surviving sensor network software faults
play

Surviving Sensor Network Software Faults Yang Chen (University of - PowerPoint PPT Presentation

Jul 16, 2023 •507 likes •997 views

Surviving Sensor Network Software Faults Yang Chen (University of Utah) Omprakash Gnawali (USC, Stanford) Maria Kazandjieva (Stanford) Philip Levis (Stanford) John Regehr (University of Utah) 22nd SOSP October 13, 2009 In Atypical Places

  1. Surviving Sensor Network Software Faults Yang Chen (University of Utah) Omprakash Gnawali (USC, Stanford) Maria Kazandjieva (Stanford) Philip Levis (Stanford) John Regehr (University of Utah) 22nd SOSP October 13, 2009

  2. In Atypical Places for Networked Systems Forest fires Volcanoes Landmarks Really tall trees 2

  3. Challenges • Operate unattended for months, years • Diagnosing failures is hard • Input is unknown, no debugger • Memory bugs are excruciating to find • No hardware memory protection 3

  4. Safe TinyOS (memory safety) Deputy 4

  5. Safety Violation • Lab: blink LEDs, spit out error message • Deployment: reboot entire node (costly!) • Lose valuable soft state (e.g., routing tables) ‣ takes time and energy to recover • Lose application data ‣ unrecoverable 5

  6. Neutron • Changes response to a safety violation • Divides a program into recovery units • Precious state can persist across a reboot • Reduces the cost of a violation by 95-99% • Applications unaffected by kernel violations • Near-zero CPU overhead in execution • Works on a 16-bit low-power microcontroller 6

  7. Outline • Recovery units • Precious state • Results • Conclusion 7

  8. Outline • Recovery units • Precious state • Results • Conclusion 8

  9. A TinyOS Program • Graph of software components • Code and state, statically instantiated • Connections typed by interface • Minimal state sharing 9

  10. A TinyOS Program • Graph of software components • Code and state, statically instantiated • Connections typed by interface • Minimal state sharing • Preemptive multithreading • Kernel is non blocking, single-threaded syscalls • Kernel API uses message passing 10

  11. Recovery Units • Separate program into independent units • Infer boundaries at compile-time using: 1. A unit cannot directly call another 2. A unit instantiates at least one thread 3. A component is in one unit exactly 4. A component below syscalls is in the kernel unit 5. The kernel unit has one thread 11

  12. Recovery Units Application Threads syscalls Kernel Thread 12

  13. Recovery Units Application Threads syscalls Kernel Thread 13

  14. Recovery Units Application Threads syscalls Kernel Thread 14

  15. Recovery Units Application Threads syscalls Kernel Thread 15

  16. Recovery Units Application Threads syscalls Kernel Thread 16

  17. Rebooting Application Units • Halt threads, cancel outstanding syscalls • Reclaim malloc() memory • Re-initialize RAM • Restart threads 17

  18. Canceling System Calls • Problem: kernel may still be executing prior call ? • Next call will return EBUSY Kernel API • Pending flag in syscall structure • Block if flag is set • On completion, issue new syscall 18

  19. Memory • Allocator tags blocks with recovery unit • On reboot, walk the heap and free unit’s blocks • Must wait for syscalls that pass pointers to complete before rebooting • On reboot, re-run unit’s C initializers • Each unit has its own .data and .bss • Restart application threads 19

  20. Kernel Unit Reboot • Cancel pending system calls with ERETRY • Reboot kernel • Maintain thread memory structures • Applications continue after kernel reboots 20

  21. Outline • Recovery units • Precious state • Results • Conclusion 21

  22. Coupling Application Threads syscalls Kernel Thread 22

  23. Coupling Application Threads syscalls Kernel Thread 23

  24. Coupling Application Threads syscalls Kernel Thread 24

  25. Precious State • Components can make variables “precious” • Precious groups can persist across a reboot • Compiler clusters all precious variables in a component into a precious group • Restrict what precious pointers can point to TableItem @precious table[MAX_ENTRIES]; uint8_t @precious tableEntries; 25

