formalization and verification of fault tolerance and
play

Formalization and Verification of Fault Tolerance and Security - PowerPoint PPT Presentation

Nov 07, 2022 •249 likes •682 views

1/35 Formalization and Verification of Fault Tolerance and Security Felix G artner TU Darmstadt, Germany fcg@acm.org Example: Space Shuttle STS51 Discovery, http://spaceflight.nasa.gov/ 2/35 3/35 Fault-tolerant Operation [Spector and

  1. 1/35 Formalization and Verification of Fault Tolerance and Security Felix G¨ artner TU Darmstadt, Germany fcg@acm.org

  2. Example: Space Shuttle STS51 Discovery, http://spaceflight.nasa.gov/ 2/35

  3. 3/35 Fault-tolerant Operation [Spector and Gifford 1984] • Five redundant general purpose computers. • Four of them run the avionics software in parallel. • Majority vote of computation results. • “Fail-operational, fail-safe.” • Fifth computer runs backup system (written by separate contractor). Primary contractor: IBM.

  4. 4/35 Critical Infrastructures http://www.cs.virginia.edu/~survive • Critical infrastructures must be dependable (in this talk meaning fault-tolerant and secure).

  5. 5/35 Personal Motivation • My . . . – background: fault-tolerance, formal methods. – experience: formal methods help find bugs. – concern: need to formalize issues first (state what we mean). – claim: we know how to do this in fault-tolerance, not so much in security.

  6. 6/35 Overview 1. Fault tolerance (60% of talk). • What does “fault tolerance” mean? • How can it be formalized and verified? 2. Security (30%). • What does “security” mean and how can it be formalized???

  7. 7/35 Informal View of Fault Tolerance • Definition: Maintain some form of correct behavior in the presence of faults. • Correct behavior: specification. • Faults: – memory perturbation (cosmic rays), – link failure (construction works), – node crash (power outage), – . . .

  8. 8/35 Formal View of Fault Tolerance • System: state machine/event system with interface. • Specification: look at functional properties defined on individual executions of the system. • Safety properties: “always . . . ”. • Liveness properties: “eventually . . . ”. • Abstract away from real time.

  9. 9/35 Safety and Liveness • Safety properties: observable in finite time. • Examples: mutual exclusion, partial correctness. • Liveness property: violated after infinite time. • Example: starvation freedom, termination. • Safety and liveness are fundamental [Alpern and Schneider 1985; G¨ artner 1999a].

  10. 10/35 Faults. . . • can be modelled as unexpected events [Cristian 1985]. • are tied to one level of abstraction [Liu and Joseph 1992]. • Adding and “removing” state transitions is enough [G¨ artner 2001a]. • are formalized as a fault assumption.

  11. 11/35 Fault Tolerance Example • Network of workstations with point-to-point links. • Fault assumption: links and workstations can crash, but network stays connnected. • We want to do reliable broadcast. • Specification (desired properties): – A message which is delivered was previously broadcast (safety). – A broadcast message is eventually delivered on all surviving machines (liveness).

  12. 12/35 Fault on one Level of Abstraction • System = composition of systems. interface interaction subsystem subsystem system

  13. 13/35 Local and Global Fault Assumptions • Local fault assumption: add behavior to fault regions. • Example: node crash allows processes to stop. • Global fault assumption: restrict behavior again. • Example: network stays connected.

  14. 14/35 Fault Assumptions as Transformations [G¨ artner 1998] fault-tolerance ideal problem specification specification S ′ transformation specification S program system A system A ′ transformation faulty ideal fault assumption environment environment

  15. 15/35 Verification fault-tolerance ideal problem specification specification S ′ transformation specification S correctness correctness program system A system A ′ transformation faulty ideal fault assumption environment environment

  16. 16/35 Usual Verification of Fault Tolerance 1. Choose fault assumption. 2. Weaken specification (if needed). 3. Transform system. 4. Verify system.

  17. 17/35 Transformational Approach [G¨ artner 1999b] 1. Choose fault assumption. 2. Weaken specification (if needed). 3. Prove that original system satisfies specification. 4. Transform system. 5. Prove only items which have changed (use tools like VSE, PVS, . . . ).

