Publication


Featured research published by Fred B. Schneider.


ACM Computing Surveys | 1990

Implementing fault-tolerant services using the state machine approach: a tutorial

Fred B. Schneider

The state machine approach is a general method for implementing fault-tolerant services in distributed systems. This paper reviews the approach and describes protocols for two different failure models—Byzantine and fail stop. Systems reconfiguration techniques for removing faulty components and integrating repaired components are also discussed.


Foundations of Intrusion Tolerant Systems, 2003 [Organically Assured and Survivable Information Systems] | 2003

Enforceable security policies

Fred B. Schneider

A precise characterization is given for the class of security policies that can be enforced using mechanisms that work by monitoring system execution, and a class of automata is introduced for specifying those security policies. Techniques to enforce security policies specified by such automata are also discussed. READERS NOTE: A substantially revised version of this document is available at http://cs-tr.cs.cornell.edu:80/Dienst/UI/1.0/Display/ncstrl.cornell/TR99-1759


ACM Computing Surveys | 1983

Concepts and Notations for Concurrent Programming

Gregory R. Andrews; Fred B. Schneider

Much has been learned in the last decade about concurrent programming. This paper identifies the major concepts and describes some of the more important language notations for writing concurrent programs. The roles of processes, communication and synchronization are discussed from both an operational and an axiomatic viewpoint. Language notations for expressing concurrent execution and for specifying process interaction are surveyed. Synchronization primitives based on shared variables and on message passing are described. Finally, three general classes of concurrent programming languages are identified and compared.


Distributed Computing | 1986

Recognizing Safety and Liveness

Bowen Alpern; Fred B. Schneider

A formal characterization for safety properties and liveness properties is given in terms of the structure of the Büchi automaton that specifies the property. The characterizations permit a property to be decomposed into a safety property and a liveness property whose conjunction is the original. The characterizations also give insight into techniques required to prove a large class of safety and liveness properties.


New Security Paradigms Workshop | 1999

SASI enforcement of security policies: a retrospective

Úlfar Erlingsson; Fred B. Schneider

SASI enforces security policies by modifying object code for a target system before that system is executed. The approach has been prototyped for two rather different machine architectures: Intel x86 and Java JVML. Details of these prototypes and some generalizations about the SASI approach are discussed.


IEEE Symposium on Security and Privacy | 2000

IRM enforcement of Java stack inspection

Úlfar Erlingsson; Fred B. Schneider

Two implementations are given for Java's stack inspection access-control policy. Each implementation is obtained by generating an inlined reference monitor (IRM) for a different formulation of the policy. Performance of the implementations is evaluated, and one is found to be competitive with Java's less flexible, JVM-resident implementation. The exercise illustrates the power of the IRM approach for enforcing security policies.


ACM Transactions on Computer Systems | 1984

Byzantine generals in action: implementing fail-stop processors

Fred B. Schneider

A fail-stop processor halts instead of performing an erroneous state transformation that might be visible to other processors, can detect whether another fail-stop processor has halted (due to a failure), and has a predefined portion of its storage that will remain unaffected by failures and accessible to any other fail-stop processor. Fail-stop processors can simplify the construction of fault-tolerant computing systems. In this paper, the problem of approximating fail-stop processors is discussed. Use of fail-stop processors is compared with the state machine approach, another general paradigm for constructing fault-tolerant systems.


ACM Transactions on Programming Languages and Systems | 2006

Computability classes for enforcement mechanisms

Kevin W. Hamlen; J. Gregory Morrisett; Fred B. Schneider

A precise characterization of those security policies enforceable by program rewriting is given. This also exposes and rectifies problems in prior work, yielding a better characterization of those security policies enforceable by execution monitors as well as a taxonomy of enforceable security policies. Some but not all classes can be identified with known classes from computational complexity theory.


ACM Transactions on Computer Systems | 2002

COCA: A secure distributed online certification authority

Lidong Zhou; Fred B. Schneider; Robbert van Renesse

COCA is a fault-tolerant and secure online certification authority that has been built and deployed both in a local area network and in the Internet. Extremely weak assumptions characterize environments in which COCA's protocols execute correctly: no assumption is made about execution speed and message delivery delays; channels are expected to exhibit only intermittent reliability; and with 3t + 1 COCA servers up to t may be faulty or compromised. COCA is the first system to integrate a Byzantine quorum system (used to achieve availability) with proactive recovery (used to defend against mobile adversaries which attack, compromise, and control one replica for a limited period of time before moving on to another). In addition to tackling problems associated with combining fault-tolerance and security, new proactive recovery protocols had to be developed. Experimental results give a quantitative evaluation for the cost and effectiveness of the protocols.


International Workshop on Distributed Algorithms | 1997

Towards Fault-Tolerant and Secure Agentry

Fred B. Schneider

Processes that roam a network (agents) present new technical challenges. Two are discussed here. The first problem, which arises in connection with implementing fault-tolerant agents, concerns how a voter authenticates the agents comprising its electorate. The second is to characterize security policies that are enforceable as well as approaches for enforcing those policies.

Collaboration


Top Co-Authors

Keith Marzullo

University of California
