final_19_. - the ftp server

Document Sample
final_19_. - the ftp server Powered By Docstoc
					      Robust Distributed Computing

             Technologies for critical computing
              on the Information Superhighway

Robust Distributed Computing   1        (c) Kenneth P. Birman; 1996
     Conclusions and Final Lecture
• Reliable distributed computing: does it matter?
• Today, look at outcome from 1995 ISAT
  summer study
• Commissioned by DoD ARPA to study non-
  classified issues associated with critical use of
  distributed computing, Birman participated
• Focused on telecommunications, power
  systems, banking and touched on ATC project
Robust Distributed Computing   2    (c) Kenneth P. Birman; 1996
    Critical Distributed Systems
• National security, human safety, revenue
   entrusted to correct operation of information-
   based systems
• Growing dependence: military, government,
   and commercial
• Exposure to intentional and accidental threats
   is a major public concern
... the technology base for highly assured
   distributed computing needs improvement

Robust Distributed Computing   3   (c) Kenneth P. Birman; 1996
                     ISAT findings
  • The systems that matter are often complex,
    unstructured, include COTS components
  • The process of hardening complex systems is
    poorly understood
  • Laboratory successes are not impacting the
    nationally critical technologies
  • The requirement: a practical technology for
    selectively hardening complex systems to
    achieve “high confidence” solutions

Robust Distributed Computing   4     (c) Kenneth P. Birman; 1996
      Vision: A System of Systems
  • There will be a process to relate local
    properties to system-wide properties
  • Critical properties of systems will be
    derived by ensuring robustness properties
    of their components
  • Component interfaces will be augmented
    to include assumptions, guarantees,
    properties as well as functional spec
  • Per-component cost/benefit tradeoffs

Robust Distributed Computing   5   (c) Kenneth P. Birman; 1996
     Client Server Example: Before
• Fault intolerant server
• Unmanaged clients

Robust Distributed Computing   6   (c) Kenneth P. Birman; 1996
       Client Server Example: After
     • Fault tolerant servers
     • Managed clients and communication links
     • Firewall protection

                                          QoS requirements explicit
                          replicate server for fault-tolerance
                                               selective firewall

Robust Distributed Computing         7               (c) Kenneth P. Birman; 1996
 Same technology should work for new
          applications, too
     • Multimedia groupware system used by a set
       of clients, has a media server
     • Goals: security, guarantees of throughput,

                                          QoS requirements explicit
                          replicate server for fault-tolerance
                                               selective firewall
Robust Distributed Computing         8               (c) Kenneth P. Birman; 1996
                          Threat Profile
       • Hackers                    • Design flaws
       • Terrorists                 • Implementation flaws
       • Espionage                  • Mismanagement
       • Organized Crime            • Hardware, software,
       • Disgruntled or               network failures
         malicious insider          • Performance failures
       • Information warfare        • Acts of God

Robust Distributed Computing    9           (c) Kenneth P. Birman; 1996
          The Legacy/COTS Issue

 • Critical systems are large: Millions of lines of
    code, hundreds to thousands of computers
 • Many are built with modern technology, but
    contain substantial pre-developed (“legacy”)
 ... resulting in complex structures in which
    confidence concerns arise late in the game

Robust Distributed Computing   10    (c) Kenneth P. Birman; 1996
     Trends in Telecommunications

• Trends favor introduction of new services into
  “Intelligent Network”
• Users will have virtual private networks,
  customizable service profiles
• Numbers of switches vastly increased as price
  and size scales downward
• Community had a success story in 1980’s

Robust Distributed Computing   11   (c) Kenneth P. Birman; 1996
  ... creating new reliability threats
  • New challenges to robustness: difficulty of
    managing, reconfiguring, protection
  • Explosion in system complexity
  • Mobility making system more dynamic
  • Hackers, service theft emerging as a threat of
    growing proportions

