<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0"
  xmlns:trackback="http://madskills.com/public/xml/rss/module/trackback/">
  <channel>
    <title> Distributed Systems Technology Group Papers </title>
    <link>http://www.dist-systems.bbn.com/papers/papers.xml</link>
    <description>A collection of papers released by the Distributed Systems Technology Group </description>
    <item>
      <title>Fault Tolerant Approaches for Distributed Real-Time and Embedded Systems</title>
      <link>http://dist-systems.bbn.com/papers/2007/milcom/index.shtml</link>
      <description>Paul Rubel, Matthew Gillen, Joseph Loyall, Aniruddha Gokhale, Jaiganesh Balasubramanian, Priya Narasimhan, and Aaron Paulos. Fault Tolerant Approaches for Distributed Real-Time and Embedded Systems. Military Communications Conference (MILCOM), Orlando, Florida, October 29-31, 2007.
&lt;p&gt;
Abstract: Fault tolerance (FT) is a crucial design consideration for mission-critical distributed real-time and embedded (DRE) systems, which combine the real-time characteristics of embedded platforms with the dynamic characteristics of distributed platforms. Traditional FT approaches do not address features that are common in DRE systems, such as scale, heterogeneity, real-time requirements, and other characteristics. Most previous R&amp;D efforts in FT have focused on client-server object systems, whereas DRE systems are increasingly based on component-oriented architectures, which support more complex interaction patterns, such as peer-to-peer. This paper describes our current applied R&amp;D efforts to develop FT technology for DRE systems. First, we describe three enhanced FT techniques that support the needs of DRE systems: a transparent approach to mixed-mode communication, auto-configuration of dynamic systems, and duplicate management for peer-to-peer interactions. Second, we describe an integrated FT capability for a real-world component-based DRE system that uses off-the-shelf FT middleware integrated with our enhanced FT techniques. We present experimental results that show that our integrated FT capability meets the DRE system's real-time performance requirements for both the responsiveness of failure recovery and the minimal amount of overhead introduced into the fault-free case.
</description>
      <pubDate>Fri, 07 Sep 2007 09:40:35 -0400</pubDate>
      <guid>http://dist-systems.bbn.com/papers/2007/milcom/index.shtml?22029453</guid>
    </item>
    <item>
      <title>PhishBouncer: An HTTPS proxy for attribute-based prevention of Phishing Attacks</title>
      <link>Michael Atighetchi and Partha Pal. &quot;PhishBouncer: An HTTPS proxy for attribute-based prevention of Phishing Attacks.&quot; submitted to ICFAI University Press to be included in an upcoming book on Identity Theft &lt;a href=&quot;http://www.icfaiuniversitypress.org/Books/books.asp&quot;&gt;http://www.icfaiuniversitypress.org/Books/books.asp&lt;/a&gt;</link>
      <description>&lt;p&gt;
Abstract: This paper describes an innovative approach toward defending against phishing attacks by using HTTPS proxying and attribute-based checks. After a short overview of phishing, we describe the functional architecture of the PhishBouncer HTTPS proxy together with various deployment options. We then explain a number of anti-phishing algorithms implemented as plugins and highlight which attributes of phishing sites they consider. Next, we describe in detail how the proxy intercepts SSL traffic for HTTPS proxying. To assess the effectiveness and applicability of this prototype, we performed extensive experimental testing. We present a fully automated crawling framework that we developed for testing, along with the main experimental results.
&lt;p&gt;
KEYWORDS: Phishing, Cyber Security, QoS, Adaptive Defense
</description>
      <pubDate>Fri, 07 Sep 2007 09:40:35 -0400</pubDate>
      <guid>Michael Atighetchi and Partha Pal. &quot; PhishBouncer: An HTTPS proxy for attribute-based prevention of Phishing Attacks.&quot; submitted to ICFAI University Press to be included in an upcoming book on Indentity Theft &lt;a href=&quot;http://www.icfaiuniversitypress.org/Books/books.asp&quot;&gt;http://www.icfaiuniversitypress.org/Books/books.asp&lt;/a&gt;?21216058</guid>
    </item>
    <item>
      <title>Deterministic and Stochastic Models for the Detection of Random Constant Scanning Worms</title>
      <link>http://dist-systems.bbn.com/papers/2007/TOMACS/index.shtml</link>
      <description>Kurt Rohloff and Tamer Başar. ACM TOMACS (Transactions on Modeling and Computer Science) Special Issue on Simulation, Modeling and Security, 2007
&lt;p&gt;
Abstract: This paper discusses modeling and detection properties associated with the stochastic behavior of Random Constant Scanning (RCS) worms. Although these worms propagate by randomly scanning network addresses to find hosts that are susceptible to infection, traditional RCS worm models are fundamentally deterministic. A density-dependent Markov jump process model for RCS worms is presented and analyzed herein. Conditions are shown for when some stochastic properties of RCS worm propagation can be ignored and when deterministic RCS worm models can be used. A computationally simple hybrid deterministic/stochastic point-process model for locally observed scanning behavior due to the global propagation of an RCS scanning worm epidemic is presented. An optimal hypothesis-testing approach is presented to detect epidemics of these worms under idealized conditions based on the cumulative sums of log-likelihood ratios using the hybrid RCS worm model. This paper presents in a mathematically rigorous fashion why detection techniques that are only based on passively monitoring local IP addresses cannot quickly detect the global propagation of an RCS worm epidemic with a low false alarm rate, even under idealized conditions.
</description>
      <pubDate>Fri, 07 Sep 2007 09:40:35 -0400</pubDate>
      <guid>http://dist-systems.bbn.com/papers/2007/TOMACS/index.shtml?10572298</guid>
    </item>
    <item>
      <title>Scalable, Distributed, Dynamic Resource Management for the ARMS Distributed Real-Time Embedded System</title>
      <link>http://dist-systems.bbn.com/papers/2007/WPDRTS/index.shtml</link>
      <description>Kurt Rohloff, Yarom Gabay, Jianming Ye and Richard Schantz. International Workshop on Parallel and Distributed Real-Time Systems (WPDRTS) 2007
&lt;p&gt;
Abstract: We present a scalable, hierarchical control system for the dynamic resource management of a distributed real-time embedded (DRE) system. This DRE is inspired by the DARPA Adaptive and Reflective Middleware Systems (ARMS) program. The goal of the control system is to simultaneously manage multiple resources and QoS concerns using a utility-driven approach for decision making and performance evaluation. At each level of the control hierarchy there are multiple local controllers which autonomously make decisions to optimize their local utility. The controllers in the hierarchy can use different, localized resource control algorithms and the system's user can tune the operations of the local controllers. We discuss how the selections of local control algorithms affect the behavior of the overall system. The control system is designed to be easily adaptable to other multi-tiered DRE systems.
