exposing design flaws in shared clock systems using tla
play

Exposing Design Flaws in Shared-Clock Systems using TLA+ Russell - PowerPoint PPT Presentation

Dec 18, 2022 •227 likes •823 views

Exposing Design Flaws in Shared-Clock Systems using TLA+ Russell Mull, Auxon Corporation TLA+ Conf September 12, 2019 About Me Russell Mull Software Engineer, Auxon Corporation How safe electronic systems are designed How safe electronic

  1. Exposing Design Flaws in Shared-Clock Systems using TLA+ Russell Mull, Auxon Corporation TLA+ Conf September 12, 2019

  2. About Me Russell Mull Software Engineer, Auxon Corporation

  3. How safe electronic systems are designed

  4. How safe electronic systems are designed ● Decide what matters (safety requirements)

  5. How safe electronic systems are designed ● Decide what matters (safety requirements) ● Decide how much it matters (Assign a Safety Integrity Level - SIL)

  6. How safe electronic systems are designed ● Decide what matters (safety requirements) ● Decide how much it matters (Assign a Safety Integrity Level - SIL) ● Analyze the parts of the system that matter (Fault Tree Analysis)

  7. How safe electronic systems are designed ● Decide what matters (safety requirements) ● Decide how much it matters (Assign a Safety Integrity Level - SIL) ● Analyze the parts of the system that matter (Fault Tree Analysis) ● Not good enough? Add redundancy.

  8. Example: Industrial Press

  9. Example: Industrial Press ● Safety requirement: Turn off press with emergency stop button

  10. Example: Industrial Press ● Safety requirement: Turn off press with emergency stop button ● SIL: 4

  11. Example: Industrial Press ● Safety requirement: Turn off press with emergency stop button ● SIL: 4 ● Fault tree: the actuator is only SIL 3

  12. Example: Industrial Press ● Safety requirement: Turn off press with emergency stop button ● SIL: 4 ● Fault tree: the actuator is only SIL 3 ● Redundancies: use two, design a SIL 4 failover mechanism

  13. Functional Safety ● IEC 61508 ● Power plants, chemical plants, cars, trains, heavy machinery, etc.

  14. This works well, until…

  15. This works well, until…

  16. This works well, until…

  17. This works well, until…

  18. In software, shared clock failures are lumpy and unpredictable

  19. The story of a system made from lots of computers, sensors, actuators, and clocks 19

  20. A client project for ██████████

  21. A client project for ██████████ ● Can’t say anything specific

  22. A client project for ██████████ ● Can’t say anything specific ● Relies fundamentally on a common timebase

  23. A client project for ██████████ ● Can’t say anything specific ● Relies fundamentally on a common timebase ● Appeared to be vulnerable to drift

  24. My Goal: Demonstrate the problem

  25. A naïve model

  26. A naïve model VARIABLES node_clock, system Nodes == { "A", "B", "C" }

  27. A naïve model VARIABLES node_clock, system Nodes == { "A", "B", "C" } Init == /\ node_clock = [ n \in Nodes |-> 0 ] /\ system = ...

  28. A naïve model VARIABLES node_clock, system Nodes == { "A", "B", "C" } Init == /\ node_clock = [ n \in Nodes |-> 0 ] /\ system = ... Next == \/ \E node \in DOMAIN node_clock: /\ node_clock' = [node_clock EXCEPT ![node] = @ + 1] /\ UNCHANGED << system >>

  29. A naïve model VARIABLES node_clock, system Nodes == { "A", "B", "C" } Init == /\ node_clock = [ n \in Nodes |-> 0 ] /\ system = ... Next == \/ \E node \in DOMAIN node_clock: /\ node_clock' = [node_clock EXCEPT ![node] = @ + 1] /\ UNCHANGED << system >> \/ /\ SystemStep(system) /\ UNCHANGED << node_clock >>

  30. A naïve model VARIABLES node_clock, system Nodes == { "A", "B", "C" } Init == /\ node_clock = [ n \in Nodes |-> 0 ] /\ system = ... Next == \/ \E node \in DOMAIN node_clock: /\ node_clock' = [node_clock EXCEPT ![node] = @ + 1] /\ UNCHANGED << system >> \/ /\ SystemStep(system) /\ UNCHANGED << node_clock >> \/ SyncClocks(node_clock, system)

