This paper investigates sources of uncertainty in measurement results obtained using three different fault injection techniques. Two software-implemented and one test port-based technique are characterized and compared. The three techniques can be used to inject the same faults, which are defined in a shared database. Due to the uncertainties associated with the techniques, which we identify and discuss, the results of injecting a given fault may differ to some extent. The paper analyzes the results of using the three techniques to inject faults into two experimental targets: a brake-by-wire controller and a partitioning operating system. The objective of the experiments is to determine whether the results of the different techniques are metrologically compatible and, consequently, meaningful when disseminated and compared. Our observations indicate that, even though the outcome of many individual experiments is affected by uncertainties, the three techniques produce similar average results over a large number of experiments.
Distributed systems are used in numerous applications where failures can be costly. Due to concerns that some of the nodes may become faulty, critical services are usually replicated across several nodes, which execute distributed algorithms to ensure correct service in spite of failures. To prevent replica-exhaustion, it is fundamental to detect errors and trigger appropriate recovery actions. In particular, it is important to detect situations in which nodes cease to execute the intended algorithm, e.g., when a replica is compromised by an attacker or when a hardware fault causes the node to behave erratically. This paper proposes a method for monitoring the local execution of nodes using watchdog timers. The approach consists in deducing, from the global system properties, local states that must be visited periodically by nodes that execute the intended algorithm correctly. When a node fails to trigger a watchdog before the time limit, an appropriate response can be initiated. The approach is applied to a well-known Byzantine consensus algorithm. The algorithm is modeled in the Promela language and the Spin model checker is used to identify local states that must be visited periodically by correct nodes. Such states are suitable for online monitoring using watchdog timers.
Experimental dependability studies usually produce an amount of data substantially greater than what can be presented in a research paper or a technical report. For this reason, authors condense the results into more succinct forms that allow them to convey their message. Since a large amount of the original data is left unexplored, sharing it allows other teams to discover additional facts (as well as to compare the results to other studies). In a previous paper, we investigated sources of uncertainty in measurement results obtained using three different fault injection techniques. The resulting experimental data was shared in the AMBER raw data repository. This paper gives an overview of the study and makes an attempt at further exploring the shared data.
This paper seeks to answer fundamental questions about trade-offs between static and dynamic security analysis. It has been previously shown that flow-sensitive static information-flow analysis is a natural generalization of flow-insensitive static analysis, which allows accepting more secure programs. It has also been shown that sound purely dynamic information-flow enforcement is more permissive than static analysis in the flow-insensitive case. We argue that the step from flow-insensitive to flow-sensitive is fundamentally limited for purely dynamic information-flow controls. We prove the impossibility of a sound purely dynamic information-flow monitor that accepts programs certified by a classical flow-sensitive static analysis. A side implication is the impossibility of permissive dynamic instrumented security semantics for information flow, which guides us to uncover an unsound semantics from the literature. We present a general framework for hybrid mechanisms that is parameterized in the static part and in the reaction method of the enforcement (stop, suppress, or rewrite) and give security guarantees with respect to termination-insensitive noninterference for a simple language with output.
Transactional memory (TM) promises to unlock parallelism in software in a safer and easier way than lock-based approaches, but the path to deployment is unclear for several reasons. First of all, since TM has not been deployed in any machine yet, experience of using it is limited. While software transactional memory implementations exist, they are too slow to provide useful experience. Existing hardware transactional memory implementations, on the other hand, can provide the efficiency required, but they require a significant effort to integrate in cache coherence infrastructures or freeze critical policy parameters. This paper proposes the LV* (lazy versioning and eager/lazy conflict resolution) class of hardware transactional memory protocols. This class of protocols has been implemented with ease of deployment in mind. LV* can be integrated with low additional complexity in standard snoopy-cache MESI protocols and can be accommodated in a directory-based cache coherence infrastructure. Since the optimal conflict resolution policy (lazy or eager) depends on transactional characteristics of workloads, LV* supports a set of conflict resolution policies that range from LazEr, a family of Lazy versioning Eager conflict resolution protocols, to LL-MESI, which provides lazy resolution. We show that LV* can be hosted in a MESI protocol through straightforward extensions and that the flexibility in the choice of conflict resolution strategy has a significant impact on performance.
Existing secure protocols and code signing mechanisms for vehicle systems to download and install software over the air certify only the origin and the integrity of software; thus, they do not address errors that might not be detected in the development process and cannot ensure that the downloaded software does not contain malicious code. In this paper, we identify such possible threats by developing a threat model for the vehicle software architecture. We propose countermeasures against the threats by preventing or modifying inappropriate behaviour caused by, e.g., malicious or poorly designed applications. We propose a model to deploy the approach, which is based on modifying the application at the wireless gateway in the vehicle before it is installed. As a result, security policies are embedded into the application and intercept security-relevant execution events. Thus, the execution of downloaded vehicle applications is monitored to ensure the safety and security of the vehicle system and to detect potential cyber attacks.
A key property of overlay networks, which is going to play an important part in future networking solutions, is the peers' ability to establish connections with other peers based on some suitability metric related to, e.g., the node's distance, interests, recommendations, transaction history or available resources. Each node may individually choose an appropriate metric and try to connect or be matched with the available peers that it considers best. When there are no preference cycles among the peers, it has been proven that a stable matching exists, where peers have maximized the individual satisfaction gleaned from their choices. However, no such guarantees are currently given for the cases where cycles may exist, and known methods may not be able to resolve "oscillations" in preference-based connectivity and reach stability. In this work we employ node satisfaction to move beyond classic stable matchings and towards the overlay network context. We present a simple yet powerful distributed algorithm that uses aggregate satisfaction as an optimization metric. The algorithm is a generalization of an approximation one-to-one matching algorithm to the many-to-many case. We prove that the total satisfaction achieved by our algorithm is a constant-factor approximation of the maximum total satisfaction in the network, depending also on the maximum number of possible connections of a peer in the overlay.
ISBN (print): 9781424473212
Good layout quality is very important in order to obtain efficient integrated circuits, and custom design methods are thus considered when speed, power, and area requirements are very strict. But since custom design styles require extensive and specialized development resources, automated, less optimal design methods are often chosen. Alternate methods to create efficient layouts may prove useful, especially since custom layout in future technology nodes is associated with prohibitive nonrecurring engineering (NRE) costs. The prototype layout generation environment shown in this paper allows us to quickly define, evaluate and modify fine-grained cell placement strategies for barrel shifters. The three different 90-nm shifter circuit implementations demonstrated here show a performance that is on par with circuits harnessing the capabilities offered by conventional tools. Furthermore, this performance is achieved using the least possible die area. For example, a 32-bit fan-out split shifter conventionally laid out and clocked at 1.11 GHz dissipates 0.37 mW of switching power and occupies an area of 5698 μm². The same shifter circuit placed using our environment and routed conventionally dissipates an equivalent 0.34 mW, but occupies only 4711 μm².