    A development method for deriving reusable concurrent programs from verified CSP models

    This work proposes and demonstrates a novel method for software development that applies formal verification techniques to the design and implementation of concurrent programs. This method is supported by a new software tool, CSPIDER, which translates machine-readable Communicating Sequential Processes (CSP) models into encapsulated, reusable components coded in the Go programming language. In relation to existing CSP implementation techniques, this work is only the second to implement a translator, and it provides original support for some CSP language constructs and modelling approaches. The method is evaluated through three case studies: a concurrent sorting array, a trial-division prime number generator, and a component node for the Ricart-Agrawala distributed mutual exclusion algorithm. Each of these case studies presents the formal verification of safety and functional requirements through CSP model-checking, and it is shown that CSPIDER is capable of generating reusable implementations from each model. The Ricart-Agrawala case study demonstrates the application of the method to the design of a protocol component. This method maintains full compatibility with the primary CSP verification tool. Applying the CSPIDER tool requires minimal commitment to an explicitly defined modelling style and a very small set of pre-translation annotations, but all of these measures can be instated prior to verification. The Go code that CSPIDER produces requires no intervention before it may be used as a component within a larger development. The translator provides a traceable, structured implementation of the CSP model, automatically deriving formal parameters and a channel-based client interface from its interpretation of the CSP model. Each case study demonstrates the use of the translated component within a simple test development.

    Data handover on a peer-to-peer system

    This paper presents the DHO API and its integration into a peer-to-peer Grid architecture. It provides efficient management of critical data resources in an extensible distributed setting consisting of a set of peers that may join or leave the system. Locking and mapping of such a resource are handled transparently for users: they may access them through simple function calls. On the lowest level of the proposed architecture, the Exclusive Locks for Mobile Processes (ELMP) algorithm ensures data consistency and guarantees the logical order of requests. All operations in our architecture have an amortized cost of O(log n). An experimental assessment validates the practicality of our proposal.

    Local Mutual Exclusion for Dynamic, Anonymous, Bounded Memory Message Passing Systems

    Mutual exclusion is a classical problem in distributed computing that provides isolation among concurrent action executions that may require access to the same shared resources. Inspired by algorithmic research on distributed systems of weakly capable entities whose connections change over time, we address the local mutual exclusion problem that tasks each node with acquiring exclusive locks for itself and the maximal subset of its "persistent" neighbors that remain connected to it over the time interval of the lock request. Using the established time-varying graphs model to capture adversarial topological changes, we propose and rigorously analyze a local mutual exclusion algorithm for nodes that are anonymous and communicate via asynchronous message passing. The algorithm satisfies mutual exclusion (non-intersecting lock sets) and lockout freedom (eventual success with probability 1) under both semi-synchronous and asynchronous concurrency. It requires Θ(Δ) memory per node and messages of size Θ(1), where Δ is the maximum number of connections per node. We conclude by describing how our algorithm can implement the pairwise interactions assumed by population protocols and the concurrency control operations assumed by the canonical amoebot model, demonstrating its utility in both passively and actively dynamic distributed systems.

    Transparent distributed data management in large scale distributed systems

    In this chapter, we deal with transparency of resource sharing in large distributed systems. By using the Data Handover (DHO), together with a peer-to-peer system, we provide an easy-to-use architecture to claim resources in dynamic environments: data resources are distributed over a set of peers that may appear and disappear. By means of DHO functions, users request the mapping of data into local memory (for reading or writing) without prior knowledge of the location of that data, of the underlying structure, or of the mobility of peers. This abstraction level is ensured by three managers that interact within our three-level architecture. Two algorithms, Exclusive Locks with Mobile Processes (ELMP) and Read-Write Locks with Mobile Processes (RW-LMP), are introduced on the lowest level of the architecture. They ensure data access consistency despite the dynamicity of the environment. Both algorithms satisfy Safety and Liveness properties. Experimental studies show good performance as well as the stability of our approach.