Robust Distributed Computing   12   (c) Kenneth P. Birman; 1996
                State of the art today?
• Irony is that telecommunications was the big
   success story of the 1980’s
• Series of problems lead to an industry-wide
   consensus on reliability and security
• It worked! Telephone system is exceptionally
   reliable today
... but nothing we know today will scale to the
   complexity and sheer size of future systems!
Robust Distributed Computing   13   (c) Kenneth P. Birman; 1996
                         Power Systems
• ISAT study didn’t look at nuclear power plant
  control; focus was on the software that runs
  the switching systems and handles load
  balancing in the overall grid
• Power systems run their own communications
  networks and are self-sufficient
• Use of distributed software systems for control
  is rapidly expanding.
Robust Distributed Computing   14        (c) Kenneth P. Birman; 1996
                         Power Systems
• Trends favor remote control of power systems
  from dialup PC’s
• Ever more dependent on software from a small
  set of vendors (in US, 3 major vendors)
• Less and less “margin” within which to operate
  as companies share power rather than build
  new plants

Robust Distributed Computing   15        (c) Kenneth P. Birman; 1996
 ... and new risks to power grid

  • Increasingly open to attack over network.
    Dialup security depends on security of the
    telecommunications network!
  • Interdependence on remainder of power
    systems grid: nobody knows how “stable” the
    system actually is.
  Could the power grid be shut down over the
    telephone system or the internet?

Robust Distributed Computing   16   (c) Kenneth P. Birman; 1996
                   Air Traffic Control

• Newspapers full of reports on failures
• FAA’s project to replace system stumbled; new
  distributed architecture a victim of failure
• Yet load on the system continues to rise
• “Free flight” likely within ten years
• New concerns about terrorist threats

Robust Distributed Computing   17   (c) Kenneth P. Birman; 1996
                   Air Traffic Control
• Irony here was that the new system set out to
  use the state of the art in distributed computing
  (CASD real-time protocols)
• Somehow, they didn’t scale from the
  laboratory into practical settings
• Technical challenges were only amplified by
  management errors, unestimation of the
  difficulty of solving the problems
Robust Distributed Computing   18   (c) Kenneth P. Birman; 1996
       ... leaving troubling questions
• Why did the new technology effort fail?
• Are we capable of fielding a robust, scalable,
  distributed solution for ATC?
• If so, what practical obstacles account for these
  very visible problems?

Robust Distributed Computing   19   (c) Kenneth P. Birman; 1996
                      The list goes on...
• Medical decision support systems
• Web commerce and digital cash
• Banking systems and stock exchanges
• Environmental monitoring (detect oil spills,
  toxic emissions)
• Weather monitoring
• Earthquake early-warning systems

Robust Distributed Computing   20       (c) Kenneth P. Birman; 1996
  • Emerging “critical” systems are often
    complex, unstructured, include off-the-shelf
    (COTS) components or technologies
  • The process of hardening these sorts of
    complex systems is poorly understood
  • Laboratory successes are not impacting the
    critical technology areas
  • The requirement: a practical technology for
    selectively hardening complex systems to
    achieve “high confidence” solutions
Robust Distributed Computing   21    (c) Kenneth P. Birman; 1996
        Hardening complex systems

  • Characterize essential system robustness
    properties and structure (not necessarily the
    entire system!)
  • Identify and localize vulnerabilities
  • Intervene to harden selected components
  • Exploit methodology to manage and reason
    about hardened system

Robust Distributed Computing   22   (c) Kenneth P. Birman; 1996
             Lego Building Blocks for
                   identify a component or subsystem

Robust Distributed Computing      23            (c) Kenneth P. Birman; 1996
             Lego Building Blocks for
                   wrapped component

     Wrap the component at an appropriate interface.
     Ideally, the underlying code remains unchanged.

