exposing design flaws in shared clock systems using tla
play

Exposing Design Flaws in Shared-Clock Systems using TLA+ Russell - PowerPoint PPT Presentation

Dec 18, 2022 •227 likes •823 views

Exposing Design Flaws in Shared-Clock Systems using TLA+ Russell Mull, Auxon Corporation TLA+ Conf September 12, 2019 About Me Russell Mull Software Engineer, Auxon Corporation How safe electronic systems are designed How safe electronic

  1. Exposing Design Flaws in Shared-Clock Systems using TLA+ Russell Mull, Auxon Corporation TLA+ Conf September 12, 2019

  2. About Me Russell Mull Software Engineer, Auxon Corporation

  3. How safe electronic systems are designed

  4. How safe electronic systems are designed ● Decide what matters (safety requirements)

  5. How safe electronic systems are designed ● Decide what matters (safety requirements) ● Decide how much it matters (Assign a Safety Integrity Level - SIL)

  6. How safe electronic systems are designed ● Decide what matters (safety requirements) ● Decide how much it matters (Assign a Safety Integrity Level - SIL) ● Analyze the parts of the system that matter (Fault Tree Analysis)

  7. How safe electronic systems are designed ● Decide what matters (safety requirements) ● Decide how much it matters (Assign a Safety Integrity Level - SIL) ● Analyze the parts of the system that matter (Fault Tree Analysis) ● Not good enough? Add redundancy.

  8. Example: Industrial Press

  9. Example: Industrial Press ● Safety requirement: Turn off press with emergency stop button

  10. Example: Industrial Press ● Safety requirement: Turn off press with emergency stop button ● SIL: 4

  11. Example: Industrial Press ● Safety requirement: Turn off press with emergency stop button ● SIL: 4 ● Fault tree: the actuator is only SIL 3

  12. Example: Industrial Press ● Safety requirement: Turn off press with emergency stop button ● SIL: 4 ● Fault tree: the actuator is only SIL 3 ● Redundancies: use two, design a SIL 4 failover mechanism

  13. Functional Safety ● IEC 61508 ● Power plants, chemical plants, cars, trains, heavy machinery, etc.

  14. This works well, until…

  15. This works well, until…

  16. This works well, until…

  17. This works well, until…

  18. In software, shared clock failures are lumpy and unpredictable

  19. The story of a system made from lots of computers, sensors, actuators, and clocks 19

  20. A client project for ██████████

  21. A client project for ██████████ ● Can’t say anything specific

  22. A client project for ██████████ ● Can’t say anything specific ● Relies fundamentally on a common timebase

  23. A client project for ██████████ ● Can’t say anything specific ● Relies fundamentally on a common timebase ● Appeared to be vulnerable to drift

  24. My Goal: Demonstrate the problem

  25. A naïve model

  26. A naïve model VARIABLES node_clock, system Nodes == { "A", "B", "C" }

  27. A naïve model VARIABLES node_clock, system Nodes == { "A", "B", "C" } Init == /\ node_clock = [ n \in Nodes |-> 0 ] /\ system = ...

  28. A naïve model VARIABLES node_clock, system Nodes == { "A", "B", "C" } Init == /\ node_clock = [ n \in Nodes |-> 0 ] /\ system = ... Next == \/ \E node \in DOMAIN node_clock: /\ node_clock' = [node_clock EXCEPT ![node] = @ + 1] /\ UNCHANGED << system >>

  29. A naïve model VARIABLES node_clock, system Nodes == { "A", "B", "C" } Init == /\ node_clock = [ n \in Nodes |-> 0 ] /\ system = ... Next == \/ \E node \in DOMAIN node_clock: /\ node_clock' = [node_clock EXCEPT ![node] = @ + 1] /\ UNCHANGED << system >> \/ /\ SystemStep(system) /\ UNCHANGED << node_clock >>

  30. A naïve model VARIABLES node_clock, system Nodes == { "A", "B", "C" } Init == /\ node_clock = [ n \in Nodes |-> 0 ] /\ system = ... Next == \/ \E node \in DOMAIN node_clock: /\ node_clock' = [node_clock EXCEPT ![node] = @ + 1] /\ UNCHANGED << system >> \/ /\ SystemStep(system) /\ UNCHANGED << node_clock >> \/ SyncClocks(node_clock, system)

