1

Dependability• Dependability is the ability to avoid service failures that are

more frequent or severe than desired. It is an important goal of distributed systems.

• Requirements for dependable systems– Availability: the probability that the system is available to perform its

functions at any moment• 99.999 % availability (five 9s) 5 minutes of downtime per year

– Reliability: the ability of the system to run continuously without failure• Down for 1ms every hour 99.9999 % availability but highly unreliable• Down for two weeks every year high reliability but only 96% availability

– Safety: when a system temporarily fails to operate correctly, nothing catastrophic happens

– Maintainability: how easily a failed system can be repaired– Security: will cover in Chapter 9

2

Failures and Faults• Building a dependable system comes down to preventing

failures• A failure of a system occurs when the system cannot meet

its promises• Failures are caused by faults. A fault is an anomalous

condition. There are three categories of faults:– Transient faults: Occur once and never reoccur (e.g., wireless

communication being interrupted by external interference)– Intermittent faults: Reoccur irregularly (e.g., a loose contact on

a connector)– Permanent faults: Persist until the faulty component is

replaced (e.g., software bugs)

3

Types of Failures

Arbitrary failures are also known as Byzantine failures

4

Fault Tolerance• In a single-machine system, a failure is almost always total

– All components are affected and entire system may be brought down (e.g., OS crash, disk failures)

• In distributed systems, partial failures are possible– When one component fails, it may affect some components, while

leaving other components unaffected• Fault tolerance means that a system can provide its services

even in the presence of faults• Fault tolerance requires

– preventing faults and failures from affecting other components of the system

– automatically recovering from partial failures

5

Failure Masking• Failure masking is a fault tolerance technique that

hides occurrence of failures from other processes• The most common approach to failure masking is

redundancy• Three types of redundancy:– Information redundancy: add extra bits to allow

recovery from garbled bits– Time redundancy: repeat an action if needed– Physical redundancy: add extra equipment or processes

so that the system can tolerate the loss or malfunctioning of some components

6

An Example of Physical Redundancy

(a) No redundancy. (b) Triple modular redundancy: the effect of a single component failing is completely masked.

7

Process Resilience• By organizing several identical processes into a group, we

can mask one or more faculty processes in that group• A group of replicated processes is said to be k fault tolerant

if it can survive k faults and still meet its specifications• Assume all requests arrive in the same order at all servers

in a process group (this requires the use of atomic multicast) – With crash failures, K+1 processes are sufficient to survive k

faults– With Byzantine failures, processes may produce erroneous,

random, or malicious results 2k+1 processes are required to survive k faults (the client just believes the majority)

8

Agreement in Faulty Systems• Distributed processes often need to agree on something

(e.g., elect a coordinator, commit a transaction)– The goal of distributed agreement algorithms is to have all the

non-faulty processes reach consensus on some issue within a finite number of steps

• Can consensus be reached with non-faulty processes and unreliable communication channel?– Answer: No!

• Can consensus be reached with faulty (Byzantine) processes and reliable channel?– Answer: Depends

9

Process

behavior

Message Order Communication

delayUnordered Ordered

Asynchronous Yes Unbounded

Yes Bounded

Synchronous Yes Yes Yes Yes Bounded

Yes Yes Unbounded

Unicast Multicast Unicast Multicast

Message Transmission

• A system is synchronous iff the processes operate in a lock-step mode (i.e., there is a constant c ≥ 1, such that if any process has taken c+1 steps, every other process has taken at least one step).

Conditions under which consensus is possible. (Assume processes may be faulty, communication is reliable)

10

Byzantine Agreement Problem• Byzantine agreement problem: Can N generals reach consensus

about each other’s troop strengths when communication channel is perfect but some of the generals are traitors and will lie to prevent agreement?

• Formally, there are N processes, each process i will provide a value vi to the others. The goal is to let each process construct a vector V of length N, such that if process i is non-faulty, V[i]= v i. Otherwise V[i] is undefined.

• Assume processes are synchronous, messages are unicast while preserving ordering, and communication delay is bounded, with k faulty processes, agreement can be achieved if there are 2k+1 non-faulty processes [Lamport et al., 1982].

11

The Byzantine agreement problem for 3 non-faulty processes and 1 faulty process with vi=i. Consensus is reached for the non-faulty processes. (a) Each process sends its value to the others. (b) The vectors that each process assembles based on (a). (c) The vectors that each process receives after each process passes its vector from (b) to every other process.

12

The Byzantine agreement problem for 2 non-faulty processes and 1 faulty process. The algorithm fails to produce agreement.

13

Process Resilience• Protection against process failures can be achieved by

organizing several identical processes into a group– Flat group: all process are equal; the processes make decisions

collectively• No single point of failure, but decision making is more complicated

– Hierarchical group: a single coordinator makes all decisions• Decision making is simpler, but coordinator is a single point of failure