</description>
      <pubDate>Fri, 07 Sep 2007 09:40:35 -0400</pubDate>
      <guid>http://dist-systems.bbn.com/papers/2007/WPDRTS/index.shtml?77381616</guid>
    </item>
    <item>
      <title>Software Certification for Distributed, Adaptable Medical Systems: Position Paper on Challenges and Paths Forward</title>
      <link>http://dist-systems.bbn.com/papers/2007/HCMDSS_MD/index.shtml</link>
      <description>Kurt Rohloff, Richard Schantz, Partha Pal and Joseph Loyall. Joint Workshop On High Confidence Medical Devices, Software, and Systems (HCMDSS) and Medical Device Plug-and-Play (MD PnP) Interoperability, June 25-27, 2007, Boston, MA.
&lt;p&gt;
Position:
&lt;p&gt;
Elements of previously vetted architectural constructs, design principles and algorithms, along with static and dynamic analysis, simulation, testing and instrumentation/logging have all historically contributed to certification arguments for safety-critical medical systems.  Although certification arguments based on these aspects are appropriate and have been sufficient in the past, especially for previous monolithic, non-adapting software systems, these aspects of certification arguments will have to be updated in order to generate economically feasible approaches to certification arguments for advanced, distributed adaptive system architectures such as Plug and Play (PnP), multi-layer Quality of Service (QoS) management, peer-to-peer behavior and ad-hoc distributed interaction strategies for reconfigurable topologies. Updated certification arguments need to take into account system-wide, multi time-scale event structures with time-critical operations, the aggregation of synchronous and asynchronous computation systems, and multi-platform, distributed resource management issues in a cost-effective manner.  Furthermore, for the pervasive, wide-scale architectures listed above, life-cycle issues need to be addressed so that beyond initial certification, the systems can be easily and inexpensively recertifiable as they are modified and adapted as system requirements evolve over both very short and very large time scales (possibly years or decades).  Recertification must be possible without incurring large additional costs, with the goal of being able to recertify on the fly for PnP operation.
&lt;p&gt;
In this position paper, we propose an analysis, architecture and design approach to specify and enforce certifiable behavior as a means for meaningful and economically feasible certification argument construction in the context of distributed, adaptable safety-critical software systems.  The main components of our approach are:
&lt;br&gt;1.    Methods to identify and separate uncertifiable behavior based on system observables.
&lt;br&gt;2.    Extending interface standards to complement certification activities.
&lt;br&gt;3.    Methods for regulating component interaction.
&lt;br&gt;4.    Methods to dynamically constrain behavior into localized, certifiable operating regions.
&lt;p&gt;Additionally, to have maximum impact, future work on the analysis, architecture and design of certifiable distributed, adaptable medical systems must intelligently link augmentations of each of these analysis, architecture and design approaches with the traditional certification evidence such as simulation, testing and instrumentation/logging into one unified methodology capable of being easily adopted by governmental and industrial regulation agencies to enhance certification standards.
&lt;p&gt;Our thoughts on approaches to design for certifiable, distributed, PnP and adaptable medical systems are informed by our experiences in designing, developing, building and fielding numerous highly adaptable prototype distributed software systems in diverse application areas.  Several examples of relevant programs for which we recently developed adaptable distributed software systems include the ARMS and DPASA programs funded by DARPA and the ICED program funded by the AFRL.  For ARMS we developed an adaptive and reflective middleware system that manages the resource allocation and fault recovery of distributed computation processes. As part of the DPASA program we developed an adaptive survivability architecture to improve the resiliency and tolerance of distributed information systems against cyber attacks performed by a malicious adversary. For the ICED program we developed a QoS management system for dynamic information sharing environments.
&lt;p&gt; 
Identify &quot;Good&quot; and &quot;Bad&quot; Behavior
&lt;p&gt;
As an initial step on the path towards the certifiability and acceptance of adaptive, distributed, real-time medical systems, one needs to be able to separate &quot;good&quot; dynamic behavior from &quot;bad&quot; dynamic behavior from a certifiability point of view. System adaptation is not always appropriate and there may be times when otherwise appropriate dynamic behavior is inappropriate. The certification of dynamic systems will need to establish the terms of evaluation for dynamic operation, and will need to establish that both &quot;good&quot; behaviors happen, while &quot;bad&quot; behaviors don't, to a high degree of plausibility.
&lt;p&gt;Beyond a simple binary analysis of &quot;good&quot; and &quot;bad&quot; appropriate for static systems, there is a need in dynamic systems to be able to express how &quot;good&quot; and &quot;bad&quot; evolves over time -- for example mild cardiovascular stress may be appropriate during periods of light exertion, but cardiovascular stress is never appropriate when the patient is resting.  This illustrates the need for time-varying expressions for the utility of dynamic system performance.  These expressions for the utility of system performance could vary from simple rankings of observed system behavior to more complex expressions for evaluating the timing of conditional occurrences and orderings of system behaviors.
&lt;p&gt;The more complex approaches to evaluating system behavior based on the timing and ordering of system events may be thought of similarly to formal logics classically used to evaluate system correctness.  However, our proposed methods are intended to be more easily applicable in that they are intended to be driven by direct observations of system behavior rather than by the inferencing of underlying, unobserved system behavior that may not be directly related to system observables.  
&lt;p&gt;Based on a new, experimental approach for distributed systems behavior evaluation, a major research and development step in the fielding of distributed, certifiable real-time systems would be the ability to automatically generate code based on expressions of the suitability of system behavior based on derived, experimental understanding of system behavior.  This automatically generated code and/or the experimental models could be used as an additional input to our methodologies for component interaction control.
&lt;p&gt;
Interface Standards
&lt;p&gt;
Today, to our knowledge, there are no meaningful, scalable techniques to certify a whole, composed network centric system, even when it is composed of certified parts using PnP interactions. This is due, in large part, to the fact that two composed elements, even when their independent behaviors are certified, might functionally interact in ways that cause one or both of them to exhibit unpredictable emergent behavior that violates their &quot;certified&quot; behaviors. A simple example is that of two high priority real-time components, each of which is independently shown to meet its real-time deadlines in isolation. When composed, they utilize shared computation and network resources needed by the other, in such a way that they can affect each other's ability to meet its deadline.
&lt;p&gt;A first step to managing component interactions for adaptable, distributed systems is the enforced use of interface standards, such as those for objects and components.  This approach would impose some (limited) rigor on the functional interactions between elements. As long as system developers limit their development of independent elements to components or objects with well defined interfaces, and compose the system only through those interfaces, then some properties of the component interaction can be identified. These functional interfaces are insufficient for reasoning-based certification of our dynamic, distributed systems because components also interact through shared access to resources. Combined with dynamic resource management, these interactions are most often quite complex, difficult to completely and adequately specify, and even more difficult to certify.