  31. A naïve model VARIABLES node_clock, system Nodes == { "A", "B", "C" } Init == /\ node_clock = [ n \in Nodes |-> 0 ] /\ system = ... Next == \/ \E node \in DOMAIN node_clock: /\ node_clock' = [node_clock EXCEPT ![node] = @ + 1] /\ UNCHANGED << system >> \/ /\ SystemStep(system) /\ UNCHANGED << node_clock >> \/ SyncClocks(node_clock, system) SystemStep(s) == ... SyncClocks(cs,s) == ...

  32. This approach is not great.

  33. This approach is not great. ● Massive state explosion

  34. This approach is not great. ● Massive state explosion ● Customer doesn’t care about the sync protocol

  35. Model the drift, not the sync 35

  36. Drift Modeling (1) CONSTANTS SIMULATED_CYCLES, BOUNDED_DRIFT VARIABLES node_clock, system, global_clock

  37. Drift Modeling (1) CONSTANTS SIMULATED_CYCLES, BOUNDED_DRIFT VARIABLES global_clock, node_clock, system Nodes == { "A", "B", "C" }

  38. Drift Modeling (1) CONSTANTS SIMULATED_CYCLES, BOUNDED_DRIFT VARIABLES global_clock, node_clock, system Nodes == { "A", "B", "C" } Init == /\ global_clock = 0 /\ node_clock = [ n \in Nodes |-> 0 ]

  39. Drift Modeling (1) CONSTANTS SIMULATED_CYCLES, BOUNDED_DRIFT VARIABLES global_clock, node_clock, system Nodes == { "A", "B", "C" } Init == /\ global_clock = 0 /\ node_clock = [ n \in Nodes |-> 0 ] Next == \/ ClockStep /\ UNCHANGED system \/ SystemStep /\ UNCHANGED global_clock /\ UNCHANGED node_clock

  40. Drift Modeling (1) CONSTANTS SIMULATED_CYCLES, BOUNDED_DRIFT VARIABLES global_clock, node_clock, system Nodes == { "A", "B", "C" } Init == /\ global_clock = 0 /\ node_clock = [ n \in Nodes |-> 0 ] Next == \/ ClockStep /\ UNCHANGED system \/ SystemStep /\ UNCHANGED global_clock /\ UNCHANGED node_clock SystemStep == ...

  41. Drift Modeling (2) ClockStep ==

  42. Drift Modeling (2) ClockStep == \* Tick the global clock \/ /\ global_clock' = global_clock + 1 /\ UNCHANGED << node_clock >> /\ ClockDriftInBounds(global_clock', node_clock)

  43. Drift Modeling (2) ClockStep == \* Tick the global clock \/ /\ global_clock' = global_clock + 1 /\ UNCHANGED << node_clock >> /\ ClockDriftInBounds(global_clock', node_clock) \* Tick a node clock \/ \E node \in DOMAIN node_clock: /\ node_clock' = [node_clock EXCEPT ![node] = @ + 1] /\ UNCHANGED << global_clock >> /\ ClockDriftInBounds(global_clock, node_clock')

  44. Drift Modeling (3) ClockDriftInBounds(g, n) == /\ g <= SIMULATED_CYCLES /\ \A node \in DOMAIN n : /\ n[node] <= SIMULATED_CYCLES /\ Abs(c[node] - g) <= BOUNDED_DRIFT

  45. This works better 45

  46. This works better ● Narrower state space 46

  47. This works better ● Narrower state space ● Directly addresses relevant failure domain 47

  48. The system was more vulnerable to drift than previously thought

  49. Delivering a Model ● Literate PDF ● Makefile / .cfg file ● Config Instructions

  50. TLA+ is tricky to use this way ● Difficult setup ● Easier development ● Easier delivery

  51. Give models to your customers

  52. Extending the technique ● Asymmetric Drift ● Action on Tick ● Cyclical Clock

  53. Closing Thoughts

  54. Closing Thoughts ● Fake a real clock

  55. Closing Thoughts ● Fake a real clock ● Bound the drift

  56. Closing Thoughts ● Fake a real clock ● Bound the drift ● Give models to your customers

  57. Closing Thoughts ● Fake a real clock ● Bound the drift ● Give models to your customers ● I owe Hillel Wayne a great debt

