David Powell

Dependability Evaluation of Cooperative Backup Strategies for Mobile Devices

Mobile devices (e.g., laptops, PDAs, cell phones) are increasingly relied on but are used in contexts that put them at risk of physical damage, loss or theft. This paper discusses the dependability evaluation of a cooperative backup service for mobile devices. Participating devices leverage encounters with other devices to temporarily replicate critical data. Permanent backups are created when the participating devices are able to access the fixed infrastructure. Several data replication and scattering strategies are presented, including the use of erasure codes. A methodology to model and evaluate them using Petri nets and Markov chains is described. We demonstrate that our cooperative backup service decreases the probability of data loss by a factor up to the ad hoc to Internet connectivity ratio.

A hybrid approach for building eventually accurate failure detectors

Unreliable failure detectors introduced by Chandra and Toueg are abstract mechanisms that provide information about process crashes. On the one hand, failure detectors allow a statement of the minimal requirements on process failures that allow solutions to problems that cannot otherwise be solved in purely asynchronous systems. However, on the other hand, they cannot be implemented in such systems: their implementation requires that the underlying distributed system be enriched with additional assumptions. Classic failure detector implementations rely on additional synchrony assumptions such as partial synchrony. More recently, a new approach for implementing failure detectors has been proposed: it relies on behavioral properties on the flow of messages exchanged. This shows that these approaches are not antagonistic and can be advantageously combined. A hybrid protocol (the first to our knowledge) implementing failure detectors with eventual accuracy properties is presented. Interestingly, this protocol benefits from the best of both worlds in the sense that it converges (i.e., provides the required failure detector) as soon as either the system behaves synchronously or the required message exchange pattern is satisfied. This shows that, to expedite convergence, it can be interesting to consider that the underlying system can satisfy several alternative assumptions.

A UML-based method for risk analysis of human-robot interactions

Safety is a major concern for robots that interact physically with humans. We propose a risk analysis method based on deviation analysis of system usage scenarios that allows the identification of major risks. Scenarios are described with the common Unified Modeling Language (UML), and risk analysis is performed with the guideword-based collaborative method HAZOP (HAZard OP-erability). We adapt HAZOP attributes and guidewords for generic interpretation of UML use-case and sequence diagrams describing human-robot interactions. This approach has been systematically applied for the analysis of two quite different robots working in a human environment: a mobile manipulator and a robotic strolling assistant. When applied, the method gave conclusive evidence that the modeled systems were not safe. A CASE tool to support this method is also presented.

Geo-registers: An Abstraction for Spatial-Based Distributed Computing

In this work we present an abstraction that allows a set of distributed processes, aware of their respective positions in space, to collectively maintain information associated with an area in the physical world. This abstraction is a logical object shared between participating processes that provides two operations, namely read and write.

The SESAME Experience: from Assembly Languages to Declarative Models

SESAME (Software Environment for Software Analysis by Mutation Effects) is a fault injection tool using mutation as the target fault model. It has been used for 15 years to support dependability research at LAAS-CNRS. A salient feature of SESAME is that it is multi-language. This made it possible to inject faults into software written in assembly languages, procedural languages (Pascal, C), a data-flow language (LUSTRE), as well as in a declarative language for temporal planning in robotics. This paper provides an overview of the tool, and reports on its use in experimental research addressing either fault removal or fault tolerance topics.

Connecting commercial computers to avionics systems

In this paper, we present two case studies identified for new aircraft generations in which bidirectional communications are carried between onboard and off-board computers. These two case studies deal respectively with flight parameter calculation and enhanced maintenance operations for future aircraft. We emphasize the safety and security challenges in such communications, and propose a safe architecture allowing the connection of commercial computers to avionics systems, without altering any embedded software component behavior.

AMORES: an architecture for mobiquitous resilient systems

We present the AMORES project, which aims to provide an architecture for the provision of privacy preserving and resilient collaborative services in mobiquitous (i.e., mobile and ubiquitous) systems. The project is built around three use-cases from the area of public transportation: (1) dynamic carpooling, (2) real-time computation of multimodal transportation itineraries and (3) mobile social networking. Four main research tasks are presented in this paper. The first task deals with use-cases, prototypes and privacy assessment. The second task addresses geo-communication primitives: verified positioning, locanyms and geo-services. The third task deals with privacy-preserving communication means such as anonymous routing and geo-cryptography. Finally, the last task is devoted to collaborative behaviors.

Security rationale for a cooperative backup service for mobile devices

Mobile devices (e.g., laptops, PDAs, cell phones) are increasingly relied on but are used in contexts that put them at risk of physical damage, loss or theft. This paper discusses security considerations that arise in the design of a cooperative backup service for mobile devices. Participating devices leverage encounters with other devices to temporarily replicate critical data. Anyone is free to participate in the cooperative service, without requiring any prior trust relationship with other participants. In this paper, we identify security threats relevant in this context as well as possible solutions and discuss how they map to low-level security requirements related to identity and trust establishment. We propose self-organized, policy-neutral mechanisms that allow the secure designation and identification of participating devices. We show that they can serve as a building block for a wide range of cooperation policies that address most of the security threats we are concerned with. We conclude on future directions.

Enhancing dependability in avionics using virtualization

Software in avionics has always been totally separated from open-world software, in order to avoid any interaction that could corrupt critical on-board systems. However, new aircraft generations need more interaction with off-board systems to offer extended services, which makes these information flows potentially dangerous.n In this paper, we present a case study (identified in the ArSec project) that requires bidirectional communication between critical on-board systems and untrusted off-board systems. We propose the use of virtualization to ensure dependability of critical applications despite such communication.

Dependability assessment of GUARDS instances

The generic architectural concepts developed in the European ESPRIT project GUARDS (Generic Upgradable Architecture for Real time Distributed Systems) provide a comprehensive framework from which specific instances can be derived to meet the dependability requirements of various application domains. Three main application domains are considered (railway, nuclear propulsion and space) that correspond to the fields of the three end-user partners of the project. This paper presents the modeling method supporting the assessment of GUARDS instances. The goal is to assist the designers in making objective decisions for defining a specific instance of the generic architecture. After a short summary of the main architectural concepts of GUARDS, the paper describes the major assumptions concerning: i) component types (both hardware and software), ii) fault types, where special attention is paid to potentially correlated faults, and iii) the generic fault tolerance features of GUARDS. The main architectural characteristics of the target instances (one for each application domain) are briefly described. The modeling strategy is summarized and examples of models (stochastic Petri nets) are given. Selected results are then presented and discussed. They exemplify the usefulness of the modeling and evaluation method, in particular in the light of sensitivity analyses with respect to model parameters.