&lt;p&gt;An approach to developing advanced interface standards is through methods to express the constraints/relations associated with component interaction. The constraints/relations/obligations (i.e., can do, cannot do, should do, must do or else -- so on and so forth) and their enforcement (static and dynamic) transcend the representation of system interaction.  One step to expressing the constraints and relations for interface standards would be to develop an (or specialize an existing) extensible markup language for safety-critical component behaviors and interactions.
&lt;p&gt;Beyond creating interface standards, an approach to certifiable composition is to create well-defined QoS, or resource, interfaces through a middleware system and program only to within the strict limits imposed by them, analogous to using functional interfaces. Such an interface would identify the resources used by a component (the obvious ones would be CPU and network, but other interfaces such as shared displays, memory footprints, etc. could also be considered) and identify the change in expectations as well as the behaviors of the component under various ranges of resource availability.
&lt;p&gt;
Component Interaction Control
&lt;p&gt;
Provisioning the resource management functionality as common middleware infrastructure enables us to more uniformly and more certifiably control the resources provided through these interfaces. Early on, we can use clearly partitioning resource allocation mechanisms, such as CPU reservations and network reservations (if available). These enable the dynamic resource manager to provide a clear set of resources to each component (and component interaction), simplifying the reasoning and certification. A next step, which introduces more complexity to the interfaces and analysis, might look at priority based resource provisioning. Even there, priority lanes and admission control help bound the problem space.
&lt;p&gt;A more general problem involves removing these constraint mechanism interfaces in favor of policy-driven application control that would automatically regulate component interaction and avoid system behavior that may be uncertified and/or uncertifiable.  A promising idea in this space, related to our previously mentioned approach to dynamic system evaluation, is to use specialized, domain-specific, mutually composable sequential processes to express the certified behaviors of individual components of the system.  The union of shared behavior in these processes would need to be able to interface with the behavior of the overall system (with respect to both functional behavior and resource usage), but would also need to be sufficiently easy to compose and perform computable operations with respect to the certifiability of the behavior of the overall system and evaluate experimentally.
&lt;p&gt;
Dynamic, Regulated Operation in Certifiable Configurations
&lt;p&gt;
An additional avenue to &quot;on-the-fly&quot; certification of highly reconfigurable medical systems would be to take an incremental online approach to system regulation that permits &quot;certifiable&quot; behavior to occur and facilitates system recovery if unforeseen events (such as partial system failures) occur that cause the system to enter an uncertified operating mode.  For this approach, based on our previously mentioned approach to experimentally evaluating behavior, a regulator in the system could be continually run to identify &quot;acceptable&quot; and &quot;unacceptable&quot; variations of the system's current configuration (based on some measure of utility).  The regulator would attempt to prevent the system from entering into an &quot;unacceptable&quot; configuration and could be used as a kind of &quot;fail-safe&quot; governor for system behavior.  If the system would ever exhibit &quot;unacceptable&quot; behavior due to partial system failure or the use of the system in an unproscribed manner, the governor would push the system to return into an acceptable operation configuration, or at least prevent the system from entering an unacceptable operation configuration.
&lt;p&gt;As this procedure progresses, we would not automatically get full, continuous certification of the configuration space, but we would get directed coverage of large numbers of static certified configurations over the areas of highest interest/utility.  Operation would be prevented from getting worse if things go wrong (and things always go wrong in complex systems over sufficiently large timeframes).  This certification process could run in the background when the software is deployed. During operation, the software's configuration controller would only reconfigure to use configurations that have been designated as certified
</description>
      <pubDate>Fri, 07 Sep 2007 09:40:35 -0400</pubDate>
      <guid>http://dist-systems.bbn.com/papers/2007/HCMDSS_MD/index.shtml?77492380</guid>
    </item>
    <item>
      <title>Survivability Metrics -- A View from the Trenches</title>
      <link>http://dist-systems.bbn.com/papers/2007/DSN-MC/index.shtml</link>
      <description>Partha Pal, Richard Schantz and Franklin Webber &quot;Survivability Metrics -- A View from the Trenches.&quot; DSN Workshop on Assurance Cases for Security - The Metrics Challenge, Edinburgh, June 27, 2007.
&lt;p&gt;
Abstract: In this paper we describe our latest experience in evaluating a survivable system. This effort signified an unprecedented attempt to specify quantitative survivability metrics and to evaluate the system against them. Even though one way to quantitatively score the survivable system was demonstrated- a significant step forward in the context of survivability validation in its own right- it was also apparent that such quantitative measurements, by themselves, did not adequately establish the assurance case for the survivable system, and more research is needed in this area. With the advantage of 20-20 hindsight, we outline a number of thoughts about survivability metrics that are more amenable to assurance cases.
&lt;p&gt;
KEYWORDS: Evaluating Survivability, Metrics, Red Team Exercises
</description>
      <pubDate>Fri, 07 Sep 2007 09:40:35 -0400</pubDate>
      <guid>http://dist-systems.bbn.com/papers/2007/DSN-MC/index.shtml?84346269</guid>
    </item>
    <item>
      <title>Cognitive Enhancements to Support Dependability</title>
      <link>http://dist-systems.bbn.com/papers/2007/DSN-HotDep/index.shtml</link>
      <description>Partha Pal, Franklin Webber and Richard Schantz &quot;Cognitive Enhancements to Support Dependability.&quot; DSN Workshop on Hot Topics in Dependability, Edinburgh, June 26, 2007.
&lt;p&gt;
Abstract: The threat of cyber-attacks is not limited to the boundary of information systems any longer. Safety and reliability of almost any system can be compromised by exploiting the vulnerabilities in the information systems that connect with or control them. Agile and ongoing manipulation of (redundant and diverse) system components, defense mechanisms and system resources is essential for surviving attacks and continuing operation. Cyber-defense administration -- dynamic management of components, defense mechanism and systems resources -- is therefore a current topic of significant interest to the dependability community. In this paper, we present our ongoing work on automated support for intelligent cyber-defense administration.
