Applying Coloured Petri Nets to Analyze Fail Silent Nodes in Distributed Systems

Lívia M. R. Sampaio, Jorge C. A. de Figueiredo and Francisco V. Brasileiro
Department of Computer Science, Federal University of Paraíba, Caixa Postal, Campina Grande, PB, Brazil

The authors are partially supported by CAPES (Coordenação de Aperfeiçoamento de Pessoal de Ensino Superior) and CNPq (Conselho Nacional de Desenvolvimento Científico e Tecnológico).

Abstract

A fail-silent node is a self-checking node composed of a number of conventional fail-uncontrolled processors that work together to provide the following fail-controlled behavior: the node either functions correctly or stops functioning after an internal failure is detected. In a software implemented fail-silent node, the non-faulty processors of the node need to execute message order and comparison protocols to keep in step and to check each other, respectively. In this paper we present a Petri net model for a software implemented fail-silent node specification. Formal analysis by means of occurrence graphs is also shown.

KEYWORDS: Fault-tolerance, fail-silence, replicated processing, Coloured Petri Nets, formal analysis.

1 Introduction

Experience in constructing distributed systems which continue to provide specified services in the presence of processing site and communication failures has shown that designing and implementing such systems is a difficult task. In a perfect world, one would like to construct a distributed system using hardware components which are guaranteed to be either failure-free or to have well defined failure modes. However, all hardware components must fail eventually, possibly in an unpredictable manner. A sensible approach, taken by the designers of a considerable number of dependable distributed systems reported in the literature, is to build their systems assuming that the underlying hardware components are fail-controlled, i.e. present a well defined failure mode, and then build processing sites or nodes and communication infrastructure that do indeed present the fail-controlled behavior assumed. Replicated processing on distinct processors, whereby outputs from faulty processors can be prevented from appearing at the application level (by employing means such as comparing or voting the outputs produced by the processors), provides a practical means of constructing fail-controlled nodes capable of tolerating Byzantine (also referred to as fail-uncontrolled) processor failures. A particular case of a fail-controlled node is the fail-silent node, which either works correctly or stops functioning (becomes silent) soon after an internal failure is detected. This behavior is guaranteed so long as the number of failed processors in the node does not exceed the bound the node was designed for (a node tolerating a given number of failures has one more processor than that number). A two-processor fail-silent node (tolerating a single processor failure) offers a practical and economical solution to the problem of constructing fail-controlled nodes. In [1] practical designs of software implemented two-processor fail-silent nodes are described, suitable for use in distributed systems, that meet the abstraction of fail-silence in the following sense: a node produces either correct messages which can be verified as such by destination nodes, or it ceases to produce new correct messages, in which case destination nodes can detect any messages it may produce as unwanted. However, no formal technique is employed there to analyze this solution. Due to its characteristics, the Petri net [6] is one of the most adequate formalisms to model and analyze distributed systems. Its graphical notation, solid mathematical basis and ability to describe synchronization, communication and sharing between concurrent processes contribute to this applicability. However, the models obtained in practice often become excessively large. The development of high-level Petri nets and hierarchical Petri nets solved this problem. The Coloured Petri net (CPN) [4] is one of the most well-known high-level Petri nets.
In this paper we use CPN to model a two-processor fail-silent node. The Design/CPN tool [5] is used to analyze the models. The paper is structured as follows. We begin by describing the basic principles that underpin our fail-silent nodes. In Section 3 we present and detail the CPN model for the fail-silent node. In Section 4 we address some analysis issues. Conclusions from our work are presented in the final section of the paper.

2 Node Description

System Model and Assumptions

We assume that a failed processor (and therefore the processes running on that processor) can exhibit Byzantine behavior, but we do make the assumption that each non-faulty processor in a node is able to sign a message it sends by affixing to the message a message-dependent unforgeable signature; a non-faulty processor is also assumed to be able to authenticate any signed message it receives. Digital signature based techniques [7] provide a very comprehensive way of meeting this functionality. We assume that non-replicated distributed computations are composed of a number of processes that interact only via messages. As an example, the function of a typical 'server' process is to cycle by selecting an input message from any one of its input ports, processing it and, if necessary, outputting one or more messages on its output ports. It is necessary to assume that the computation performed by a process on a selected message is deterministic. This is the well known state machine model (where a state machine is a process), for which the precise requirements for supporting replicated processing are known [9]. Basically, in the replicated version of a process, the multiple input ports of the non-replicated process are merged into a single port and the replica selects the message at the head of its port queue for processing.
So, if all the non-faulty replicas have identical initial states then identical output messages will be produced by them, provided the queues of all correct replicas can be guaranteed to contain identical messages in an identical order. Thus, replication of a process requires the following two conditions to be met:
1. Agreement: all the non-faulty replicas of a process receive identical input messages.
2. Order: all the non-faulty replicas process the messages in an identical order.

We assume that each processor of a fail-silent node has network interfaces for inter-node communication over (possibly redundant) networks. In addition, the processors of a node are internally connected by communication links for the intra-node communication needed for the execution of the redundancy management protocols (e.g., message ordering and comparison).

Figure 1: Software architecture of a processor in a fail-silent node (processes Receiver, Order, Validator, Sender and Transmitter; buffers RMQ, DMQ, PMQ, CMQ, ICL and ECL)

We assume that the maximum intra-node communication delay over a link is known and bounded: if a non-faulty process sends a message over a non-faulty link to a non-faulty process of a neighbor processor then the message will be received within that bound. For simplicity, we will assume that the lower bound on the actual transmission delay is zero (so the maximum delay also represents the maximum variation in message transmission delays over a link). Link failures will be categorized as processor failures: a link failure that prevents a message sent from a processor from being received by its neighbor in the node will be considered as a failure of the sender processor.

Basic Software Architecture

We now describe the basic software architecture of a two-processor fail-silent node. In addition to application level processes (server processes), each processor of a node executes five system processes, described below (see Figure 1):
1. Sender Process: this process takes the messages produced by the server processes of that processor, signs them and sends them via the link to the neighbor processor of the node for comparison.
2. Comparator Process: this process compares authentic messages sent by the neighbor processor with their counterparts produced locally. If a message comparison succeeds, the singly signed authentic message received from the neighbor is counter-signed (by considering the first signature as a part of the message) and this double signed message, termed a valid message, is handed over to the local Transmitter process for network delivery to destination nodes (clients). A comparison that detects a disagreement indicates a failure. Similarly, the absence of a message for comparison (after a node-specific timeout interval) also indicates a failure. Once a failure is detected, the comparator process stops, and so does the sender process. No new valid messages can be produced by the node.
3. Transmitter Process: this process is responsible for sending the double signed messages over the network to destination nodes. As each processor has a Transmitter process, a correct node will generate two copies of its output messages.
4. Receiver Process: this process authenticates messages received from the network or from the link and discards any inauthentic or duplicate messages. Authenticated messages from the network (valid messages) are sent to the local Order process. Authenticated singly signed messages from the link are sent to the Comparator.
5. Order Process: this process executes an order protocol with its counterpart in the other processor of the node in order to construct identical queues of valid messages for processing by the server processes. Since such a protocol entails the Order process relaying valid messages to its counterpart, it is sufficient for a message to be received from the network by any one of the processors of a node for it to be ordered at both processors.

The architecture can be adapted for the more general case of a fail-silent node with more than two processors; such a node will produce valid messages carrying one signature per processor.

Node Failure Semantics

We assume that server processes of correctly functioning nodes assign monotonically increasing sequence numbers to the new messages they produce; this property enables correctly functioning destination nodes to discard replicas of any previously received messages.
Let an application process running on a correctly functioning unreplicated node take t units of time to compute the response to an input message. The corresponding correct output from a fail-silent node will take at most t' = t + t_delay units of time, where t_delay (t_delay ≥ 0) is the bounded worst-case delay introduced by the redundancy management protocols. If the output from the fail-silent node is produced later than t' then the node will be said to have suffered a performance failure [3]. A fail-silent node can be in one of the following three states (see Figure 2):

Figure 2: Fail-silent node states (Normal, Failing, Silent)

1. Normal State: In this state, a node produces correct outputs. Detection of an internal failure (by a comparator) causes the node to irreversibly enter either the failing state or the silent state.
2. Failing State: This is an intermediate state in which the node can suffer at most one performance failure. From this state the node eventually enters the terminal silent state.
3. Silent State: No new valid messages are produced by the node. Any messages produced by the node can only be invalid or copies of previously produced valid messages: any functioning destination node can detect these messages as unwanted.

The reason for the existence of the intermediate failing state is as follows. A faulty processor can hold a message from the correct processor sent for comparison (a message that was sent before the correct processor stopped). The faulty processor can output this as a valid double signed message at any future time. The Sender and Comparator processes of each processor must therefore incorporate intra-node message synchronization measures to ensure that each processor of a node at any time holds no more than one message from the neighbor for comparison; in this way, the number of performance failures in the failing state can be limited to at most one.
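The Sender/Comparator discipline just described, as an added example rather than code from the paper: each processor forwards singly signed messages over the link, the Comparator matches them with its own copy by sequence number, counter-signs on agreement, and enters the silent state on disagreement or when the counterpart does not arrive within the timeout; the single neighbour slot is the intra-node synchronisation that keeps at most one message in flight. The HMAC keys, the tick-based timing and the timeout value are assumptions of the example.

```python
from __future__ import annotations

import hashlib
import hmac
from dataclasses import dataclass

# Constructed per-processor keys; the paper only assumes unforgeable, message-dependent signatures.
KEYS = {1: b"constructed-key-processor-1", 2: b"constructed-key-processor-2"}
TIMEOUT = 3  # node-specific comparison timeout in simulated ticks (assumed value)


@dataclass(frozen=True)
class Message:
    seq: int          # sequence number assigned by the server process
    payload: bytes
    sigs: tuple = ()  # ((processor id, signature), ...): one entry = singly signed, two = valid


def sign(msg: Message, pid: int) -> Message:
    """Sign with pid's key; earlier signatures are treated as part of the message."""
    data = msg.seq.to_bytes(4, "big") + msg.payload + b"".join(s for _, s in msg.sigs)
    sig = hmac.new(KEYS[pid], data, hashlib.sha256).digest()
    return Message(msg.seq, msg.payload, msg.sigs + ((pid, sig),))


def authentic(msg: Message, pid: int) -> bool:
    """Receiver check: the outermost signature verifies under pid's key."""
    if not msg.sigs or msg.sigs[-1][0] != pid:
        return False
    expected = sign(Message(msg.seq, msg.payload, msg.sigs[:-1]), pid).sigs[-1][1]
    return hmac.compare_digest(expected, msg.sigs[-1][1])


class Comparator:
    """One processor's Comparator.  icl: locally produced singly signed messages with
    the deadline by which the neighbour's copy must arrive.  ecl: at most one
    authenticated message from the neighbour (the paper's single-slot ecl/ecl_empty),
    which is what bounds the failing state to a single late message."""

    def __init__(self, pid: int):
        self.pid, self.neighbour = pid, 3 - pid
        self.icl: dict[int, tuple[Message, int]] = {}
        self.ecl: tuple[Message, int] | None = None
        self.silent = False
        self.valid: list[Message] = []  # double signed messages handed to the Transmitter

    def local(self, msg: Message, now: int) -> None:
        self.icl[msg.seq] = (msg, now + TIMEOUT)

    def from_link(self, msg: Message, now: int) -> bool:
        """Receiver -> Comparator.  False if the message is discarded or the slot is busy."""
        if self.silent or len(msg.sigs) != 1 or not authentic(msg, self.neighbour):
            return False
        if self.ecl is not None:
            return False  # slot busy: the neighbour's Sender must hold its next message back
        self.ecl = (msg, now + TIMEOUT)
        return True

    def step(self, now: int) -> None:
        if self.silent:
            return
        if self.ecl is not None and self.ecl[0].seq in self.icl:
            theirs = self.ecl[0]
            mine = self.icl.pop(theirs.seq)[0]
            if mine.payload != theirs.payload:
                self.silent = True  # disagreement detected: stop for good
                return
            self.valid.append(sign(theirs, self.pid))  # counter-sign the neighbour's copy
            self.ecl = None
        deadlines = [d for _, d in self.icl.values()] + ([self.ecl[1]] if self.ecl else [])
        if any(d <= now for d in deadlines):
            self.silent = True  # counterpart absent after the timeout


def run_node(outputs_p1: list[bytes], outputs_p2: list[bytes], ticks: int = 8):
    """Both server processes emit the given payloads (one per tick); each Sender forwards
    a singly signed copy over the link only while the neighbour's slot is free and its
    own Comparator has not stopped.  Returns (valid messages, p1 silent, p2 silent)."""
    comps = {1: Comparator(1), 2: Comparator(2)}
    pending = {pid: [sign(Message(i + 1, p), pid) for i, p in enumerate(outs)]
               for pid, outs in ((1, outputs_p1), (2, outputs_p2))}
    for now in range(ticks):
        for pid in (1, 2):
            me, nb = comps[pid], comps[3 - pid]
            if pending[pid] and not me.silent and nb.ecl is None:
                msg = pending[pid].pop(0)
                me.local(msg, now)
                nb.from_link(msg, now)
        for c in comps.values():
            c.step(now)
    return comps[1].valid + comps[2].valid, comps[1].silent, comps[2].silent


if __name__ == "__main__":
    valid, s1, s2 = run_node([b"A", b"B"], [b"A", b"B"])  # normal state
    print(len(valid), "valid messages; silent:", s1, s2)
    print("disagreement ->", run_node([b"A"], [b"X"])[1:])  # silent state
    print("absent message ->", run_node([b"A"], [])[1:])    # silent state via timeout
```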
The fact that a fail-silent node can suffer a single performance failure in the intermediate state is not a cause for concern. Consider "fail-crash" nodes without an intermediate state. Applications with timing constraints running over these nodes will still be expected to contain timeliness checks for detecting late or absent messages. The same checks will be adequate, in the case of fail-silent nodes, for filtering out late responses. If application programs have no timing constraints, then a performance failure suffered by a fail-silent node in the failing state will not cause any inconsistencies. Thus, a system of software implemented fail-silent nodes can be regarded as capable of implementing the abstraction of fail-silence in the following sense: a node produces either correct messages which can be verified as such by destination fail-silent nodes, or it ceases to produce new correct messages, in which case destination nodes can detect any messages it may produce as unwanted.

It is possible to design specialized fault-tolerant network interfaces that could prevent further messages from being output by a node once one of the processors detects a failure. Minimally, we need to provide a network interface with a single switch that can unilaterally and irreversibly be switched off by a control signal sent by either of the processors in the node. Any software solution to the design of a node that has no intermediate failing state will require additional redundancy. For example, one could delegate the responsibility of message comparison and output to a separate node that does not fail. A failure-masking node (capable of masking processor failure within a node) could provide the services of message comparison and output to a collection of multi-processor nodes. Indeed the failure-masking node can provide other services, such as recording the status of fail-silent nodes. This design very much resembles that of a system of fail-stop nodes [8] that can switch from the functioning to the halted state, and can provide failure-status indication.

3 CPN Model

In this section we present the CPN model for a two-processor fail-silent node, representing its components (processors, processes, input/output buffers, etc.) and the system for both intra- and inter-node communication. The model is a hierarchical CPN composed of 9 pages, 1 for global declarations (GlobalDecl) and the others for net structure (ReplicatedNode, Node, Network, Processor, Receiver, Comparator, Sender and Order). Due to space limitation we detail only two pages: the Processor page and the Comparator page.

Figure 3: CPN Hierarchy Page (pages Hierarchy, ReplicatedNode (prime page), Node, GlobalDecl, Network, Processor, Receiver, Comparator, Sender and Order)
The Processor page allows us to observe a general view of the entire model, whereas the Comparator page shows us the silent behavior of the node when a failure is detected. As can be seen from the CPN hierarchy page in Figure 3, ReplicatedNode is the prime page; it represents inter-node communication (node and net). The communication system modeled in Network is very simple: there are input/output buffers through which processors can send/receive messages to/from the physical network, respectively. These buffers represent the network interfaces and communication links for inter- and intra-node communication mentioned in Section 2. The page Node describes the arrival of messages (service requests) at processors, and the sending of outputs produced by these processors (double signed messages) to the clients. Each processor of a two-processor fail-silent node is represented by an instance of Processor, which is the most important page of the model. It contains the main flow of control in the node, from reception until validation of the message (see Figure 4). This page describes all the processes and buffers that form a processor, as illustrated in Figure 1. The exception is the transmitter process; due to its simplicity it was represented in the page Node. The receiver process authenticates messages for that processor and puts them into an appropriate buffer according to the type of the message. These buffers are used as input places for the order and comparator processes. We modeled the order process that implements a protocol based on logical clocks, as described in [1]. Ordered messages are put into the buffer dmq, indexed by the identifiers of the server processes running on the processor. The execution of services is represented by the transition attribute_id, which assigns a sequence number to each output message. These messages will be sent to the comparator process of the neighbor processor for validation.
When a failure is detected in the comparator process (explained later), a token is put in the place silent, meaning that the comparator stopped functioning. A token in this place also forces the sender process to stop (detailed in page Sender, not shown in this paper). If the validation is OK (a token in place buffer_msg), a message is put in the output buffer of the processor. Every time that a message is sent through the network (for ordering, comparison or as output of a service request) information about the receiver must be updated; this is represented by the place info_receiver. Each process corresponds to one substitution transition. The processes described above are represented by pages with the same name. All declarations of colour sets (lists, records, tuples, etc.), variables and functions used in the model are defined in the page GlobalDecl. The model was built using Design/CPN [5] and the time features of the model were supplied by Design/CPN timing support.

Figure 4: Processor page

The page that models the comparator describes the structure of the comparator process, that is, all the elements that contribute to the execution of this process (see Figure 5). The buffers icl and ecl are lists of messages from the local processor, where the comparator is running, and from the neighbor processor, respectively. Messages in icl must have a counterpart in ecl with the same sequence number (identifier). These numbers are compared and, if they match, the validation is OK (a token in place ok); otherwise, a failure is characterized (this check is represented by transitions compare1_msg and compare2_msg). The other possibility of a failure is when there is no message to be compared, that is, there is a message in ecl with no correspondent in icl, or vice-versa. To model this situation we used the time support of Design/CPN. All messages put in icl have a timestamp attributed automatically by the simulator during execution, according to the inscription on the output arc from transition sign_msg, in page Sender, to icl, in page Comparator.
This timestamp indicates that the message will be available in icl only after some units of time (the timeout). So, if after this time there is no message in ecl to be compared, we can assume that a failure occurred. In both cases, when a failure occurs the comparator stops functioning. This is modeled by a token in place silent. The place ecl_empty controls the number of messages in ecl, allowing just one token at any time. This guarantees the existence of the failing state.

Figure 5: CPN Page Comparator

4 Simulation and Analysis of the Model

The behavior of a two-processor fail-silent node can be perceived through the three states discussed in Section 2, namely: normal, silent and failing. It is important to guarantee that in the presence of a failure the node will not produce any valid message, or at most one; that is, when a failure occurs there are just two possible states assumed by the node: silent or failing, respectively. Simulation is a very interesting way to debug a model and can be used to get additional understanding as well. It is similar to the testing and execution of a program. During the simulation we detected a number of errors in the model, leading to the remodeling of some parts of the model. Through simulation we observed the failing state when we considered one message on the network and the existence of a failure condition. Occurrence graphs (O-graphs) [2] were also used to investigate the dynamic behavior of the models. As is pointed out in [4], this kind of analysis is an indispensable complement to the more straightforward and intuitive simulation possibilities. We constructed the O-graph for one message on the network, representing a service request from a client node. Two situations were considered: in the first one both processors received messages to be compared. As a result, we observed the normal state. In the second situation, a failure condition was introduced and we perceived the silent state. For one message on the network it is not possible to reach the failing state. We tried to generate the O-graph for two messages on the network. However, for this situation, it was only possible to get a partial occurrence graph, which restricted the verification of the model. To obtain O-graphs of a manageable size we believe that it is necessary to simplify the model. In order to get some additional understanding of the system, as well as to verify the existence of the failing state discussed earlier, we used small configurations (scenarios). The occurrence graph analysis then became an extended simulation, allowing the investigation of all possible sequences for the considered scenario. It was also possible to observe that some parts of the model were not specified in sufficient detail.

5 Conclusion

In this paper we have shown the modeling and analysis of a two-processor fail-silent node for distributed systems by means of Coloured Petri Nets. The model describes important aspects of the node that contribute to providing the specified behavior. Simulation and occurrence graph analysis allowed the detection and correction of errors in the original model.
Although for some kinds of configurations we did not succeed in generating the full O-graph, we could detect and correct some errors. Moreover, it was possible to observe the three states specified for the node. Currently, we are working on the simplification of the model in order to overcome the analysis limitation.

6 REFERENCES

[1] F. V. Brasileiro, P. D. Ezhilchelvan, S. K. Shrivastava, N. A. Speirs, and S. Tao. Implementing Fail-Silent Nodes for Distributed Systems. IEEE Transactions on Computers, 45(11):1226-1238, November.
[2] S. Christensen and K. Jensen. The Design/CPN Occurrence Graph Tool - User's Manual, Version 1.0. Technical report, Computer Science Department, Aarhus University, Aarhus, Denmark.
[3] F. Cristian. Understanding Fault-Tolerant Distributed Systems. Communications of the ACM, 34(2):57-78, February.
[4] K. Jensen. Coloured Petri Nets: Basic Concepts, Analysis Methods and Practical Use, volume 1 of EATCS Monographs on Theoretical Computer Science. Springer-Verlag.
[5] K. Jensen, S. Christensen, P. Huber, and M. Holla. Design/CPN: A Reference Manual. Technical report, Meta Software Corporation, Cambridge Park Drive, USA.
[6] T. Murata. Petri Nets: Properties, Analysis and Applications. Proceedings of the IEEE, 77(4):541-580, April.
[7] R. Rivest, A. Shamir, and L. Adleman. A Method for Obtaining Digital Signatures and Public-Key Cryptosystems. Communications of the ACM, 21(2):120-126, February.
[8] F. Schneider. Byzantine Generals in Action: Implementing Fail-Stop Processors. ACM Transactions on Computer Systems, 2(2):145-154, May.
[9] F. Schneider. Implementing Fault-Tolerant Services Using the State Machine Approach: A Tutorial. ACM Computing Surveys, 22(4):299-319, December 1990.
Synchronization Issues in Real-Time Systems Neeraj Suri, Michelle M. Hugue and Chris J. Walter AlliedSignal Electronics & Technology Center 9140 Old Annapolis Road Columbia, MD 21045 email: suri%newton@batc.allied.com
More informationAstaro Deployment Guide High Availability Options Clustering and Hot Standby
Connect With Confidence Astaro Deployment Guide Clustering and Hot Standby Table of Contents Introduction... 2 Active/Passive HA (Hot Standby)... 2 Active/Active HA (Cluster)... 2 Astaro s HA Act as One...
More informationIntroduction to Basics of Communication Protocol
Network Model Introduction to Basics of Communication Protocol Prof Pallapa. Venkataram Department of Electrical Communication Engineering Indian Institute of Science Bangalore 560012, India Physical Communication
More informationHigh-level Petri Nets
High-level Petri Nets Model-based system development Aarhus University, Denmark Presentation at the Carl Adam Petri Memorial Symposium, Berlin, February 4, 2011 1 Concurrent systems are very important
More informationDistributed Data Management
Introduction Distributed Data Management Involves the distribution of data and work among more than one machine in the network. Distributed computing is more broad than canonical client/server, in that
More informationA Reputation Replica Propagation Strategy for Mobile Users in Mobile Distributed Database System
A Reputation Replica Propagation Strategy for Mobile Users in Mobile Distributed Database System Sashi Tarun Assistant Professor, Arni School of Computer Science and Application ARNI University, Kathgarh,
More informationModelling and Analysis of the INVITE Transaction of the Session Initiation Protocol Using Coloured Petri Nets
Modelling and Analysis of the INVITE Transaction of the Session Initiation Protocol Using Coloured Petri Nets Lay G. Ding and Lin Liu School of Computer and Information Science University of South Australia
More informationSignature-Free Asynchronous Binary Byzantine Consensus with t < n/3, O(n 2 ) Messages, and O(1) Expected Time
Signature-Free Asynchronous Binary Byzantine Consensus with t < n/3, O(n 2 ) Messages, and O(1) Expected Time Achour Mostéfaoui Hamouma Moumen Michel Raynal, LINA, Université de Nantes, 44322 Nantes Cedex,
More informationTransport Layer Protocols
Transport Layer Protocols Version. Transport layer performs two main tasks for the application layer by using the network layer. It provides end to end communication between two applications, and implements
More informationOutline. Clouds of Clouds lessons learned from n years of research Miguel Correia
Dependability and Security with Clouds of Clouds lessons learned from n years of research Miguel Correia WORKSHOP ON DEPENDABILITY AND INTEROPERABILITY IN HETEROGENEOUS CLOUDS (DIHC13) August 27 th 2013,
More informationSeparating Agreement from Execution for Byzantine Fault-Tolerant Services
Separating Agreement from Execution for Byzantine Fault-Tolerant Services Rethinking Replicated State Machines Jian Yin, Jean-Philippe Martin, Arun enkataramani, Lorenzo Alvisi and Mike Dahlin jianyin@us.ibm.com,
More informationAlbert Ludwigs University Freiburg Department of Computer Science Prof. Dr. Stefan Leue and Corina Apachite Distributed Systems - WS 2001/2002 Assignment 1 - Solutions Question 1.1 Give vetypes of hardware
More informationModelling and Analysis of Railway Network Control Logic using Coloured Petri Nets a dissertation submitted to the School of Mathematics University of South Australia for the degree of doctor of philosophy
More informationVoice over IP Measurements. Radu Dudici Ruscior
Voice over IP Measurements Radu Dudici Ruscior LYNGBY 2002 IMM-THESIS-2002-75 IMM Printed by IMM, DTU i Preface This M.Sc. thesis is submitted in partial fulllment of the requirements for the degree of
More informationAn Overview of Clock Synchronization
An Overview of Clock Synchronization Barbara Simons, IBM Almaden Research Center Jennifer Lundelius Welch, GTE Laboratories Incorporated Nancy Lynch, MIT 1 Introduction A distributed system consists of
More informationSecurity Sensor Network. Biswajit panja
Security Sensor Network Biswajit panja 1 Topics Security Issues in Wired Network Security Issues in Wireless Network Security Issues in Sensor Network 2 Security Issues in Wired Network 3 Security Attacks
More informationLatency on a Switched Ethernet Network
Application Note 8 Latency on a Switched Ethernet Network Introduction: This document serves to explain the sources of latency on a switched Ethernet network and describe how to calculate cumulative latency
More informationAvoid a single point of failure by replicating the server Increase scalability by sharing the load among replicas
3. Replication Replication Goal: Avoid a single point of failure by replicating the server Increase scalability by sharing the load among replicas Problems: Partial failures of replicas and messages No
More informationTrust Management and Network Layer Security Protocols Matt Blaze 1 and John Ioannidis 1 and Angelos D. Keromytis 2 1 AT&T Laboratories { Research fmab,jig@research.att.com 2 Distributed Systems Labs CIS
More informationChapter 7: Replication Management using the State Machine Approach
Chapter 7: Replication Management using the State Machine Approach Fred B. Schneider * Department of Computer Science Cornell University Ithaca, New York 14853 U.S.A. This chapter reprints my paper "Implementing
More informationCompliance and Requirement Traceability for SysML v.1.0a
1. Introduction: Compliance and Traceability for SysML v.1.0a This document provides a formal statement of compliance and associated requirement traceability for the SysML v. 1.0 alpha specification, which
More informationProfessor: Ian Foster TAs: Xuehai Zhang, Yong Zhao. Winter Quarter. www.classes.cs.uchicago.edu/classes/archive/2003/winter/54001-1
Professor: Ian oster Ts: Xuehai Zhang, Yong Zhao Winter Quarter www.classes.cs.uchicago.edu/classes/archive//winter/541-1 alculate the total time required to transfer a 1 KB file (RTT=1 ms, packet size
More informationApplications. Network Application Performance Analysis. Laboratory. Objective. Overview
Laboratory 12 Applications Network Application Performance Analysis Objective The objective of this lab is to analyze the performance of an Internet application protocol and its relation to the underlying
More informationCS556 Course Project Performance Analysis of M-NET using GSPN
Performance Analysis of M-NET using GSPN CS6 Course Project Jinchun Xia Jul 9 CS6 Course Project Performance Analysis of M-NET using GSPN Jinchun Xia. Introduction Performance is a crucial factor in software
More informationDistributed Data Stores
Distributed Data Stores 1 Distributed Persistent State MapReduce addresses distributed processing of aggregation-based queries Persistent state across a large number of machines? Distributed DBMS High
More informationReplication on Virtual Machines
Replication on Virtual Machines Siggi Cherem CS 717 November 23rd, 2004 Outline 1 Introduction The Java Virtual Machine 2 Napper, Alvisi, Vin - DSN 2003 Introduction JVM as state machine Addressing non-determinism
More informationLoad Balancing and Switch Scheduling
EE384Y Project Final Report Load Balancing and Switch Scheduling Xiangheng Liu Department of Electrical Engineering Stanford University, Stanford CA 94305 Email: liuxh@systems.stanford.edu Abstract Load
More informationToken-ring local area network management
Token-ring local area network management by BARBARA J. DON CARLOS IBM Corporation Research Triangle Park, North Carolina ABSTRACT This paper describes an architecture for managing a token-ring local area
More informationDistributed Database for Environmental Data Integration
Distributed Database for Environmental Data Integration A. Amato', V. Di Lecce2, and V. Piuri 3 II Engineering Faculty of Politecnico di Bari - Italy 2 DIASS, Politecnico di Bari, Italy 3Dept Information
More informationTimer Value IRQ IACK
Real Time Clocks & s Programming with Real-time clocks Real-time clock is just another source of interrupts. Should have high priority in real-time systems Timing jitter must be accommodated or tolerated
More informationBASIC CONCEPTS AND RELATED WORK
Chapter 2 BASIC CONCEPTS AND RELATED WORK This chapter presents the basic concepts and terminology used in this book and gives an overview of system architectures for ultra-dependable, distributed real-time
More informationComputer Network. Interconnected collection of autonomous computers that are able to exchange information
Introduction Computer Network. Interconnected collection of autonomous computers that are able to exchange information No master/slave relationship between the computers in the network Data Communications.
More informationNetwork Design Performance Evaluation, and Simulation #6
Network Design Performance Evaluation, and Simulation #6 1 Network Design Problem Goal Given QoS metric, e.g., Average delay Loss probability Characterization of the traffic, e.g., Average interarrival
More informationSegmentation in a Distributed Real-Time Main-Memory Database
Segmentation in a Distributed Real-Time Main-Memory Database HS-IDA-MD-02-008 Gunnar Mathiason Submitted by Gunnar Mathiason to the University of Skövde as a dissertation towards the degree of M.Sc. by
More informationIEC 61850: Communication Networks and Systems in Substations
IEC 61850: Communication Networks and Systems in Substations Sistemi e strumenti per l'automazione, A. Flammini, AA2011-2012 Background I: Power Grid Sistemi e strumenti per l'automazione A. Flammini,
More informationPerformance tuning policies for application level fault tolerance in distributed object systems
Journal of Computational Methods in Sciences and Engineering 6 (2006) S265 S274 IOS Press S265 Performance tuning policies for application level fault tolerance in distributed object systems Theodoros
More informationThe Byzantine Generals Problem
The Byzantine Generals Problem LESLIE LAMPORT, ROBERT SHOSTAK, and MARSHALL PEASE SRI International Reliable computer systems must handle malfunctioning components that give conflicting information to
More informationonline- phase offline- phase System under Test signals Probe Selection Unit (PSU) FPID trigger FPGA Preprocessing Unit (PPU) Trace Buffer Unit (TBU)
A Recongurable Hardware-Monitor for Communication Analysis in Distributed Real-Time Systems Andreas Kirschbaum and Jurgen Becker and Manfred Glesner Darmstadt University of Technology, Institute of Microelectronic
More informationSubnetting,Supernetting, VLSM & CIDR
Subnetting,Supernetting, VLSM & CIDR WHAT - IP Address Unique 32 or 128 bit Binary, used to identify a system on a Network or Internet. Network Portion Host Portion CLASSFULL ADDRESSING IP address space
More informationSupporting the Workflow Management System Development Process with YAWL
Supporting the Workflow Management System Development Process with YAWL R.S. Mans 1, W.M.P. van der Aalst 1 Department of Mathematics and Computer Science, Eindhoven University of Technology, P.O. ox 513,
More informationEthernet. Ethernet. Network Devices
Ethernet Babak Kia Adjunct Professor Boston University College of Engineering ENG SC757 - Advanced Microprocessor Design Ethernet Ethernet is a term used to refer to a diverse set of frame based networking
More informationA Tool for Multimedia Quality Assessment in NS3: QoE Monitor
A Tool for Multimedia Quality Assessment in NS3: QoE Monitor D. Saladino, A. Paganelli, M. Casoni Department of Engineering Enzo Ferrari, University of Modena and Reggio Emilia via Vignolese 95, 41125
More informationReal-Time (Paradigms) (51)
Real-Time (Paradigms) (51) 5. Real-Time Communication Data flow (communication) in embedded systems : Sensor --> Controller Controller --> Actor Controller --> Display Controller Controller Major
More informationHow To Understand A Self-Adapting Recovery Net (Sarn)
DOI 10.1007/s10619-007-7020-1 Self-adapting recovery nets for policy-driven exception handling in business processes Rachid Hamadi Boualem Benatallah Brahim Medjahed Springer Science+Business Media, LLC
More informationGFI Product Manual. Administration and Configuration Manual
GFI Product Manual Administration and Configuration Manual http://www.gfi.com info@gfi.com The information and content in this document is provided for informational purposes only and is provided "as is"
More information(Refer Slide Time: 02:17)
Internet Technology Prof. Indranil Sengupta Department of Computer Science and Engineering Indian Institute of Technology, Kharagpur Lecture No #06 IP Subnetting and Addressing (Not audible: (00:46)) Now,
More informationImproved Aggressive Update Propagation Technique in Cloud Data Storage
Improved Aggressive Update Propagation Technique in Cloud Data Storage Mohammed Radi Computer science department, Faculty of applied science, Alaqsa University Gaza Abstract: Recently, cloud computing
More informationClock Synchronization
Clock Synchronization Henrik Lönn Electronics & Software Volvo Technological Development Contents General Types of Synchronisation Faults and problems to cope with Example algorithms Transmission delays
More informationOur premise is that a notable part of the delays that can be encountered in. We show that modeling and verifying the requirements separately, before
Interval Reduction through Requirements Analysis Gerard J. Holzmann Margaret H. Smith ABSTRACT Our premise is that a notable part of the delays that can be encountered in system design projects are caused
More informationNetwork Security. Computer Networking Lecture 08. March 19, 2012. HKU SPACE Community College. HKU SPACE CC CN Lecture 08 1/23
Network Security Computer Networking Lecture 08 HKU SPACE Community College March 19, 2012 HKU SPACE CC CN Lecture 08 1/23 Outline Introduction Cryptography Algorithms Secret Key Algorithm Message Digest
More informationSpecification and Analysis of Contracts Lecture 1 Introduction
Specification and Analysis of Contracts Lecture 1 Introduction Gerardo Schneider gerardo@ifi.uio.no http://folk.uio.no/gerardo/ Department of Informatics, University of Oslo SEFM School, Oct. 27 - Nov.
More informationSoftware Architecture Action Guide. Why do we care about Software Architecture?
Software Action Guide Dana Bredemeyer Bredemeyer Consulting Tel: (812) 335-1653 Fax: (812) 335-1652 Email: dana@bredemeyer.com Web: Why do we care about Software? Because we want to be a dominant player
More informationQUEUE MONITORING A Delay Jitter Management Policy *
QUEUE MONITORING A Delay Jitter Management Policy * Donald L. Stone, Kevin Jeffay University of North Carolina at Chapel Hill Department of Computer Science Chapel Hill, NC - USA {stone,jeffay}@cs.unc.edu
More informationConnectivity. Alliance Access 7.0. Database Recovery. Information Paper
Connectivity Alliance Access 7.0 Database Recovery Information Paper Table of Contents Preface... 3 1 Overview... 4 2 Resiliency Concepts... 6 2.1 Database Loss Business Impact... 6 2.2 Database Recovery
More informationMatrix Signatures: From MACs to Digital Signatures in Distributed Systems
Matrix Signatures: From MACs to Digital Signatures in Distributed Systems Amitanand S. Aiyer 1, Lorenzo Alvisi 1,,RidaA.Bazzi 2, and Allen Clement 1 1 Department of Computer Sciences, University of Texas
More informationCS423 Spring 2015 MP4: Dynamic Load Balancer Due April 27 th at 9:00 am 2015
CS423 Spring 2015 MP4: Dynamic Load Balancer Due April 27 th at 9:00 am 2015 1. Goals and Overview 1. In this MP you will design a Dynamic Load Balancer architecture for a Distributed System 2. You will
More informationThe Temporal Firewall--A Standardized Interface in the Time-Triggered Architecture
1 The Temporal Firewall--A Standardized Interface in the Time-Triggered Architecture H. Kopetz TU Vienna, Austria July 2000 Outline 2 Introduction Temporal Accuracy of RT Information The Time-Triggered
More informationEE361: Digital Computer Organization Course Syllabus
EE361: Digital Computer Organization Course Syllabus Dr. Mohammad H. Awedh Spring 2014 Course Objectives Simply, a computer is a set of components (Processor, Memory and Storage, Input/Output Devices)
More informationVeri cation and Validation of Simulation Models
of of Simulation Models mpressive slide presentations Faculty of Math and CS - UBB 1st Semester 2010-2011 Other mportant Validate nput- Hypothesis Type Error Con dence nterval Using Historical nput of
More informationDesign of a High-Availability Multimedia Scheduling Service using Primary-Backup Replication
Design of a High-Availability Multimedia Scheduling Service using Primary-Backup Replication Goudong (Shawn) Liu Vivek Sawant {liug,vivek,lindsey}@cs.unc.edu December 12, 2001 Mark R. Lindsey Abstract
More informationSimple Network Management Protocol
CHAPTER 32 Simple Network Management Protocol Background Simple Network Management Protocol (SNMP) is an application-layer protocol designed to facilitate the exchange of management information between
More informationCHAPTER 5 WLDMA: A NEW LOAD BALANCING STRATEGY FOR WAN ENVIRONMENT
81 CHAPTER 5 WLDMA: A NEW LOAD BALANCING STRATEGY FOR WAN ENVIRONMENT 5.1 INTRODUCTION Distributed Web servers on the Internet require high scalability and availability to provide efficient services to
More informationThe Role of Computers in Synchronous Collaborative Design
The Role of Computers in Synchronous Collaborative Design Wassim M. Jabi, The University of Michigan Theodore W. Hall, Chinese University of Hong Kong Abstract In this paper we discuss the role of computers
More informationA Systematic Approach. to Parallel Program Verication. Tadao TAKAOKA. Department of Computer Science. Ibaraki University. Hitachi, Ibaraki 316, JAPAN
A Systematic Approach to Parallel Program Verication Tadao TAKAOKA Department of Computer Science Ibaraki University Hitachi, Ibaraki 316, JAPAN E-mail: takaoka@cis.ibaraki.ac.jp Phone: +81 94 38 5130
More informationThesis work and research project
Thesis work and research project Hélia Pouyllau, INRIA of Rennes, Campus Beaulieu 35042 Rennes, helia.pouyllau@irisa.fr July 16, 2007 1 Thesis work on Distributed algorithms for endto-end QoS contract
More information10CS64: COMPUTER NETWORKS - II
QUESTION BANK 10CS64: COMPUTER NETWORKS - II Part A Unit 1 & 2: Packet-Switching Networks 1 and Packet-Switching Networks 2 1. Mention different types of network services? Explain the same. 2. Difference
More information1: B asic S imu lati on Modeling
Network Simulation Chapter 1: Basic Simulation Modeling Prof. Dr. Jürgen Jasperneite 1 Contents The Nature of Simulation Systems, Models and Simulation Discrete Event Simulation Simulation of a Single-Server
More informationDeployment of express checkout lines at supermarkets
Deployment of express checkout lines at supermarkets Maarten Schimmel Research paper Business Analytics April, 213 Supervisor: René Bekker Faculty of Sciences VU University Amsterdam De Boelelaan 181 181
More informationAn Integrated Modeling Approach for Analyzing Dependability, Cost and Sustainability of IT Data Center Systems
An Integrated Modeling Approach for Analyzing Dependability, Cost and Sustainability of IT Data Center Systems Gustavo Callou gustavo@deinfo.ufrpe.br Professor Paulo Maciel prmm@cin.ufpe.br Agenda Introduction
More information