  18. 18/35 Potential of Re-Use fault-tolerance ideal problem specification specification S ′ transformation specification S correctness correctness program system A system A ′ transformation faulty ideal fault assumption environment environment

  19. 19/35 Case Study [Mantel and G¨ artner 2000] • Example: reliable broadcast. • Proved safety part using industrial strength verification tool VSE [Hutter et al. 1996]. • Transformational approach applied. • Benefit: re-use of specification and proofs.

  20. 20/35 Re-use of Specification n o i t a m r o f s n a r t ReliableBroadcast Broadcast y b d e t c e f f a s e i r o e h CrashAdmissible- t AdmissibleTraces Traces CrashSafety- SafetyProperties Properties CrashTraces Traces CrashAction- List States CrashStates CrashActions ProcessList ChannelMatrix UpDownList Processes ChannelList ActionList MessageSets UChannel Actions Messages

  21. 21/35 Re-use of Proofs B1 B1’ B2 B3 B4 B5 crash

  22. 22/35 Fault Tolerance Summary • We basically know how to deal with fault tolerance. • Formalizations and verification methods are quite mature. • Area has a solid formal foundation.

  23. 23/35 Fault Tolerance and Security • Can research in security benefit from fault tolerance? “Fault tolerance and security are instances of a more general class of property that constrains influence.” Franklin Webber, BBN (during SRDS2000 panel) • Example: tolerate malicious behavior by assuming Byzantine faults (like in ISS).

  24. 24/35 Informal View of Security • Security is CIA [Laprie 1992]: – Confidentiality: non-occurrence of unauthorized disclosure of information. – Integrity: non-occurrence of inadequate information alterations. – Availability: readiness for usage. • Conjecture: Everything is CIA! [Cachin et al. 2000]

  25. 25/35 Formal View of Security • Recall concepts of safety and liveness (from fault tolerance). • We can model a lot of notions from security with these concepts, but not all. • Benefits: – Well understood formalisms. – Good proof methodologies and tool support.

  26. 26/35 Safety and Liveness in Security • Access control is safety [Schneider 2000; ? ]. • Aspects of confidentiality are safety [Gray, III. and McLean 1995]. • Aspects of integrity are safety, e.g. “no unauthorized change of a variable”. • Aspects of availability are liveness, e.g. “eventual reply to a request”.

  27. 27/35 Fair Exchange [Asokan et al. 1997] • Two participants A and B with electronic items. • How to exchange the items in a fair manner? Formally: – Effectiveness: if exchange succeeds then items matched the expectation and both participants have well behaved (safety). – Termination: eventually the protocol will terminate with success or abort (liveness). – Fairness: in case of an unsuccessful exchange, ange, nobody wins or loses something valuable.

  28. 28/35 Formalizing Fair Exchange [G¨ artner 2001b] z, z, z, . . . x, x, x, . . . input item i A e A output item d A description A s A success/abort m A malevolence i B Y, . . . , Y, X, X, . . . e B d B B s B m B x, Y, . . . , x, Y, x, X, x, X, . . . z, Y, . . . , z, Y, z, X, z, X, . . .

  29. 29/35 Higher Level Properties • Consequence: Restriction of information flow is neither safety nor liveness. • Property of the type: if trace x, X, x, X is possible, then trace z, X, z, X must be possible too. • Usually formalized as closure conditions on trace sets: σ ∈ S ⇒ f ( σ ) ∈ S • Properties of properties, sets of sets of traces.

  30. 30/35 Original Approach • Non-interference [Goguen and Meseguer 1982]. • Descendants with their own problems [McLean 1994]: – Generalized non-interference. – Restrictiveness. – Non-inference. – . . . • Possibilistic properties.

  31. 31/35 Possibilistic Properties • Pure non-interference is too strong. • There is progress in weakening the definition to make it practical [Mantel 2000]. • First results available [Focardi et al. 1997]. • To be investigated: relation to other ways to specify security [Pfitzmann et al. 2000].

