Showing papers by "André Schiper published in 2009"

The Heard-Of model: computing in distributed systems with benign faults

Abstract: Problems in fault-tolerant distributed computing have been studied in a variety of models. These models are structured around two central ideas: (1) degree of synchrony and failure model are two independent parameters that determine a particular type of system, (2) the notion of faulty component is helpful and even necessary for the analysis of distributed computations when faults occur. In this work, we question these two basic principles of fault-tolerant distributed computing, and show that it is both possible and worthy to renounce them in the context of benign faults: we present a computational model based only on the notion of transmission faults. In this model, computations evolve in rounds, and messages missed in a round are lost. Only information transmission is represented: for each round r and each process p, our model provides the set of processes that p “hears of” at round r (heard-of set), namely the processes from which p receives some message at round r. The features of a specific system are thus captured as a whole, just by a predicate over the collection of heard-of sets. We show that our model handles benign failures, be they static or dynamic, permanent or transient, in a unified framework. We demonstrate how this approach leads to shorter and simpler proofs of important results (non-solvability, lower bounds). In particular, we prove that the Consensus problem cannot be generally solved without an implicit and permanent consensus on heard-of sets. We also examine Consensus algorithms in our model. In light of this specific agreement problem, we show how our approach allows us to devise new interesting solutions.

Unifying Byzantine Consensus Algorithms with Weak Interactive Consistency

Abstract: The paper considers the consensus problem in a partially synchronous system with Byzantine processes. In this context, the literature distinguishes authenticated Byzantine faults, where messages can be signed by the sending process (with the assumption that the signature cannot be forged by any other process), and Byzantine faults, where there is no mechanism for signatures (but the receiver of a message knows the identity of the sender). The paper proposes an abstraction called weak interactive consistency (WIC ) that unifies consensus algorithms with and without signed messages. WIC can be implemented with and without signatures. The power of WIC is illustrated on two seminal Byzantine consensus algorithms: the Castro-Liskov PBFT algorithm (no signatures) and the Martin-Alvisi FaB Paxos algorithms (signatures). WIC allows a very concise expression of these two algorithms.

Latency-aware leader election

Abstract: Experimental studies have shown that electing a leader based on measurements of the underlying communication network can be beneficial. We use this approach to study the problem of electing a leader that is eventually not only correct (as captured by the Ω failure detector abstraction), but also optimal with respect to the transmission delays to its peers. We give the definitions of this problem and a suitable model, thus allowing us to make an analytical analysis of the problem, which is in contrast to previous work on that topic.

Highly available trading system: experiments with CORBA

Abstract: The Swiss Exchange system (SWX system) was the first stock exchange system in service to be fully computerised For high availability, the trading system is built as a replicated service based on Isis For portability reasons, the SWX team has considered basing the next version of the trading system on CORBA Despite the numerous advantages of a CORBA based solution, it was necessary not only to meet the functionality requirements of the system, but also to evaluate the performance of the chosen middleware This paper describes a model that simulates the communication behavior of the trading system on Iona's Orbix and OrbixTalk We have evaluated this model in order to illustrate some of the performance limitations of this communication infrastructure We have also studied the fault-tolerance of the system and found that a key aspect in such a system is the state transfer We have extended our model to support different schemes for state transfer Measurements have shown us the conditions under which a state transfer could be performed in the background, concurrently with the normal operations

Relaxed Atomic Broadcast: State-Machine Replication Using Bounded Memory

Abstract: Atomic broadcast is a useful abstraction for implementing fault-tolerant distributed applications such as state-machine replication. Although a number of algorithms solving atomic broadcast have been published, the problem of bounding the memory used by these algorithms has not been given the attention it deserves. It is indeed impossible to solve repeated atomic broadcast with bounded memory in a system (non-synchronous or not equipped with a perfect failure detector) in which consensus is solvable with bounded memory. The intuition behind this impossibility is the inability to safely garbage-collect unacknowledged messages, since a sender process cannot tell whether the destination process has crashed or is just slow.The usual technique to cope with this problem is to introduce a membership service, allowing the exclusion of a slow or silent process from the group and safely discarding unacknowledged messages sent to this process. In this paper,we present a novel solution that does not rely on a membership service. We relax the specification of atomic broadcast so that it can be implemented with bounded memory, while being strong enough to still be useful for applications that use atomic broadcast, e.g., state-machine replication.

Brief announcement: a leader-free byzantine consensus algorithm

Abstract: We consider the consensus problem in a partially synchronous system with Byzantine faults. In a distributed system of n processes, where each process has an initial value, Byzantine consensus is the problem of agreeing on a common value, even though some of the processes may fail in arbitrary, even malicious, ways. It is shown in [11] that — in a synchronous system — 3t + 1 processes are needed to solve the Byzantine consensus problem without signatures, where t is the maximum number of Byzantine processes. In an asynchronous system, Fischer, Lynch and Peterson [7] proved that no deterministic asynchronous consensus protocol can tolerate even a single non-Byzantine (= crash) failure. The problem can however be solved using randomization for benign and Byzantine faults. For Byzantine faults, Ben-Or [2] and Rabin [12] showed that this requires 5t + 1 processes. Later, Bracha [3] increased the resiliency of the randomized algorithm to 3t +1 . In 1988, Dwork, Lynch and Stockmeyer [6], considered an asynchronous system that eventually becomes synchronous (called partially synchronous system). The consensus algorithms proposed in [6], ensure safety in all executions, while guaranteeing liveness only if there exists a period of synchrony. Recently, several papers have considered the partially synchronous system model for Byzantine consensus [4,10,8,1,5]. However, [1,5] point out a potential weakness of these Byzantine consensus algorithms, namely that they suffer from “performance failure”. According to [1], a performance failure occurs when messages are sent slowly by a Byzantine leader, but without triggering protocol timeouts, and the paper points out that the PBFT leader-based algorithm [4] is vulnerable to such an attack. Interestingly, all deterministic Byzantine consensus algorithms for non-synchronous systems are leader-based. This raises the following fundamental question: is it possible to design a deterministic Byzantine consensus algorithm for a partially synchronous system that is not leader-based? With such an algorithm, performance failure of Byzantine processes might be harmless. Results. Our results confirm the existence of a deterministic leader-free Byzantine consensus algorithm in a partially synchronous system that is resilientoptimal and signature-free. We started from the observation that leader-free consensus algorithms exist for the synchronous system, both for benign faults (e.g., the FloodSet algorithm [9]) and for Byzantine faults (e.g., the algorithm based on interactive consistency [11]). However, these algorithms violate agreement if executed during the asynchronous period of a partially synchronous