formalization and verification of fault tolerance and
play

Formalization and Verification of Fault Tolerance and Security - PowerPoint PPT Presentation

Nov 07, 2022 •249 likes •682 views

1/35 Formalization and Verification of Fault Tolerance and Security Felix G artner TU Darmstadt, Germany fcg@acm.org Example: Space Shuttle STS51 Discovery, http://spaceflight.nasa.gov/ 2/35 3/35 Fault-tolerant Operation [Spector and

  1. 1/35 Formalization and Verification of Fault Tolerance and Security Felix G¨ artner TU Darmstadt, Germany fcg@acm.org

  2. Example: Space Shuttle STS51 Discovery, http://spaceflight.nasa.gov/ 2/35

  3. 3/35 Fault-tolerant Operation [Spector and Gifford 1984] • Five redundant general purpose computers. • Four of them run the avionics software in parallel. • Majority vote of computation results. • “Fail-operational, fail-safe.” • Fifth computer runs backup system (written by separate contractor). Primary contractor: IBM.

  4. 4/35 Critical Infrastructures http://www.cs.virginia.edu/~survive • Critical infrastructures must be dependable (in this talk meaning fault-tolerant and secure).

  5. 5/35 Personal Motivation • My . . . – background: fault-tolerance, formal methods. – experience: formal methods help find bugs. – concern: need to formalize issues first (state what we mean). – claim: we know how to do this in fault-tolerance, not so much in security.

  6. 6/35 Overview 1. Fault tolerance (60% of talk). • What does “fault tolerance” mean? • How can it be formalized and verified? 2. Security (30%). • What does “security” mean and how can it be formalized???

  7. 7/35 Informal View of Fault Tolerance • Definition: Maintain some form of correct behavior in the presence of faults. • Correct behavior: specification. • Faults: – memory perturbation (cosmic rays), – link failure (construction works), – node crash (power outage), – . . .

  8. 8/35 Formal View of Fault Tolerance • System: state machine/event system with interface. • Specification: look at functional properties defined on individual executions of the system. • Safety properties: “always . . . ”. • Liveness properties: “eventually . . . ”. • Abstract away from real time.

  9. 9/35 Safety and Liveness • Safety properties: observable in finite time. • Examples: mutual exclusion, partial correctness. • Liveness property: violated after infinite time. • Example: starvation freedom, termination. • Safety and liveness are fundamental [Alpern and Schneider 1985; G¨ artner 1999a].

  10. 10/35 Faults. . . • can be modelled as unexpected events [Cristian 1985]. • are tied to one level of abstraction [Liu and Joseph 1992]. • Adding and “removing” state transitions is enough [G¨ artner 2001a]. • are formalized as a fault assumption.

  11. 11/35 Fault Tolerance Example • Network of workstations with point-to-point links. • Fault assumption: links and workstations can crash, but network stays connnected. • We want to do reliable broadcast. • Specification (desired properties): – A message which is delivered was previously broadcast (safety). – A broadcast message is eventually delivered on all surviving machines (liveness).

  12. 12/35 Fault on one Level of Abstraction • System = composition of systems. interface interaction subsystem subsystem system

  13. 13/35 Local and Global Fault Assumptions • Local fault assumption: add behavior to fault regions. • Example: node crash allows processes to stop. • Global fault assumption: restrict behavior again. • Example: network stays connected.

  14. 14/35 Fault Assumptions as Transformations [G¨ artner 1998] fault-tolerance ideal problem specification specification S ′ transformation specification S program system A system A ′ transformation faulty ideal fault assumption environment environment

  15. 15/35 Verification fault-tolerance ideal problem specification specification S ′ transformation specification S correctness correctness program system A system A ′ transformation faulty ideal fault assumption environment environment

  16. 16/35 Usual Verification of Fault Tolerance 1. Choose fault assumption. 2. Weaken specification (if needed). 3. Transform system. 4. Verify system.

  17. 17/35 Transformational Approach [G¨ artner 1999b] 1. Choose fault assumption. 2. Weaken specification (if needed). 3. Prove that original system satisfies specification. 4. Transform system. 5. Prove only items which have changed (use tools like VSE, PVS, . . . ).

  18. 18/35 Potential of Re-Use fault-tolerance ideal problem specification specification S ′ transformation specification S correctness correctness program system A system A ′ transformation faulty ideal fault assumption environment environment

  19. 19/35 Case Study [Mantel and G¨ artner 2000] • Example: reliable broadcast. • Proved safety part using industrial strength verification tool VSE [Hutter et al. 1996]. • Transformational approach applied. • Benefit: re-use of specification and proofs.

  20. 20/35 Re-use of Specification n o i t a m r o f s n a r t ReliableBroadcast Broadcast y b d e t c e f f a s e i r o e h CrashAdmissible- t AdmissibleTraces Traces CrashSafety- SafetyProperties Properties CrashTraces Traces CrashAction- List States CrashStates CrashActions ProcessList ChannelMatrix UpDownList Processes ChannelList ActionList MessageSets UChannel Actions Messages

  21. 21/35 Re-use of Proofs B1 B1’ B2 B3 B4 B5 crash

  22. 22/35 Fault Tolerance Summary • We basically know how to deal with fault tolerance. • Formalizations and verification methods are quite mature. • Area has a solid formal foundation.

  23. 23/35 Fault Tolerance and Security • Can research in security benefit from fault tolerance? “Fault tolerance and security are instances of a more general class of property that constrains influence.” Franklin Webber, BBN (during SRDS2000 panel) • Example: tolerate malicious behavior by assuming Byzantine faults (like in ISS).

  24. 24/35 Informal View of Security • Security is CIA [Laprie 1992]: – Confidentiality: non-occurrence of unauthorized disclosure of information. – Integrity: non-occurrence of inadequate information alterations. – Availability: readiness for usage. • Conjecture: Everything is CIA! [Cachin et al. 2000]

  25. 25/35 Formal View of Security • Recall concepts of safety and liveness (from fault tolerance). • We can model a lot of notions from security with these concepts, but not all. • Benefits: – Well understood formalisms. – Good proof methodologies and tool support.

  26. 26/35 Safety and Liveness in Security • Access control is safety [Schneider 2000; ? ]. • Aspects of confidentiality are safety [Gray, III. and McLean 1995]. • Aspects of integrity are safety, e.g. “no unauthorized change of a variable”. • Aspects of availability are liveness, e.g. “eventual reply to a request”.

  27. 27/35 Fair Exchange [Asokan et al. 1997] • Two participants A and B with electronic items. • How to exchange the items in a fair manner? Formally: – Effectiveness: if exchange succeeds then items matched the expectation and both participants have well behaved (safety). – Termination: eventually the protocol will terminate with success or abort (liveness). – Fairness: in case of an unsuccessful exchange, ange, nobody wins or loses something valuable.

  28. 28/35 Formalizing Fair Exchange [G¨ artner 2001b] z, z, z, . . . x, x, x, . . . input item i A e A output item d A description A s A success/abort m A malevolence i B Y, . . . , Y, X, X, . . . e B d B B s B m B x, Y, . . . , x, Y, x, X, x, X, . . . z, Y, . . . , z, Y, z, X, z, X, . . .

  29. 29/35 Higher Level Properties • Consequence: Restriction of information flow is neither safety nor liveness. • Property of the type: if trace x, X, x, X is possible, then trace z, X, z, X must be possible too. • Usually formalized as closure conditions on trace sets: σ ∈ S ⇒ f ( σ ) ∈ S • Properties of properties, sets of sets of traces.

  30. 30/35 Original Approach • Non-interference [Goguen and Meseguer 1982]. • Descendants with their own problems [McLean 1994]: – Generalized non-interference. – Restrictiveness. – Non-inference. – . . . • Possibilistic properties.

  31. 31/35 Possibilistic Properties • Pure non-interference is too strong. • There is progress in weakening the definition to make it practical [Mantel 2000]. • First results available [Focardi et al. 1997]. • To be investigated: relation to other ways to specify security [Pfitzmann et al. 2000].

