme for concurrently raised exceptions based on an exception tree and an abortion scheme that permits the termination of the internal atomic actions. An automatic resolution mechanism is outlined for exceptions in atomic actions which allows users to separate their recovery schemes from the details of the underlying algorithms.

The newcastle connection or UNIXes of the world unite

In this paper we describe a software subsystem that can be added to each of a set of physically interconnected UNIX or UNIX look‐alike systems, so as to construct a distributed system which is functionally indistinguishable at both the user and the program level from a conventional single‐processor UNIX system. The techniques used are applicable to a variety and multiplicity of both local and wide area networks, and enable all issues of inter‐processor communication, network protocols, etc., to be hidden. A brief account is given of experience with such a distributed system, which is currently operational on a set of PDPlls connected by a Cambridge Ring. The final sections compare our scheme to various precursor schemes and discuss its potential relevance to other operating systems.

Fault tolerance in concurrent object-oriented software through coordinated error recovery

Presents a scheme for coordinated error recovery between multiple interacting objects in a concurrent object-oriented system. A conceptual framework for fault tolerance is established based on a general object concurrency model that is supported by most concurrent object-oriented languages and systems. This framework integrates two complementary concepts-conversations and transactions. Conversations (associated with cooperative exception handling) are used to provide coordinated error recovery between concurrent interacting activities whilst transactions are used to maintain the consistency of shared resources in the presence of concurrent access and possible failures. The serialisability property of transactions is exploited in order to help prevent unexpected information smuggling. The proposed framework is illustrated by means of a case study, and various linguistic and implementation issues are discussed.<<ETX>>

Dependability and Its Threats: A Taxonomy

This paper gives the main definitions relating to dependability, a generic concept including as special case such attributes as reliability, availability, safety, confidentiality, integrity, maintainability, etc. Basic definitions are given first. They are then commented upon, and supplemented by additional definitions, which address the threats to dependability (faults, errors, failures), and the attributes of dependability. The discussion on the attributes encompasses the relationship of dependability with security, survivability and trustworthiness.

A systematic classification of cheating in online games

Cheating is rampant in current game play on the Internet. However, it is not as well understood as one might expect. In this paper, we summarize the various known methods of cheating, and we define a taxonomy of online game cheating with respect to the underlying vulnerability (what is exploited?), consequence (what type of failure can be achieved?) and the cheating principal (who is cheating?). This taxonomy provides a systematic introduction to the characteristics of cheats in online games and how they can arise. It is intended to be comprehensible and useful not only to security specialists, but also to game developers, operators and players who are less knowledgeable and experienced in security. One of our findings is that although cheating in online games is largely due to various security failures, the four traditional aspects of security -- confidentiality, integrity, availability and authenticity -- are insufficient to explain it. Instead, fairness becomes a vital additional aspect, and its enforcement provides a convincing perspective for understanding the role of security techniques in developing and operating online games.

A note on storage fragmentation and program segmentation

The main purpose of this paper is the presentation of some of the results of a series of simulation experiments investigating the phenomenon of storage fragmentation. Two different types of storage fragmentation are distinguished: (1) external fragmentation, namely the loss in storage utilization caused by the inability to make use of all available storage after it has been fragmented into a large number of separate blocks; and (2) internal fragmentation, the loss of utilization caused by rounding up a request for storage, rather than allocating only the exact number of words required. The most striking result is the apparently general rule that rounding up requests for storage, to reduce the number of different sizes of blocks coexisting in storage, causes more loss of storage by increased internal fragmentation than is saved by decreased external fragmentation. Described also are a method of segment allocation and an accompanying technique for segment addressing which take advantage of the above result. Evidence is presented of possible advantages of the method over conventional paging techniques.

A formal model of atomicity in asynchronous systems

SummaryWe propose a generalisation of occurrence graphs as a formal model of computational structure. The model is used to define the “atomic occurrence” of a program, to characterise “interference freeness” between programs, and to model error recovery in a decentralised system.