The Fourth International

ICONS 20091-6 March 2009

Gosier, Guadeloupe/France

Editors

Raimund EgeWalter QuattrociocchiDaniela Dragomirescu

Oana Dini Published by

Sponsored by

Conference on Systems

CONFERENCE INFORMATION

PAPERS BY SESSION

PAPERS BY AUTHOR

SEARCH

GETTING STARTED

TRADEMARKS

Conference Information

2009 Fourth International Conference on Systems

q Prefaceq Program Committeeq Reviewersq Title Page (Book version)q Copyright Page (Book version)q Table of Contents (Book version)q Author Index (Book version)q Publisher's Information (Book version)

Sessions

q ICONS 1: Application-Oriented Systems & Target Oriented Systemsq ICONS 2: Systems’ Theory and Practiceq ICONS 3: Specialized Systemsq ICONS 4: Security and Protection Systems Iq ICONS 5: Security and Protection Systems IIq ICONS 6: Advanced Systemsq ICONS 7: Advanced & Complex Systemsq ICONS 8: Embedded Systems and Systems-on-the-Chipq ICONS 9: System Engineering Iq ICONS 10: System Engineering II & Safety in Industrial Systemsq ICONS 11: Poster Forum

Papers by Session

ICONS 1: Application-Oriented Systems & TargetOriented Systems

q Mobile Agents and Their Ontology Serving a Federated Identity PlatformFarah Layouni and Yann Pollet

q Technologies for the Pseudonymization of Medical Data: A Legal EvaluationThomas Neubauer and Mathias Kolb

q Important Nonverbal Attributes for Spontaneous Speech RecognitionJana Klečková

q Evaluation of Tasks Scheduling Algorithms in Multi-core and Multi-queuingEnvironments Using System MESMS2

Bartosz Czajka and Iwona Pozniak-Koszalka

Papers by Session

ICONS 2: Systems’ Theory and Practice

q Fault Management for Secure Embedded SystemsMiroslav Sveda

q Improving the Sensitivity of Deadlines with a Specific Asynchronous Scenario for Harmonic Periodic Tasks scheduled by FP

P. Meumeu Yomsi, Y. Sorel, D. de Rauglaudre, and L. George

q Low Cost RT Process Control Using Windows PLC by MATLAB/Simulink Throwthe REX Control System by Secured Wireless Network

Ondrej Krejcar and Petr Konarik

q Ideas on System Thinking and Acting: Basic Issues, Aporetic Constructs and Application of the Metanoia Principle

Thomas J. Vlk

Papers by Session

ICONS 3: Specialized Systems

q IMS Vertical Handover Optimization Based on Network ResourcesClaudia Arezio Ricardo

q Implicit Adaptation of User Preferences in Pervasive SystemsSarah McBurney, Elizabeth Papadopoulou, Nick Taylor, and M. Howard Williams

q Power Saving of Real Time Embedded Sensor for Medical Remote MonitoringFrédéric Fauberteau, Serge Midonnet, and Dan Istrate

q Modified Multi-layer Feedback Delay Network for Auditory Space SimulationMiroslav Balík

Papers by Session

ICONS 4: Security and Protection Systems I

q System Dynamics Based Risk Management for Distributed Information SystemsDenis Trček

q Ontology-Based Decision Support for Information Security Risk ManagementAndreas Ekelhart, Stefan Fenz, and Thomas Neubauer

q Multi-sensor Logical Decision Making in the Single Location Surveillance PointSystem

Mikko Nieminen, Tomi Räty, and Mikko Lindholm

q Authentication and Billing Framework for Service Oriented ArchitectureTripuresh Pandey, Brijmohan Singh, D. S. Kushwaha, and A. K. Misra

Papers by Session

ICONS 5: Security and Protection Systems II

q An Integrated System for Border SurveillanceBarbara Essendorfer, Eduardo Monari, and Heiko Wanning

q Extracting Value from P2P Content DeliveryRaimund K. Ege, Li Yang, and Richard Whittaker

q Authentication Protocol in Mobile RFID NetworkMing Hour Yang and Jia-Ning Luo

q Attribute-Based Access Control in an Adaptive Hypermedia SystemPedro Ballesteros and Yezid Donoso

Papers by Session

ICONS 6: Advanced Systems

q A Multiple Criteria Decision-Making Method for Enterprise Supply Chain FinanceCooperative Systems

Liu Xiang

q Assessing - Learning - Improving, an Integrated Approach for Self Assessmentand Process Improvement Systems

Dirk Malzahn

q Adaptive Real-Time Video Streaming System for Best-Effort IP NetworksLassi Lehikoinen and Tomi Räty

q Resource Discovery with Dynamic Matchmakers in Ad Hoc GridTariq Abdullah, Lotfi Mhamdi, Behnaz Pourebrahimi, and Koen Bertels

Papers by Session

ICONS 7: Advanced & Complex Systems

q Runtime Diversity against Quasirandom FaultsAndreas Gerstinger

q The Integrated Unit for MEMS Based Pressure MeasurementJ. Haze, R. Vrba, and M. Pavlik

q Utilization of the Fuzzy Theory in the Adaptive Hypermedia SystemsAlyne Oliveira da Silva, Fernanda Alonso, Lilian Márcia Ferraz,Valéria Farinazzo Martins Salvador, and Rosimeire Aparecida Jerônimo

q Nine Robot´s Morris: A Challenge for Self-Organizing Robot TeamsH. Juergen Mueller

Papers by Session

ICONS 8: Embedded Systems and Systems-on-the-Chip

q Support for Programming Embedded Software with Dynamically TypedLanguages

Harald Krapfenbauer, Dominik Ertl, Hermann Kaindl, and Jürgen Falb

q The System for Detecting Lead in SoldersMachan Ladislav and Pavel Steffan

q FPGA Based High Date Rate Radio Interfaces for Aerospace Wireless SensorSystems

Julien Henaut, Daniela Dragomirescu, and Robert Plana

q Bandpass Sigma-Delta Modulator for Sensor Signal ProcessingLukáš Fujcik and Radimír Vrba

Papers by Session

ICONS 9: System Engineering I

q Defining Requirements for an Incident Management System: A Case StudyMarko Jäntti

q Signature Matching Applied to Simulation/Frame DualityVincent Albert and Alexandre Nketsa

q Production Quality Modeling Based on Regression Rules Extracted from TrainedArtificial Neural Networks

Yan Ning, Min Li, Jianhong Yang, and Kunyin Meng

q Integrated Circuits 3D Silicon IntegrationT. Chammah and T. Giuma

Papers by Session

ICONS 10: System Engineering II & Safety in IndustrialSystems

q Using Sysml to Describe a New Methodology for Semiautomatic SoftwareGeneration from Inferred Behavioral and Data Models

Ignacio González Alonso, M. P. Almudena García Fuente, and J. A. L. Brugos

q Iterative Requirements Engineering and Architecting in Systems EngineeringHermann Kaindl, Edin Arnautovic, Dominik Ertl, and Jürgen Falb

q Collaboration Strategies for Distributed Teams: A Case Study of CAD SystemsIntegration

Kurt E. Madsen

q Modeling System Safety Requirements Using Input/Output ConstraintMeta-automata

Zhe Chen and Gilles Motet

Papers by Session

ICONS 11: Poster Forum

q Use of Magnetic Resonance to Determine the Circumference of Radial Slices of Norway Spruce

Karel Bartusek, Eva Gescheidtova, Lucie Homolova, and Zdenek Dokoupil

q Data Processing in Studying the Growth of Early Spruce Embryos, Using MRImaging Techniques

Karel Bartusek, Eva Gescheidtova, Rene Kizek, and Zdenek Dokoupil

q Implementation of Intrusion Detection System for Automation Devices within Virtual Automation Network

Radek Kuchta, Jaroslav Kadlec, and Radimír Vrba

q Whole Brain CT Perfusion MapsPetr Maule, Jana Klečková, and Vladimír Rohan

q Ontology Driven E-GovernmentBernd Stadlhofer, Peter Salhofer, and Gerald Tretter

Papers by Author

Aq Abdullah, Tariqq Albert, Vincentq Alonso, Fernandaq Alonso, Ignacio Gonzálezq Arnautovic, Edin

Bq Balík, Miroslavq Ballesteros, Pedroq Bartusek, Karelq Bertels, Koenq Brugos, J. A. L.