&lt;p&gt;
KEYWORDS: Cyber-Defense Decision Making, Dependability
</description>
      <pubDate>Fri, 07 Sep 2007 09:40:35 -0400</pubDate>
      <guid>http://dist-systems.bbn.com/papers/2007/DSN-HotDep/index.shtml?73935078</guid>
    </item>
    <item>
      <title>High-Level Dynamic Resource Management for Distributed,</title>
      <link>http://dist-systems.bbn.com/papers/2007/DASD/index.shtml</link>
      <description>Kurt Rohloff, Richard Schantz and Yarom Gabay. Submitted to 5th Symposium on Design, Analysis, and Simulation of Distributed Systems 2007 
&lt;p&gt;
Abstract: In this paper we discuss the problem of coordinating resource allocations among independent high-level goals, called missions, for scalable, hierarchical, Dynamic Resource Management (DRM) in a Distributed Real-time Embedded (DRE) system. The DRM goal is to dynamically allocate shared resources to simultaneously manage multiple Quality of Service (QoS) concerns among the missions that maintain system operation despite partial system failures. We use a utility-driven approach for decision making and performance evaluation. We offer an approach for multi-mission coordination and provide a design for implementing that approach. Finally, we show experimental results demonstrating the viability and near-optimality of our solution for a target environment based on a large-scale Matlab/Simulink simulation of a target system.
</description>
      <pubDate>Fri, 07 Sep 2007 09:40:35 -0400</pubDate>
      <guid>http://dist-systems.bbn.com/papers/2007/DASD/index.shtml?73929662</guid>
    </item>
    <item>
      <title>Experience with Task/Allocation Coordination Primitive for Building Survivable Multi-Agent Systems</title>
      <link>http://dist-systems.bbn.com/papers/2007/KIMAS/index.shtml</link>
      <description> Sarah Siracuse, Ray Tomlinson, Todd Wright, John Zinky &quot;Experience with Task/Allocation Coordination Primitive for Building Survivable Multi-Agent Systems.&quot; IEEE KIMAS, Boston MA, April 2007
&lt;p&gt;
Abstract: A key goal in building survivable agent frameworks is to create application-level coordination primitives that fit naturally within the application's domain and are capable of being made robust and efficient by the agent framework. The Cougaar agent framework supports several types of application-level coordination primitives, including Task/Allocation. Under the DARPA-funded UltraLog project, BBN used the Cougaar agent framework to create survivable agent societies based on these primitives. The Cougaar logistics application that was produced used the Task/Allocation coordination primitive to decompose work among multiple agents. Other coordination primitives were used to monitor and control the agent infrastructure itself. When combined and run together, the UltraLog societies were able to recover from a substantial, 45% infrastructure loss and were still able to complete their jobs with minimal impact on performance.
&lt;p&gt;
KEYWORDS: QoS Adaptation, Fault Tolerance,
</description>
      <pubDate>Fri, 07 Sep 2007 09:40:35 -0400</pubDate>
      <guid>http://dist-systems.bbn.com/papers/2007/KIMAS/index.shtml?57685717</guid>
    </item>
    <item>
      <title>The DPASA Survivable JBI- A High-Water Mark in Intrusion Tolerant Systems</title>
      <link>http://dist-systems.bbn.com/papers/2007/WRAITS/index.shtml</link>
      <description>Partha Pal, Franklin Webber and Richard Schantz, &quot;The DPASA Survivable JBI- A High-Water Mark in Intrusion-Tolerant Systems&quot;, EuroSys Workshop on Recent Advances in Intrusion-Tolerant Systems, Lisbon, March 23, 2007
&lt;p&gt;
Abstract: In this paper, we describe the design, development, and validation of an information system that has recently set a new high-water mark for intrusion tolerance. The system, known as the DPASA Survivable JBI, conforms to an abstract architecture for survivable systems and integrates concrete defense mechanisms for preventing intrusion and for detecting and responding to intrusions that cannot be prevented. The system has shown a high level of resistance to sustained attacks by sophisticated adversaries.
&lt;p&gt;
KEYWORDS: Survivability, Intrusion-tolerance, Survivability Architecture, Defense-enabling, Defense Mechanisms
</description>
      <pubDate>Fri, 07 Sep 2007 09:40:35 -0400</pubDate>
      <guid>http://dist-systems.bbn.com/papers/2007/WRAITS/index.shtml?31720469</guid>
    </item>
    <item>
      <title>Adaptive Environments: A Necessary Feature of Scalable, Survivable and Secure Multi-Agent Systems.</title>
      <link>http://dist-systems.bbn.com/papers/2007/LaSMAA/index.shtml</link>
      <description>John Zinky &quot;Adaptive Environments: A Necessary Feature of Scalable, Survivable and Secure Multi-Agent Systems&quot; Workshop on Large Scale Multi-Agent Architectures (LaSMAS 07), University of Maryland, March 2007
&lt;p&gt;
If agent societies are to be fielded under extreme conditions, then the environment must adapt to meet the societies' systemic requirements, within the constraints imposed by the underlying resources. Adaptation is a three-step process: First, multiple implementations of an environment service are created, each with different system properties and resource requirements. Second, the system is monitored to determine the current application requirements and resource constraints. Third, the environment enables the appropriate service implementation, the one which best meets the requirements and consumes the least scarce resources. We will describe the research issues for creating an adaptive environment, in the context of four services offered by comprehensive agent middleware, such as Cougaar. The life cycle service allows multiple hooks for adding adaptive code. Coordination service allows agents to interact through the environment. Knowledge representation manages inference and change notification of the agents' internal state. Finally, the programming model helps the programmer to decompose both application and environment issues.

&lt;p&gt; KEYWORDS: QoS Adaptation, Multi-Agent,
</description>
      <pubDate>Fri, 07 Sep 2007 09:40:35 -0400</pubDate>
      <guid>http://dist-systems.bbn.com/papers/2007/LaSMAA/index.shtml?1186164</guid>
    </item>
    <item>
      <title>Cognitive Adaptation for Teams in ADROIT</title>
      <link>http://dist-systems.bbn.com/papers/2007/globecom/index.shtml</link>
      <description>Gregory D. Troxel, Armando Caro, Isidro Castineyra, Nick Goffee, Karen Zita Haigh, Talib Hussain, Vikas Kawadia, Paul Rubel, David Wiggins. &quot;Cognitive Adaptation for Teams in ADROIT&quot; IEEE Globecom, November 26-30, 2007, Washington, DC.
&lt;p&gt; We have created a sensor-sharing protocol that uses cognition to increase performance by choosing protocol parameters based on the current environment and the past relationships between environment and performance. We have constructed a prototype of the protocol, and experimented with it in a four-node outdoor testbed. Our testbed is part of a larger effort, ADROIT, which seeks to create cognitive teams of software-defined radios
</description>
      <pubDate>Fri, 07 Sep 2007 09:40:35 -0400</pubDate>
      <guid>http://dist-systems.bbn.com/papers/2007/globecom/index.shtml?21427410</guid>
    </item>
    <item>
      <title>Minimum-Cost Subgraphs for Joint Distributed Source and Network Coding</title>
      <link>http://dist-systems.bbn.com/papers/2006/netcod/index.shtml</link>
      <description>&lt;p&gt;Anna Lee, Muriel Medard, Karen Zita Haigh, Sharon Gowan, and Paul Rubel. Minimum-Cost Subgraphs for Joint Distributed Source and Network Coding , Third Workshop on Network Coding, Theory and Applications (NetCod). San Diego, California January 29, 2007.