  32. 32/35 Motivation Reminder • Formal methods are no silver bullet, but they help to find bugs in critical systems. • Starting point: formalization of central concepts. • We know how to do that in fault tolerance. • But fault tolerance seems “easy” compared to security. • Security defines a new class of properties.

  33. 33/35 Historic Perspective “The first wave of attacks is physical [e.g. cut wires]. But these problems we basically know how to solve.” → fault tolerance The second wave is syntactic [e.g. exploiting vulnerabilities]. We have a bad track record in protecting against syntactic attacks. But at least we know what the problem is. → security models Bruce Schneier (Inside Risks, Dec. 2000)

  34. 34/35 Conclusions 1/2 • We seem to have managed dealing with physical attacks. • Currently trying to cope with syntactic ones. • We need a thorough understanding of the concepts involved. • Formal methods can support rigorous anaysis. • Formalization is the first step.

Recommend

Formal Verification of Automatic Circuit Transformations for Fault-Tolerance Dmitry Burlyaev

Formal Verification of Automatic Circuit Transformations for Fault-Tolerance Dmitry Burlyaev

Formal Verification of Automatic Circuit Transformations for Fault-Tolerance Dmitry Burlyaev Pascal Fradet 09/30/15, Austin, TX, USA @ FMCAD'15 Outline For a given (fault-tolerance) transformation T , we want to prove a property of the form

1.11k views • 79 slides
Roadmap for Section 10.1 The Notion of Fault-Tolerance Fault-Tolerance Support in NTFS Volume

Roadmap for Section 10.1 The Notion of Fault-Tolerance Fault-Tolerance Support in NTFS Volume

Unit OS10: Fault Tolerance Windows Operating System Internals - by David A. Solomon and Mark E. Russinovich with Andreas Polze Roadmap for Section 10.1 The Notion of Fault-Tolerance Fault-Tolerance Support in NTFS Volume Management - Striped

394 views • 25 slides
Fault Tolerance in Message Passing Fault Tolerance in Message Passing and in Action and in

Fault Tolerance in Message Passing Fault Tolerance in Message Passing and in Action and in

Fault Tolerance in Message Passing Fault Tolerance in Message Passing and in Action and in Action Jack Dongarra, Innovative Computing Laboratory University of Tennessee and Computer Science and Mathematics Division Oak Ridge National

422 views • 14 slides
General Principles of Fault- Tolerance Daniel Gottesman Perimeter Institute Whats Left For

General Principles of Fault- Tolerance Daniel Gottesman Perimeter Institute Whats Left For

General Principles of Fault- Tolerance Daniel Gottesman Perimeter Institute Whats Left For Fault-Tolerance? Reduce the overhead (in space and in time) needed for fault-tolerance Better fault-tolerance in 1D? Better magic state

556 views • 22 slides
Rigorous fault-tolerance thresholds Ben Reichardt UC Berkeley N gate circuit 0/1 N gate

Rigorous fault-tolerance thresholds Ben Reichardt UC Berkeley N gate circuit 0/1 N gate

Rigorous fault-tolerance thresholds Ben Reichardt UC Berkeley N gate circuit 0/1 N gate circuit Need error 1/N 1/0 Quantum fault-tolerance problem Classical fault-tolerance: Von Neumann (1956) 0/1 Fault-tolerant, larger C High

846 views • 63 slides
Lecture 10: Fault Tolerance Fault Tolerant Concurrent Computing The main principles of fault

Lecture 10: Fault Tolerance Fault Tolerant Concurrent Computing The main principles of fault

Lecture 10: Fault Tolerance Fault Tolerant Concurrent Computing The main principles of fault tolerant programming are: Fault Detection - Knowing that a fault exists Fault Recovery - having atomic instructions that can be rolled back in

361 views • 18 slides
CH NG 8: FAULT TOLERANCE TS. Tr n H i Anh Content 2 1. Introduction to fault

CH NG 8: FAULT TOLERANCE TS. Tr n H i Anh Content 2 1. Introduction to fault

1 Tr n H i Anh Distributed System CH NG 8: FAULT TOLERANCE TS. Tr n H i Anh Content 2 1. Introduction to fault tolerance 2. Process resilience 3. Reliable client-Server Communication 4. Reliable Group Communication 5.