    Byzantine fault-tolerant agreement protocols for wireless Ad hoc networks

    Doctoral thesis, Informatics (Computer Science), Universidade de Lisboa, Faculdade de Ciências, 2010. The thesis investigates the problem of fault- and intrusion-tolerant consensus in resource-constrained wireless ad hoc networks. This is a fundamental problem in distributed computing because it abstracts the need to coordinate activities among various nodes. It has been shown to be a building block for several other important distributed computing problems like state-machine replication and atomic broadcast. The thesis begins by making a thorough performance assessment of existing intrusion-tolerant consensus protocols, which shows that the performance bottlenecks of current solutions are in part related to their system modeling assumptions. Based on these results, the communication failure model is identified as a model that simultaneously captures the reality of wireless ad hoc networks and allows the design of efficient protocols. Unfortunately, the model is subject to an impossibility result stating that there is no deterministic algorithm that allows n nodes to reach agreement if more than n/2 omission transmission failures can occur in a communication step. This result is valid even under strict timing assumptions (i.e., a synchronous system). The thesis applies randomization techniques in increasingly weaker variants of this model, until an efficient intrusion-tolerant consensus protocol is achieved. The first variant simplifies the problem by restricting the number of nodes that may be at the source of a transmission failure at each communication step. An algorithm is designed that tolerates f dynamic nodes at the source of faulty transmissions in a system with a total of n ≥ 3f + 1 nodes. The second variant imposes no restrictions on the pattern of transmission failures. The proposed algorithm effectively circumvents the Santoro-Widmayer impossibility result for the first time. It allows k out of n nodes to decide despite ⌈n/2⌉(n − k) + k − 2 omission failures per communication step. This algorithm also has the interesting property of guaranteeing safety during arbitrary periods of unrestricted message loss. The final variant shares the same properties of the previous one, but relaxes the model in the sense that the system is asynchronous and that a static subset of nodes may be malicious. The obtained algorithm, called Turquois, admits f < n/3 malicious nodes, and ensures progress in communication steps where the number of omission failures does not exceed ⌈(n − f)/2⌉(n − k − f) + k − 2. The algorithm is subject to a comparative performance evaluation against other intrusion-tolerant protocols. The results show that, as the system scales, Turquois outperforms the other protocols by more than an order of magnitude.
    This thesis investigates the problem of consensus tolerant to accidental and malicious faults in wireless ad hoc networks. It is a fundamental problem that captures the essence of coordination among activities involving several nodes of a system, and it is a building block for other important distributed-systems problems such as state-machine replication and atomic broadcast. The thesis begins with a performance evaluation of intrusion-tolerant protocols already in the literature. The results show that the performance limitations of existing solutions are partly related to their system model. Based on these results, the communication failure model is identified as a model that simultaneously captures the environment of wireless ad hoc networks and permits the design of efficient protocols. However, the model is constrained by an impossibility result stating that no algorithm exists that allows n nodes to reach agreement in a system admitting more than n/2 omitted transmissions in a given communication step. This result holds even under strong timing assumptions (i.e., in synchronous systems). The thesis applies randomization techniques in progressively weaker variants of the model until an efficient, intrusion-tolerant protocol is reached. The first variant of the model, in order to simplify the problem, restricts the number of nodes that are at the origin of faulty transmissions. An algorithm is presented that tolerates f dynamic nodes at the origin of faulty transmissions in systems with a total of n ≥ 3f + 1 nodes. The second variant of the model imposes no restrictions on the pattern of faulty transmissions. An algorithm is presented that, for the first time, effectively circumvents the Santoro-Widmayer impossibility result and allows k of n nodes to make progress in communication steps in which the number of omitted transmissions is at most ⌈n/2⌉(n − k) + k − 2. The algorithm also has the interesting property of tolerating arbitrary periods in which the number of omitted transmissions exceeds that bound. The last variant of the model shares the same characteristics as the previous one, but with weaker assumptions about the system. In particular, the system is assumed to be asynchronous and a static subset of the nodes may be malicious. The algorithm presented, called Turquois, admits f < n/3 malicious nodes and ensures progress in communication steps in which the number of omitted transmissions is at most ⌈(n − f)/2⌉(n − k − f) + k − 2. The algorithm is subjected to a comparative performance analysis against other protocols in the literature. The results show that, as the number of nodes in the system increases, the performance of the Turquois protocol surpasses the others by more than an order of magnitude.

    Maturation of Computer Science Research and Education at the University of Maryland: Evolution of the Department of Computer Science from 1979 through 2006

    This report traces the evolution of the Department of Computer Science from 1979 through the end of 2006. In 1979 the department was growing, approaching over 2000 undergraduate majors. This report describes how this crush of students was handled, followed by other significant events in the history of the Department, such as the creation of the Institute for Advanced Computer Studies, moving into the A. V. Williams Building, creating its own computer laboratory, as well as the creation of various centers and institutes that helped further its growing research reputation. At the end of 2006, the Department had close to 50 faculty members, was nationally ranked, and was ranked one of the highest departments on the University of Maryland campus.

