On Development of a Dependable Distributed System
Yinong Chen
Highly Dependable Systems Research Programme, Department of Computer Science, University of the Witwatersrand, Johannesburg, South Africa
phone: +27-11-716 3304, facsimile: +27-11-339 3513
email: yinong@cs.wits.ac.za, http://www.cs.wits.ac.za/~yinong/
Full IFIP Paper in Postscript File
Abstract. Many organisations have started to use the internet to provide service to their clients by allowing limited access to their intranet, a local network within an organisation. The accesses to the intranet from the internet are in fact packets transferred between the two networks. To ensure the security of the intranet, firewalls are usually placed between the internet and the intranet. However, firewalls and other security mechanisms can ensure the security of the intranet only if the underlying computer systems (system software and hardware) are fault-free. This paper reports the development of a dependable real-time system in which software and hardware duplication schemes are used to build a fault-tolerant firewall system that considers both the reliability and the security of the system. The system is developed on an ethernet network of UNIX workstations. The real-time requirement is implemented by a token bus protocol running on the ethernet as well as a real-time scheduler on the UNIX operating system. The high dependability of the system is achieved by a layer of fault-tolerant protocols between the token bus and the application layers. Three fault-tolerant protocols have been implemented: a comparison protocol, a heart beat protocol and a reconfiguration protocol. The comparison protocol checks the outputs of duplicate application tasks; disagreements between duplicate outputs indicate possible faults in the system. The heart beat protocol checks the availability of workstations by sending heart beat signals around them. Fault reports from the comparison protocol and the heart beat protocol are made available to the reconfiguration protocol, which can isolate the faulty machines from the working machines. Currently, a secure and fault-tolerant network is simulated at the application layer. A packet generator on one machine sends data units through a fault-tolerant firewall to a packet collector on another machine. Three copies of the firewall are running simultaneously.
Each incoming packet is hashed to two of the three firewall processes. The decisions of the firewall processes are checked by the comparison protocol. Only when the two duplicate firewall processes agree can the decision be considered valid; otherwise the packet generator is informed to re-send the packet for which the duplicate firewall processes couldn't make a consistent decision. A fault injector that can accelerate the testing process is also implemented in the system.
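The comparison protocol and re-send behaviour described above, as an added simulation that is not the paper's code: three firewall replicas, each packet routed to two of them by a toy hash (an assumption; the real system's hash is not given), a fault injector that flips a replica's verdict, and a disagreement turned into a RESEND plus a fault report for the reconfiguration protocol. The allow-list and packet fields are constructed sample data.

```python
# Constructed simulation of the comparison protocol: three firewall replicas,
# each packet checked by two of them, disagreement -> re-send + fault report.

ALLOWED_PREFIXES = ("10.0.", "192.168.")   # constructed allow-list

def firewall_decision(packet: dict) -> str:
    """Stand-in for the firewall task: allow only listed source prefixes."""
    return "ACCEPT" if packet["src"].startswith(ALLOWED_PREFIXES) else "DROP"

class FaultInjector:
    """Assumed fault model: a faulty replica returns the opposite verdict."""
    def __init__(self, faulty=()):
        self.faulty = set(faulty)

    def apply(self, replica_id: int, verdict: str) -> str:
        if replica_id in self.faulty:
            return "DROP" if verdict == "ACCEPT" else "ACCEPT"
        return verdict

class ComparisonProtocol:
    REPLICAS = 3

    def __init__(self, injector=None):
        self.injector = injector or FaultInjector()
        self.fault_reports = []     # (packet id, replica a, replica b) for reconfiguration

    def choose_pair(self, packet_id: int, attempt: int):
        # Toy hash (assumption): a real system would hash packet content.
        # A re-send carries a new attempt number, so it may land on a different pair.
        h = (packet_id + attempt) % self.REPLICAS
        return h, (h + 1) % self.REPLICAS

    def check(self, packet: dict, attempt: int = 0) -> str:
        a, b = self.choose_pair(packet["id"], attempt)
        va = self.injector.apply(a, firewall_decision(packet))
        vb = self.injector.apply(b, firewall_decision(packet))
        if va == vb:
            return va               # agreement: the decision is valid
        self.fault_reports.append((packet["id"], a, b))
        return "RESEND"             # disagreement: ask the generator to re-send

def deliver(packet: dict, proto: ComparisonProtocol, max_attempts: int = 3):
    """Packet generator side: re-send until two replicas agree or give up."""
    for attempt in range(max_attempts):
        verdict = proto.check(packet, attempt)
        if verdict != "RESEND":
            return verdict, attempt + 1
    return "UNDECIDED", max_attempts
```

Note that a pairwise comparison cannot tell which of the two replicas was wrong; that is why the report names both and leaves isolation to the reconfiguration protocol. Two replicas that fail identically would also agree on a wrong verdict, so a single disagreement-free run is not proof of correctness.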