966 views • 50 slides
Distributed Systems 5. Fault Tolerant Systems Fault-Tolerance - 1 Lszl Bszrmnyi

Distributed Systems 5. Fault Tolerant Systems Fault-Tolerance - 1 Lszl Bszrmnyi

Distributed Systems 5. Fault Tolerant Systems Fault-Tolerance - 1 Lszl Bszrmnyi Distributed Systems Fault tolerance A system or a component fails due to a fault Fault tolerance means that the system continues to provide its

428 views • 40 slides
CSci 5105 Introduction to Distributed Systems Fault Tolerance Last Time Replication and

CSci 5105 Introduction to Distributed Systems Fault Tolerance Last Time Replication and

CSci 5105 Introduction to Distributed Systems Fault Tolerance Last Time Replication and Consistency Today Fault tolerance Chapter 8 TVS Fault Tolerance Basics Availability short time horizon e.g down 1 msec every hour

292 views • 27 slides
Challenging Malicious Inputs with Fault Tolerance Techniques Bruno Luiz Agenda Threats

Challenging Malicious Inputs with Fault Tolerance Techniques Bruno Luiz Agenda Threats

Challenging Malicious Inputs with Fault Tolerance Techniques Bruno Luiz Agenda Threats Fault Tolerance Fault Injection for Fault Tolerance Assessment Basic and classic techniques Decision Mechanisms Implementation

962 views • 61 slides
Guest lecture, UC Berkeley EECS 149, 13 April 2009 Safety, Fault-tolerance, Verification, and

Guest lecture, UC Berkeley EECS 149, 13 April 2009 Safety, Fault-tolerance, Verification, and

Guest lecture, UC Berkeley EECS 149, 13 April 2009 Safety, Fault-tolerance, Verification, and Certification for Embedded Systems John Rushby Computer Science Laboratory SRI International Menlo Park CA USA John Rushby, SR I Safety etc.: 1

909 views • 53 slides
Distributed Systems (ICE 601) Fault Tolerance Dongman Lee ICU Class Overview Introduction

Distributed Systems (ICE 601) Fault Tolerance Dongman Lee ICU Class Overview Introduction

Distributed Systems (ICE 601) Fault Tolerance Dongman Lee ICU Class Overview Introduction Failure Model Fault Tolerance Models state machine primary-backup Distributed Systems - Fault Tolerance Introduction

146 views • 12 slides
Fibre bundle framework for unitary quantum fault tolerance Lucy Liuxuan Zhang University of

Fibre bundle framework for unitary quantum fault tolerance Lucy Liuxuan Zhang University of

Motivations and main idea Basics of quantum fault tolerance Geometric picture of QECCs and unitary fault tolerance Conclusion Fibre bundle framework for unitary quantum fault tolerance Lucy Liuxuan Zhang University of Toronto December 18,

795 views • 16 slides
Hypervisor-Based Fault-Tolerance Thomas C. Bressoud, Isis

Hypervisor-Based Fault-Tolerance Thomas C. Bressoud, Isis

Hypervisor-Based Fault-Tolerance Thomas C. Bressoud, Isis Distributed Systems Fred B. Schneider, Cornell University SOSP, 1995 Problem Fault tolerance

2.97k views • 8 slides
Adaptability and Fault Tolerance Adaptability and Fault Tolerance Rog rio rio de Lemos de

Adaptability and Fault Tolerance Adaptability and Fault Tolerance Rog rio rio de Lemos de

Adaptability and Fault Tolerance Adaptability and Fault Tolerance Rog rio rio de Lemos de Lemos Rog University of Kent, UK University of Kent, UK Context: self-* and dependability; Focus: adaptability and fault tolerance;

640 views • 19 slides
Towards an Efficient Fault-Tolerance Scheme for GLB Claudia Fohry, Marco Bungart and Jonas Posner

Towards an Efficient Fault-Tolerance Scheme for GLB Claudia Fohry, Marco Bungart and Jonas Posner