  26. Persisting • Precious variables must be accessed in atomic{} blocks • Only current thread can be cause of violation • Static analysis determines tainted variables • Tainted precious state does not persist on violation 26

  27. Persisting Variables • If memory check fails, reboot unit • Reset current stack, re-run initializers, zero out .bss, restore variables • Need space to store persisting variables • Simple option: scratch space, wastes RAM • Neutron approach: place on stack • Stack has been reset • Often smaller than worst-case stack 27

  28. Outline • Recovery units • Precious state • Results • Conclusion 28

  29. Methodology • Evaluate cost of a kernel violation in Neutron compared to Safe TinyOS • Three libraries, 55 node testbed (Tutornet) • Collection Tree Protocol (CTP), 5 variables • Flooding Time Synch Protocol (FTSP), 7 variables • Tenet bytecode interpreter in the paper • Quantifies benefit of precious state 29

  30. Kernel Reboot: CTP 30

  31. Kernel Reboot: CTP 31

  32. Kernel Reboot: CTP 32

  33. Kernel Reboot: CTP 99.5% reduction 33

  34. Kernel Reboot: FTSP 34

  35. Kernel Reboot: FTSP 35

  36. Kernel Reboot: FTSP 36

  37. Kernel Reboot: FTSP 94% reduction 37

  38. Fault Isolation • CTP/FTSP persist on an application fault • Application data persists on a kernel fault 38

  39. Cost (ROM bytes) Safe TinyOS Neutron Increase Increase 6402 8978 2576 40% Blink 26834 31556 4722 18% BaseStation 39636 43040 3404 8% CTPThreadNonRoot 44842 48614 3772 8% TestCollection 29608 30672 1064 3% TestFtsp (no threads) Customized reboot code is small, still fits on these devices 39

  40. Cost (reboot, ms) Node Kernel Application 12.2 11.4 1.16 Blink 22.1 14.1 9.18 BaseStation 15.6 15.5 1.01 CTPThreadNonRoot 15.6 15.5 0.984 TestCollection 14.8 - - TestFtsp (no threads) 40

  41. Cost (reboot, ms) Kernel fault: CPU busy for 10-20 ms Node Kernel Application 12.2 11.4 1.16 Blink 22.1 14.1 9.18 BaseStation 15.6 15.5 1.01 CTPThreadNonRoot 15.6 15.5 0.984 TestCollection 14.8 - - TestFtsp (no threads) 41

  42. Outline • Recovery units • Precious state • Results • Conclusion 42

  43. What’s Different Here • Persistent data in the OS (RioVista, Lowell 1997) • Neutron: no backing store, modify in place • Microreboots (Candea 2004) • Kernel and applications, rather than J2E • Doesn’t require a transactional database 43

  44. What’s Different Here • Rx (Qin 2007) and recovery domains (Lenharth 2009) • Almost no CPU cost in execution, microreboots • Failure oblivious computing (Rinard 2004) • Recover from, rather than mask faults 44

  45. What’s Different Here • Changing the TinyOS toolchain is easy • Changing the TinyOS programming model isn’t (e.g., adding transactions) • 90,000 lines of tight embedded code • 35,000 downloads/year 45

  46. Neutron • Divides a program into recovery units • Precious state can persist across a reboot • Near-zero CPU overhead in execution • Applications survive kernel violations • Reduces the cost of a violation by 95-99% • Works on a 16-bit low-power microcontroller 46