&lt;p&gt; We consider multicast of correlated sources over a network. Assuming the use of random network coding, we provide a linear optimization formulation for allocation of link rates in the network, also known as subgraph construction. Such an approach requires joint distributed source and network coding, which often has a lower cost than that required by separated source and network coding. We support this result with simulations on randomly generated networks and on network data collected from a Future Combat Systems (FCS) exercise at Lakehurst, NJ.
</description>
      <pubDate>Fri, 07 Sep 2007 09:40:35 -0400</pubDate>
      <guid>http://dist-systems.bbn.com/papers/2006/netcod/index.shtml?46282464</guid>
    </item>
    <item>
      <title>Dynamic, High Confidence Certifiable Embedded Software: Position Paper</title>
      <link>http://dist-systems.bbn.com/papers/2006/BeyondSCADA/index.shtml</link>
      <description>Kurt Rohloff, Richard Schantz and Joseph Loyall. 2006 National Meeting, Beyond SCADA: Networked Embedded Control for Cyber Physical Systems, November 8 &amp; 9, 2006, Pittsburgh, Pennsylvania
&lt;p&gt;
    Position: 

&lt;p&gt;    Exhaustive testing, documentation, code review, and formal methods have been the main approaches for software certification in high confidence cyber-physical systems. Although these methods have been appropriate and sufficient in the past, the continued reliance on these methods is no longer economically feasible for increasingly complex modern, distributed, dynamic systems due to inherent problems of state-explosions. We need to develop innovative, economically feasible means to certify distributed dynamic control software for cyber-physical systems so that when these systems are deployed, harmful and potentially unpredictable emergent control behavior does not manifest itself.
&lt;p&gt;    There are many hurdles for even minimal acceptance of dynamic behavior embedded in distributed mission critical cyber-physical systems. Examples of such distributed mission critical systems include DoD systems (including secure, timely command, control and information sharing systems and for military logistics and transportation infrastructures), systems for manufacturing and process control (for industries whose safety is of critical national importance such as transportation, chemical, oil and natural gas), and medical systems among others.
&lt;p&gt;    As the use of advanced, distributed adaptive system architectures becomes mainstream for these applications that include multi-layer QoS, peer-to-peer behavior and ad-hoc distributed interaction strategies for reconfigurable topologies, entire new classes of certification strategies will need to be developed and implemented. These certification strategies need to handle system-wide, multi time-scale event structures with time-critical operations, the aggregation of synchronous and asynchronous computation systems, and address multi-platform, distributed resource management issues. Furthermore, for the pervasive, wide-scale architectures listed above, life-cycle issues need to be addressed so that beyond initial certification, the systems need to be easily and inexpensively recertifiable so that they can be modifiable as system requirements evolve over very large time scales (possibly years or decades) without incurring large additional costs.
&lt;p&gt;    Elements of architecture, design, algorithms, analysis, simulation, testing and instrumentation/logging would all contribute to increasing the acceptance and the certifiability of distributed, real-time high-confidence software for cyber-physical systems. To have maximum impact, future work on certification in this area must intelligently link augmentations of each of the elements together into one unified methodology capable of being easily adopted by governmental and industrial regulation agencies large and small.
&lt;p&gt;    Today, there are no meaningful, scalable techniques to certify a whole, composed network centric system, even when it is composed of certified parts. This is due, in large part, to the fact that two composed elements, even when their independent behaviors are certified, might functionally interact in ways that cause one or both of them to exhibit unpredictable emergent behavior that violates their &quot;certified&quot; behaviors. A simple example is that of two high priority real-time components, each of which is independently shown to meet its real-time deadlines in isolation. When composed, they utilize shared computation and network resources needed by the other, in such a way that they could affect each other's ability to meet its deadline.
&lt;p&gt;    Interface standards, such as those for objects and components, impose some (minimal) rigor on the functional interactions between elements. As long as system developers limit their development of independent elements to components or objects with well defined interfaces, and compose the system only through those interfaces, then some properties of the component interaction can be identified. These functional interfaces are insufficient for reasoning-based certification of our dynamic, distributed systems because components also interact through shared access to resources. Combined with dynamic resource management, these interactions are most often quite complex, difficult to completely and adequately specify, and even more difficult to certify.
&lt;p&gt;    Over the next 5 to 10 years, an approach to certifiable composition is to create well-defined QoS, or resource, interfaces through a middleware system and program only to within the strict limits imposed by them, analogous to using functional interfaces. Such an interface would identify the resources used by a component (the obvious ones would be CPU and network, but other interfaces such as shared displays, memory footprints, etc. could also be considered) and identify the change in expectations as well as the behaviors of the component under various ranges of resource availability.
&lt;p&gt;    As a path towards the certifiability and acceptance of dynamic, distributed, real-time embedded systems, one needs to be able to separate &quot;good&quot; dynamic behavior from &quot;bad&quot; dynamic behavior from a certifiability point of view. Dynamic behavior is not always appropriate and there may be times when otherwise appropriate dynamic behavior is inappropriate. The certification of dynamic systems will need to establish the terms of evaluation for dynamic operation, and will need to establish that both &quot;good&quot; behaviors happen, while &quot;bad&quot; behaviors don't, to some degree of plausibility.
&lt;p&gt;    Provisioning the resource management functionality as middleware infrastructure enables us to better and more certifiably control the resources provided through these interfaces. In the beginning, we can use clearly partitioning resource allocation mechanisms, such as CPU reservations and network reservations. These enable the dynamic resource manager to provide a clear set of resources to each component (and component interaction), simplifying the reasoning and certification. A next step, which introduces more complexity to the interfaces and analysis, would look at priority based resource provisioning. Even there, priority lanes and admission control can help bound the problem space.
&lt;p&gt;    A more general problem involves removing these constraint mechanism interfaces in favor of policy-driven application control which would automatically regulate component interaction. A promising idea in this space is to use specialized, domain-specific, mutually composable sequential process languages such as a duration calculus to express the certified behaviors of individual components of the system. The union of shared expressions in these domain-specific sequential process languages would need to be expressive enough to specify the behavior of the overall system (with respect to both functional behavior and resource usage), but should be sufficiently easy to compose and perform computable operations on to certify the behavior of the overall system. The languages could be used as control specifications to regulate the behaviors of the local components with respect to these desired behaviors.
