Raul Barbosa

GOOFI-2: A tool for experimental dependability assessment

This paper presents GOOFI-2, a comprehensive fault injection tool for experimental dependability assessment of embedded systems. The tool includes a large number of extensions and improvements over its predecessor, GOOFI. These include support for three widely used fault injection techniques, two target processors, and a variety of new features for storing, disseminating and analyzing experimental data. We report on our experiences and lessons learned from the use and development of GOOFI-2. In particular, we compare and discuss properties of three fault injection techniques: Nexus-based, exception-based and instrumentation-based injection. The comparison relies on several sets of experiments with two target processors, Freescales MPC565 and MPC5554.

Assembly-Level pre-injection analysis for improving fault injection efficiency

This paper describes a fully automated pre-injection analysis technique aimed at reducing the cost of fault injection campaigns. The technique optimizes the fault-space by utilizing assembly-level knowledge of the target system in order to place single bit-flips in registers and memory locations only immediately before these are read by the executed instructions. This way, faults (time-location pairs) that are overwritten or have identical impact on program execution are removed. Experimental results obtained by random sampling of the optimized fault-space and the complete (non-optimized) fault-space are compared for two different workloads running on a MPC565 microcontroller. The pre-injection analysis yields an increase of one order of magnitude in the effectiveness of faults, a reduction of the fault-space of two orders of magnitude in the case of CPU-registers and four to five orders of magnitude in the case of memory locations, while preserving a similar estimation of the error detection coverage.

On reliability analysis of leader election protocols for virtual traffic lights

This paper addresses the problem of leader election in virtual traffic lights. A virtual traffic light (VTL) is a self-organizing traffic control system that allows road vehicles equipped with vehicle-to-vehicle communication facilities to implement the function of a traffic light without the support of a roadside installation. Previous research has shown that it is impossible to construct a leader election protocol that guarantees agreement among the participating vehicles in the presence of massive communication failures. The paper addresses the problem of calculating the probability of disagreement in situations where a large number of protocol messages are lost due to communication interference, so-called communication grey-outs. To this end, we present a probabilistic analysis of a family of simple round-based consensus algorithms that solve the 1-of-n selection problem. We propose to use these algorithms for the core logic of a VTL leader election protocol (LEP). Our analysis shows that the probability of disagreement depends on: i) the number of vehicles involved in the leader election, ii) the number of rounds of message exchange, iii) the probability of message loss, and iv) the decision criterion used by the LEP. We propose an optimistic and a pessimistic decision criteria for the proposed 1-of-n selection algorithms. The analysis encompass two probabilistic failure models, one for symmetric communication failures and one for asymmetric communication failures.

Comparing and Validating Measurements of Dependability Attributes

This paper investigates sources of uncertainty in measurement results obtained using three different fault injection techniques. Two software-implemented and one test port-based technique are characterized and compared. The three techniques can be used to inject the same faults, which are defined in a shared database. Due to the uncertainties associated with the techniques, which we identify and discuss, the results of injecting a given fault may differ to some extent. The paper analyzes the results of using the three techniques to inject faults into two experimental targets: a brake-by-wire controller and a partitioning operating system. The objective of the experiments is to determine whether the results of the different techniques are metrologically compatible and, consequently, meaningful when disseminated and compared. Our observations indicate that, even though the outcome of many individual experiments is affected by uncertainties, the three techniques produce similar average results over a large number of experiments.

Automated Reliability Prediction from Formal Architectural Descriptions

Quantitative assessment of quality attributes (i.e., non-functional requirements, such as performance, safety or reliability) of software architectures during design supports important early decisions and validates the quality requirements established by the stakeholder. In current practice, these quality requirements are most often manually checked, which is time-consuming and error-prone due to the overwhelmingly complex designs. We propose an automated approach to assess the reliability of software architectures. It consists in extracting a Markov model from the system specification written in an Architecture Description Language (ADL). Our approach translates the specified architecture to a high-level probabilistic model-checking language, supporting system validation and quantitative reliability prediction against usage profile, component arrangement and architectural styles. We validate our approach by applying it to different architectural styles and comparing those with two different quantitative reliability assessment methods presented in the literature: the composite and the hierarchical methods.

