Kumiko Tadano

Automatic Synthesis of Static Fault Trees from System Models

Fault tree analysis (FTA) is a traditional reliability analysis technique. In practice, the manual development of fault trees could be costly and error-prone, especially in the case of fault tolerant systems due to the inherent complexities such as various dependencies and interactions among components. Some dynamic fault tree gates, such as Functional Dependency (FDEP) and Priority AND (PAND), are proposed to model the functional and sequential dependencies, respectively. Unfortunately, the potential semantic troubles and limitations of these gates have not been well studied before. In this paper, we describe a framework to automatically generate static fault trees from system models specified with SysML. A reliability configuration model (RCM) and a static fault tree model (SFTM) are proposed to embed system configuration information needed for reliability analysis and error mechanism for fault tree generation, respectively. In the SFTM, the static representations of functional and sequential dependencies with standard Boolean AND and OR gates are proposed, which can avoid the problems of the dynamic FDEP and PAND gates and can reduce the cost of analysis based on a combinatorial model. A fault-tolerant parallel processor (FTTP) example is used to demonstrate our approach.

Software Life-Extension: A New Countermeasure to Software Aging

This paper presents software life-extension, a new technique for counteracting software aging by preventive operation to extend the lifetime of software execution. Software aging is a phenomenon of progressive degradation of execution environment due to aging-related software faults and it might cause resource depletion resulting in system failures. To extend the lifetime of the software affected by aging, we use a virtual machine to execute the software and allocate additional memory to the virtual machine upon software aging detection. Although software life-extension is a temporal solution as it only postpones the occurrence of a failure, it provides a simple, cost-effective, and non-intrusive countermeasure to software aging. The feasibility and effectiveness of software life-extension are studied by the experiments on memcached, a widely adopted general-purpose in-memory cache server. From the experimental results, we present a Semi-Markov process (SMP) describing the general behavior of software life-extension and analyze the model which gives the prediction of the system availability as well as the user-perceived availability.

A Static Analysis of Dynamic Fault Trees with Priority-AND Gates

A PAND gate is a special AND gate of Dynamic Fault Trees (DFTs) where the input events must occur in a specific order for the occurrence of its output event. We present a transformation from a PAND gate to an AND gate with some dependent conditioning events, called CAND gate, provided that the dynamic behavior of the system can be modeled by a (semi-)Markov process. With the transformation, a DFT with only static Boolean logic gates and PAND gates can be transformed into a static fault tree, which opens up the way to employ efficient combinatorial analysis for the DFT. In addition, the PAND gate cannot model the priority relations between the events whose occurrences are not necessary for the output event. The inability has not been addressed before and it can be overcome by the proposed CAND gate.

Combined Server Rejuvenation in a Virtualized Data Center

This paper presents a high-availability solution to a virtualized data center which consists of a cluster of physical servers and hosted virtual machines (VMs). VMs are typically generated through software called virtual machine monitor (VMM) running on physical servers. Both VMs and VMMs face the risks of software aging which are caused by aging-related bugs in the software and may result in failures in long time execution. To prevent such failures proactively, we propose a combined server rejuvenation technique that performs VM rejuvenations simultaneously with VMM rejuvenation. In order to maximize the resource utilization of the data center, the placement of VMs in the data center is rearranged by live VM migration each time when VMM rejuvenation is performed. Through the simulation experiments, we show that the proposed technique can enhance the availability of VMs in a virtualized data center while achieving high resource utilization.

Towards the Quantitative Evaluation of Phased Maintenance Procedures Using Non-Markovian Regenerative Analysis

The concept of Phased Mission Systems (PMS) can be used to describe maintenance procedures made of sequential actions that use a set of resources and may severely affect them, for instance operations that require outage of hardware and/or software components to recover from a failure or to perform upgrades, tests, and configuration changes. We propose an approach for modeling and evaluation of this class of maintenance procedures, notably addressing the case of actions with non-exponential and firmly bounded duration. This yields stochastic models that underlie a Markov Regenerative Process (MRP) with multiple concurrent timed events having a general (GEN) distribution over a bounded support, which can be effectively analyzed through the method of stochastic state classes. The approach allows evaluation of transient availability measures, which can be exploited to support the selection of a rejuvenation plan of system resources and the choice among different feasible orderings of actions. The experiments were performed through a new release of the Oris tool based on the Sirio framework.