</description>
      <pubDate>Fri, 07 Sep 2007 09:40:35 -0400</pubDate>
      <guid>http://dist-systems.bbn.com/papers/2006/BeyondSCADA/index.shtml?70000119</guid>
    </item>
    <item>
      <title>The Verification and Control of Interacting Similar Discrete-Event Systems</title>
      <link>http://dist-systems.bbn.com/papers/2006/SICON/index.shtml</link>
      <description>Kurt Rohloff, Stephane Lafortune. SIAM Journal on Control and Optimization. Volume 45, Number 2, 2006.

&lt;p&gt;
Abstract: This paper explores issues related to the control and verification of similar module systems in the discrete-event systems framework. Similar module systems are distributed systems comprised of subsystem modules that exhibit isomorphic local behavior coordinated on global event occurrences. When given a global model of these systems, it is shown how to decompose the global model into the component subsystems in polynomial time. It is also shown how to perform various verification tasks for these interacting systems while mitigating common state explosion difficulties by taking advantage of the special similar module system structure. Control properties of the similar module systems are also discussed. It is assumed that the local modules are supervised by exactly one local controller and the controllers enforce the same local control policy. Necessary and sufficient conditions for achieving local and global control specifications in this setting are identified.
</description>
      <pubDate>Fri, 07 Sep 2007 09:40:35 -0400</pubDate>
      <guid>http://dist-systems.bbn.com/papers/2006/SICON/index.shtml?30895063</guid>
    </item>
    <item>
      <title>Integrated Adaptive QoS Management in Middleware: A Case Study. </title>
      <link>http://dx.doi.org/10.1007/s11241-005-6881-1</link>
      <description> Christopher D. Gill, Jeanna M. Gossett, David Corman,
 Joseph P. Loyall, Richard E. Schantz, Michael Atighetchi, Douglas
 C. Schmidt. Integrated Adaptive QoS Management in Middleware: A Case
 Study. Real-Time Systems, Springer Science+Business Media B.V.,
 Volume 29, Numbers 2-3, March 2005, pp. 101-130. </description>
      <guid>http://dx.doi.org/10.1007/s11241-005-6881-1</guid>
    </item>
    <item>
      <title> End-to-End Quality of Service Management for Distributed Real-time Embedded Applications. </title>
      <link>http://www.dist-systems.bbn.com/papers/2005/WPDRTS/index.shtml</link>
      <description> Prakash Manghwani, Joseph Loyall, Praveen Sharma,
  Matthew Gillen, and Jianming Ye. End-to-End Quality of Service
  Management for Distributed Real-time Embedded Applications.  The
  Thirteenth International Workshop on Parallel and Distributed
  Real-Time Systems (WPDRTS 2005), Denver, Colorado, April 4-5,
  2005. </description>
      <guid>http://www.dist-systems.bbn.com/papers/2005/WPDRTS/index.shtml</guid>
    </item>
    <item>
      <title> Detection and Reaction to Unplanned Operational Events in Large Scale Distributed Real-Time Embedded Systems </title>
      <link>http://www.dist-systems.bbn.com/papers/2005/WPDRTS2/index.shtml</link>
      <description> Jianming Ye, Joe Loyall, Rick Schantz, and Gary
  Duzan. Detection and Reaction to Unplanned Operational Events in
  Large Scale Distributed Real-Time Embedded Systems. The Thirteenth
  International Workshop on Parallel and Distributed Real-Time Systems
  (WPDRTS 2005), Denver, Colorado, April 4-5, 2005.
  </description>
      <guid>http://www.dist-systems.bbn.com/papers/2005/WPDRTS2/index.shtml</guid>
    </item>
    <item>
      <title> Using QoS-Adaptive Coordination Artifacts to Increase Scalability of Communication in Distributed Multi-Agent Systems. </title>
      <link>http://www.dist-systems.bbn.com/papers/2005/KIMAS/index.shtml</link>
      <description> John Zinky, Sarah Siracuse, Richard Shapiro. Using
  QoS-Adaptive Coordination Artifacts to Increase Scalability of
  Communication in Distributed Multi-Agent Systems. in IEEE
  Integration of Knowledge Intensive Multi-Agent Systems (KIMAS-05),
  Waltham, MA, April 18 - 21, 2005. </description>
      <guid>http://www.dist-systems.bbn.com/papers/2005/KIMAS/index.shtml</guid>
    </item>
    <item>
      <title> A Distributed Real-time Embedded Application for Surveillance, Detection, and Tracking of Time Critical Targets. </title>
      <link>http://www.dist-systems.bbn.com/papers/2005/RTAS/index.shtml</link>
      <description> Joseph Loyall, Richard Schantz, David Corman, James
  Paunicka, Sylvester Fernandez. A Distributed Real-time Embedded
  Application for Surveillance, Detection, and Tracking of Time
  Critical Targets. Real-time and Embedded Technology and Applications
  Symposium (RTAS), San Francisco, CA, March 7-10 2005. </description>
      <guid>http://www.dist-systems.bbn.com/papers/2005/RTAS/index.shtml</guid>
    </item>
    <item>
      <title>Issues in Providing Quality of Service in a Joint Battlespace Infosphere </title>
      <link>http://www.dist-systems.bbn.com/papers/2005/WORDS/index.shtml</link>
      <description> Joseph Loyall, Jamie Lawson, Gary Duzan. Issues in
 Providing Quality of Service in a Joint Battlespace Infosphere.  The
 Tenth IEEE International Workshop on Object-Oriented Real-Time
 Dependable Systems (WORDS), Sedona, Arizona, February 2-4,
 2005. </description>
      <guid>http://www.dist-systems.bbn.com/papers/2005/WORDS/index.shtml</guid>
    </item>
    <item>
      <title> Networking Aspects in the DPASA Survivability Architecture: An Experience Report. </title>
      <link>http://www.dist-systems.bbn.com/papers/2005/NCA/index.shtml</link>
      <description> Michael Atighetchi, Paul Rubel, Partha Pal, Jennifer
  Chong, Lyle Sudin. Networking Aspects in the DPASA Survivability
  Architecture: An Experience Report.  The 4th IEEE