    Autonomous Operation of a Reconfigurable Multi-Robot System for Planetary Space Missions

    Reconfigurable robots can physically merge and form new types of composite systems. This ability leads to additional degrees of freedom for robot operations, especially when dynamically composed robotic systems offer capabilities that none of the individual systems have. Research in the area of reconfigurable multi-robot systems has mainly been focused on swarm-based robots and thereby on systems with a high degree of modularity but a heavily restricted set of capabilities. In contrast, this thesis deals with heterogeneous robot teams comprising individually capable robots which are also modular and reconfigurable. In particular, the autonomous application of such reconfigurable multi-robot systems to enhance robotic space exploration missions is investigated. Exploiting the flexibility of a reconfigurable multi-robot system requires an appropriate system model and reasoner. Hence, this thesis introduces a special organisation model. This model accounts for the key characteristics of reconfigurable robots, which are constrained by the availability and compatibility of hardware interfaces. A newly introduced mapping function between resource structures and functional properties permits characterising dynamically created agent compositions. Since a combinatorial challenge lies in the identification of feasible and functionally suitable agents, this thesis further suggests bounding strategies to reason efficiently with composite robotic systems. This thesis proposes a mission planning algorithm which permits exploiting the flexibility of reconfigurable multi-robot systems. The implemented planner builds upon the developed organisation model so that multi-robot missions can be specified by high-level functionality constraints which are resolved to suitable combinations of robots. Furthermore, the planner synchronises robot activities over time and characterises plans according to three objectives: efficacy, efficiency and safety. The planner's evaluation demonstrates an optimization of an exemplary space mission. This research is based on the parallel development of theoretical concepts and practical solutions while working with three reconfigurable multi-robot teams. The operation of a reconfigurable robotic team comes with practical constraints. Therefore, this thesis composes and evaluates an operational infrastructure which can serve as a reference implementation. The identification and combination of applicable state-of-the-art technologies results in a distributed and dynamically extensible communication infrastructure which can maintain the properties of reconfigurable multi-robot systems. Field tests covering semi-autonomous and autonomous operation have been performed to characterise multi-robot missions and validate the autonomous control approach for reconfigurable multi-robot systems. The practical evaluation identified critical constraints and design elements for a successful application of reconfigurable multi-robot systems. Furthermore, the experiments point to improvements for the organisation model. This thesis is a holistic approach to automating reconfigurable multi-robot systems. It identifies theoretical as well as practical challenges and it suggests effective solutions which permit an exploitation of an increased level of flexibility in future robotics missions.

    Agreement-related problems:from semi-passive replication to totally ordered broadcast

    Agreement problems constitute a fundamental class of problems in the context of distributed systems. All agreement problems follow a common pattern: all processes must agree on some common decision, the nature of which depends on the specific problem. This dissertation mainly focuses on three important agreement problems: Replication, Total Order Broadcast, and Consensus. Replication is a common means to introduce redundancy in a system, in order to improve its availability. A replicated server is a server that is composed of multiple copies so that, if one copy fails, the other copies can still provide the service. Each copy of the server is called a replica. The replicas must all evolve in a manner that is consistent with the other replicas. Hence, updating the replicated server requires that every replica agrees on the set of modifications to carry over. There are two principal replication schemes to ensure this consistency: active replication and passive replication. In Total Order Broadcast, processes broadcast messages to all processes. However, all messages must be delivered in the same order. Also, if one process delivers a message m, then all correct processes must eventually deliver m. The problem of Consensus gives an abstraction to most other agreement problems. All processes initiate a Consensus by proposing a value. Then, all processes must eventually decide the same value v, which must be one of the proposed values. These agreement problems are closely related to each other. For instance, Chandra and Toueg [CT96] show that Total Order Broadcast and Consensus are equivalent problems. In addition, Lamport [Lam78] and Schneider [Sch90] show that active replication needs Total Order Broadcast. As a result, active replication is also closely related to the Consensus problem. The first contribution of this dissertation is the definition of the semi-passive replication technique. Semi-passive replication is a passive replication scheme based on a variant of Consensus (called Lazy Consensus and also defined here). From a conceptual point of view, the result is important as it helps to clarify the relation between passive replication and the Consensus problem. In practice, this makes it possible to design systems that react more quickly to failures. The problem of Total Order Broadcast is well-known in the field of distributed systems and algorithms. In fact, more than fifty algorithms have already been published on the problem so far. Although quite similar, it is difficult to compare these algorithms as they often differ with respect to their actual properties, assumptions, and objectives. The second main contribution of this dissertation is to define five classes of total order broadcast algorithms, and to relate existing algorithms to those classes. The third contribution of this dissertation is to compare the expected performance of the various classes of total order broadcast algorithms. To achieve this goal, we define a set of metrics to predict the performance of distributed algorithms.