dissecting self-* properties
Post on 26-Feb-2016
62 Views
Preview:
DESCRIPTION
TRANSCRIPT
Dissecting Self-* Properties
Andrew Berns & Sukumar GhoshUniversity of Iowa
Background
• Autonomic systems are characterized by a number of properties that exhibit its ability of self-management.
• Collectively known as self-* properties
Goal
• Self-organizing• Self-stabilizing• Self-optimizing• Self-adaptive• Self-healing• Self-scaling• Self-managing
What do they precisely mean?
How do they differ?
Can we find some common framework
to satisfy different characterizations of
the various self-star properties?
The model of a system
Network of processes: topology G = (V, E)
Processes execute actions. Each action by a process changes its local state.
Global state S is the collection of local states.
A computation is a sequence of global states.
What is a “good” system
Safety. Property P must always holdBad things never happen. Example: no deadlock, at least onetoken must always exist etc.
Liveness. Property Q must eventually holdGood things eventually happen. Example: termination, convergence, progress etc.
A system configuration is legal when these properties hold
The Environment
System
Environment
Consists of variables that a process can read but not modify.A system is legal when it satisfies its safety properties. Legality is defined with respect to an environment
Time of day
Network topology
User demands for service
Output from another system
Failures etc
System vs. adversary
AdversaryDisrupts or challenges the system
The adversary causes failures, perturbation, allows processes to join or leave without notice, changes global state, launches security attacks, changes the environment etc. Ultimately the system must win.
System
Environment
Tolerance to Adversarial actions
Masking. Safety and Liveness Properties are NEVER violated.
The system always remains in a legal configuration
Non masking. Safety properties (but not Liveness)
are temporarily violated, but eventually restored. The system
state may temporarily become illegal
Self-management = tolerance to adversarial actions
Masking vs. Non-masking
Legal
State space
More on tolerance
Tolerance to adversarial actions also depends on
its type and extent.
A system may be masking tolerant to a single crash
failure, but exhibit non-masking tolerance to multiple
failures
Graceful degradation
The system negotiates the adversarial action,
but recovers to a configuration that satisfies a
predicate P’ P’⊃ (P= original safety predicate).
To be graceful, P’ predicate must be acceptable
to the application.
Types of actions
Actions can be internal or external. External actions can change the environment.
Processes execute internal actions only
The adversary executes both internal and external actions.
Self-management
Self-management is a vision. It encompasses
all self-* properties. Typically attributed to systems
that exhibit at least one self-star property.
The framework
Generally, in defining a specific self-* property,
the important issues are:
Interpretation of the legal configuration
type of adversarial action
Type of tolerance permitted like
masking, non-masking, or graceful degradation
Self-stabilization
Starting from an arbitrary configuration, a self-stabilizing
system eventually recovers to a legal configuration (satisfies
a predefined predicate P) and remains in that configuration
thereafter.
Adversarial action: transient failure corrupting the system state
Tolerance: non-masking
Self-adaptation
if Rk then Pk will hold Can be viewed as an extension of a self-stabilizing system, where the legal configuration satisfies the predicate
P = ∨( Ri ∧ Pi)
Environment {∈ R1 R2 …, Rm}. A system adapts to an environment R.
Environment R
P
i
Process j crashes implies that adversary changes the environment variable crashed (j) from false to true
Self-healing
A system is self-healing with respect to a subset of external actions if occurrence of those actions causeat most a temporary violation of the system’s legal configuration (safety Property P)
Adversarial action: a subset of all possible external actions
Tolerance: typically non-masking, but masking not ruled out
Comments on Self-healing
A self-healing system may not be self-healing
with respect to an enlarged set of adversarial actions.
Skype is a Self-healing system, but it crashed
on August 16, 2007 and was down for nearly
two days. Why?
Comments on Self-healing
Also, self-healing frequently leads to graceful degradation.
Self-organization
A system is self-organizing with respect to a subset of external actions involving process join and leave ifthose actions cause at most a temporary violation of the system’s legal configuration (safety Property P)
Adversarial action: join / leave actions (up to N processes may concurrently join or N/2 processes may concurrently leave)
Tolerance: usually non-masking, but masking not ruled out.
Self-organization
75
10
78
25 34
45
18
5
83
Self-organization
An example of gathering
Comments on Self-organization
A self-organizing system is expected to recover in
a reasonable time.
[1] imposed a requirement of sub-linear recovery time
per join or leave operation
[1] Dolev & Tzachar: Empire of Colonies, Theoretical Computer Science 2009
Self-protectionA system is self-protecting with respect to a set ofmalicious external actions if it maintains its legal configuration (data integrity and continuedfunctionality) in the presence of those actions.
Adversarial action: malicious actions
Tolerance: masking.
Comment: Hard to characterize what a malicious action is. Itmay be a direct security attack, or something very subtle.
Self-optimization
A system is self-optimizing when starting from aninitial configuration if it spontaneously improves / maximizes the value of an objective function (cost)relevant to the systems performance
Adversarial action: A bad initialization, or an interim action thatmakes the current configuration sub-optimal.
Tolerance: Non-masking.
Comment: What if different nodes have different perceptionsof cost? Selfishness adds a new dimension.
Self-optimization with selfish agents
Selfish actions used to optimize a system may never reach an equilibrium configuration
1, 3 4, 3
3, 10
1, 3 1, 10
3, 1
4,1 1, 10
From a game theory perspective, no Nash Equilibrium exists
root
Shortest path tree withtwo different types ofprocesses
Self-configuration
The legal configuration is defined over the configuration space: Various notions of configuration, like a set of optimal choices of hardware or software modules and connections among them, which is consistent with the environment.
Adversarial action: A subset of external actions.
Tolerance: Non-masking.
Self-configuration
1
User
Self-configuration
2
User
Relationships among self-star properties
Self-stabilization implies self-healing with respect to any adversarial internal action
Self-organization implies self-healing with respect to join and leave operations
Relationships among self-star properties
Self-organization implies self-configuration but the reverse is not true
For example, a self-configuring web-server changes the connectionbetween server components, processor cycles and memory capacity to provide a stable response [2], but is not self-organizing since it cannot automatically integrate another server
[2] (Wildstrom et al ICAC 2005)
Relationships among self-star properties
Self-organization Self-stabilization
A self-stabilizing system that allows a process to join or leave a system of N processes is O(N2) time is not self-organizing (some will disagree)
Relationships among self-star properties
Chord P2P network is self-organizing, but not self-stabilizing, since once an adversarial action splits the Chord ring into two rings, they do not join.
New property: self-immunity
A system is self-immune with respect to an action C, if
(1) initially tolerance to action C is non-masking, but
(2) eventually the system is able to mask the effect of action C
The system learns from experience, and becomes smarter with time
Self-immune behavior
Legal
State space
New property: self-containment
Self-containment is a variant of self-protection. It prevents the total system from being compromised by external malicious actions. At most a fraction of the system is compromised, but eventually the non-compromised processes are able to offer a meaningful level of service.
(The system has the ability of damage control by saving a part of it in
spite of a security attack. It is a non-masking version of self-protection, similar in spirit with the fault-containment property of self-stabilizing systems)
Self-containment
Conclusion
There is a need for a framework to define what we actually
mean by specific self-star property. This will not satisfy
everyone’s vision, but as long as it satisfies the majority’s
view, the chance of further divergence of views is minimized.
top related