  47. Questions 47

  48. Diagnosing Faults At label (2) on August 8, a software command was transmitted to reboot the network, using Deluge [6], in an attempt to correct the time synchronization fault described in Section 7. This caused a software failure affecting all nodes, with only a few reports being received at the base station later on August 8. After repeated attempts to recover the network, we returned to the deployment site on August 11 (label (3)) to manually reprogram each node.... ...In this case, the mean node uptime is 69%. However, with the 3-day outage factored out, nodes achieved an average uptime of 96%. “Fidelity and Yield in a Volcano Monitoring Sensor Network.” Geoff Werner-Allen, Konrad Lorincz, Jeff Johnson, Jonathan Lees, and Matt Welsh. In Proceedings of the 7th USENIX Symposium on Operating Systems Design and Implementation (OSDI 2006), Seattle, November 2006. Given the logistics of our deployment we weren't really able to do much information gathering once Deluge went down in the field, as we simply couldn't communicate with the testbed until the problem was resolved and it was more important to us, at the time, to get our system back on its feet than to debug Deluge. Note that I believe that the reboots were really more the *symptom*, not the *cause* of the Deluge issue (I think).... .... Anyway, in short this is a long way of saying that we actually have no idea what happened to Deluge. From: challen@eecs.harvard.edu Subject: Re: reventador reboots Date: July 18, 2009 9:15:26 AM PDT 48

Recommend

Surviving Sensor Network Software Faults Presented by Jacek Migdal Software crashes Software

Surviving Sensor Network Software Faults Presented by Jacek Migdal Software crashes Software

Surviving Sensor Network Software Faults Presented by Jacek Migdal Software crashes Software bugs are common: tests may not reveal rare problems hard to identify and fix ... but sensor network should be able to work for years. Ariane

522 views • 19 slides
Agilla/ Agim one: Middleware Existing sensor network software lacks flexibility Entire network

Agilla/ Agim one: Middleware Existing sensor network software lacks flexibility Entire network

Motivation Agilla/ Agim one: Middleware Existing sensor network software lacks flexibility Entire network runs just one application for Sensor Networks Cannot adapt to changes in the environment the network user requirements

374 views • 8 slides
INTERACTING FAULTS By Tyler Lagasse Faults typically form as a network How do we best

INTERACTING FAULTS By Tyler Lagasse Faults typically form as a network How do we best

INTERACTING FAULTS By Tyler Lagasse Faults typically form as a network How do we best interpret interacting faults and tell between different types of fault interaction? INTRODUCTION HOW DOES A FAULT NETWORK FORM? Forms within single

549 views • 21 slides
1 Agillas Computational Model Tuple Space-Based Coordination Content-addressable shared

1 Agillas Computational Model Tuple Space-Based Coordination Content-addressable shared

Motivation Agilla: Mobile Agent Middleware Existing sensor network software lacks flexibility Entire network runs just one application for Wireless Sensor Networks Cannot adapt to changes in the environment the network

322 views • 6 slides
Security in Wireless Sensor Networks Introduction A Wireless Sensor Network is a network made of

Security in Wireless Sensor Networks Introduction A Wireless Sensor Network is a network made of

Security in Wireless Sensor Networks Introduction A Wireless Sensor Network is a network made of many small devices consisting of a battery, radio communications, microcontroller, and sensors. Sensor nodes Task manager Gateway node 2

934 views • 44 slides
How to Deal With MAC Shortcomings for Sensor Networks or: Sensor Network Self Organization

How to Deal With MAC Shortcomings for Sensor Networks or: Sensor Network Self Organization

How to Deal With MAC Shortcomings for Sensor Networks or: Sensor Network Self Organization Rendezvous Clustering Algorithm March 16, 2004 Kathy Sohrabi Sensoria Corporation Internetworking the Physical World Dagstuhl Seminar 2004 About

323 views • 29 slides
Functional Claiming for Software Patents: Leveraging Recent Court Treatment Surviving 112(f) and

Functional Claiming for Software Patents: Leveraging Recent Court Treatment Surviving 112(f) and

Presenting a live 90-minute webinar with interactive Q&A Functional Claiming for Software Patents: Leveraging Recent Court Treatment Surviving 112(f) and Disclosing Functional Basis for Software to Meet Heightened Standard of Review

1.24k views • 111 slides
Distributed Algorithms for Guiding Navigation across a Sensor Network Qun Li Michael de Rosa

Distributed Algorithms for Guiding Navigation across a Sensor Network Qun Li Michael de Rosa

Distributed Algorithms for Guiding Navigation across a Sensor Network Qun Li Michael de Rosa Daniela Rus Department of Computer Science Dartmouth College MobiCom 2003 ICS280 Winter'05 Presenter: Daniel Massaguer 1 Static sensor network

665 views • 37 slides
Ubiquitous faults T-79.4001 Seminar on Theoretical Computer Science Tero Pietilinen 4.4.2007

Ubiquitous faults T-79.4001 Seminar on Theoretical Computer Science Tero Pietilinen 4.4.2007

Nature of ubiquitous faults Communication Faults and Agreement Limits to Number of Ubiquitous Faults for Majority Unanimity in Spite of Ubiquitous Faults Ubiquitous faults T-79.4001 Seminar on Theoretical Computer Science Tero Pietilinen

685 views • 36 slides
W HAT A BOUT P AXOS ? Paxos tolerates a minority of processing failing by crashing . What

W HAT A BOUT P AXOS ? Paxos tolerates a minority of processing failing by crashing . What

B YZANTINE F AULT T OLERANCE Ellis Michael A H IERARCHY OF F AULT M ODELS No faults Crash faults Byzantine faults People who use tabs instead of spaces B YZANTINE F AULTS Also called "general" or "arbitrary" faults.

563 views • 31 slides
Ambient Sensor Cloud as A Solution of Practical Sensor Network in Agriculture in Agriculture

Ambient Sensor Cloud as A Solution of Practical Sensor Network in Agriculture in Agriculture

Ambient Sensor Cloud as A Solution of Practical Sensor Network in Agriculture in Agriculture Masayuki Hirafuji (NARO/Univ. of Tsukuba) Hideo Yoichi, Takuji Kiura, Keiko Matsumoto (NARO) Hirohisa Nesumi, Norihiro Hoshi (NARO) , ( ) Seishi

452 views • 21 slides
INTRODUCTION TO WIRELESS SENSOR NETWORKS Marco Zennaro, ICTP Trieste-Italy Wireless sensor

INTRODUCTION TO WIRELESS SENSOR NETWORKS Marco Zennaro, ICTP Trieste-Italy Wireless sensor

INTRODUCTION TO WIRELESS SENSOR NETWORKS Marco Zennaro, ICTP Trieste-Italy Wireless sensor networks A Wireless Sensor Network is a self- configuring network of small sensor nodes communicating among themselves using radio signals, and

1.31k views • 34 slides
Facing Up to Faults Facing Up to Faults Facing Up to Faults (v.2.0.1) (v.2.0.1) (v.2.0.1)

Facing Up to Faults Facing Up to Faults Facing Up to Faults (v.2.0.1) (v.2.0.1) (v.2.0.1)

Facing Up to Faults Facing Up to Faults Facing Up to Faults (v.2.0.1) (v.2.0.1) (v.2.0.1) Brian Randell Brian Randell Brian Randell WADS-3, May 2004 1 The Menu The Menu The Menu On Dependability Concepts On Fault Assumptions

600 views • 20 slides
Mobility assistance in Wireless Sensor Network Xiujuan Yi Nalini Venkatasubramanian University

Mobility assistance in Wireless Sensor Network Xiujuan Yi Nalini Venkatasubramanian University

Mobility assistance in Wireless Sensor Network Xiujuan Yi Nalini Venkatasubramanian University of California, Irvine Outline Background Why people introduce robots into wireless sensor network? Trade-off Advantages & Overheads

380 views • 10 slides
Surviving the First Night Surviving the First Night Surviving the First Night Surviving

Surviving the First Night Surviving the First Night Surviving the First Night Surviving

Surviving the First Night Surviving the First Night Surviving the First Night Surviving the First Night Surviving the First Night Surviving the First Night Surviving the First Night Surviving the First Night Duane Anderson,

631 views • 40 slides
I m pact of I nterm ittent Faults on Nanocom puting Devices Cristian Constantinescu June 28th,

I m pact of I nterm ittent Faults on Nanocom puting Devices Cristian Constantinescu June 28th,