     Wrapper may transform component to confer property
                 add new interfaces
                 monitor or control component in some way

Robust Distributed Computing    24           (c) Kenneth P. Birman; 1996
         Potential Wrapper Functions

     •   Virtual fault tolerance
     •   Authentication, data integrity, encryption
     •   Analytic redundancy (behavior checking)
     •   Packet filtering
     •   Service and resource negotiation
     •   Resource use monitoring & management
     •   Type enforcement for access control

Robust Distributed Computing   25      (c) Kenneth P. Birman; 1996
             Lego Building Blocks for
                   wrapped component

                      “Secure fault-tolerance”

      In some cases, more than one wrapper might be needed
     for the same component, or even the same interface.
     For example, a data encryption security wrapper might
     be ``composed’’ with one that does replication for

Robust Distributed Computing      26             (c) Kenneth P. Birman; 1996
             Lego Building Blocks for
                  wrapped component

                       group of replicas (e.g., for fault tolerance)

                             ftol                 REPLICATE FOR
Plug in modules implement
communication or protocol. vsync
The wrapper hides this     encrypt
structure behind the
wrapped interface

Robust Distributed Computing         27               (c) Kenneth P. Birman; 1996
              Lego Building Blocks for
                    Component wrapped for secure fault-tolerance
                      Environment sees group as one entity
                                group semantics (membership, actions,
                                events) defined by stack of modules

Toolkit of                               ftol
plug-and-play                           vsync          sign
modules gives             filter       encrypt
design flexibility
to developer

 Robust Distributed Computing          28             (c) Kenneth P. Birman; 1996
                This looks like Horus!
• Horus illustrates what the concept is about
• Horus may well be a valuable tool in this
  setting (and is intended for that purpose)
• But the need is much broader! Need extends to
  all aspects of reliability, not just groupware
  aspects, and Horus is a research system, while
  the need is for practical tools that work in
  major commercial settings (like Windows!)
Robust Distributed Computing   29   (c) Kenneth P. Birman; 1996
    Plug-in support for wrappers
 • Fault-tolerance through replication, Byzantine
   agreement, behavior checking
 • Security through intelligent filtering, signatures,
   encryption, access control
 • Transactional infrastructure
 • Group communication protocols
 • Layers for enforcing performance needs
 • Layers for monitoring behavior and intervening to
   enforce restrictions, do software fault-isolation
 • Load-sharing within replicated servers
 • Real-time, periodic or synchronized action
Robust Distributed Computing   30       (c) Kenneth P. Birman; 1996
            Example: VLSI FAB line
• Initially a distributed workflow system

                                                      smart FAB
                                                      tools do as told

                                   sends commands

   centralized                 Lacks fault-tolerance
   workflow control
                               Want to retrofit management
                               Protect from external threats
Robust Distributed Computing           31           (c) Kenneth P. Birman; 1996
         Wrapping and specification
• Wrap selected components
• Introduce “whole system” specification

Robust Distributed Computing   32   (c) Kenneth P. Birman; 1996
    Introduce robustness properties
• Augment specification with robustness
  properties desired for subsystems
                manage as
                a group

                                           QoS requirements explicit
                          replicate for fault-tolerance
                                              selective firewall

Robust Distributed Computing         33              (c) Kenneth P. Birman; 1996
And use same base for new systems
• At Cornell, Brian Smith has developed CMT:
  the Continuous Media Toolkit
• CMT was built using Tcl/Tk for PC’s
• With Horus we transformed it into a
  groupware system for multimedia conferencing
  applications in a few weeks!
• Thus same “vision” offers route to harden both
  COTS and also new generations of systems
Robust Distributed Computing   34   (c) Kenneth P. Birman; 1996
           Research Opportunities
• Represent critical system structure as an
  integral step towards a hardened system
• Provide software tools for exploiting this
  information to gradually harden complex
  systems that may include legacy code
• Use specification to verify/validate/simulate
  and to introduce desired properties
• Runtime tools for management and control
• Design tools for creating new survivable
  systems (or adjuncts)
Robust Distributed Computing   35   (c) Kenneth P. Birman; 1996
          Intrusion Management Tools
    • Use enhanced specifications as input to
      system management software
    • Monitor to detect threats and trigger
      responses, not just “routine” behavior
    • Automate enforcement and verification of
      key properties and system state
    • Visualization tools for observing runtime
      system state and dynamic behaviors

