The Specification-Consistent Coordination Model (SCCM)
1 / 27

The Specification-Consistent Coordination Model SCCM and its applications to Byzantine Failures - PowerPoint PPT Presentation

  • Uploaded on

The Specification-Consistent Coordination Model (SCCM) and its applications to Byzantine Failures. The Byzantine Failure Problem. In a large multi-processor, internal breakdowns are expected to be common events.

I am the owner, or an agent authorized to act on behalf of the owner, of the copyrighted work described.
Download Presentation

PowerPoint Slideshow about 'The Specification-Consistent Coordination Model SCCM and its applications to Byzantine Failures' - meg

An Image/Link below is provided (as is) to download presentation

Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author.While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server.

- - - - - - - - - - - - - - - - - - - - - - - - - - E N D - - - - - - - - - - - - - - - - - - - - - - - - - -
Presentation Transcript
Slide1 l.jpg

The Specification-Consistent Coordination Model (SCCM) and its applications to Byzantine Failures

The byzantine failure problem l.jpg
The Byzantine Failure Problem

  • In a large multi-processor, internal breakdowns are expected to be common events.

  • Most of these breakdowns will result in complex behavior where the processor will return incorrect output.

  • Given the source code of the program, we want to be able to detect and recover from such failures.

  • SCCM may be a way to do this.

The goals of sccm l.jpg
The Goals of SCCM

  • SCCM was originally intended as an aid to programmers.

  • It divides the programming task into two stages

    • A Specification that rigorously defines the algorithm.

    • A Coordination, which defines the actual imperative program and associates it with the Specification to ensure correctness.

  • SCCM employs a runtime checker to ensure that the imperative program being executed matches the specification.

Sccm specification l.jpg
SCCM – Specification

  • SCCM defines the algorithm via a functional language.

  • For every piece of information that arises during the algorithm's lifetime, there is a function with a particular argument value to identify it.

  • Example: sum of all the numbers in array A:

    input A[]

    sum(i) = sum(i-1) + A[i]

    output sum(A.length)

  • Each intermediate value is identified by sum(i)

Sccm coordination l.jpg
SCCM – Coordination

  • An imperative version of this program:

    var ImpSum = 0

    Array A[] = {1, 2, 3, 4, 5, 6}

    for i=1 to A.length

    ImpSum = ImpSum + A[i]

    Output ImpSum

  • We can ensure that this program matches the Specification by associating with every value of ImpSum a corresponding identifier sum(i).

Named values l.jpg
Named Values

  • SCCM works by naming each piece of mutable storage with some f(x) from the specification.

  • It maintains correctness by ensuring that when the imperative program overwrites values, it transforms their names in a way consistent with the specification.

  • Because all values have names and names may only be transformed in consistent ways, SCCM ensures that the implementation's control flow is the same as in the specification.

Summation s named values l.jpg
Summation's Named Values

  • In command ImpSum = ImpSum + A[i], we would use the definition of sum() to transform ImpSum's name from sum(i) to sum(i+1).

  • Sum(): sum(i) = sum(i-1) + A[i]

  • ImpSum's values and names:

Fibonacci sequence l.jpg
Fibonacci Sequence

  • The algorithm specification for the Fibonacci Sequence is simple:

    fib(0) = 1

    fib(1) = 1

    fib(i) = fib(i-1) + fib(i-2)

  • An implementation will have to name each of its values with some fib(i) and only use the above rule to transform values.

Fibonacci specification l.jpg
Fibonacci – Specification

  • The source code of the specification of the Fibonacci Sequence algorithm.

The consistency link l.jpg
The Consistency Link

  • Full Application: “A:=fib(0)”

  • Here, fib() is actually called with 0 as the argument and its return value, 1 is assigned to A. fib(0) is now A's name.

  • Fetch Application: “C:=fib(i) <- A”

  • The value and name of A are copied into C. SCCM makes sure that before the copy, A's name is fib(i).

The consistency link 2 l.jpg
The Consistency Link 2

  • Step Application:

    “B:=fib(i+2)|(fib.l1 <-A,

    fib.l2 <-C)”

    • fib() is executed to obtain the value of B.

    • Rather than wastefully recursively calling fib(i+1) and fib(i), SCCM pulls those values from A and C.

    • It ensures that the name in A is fib(i+1) and C's name is f(i).

    • Thus, B gets its value and SCCM ensures that proper control flow was maintained.