Cq Chammah, T.

q Chen, Zheq Czajka, Bartosz

Dq Dokoupil, Zdenekq Donoso, Yezidq Dragomirescu, Daniela

Eq Ege, Raimund K.q Ekelhart, Andreasq Ertl, Dominikq Essendorfer, Barbara

Fq Falb, Jürgenq Fauberteau, Frédéric

Papers by Author

q Fenz, Stefanq Ferraz, Lilian Márciaq Fuente, M. P. Almudena Garcíaq Fujcik, Lukáš

Gq George, L.q Gerstinger, Andreasq Gescheidtova, Evaq Giuma, T.

Hq Haze, J.q Henaut, Julienq Homolova, Lucie

Iq Istrate, Dan

Jq Jäntti, Markoq Jerônimo, Rosimeire Aparecida

Kq Kadlec, Jaroslavq Kaindl, Hermannq Kizek, Reneq Klečková, Janaq Kolb, Mathiasq Konarik, Petrq Krapfenbauer, Haraldq Krejcar, Ondrej

Papers by Author

q Kuchta, Radekq Kushwaha, D. S.

Lq Ladislav, Machanq Layouni, Farahq Lehikoinen, Lassiq Li, Minq Lindholm, Mikkoq Luo, Jia-Ning

Mq Madsen, Kurt E.q Malzahn, Dirkq Maule, Petrq McBurney, Sarahq Meng, Kunyin

q Mhamdi, Lotfiq Midonnet, Sergeq Misra, A. K.q Monari, Eduardoq Motet, Gillesq Mueller, H. Juergen

Nq Neubauer, Thomasq Nieminen, Mikkoq Ning, Yanq Nketsa, Alexandre

Pq Pandey, Tripureshq Papadopoulou, Elizabethq Pavlik, M.

Papers by Author

q Plana, Robertq Pollet, Yannq Pourebrahimi, Behnazq Pozniak-Koszalka, Iwona

Rq Räty, Tomiq Rauglaudre, D. deq Ricardo, Claudia Arezioq Rohan, Vladimír

Sq Salhofer, Peterq Salvador, Valéria Farinazzo Martinsq Silva, Alyne Oliveira daq Singh, Brijmohanq Sorel, Y.

q Stadlhofer, Berndq Steffan, Pavelq Sveda, Miroslav

Tq Taylor, Nickq Trček, Denisq Tretter, Gerald

Vq Vlk, Thomas J.q Vrba, R.q Vrba, Radimír

Wq Wanning, Heikoq Whittaker, Richard

Papers by Author

q Williams, M. Howard

Xq Xiang, Liu

Yq Yang, Jianhongq Yang, Liq Yang, Ming Hourq Yomsi, P. Meumeu

Papers by Author

Abdullah, Tariqq Resource Discovery with Dynamic Matchmakers in Ad Hoc Grid

Albert, Vincentq Signature Matching Applied to Simulation/Frame Duality

Alonso, Fernandaq Utilization of the Fuzzy Theory in the Adaptive Hypermedia Systems

Alonso, Ignacio Gonzálezq Using Sysml to Describe a New Methodology for Semiautomatic Software

Generation from Inferred Behavioral and Data Models

Arnautovic, Edinq Iterative Requirements Engineering and Architecting in Systems Engineering

Papers by Author

Balík, Miroslavq Modified Multi-layer Feedback Delay Network for Auditory Space Simulation