I m pact of I nterm ittent Faults on Nanocom puting Devices Cristian Constantinescu June 28th, 2007 Dependable Systems and Networks Outline Fault classes Permanent faults Transient faults Intermittent faults Field

709 views • 24 slides
eGATE Smart Building Innovation Sensor network technology based (IoT) condition monitoring and

eGATE Smart Building Innovation Sensor network technology based (IoT) condition monitoring and

eGATE Smart Building Innovation Sensor network technology based (IoT) condition monitoring and analysis of condition data for higher quality conditions on construction sites and completed buildings. Background Utilizing sensor network

957 views • 30 slides
Ground Control to Major Faults: Towards Fault Tolerant and Adaptive SDN Control Network Liron

Ground Control to Major Faults: Towards Fault Tolerant and Adaptive SDN Control Network Liron

Ground Control to Major Faults: Towards Fault Tolerant and Adaptive SDN Control Network Liron Schiff (Tel Aviv University) Stefan Schmid (TU Berlin, Germany & Aalborg University, Denmark) Marco Canini (Universit catholique de Louvain)

524 views • 28 slides
Make My Day Just Run A Web Scanner Countering the faults of typical web scanners through

Make My Day Just Run A Web Scanner Countering the faults of typical web scanners through

Make My Day Just Run A Web Scanner Countering the faults of typical web scanners through bytecode injection Toshinari Kureha, Fortify Software Agenda Problems With Black Box Testing Approaches To Finding Security Issues 4

761 views • 53 slides
A Practical Introduction to Sensor Network Programming Wireless Communication and Networked

A Practical Introduction to Sensor Network Programming Wireless Communication and Networked

A Practical Introduction to Sensor Network Programming Wireless Communication and Networked Embedded Systems, VT 2011 Frederik Hermans, Communication Research, Uppsala Universitet Overview Sensor node hardware: Zolertia Z1 TinyOS

596 views • 46 slides
Sensor network simulation in YAES February 18, 2008 This is a following to the original quick

Sensor network simulation in YAES February 18, 2008 This is a following to the original quick

Sensor network simulation in YAES February 18, 2008 This is a following to the original quick YAES tutorial, and it shows the functionality for sensor network simulation supported in YAES. It utilizes the EEL6788 package as an example, which

140 views • 3 slides
On the Optimal Cell Size in a Sensor Network Aided Cognitive Radio System Pl Grnsund and Ole

On the Optimal Cell Size in a Sensor Network Aided Cognitive Radio System Pl Grnsund and Ole

On the Optimal Cell Size in a Sensor Network Aided Cognitive Radio System Pl Grnsund and Ole Grndalen SDR11, WInnComm Europe Brussels, June 22-24, 2011 The SENDORA concept can be described as a "Sensor Network aided Cognitive

572 views • 11 slides
APAN Sensor Network WG 3rd meeting @ Hong Kong 2011/02/23 Susumu Takeuchi (NICT, Japan)

APAN Sensor Network WG 3rd meeting @ Hong Kong 2011/02/23 Susumu Takeuchi (NICT, Japan)

APAN Sensor Network WG 3rd meeting @ Hong Kong 2011/02/23 Susumu Takeuchi (NICT, Japan) Introduction of APAN Sensor Network WG Chair Eui Nam Huh ( KyungHee University, Korea ) Co Chairs Lasse Thiem ( FOKUS, Germany )

468 views • 18 slides
APAN Sensor Network WG APAN Sensor Network WG nd meeting @ Hanoi 2 nd 2 nd nd meeting @ Hanoi

APAN Sensor Network WG APAN Sensor Network WG nd meeting @ Hanoi 2 nd 2 nd nd meeting @ Hanoi

APAN Sensor Network WG APAN Sensor Network WG nd meeting @ Hanoi 2 nd 2 nd nd meeting @ Hanoi i i @ H @ H i i Group Meeting (2010/08/10) (2010/08/10) Chair: Susumu Takeuchi Chair: Susumu Takeuchi (NICT, Japan) Introduction of

867 views • 53 slides

More recommend