Security - Telenor
A failure is caused by some type of fault during the execution of an action. When a failure occurs no earlier than action a_i and prior to action a_{i+1}, the recovery action a'_i starts execution.

A simplified and slightly modified version of NAP (hereafter called NAP') is presented here. Whereas the NAP protocol tolerates f fail-stops during a computation, the modified version should tolerate f fail-stops per action-broadcast pair.

Since a mobile agent is represented by many similar agents in the NAP' protocol, write a_{i,j} for the j-th action taken by agent number i for the f + 1 agents in a single NAP' protocol execution. Similarly, the recovery action for the j-th action taken by agent number i is written a'_{i,j}. In the following, the head will refer to the primary process, which is doing the actual agent computation. The tail consists of the remaining backup processes.

It is assumed that the agent execution consists of a series of actions satisfying the following assumptions.

1. At least one action is executed on any given platform.
2. An action may consist of a move to a new platform, possibly entailing movement to a different host.
3. After each completed action, state information is propagated to the backup processes using a reliable broadcast. This state information should be enough for recovery if the subsequent action fails.
4. The actions need not be specifically listed, but are given algorithmic expression.
5. Upon completing an action, reliable broadcast is immediately initiated.
The preconditions of a NAP' execution are the following:

1. The degree of fault-tolerance f ≥ 1 is fixed.
2. The sender has a platform within his domain capable of supporting (part of) a NAP' computation.
3. The 1 + f head and tail processes are initiated at the sender's platform, with the initial state of the head distributed to all tail processes.

By convention, the head is written p_0, and the tail processes are written p_1, ..., p_f. The platform supporting a process p_j is written P_j. Note in particular that it is not necessarily the case that i ≠ j ⇒ P_i ≠ P_j. Note also that P_j changes during the agent execution if the agent ever changes platform. A broadcast message associated with the completion of action i is written b_i.
The NAP' execution itself is carried out by letting the head execute action a_{1,i}, immediately followed by a reliable broadcast of b_i to the tail processes containing the new state information of the head. The head is elected to ensure that the broadcast is delivered to all the tail processes. The broadcast itself proceeds as the one given in [6], but with some differences. The possible outcomes of the broadcast are essentially unchanged:

1. No platform delivers b_i. This happens if either P_0 failed or if p_0's execution of action a_{0,i} somehow failed. One of the tail processes p_j must therefore begin recovery action a'_{j,i}. Immediately after recovery (including the new broadcast) is completed, p_j takes on p_0's role and spawns a new process p_j to take its previous role.
2. The platform P_1 delivers b_i. This happens only if all non-faulty platforms supporting the agent have delivered b_i. The head process p_0 may thus begin executing action a_{0,i+1}.
3. A platform P_j delivers b_{i+1}, but P_0 does not. Thus either P_0 failed or p_0's execution failed somehow before the broadcast terminated. The P_j with the lowest j ≠ 0 such that P_j ≠ P_0 acts as rearguard, and executes the recovery action a'_{j,i+1}. Immediately after recovery (including the new broadcast) is completed, p_j takes on p_0's role and spawns a new process p_j to take its previous role.
The postconditions of a NAP' execution are the following:

1. The head has completed the last action a_{0,n}.
2. The last broadcast has terminated.
3. The head and tail processes have terminated.

This description concentrates on the invocation of the fault-tolerance parts. The broadcast protocol details and other details necessary for a complete implementation should not deviate much from that described in [6].
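The head/tail execution, the recovery path of the broadcast outcomes and the rearguard rule described above can be exercised with the following simulation, an added example that is not part of the original article. It assumes that fail-stops hit only the head process before b_i is delivered (outcome 1), that the recovering process spawns its replacement p_j on its own platform, and that p_1 recovers when every process shares the head's platform; Proc, pick_rearguard and run_nap are names chosen here.

```python
from dataclasses import dataclass
from typing import Callable, Dict, List, Tuple

@dataclass
class Proc:
    pid: int        # j: 0 is the head p_0, 1..f are the tail
    platform: str   # P_j, the platform currently supporting p_j
    state: int      # last state received via reliable broadcast

# An action is (state transform, platform the agent moves to) -- assumption 2.
Action = Tuple[Callable[[int], int], str]

def pick_rearguard(procs: List[Proc]) -> Proc:
    """Rearguard rule from the text: lowest j != 0 with P_j != P_0.
    Assumption: if every tail process shares P_0 (only p_0's execution
    failed, not the platform), p_1 takes on the recovery."""
    for p in procs[1:]:
        if p.platform != procs[0].platform:
            return p
    return procs[1]

def run_nap(actions: List[Action], f: int, failures: Dict[int, int]):
    """Simulate a NAP' execution with 1 + f processes (precondition 3).
    failures maps action index i (1-based) to how many times the head
    fail-stops while executing a_{0,i} before b_i is delivered."""
    procs = [Proc(j, "sender", 0) for j in range(f + 1)]
    log: List[str] = []
    for i, (transform, dest) in enumerate(actions, start=1):
        fails_left = failures.get(i, 0)
        if fails_left > f:   # more than f fail-stops per action-broadcast pair
            raise RuntimeError(f"action {i}: {fails_left} fail-stops exceed f={f}")
        while fails_left > 0:                 # outcome 1: no platform delivers b_i
            fails_left -= 1
            rg = pick_rearguard(procs)
            log.append(f"a_0,{i} failed on {procs[0].platform}; "
                       f"p_{rg.pid} on {rg.platform} recovers")
            # rg takes on p_0's role (its state is the last broadcast b_{i-1});
            # a fresh p_j is spawned on rg's platform in its previous role
            procs[0] = Proc(0, rg.platform, rg.state)
            procs[rg.pid] = Proc(rg.pid, rg.platform, rg.state)
        head = procs[0]
        head.state = transform(head.state)    # a_{0,i}, or recovery a'_{j,i}
        head.platform = dest                  # the action may move the agent
        for p in procs[1:]:                   # reliable broadcast of b_i
            p.state = head.state
        log.append(f"b_{i} delivered to {f} tail processes")
    return procs[0].state, log
```

With f = 2 and two fail-stops during action 2, the log shows p_1 (still on the sender's platform, hence P_1 ≠ P_0) taking over the head role and re-executing the action before b_2 is broadcast.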
5 Confidentiality

Confidentiality is about controlling the ability of any given subject to extract information from an object. Information here is taken in the widest known sense, the information-theoretic sense. There are three basic methods controlling such information extraction:

Telektronikk 3.2000