Presentation is loading. Please wait.

Presentation is loading. Please wait.

A. Haeberlen Fault Tolerance and the Five-Second Rule 1 HotOS XV (May 18, 2015) Ang Chen Hanjun Xiao Andreas Haeberlen Linh Thi Xuan Phan Department of.

Published byJayson Harry Watkins Modified over 8 years ago

Similar presentations

Presentation on theme: "A. Haeberlen Fault Tolerance and the Five-Second Rule 1 HotOS XV (May 18, 2015) Ang Chen Hanjun Xiao Andreas Haeberlen Linh Thi Xuan Phan Department of."— Presentation transcript:

1 A. Haeberlen Fault Tolerance and the Five-Second Rule 1 HotOS XV (May 18, 2015) Ang Chen Hanjun Xiao Andreas Haeberlen Linh Thi Xuan Phan Department of Computer and Information Science University of Pennsylvania

2 A. Haeberlen Faults in Distributed Systems Nodes in a distributed system can fail Example: Online banking The consequences can be serious Example: Monetary loss Solution: Use fault-tolerance techniques 2 HotOS XV (May 18, 2015) bank.com Balance: $100 Transfer $9 to Marcos New balance: $1

3 A. Haeberlen Faults in Real Life Transactions in real life can fail, too! Example: Paying with cash at the checkout counter Failures can have bad consequences Example: Getting shortchanged Solution: Use fault-tolerance techniques? 3 HotOS XV (May 18, 2015) $9, please! Your change:

4 A. Haeberlen Online vs. offline How do we do handle this in the real world? No masking: The transaction is allowed to fail initially Detection: Participants check the results Recovery: Detected failures are fixed if possible Timeliness: Checking happens quickly (to limit damage) Can we do the same in distributed systems? Our proposal: Bounded-time recovery (BTR) Intuition: When a node fails, the system may make mistakes for a limited time (e.g., 100ms), but then it recovers Should be a provable property - not just best-effort! 4 HotOS XV (May 18, 2015)

5 A. Haeberlen When would BTR be sufficient? Not all systems can use BTR Example: Systems where failures are immediately fatal But there are systems that could benefit! Example: Cyber-physical systems Physical part often has some inertia Control algorithms can often tolerate some mistakes Time bound is key: Fixing problems 'eventually' is not enough! 5 HotOS XV (May 18, 2015)

6 A. Haeberlen What could we gain from BTR? Opportunity #1: Lower cost Detection is cheaper than masking Particularly important for CPS Opportunity #2: Timing guarantees Even most BFT solutions cannot guarantee timely responses when the system is under attack Opportunity #3: Fine-grained responses Typical fault-tolerance guarantee is "all or nothing" BTR can recover failures in many ways, e.g., by dropping less important tasks or by adjusting the service level 6 HotOS XV (May 18, 2015)

7 A. Haeberlen Outline Motivation Idea: Bounded-Time Recovery (BTR) Pros and Cons of BTR BTR defined Solution sketch Summary 7 HotOS XV (May 18, 2015) NEXT

8 A. Haeberlen Bounded-time recovery: A system offers BTR with a time bound R if its outputs are correct in any interval [t 1,t 2 ] such that no fault has manifested in [t 1 -R,t 2 ] Some special cases: R=0: Similar to BFT (but with timing guarantees!) R=  : Similar to self-stabilization Small values of R are the most interesting (and the hardest) A proposed definition 8 HotOS XV (May 18, 2015) Time R R R System correct Fault

9 A. Haeberlen What assumptions do we need? BTR talks about time  Need synchrony! Must have strong bounds on execution times Must have strong bounds on message delays This is reasonable (in the CPS domain) WCETs are often known or can be derived Networks have FEC and support bandwidth reservations Can we assume Byzantine faults? Real, growing concern for CPS! Qualified yes: Some hardware features needed Example: Protection against Babbling Idiots -- e.g., bus guardians 9 HotOS XV (May 18, 2015)

10 A. Haeberlen A B C D Plan for "B faulty" mode A Solution sketch: Planning Ingredient #1: Planner System can run in several modes, has a (static) plan for what to run where in each mode Online vs. offline planning Several interesting challenges (see paper for details) Example: Inter-mode dependencies; connections to game theory Example: Distributed mixed-mode scheduling Interesting opportunites, e.g., fine-grained responses 10 HotOS XV (May 18, 2015) B C D Plan for "no faults" mode Tasks Data flow

11 A. Haeberlen 4 Ingredient #2: Fault detector Need to detect (at runtime) when a node misbehaves Can we use PeerReview [SOSP’07] for this? No - PeerReview is for asynchronous systems! Challenge: Detecting temporal faults Example: Faulty node might send the right message at the wrong time Challenge: Bounding time to detection Adversary can ‘win’ simply by delaying detection (and thus recovery) for too long! A Solution sketch: Detection 11 HotOS XV (May 18, 2015) B 2+2? 4

12 A. Haeberlen Solution sketch: Recovery Ingredient #3: Evidence distributor Need to convince other nodes that a fault really exists Adversary might try to confuse the system by reporting non-existent faults PeerReview-style protocols can provide evidence of faults Challenge: Needs resources, new kinds of evidence Ingredient #4: Mode switcher Each node needs to switch to the new plan Involves transferring state, starting/terminating tasks Some existing work on mode-change protocols Surprisingly, global agreement may not be needed 12 HotOS XV (May 18, 2015)

13 A. Haeberlen Putting it all together Planning: Decide what to run where in each mode Detection: Nodes audit each other to look for faults Evidence: Nodes prove existence of detected faults Mode change: System reconfigures 13 HotOS XV (May 18, 2015) A B C D B is faulty! Evidence Time R ✔ ✖ ✔ ✔

14 A. Haeberlen Summary We propose Bounded-Time Recovery (BTR) New approach to fault tolerance System is allowed to produce wrong outputs after a fault, but only for a limited time Case study: Cyber-physical systems Support the additional assumptions that BTR requires BTR could offer lower cost, fine-grained responses to faults Interesting research challenges Unusual scheduling problems, new detection protocols,... 14 HotOS XV (May 18, 2015) Questions?

