Communication-oriented abstractions such as atomic multicast, group RPC, and protocols for location-independent mobile computing can simplify the development of complex applications built on distributed systems. This paper describes Coyote, a system that supports the construction of highly modular and configurable versions of such abstractions. Coyote extends the notion of protocol objects and hierarchical composition found in existing systems with support for finer-grain objects called micro-protocols that implement individual semantic properties of the target service. A customized service is constructed by selecting micro-protocols based on their semantic guarantees and configuring them together with a standard runtime system to form a composite protocol implementing the service. Micro-protocols within a composite protocol can share data and are executed using an event-driven paradigm that enhances configurability. The overall approach is described and illustrated with exampl...

The project has benefited through some demonstrations and presentations given to people from the computer industry, and the discussions they generated. Of them, mention must be made of Pankaj Mehra of Tandem Labs, Roger Lee, Robert Ferraro and Jagdish Patel of the Jet Propulsion Laboratory, Larry Jack and Chet Markiewicz of Honeywell Inc., and Haim Levendel of Motorola. iii TABLE OF CONTENTS CHAPTER PAGE 1 INTRODUCTION : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : 1 2 RELATED WORK : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : 3 3 CHAMELEON OVERVIEW : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : 14 3.1 Behavioral Overview : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : 15 3.1.1 Initialization of the Chameleon Environment : : : : : : : : : : : : : : : : 15 3.1.2 Interpreting User-Specified Depen

A membership service is used to maintain information about which sites are functioning in a distributed system at any given time. Many such services have been defined, with each implementing a unique combination of properties that simplify the construction of higher levels of the system. Despite this wealth of possibilities, however, any given service only realizes one set of properties, which makes it difficult to tailor the service provided to the specific needs of the application. Here, a configurable membership service that addresses this problem is described. This service is based on decomposing membership into its constituent abstract properties, and then implementing these properties as separate software modules called micro-protocols that can be configured together to produce a customized membership service. A prototype C++ implementation of the membership service for a simulated distributed environment is also described. December 19, 1994 Revised January 9, 1996 Department of ...

Software executing on distributed systems consists of many asynchronous, autonomous components which interact in order to coordinate local activity. The need for such coordination, as well as requirements such as heterogeneity, scalability, security and availability, considerably increase the complexity of code in distributed applications. Moreover, changing requirements, as well as changes in hardware platforms, lead to software that is constantly evolving and complicates reuse. To support development and evolution of distributed applications requires techniques which allow coordination code to be specified, customized, and maintained independently of application components; goals which cannot be realized solely through object-oriented techniques. This thesis demonstrates that meta-level specification of interaction policies enables modular description of component interaction policies, as well as customization of policy implementations. We present the high-level language Dil for spec...

To optimize performance in a fault-tolerant distributed system, it is often necessary to enforce different failure semantics for different components. By choosing a custom set of failure semantics for each component and then by enforcing the semantics with a minimal set of protocols for a particular architecture, performance may be maximized while ensuring the desired system behavior. We have developed DIL, a language for specifying, on a per-component basis, protocols that transparently enforce failure semantics. These protocols may be reused with arbitrary components, allowing the development of a library of protocols. 1 Introduction Although descriptions of dependability protocols in the literature are relatively simple and concise, incorporating the protocols into an application often requires custom routines which intermix code for the application with that of the protocol. Such intermixing significantly increases the complexity of the code. One way to avoid the resulting comple...

The cost of employing software fault-tolerance techniques in distributed systems is strongly related to the type of failures to be tolerated. For example, in terms of the amount of redundancy required and execution time, tolerating a processor crash is much cheaper than tolerating arbitrary (or Byzantine) failures. The tradeoff, of course, is that making stronger assumptions about failures lessens the degree of fault coverage provided by the system. This paper describes an approach to constructing configurable services for distributed systems that allows easy customization of the type of failures to tolerate. For example, using our approach, it is possible to configure custom services across a spectrum of possibilities, from a very efficient but unreliable server group that does not tolerate any failures, to a less efficient but reliable group that tolerates crash, omission, timing, or arbitrary failures. The approach is based on building configurable services as collections o...

The demand for highly available software systems has increased dramatically over the past several years. Such systems must be developed using a discipline that supports unanticipated runtime evolution. We characterize the desiderata of a programming model that provides such support, and describe the design and implementation of an architecture satisfying these criteria. The Dynamic Reconfiguration Subsystem (DRSS) is an interceptor-based open container architecture that supports the development of highly available systems by enabling the scalable, dynamic deployment of cross-cutting software modifications. We have implemented a prototype of DRSS using Microsoft’s.NET Framework.

Many large software systems have different components with varying requirements for robustness and performance. Moreover, dependability requirements often change throughout their software life-cycle. Thus any single dependability technique is insufficient for implementing large systems. Software developers need to be able to modify dependability code without modifying application code. We outline a methodology for the separate development and maintenance of dependability and application codes. The advantage of our methodology is that dependability of each component may be customized and the dependability techniques reused with different application components. We demonstrate that our approach may be implemented efficiently, providing comparable performance to applications with hand-coded dependable behavior. We discuss a run-time system to implement our techniques and some optimizations it uses. 1 Introduction Large dependable applications have different components with varying requi...

This paper presents an overview of the Chameleon architecture for supporting a wide range of criticality requirements in a heterogeneous network environment. Chameleon employs ARMORs--- Adaptive, Reconfigurable, and Mobile Objects for Reliability---to synthesize different fault-tolerant configurations and to maintain run-time adaptation to changes in the fault tolerance requirements of an application. ARMORs have a flexible architecture that allows their composition to be reconfigured at run-time, i.e., the ARMORs may dynamically adapt to changing application requirements. In this paper we focus on the detailed description of the ARMORs architecture, including ARMOR class hierarchy, basic building blocks, ARMOR composition, and use of ARMOR factories. We describe how the ARMORs can be reconfigured and reengineered, and demonstrate how the architecture serves our objective of providing an adaptive software infrastructure. Our experience with an early Chameleon implementation demonstrate...

This paper presents Chameleon, an adaptive software infrastructure for supporting different levels of availability requirements in a heterogeneous networked environment. Chameleon provides dependability through the use of ARMORs---Adaptive, Reconfigurable, and Mobile Objects for Reliability. Three broad classes of ARMORs are defined: Managers, Daemons, and Common ARMORs. Key concepts that support adaptive fault tolerance include the construction of fault tolerance execution strategies from a comprehensive set of ARMORs, the creation of ARMORs from a library of reusable basic building blocks, the dynamic adaptation to changing fault tolerance requirements, and the ability to detect and recover from errors in applications and in ARMORs. 1 Introduction Traditionally, fault tolerance has been provided through dedicated hardware, dedicated software, or a combination of both. Hardware-based fault-tolerant architectures provide high reliability through extensive hardware redundancy and u...