FRIENDS - A flexible architecture for implementing fault tolerant and secure distributed applications

FRIENDS is a software-based architecture for implementing fault-tolerant and, to some extent, secure applications. This architecture is composed of sub-systems and libraries of metaobjects. Transparency and separation of concerns is provided not only to the application programmer but also to the programmers implementing metaobjects for fault tolerance, secure communication and distribution. Common services required for implementing metaobjects are provided by the sub-systems. Metaobjects are implemented using object-oriented techniques and can be reused and customised according to the application needs, the operational environment and its related fault assumptions. Flexibility is increased by a recursive use of metaobjects. Examples and experiments are also described

A metaobject architecture for fault-tolerant distributed systems : the FRIENDS approach

The FRIENDS system developed at LAAS-CNRS is a metalevel architecture providing libraries of metaobjects for fault tolerance, secure communication, and group-based distributed applications. The use of metaobjects provides a nice separation of concerns between mechanisms and applications. Metaobjects can be used transparently by applications and can be composed according to the needs of a given application, a given architecture, and its underlying properties. In FRIENDS, metaobjects are used recursively to add new properties to applications. They are designed using an object oriented design method and implemented on top of basic system services. This paper describes the FRIENDS software-based architecture, the object-oriented development of metaobjects, the experiments that we have done, and summarizes the advantages and drawbacks of a metaobject approach for building fault-tolerant system

Fragmentation of confidential objects for data processing security in distributed systems

This paper discusses how object orientation in application design enables confidentiality aspects to be handled more easily than in conventional approaches. The idea, based on object fragmentation at design time, is to reduce processing in confidential objects; the more non confidential objects can be produced at design-time, the more application objects can be processed on untrusted shared computers. Still confidential objects must be processed on non shared trusted workstations. Rules and limits of object fragmentation are discussed together with some criteria evaluating trade-offs between fragmentation and performance

Processing of confidential information in distributed systems by fragmentation

This paper discusses how object orientation in application design enables confidentiality aspects to be handled more easily than in conventional approaches. The approach is based on the Fragmentation-Redundancy-Scattering technique developed at LAAS–CNRS for several years. This technique and previous developments are briefly summarized. The idea developed in this paper is based on object fragmentation at design time for reducing data processing in confidential objects; the more non confidential objects can be produced at design-time, the more application objects can be processed on untrusted shared computers. Still confidential objects must be processed on non shared trusted workstations. Rules and limits of object fragmentation are discussed together with some criteria evaluating tradeoffs between fragmentation and performance. Finally, a distributed object-oriented support especially fitted for fragmented applications is briefly described

Implementing fault tolerant applications using reflective object-oriented programming

Abstract: Shows how reflection and object-oriented programming can be used to ease the implementation of classical fault tolerance mechanisms in distributed applications. When the underlying runtime system does not provide fault tolerance transparently, classical approaches to implementing fault tolerance mechanisms often imply mixing functional programming with non-functional programming (e.g. error processing mechanisms). The use of reflection improves the transparency of fault tolerance mechanisms to the programmer and more generally provides a clearer separation between functional and non-functional programming. The implementations of some classical replication techniques using a reflective approach are presented in detail and illustrated by several examples, which have been prototyped on a network of Unix workstations. Lessons learnt from our experiments are drawn and future work is discussed

Mixed Critical Automotive Embedded Applications on Multicores: A Safe Scheduling Approach for Dependability

International audienceMemory access durations on multicore architectures are highly variable, since concurrent accesses to memory by different cores induce time interferences. Consequently, critical software tasks may be delayed by noncritical ones, leading to deadline misses and possible catastrophic failures. We present an approach to tackle the implementation of mixed criticality workloads on multicore chips, focusing on task chains, i.e., sequences of tasks with end-to-end deadlines. Our main contribution is a Monitoring & Control System able to stop noncritical software execution in order to prevent memory interference and guarantee that critical tasks deadlines are met. This paper describes our approach, and the associated experimental framework to conduct experiments to analyze attainable real-time guarantees on a multicore platform

Prévention et détection des interférences inter-aspects (méthode et application à l'aspectisation de la tolérance aux fautes)