  32. 32/35 Motivation Reminder • Formal methods are no silver bullet, but they help to find bugs in critical systems. • Starting point: formalization of central concepts. • We know how to do that in fault tolerance. • But fault tolerance seems “easy” compared to security. • Security defines a new class of properties.

  33. 33/35 Historic Perspective “The first wave of attacks is physical [e.g. cut wires]. But these problems we basically know how to solve.” → fault tolerance The second wave is syntactic [e.g. exploiting vulnerabilities]. We have a bad track record in protecting against syntactic attacks. But at least we know what the problem is. → security models Bruce Schneier (Inside Risks, Dec. 2000)

  34. 34/35 Conclusions 1/2 • We seem to have managed dealing with physical attacks. • Currently trying to cope with syntactic ones. • We need a thorough understanding of the concepts involved. • Formal methods can support rigorous anaysis. • Formalization is the first step.

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Formal Verification of Automatic Circuit Transformations for Fault-Tolerance Dmitry Burlyaev

Formal Verification of Automatic Circuit Transformations for Fault-Tolerance Dmitry Burlyaev

Formal Verification of Automatic Circuit Transformations for Fault-Tolerance Dmitry Burlyaev Pascal Fradet 09/30/15, Austin, TX, USA @ FMCAD'15 Outline For a given (fault-tolerance) transformation T , we want to prove a property of the form

1.11k views • 79 slides
Roadmap for Section 10.1 The Notion of Fault-Tolerance Fault-Tolerance Support in NTFS Volume

Roadmap for Section 10.1 The Notion of Fault-Tolerance Fault-Tolerance Support in NTFS Volume

Unit OS10: Fault Tolerance Windows Operating System Internals - by David A. Solomon and Mark E. Russinovich with Andreas Polze Roadmap for Section 10.1 The Notion of Fault-Tolerance Fault-Tolerance Support in NTFS Volume Management - Striped

394 views • 25 slides
Fault Tolerance in Message Passing Fault Tolerance in Message Passing and in Action and in

Fault Tolerance in Message Passing Fault Tolerance in Message Passing and in Action and in

Fault Tolerance in Message Passing Fault Tolerance in Message Passing and in Action and in Action Jack Dongarra, Innovative Computing Laboratory University of Tennessee and Computer Science and Mathematics Division Oak Ridge National

422 views • 14 slides
General Principles of Fault- Tolerance Daniel Gottesman Perimeter Institute Whats Left For

General Principles of Fault- Tolerance Daniel Gottesman Perimeter Institute Whats Left For

General Principles of Fault- Tolerance Daniel Gottesman Perimeter Institute Whats Left For Fault-Tolerance? Reduce the overhead (in space and in time) needed for fault-tolerance Better fault-tolerance in 1D? Better magic state

556 views • 22 slides
Rigorous fault-tolerance thresholds Ben Reichardt UC Berkeley N gate circuit 0/1 N gate

Rigorous fault-tolerance thresholds Ben Reichardt UC Berkeley N gate circuit 0/1 N gate

Rigorous fault-tolerance thresholds Ben Reichardt UC Berkeley N gate circuit 0/1 N gate circuit Need error 1/N 1/0 Quantum fault-tolerance problem Classical fault-tolerance: Von Neumann (1956) 0/1 Fault-tolerant, larger C High

846 views • 63 slides
Lecture 10: Fault Tolerance Fault Tolerant Concurrent Computing The main principles of fault

Lecture 10: Fault Tolerance Fault Tolerant Concurrent Computing The main principles of fault

Lecture 10: Fault Tolerance Fault Tolerant Concurrent Computing The main principles of fault tolerant programming are: Fault Detection - Knowing that a fault exists Fault Recovery - having atomic instructions that can be rolled back in

361 views • 18 slides
CH NG 8: FAULT TOLERANCE TS. Tr n H i Anh Content 2 1. Introduction to fault

CH NG 8: FAULT TOLERANCE TS. Tr n H i Anh Content 2 1. Introduction to fault

1 Tr n H i Anh Distributed System CH NG 8: FAULT TOLERANCE TS. Tr n H i Anh Content 2 1. Introduction to fault tolerance 2. Process resilience 3. Reliable client-Server Communication 4. Reliable Group Communication 5.