  58. Russell Mull @mullr russell@auxon.io

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Google Study: Google Study: Could those memory failures be caused by design flaws? Could those

Google Study: Google Study: Could those memory failures be caused by design flaws? Could those

Google Study: Google Study: Could those memory failures be caused by design flaws? Could those memory failures be caused by design flaws? Barbara P. Aichinger Vice President New Business Development FuturePlus Systems Corporation

886 views • 21 slides
UMBC A B M A L T F O U M B C I M Y O R T 1 (5/1/07) I E S R C E O V U

UMBC A B M A L T F O U M B C I M Y O R T 1 (5/1/07) I E S R C E O V U

Digital Systems Clock Distribution I CMPE 650 Clock Characteristics Clock signals must toggle twice (full cycle) for each single transition for data. Clock wires also tend to be very heavily loaded nets because they typically fan-out to every

490 views • 19 slides
EXPOSING EXPOSING A FLEXIBLE, COMPOSABLE &amp; EXTENSIBLE A FLEXIBLE, COMPOSABLE &amp;

EXPOSING EXPOSING A FLEXIBLE, COMPOSABLE &amp; EXTENSIBLE A FLEXIBLE, COMPOSABLE &amp;

EXPOSING EXPOSING A FLEXIBLE, COMPOSABLE &amp; EXTENSIBLE A FLEXIBLE, COMPOSABLE &amp; EXTENSIBLE REST API REST API Thierry Delprat td@nuxeo.com https://github.com/tiry/ AGENDA AGENDA Quick introduction provide some context API design

1.37k views • 75 slides
Google Study: Could Those Memory Failures Be Caused By Design Flaws? By Barbara P. Aichinger,

Google Study: Could Those Memory Failures Be Caused By Design Flaws? By Barbara P. Aichinger,

Google Study: Could Those Memory Failures Be Caused By Design Flaws? By Barbara P. Aichinger, FuturePlus Systems Corporation JEDEC Memory Server Forum Shenzhen, China March 1, 2012 Abstract : The conclusions of the extensive Google study

243 views • 12 slides
High-level State Machines &amp; RTL Design Prof. Usagi Recap: Clock signal 0ns 10ns 20ns

High-level State Machines &amp; RTL Design Prof. Usagi Recap: Clock signal 0ns 10ns 20ns

High-level State Machines &amp; RTL Design Prof. Usagi Recap: Clock signal 0ns 10ns 20ns 30ns 40ns 50ns 60ns 70ns 80ns 90ns Clock -- Pulsing signal for enabling latches; ticks like a clock The clock's period must be longer than

658 views • 40 slides
Clock-Driven Scheduling (in-depth) Pre-compute static schedule off-line (e.g. at design

Clock-Driven Scheduling (in-depth) Pre-compute static schedule off-line (e.g. at design

CPSC-663: Real-Time Systems Clock-Driven Scheduling Clock-Driven Scheduling (in-depth) Pre-compute static schedule off-line (e.g. at design time): Task Scheduler: i := 0; k := 0; can afford expensive &lt;set timer to expire at time t 0

266 views • 11 slides
Distributed Systems - III What about distributed systems? No common clock or memory

Distributed Systems - III What about distributed systems? No common clock or memory

CSC 4103 - Operating Systems Distributed Coordination Spring 2007 Ordering events and achieving synchronization in centralized systems is easier. Lecture - XXIV We can use common clock and memory Distributed Systems - III What

286 views • 4 slides
DESIGN AND TUNING OF A TREE-MESH CLOCK DISTRIBUTION Nikhil Jayakumar, Dave Murata, Valery Kugel

DESIGN AND TUNING OF A TREE-MESH CLOCK DISTRIBUTION Nikhil Jayakumar, Dave Murata, Valery Kugel