La programmation orientée aspects (POA) sépare les différentes préoccupations composant un système informatique pour améliorer la modularité. La POA offre de nombreux bénéfices puisqu'elle permet de séparer le code fonctionnel du code non-fonctionnel améliorant ainsi leur réutilisation et la configurabilitè des systèmes informatiques. La configurabilité est un élément essentiel pour assurer la résilience des systèmes informatiques, puisqu elle permet de modifier les mécanismes de sûreté de fonctionnement. Cependant le paradigme de programmation orientée aspect introduit de nouveaux défis pour le test. Dans les systèmes de grande taille où plusieurs préoccupations non fonctionnelles cohabitent, une implémentation à l'aide d'aspects de ces préoccupations peut être problématique. Partageant le même flot de données et le même flot de contrôle les aspects implémentant les différentes préoccupations peuvent écrire dans des variables lues par d'autres aspects ou interrompre le flot de contrôle commun aux différents aspects empêchant ainsi l'exécution de certains d'entre eux. Dans cette thèse nous nous intéressons plus spécifiquement aux interférences entre aspects dans le cadre du développement de mécanismes de tolérance aux fautes implémentés sous forme d aspects. Ces interférences sont dues à une absence de déclaration de précédence entre les aspects ou à une déclaration de précédence erronée. Afin de mieux maîtriser l assemblage des différents aspects composant un mécanisme de tolérance aux fautes, nous avons développé une méthode alliant l'évitement à la détection des interférences au niveau du code. Le but de l'évitement est d'empêcher l'introduction d'interférences en imposant une déclaration de précédence entre les aspects lors de l'intégration des aspects. La détection permet d'exhiber lors du test les erreurs introduites dans la déclaration des précédences. Ces deux facettes de notre approche sont réalisées grâce à l utilisation d une extension d'AspectJ appelée AIRIA. Les constructions d'AIRIA permettent l instrumentation et donc la détection des interférences entre aspects, avec des facilités de compilation permettant de mettre en œuvre l évitement d interférences. Notre approche est outillée et vise à limiter le temps de déboguage : le testeur peut se concentrer directement sur les points où une interférence se produit. Nous illustrons notre approche sur une étude de cas: un protocole de réplication duplex. Dans ce contexte le protocole est implémenté en utilisant des aspects à grain fin permettant ainsi une meilleure configurabilité de la politique de réplication. Nous montrons que l'assemblage de ces aspects à grain fin donne lieu à des interférences de flot de données et flot de contrôle qui sont détectées par notre approche d'instrumentation. Nous définissons un ensemble d'aspects interférant pour l'exemple, et nous montrons comment notre approche permet la détection d'interférences.Aspect-oriented programming (AOP) separates the different concerns of a computer software system to improve modularity. AOP offers many benefits since it allows separating the functional code from the non-functional code, thus improving reuse and configurability of computer systems. Configurability is essential to ensure the resilience of computer systems, since it allows modifying the dependability mechanisms. However, the paradigm of aspectoriented programming introduces new challenges regarding testing. In large systems where multiple non-functional concerns coexist, an AOP implementation of these concerns can be problematic. Sharing the same data flow and the same control flow, aspects implementing different concerns can write into variables read by other aspects, or interrupt the control flow involving various aspects, and thus preventing the execution of some aspects in the chain. In this work we focus more specifically on interference between aspects implementing fault tolerance mechanisms. This interference is due to a lack of declaration of fine-grain precedence between aspects or an incorrect precedence declaration. To better control the assembly of the various aspects composing fault tolerance mechanisms, we have developed a method combining avoidance of interferences with runtime detection interferences at code level. The purpose of avoidance is to prevent the introduction of interference by requiring a statement of precedence between aspects during the aspects integration. Detection allows exhibiting during the test, errors introduced in the precedence statement. These two aspects of our approach are performed through the use of an extension called AspectJ AIRIA. AIRIA s constructs allow instrumentation and therefore the detection of interference between aspects, with facilities compilation to implement the interference avoidance. Our approach is designed and equipped to limit the debugging time : the tester can focus directly on the points where an interference occurs. Finaly, we illustrate our approach on a case study : a duplex replication protocol. In this context, the protocol is implemented using fine grained aspects allowing a better configurability of the replication policy.We show that the assembly of these fine-grained aspects gives rise to interference data flow and control flow that are detected by our instrumentation approach. We define a set of interfering aspects in this example, and show how our approach allows the detection of interferences.TOULOUSE-INP (315552154) / SudocSudocFranceF

Fine-Grained Implementation of Fault Tolerance Mechanisms with AOP: To What Extent?

Abstract: The benefits of using aspect oriented programming (AOP) for separation of concerns is well-known and has been demonstrated in many works, including for dependable computing. In this paper, we use this composition capability of AOP to develop micro-aspects that can be combined together to realize a given fault tolerance mechanism. The toolbox of microaspects can be used to make mechanisms easily configurable and by the way to simplify their update. We show that the composition of micro aspects leads to undesirable side effects of the interactions between them, called interferences. We propose an approach to detect interferences with executable assertions, using an extension of AspectJ called AIRIA that enables control over an aspect chain at a shared join point. We finally draw the lessons learnt and discuss to what extent AOP can be used to develop fault tolerance mechanisms

