A Two Tier Approach To Building Dependable Middleware Services

Author

  • P. D. Ezhilchelvan
Abstract

1. Introduction. We consider the problem of building middleware that facilitates service replication over a wide area network (e.g., the Internet) where service replicas are typically placed in different, geographically wide-apart locations. Several group communication protocols have been proposed in the literature; some have even been implemented ([C98, DM96, Moser96, VKM96]). However, many of the implemented services assume that processes fail in a benign manner: either by crashing or by occasionally failing to produce a response. Collected field and experimental data indicate that the benign fault assumption is not robust enough for critical applications: there is a non-negligible risk that faults can cause memory corruption which, before being detected or resulting in a system crash, can cause a process to produce erroneous outputs. Software faults are known to cause data corruption [CC98, SC91]. A paper analyzing software defect reports collected between 1986 and 1989 for the IBM MVS operating system showed that 15% to 25% of faults (referred to as 'overlay faults' in the paper) caused corruption of data [SC91]. Secondly, the impact of these faults was much more serious than that of the remaining faults. Thirdly, only 39% of the overlay faults were detected as addressing violations. A fault injection experiment to determine 'how fail stop are faulty programs' indicated that 7% of failures led to corruption of data [CC98]. Hardware faults can also lead to memory corruption. The design proposal submitted to the US FAA [CDD96] assumed hardware failure modes to be benign, only with a caveat that 'an extensive error detecting/correcting mechanisms be embodied in the chosen hardware components (such as processors, memory, and networking components)'. Enforcing this caveat severely restricts the use of the wide-ranging 'commercial off-the-shelf' (COTS) components available for building cost-effective commercial systems.
If COTS processors are used then, even with extensive error detection facilities, it is very hard to eradicate faults that can cause corruption (see [Stott01] for a comparison between error detection mechanisms and replication in COTS processors). In addition to the possibility of COTS components developing faults of less benign types, there is also a risk that faults can be introduced by adversaries who exploit the inherent security flaws. This cannot be ruled out in the context of service provisioning over a wide area network. It appears therefore that middleware systems, at least in certain application contexts, are expected to cope with Byzantine faults and skilled abuse of inherent security flaws. We attempt to …


Similar resources

Building Middleware for Real-Time Dependable Distributed Services

We consider a real-time, distributed service to be dependable if it continues to have timely, predictable behavior even in the presence of partial failures. Services with this property are desirable in a host of real-time scenarios, including factory floor automation, medical monitoring equipment, and combat systems. Most distributed services built with contemporary fault-tolerance toolkits are...


WSMB: a middleware for enhanced Web services interoperability

Service-Oriented Architecture (SOA) using Web services is considered as the state-of-the-art approach to support interoperability between distributed systems and therefore facilitates complex interactions between heterogeneous and autonomous systems both within the enterprise and for cross-organizational collaboration. Message-based interactions are seen as the core building block in this new d...


Dependable Grid Services: A Case Study with OGSA-DAI

Grid middleware usually makes use of several software modules that due to their complexity and development approach may have some latent bugs and leaks. These bugs can cause visible performance failures and undesired service crashes. To cope with this sort of transient failures we present a proactive software rejuvenation approach that exploits the use of virtualization middleware. To prove the...


Enhancing Availability of Cooperative Applications Through Interoperable Middleware

Cooperative information systems are characterized by distribution, high heterogeneity and scale. Therefore they require interoperable, dependable services on top of which the development of cooperative application can take place. This paper studies, in the context of the Unitary Network of the Italian Public Administration, the problem of increasing the availability of the services exported by ...


Dependable Service Engineering: A Fault-tolerance based Approach

This paper is concerned with the engineering of dependable web services. We have developed an approach based on deploying existing web services within a middleware framework so that they are fault tolerant. Our approach is independent of the services themselves and may be configured to support a range of different fault tolerance mechanisms. Central to the approach are what we call fault tolera...


Two-tier Supplier Base Efficiency Evaluation Via Network DEA: A Game Theory Approach

In today's competitive markets, firms try to reduce their supply cost by selecting efficient suppliers using different techniques. Several methods can be applied to evaluate the efficiency of supplier base. This paper develops generalized network data envelopment analysis models to examine the efficiency of two-tier supplier bases under cooperative and non-cooperative strategies where each tier...




Publication date: 2002