CloudBFT: Elastic Byzantine Fault Tolerance

Cloud computing is increasingly important, with the industry moving towards outsourcing computational resources as a means to reduce investment and management costs, while improving security, dependability and performance. Cloud operators use multi-tenancy, by grouping virtual machines (VMs) into a few physical machines (PMs), to pool computing resources, thus offering elasticity to clients. Although cloud-based fault tolerance schemes impose communication and synchronization overheads, the cloud offers excellent facilities for critical applications, as it can host varying numbers of replicas in independent resources. Given these contradictory forces, determining whether the cloud can host elastic critical services is a major research question. We address this challenge from the perspective of a standard three-tiered system with relational data. We propose to tolerate Byzantine faults using groups of replicas placed on distinct physical machines, as a means to avoid exposing applications to correlated failures. To improve the scalability of our system, we divide data to enable parallel accesses. Using a realistic setup, this setting can reach speedups largely exceeding the number of partitions. Even for a wide variation of the load, the system preserves latency and throughput within reasonable bounds. We believe that the elasticity we observe demonstrates the feasibility of tolerating Byzantine faults in a cloud-based server using a relational database.

On Probabilistic Analysis of Disagreement in Synchronous Consensus Protocols

This paper presents a probabilistic analysis of disagreement for a family of simple synchronous consensus algorithms aimed at solving the 1-of-n selection problem in presence of unrestricted communication failures. In this problem, a set of n nodes are to select one common value among n proposed values. There are two possible outcomes of each nodes selection process: decide to select a value or abort. We have disagreement if some nodes select the same value while other nodes decide to abort. Previous research has shown that it is impossible to guarantee agreement among the nodes subjected to an unbounded number of message losses. Our aim is to find decision algorithms for which the probability of disagreement is as low as possible. In this paper, we investigate two different decision criteria, one optimistic and one pessimistic. We assume two communication failure models, symmetric and asymmetric. For symmetric communication failures, we present the closed-form expressions for the probability of disagreement. For asymmetric failures, we analyse the algorithm using a probabilistic model checking tool. Our results show that the choice of decision criterion significantly influences the probability of disagreement for the 1-of-n selection algorithm. The optimistic decision criterion shows a lower probability of disagreement compare to the pessimistic one when the probability of message loss is less than 30% to 70%. On the other hand, the optimistic decision criterion has in general a higher maximum probability of disagreement compared to the pessimistic criterion.

On the Integrity of Lightweight Checkpoints

This paper proposes a lightweight checkpointing scheme for real-time embedded systems. The goal is to separate concerns by allowing applications to take checkpoints independently while providing them with an operating system service to assure the integrity of checkpoints. The scheme takes error detection latency into account and assumes a broad class of application failure modes. In this paper we detail the design of the operating system service, which offers a very simple programming model to application designers and introduces only a small execution overhead for each checkpoint. Moreover, we describe the usage of model checking to ascertain the correctness of our approach.

Improving self-adaptation planning through software architecture-based stochastic modeling

We propose a formal automated approach to translate from an ADL to a DTMC.We address issues of today self-adaptive systems.We assessed dynamically the impact of each strategy in the system quality.Our approach presents better results than traditional planning algorithms.Our approach presents good scalability and performance results. The ever-growing complexity of software systems makes it increasingly challenging to foresee at design time all interactions between a system and its environment.Most self-adaptive systems trigger adaptations through operators that are statically configured for specific environment and system conditions. However, in the occurrence of uncertain conditions, self-adaptive decisions may not be effective and might lead to a disruption of the desired non-functional attributes.To address this, we propose an approach that improves the planning stage by predicting the outcome of each strategy. In detail, we automatically derive a stochastic model from a formal architecture description of the managed system with the changes imposed by each strategy. Such information is used to optimize the self-adaptation decisions to fulfill the desired quality goals.To assess the effectiveness of our approach we apply it to a cloud-based news system and predicted the reliability for each possible adaptation strategy. The results obtained from our approach are compared to a representative static planning algorithm as well as to an oracle that always makes the ideal decision. Experiments show that our method improves both availability and cost when compared to the static planning algorithm, while being close to the oracle.Our approach may therefore be used to optimize self-adaptation planning.

TRONE: Trustworthy and Resilient Operations in a Network Environment

Cloud infrastructures play an increasingly important role for telecom operators, because they enable internal consolidation of resources with the corresponding savings in hardware and management costs. However, this same consolidation exposes core services of the infrastructure to very disruptive attacks. This is indeed the case with monitoring, which needs to be dependable and secure to ensure proper operation of large datacenters and cloud infrastructures. We argue that currently existing centralized monitoring approaches (e.g., relying on a single solution provider, using single point of failure components) represent a huge risk, because a single vulnerability may compromise the entire monitoring infrastructure. In this paper, we describe the TRONE approach to trustworthy monitoring, which relies on multiple components to achieve increased levels of reliance on the monitoring data and hence increased trustworthiness. In particular, we focus on the TRONE framework for event dissemination, on security-oriented diagnosis based on collected events and on fast network adaptation in critical situations based on multi-homing application support. To validate our work, we will deploy and demonstrate our solutions in a live environment provided by Portugal Telecom.