  International Symposium on Network Computing and Applications (IEEE
  NCA05), Cambridge, MA, July 27-29, 2005. </description>
      <guid>http://www.dist-systems.bbn.com/papers/2005/NCA/index.shtml</guid>
    </item>
    <item>
      <title> Scalable MAS-Based Control Systems Using QoS-Adaptive Coordination Artifacts </title>
      <link>http://www.dist-systems.bbn.com/papers/2005/LSMAS/index.shtml</link>
      <description> Sarah Siracuse, John Zinky, Richard Shapiro, Todd
Wright. Scalable MAS-Based Control Systems Using QoS-Adaptive
Coordination Artifacts, in 2nd workshop on challenges in the
coordination of large scale multi-agent systems Workshop at AAMAS'05,
July 25, 2005 Utrecht Netherlands </description>
      <guid>http://www.dist-systems.bbn.com/papers/2005/LSMAS/index.shtml</guid>
    </item>
    <item>
      <title> Implementing QoS-Adaptation in Coordination Artifacts by Enhancing Cougaar Multi-Agent Middleware </title>
      <link>http://www.dist-systems.bbn.com/papers/2005/MASS/index.shtml</link>
      <description> John Zinky, Richard Shapiro, Sarah Siracuse, Todd
  Wright. Implementing QoS-Adaptation in Coordination Artifacts by
  Enhancing Cougaar Multi-Agent Middleware, in IEEE Symposium on
  Multi-Agent Security and Survivability (MASS 2005) Philadelphia,
  Pennsylvania, USA August 30-31, 2005 </description>
      <guid>http://www.dist-systems.bbn.com/papers/2005/MASS/index.shtml</guid>
    </item>
    <item>
      <title> Case Study: The Intrusion Tolerant JBI </title>
      <link>http://www.dist-systems.bbn.com/papers/2005/DpasaCaseStudy/index.shtml</link>
      <description> Michael Atighetchi, Paul Rubel, Partha Pal, Jennifer
  Chong, Lyle Sudin. Case Study: The Intrusion Tolerant
  JBI.   Internal Report, extended version of the NCA05
  submission.  </description>
      <guid>http://www.dist-systems.bbn.com/papers/2005/DpasaCaseStudy/index.shtml</guid>
    </item>
    <item>
      <title> Survivability Architecture of a Mission Critical System: The DPASA Example</title>
      <link>http://www.dist-systems.bbn.com/papers/2005/ACSAC/index.shtml</link>
      <description>Jennifer Chong, Partha Pal, Michael Atighetchi, Paul
 Rubel, Franklin Webber. Survivability Architecture of a Mission
 Critical System: The DPASA Example. 21st Annual
 Computer Security Applications Conference December 5-9, 2005 Tucson,
 Arizona </description>
      <guid>http://www.dist-systems.bbn.com/papers/2005/ACSAC/index.shtml</guid>
    </item>
    <item>
      <title>Generating Policies for Defense in Depth.</title>
      <link>http://www.dist-systems.bbn.com/papers/2005/ACSAC/index2.shtml</link>
      <description>Paul Rubel, Michael Ihde, Steven Harp, Charles Payne:
 Generating Policies for Defense in Depth.  21st Annual Computer
 Security Applications Conference December 5-9, 2005 Tucson, Arizona
 </description>
      <guid>http://www.dist-systems.bbn.com/papers/2005/ACSAC/index2.shtml</guid>
    </item>
    <item>
      <title> Using Composition of QoS Components to Provide Dynamic, End-to-End QoS in Distributed Embedded Applications - A Middleware Approach</title>
      <link>http://www.dist-systems.bbn.com/papers/2006/IC/index.shtml</link>
      <description>Praveen Sharma, Joseph Loyall, Richard Schantz,
  Jianming Ye, Prakash Manghwani, Matthew Gillen, and George
  T. Heineman: Using Composition of QoS Components to Provide Dynamic,
  End-to-End QoS in Distributed Embedded Applications - A Middleware
  Approach. 
  IEEE Internet Computing, May/June 2006 (Vol. 10, No. 3), pp. 16-23.  
</description>
      <guid>http://www.dist-systems.bbn.com/papers/2006/IC/index.shtml</guid>
    </item>
    <item>
      <title>Adding Fault-Tolerance to a Hierarchical DRE System </title>
      <link>http://www.dist-systems.bbn.com/papers/2006/DAIS/index.shtml</link>
      <description> Paul Rubel, Joseph Loyall, Richard Schantz, Matthew
 Gillen. Adding Fault-Tolerance to a Hierarchical DRE System.
 Proceedings of Distributed Applications and Interoperable Systems:
 6th IFIP WG 6.1 International Conference, DAIS 2006, Bologna, Italy,
 June 14-16, 2006. LNCS 4025/2006 pp 303 - 308 </description>
      <guid>http://www.dist-systems.bbn.com/papers/2006/DAIS/index.shtml</guid>
    </item>
    <item>
      <title> Quality Measures for Embedded Systems and Their Application to Control and Certification </title>
      <link>http://www.dist-systems.bbn.com/papers/2006/RTAS_Cert/index.shtml</link>
      <description>Kurt Rohloff, Joseph Loyall, Richard Schantz: Quality
  Measures for Embedded Systems and Their Application to Control and
  Certification, 2006 IEEE Real-Time and Embedded Technology and
  Applications Symposium (RTAS 2006), Workshop on Innovative Techniques
  for Certification of Embedded Systems. April 4, 2006, San Jose,
  CA. </description>
      <guid>http://www.dist-systems.bbn.com/papers/2006/RTAS_Cert/index.shtml</guid>
    </item>
    <item>
      <title> A Hierarchical Control System for Dynamic Resource Management </title>
      <link>http://www.dist-systems.bbn.com/papers/2006/RTAS_WiP/index.shtml</link>
      <description>Kurt Rohloff, Jianming Ye, Joseph Loyall, Richard
 Schantz. A Hierarchical Control System for Dynamic Resource
 Management, 2006 IEEE Real-Time and Embedded Technology
 and Applications Symposium (RTAS 2006), Work in Progress
 Symposium. April 7, 2006, San Jose, CA.  </description>
      <guid>http://www.dist-systems.bbn.com/papers/2006/RTAS_WiP/index.shtml</guid>
    </item>
    <item>
      <title>Controlling quality-of-service in distributed real-time and embedded systems via adaptive middleware</title>
      <link>http://dist-systems.bbn.com/papers/2006/SPE/index2.shtml</link>
      <description>&lt;p&gt;Richard E. Schantz, Joseph P. Loyall, Craig
 Rodrigues, Douglas C. Schmidt. 