966 views • 50 slides
Distributed Systems 5. Fault Tolerant Systems Fault-Tolerance - 1 Lszl Bszrmnyi

Distributed Systems 5. Fault Tolerant Systems Fault-Tolerance - 1 Lszl Bszrmnyi

Distributed Systems 5. Fault Tolerant Systems Fault-Tolerance - 1 Lszl Bszrmnyi Distributed Systems Fault tolerance A system or a component fails due to a fault Fault tolerance means that the system continues to provide its

428 views • 40 slides
CSci 5105 Introduction to Distributed Systems Fault Tolerance Last Time Replication and

CSci 5105 Introduction to Distributed Systems Fault Tolerance Last Time Replication and

CSci 5105 Introduction to Distributed Systems Fault Tolerance Last Time Replication and Consistency Today Fault tolerance Chapter 8 TVS Fault Tolerance Basics Availability short time horizon e.g down 1 msec every hour

292 views • 27 slides
Challenging Malicious Inputs with Fault Tolerance Techniques Bruno Luiz Agenda Threats

Challenging Malicious Inputs with Fault Tolerance Techniques Bruno Luiz Agenda Threats

Challenging Malicious Inputs with Fault Tolerance Techniques Bruno Luiz Agenda Threats Fault Tolerance Fault Injection for Fault Tolerance Assessment Basic and classic techniques Decision Mechanisms Implementation

962 views • 61 slides
Guest lecture, UC Berkeley EECS 149, 13 April 2009 Safety, Fault-tolerance, Verification, and

Guest lecture, UC Berkeley EECS 149, 13 April 2009 Safety, Fault-tolerance, Verification, and

Guest lecture, UC Berkeley EECS 149, 13 April 2009 Safety, Fault-tolerance, Verification, and Certification for Embedded Systems John Rushby Computer Science Laboratory SRI International Menlo Park CA USA John Rushby, SR I Safety etc.: 1

909 views • 53 slides
Distributed Systems (ICE 601) Fault Tolerance Dongman Lee ICU Class Overview Introduction

Distributed Systems (ICE 601) Fault Tolerance Dongman Lee ICU Class Overview Introduction

Distributed Systems (ICE 601) Fault Tolerance Dongman Lee ICU Class Overview Introduction Failure Model Fault Tolerance Models state machine primary-backup Distributed Systems - Fault Tolerance Introduction

146 views • 12 slides
Fibre bundle framework for unitary quantum fault tolerance Lucy Liuxuan Zhang University of

Fibre bundle framework for unitary quantum fault tolerance Lucy Liuxuan Zhang University of

Motivations and main idea Basics of quantum fault tolerance Geometric picture of QECCs and unitary fault tolerance Conclusion Fibre bundle framework for unitary quantum fault tolerance Lucy Liuxuan Zhang University of Toronto December 18,

795 views • 16 slides
Hypervisor-Based Fault-Tolerance Thomas C. Bressoud, Isis

Hypervisor-Based Fault-Tolerance Thomas C. Bressoud, Isis

Hypervisor-Based Fault-Tolerance Thomas C. Bressoud, Isis Distributed Systems Fred B. Schneider, Cornell University SOSP, 1995 Problem Fault tolerance

2.97k views • 8 slides
Adaptability and Fault Tolerance Adaptability and Fault Tolerance Rog rio rio de Lemos de

Adaptability and Fault Tolerance Adaptability and Fault Tolerance Rog rio rio de Lemos de

Adaptability and Fault Tolerance Adaptability and Fault Tolerance Rog rio rio de Lemos de Lemos Rog University of Kent, UK University of Kent, UK Context: self-* and dependability; Focus: adaptability and fault tolerance;

640 views • 19 slides
Towards an Efficient Fault-Tolerance Scheme for GLB Claudia Fohry, Marco Bungart and Jonas Posner

Towards an Efficient Fault-Tolerance Scheme for GLB Claudia Fohry, Marco Bungart and Jonas Posner

GLB Fault Tolerance Scheme Experimental Results Towards an Efficient Fault-Tolerance Scheme for GLB Claudia Fohry, Marco Bungart and Jonas Posner Programming Languages / Methodologies June 14, 2015 1 / 18 GLB Fault Tolerance Scheme