Robust Distributed Computing   36   (c) Kenneth P. Birman; 1996
             Related opportunities
• Orders of magnitude speedups for key
  robustness interventions
• Lightweight formal methods for synthesis and
  verification of robustness properties
• Specifications drive simulation and modeling
• New technologies for “in depth” security and
  performance enforcement
• Integrate with enhanced networks offering
  guaranteed quality of service
Robust Distributed Computing   37   (c) Kenneth P. Birman; 1996
       Limitations on the concept

  • The technologies that increase confidence
    embody assumptions, hence may require
    trust in a developer’s “assertions”
  • It may not always be possible to wrap
    components where we need to do so, and
    there may be flaws wrappers can’t fix
  • There may be intrinsic tradeoffs, e.g. fault-
    tolerance versus real-time guarantees

Robust Distributed Computing   38    (c) Kenneth P. Birman; 1996
       Recap of the Technical Vision
         Exploiting enhanced component
            descriptions to build high-
            confidence COTS systems
  • Wrappers: hooks for selective intervention
  • Plug-and-play protocols offer robustness
  • DIW management tools to automate attack
    detection, characterization, response
  • Formal tools to validate designs

Robust Distributed Computing   39   (c) Kenneth P. Birman; 1996
                  Measuring Success
  • Have “numeric” metrics for some properties,
    e.g., fault-tolerance
  • Security is more complex, metrics only for
    some component technologies
  • System robustness demonstrations
      – Pick several medium size systems, e.g. California
        “quake occurring” warning system
      – Identify threat profile, intervene, demonstrate
        enhanced survivability
  • Effective transition the ultimate metric
Robust Distributed Computing   40         (c) Kenneth P. Birman; 1996
                      Missing Science
    • A science for selective intervention in large
      complex systems
    • Compositionality for robustness properties
    • Plug-and-play realizations of key
      technologies in common framework
    • DIW perspective in system management
    • Faster robustness technologies
    • Formal methods for robustness

Robust Distributed Computing   41       (c) Kenneth P. Birman; 1996
                  Motivating Industry
• Today, many vendors view reliability as a
  minor issue
• Must raise the level of dialog and expectations
• If the generally accepted standard rises,
  vendors that don’t work at that level may be
  seen as negligent, potentially at financial risk
• This will also cause the market and hence op-
  portunities for products to grow
Robust Distributed Computing   42   (c) Kenneth P. Birman; 1996
                        Beyond Dialog?
• For particularly critical or sensitive systems,
  may need stronger legal requirements
• Is it appropriate and adequate to simply hope
  that vendors will make systems as reliable,
  secure and safe as possible?
• Need a notion of software product liability in
  critical environments and applications

Robust Distributed Computing   43        (c) Kenneth P. Birman; 1996
  Issue                Today                 +2yrs             +5yrs
   Security         Ad-hoc, weak         Strong wrappers       Generalized
   Availability     Rarely addressed Plug-in fault-            Transparent
                                     tolerance                 solutions
   Formal           Rarely used          Show how              New design-
   methods                                                     analysis tools
   Descriptive      Component IDL        Critical system       Automated
   methods          (e.g., CORBA...)     architecture          enforcement
   Behavior         None                 Show how              Defensive
   profiles                                                    monitoring,
   Middleware       In research labs,    Wrapper               Widespread
   support          not integrated       technology base       availability.
                                         uses plug-in          Robust devel.
                                         technologies          env.

Robust Distributed Computing            44                 (c) Kenneth P. Birman; 1996
     • World faces a serious and growing threat to
       critical infrastructure
     • Raise expectations and pressure on industry
     • Harden by specifying critical structure and
       drawing on a mixture of software,
       methodological and management tools
     • Success yields integrated technology for
       making complex systems robust

Robust Distributed Computing       45        (c) Kenneth P. Birman; 1996

Shared By: