CS
Colloquium
Tuesday, April 1, 2003
4:15 PM
B17 Upson Hall
Aaron
Brown
University of California, Berkeley
Creating
Undo for Operators: A Human-Centric Approach to Recovery
Nearly
every productivity application on the market today offers its users the ability
to undo their actions, allowing them to recover from their mistakes and to
experiment with unfamiliar features in a forgiving environment.
Surprisingly, this safety net of undo is virtually nonexistent in the
domain of systems operations and management, where human error is the largest
single contributor to system and service outages.
This talk will address the challenge of creating an undo facility for
system operators, introducing an architecture for adding operator-undo
functionality as a wrapper around existing network service applications such as
electronic mail, online shopping, and auction services.
Our
operator-undo architecture leverages proven techniques from the systems and
database domains, including non-overwriting storage, redo recovery, proxy-based
logging of user requests, and predicate-based consistency management.
It adapts and integrates these techniques to provide a recovery tool that
offers a virtual time-travel interface to the system operator.
Using our undo system, an operator can rewind system state to nullify the
effects of human error, software misbehavior, or external attack; can
retroactively insert arbitrary changes into the system to repair the problem or
forestall future occurrences; and can replay the system forward in time, merging
the original system timeline with the retroactively-inserted repairs and
compensating for any inconsistencies that arise as a result.
A
human-centric recovery tool like operator-undo requires an evaluation methodology that captures the influence of its human users on its effectiveness. To that end, the talk will also introduce an evaluation methodology that combines traditional systems benchmarking and human studies techniques, and will describe how we are using this methodology to evaluate the dependability and recovery benefits offered by a prototype implementation of operator-undo for an e-mail store service.