 &lt;a href=&quot;http://dist-systems.bbn.com/papers/2006/SPE/index2.shtml&quot;&gt;
 Controlling quality-of-service in distributed real-time and embedded
 systems via adaptive middleware&lt;/a&gt;, Software: Practice and
 Experience, Volume 36, Issue 11-12 (September - October 2006) (p
 1189-1208)&lt;/p&gt;

 &lt;p&gt; Abstract: Computing systems are increasingly distributed,
 real-time, and embedded (DRE) and must operate under highly
 unpredictable and changeable conditions. A challenging problem for
 DRE systems is adaptation of behavior and reconfiguration of
 resources to maintain the best application performance in the face of
 changes in system load and available resources. To provide
 predictable mission-critical quality of service (QoS) end-to-end,
 QoS-enabled middleware services and mechanisms have begun to emerge,
 but they lack support for applications with stringent QoS
 requirements in changing, dynamic environments. This paper presents
 two contributions to research on adaptive and reconfigurable DRE
 systems. First, we describe the structure and functionality of an
 advanced middleware platform for developing applications that apply
 various techniques to adapt themselves to changes in resource
 availability to meet real-time quality of service (QoS)
 requirements. Second, we present results of a case study of a
 multimedia application for Unmanned Aerial Vehicle (UAV) video
 distribution we developed using this middleware platform in
 conjunction with QoS-enabled operating systems and networking
 protocols. We describe the design of the multimedia application using
 our middleware platform and report empirical results showing how
 adaptive behavior and end-to-end resource management techniques are
 used to reconfigure the system dynamically to meet timeliness
 requirements.&lt;/p&gt;

 &lt;p&gt; KEYWORDS: Adaptive middleware, reconfigurable DRE systems,
 aspect-oriented design, and multimedia applications &lt;/p&gt;

 </description>
      <guid>http://dist-systems.bbn.com/papers/2006/SPE/index2.shtml</guid>
    </item>
    <item>
      <title>An architecture for adaptive intrusion-tolerant applications</title>
      <link>http://dist-systems.bbn.com/papers/2006/SPE/index.shtml</link>
      <description>&lt;p&gt;Partha Pal, Paul Rubel, Michael Atighetchi, 
Franklin Webber, William H. Sanders, Mouna Seri, HariGovind Ramasamy,
 James Lyons, Tod Courtney, Adnan Agbaria, Michel Cukier, Jeanna Gossett, 
Idit Keidar, &lt;a href=&quot;http://dist-systems.bbn.com/papers/2006/SPE/index.shtml&quot;&gt;An architecture for adaptive intrusion-tolerant 
applications&lt;/a&gt;, Software: Practice and Experience, 
Volume 36, Issue 11-12 (September - October 2006) 
(p 1331-1354)&lt;/p&gt;
&lt;p&gt;
Applications that are part of a mission-critical information system
need to maintain a usable level of key services through ongoing
cyber-attacks. In addition to the well-publicized denial of service
(DoS) attacks, these networked and distributed applications are
increasingly threatened by sophisticated attacks that attempt to
corrupt system components and violate service integrity. While various
approaches have been explored to deal with the DoS attacks,
corruption-inducing attacks remain largely unaddressed. We have
developed a collection of mechanisms based on redundancy, Byzantine
fault tolerance, and adaptive middleware that help distributed,
object-based applications tolerate corruption-inducing attacks. In
this paper, we present the ITUA architecture which integrates these
mechanisms in a framework for auto-adaptive intrusion-tolerant
systems, and describe our experience in using the technology to defend
a critical application that is part of a larger avionics system as an
example. We also motivate the adaptive responses that are key to
intrusion tolerance, and explain using the ITUA architecture how to
support them in an architectural framework.&lt;/p&gt;
 </description>
      <guid>http://dist-systems.bbn.com/papers/2006/SPE/index.shtml</guid>
    </item>
    <item>
      <title> Making Real-time Systems Survive Malicious Attacks</title>
      <link>http://dist-systems.bbn.com/papers/2006/RTAS/index.shtml</link>
      <description>&lt;p&gt;Partha Pal, Joe Loyall, Franklin Webber, Rick Schantz, Making Real-time Systems Survive Malicious Attacks. 2006 IEEE Real-Time and Embedded Technology and Applications Symposium (RTAS 2006), Workshop on Research Directions for Security and Networking in Critical Real-Time and Embedded Systems. April 7, 2006, San Jose, CA.
  &lt;/p&gt;
 </description>
      <guid>http://dist-systems.bbn.com/papers/2006/RTAS/index.shtml</guid>
    </item>
    <item>
      <title>Trust Assessment from Observed Behavior: Toward an Essential Service for Trusted 
         Network Computing</title>
      <link>http://dist-systems.bbn.com/papers/2006/NCA/index.shtml</link>
      <description>&lt;p&gt; Partha Pal, Franklin Webber, Michael Atighetchi and Nate Combs, Trust Assessment from Observed Behavior: Toward an Essential Service for Trusted Network Computing.  The 5th IEEE International Symposium on Network Computing and Applications (IEEE NCA06), Cambridge, MA, July 24-26, 2006.
  &lt;/p&gt;

  &lt;p&gt; Modern distributed information systems handle increasingly critical data and computation, but there is no systematic way to assess whether a given part of the system can be entrusted with such data and computation on a continuous basis. In a highly interconnected networked environment, components with varying levels of trustworthiness must interact with each other. Occurrence and spread of attack induced failure imply that hosts once trusted cannot remain equally trusted all the time. System components and human operators can benefit from a scheme that assesses the trustworthiness of hosts, i.e., the confidence that individual hosts are not corrupt, on a continuous basis by adjusting and adapting their behavior when a host's trustworthiness diminishes. In this work in progress report we present an accusation based trust assessment scheme.&lt;/p&gt; 
 </description>
      <guid>http://dist-systems.bbn.com/papers/2006/NCA/index.shtml</guid>
    </item>
    <item>
      <title>Fault Tolerance in a Multi-Layered DRE System: A Case Study </title>
      <link>http://dist-systems.bbn.com/papers/2006/JCP/index.shtml</link>
      <description>&lt;p&gt;
   Paul Rubel, Joseph Loyall, Richard Schantz and Matthew Gillen. Fault Tolerance 
   in a Multi-Layered DRE System: A Case Study, Journal of Computers (JCP) 
   Volume 1, Issue 6, September 2006 (p 43-52)

  &lt;p&gt;Abstract: Dynamic resource management is a crucial part of the infrastructure for emerging distributed real-time embedded systems, responsible for keeping mission-critical applications operating and allocating the resources necessary for them to meet their requirements. Because of this, the resource manager must be fault-tolerant, with nearly continuous operation. This paper describes our efforts to develop a fault-tolerant multi-layer dynamic resource management capability and the challenges we encountered, some due to the fault tolerance requirements we needed to meet and others due to characteristics of the resource management software. The challenges include the need for extremely rapid recovery; supporting the characteristics of component middleware, including peer-to-peer communication and multi-tiered calling semantics; supporting multiple languages; and the co-existence of replicated and non-replicated elements. Making our multi-layer dynamic resource manager fault-tolerant required simultaneously overcoming all of these challenges, presenting a significant fault tolerance research challenge. 
  &lt;/p&gt;
 </description>
      <guid>http://dist-systems.bbn.com/papers/2006/JCP/index.shtml</guid>
    </item>
  </channel>
</rss>
