Foundations and Support for Survivable Systems

Principal Investigator:

Fred B. Schneider
Department of Computer Science
Cornell University
Ithaca, New York 14853
(607) 255-9221
fbs@cs.cornell.edu

Project Description:

Computing systems for managing critical infrastructures must tolerate failures and be resistant to attack. This project explores a new approach -- the use of mobile code -- for building such survivable critical-infrastructure systems. Mechanisms are being developed for ensuring integrity of hosts that execute mobile code and for ensuring fault-tolerance of software that employs mobile code. Ways in which mobile code can provide leverage in structuring distributed software systems are being explored by prototyping application systems as well as system-support for mobile code execution.

Use of mobile code. Mobile processes seem ideal for structuring tomorrow's critical-infrastructure systems. In addition to performance advantages only possible when programs can move from host to host, the paradigm is ideal for supporting fault-tolerance and security. The interface between a computation and the hosts it visits is narrow, which facilitates maintaining host integrity. Each agent's trajectory makes explicit the components on which it depends, facilitating fault-tolerance analysis. And, the paradigm embraces environments in which connectivity between sites is intermittent. To understand how mobile code can best be used, a series of prototype application systems is being built.

Host integrity. Any host that executes mobile code must be protected from attacks by that foreign code. To protect the integrity of the host's software from such attacks, two new approaches are being pursued. Both are based on a new specification method for defining any enforceable security policy. One scheme employs object-code rewriting, adding checks to prevent behavior that would violate the security policies of interest. The second scheme uses a form of type-checking to establish that the foreign code complies with the given security policies.
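To make the execution-monitoring idea concrete, the following is an added example (not code from the project or its SAS tool): a policy expressed as a finite-state security automaton, plus a monitor that rejects any action the automaton cannot accept and that wraps each security-relevant operation with a check, in the spirit of the rewriting scheme. The policy, state names and action names are constructed for illustration.

```python
# Added example: a security automaton used as an execution monitor.
# The policy, states and actions below are constructed, not taken from the project.
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional, Tuple

class PolicyViolation(Exception):
    """Raised when the monitored program attempts an action the policy forbids."""

@dataclass
class SecurityAutomaton:
    """Finite-state automaton over security-relevant actions.

    transitions maps (state, action) -> next state.  An action with no
    transition from the current state is rejected, so the monitor truncates
    the execution before that action takes effect.
    """
    transitions: Dict[Tuple[str, str], str]
    state: str
    history: List[str] = field(default_factory=list)

    def step(self, action: str) -> None:
        nxt = self.transitions.get((self.state, action))
        if nxt is None:
            raise PolicyViolation(f"{action!r} not permitted in state {self.state!r}")
        self.history.append(action)
        self.state = nxt

def no_send_after_read() -> SecurityAutomaton:
    """Constructed policy: a program may read files or send on the network,
    but once it has read a file it may never send again."""
    t = {
        ("clean", "file_read"): "tainted",
        ("clean", "send"): "clean",
        ("clean", "compute"): "clean",
        ("tainted", "file_read"): "tainted",
        ("tainted", "compute"): "tainted",
        # no ("tainted", "send") entry: that action is rejected
    }
    return SecurityAutomaton(t, "clean")

def inline_check(aut: SecurityAutomaton, action: str, op: Callable) -> Callable:
    """Mimic the rewriting scheme: run the automaton check before every call of op."""
    def guarded(*args, **kwargs):
        aut.step(action)          # raises PolicyViolation before op executes
        return op(*args, **kwargs)
    return guarded

def run_monitored(actions: List[str]) -> Tuple[List[str], Optional[str]]:
    """Run a trace under the monitor; return the permitted prefix and the
    action (if any) at which execution was truncated."""
    aut = no_send_after_read()
    for a in actions:
        try:
            aut.step(a)
        except PolicyViolation:
            return aut.history, a
    return aut.history, None
```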

Fault-tolerance. A system structured in terms of programs that migrate from host to host had best tolerate failures of those hosts. Classical replication-based methods (e.g. primary-backup and active replication) are not suitable for this setting. But a new generation of protocols -- based on cryptography -- does allow mobile code to be made fault-tolerant. The study of this marriage of cryptography and fault-tolerance promises to yield a spectrum of practical methods for fault-tolerance. Protocol design, analysis, and implementation are all being investigated to ensure that the results are practical and also to understand the extent to which the new protocols can be more generally deployed.

Accomplishments:

Our work on agents and mobile code is summarized in the following publications. Visit TACOMA for information about obtaining prototypes of our TACOMA mobile-code system.
  1. Johansen, Dag, Robbert van Renesse and Fred B. Schneider. Operating system support for mobile agents. Proceedings of the 5th IEEE Workshop on Hot Topics in Operating Systems, Orcas Island, WA, USA (May 1995), IEEE Computer Society, NY, USA, May 1995, pp. 42-45. Also available as TR94-1568, Computer Science Department, Cornell University, Ithaca, New York.

  2. Johansen, Dag, Robbert van Renesse, and Fred B. Schneider. Supporting Broad Internet Access to TACOMA. Proceedings of the Seventh ACM SIGOPS European Workshop, Connemara, Ireland, (September 1996), pp. 55-58.

  3. Minsky, Yaron, Robbert van Renesse, Fred B. Schneider, and Scott D. Stoller. Cryptographic Support for Fault-Tolerant Distributed Computing. Proceedings of the Seventh ACM SIGOPS European Workshop, Connemara, Ireland, (September 1996), pp. 109-114.

  4. Schneider, Fred B. Towards Fault-tolerant and Secure Agentry. Invited paper, Proceedings 11th International Workshop on Distributed Algorithms (Saarbrücken, Germany, Sept. 1997), Lecture Notes in Computer Science, Volume 1320, Springer-Verlag, Heidelberg, 1997, pp. 1-14. Also available as TR94-1568, Computer Science Department, Cornell University, Ithaca, New York.

Our work on analysis of system fault-tolerance is summarized in the following publications.
  1. Stoller, Scott and Fred B. Schneider. Automated Analysis of Fault-Tolerance in Distributed Systems. Proceedings First ACM SIGPLAN Workshop on the Automated Analysis of Software, Rance Cleaveland and Daniel Jackson, eds. (Paris, France, Jan. 1997), ACM, New York, pp. 33-44. Also available as TR 96-1614, Computer Science Department, Cornell University, Ithaca, New York.

  2. Stoller, Scott and Fred B. Schneider. Automated Stream-Based Analysis of Fault-Tolerance. To appear, Proceedings 5th International Symposium on Formal Techniques in Real-time and Fault-tolerant Systems (FTRTFT'98), Lecture Notes in Computer Science, Springer-Verlag, Heidelberg. Also available as TR 98-1691, Computer Science Department, Cornell University, Ithaca, New York.

Our work on enforcing security policies is summarized in the following publications. Click intel86 for a demo of the SAS tool on Intel x86 programs, and click java for a demo of the SAS tool on Java VM programs.
  1. Schneider, Fred B. Enforceable security policies. Submitted for publication. Available as TR 98-1664, Computer Science Department, Cornell University, Ithaca, New York.

Other work supported, in part, under the auspices of this project:

  1. Schneider, Fred B. Notes on Proof Outline Logic. Deductive Program Design (M. Broy, ed.), ASI Vol. F152, Springer-Verlag, Heidelberg, pp. 351-394.

  2. Schneider, Fred B. On Concurrent Programming. Springer Verlag, NY, 1997, 473 pages.

  3. Information Systems Trustworthiness -- Interim Report. Computer Science and Telecommunications Board Commission on Physical Sciences, Mathematics, and Applications National Research Council. April 1997.

  4. Dolev, Danny, Rüdiger Reischuk, Fred B. Schneider, and H. Raymond Strong. Report on Dagstuhl Seminar on Time Services, Schloss Dagstuhl, March 11-15, 1996. Real-Time Systems 12, 3 (May 1997), pp. 329-345.

  5. Gries, David and Fred B. Schneider. Adding the everywhere operator to propositional logic. Journal of Logic and Computation 7 No. 96-25 (1997), pp. 1-11. Also available as TR 96-1583, Computer Science Department, Cornell University, Ithaca, New York.

  6. Schneider, Fred B. On Concurrent Programming, Communications of the ACM 41, No. 4 (April 1998), 128.

  7. Gries, David and Fred B. Schneider. Formalizations Of Substitution Of Equals For Equals. Submitted for publication. Available as TR 98-1686, Computer Science Department, Cornell University, Ithaca, New York.