Download ppt "A. Haeberlen Fault Tolerance and the Five-Second Rule 1 HotOS XV (May 18, 2015) Ang Chen Hanjun Xiao Andreas Haeberlen Linh Thi Xuan Phan Department of."

Similar presentations

Fault Tolerance. Basic System Concept Basic Definitions Failure: deviation of a system from behaviour described in its specification. Error: part of.

Fault Tolerance. Basic System Concept Basic Definitions Failure: deviation of a system from behaviour described in its specification. Error: part of.
Impossibility of Distributed Consensus with One Faulty Process

Impossibility of Distributed Consensus with One Faulty Process
CS 542: Topics in Distributed Systems Diganta Goswami.

CS 542: Topics in Distributed Systems Diganta Goswami.
Teaser - Introduction to Distributed Computing

Teaser - Introduction to Distributed Computing
Distributed Systems Overview Ali Ghodsi

Distributed Systems Overview Ali Ghodsi
1 The Case for Byzantine Fault Detection. 2 Challenge: Byzantine faults Distributed systems are subject to a variety of failures and attacks Hacker break-in.

1 The Case for Byzantine Fault Detection. 2 Challenge: Byzantine faults Distributed systems are subject to a variety of failures and attacks Hacker break-in.
LADIS workshop (Oct 11, 2009) A Case for the Accountable Cloud Andreas Haeberlen MPI-SWS.

LADIS workshop (Oct 11, 2009) A Case for the Accountable Cloud Andreas Haeberlen MPI-SWS.
P. Kouznetsov, 2006 Abstracting out Byzantine Behavior Peter Druschel Andreas Haeberlen Petr Kouznetsov Max Planck Institute for Software Systems.

P. Kouznetsov, 2006 Abstracting out Byzantine Behavior Peter Druschel Andreas Haeberlen Petr Kouznetsov Max Planck Institute for Software Systems.
Announcements. Midterm Open book, open note, closed neighbor No other external sources No portable electronic devices other than medically necessary medical.

Announcements. Midterm Open book, open note, closed neighbor No other external sources No portable electronic devices other than medically necessary medical.
Nummenmaa & Thanish: Practical Distributed Commit in Modern Environments PDCS’01 PRACTICAL DISTRIBUTED COMMIT IN MODERN ENVIRONMENTS by Jyrki Nummenmaa.

Nummenmaa & Thanish: Practical Distributed Commit in Modern Environments PDCS’01 PRACTICAL DISTRIBUTED COMMIT IN MODERN ENVIRONMENTS by Jyrki Nummenmaa.
A. Haeberlen Having your Cake and Eating it too: Routing Security with Privacy Protections 1 HotNets-X (November 15, 2011) Alexander Gurney * Andreas Haeberlen.

A. Haeberlen Having your Cake and Eating it too: Routing Security with Privacy Protections 1 HotNets-X (November 15, 2011) Alexander Gurney * Andreas Haeberlen.
1 © P. Kouznetsov On the weakest failure detector for non-blocking atomic commit Rachid Guerraoui Petr Kouznetsov Distributed Programming Laboratory Swiss.

1 © P. Kouznetsov On the weakest failure detector for non-blocking atomic commit Rachid Guerraoui Petr Kouznetsov Distributed Programming Laboratory Swiss.
Making Services Fault Tolerant

Making Services Fault Tolerant
Distributed Systems Fall 2010 Replication Fall 20105DV0203 Outline Group communication Fault-tolerant services –Passive and active replication Highly.

Distributed Systems Fall 2010 Replication Fall 20105DV0203 Outline Group communication Fault-tolerant services –Passive and active replication Highly.
Ashish Gupta Under Guidance of Prof. B.N. Jain Department of Computer Science and Engineering Advanced Networking Laboratory.

Ashish Gupta Under Guidance of Prof. B.N. Jain Department of Computer Science and Engineering Advanced Networking Laboratory.
Distributed systems Module 2 -Distributed algorithms Teaching unit 1 – Basic techniques Ernesto Damiani University of Bozen Lesson 3 – Distributed Systems.

Distributed systems Module 2 -Distributed algorithms Teaching unit 1 – Basic techniques Ernesto Damiani University of Bozen Lesson 3 – Distributed Systems.
Asynchronous Consensus (Some Slides borrowed from ppt on Web.(by Ken Birman) )

Asynchronous Consensus (Some Slides borrowed from ppt on Web.(by Ken Birman) )
Systems of Distributed Systems Module 2 -Distributed algorithms Teaching unit 3 – Advanced algorithms Ernesto Damiani University of Bozen Lesson 6 – Two.

Systems of Distributed Systems Module 2 -Distributed algorithms Teaching unit 3 – Advanced algorithms Ernesto Damiani University of Bozen Lesson 6 – Two.
Brent Dingle Marco A. Morales Texas A&M University, Spring 2002

Brent Dingle Marco A. Morales Texas A&M University, Spring 2002
A Secure Fault-Tolerant Conference- Key Agreement Protocol Wen-Guey Tzeng Source : IEEE Transactions on computers Speaker : LIN, KENG-CHU.

A Secure Fault-Tolerant Conference- Key Agreement Protocol Wen-Guey Tzeng Source : IEEE Transactions on computers Speaker : LIN, KENG-CHU.

Similar presentations

Ads by Google