
Dependable Computing
Description
Covering dependability from software and hardware perspectives
Dependable Computing: Design and Assessment looks at both the software and hardware aspects of dependability.
This book:
* Provides an in-depth examination of dependability/fault tolerance topics
* Describes dependability taxonomy, and briefly contrasts classical techniques with their modern counterparts or extensions
* Walks up the system stack from the hardware logic via operating systems up to software applications with respect to how they are hardened for dependability
* Describes the use of measurement-based analysis of computing systems
* Illustrates technology through real-life applications
* Discusses security attacks and unique dependability requirements for emerging applications, e.g., smart electric power grids and cloud computing
* Finally, using critical societal applications such as autonomous vehicles, large-scale clouds, and engineering solutions for healthcare, the book illustrates the emerging challenges faced in making artificial intelligence (AI) and its applications dependable and trustworthy.
This book is suitable for those studying in the fields of computer engineering and computer science. Professionals who are working within the new reality to ensure dependable computing will find helpful information to support their efforts. With the support of practical case studies and use cases from both academia and real-world deployments, the book provides a journey of developments that include the impact of artificial intelligence and machine learning on this ever-growing field. This book offers a single compendium that spans the myriad areas in which dependability has been applied, providing theoretical concepts and applied knowledge with content that will excite a beginner, and rigor that will satisfy an expert. Accompanying the book is an online repository of problem sets and solutions, as well as slides for instructors, that span the chapters of the book.
Persons
Ravishankar K. Iyer is George and Ann Fisher Distinguished Professor of Engineering at the University of Illinois Urbana-Champaign, USA. He holds joint appointments in the Departments of Electrical & Computer Engineering and Computer Science as well as the Coordinated Science Laboratory (CSL), the National Center for Supercomputing Applications (NCSA), and the Carl R. Woese Institute for Genomic Biology. The winner of numerous awards and honors, he was the founding chief scientist of the Information Trust Institute at UIUC, a campus-wide research center addressing security, reliability, and safety issues in critical infrastructures.
Zbigniew T. Kalbarczyk is a Research Professor in the Department of Electrical & Computer Engineering and the Coordinated Science Laboratory of the University of Illinois Urbana-Champaign, USA. He is a member of the IEEE, the IEEE Computer Society, and IFIP Working Group 10.4 on Dependable Computing and Fault Tolerance. Dr. Kalbarczyk's research interests are in the design and validation of reliable and secure computing systems. His current work explores emerging computing technologies, machine learning-based methods for early detection of security attacks, analysis of data on failures and security attacks in large computing systems, and more.
Nithin M. Nakka received his B. Tech (hons.) degree from the Indian Institute of Technology, Kharagpur, India, and his M.S. and Ph.D. degrees from the University of Illinois Urbana-Champaign, USA. He is a Technical Leader at Cisco Systems and has worked across most layers of the networking stack, including network data-plane hardware, layer-2 and layer-3 control planes, network controllers, and network fabric monitoring. His areas of research interest include systems reliability, network telemetry, and hardware-implemented fault tolerance.
Content
About the Authors xxiii
Preface xxv
Acknowledgments xxvii
About the Companion Website xxix
1 Dependability Concepts and Taxonomy 1
1.1 Introduction 1
1.2 Placing Classical Dependability Techniques in Perspective 2
1.3 Taxonomy of Dependable Computing 4
1.3.1 Faults, Errors, and Failures 5
1.4 Fault Classes 6
1.5 The Fault Cycle and Dependability Measures 6
1.6 Fault and Error Classification 7
1.7 Mean Time Between Failures 11
1.8 User-perceived System Dependability 13
1.9 Technology Trends and Failure Behavior 14
1.10 Issues at the Hardware Level 15
1.11 Issues at the Platform Level 17
1.12 What is Unique About this Book? 18
1.13 Overview of the Book 19
References 20
2 Classical Dependability Techniques and Modern Computing Systems: Where and How Do They Meet? 25
2.1 Illustrative Case Studies of Design for Dependability 25
2.2 Cloud Computing: A Rapidly Expanding Computing Paradigm 31
2.3 New Application Domains 37
2.4 Insights 52
References 52
3 Hardware Error Detection and Recovery Through Hardware-Implemented Techniques 57
3.1 Introduction 57
3.2 Redundancy Techniques 58
3.3 Watchdog Timers 67
3.4 Information Redundancy 69
3.5 Capability and Consistency Checking 93
3.6 Insights 93
References 96
4 Processor Level Error Detection and Recovery 101
4.1 Introduction 101
4.2 Logic-level Techniques 104
4.3 Error Protection in the Processors 115
4.4 Academic Research on Hardware-level Error Protection 122
4.5 Insights 134
References 137
5 Hardware Error Detection Through Software-Implemented Techniques 141
5.1 Introduction 141
5.2 Duplication-based Software Detection Techniques 142
5.3 Control-Flow Checking 146
5.4 Heartbeats 166
5.5 Assertions 173
5.6 Insights 174
References 175
6 Software Error Detection and Recovery Through Software Analysis 179
6.1 Introduction 179
6.2 Diverse Programming 183
6.3 Static Analysis Techniques 194
6.4 Error Detection Based on Dynamic Program Analysis 217
6.5 Processor-Level Selective Replication 233
6.6 Runtime Checking for Residual Software Bugs 239
6.7 Data Audit 242
6.8 Application of Data Audit Techniques 246
6.9 Insights 252
References 253
7 Measurement-based Analysis of System Software: Operating System Failure Behavior 261
7.1 Introduction 261
7.2 MVS (Multiple Virtual Storage) 262
7.3 Experimental Analysis of OS Dependability 273
7.4 Behavior of the Linux Operating System in the Presence of Errors 275
7.5 Evaluation of Process Pairs in Tandem GUARDIAN 295
7.6 Benchmarking Multiple Operating Systems: A Case Study Using Linux on Pentium, Solaris on SPARC, and AIX on POWER 308
7.7 Dependability Overview of the Cisco Nexus Operating System 326
7.8 Evaluating Operating Systems: Related Studies 330
7.9 Insights 331
References 332
8 Reliable Networked and Distributed Systems 337
8.1 Introduction 337
8.2 System Model 339
8.3 Failure Models 340
8.4 Agreement Protocols 342
8.5 Reliable Broadcast 346
8.6 Reliable Group Communication 351
8.7 Replication 358
8.8 Replication of Multithreaded Applications 370
8.9 Atomic Commit 396
8.10 Opportunities and Challenges in Resource-Disaggregated Cloud Data Centers 400
References 405
9 Checkpointing and Rollback Error Recovery 413
9.1 Introduction 413
9.2 Hardware-Implemented Cache-Based Checkpointing Schemes 415
9.3 Memory-Based Schemes 421
9.4 Operating-System-Level Checkpointing 424
9.5 Compiler-Assisted Checkpointing 432
9.6 Error Detection and Recovery in Distributed Systems 438
9.7 Checkpointing Latency Modeling 451
9.8 Checkpointing in Main Memory Database Systems (MMDB) 455
9.9 Checkpointing in Distributed Database Systems 463
9.10 Multithreaded Checkpointing 468
References 470
10 Checkpointing Large-Scale Systems 475
10.1 Introduction 475
10.2 Checkpointing Techniques 476
10.3 Checkpointing in Selected Existing Systems 484
10.4 Modeling Coordinated Checkpointing for Large-Scale Supercomputers 492
10.5 Checkpointing in Large-Scale Systems: A Simulation Study 502
10.6 Cooperative Checkpointing 506
References 508
11 Internals of Fault Injection Techniques 511
11.1 Introduction 511
11.2 Historical View of Software Fault Injection 513
11.3 Fault Model Attributes 517
11.4 Compile-Time Fault Injection 517
11.5 Runtime Fault Injection 521
11.6 Simulation-Based Fault Injection 529
11.7 Dependability Benchmark Attributes 530
11.8 Architecture of a Fault Injection Environment: NFTAPE Fault/Error Injection Framework Configured to Evaluate Linux OS 531
11.9 ML-Based Fault Injection: Evaluating Modern Autonomous Vehicles 547
11.10 Insights and Concluding Remarks 574
References 574
12 Measurement-Based Analysis of Large-Scale Clusters: Methodology 585
12.1 Introduction 585
12.2 Related Research 587
12.3 Steps in Field Failure Data Analysis 594
12.4 Failure Event Monitoring and Logging 597
12.5 Data Processing 608
12.6 Data Analysis 622
12.7 Estimation of Empirical Distributions 634
12.8 Dependency Analysis 641
References 651
13 Measurement-Based Analysis of Large Systems: Case Studies 667
13.1 Introduction 667
13.2 Case Study I: Failure Characterization of a Production Software-as-a-Service Cloud Platform 667
13.3 Case Study II: Analysis of Blue Waters System Failures 686
13.4 Case Study III: Autonomous Vehicles: Analysis of Human-Generated Data 710
References 737
14 The Future: Dependable and Trustworthy AI Systems 745
14.1 Introduction 745
14.2 Building Trustworthy AI Systems 748
14.3 Offline Identification of Deficiencies 753
14.4 Online Detection and Mitigation 769
14.5 Trust Model Formulation 772
14.6 Modeling the Trustworthiness of Critical Applications 775
14.7 Conclusion: How Can We Make AI Systems Trustworthy? 786
References 788
Index 797
1 Dependability Concepts and Taxonomy
1.1 Introduction
Every single failure in any computing device is a potential cause for concern. Reliable computing and fault tolerance, or, to use a more current term, dependable computing, is a longstanding area of research and practical implementation. This broad area of study started in the mid-fifties with John von Neumann's construction of reliable systems from unreliable systems or components. Over the years, significant advancements and deployments have been made in commercial telecommunications, defense, and business applications that address a wide range of potential failures. Today, an explosion in the complexity of systems, applications, and operating systems has resulted in ever-expanding failure sources. That, combined with explosive growth in computing as an enterprise in all areas of human endeavor, has brought forth new challenges and opportunities in designing dependable systems. Further, early detection, rapid concurrent/online diagnosis, and efficient and complete recovery are key to the design of systems that continue to operate in the event of errors. They must be complemented by ongoing analysis and monitoring of failures, supported by strong statistical models. In dependability, an understanding of real failures is critical in the design, implementation, deployment, and validation of reliability techniques. Design and validation must go hand in hand in developing new systems. While dependability techniques protect systems against known faults, their greatest efficacy comes from their ability to safeguard against unanticipated failures due to accidental errors or malicious attacks.
This chapter sets the theme of the book by first placing classic work on dependability techniques in perspective and relating their importance for current computing systems. That assessment is followed by a description of the complexity of systems built using present-day hardware designs, architectures, and software technologies that pose compelling challenges in providing continuous availability against a vast array of potential failures. Examples are provided of the developmental (or changing) trends in these areas that motivate the need for a newer perspective on dependability. The purpose of this chapter is to bring forth the recent challenges and opportunities in the reliability domain. (Possible solutions and techniques for fault tolerance and security will be explained as the book unfolds in the remaining chapters.) The discussion concludes with an introduction of dependability concepts, definitions, a taxonomy of failures, and a sample set of measurements from real systems in preparation for the next chapter's description of basic techniques.
The entire book follows the theme set by this chapter in introducing fundamentals of techniques with examples of prior deployment of the techniques in systems currently in use, with the goal of educating the reader on the applicability of these techniques, and any modifications or adaptations they need for use in modern and upcoming systems.
1.2 Placing Classical Dependability Techniques in Perspective
The earliest diagnostic techniques were developed for testing and failure recovery in the ILLIAC machine at the University of Illinois [1, 2] in the 1950s. When ILLIAC I (1950) and ILLIAC II (1961) were built at Illinois, fault diagnosis consisted of a battery of programs that exercised different sections of the machine. Typically, the test programs compared answers computed in two different ways, or stressed what was suspected to be a vulnerable part. In the ILLIAC II, the arithmetic and control units were designed to operate asynchronously, using a double handshake for each control signal and its acknowledgment. That protocol simplified the fault diagnosis, as it was used as an automatic fault detection mechanism. Most faults caused the control to wait for the next step in the asynchronous handshake protocol; that next step was identified using indicator lights for the flip-flops.
Spaceborne computing systems were one of the earliest avenues for dependability design. Early work on dependability in space-mission systems was performed on the JPL-STAR (Jet Propulsion Laboratory Self-Testing and Repair) computer (1971) [3] and on Voyager [4], leading to work on the Boeing 777 [5]. Although the craft carrying the JPL-STAR computer never went into space, its development resulted in the design and implementation of a range of techniques that are considered standard today. The Voyager computer (launched in 1977) used block redundancy (a form of standby redundancy in which redundancy is provided at the subsystem level, e.g., the attitude control subsystem, rather than internally within each subsystem) for fault tolerance. Heartbeat-based hardware- and software-implemented techniques were used for error detection. For example, in hardware, an error was detected if a command for the primary (in the dual-redundant configuration) arrived before the current command had been completely processed; in software, an error was detected when the output unit in the primary remained unavailable for more than 14 seconds. Further developments in dependability in aviation were used in the design of the Boeing 777 fly-by-wire system, which used triple modular redundancy for all hardware resources, including the computing system, airplane electrical power, hydraulic power, and communication path.
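The two Voyager-style detection rules in the paragraph above, worked through as an added example (this is not code from the book or from the Voyager design): a hardware-style command-overrun check on the active unit, and a software-style heartbeat timeout that switches a dual-redundant pair from primary to standby once the primary's output unit has been silent for more than 14 seconds. The `Unit`/`Monitor` names, the event timeline and the command durations are constructed for illustration; only the 14-second threshold is taken from the text.

```python
"""Heartbeat-based error detection for a dual-redundant (primary/standby) unit.

Added example with a simulated clock. It models two detection rules:
  1. hardware check: a command arriving before the previous one has completed
     is flagged as an overrun and rejected;
  2. software check: the primary's output unit being silent (no heartbeat) for
     more than HEARTBEAT_TIMEOUT seconds triggers a one-time switch to standby.
Unit names, the Event timeline and command durations below are constructed
for illustration and are not taken from the Voyager design.
"""
from dataclasses import dataclass, field
from typing import List, Optional

HEARTBEAT_TIMEOUT = 14.0  # seconds; the threshold quoted in the text


@dataclass
class Unit:
    name: str
    busy_until: float = 0.0      # simulated time when the current command finishes
    last_heartbeat: float = 0.0  # last time the output unit reported "available"


@dataclass
class Monitor:
    primary: Unit
    standby: Unit
    log: List[str] = field(default_factory=list)
    failed_over: bool = False

    def active(self) -> Unit:
        """The unit currently receiving commands."""
        return self.standby if self.failed_over else self.primary

    def on_command(self, now: float, duration: float) -> bool:
        """Hardware-style check: reject a command that overruns the one in flight.
        Returns True if the command was accepted by the active unit."""
        unit = self.active()
        if now < unit.busy_until:
            self.log.append(f"{now:6.1f}s ERROR overrun on {unit.name}: "
                            f"busy until {unit.busy_until:.1f}s")
            return False
        unit.busy_until = now + duration
        self.log.append(f"{now:6.1f}s {unit.name} accepted command ({duration:.1f}s)")
        return True

    def on_heartbeat(self, now: float, unit_name: str) -> None:
        """Record that the named unit's output was available at time `now`."""
        for u in (self.primary, self.standby):
            if u.name == unit_name:
                u.last_heartbeat = now

    def tick(self, now: float) -> Optional[str]:
        """Software-style check: detect a silent primary and fail over once.
        Returns the name of the newly active unit if a failover happened."""
        if self.failed_over:
            return None
        silent_for = now - self.primary.last_heartbeat
        if silent_for > HEARTBEAT_TIMEOUT:
            self.failed_over = True
            self.log.append(f"{now:6.1f}s ERROR {self.primary.name} silent for "
                            f"{silent_for:.1f}s > {HEARTBEAT_TIMEOUT}s; "
                            f"switching to {self.standby.name}")
            return self.standby.name
        return None


def run_scenario() -> Monitor:
    """Constructed timeline: the primary works, then stops heartbeating at t=20;
    a command at t=12 overruns the 5-second command issued at t=10."""
    m = Monitor(Unit("primary"), Unit("standby"))
    events = [  # (time, kind, payload): payload is a unit name or a duration
        (0.0, "hb", "primary"), (0.0, "hb", "standby"),
        (10.0, "cmd", 5.0),
        (10.0, "hb", "primary"), (10.0, "hb", "standby"),
        (12.0, "cmd", 1.0),        # overrun: primary busy until 15.0
        (20.0, "hb", "primary"), (20.0, "hb", "standby"),
        (25.0, "hb", "standby"), (30.0, "hb", "standby"),
        (35.0, "hb", "standby"),   # primary silent since 20.0: 15 s > 14 s
        (36.0, "cmd", 2.0),        # lands on the standby after failover
    ]
    for now, kind, payload in events:
        if kind == "hb":
            m.on_heartbeat(now, payload)
        else:
            m.on_command(now, payload)
        m.tick(now)
    return m


if __name__ == "__main__":
    for line in run_scenario().log:
        print(line)
```

The overrun check is evaluated synchronously on each command, as a hardware interlock would be, while the heartbeat check runs on every tick of the simulated clock; in a real system the latter would be driven by a periodic timer, and the threshold should exceed the longest legitimate gap between "available" reports so that a slow but healthy unit is not switched out.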
The basic techniques established for hardware redundancy and software-based fault and failure management, exceptions, and their handling in software, and the use of error codes in memory systems, transmission, and disk systems have been the mainstay of practical and commercial systems such as the AT&T No. 5 ESS [6], IBM S/360, and IBM S/370 [7]. These systems included a combination of hardware and software techniques and diagnostics that significantly advanced the theory and practice of dependable computing. The methods have since been augmented with computational algorithms and protocols to achieve consistency and reliable operation in distributed systems [8].
While parity, ECC (error correcting codes) and redundant array of independent disks have been widely used for commodity systems, the use of massive redundancy in hardware and software has led to high overheads in performance costs, hardware components, and software development costs. For example, the IBM MVS operating system devotes 50% of its software code base to fault management [9], while the IBM G5 processor dedicates 35% of its processor silicon area to fault detection and tolerance hardware [10]. In addition to those overheads, the validation of such systems has become increasingly complex and difficult. Thus, the use of the techniques discussed above to build "one-size-fits-all" architectures has become reserved for high-end, high-cost systems such as those used in military, telecommunication, and financial applications. Until recently, those application domains depended on traditional techniques in which redundancy in the hardware, combined with hooks into the operating system, together supported some level of software redundancy. On the other hand, until recently, failures in commodity environments did not have such a big cost impact and hence were either not addressed or at best marginally addressed.
With the explosion of computing devices, and in particular a variety of mobile/handheld devices in a wide variety of applications, computing has become a social enterprise. Massive computing data centers are distributed geographically, logically, and physically, servicing networked entities from telecom to Internet service providers to banks (i.e., high-dependability domains). On the one hand, the likes of Amazon and Google have increasingly adopted and invested in high-performance computing systems. On the other hand, ubiquitous computing, present in everyday appliances such as washing machines and microwaves, vehicles such as automobiles and airplanes, and applications such as e-commerce and health monitoring, has dramatically changed the impact of computing system failures on the world's social and economic machinery. With computing now a common enterprise, such outages can no longer be ignored or brushed aside with a marginal or cursory solution. Dependability requirements for these systems are nearly as high as those for the legacy systems that extensively used redundancy throughout the system. However, the cost margin for high availability is typically small, precluding the use of traditional techniques for commodity systems. New, low-cost techniques that are tailored to the specific needs of the application are required for the emerging domains. On the other end of the spectrum from embedded, ubiquitous computing are new large-scale, high-performance computing systems (i.e., supercomputers) for which dependability (or the ability to compute through failures) is paramount for providing sustained performance at scale. Such systems pose another important challenge with respect to dependability. Beyond the domain-specific requirements of the varied systems discussed thus far, failures that occur during recovery in any system significantly change the dependability dynamics of that system [6, 11]. However, this aspect has not been adequately considered in either the design or the assessment of computing systems.
1.3 Taxonomy of Dependable Computing
In this section, we...
System requirements
File format: ePUB
Copy protection: Adobe-DRM (Digital Rights Management)
System requirements:
- Computer (Windows; MacOS X; Linux): Install the free reader Adobe Digital Editions prior to download (see eBook Help).
- Tablet/smartphone (Android; iOS): Install the free app Adobe Digital Editions or the app PocketBook before downloading (see eBook Help).
- E-reader: Bookeen, Kobo, Pocketbook, Sony, Tolino and many more (not Kindle).
The file format ePub works well for novels and non-fiction books – i.e., "flowing" text without complex layout. On an e-reader or smartphone, line and page breaks automatically adjust to fit the small displays.
This eBook uses Adobe-DRM, a "hard" copy protection. If the necessary requirements are not met, unfortunately you will not be able to open the eBook. You will therefore need to prepare your reading hardware before downloading.
Please note: We strongly recommend that you authorise using your personal Adobe ID after installation of any reading software.
For more information, see our ebook Help page.