R. van Renesse

Amoeba: a distributed operating system for the 1990s

A description is given of the Amoeba distributed operating system, which appears to users as a centralized system but has the speed, fault tolerance, security safeguards, and flexibility required for the 1990s. The Amoeba software is based on objects. Objects are managed by server processes and named using capabilities chosen randomly from a sparse name space. Amoeba has a unique, fast file system split into two parts: the bullet service stores immutable files contiguously on the disk; the directory service gives capabilities symbolic names and handles replication and atomicity, eliminating the need for a separate transaction management system. To bridge the gap with existing systems, Amoeba has a Unix emulation facility consisting of a library of Unix system call routines that make calls to the various Amoeba server processes.<<ETX>>

Operating system support for mobile agents

The TACOMA project is concerned with implementing operating system support for agents, processes that migrate through a network. Two TACOMA prototypes have been completed; this paper outlines our experiences in building and using them. A mechanism for exchanging electronic cash was explored, as well as agent-based schemes for scheduling and fault-tolerance.

Scalable fault-tolerant aggregation in large process groups

The paper discusses fault-tolerant, scalable solutions to the problem of accurately and scalably calculating global aggregate functions in large process groups communicating over unreliable networks. These groups could represent sensors or processes communicating over a network that is either fixed (e.g., the Internet) or dynamic (e.g., multihop ad-hoc). Group members are prone to failures. The ability to evaluate global aggregate properties (e.g., the average of sensor temperature readings) is important for higher-level coordination activities in such large groups. We first define the setting and problem, laying down metrics to evaluate different algorithms for the same. We discuss why the usual approaches to solve this problem are unviable and unscalable over an unreliable network prone to message delivery failures and crash failures. We then propose a technique to impose an abstract hierarchy on such large groups, describing how this hierarchy can be made to mirror the network topology. We discuss several alternatives to use this technique to solve the global aggregate function evaluation problem. Finally, we present a protocol based on gossiping that uses this hierarchical technique. We present mathematical analysis and performance results to validate the robustness, efficiency and accuracy of the Hierarchical Gossiping algorithm.

The Horus and Ensemble projects: accomplishments and limitations

The Horus and Ensemble efforts culminated a multi-year Cornell research program in process group communication used for fault-tolerance, security and adaptation. Our intent was to understand the degree to which a single system could offer flexibility and yet maintain high performance, to explore the integration of fault tolerance with security and real-time mechanisms, and to increase trustworthiness of our solutions by applying formal methods. Here, we summarize the accomplishments of the effort and evaluate the successes and failures of the approach.

Voting with ghosts

A mechanism called voting with ghosts (VWG) is proposed for maintaining consistency of replicated data. VWG is an improvement of the weighted voting (WV) algorithm; it performs as well as the available copies (AC) algorithm, but unlike AC, works correctly in the face of network partitioning. A detailed description of the VWG method is given, and it is analyzed in the presence of node crashes and network partitions. Its performance is compared with that of WV and AC.<<ETX>>

Scalable and secure resource location

In this paper we present Captain Cook, a service that continuously monitors resources in the Internet, and allows clients to locate resources using this information. Captain Cook maintains a tree-based representation of all the collected resource information. The leaves in the tree contain directly measured resource information, while internal nodes are generated using condensation functions that aggregate information in child nodes. We present examples of how such information may be used for cluster management, application-level routing and placement of servers, and pervasive computing. The nodes are automatically replicated updates being propagated using a novel hierarchical gossip protocol. We analyze how well this protocol behaves, and conclude that updates propagate quickly in spite of scale, failed nodes, and message loss. We describe how Captain Cook can be made secure using Public Key Certificates without compromising its scalability.In this paper we present Captain Cook, a service that continuously monitors resources in the Internet, and allows clients to locate resources using this information. Captain Cook maintains a tree-based representation of all the collected resource information. The leaves in the tree contain directly measured resource information, while internal nodes are generated using condensation functions that aggregate information in child nodes. We present examples of how such information may be used for cluster management, application-level routing and placement of servers, and pervasive computing. The nodes are automatically replicated updates being propagated using a novel hierarchical gossip protocol. We analyze how well this protocol behaves, and conclude that updates propagate quickly in spite of scale, failed nodes, and message loss. We describe how Captain Cook can be made secure using Public Key Certificates without compromising its scalability.

The design of a high-performance file server

The Bullet server is a file server that outperforms traditional file servers by more than a factor of three. It achieves high throughput and low delay by a software design radically different from that of file servers currently in use. Whereas files are normally stored as a sequence of disk blocks, each Bullet server file is stored contiguously, both on disk and in the servers random access memory cache. Furthermore, it uses the concept of an immutable file to improve performance, to enable caching, and to provide a clean semantic model to the user. The authors describe the design and implementation of the Bullet server in detail, present measurements of its performance, and compare this performance to that of the SUN file server running on the same hardware.<<ETX>>

Defense against Intrusion in a Live Streaming Multicast System

Application-level multicast systems are vulnerable to attacks that impede nodes from receiving desired data. Live streaming protocols are especially susceptible to packet loss induced by malicious behavior. We describe SecureStream, an application-level live streaming system built using a pull-based architecture that results in improved tolerance of malicious behavior. SecureStream is implemented as a layer running over Fireflies, an intrusion-tolerant membership protocol. Our paper describes the SecureStream system and offers simulation and experimental results confirming its resilience to attack

Protocol switching: exploiting meta-properties

As we see a growing variety of network and application behaviors, it becomes more important that protocols adapt to their surroundings. Building adaptive protocols is complicated, and therefore we have considered building hybrid protocols that switch between specialized protocols. We show for which communication properties this is a correct solution, and classify these using a new concept called meta-properties. We also show how well these switches perform.

A transparent light-weight group service

The virtual synchrony model for group communication has proven to be a powerful paradigm for building distributed applications. Implementations of virtual synchrony usually require the use of failure detectors and failure recovery protocols. In applications that require the use of a large number of groups, significant performance gains can be attained if these groups share the resources required to provide virtual synchrony. A service that maps user groups onto instances of a virtually synchronous implementation is called a light-weight group service. This paper proposes a new design for the light-weight group protocols that enables the usage of this service in a transparent manner as a test case, the new design was implemented in the Horus system, although the underlying principles can be applied to other architectures as well. The paper also presents performance results from this implementation.