Potential coding errors l.jpg
Potential Coding Errors

  • Errors in the imperative program are caught.

  • Example: Setting loop bounds to (0,n) rather than (0, n-1) results in fib(n+1) being output rather than fib(n). SCCM detects this error.

  • In general, it is hard to make errors in both the specification and the coordination that match each other.

Sccm message passing l.jpg
SCCM Message Passing

  • SCCM allows us to create parallel programs via message passing.

  • We can send and receive SCCM named values, with SCCM ensuring global adherence to the specification.

  • Both the Send and the Receive are checked.

Sccm send l.jpg
SCCM – Send

  • Sample Send:

    send n() <- N to <destination>


  • The value of N, named n() is sent out.

  • We can send out single elements or lists of elements.

  • SCCM makes sure that the values sent out actually have the names the Send command claims them to have.

Sccm receive l.jpg
SCCM – Receive

  • Sample Receive:


    match n() := N


  • The value of N, that was sent in the prior slide is received by the target processor.

  • N's value must be named n(), just like in the send.

  • All receives (as far as I can tell) are Receive-Any's.

Another send example l.jpg
Another Send Example

  • Sample send command:

    send a(i, 2*i) <- A(i, i)

    for i in (1,3)

    to <destination>


  • The contents of 3 diagonal elements of A[][] are sent, named a(1,2), a(2,4), a(3,6) to the destination processor.

  • SCCM checks that those are indeed the names in those diagonal elements.

Another receive example l.jpg
Another Receive Example

  • Sample receive command:


    check a(i, 2*i) =: B(i)

    match for i:int in (s,t)


  • The diagonal elements of A[][] are now received.

  • Their names must be the same but they may be saved into some other structure at the target processor. (like the array B[])

Sccm performance l.jpg
SCCM Performance

  • When the same problem is implemented in C, SCCM and SML:

    • SCCM is usually 6-9 time slower than C because of all the runtime checking overhead.

    • SCCM is 50% faster than SML, because SCCM produces imperative programs that do not have SML's functional overheads.

Is sccm useful for programmers l.jpg
Is SCCM useful for Programmers?

  • The amount of time one spends writing a SCCM program is much larger than for a normal program.

  • Arguably, this is less than the amount of time spent on debugging but writing a specification for a large system would be very hard.

  • Most programmers would find it hard to express their algorithms in purely functional notation.

  • Programs in SCCM are several times longer than their equivalents in C.

  • Example: Bubble Sort.

Sccm for byzantine failures l.jpg
SCCM for Byzantine Failures

  • SCCM effectively captures a program's control flow.

  • The price for the programmer is having to write a more complex program that is several times longer.

  • We are trying to design compilers techniques that can verify whether a processor has faithfully executed a program.

  • Thus, the added difficulty does not concern our purposes.

Sccm for byzantine failures22 l.jpg
SCCM for Byzantine Failures

  • We may be able to annotate a program so that after execution it can prove to us that it transformed all of its data according to the original source code.

  • SCCM can be thought of a system for creating problem-specific type systems. Can we create a Linear-Algebra specific type system?

  • Can Model Checking help us determine a program's legal set of data transformations?

Related fields i certification trails l.jpg
Related FieldsI. Certification Trails

  • A Certification Trail is a trail of information a program leaves behind, describing its work.

  • After the first program completes, a second program can use this trail to perform the same computation much more quickly.

  • Thus, the certification trail for a program acts much like a checksum or parity bit for data.

  • Little overhead is required.

  • Problem: Currently this approach requires mostly manual work. No techniques exist for compilers to generate certification trails.

Related fields ii result checking l.jpg
Related FieldsII. Result Checking

  • A subfield of CS Theory dealing with ways to probabilistically verify the correctness of an algorithm's output.

  • Related to Interactive Proofs.

  • Problems:

    • Though the focus is on checkers that are asymptotically faster than the actual algorithm, most solutions are too inefficient to be used in practice.

    • There is no general methodology for generating checkers for problems and most checkers in existence are for obscure and specialized problems.

Related fields iii replication l.jpg
Related FieldsIII. Replication

  • Run the same program on multiple computers. Compare their output to protect from corruption.

  • The only available solution to Byzantine Failures.

  • Very resource inefficient. Most replication-based approaches require 3 times as many resources as unprotected systems.

  • ED4I – run the same program twice with different data to detect permanent and transient faults.

  • BFS – Replicated services. Processors Vote on results. Resilient to f faults by using 3f+1 replicas.