DESIGN AND TUNING OF A TREE-MESH CLOCK DISTRIBUTION Nikhil Jayakumar, Dave Murata, Valery Kugel { nikhilj, dmurata , valery } @juniper.net Juniper Networks OVERVIEW Comparison of Clock trees vs Clock Grids/Mesh Junipers Clock

340 views • 13 slides
Securely Implementing Network Protocols: Detecting and Preventing Logical Flaws Mathy Vanhoef

Securely Implementing Network Protocols: Detecting and Preventing Logical Flaws Mathy Vanhoef

Securely Implementing Network Protocols: Detecting and Preventing Logical Flaws Mathy Vanhoef (KU Leuven) Black Hat Webcast, 24 August 2017 @vanhoefm Introduction Many protocols have been affected by logical bugs Design flaws Implementation

692 views • 31 slides
Distributed Shared Memory Shared memory : difficult to realize vs . easy to program with.

Distributed Shared Memory Shared memory : difficult to realize vs . easy to program with.

CSCE 613 : Operating Systems Memory Models CSCE 613: Interlude: Distributed Shared Memory Shared Memory Systems Consistency Models Distributed Shared Memory Systems page based shared-variable based Reading (old!):

679 views • 21 slides
DESIGN FLAWS IN PROPOSED ART PLAN: A SOLUTION AS DESIGNED, THE ALBUQUERQUE RAPID TRANSIT PROJECT

DESIGN FLAWS IN PROPOSED ART PLAN: A SOLUTION AS DESIGNED, THE ALBUQUERQUE RAPID TRANSIT PROJECT

DESIGN FLAWS IN PROPOSED ART PLAN: A SOLUTION AS DESIGNED, THE ALBUQUERQUE RAPID TRANSIT PROJECT WILL INFLICT DAMAGE TO HISTORICALLY SENSITIVE DISTRICTS ALONG THE CENTRAL CORRIDOR; NOB HILL, UNIVERSITY, EDO AND DOWNTOWN. MAKE ART SMART SUPPORTS

306 views • 27 slides
Parallel Software Design ASD Shared Memory HPC Workshop Computer Systems Group, ANU Research

Parallel Software Design ASD Shared Memory HPC Workshop Computer Systems Group, ANU Research

Parallel Software Design ASD Shared Memory HPC Workshop Computer Systems Group, ANU Research School of Computer Science Australian National University Canberra, Australia February 14, 2020 Schedule - Day 5 Computer Systems (ANU) Parallel

1.67k views • 141 slides
ISPD 2006 Arjun Rajagopal Arjun Rajagopal Dallas DSP Design Dallas DSP Design Texas

ISPD 2006 Arjun Rajagopal Arjun Rajagopal Dallas DSP Design Dallas DSP Design Texas

Clock Tree Design for Robust Low power design ISPD 2006 Arjun Rajagopal Arjun Rajagopal Dallas DSP Design Dallas DSP Design Texas Instruments Texas Instruments Outline Clock Tree Design Goals Definition of Balanced clock tree

2.06k views • 23 slides
Goals The Clock introduce clock signal. logical level clock fall clock rise Chapter 11:

Goals The Clock introduce clock signal. logical level clock fall clock rise Chapter 11:

Goals The Clock introduce clock signal. logical level clock fall clock rise Chapter 11: Flip-Flops define edge-triggered flip-flops. clock period discuss parameters of flip-flops: setup time, hold time, 1 Computer Structure pulse width

408 views • 8 slides
Application Logic Flaws Professor Larry Heimann Web Application Security Information Systems

Application Logic Flaws Professor Larry Heimann Web Application Security Information Systems

Application Logic Flaws Professor Larry Heimann Web Application Security Information Systems Discussion of Lab 6 Due end of the week on October 17th (11:59am) Complete findings record, attach screenshots and/or code files to confirm

847 views • 16 slides
Shared-clock methodology for time-triggered multi-cores Keith F. Athaide Project supervisor:

Shared-clock methodology for time-triggered multi-cores Keith F. Athaide Project supervisor:

Shared-clock methodology for time-triggered multi-cores Keith F. Athaide Project supervisor: Michael J. Pont Technical supervisor: Devaraj Ayavoo Communicating Process Architectures (CPA) 2008 8 th -10 th September 2008 Overview Aims

230 views • 20 slides
Experiment on Cristians and Berkeley Time Synchronization Algorithms - Rahul Sehgal 1

Experiment on Cristians and Berkeley Time Synchronization Algorithms - Rahul Sehgal 1

Experiment on Cristians and Berkeley Time Synchronization Algorithms - Rahul Sehgal 1 12/6/2007 Introduction: Centralized Algorithm: 1) Cristians algorithm. ( timeserver ) 2) Berkeley algorithm. ( coordinator ) 2 12/6/2007 Concept of

571 views • 19 slides
Clock Synchronization Chapter 9 Ad Hoc and Sensor Networks Ad Hoc and Sensor Networks

Clock Synchronization Chapter 9 Ad Hoc and Sensor Networks Ad Hoc and Sensor Networks

Clock Synchronization Clock Synchronization Chapter 9 Ad Hoc and Sensor Networks Ad Hoc and Sensor Networks Roger Wattenhofer Roger Wattenhofer 9/1 Rating Overview Area maturity Motivation Clock Sources &amp;

149 views • 11 slides
Expanding Usability Studies of Complex Websites to Include Posthuman Users Daniel Hocutt ,

Expanding Usability Studies of Complex Websites to Include Posthuman Users Daniel Hocutt ,

Expanding Usability Studies of Complex Websites to Include Posthuman Users Daniel Hocutt , University of Richmond @dhocutt dhocutt@richmond.edu Composing for posthuman users is routine. Defining Agency does not belong to any single

506 views • 22 slides
Search Engine Optimization What is Search Engine Optimization Search Engine Optimization is the

Search Engine Optimization What is Search Engine Optimization Search Engine Optimization is the

Search Engine Optimization What is Search Engine Optimization Search Engine Optimization is the process of improving the visibility of a website on organic (&quot;natural&quot; or un-paid) search engine result pages (SERPs), by incorporating

1.54k views • 35 slides
NTP for .nz Josh Simpson Registrar Conference 2014, Auckland What is NTP? Network Time

NTP for .nz Josh Simpson Registrar Conference 2014, Auckland What is NTP? Network Time

NTP for .nz Josh Simpson Registrar Conference 2014, Auckland What is NTP? Network Time Protocol (NTP) is a networking protocol for clock synchronization between computer systems over packet-switched, variable-latency data networks. In

163 views • 13 slides
Simulation of the IEEE 1588 Precision Time Protocol in OMNeT++ Wolfgang Wallner

Simulation of the IEEE 1588 Precision Time Protocol in OMNeT++ Wolfgang Wallner

Simulation of the IEEE 1588 Precision Time Protocol in OMNeT++ Wolfgang Wallner wolfgang-wallner@gmx.at September 15, 2016 Presentation Outline Introduction Motivation Problem statement Presentation Outline Introduction Motivation

1.54k views • 128 slides
Extremely Secure Communication Daniel Romo - daniel.romao@os3.nl Oil Company Oil Company What

Extremely Secure Communication Daniel Romo - daniel.romao@os3.nl Oil Company Oil Company What

Extremely Secure Communication Daniel Romo - daniel.romao@os3.nl Oil Company Oil Company What (almost) everyone knows: NSA collects traffic Confidential data can be compromised Backdoors in encryption-related software and hardware make it

583 views • 30 slides
A Dual-loop Injection-locked PLL with All-digital Background Calibration System for On-chip Clock

A Dual-loop Injection-locked PLL with All-digital Background Calibration System for On-chip Clock

A Dual-loop Injection-locked PLL with All-digital Background Calibration System for On-chip Clock Generation Wei Deng, Ahmed Musa, Teerachot Siriburanon, Masaya Miyahara, Kenichi Okada, and Akira Matsuzawa Tokyo Institute of Technology, Japan

591 views • 6 slides

More recommend