Test 1157: John Deere 2630 and 2640 Diesel

EXPLANATION OF TEST REPORT GENERAL CONDITIONS East tractor is a production model equipped for common usage. Power consuming accessories can be disconnected only when it is convenient for the operator to do so in practice. Additional weight can be added as ballast if the manufacturer regularly supplies it for sale. The static tire loads and the inflation pressures muse conform to recommendations in the Tire Standards published by the Society of Automotive Engineers. PREPARATION FOR PERFORMANCE RUNS The engine crank case is drained and refilled with a measured amount of new oil conforming to specifications in the operator’s manual. The fuel used and the maintenance operations must also conform to the published information delivered with the tractor. The tractor is then limbered-up for 1 hour on drawbar work in accordance with the manufacturers published recommendations. The manufacturer’s representative is present to make appropriate decisions regarding mechanical adjustments. The tractor is equipped with approximately the amount of added ballast that is used during maximum drawbar tests. The tire tread-bar height must be at least 65% of new tread height prior to the maximum power run. BELT OR POWER TAKE-OFF PERFORMANCE Maximum Power and Fuel Consumption. The manufacturer’s representative makes carburetor, fuel pump, ignition and governor control settings which remain unchanged throughout tall subsequent runs. The governor and the manually operated governor control lever is set to provide the high-idle speed specified by the manufacturer for maximum power. Maximum power is measured by connecting the belt pulley or the power take-off to a dynamometer. The dynamometer load is then gradually increased until the engine is operating at the rated speed specified by the manufacturer for maximum power. The corresponding fuel consumption is measured. Varying Power and Fuel Consumption. Six different horsepower levels are used to show corresponding fuel consumption rates and how the governor causes the engine to react to the following changes in dynamometer load: 85% of the dynamometer torque at maximum power; minimum dynamometer torque, ½ the 85% torque; maximum power; ¼ and ¾ of the 85% torque. Since at tractor is generally subjected to varying loads the average of the results in this test serve well for predicting the fuel consumption of a tractor in general usage. DRAWBAR PERFORMANCE All engine adjustments are the same as those used in the belt or power take-off tests. If the manufacturer specifies a different rated crankshaft speed for drawbar operations, then the position of the manually operated governor control is changed to provide the high-idle speed specified by the manufacturer in the operating instructions. Varying Power and Fuel Consumption With Ballast. The varying power runs are made to show the effect of speed-control devices (engine governor, automatic transmissions, etc.) on horsepower, speed and fuel consumption. These runs are made around the entire test course with has two 180 degree turns with a minimum radius of 50 feet. The drawbar pull is set at 3 different levels as follows: (1) as near to the pull a maximum power as possible and still have the tractor maintain the travel speed at maximum horsepower on the straight sections of the test course; (2) 75% of the pull at maximum power; and (3) 50% of the pull at maximum power. Prior to 1958, fuel consumption data (10 hour test) were shown only for the pull obtained at maximum power for tractors having torque converters and at 75% of the pull obtained at maximum power for gear-type tractors. Maximum Power With Ballast. Maximum power is measured on straight level sections of the test course. Data are shown for not more that 12 different gears or travel speeds. Some gears or travel speeds may be omitted because of high slippage of the traction members or because the travel speed may exceed the safe-limit for the test course. The maximum safe speed for the Nebraska Test course has been set at 15 miles per hour. The slippage limits have been set at 15% and 7% for pneumatic tires and steel tracks or lugs, respectively. Higher slippage gives widely varying results. Maximum Power Without Ballast. All added ballast is removed from the tractor. The maximum drawbar power of the tractor is determined by the same procedure used for getting maximum power with ballast. The gear (or travel speed) is the same as that used in the 10-hours test. Varying Power and Travel Speed With Ballast. Travel speeds corresponding to drawbar pulls beyond the maximum power range are obtained to show the “lugging ability” of the tractor. The run starts with the pull at maximum power; then additional drawbar pull is applied to cause decreasing speeds. The run is ended by one of three conditions; (1) maximum pull is obtained, (2) the maximum slippage limit is reached, or (3) some other operating limit is reached

Search for Charginos with a Small Mass Difference with the Lightest Supersymmetric Particle at \sqrt{s} = 189 GeV

A search for charginos nearly mass-degenerate with the lightest supersymmetric particle is performed using the 176 pb^-1 of data collected at 189 GeV in 1998 with the L3 detector. Mass differences between the chargino and the lightest supersymmetric particle below 4 GeV are considered. The presence of a high transverse momentum photon is required to single out the signal from the photon-photon interaction background. No evidence for charginos is found and upper limits on the cross section for chargino pair production are set. For the first time, in the case of heavy scalar leptons, chargino mass limits are obtained for any \tilde{\chi}^{+-}_1 - \tilde{\chi}^0_1 mass difference