  31. A naïve model VARIABLES node_clock, system Nodes == { "A", "B", "C" } Init == /\ node_clock = [ n \in Nodes |-> 0 ] /\ system = ... Next == \/ \E node \in DOMAIN node_clock: /\ node_clock' = [node_clock EXCEPT ![node] = @ + 1] /\ UNCHANGED << system >> \/ /\ SystemStep(system) /\ UNCHANGED << node_clock >> \/ SyncClocks(node_clock, system) SystemStep(s) == ... SyncClocks(cs,s) == ...

  32. This approach is not great.

  33. This approach is not great. ● Massive state explosion

  34. This approach is not great. ● Massive state explosion ● Customer doesn’t care about the sync protocol

  35. Model the drift, not the sync 35

  36. Drift Modeling (1) CONSTANTS SIMULATED_CYCLES, BOUNDED_DRIFT VARIABLES node_clock, system, global_clock

  37. Drift Modeling (1) CONSTANTS SIMULATED_CYCLES, BOUNDED_DRIFT VARIABLES global_clock, node_clock, system Nodes == { "A", "B", "C" }

  38. Drift Modeling (1) CONSTANTS SIMULATED_CYCLES, BOUNDED_DRIFT VARIABLES global_clock, node_clock, system Nodes == { "A", "B", "C" } Init == /\ global_clock = 0 /\ node_clock = [ n \in Nodes |-> 0 ]

  39. Drift Modeling (1) CONSTANTS SIMULATED_CYCLES, BOUNDED_DRIFT VARIABLES global_clock, node_clock, system Nodes == { "A", "B", "C" } Init == /\ global_clock = 0 /\ node_clock = [ n \in Nodes |-> 0 ] Next == \/ ClockStep /\ UNCHANGED system \/ SystemStep /\ UNCHANGED global_clock /\ UNCHANGED node_clock

  40. Drift Modeling (1) CONSTANTS SIMULATED_CYCLES, BOUNDED_DRIFT VARIABLES global_clock, node_clock, system Nodes == { "A", "B", "C" } Init == /\ global_clock = 0 /\ node_clock = [ n \in Nodes |-> 0 ] Next == \/ ClockStep /\ UNCHANGED system \/ SystemStep /\ UNCHANGED global_clock /\ UNCHANGED node_clock SystemStep == ...

  41. Drift Modeling (2) ClockStep ==

  42. Drift Modeling (2) ClockStep == \* Tick the global clock \/ /\ global_clock' = global_clock + 1 /\ UNCHANGED << node_clock >> /\ ClockDriftInBounds(global_clock', node_clock)

  43. Drift Modeling (2) ClockStep == \* Tick the global clock \/ /\ global_clock' = global_clock + 1 /\ UNCHANGED << node_clock >> /\ ClockDriftInBounds(global_clock', node_clock) \* Tick a node clock \/ \E node \in DOMAIN node_clock: /\ node_clock' = [node_clock EXCEPT ![node] = @ + 1] /\ UNCHANGED << global_clock >> /\ ClockDriftInBounds(global_clock, node_clock')

  44. Drift Modeling (3) ClockDriftInBounds(g, n) == /\ g <= SIMULATED_CYCLES /\ \A node \in DOMAIN n : /\ n[node] <= SIMULATED_CYCLES /\ Abs(c[node] - g) <= BOUNDED_DRIFT

  45. This works better 45

  46. This works better ● Narrower state space 46

  47. This works better ● Narrower state space ● Directly addresses relevant failure domain 47

  48. The system was more vulnerable to drift than previously thought

  49. Delivering a Model ● Literate PDF ● Makefile / .cfg file ● Config Instructions

  50. TLA+ is tricky to use this way ● Difficult setup ● Easier development ● Easier delivery

  51. Give models to your customers

  52. Extending the technique ● Asymmetric Drift ● Action on Tick ● Cyclical Clock

  53. Closing Thoughts

  54. Closing Thoughts ● Fake a real clock

  55. Closing Thoughts ● Fake a real clock ● Bound the drift

  56. Closing Thoughts ● Fake a real clock ● Bound the drift ● Give models to your customers

  57. Closing Thoughts ● Fake a real clock ● Bound the drift ● Give models to your customers ● I owe Hillel Wayne a great debt