Aging-Related Bugs in Cloud Computing Software

Cloud computing is established on advanced software technologies intended to enhance the scalability of computing infrastructure by making full use of commodity servers. The more cloud computing relies on software technologies, the more software bugs have significant impacts on the system availability. Aging-related bugs, which cause the accumulation of errors in long time software execution, often remain even after the release of a stable version of the software. This paper investigates the bug reports of five major open-source software projects related to cloud computing and confirms the issues about the existence of aging-related bugs. From the investigation how the developers work around such aging-related bugs, the importance of the tool assistance for reproducing the aging problem in replicated site is discussed.

Automatic synthesis of SRN models from system operation templates for availability analysis

In order to cost-effectively verify whether system designs of information systems satisfy availability requirements, it is reasonable to utilize a model-based availability assessment of system design containing administrative operation procedures and a system configuration, because it does not require installing and testing in a real environment. However, since the model-based availability assessments typically require special expertise in mathematical modeling, it would be difficult for a practical system designer to build a correct availability model to assess his/her system design. Although there have been several methods to automatically synthesize the availability model from widely-used design description languages, the synthesized models do not capture impacts caused by operations in operation procedures on availability. To address this issue, this paper proposes a method to automatically synthesize an availability model in the form of stochastic reward net (SRN) from Systems Modeling Language (SysML) diagrams to specify operation procedures and system configurations. Modeling all the features of individual operations is impractical because the amount of required information in SysML diagrams input by system designers becomes larger as the number of features increases. To design the availability models with a smallest possible number of features, we classify typical availability-related features of operations into operation templates. The feasibility of the proposed method is studied by a case study based on a real system of a local government. We succeeded in synthesizing the availability models from the SysML diagrams based on an operation procedure and system configuration of the real system, and analyzing the synthesized availability models with an existing model analysis tool.

An Imperfect Fault Coverage Model With Coverage of Irrelevant Components

This paper addresses the coverage (including identification and isolation) of irrelevant components in systems with imperfect fault coverage (IFC). In fault-tolerant systems, a single not-covered component fault may thwart the automatic recovery mechanisms, and lead to a system or subsystem failure. The models that consider the effects of IFC are known as coverage models (CMs). In traditional CMs, except those considering functional dependency (a similar concept to relevancy but with different assumptions and semantics), coverage is typically limited to faulty components regardless of their relevancies. Consequently, an operational but irrelevant component will not be isolated, and may threaten the system by its future uncovered (not-covered) failures. Although the system is generally assumed to be coherent, which implies the relevancy of each component in the initial system state, the traditional CMs do not consider the fact that an initially relevant component could become irrelevant after the failures of other components. We propose the irrelevancy coverage model (ICM) to cover the irrelevant components in addition to the faulty components. In the ICM, a component will be isolated from the system whenever it becomes irrelevant (even it is not failed), such that its future not-covered failures will not affect the system anymore. By incorporating the coverage of irrelevant components, the ICM opens up a new cost-effective approach to improve system reliability without additional redundancy.

DIGITAL WATERMARKING OF VIRTUAL MACHINE IMAGES

The widespread use of server and desktop virtualization technologies increases the likelihood of unauthorized and uncontrolled distribution of virtual machine (VM) images that contain proprietary software. This paper attempts to address this issue using a platform-independent digital watermarking scheme applicable to a variety of VM images. The scheme embeds a watermark in the form of files in a VM image; the watermarked VM image is identified based on the embedded files. To reduce the possibility of discovery by an attacker, the names of the embedded files are very similar to the names of pre-existing files in the VM image. Experiments indicate that the approach is fast and accurate, with average turnaround times of 24.001 seconds and 7.549 seconds for watermark generation and detection, respectively.

Efficient Analysis of Fault Trees with Voting Gates

The voting gate, or k-out-of-n (k/n) gate, is a standard logic gate used in fault trees modelling fault-tolerant systems. It is traditionally expanded into a combination of AND and OR gates, and this expansion may result in combinatorial explosion problem in the calculation of minimal cut sets (MCSs) of the fault tree for even a not very big n, especially when the voting gate inputs are intermediate rather than basic events. In this paper we propose a set of reduction rules to simplify the voting gates without direct expanding, and also propose a concept of minimal cut vote (MCV) denoting a k/n gate whose inputs are all basic events and whose k-combinations are all MCSs of the fault tree. With the proposed reduction rules and MCV concept, the MCSs of fault trees can be evaluated and weeded more efficiently and the result can be represented in a more compact form. The results of experiments on practical fault trees with voting gates show that our method not only outperforms conventional MCS evaluation methods by several orders of magnitude but also provides performance comparably to that provided by binary decision tree (BDD) based algorithms.