744 views • 18 slides
Tolerating Faults in Disaggregated Datacenters Amanda Carbonari , Ivan Beschastnikh University

Tolerating Faults in Disaggregated Datacenters Amanda Carbonari , Ivan Beschastnikh University

Tolerating Faults in Disaggregated Datacenters Amanda Carbonari , Ivan Beschastnikh University of British Columbia To appear at HotNets17 Current Datacenters 2 The future: Disaggregation ToR CPU blade Memory blade Storage Blade 3 The

769 views • 37 slides
Hamiltonian thickness and fault-tolerant spanning rooted path systems of graphs Yinfeng Zhu ( 6

Hamiltonian thickness and fault-tolerant spanning rooted path systems of graphs Yinfeng Zhu ( 6

Hamiltonian thickness and fault-tolerant spanning rooted path systems of graphs Yinfeng Zhu ( 6 ) Shanghai Jiao Tong University Dec 8, 2015 Joint with Yaokun Wu n & Ziqing Xiang ( f ) 1 / 20 Spanning connection

1.27k views • 89 slides
Principles of Multi-Level Reflection for Fault Tolerant Architectures PRDC'02 (Dec 16-18 2002,

Principles of Multi-Level Reflection for Fault Tolerant Architectures PRDC'02 (Dec 16-18 2002,

* # Principles of Multi-Level Reflection for Fault Tolerant Architectures PRDC'02 (Dec 16-18 2002, Tsukuba, Japan) Franois Taani, Jean-Charles Farbre, Marc-Olivier Killijian Context Software COTS now in systems with high FT

433 views • 24 slides
Parallel & Distributed Real-Time Systems Lecture #14 Professor Jan Jonsson Department of

Parallel & Distributed Real-Time Systems Lecture #14 Professor Jan Jonsson Department of

Parallel & Distributed Real-Time Systems Lecture #14 Professor Jan Jonsson Department of Computer Science and Engineering Chalmers University of Technology Administrative issues Remaining course schedule: Consultation sessions on

736 views • 37 slides
Fault Tolerant Computing Coping with errors Steven Janke February 2013 Steven Janke (Seminar)

Fault Tolerant Computing Coping with errors Steven Janke February 2013 Steven Janke (Seminar)

Fault Tolerant Computing Coping with errors Steven Janke February 2013 Steven Janke (Seminar) Fault Tolerant Computing February 2013 1 / 30 Outline Problem: How do you design a computer system to avoid errors? Failure Data for laptops,

608 views • 30 slides
Fully Fault Tolerant Real Time Data Pipeline with Docker and Mesos Rahul Kumar Technical Lead

Fully Fault Tolerant Real Time Data Pipeline with Docker and Mesos Rahul Kumar Technical Lead

Fully Fault Tolerant Real Time Data Pipeline with Docker and Mesos Rahul Kumar Technical Lead LinuxCon / ContainerCon - Berlin, Germany Data Pipeline Agenda Mesos + Docker Reactive Data Pipeline Goal Analyzing data always

504 views • 37 slides
Dependability Engineering of Complex Computing Systems M. Kaniche J.-C. Laprie

Dependability Engineering of Complex Computing Systems M. Kaniche J.-C. Laprie

Dependability Engineering of Complex Computing Systems M. Kaniche J.-C. Laprie J.-P. Blanquart LAAS / LIS LAAS / LIS Astrium / LIS kaaniche@laas.fr laprie@laas.fr blanquar@laas.fr 6th International Conference on Engineering

269 views • 12 slides
Distributed Real-Time Fault Tolerance on a Virtualized Multi-Core System Eric Missimer*, Richard

Distributed Real-Time Fault Tolerance on a Virtualized Multi-Core System Eric Missimer*, Richard

Distributed Real-Time Fault Tolerance on a Virtualized Multi-Core System Eric Missimer*, Richard West and Ye Li Computer Science Department Boston University Boston, MA 02215 Email: { missimer,richwest,liye } @cs.bu.edu *VMware, Inc. Eric

614 views • 27 slides

More recommend