  58. Russell Mull @mullr russell@auxon.io

Recommend

Google Study: Google Study: Could those memory failures be caused by design flaws? Could those

Google Study: Google Study: Could those memory failures be caused by design flaws? Could those

Google Study: Google Study: Could those memory failures be caused by design flaws? Could those memory failures be caused by design flaws? Barbara P. Aichinger Vice President New Business Development FuturePlus Systems Corporation

886 views • 21 slides
UMBC A B M A L T F O U M B C I M Y O R T 1 (5/1/07) I E S R C E O V U

UMBC A B M A L T F O U M B C I M Y O R T 1 (5/1/07) I E S R C E O V U

Digital Systems Clock Distribution I CMPE 650 Clock Characteristics Clock signals must toggle twice (full cycle) for each single transition for data. Clock wires also tend to be very heavily loaded nets because they typically fan-out to every

490 views • 19 slides
EXPOSING EXPOSING A FLEXIBLE, COMPOSABLE &amp; EXTENSIBLE A FLEXIBLE, COMPOSABLE &amp;

EXPOSING EXPOSING A FLEXIBLE, COMPOSABLE &amp; EXTENSIBLE A FLEXIBLE, COMPOSABLE &amp;

EXPOSING EXPOSING A FLEXIBLE, COMPOSABLE &amp; EXTENSIBLE A FLEXIBLE, COMPOSABLE &amp; EXTENSIBLE REST API REST API Thierry Delprat td@nuxeo.com https://github.com/tiry/ AGENDA AGENDA Quick introduction provide some context API design

1.37k views • 75 slides
Google Study: Could Those Memory Failures Be Caused By Design Flaws? By Barbara P. Aichinger,

Google Study: Could Those Memory Failures Be Caused By Design Flaws? By Barbara P. Aichinger,

Google Study: Could Those Memory Failures Be Caused By Design Flaws? By Barbara P. Aichinger, FuturePlus Systems Corporation JEDEC Memory Server Forum Shenzhen, China March 1, 2012 Abstract : The conclusions of the extensive Google study

243 views • 12 slides
High-level State Machines &amp; RTL Design Prof. Usagi Recap: Clock signal 0ns 10ns 20ns

High-level State Machines &amp; RTL Design Prof. Usagi Recap: Clock signal 0ns 10ns 20ns

High-level State Machines &amp; RTL Design Prof. Usagi Recap: Clock signal 0ns 10ns 20ns 30ns 40ns 50ns 60ns 70ns 80ns 90ns Clock -- Pulsing signal for enabling latches; ticks like a clock The clock's period must be longer than

658 views • 40 slides
Clock-Driven Scheduling (in-depth) Pre-compute static schedule off-line (e.g. at design

Clock-Driven Scheduling (in-depth) Pre-compute static schedule off-line (e.g. at design

CPSC-663: Real-Time Systems Clock-Driven Scheduling Clock-Driven Scheduling (in-depth) Pre-compute static schedule off-line (e.g. at design time): Task Scheduler: i := 0; k := 0; can afford expensive &lt;set timer to expire at time t 0

266 views • 11 slides
Distributed Systems - III What about distributed systems? No common clock or memory

Distributed Systems - III What about distributed systems? No common clock or memory

CSC 4103 - Operating Systems Distributed Coordination Spring 2007 Ordering events and achieving synchronization in centralized systems is easier. Lecture - XXIV We can use common clock and memory Distributed Systems - III What

286 views • 4 slides
DESIGN AND TUNING OF A TREE-MESH CLOCK DISTRIBUTION Nikhil Jayakumar, Dave Murata, Valery Kugel

DESIGN AND TUNING OF A TREE-MESH CLOCK DISTRIBUTION Nikhil Jayakumar, Dave Murata, Valery Kugel

DESIGN AND TUNING OF A TREE-MESH CLOCK DISTRIBUTION Nikhil Jayakumar, Dave Murata, Valery Kugel { nikhilj, dmurata , valery } @juniper.net Juniper Networks OVERVIEW Comparison of Clock trees vs Clock Grids/Mesh Junipers Clock

340 views • 13 slides
Securely Implementing Network Protocols: Detecting and Preventing Logical Flaws Mathy Vanhoef

Securely Implementing Network Protocols: Detecting and Preventing Logical Flaws Mathy Vanhoef

Securely Implementing Network Protocols: Detecting and Preventing Logical Flaws Mathy Vanhoef (KU Leuven) Black Hat Webcast, 24 August 2017 @vanhoefm Introduction Many protocols have been affected by logical bugs Design flaws Implementation

692 views • 31 slides
Distributed Shared Memory Shared memory : difficult to realize vs . easy to program with.

Distributed Shared Memory Shared memory : difficult to realize vs . easy to program with.

CSCE 613 : Operating Systems Memory Models CSCE 613: Interlude: Distributed Shared Memory Shared Memory Systems Consistency Models Distributed Shared Memory Systems page based shared-variable based Reading (old!):

679 views • 21 slides
DESIGN FLAWS IN PROPOSED ART PLAN: A SOLUTION AS DESIGNED, THE ALBUQUERQUE RAPID TRANSIT PROJECT

DESIGN FLAWS IN PROPOSED ART PLAN: A SOLUTION AS DESIGNED, THE ALBUQUERQUE RAPID TRANSIT PROJECT

DESIGN FLAWS IN PROPOSED ART PLAN: A SOLUTION AS DESIGNED, THE ALBUQUERQUE RAPID TRANSIT PROJECT WILL INFLICT DAMAGE TO HISTORICALLY SENSITIVE DISTRICTS ALONG THE CENTRAL CORRIDOR; NOB HILL, UNIVERSITY, EDO AND DOWNTOWN. MAKE ART SMART SUPPORTS

306 views • 27 slides
Parallel Software Design ASD Shared Memory HPC Workshop Computer Systems Group, ANU Research

Parallel Software Design ASD Shared Memory HPC Workshop Computer Systems Group, ANU Research

Parallel Software Design ASD Shared Memory HPC Workshop Computer Systems Group, ANU Research School of Computer Science Australian National University Canberra, Australia February 14, 2020 Schedule - Day 5 Computer Systems (ANU) Parallel

1.67k views • 141 slides
ISPD 2006 Arjun Rajagopal Arjun Rajagopal Dallas DSP Design Dallas DSP Design Texas

ISPD 2006 Arjun Rajagopal Arjun Rajagopal Dallas DSP Design Dallas DSP Design Texas

Clock Tree Design for Robust Low power design ISPD 2006 Arjun Rajagopal Arjun Rajagopal Dallas DSP Design Dallas DSP Design Texas Instruments Texas Instruments Outline Clock Tree Design Goals Definition of Balanced clock tree

2.06k views • 23 slides
Goals The Clock introduce clock signal. logical level clock fall clock rise Chapter 11:

Goals The Clock introduce clock signal. logical level clock fall clock rise Chapter 11:

Goals The Clock introduce clock signal. logical level clock fall clock rise Chapter 11: Flip-Flops define edge-triggered flip-flops. clock period discuss parameters of flip-flops: setup time, hold time, 1 Computer Structure pulse width

408 views • 8 slides
Application Logic Flaws Professor Larry Heimann Web Application Security Information Systems

Application Logic Flaws Professor Larry Heimann Web Application Security Information Systems

Application Logic Flaws Professor Larry Heimann Web Application Security Information Systems Discussion of Lab 6 Due end of the week on October 17th (11:59am) Complete findings record, attach screenshots and/or code files to confirm

847 views • 16 slides
Shared-clock methodology for time-triggered multi-cores Keith F. Athaide Project supervisor:

Shared-clock methodology for time-triggered multi-cores Keith F. Athaide Project supervisor:

Shared-clock methodology for time-triggered multi-cores Keith F. Athaide Project supervisor: Michael J. Pont Technical supervisor: Devaraj Ayavoo Communicating Process Architectures (CPA) 2008 8 th -10 th September 2008 Overview Aims

230 views • 20 slides
Clock Synchronization Synchronization Clock Henrik Lnn Electronics &amp; Software Volvo

Clock Synchronization Synchronization Clock Henrik Lnn Electronics &amp; Software Volvo

Parallel and Distributed Systems: Clock Synchronization Clock Synchronization Synchronization Clock Henrik Lnn Electronics &amp; Software Volvo Technological Development VTD Electronics and Software Parallel and Distributed Systems: Clock

345 views • 17 slides
Clock-Driven Scheduling (in-depth) Precompute static schedule off-line Task Scheduler: (e.g.

Clock-Driven Scheduling (in-depth) Precompute static schedule off-line Task Scheduler: (e.g.

CPSC-663: Real-Time Systems Clock-Driven Scheduling Clock-Driven Scheduling (in-depth) Precompute static schedule off-line Task Scheduler: (e.g. at design time): can afford i := 0; k := 0; expensive algorithms. &lt;set timer to expire at

303 views • 7 slides
Flaws and Frauds Flaws and Frauds in IDPS evaluation in IDPS evaluation Dr. Stefano Zanero, PhD

Flaws and Frauds Flaws and Frauds in IDPS evaluation in IDPS evaluation Dr. Stefano Zanero, PhD

Flaws and Frauds Flaws and Frauds in IDPS evaluation in IDPS evaluation Dr. Stefano Zanero, PhD Post-Doc Researcher, Politecnico di Milano CTO, Secure Network Outline Establishing a need for testing methodologies Testing for

1.13k views • 43 slides
Debunking Design Flaws in PHP Code using Static Call Graphs Berlin PHP Usergroup Falko Menge

Debunking Design Flaws in PHP Code using Static Call Graphs Berlin PHP Usergroup Falko Menge

Debunking Design Flaws in PHP Code using Static Call Graphs Berlin PHP Usergroup Falko Menge 07.11.2007 1 Agenda Motivation PHPCallGraph Results 3D Exploration with the CGA framework Conclusion 2 Motivation When

543 views • 13 slides
Clock IC Product Update Clock IC Product Update Clock Distribution and Clock Generation Solutions

Clock IC Product Update Clock IC Product Update Clock Distribution and Clock Generation Solutions

The World Leader in High-Performance Signal Processing Solutions Clock IC Product Update Clock IC Product Update Clock Distribution and Clock Generation Solutions Clock Distribution and Clock Generation Solutions September 2005 September 2005

575 views • 29 slides
Secure Systems Engineering Chester Rebeiro Indian Institute of Technology Madras Flaws that

Secure Systems Engineering Chester Rebeiro Indian Institute of Technology Madras Flaws that

Secure Systems Engineering Chester Rebeiro Indian Institute of Technology Madras Flaws that would allow an attacker access the OS flaw Bugs in the OS The Human factor Chester Rebeiro, IITM 2 Program Bugs that can be exploited Buffer

844 views • 38 slides
Distributed Shared Memory Presented by Humayun Arafat 1 Outline Background Shared Memory,

Distributed Shared Memory Presented by Humayun Arafat 1 Outline Background Shared Memory,

Distributed Shared Memory Presented by Humayun Arafat 1 Outline Background Shared Memory, Distributed memory systems Distributed shared memory Design Implementation TreadMarks Comparison TreadMarks with Princetons home based protocol

524 views • 31 slides
The Clock of STM32F4 Corrado Santoro ARSLAB - Autonomous and Robotic Systems Laboratory

The Clock of STM32F4 Corrado Santoro ARSLAB - Autonomous and Robotic Systems Laboratory

The Clock of STM32F4 Corrado Santoro ARSLAB - Autonomous and Robotic Systems Laboratory Dipartimento di Matematica e Informatica - Universit` a di Catania, Italy santoro@dmi.unict.it L.S.M. Course Corrado Santoro The Clock of STM32F4 STM32

270 views • 12 slides

More recommend