GLB Fault Tolerance Scheme Experimental Results Towards an Efficient Fault-Tolerance Scheme for GLB Claudia Fohry, Marco Bungart and Jonas Posner Programming Languages / Methodologies June 14, 2015 1 / 18 GLB Fault Tolerance Scheme

744 views • 18 slides
iQIM 5 December 2011 Quantum fault tolerance Error correction and fault tolerance will be

iQIM 5 December 2011 Quantum fault tolerance Error correction and fault tolerance will be

Protected gates for superconducting qubits V( ) John Preskill with Peter Brooks and Alexei Kitaev

511 views • 33 slides
Fault Tolerance For Sparse Linear Algebra Computations Implemented In A Grid Environment

Fault Tolerance For Sparse Linear Algebra Computations Implemented In A Grid Environment

Fault Tolerance For Sparse Linear Algebra Computations Implemented In A Grid Environment Experiments with Fault Tolerant Linear Algebra Algorithms Jack Dongarra Jeffery Chen Zhiao Shi Asim YarKhan University of Tennessee Fault Tolerance:

412 views • 22 slides
Fault Tolerance and Robustness in Concurrent Systems Faults, errors, failures, and fault

Fault Tolerance and Robustness in Concurrent Systems Faults, errors, failures, and fault

Fault Tolerance and Robustness in Concurrent Systems Faults, errors, failures, and fault tolerance have many different definitions. What working definition should we use for fault? What does it mean to be fault-tolerant? 2 Faults, errors,

841 views • 16 slides
Improving Scalability and Fault Improving Scalability and Fault Tolerance in an Application

Improving Scalability and Fault Improving Scalability and Fault Tolerance in an Application

Improving Scalability and Fault Improving Scalability and Fault Tolerance in an Application Tolerance in an Application Management Infrastructure Management Infrastructure Nikolay Topilski , Jeannie Albrecht, and Amin Vahdat Williams College

560 views • 18 slides
Fault Tolerance at Speed Todd L. Montgomery @toddlmontgomery About me What type of Fault

Fault Tolerance at Speed Todd L. Montgomery @toddlmontgomery About me What type of Fault

StoneTor Fault Tolerance at Speed Todd L. Montgomery @toddlmontgomery About me What type of Fault Tolerance? What is Clustering? Why Aeron? Design for Speeding Up? What type of Fault Tolerance? What is Clustering? Why Aeron? Design

979 views • 77 slides
AFT: A Serverless Fault- Tolerance Shim Vikram Sreekanti , Chenggang Wu, Saurav Chhatrapati,

AFT: A Serverless Fault- Tolerance Shim Vikram Sreekanti , Chenggang Wu, Saurav Chhatrapati,

AFT: A Serverless Fault- Tolerance Shim Vikram Sreekanti , Chenggang Wu, Saurav Chhatrapati, Joseph E. Gonzalez, Joseph M. Hellerstein, Jose M. Faleiro RISE Lab, UC Berkeley 04/29/2020 Fault-Tolerance in Serverless Computing FaaS programs

93 views • 8 slides
MC714 - Sistemas Distribuidos slides by Maarten van Steen (adapted from Distributed System - 3rd

MC714 - Sistemas Distribuidos slides by Maarten van Steen (adapted from Distributed System - 3rd

MC714 - Sistemas Distribuidos slides by Maarten van Steen (adapted from Distributed System - 3rd Edition) Chapter 08: Fault Tolerance Version: May 16, 2019 Fault tolerance: Introduction to fault tolerance Basic concepts Dependability Basics

587 views • 47 slides
Fault-Tolerance for PastryGrid Middleware erin 1 , Heithem Abbes 1 , 2 , Mohamed Jemni 2 , Yazid

Fault-Tolerance for PastryGrid Middleware erin 1 , Heithem Abbes 1 , 2 , Mohamed Jemni 2 , Yazid

Introduction PastryGrid Fault Tolerance in PastryGrid Conclusion Fault-Tolerance for PastryGrid Middleware erin 1 , Heithem Abbes 1 , 2 , Mohamed Jemni 2 , Yazid Christophe C Missaoui 2 1 LIPN, Universit e de Paris XIII, CNRS UMR 7030,

835 views • 71 slides

More recommend