Ballesteros, Pedroq Attribute-Based Access Control in an Adaptive Hypermedia System

Bartusek, Karelq Use of Magnetic Resonance to Determine the Circumference of Radial Slices

of Norway Spruceq Data Processing in Studying the Growth of Early Spruce Embryos, Using MR

Imaging Techniques

Bertels, Koenq Resource Discovery with Dynamic Matchmakers in Ad Hoc Grid

Papers by Author

Brugos, J. A. L.q Using Sysml to Describe a New Methodology for Semiautomatic Software

Generation from Inferred Behavioral and Data Models

Chammah, T.q Integrated Circuits 3D Silicon Integration

Chen, Zheq Modeling System Safety Requirements Using Input/Output Constraint

Meta-automata

Czajka, Bartoszq Evaluation of Tasks Scheduling Algorithms in Multi-core and Multi-queuing

Environments Using System MESMS2

Papers by Author

Dokoupil, Zdenekq Use of Magnetic Resonance to Determine the Circumference of Radial Slices

of Norway Spruceq Data Processing in Studying the Growth of Early Spruce Embryos, Using MR

Imaging Techniques

Donoso, Yezidq Attribute-Based Access Control in an Adaptive Hypermedia System

Dragomirescu, Danielaq FPGA Based High Date Rate Radio Interfaces for Aerospace Wireless Sensor

Systems

Ege, Raimund K.q Extracting Value from P2P Content Delivery

Papers by Author

Ekelhart, Andreasq Ontology-Based Decision Support for Information Security Risk Management

Ertl, Dominikq Support for Programming Embedded Software with Dynamically Typed

Languagesq Iterative Requirements Engineering and Architecting in Systems Engineering

Essendorfer, Barbaraq An Integrated System for Border Surveillance

Falb, Jürgenq Support for Programming Embedded Software with Dynamically Typed

Languagesq Iterative Requirements Engineering and Architecting in Systems Engineering

Papers by Author

Fauberteau, Frédéricq Power Saving of Real Time Embedded Sensor for Medical Remote Monitoring

Fenz, Stefanq Ontology-Based Decision Support for Information Security Risk Management

Ferraz, Lilian Márciaq Utilization of the Fuzzy Theory in the Adaptive Hypermedia Systems

Fuente, M. P. Almudena Garcíaq Using Sysml to Describe a New Methodology for Semiautomatic Software

Generation from Inferred Behavioral and Data Models

Fujcik, Lukášq Bandpass Sigma-Delta Modulator for Sensor Signal Processing

Papers by Author

George, L.q Improving the Sensitivity of Deadlines with a Specific Asynchronous Scenario

for Harmonic Periodic Tasks scheduled by FP

Gerstinger, Andreasq Runtime Diversity against Quasirandom Faults

Gescheidtova, Evaq Use of Magnetic Resonance to Determine the Circumference of Radial Slices

of Norway Spruceq Data Processing in Studying the Growth of Early Spruce Embryos, Using MR

Imaging Techniques

Giuma, T.q Integrated Circuits 3D Silicon Integration

Papers by Author

Haze, J.q The Integrated Unit for MEMS Based Pressure Measurement

Henaut, Julienq FPGA Based High Date Rate Radio Interfaces for Aerospace Wireless Sensor

Systems

Homolova, Lucieq Use of Magnetic Resonance to Determine the Circumference of Radial Slices

of Norway Spruce

Istrate, Danq Power Saving of Real Time Embedded Sensor for Medical Remote Monitoring

Jäntti, Markoq Defining Requirements for an Incident Management System: A Case Study

Papers by Author

Jerônimo, Rosimeire Aparecidaq Utilization of the Fuzzy Theory in the Adaptive Hypermedia Systems

Kadlec, Jaroslavq Implementation of Intrusion Detection System for Automation Devices

within Virtual Automation Network

Kaindl, Hermannq Support for Programming Embedded Software with Dynamically Typed

Languagesq Iterative Requirements Engineering and Architecting in Systems Engineering

Kizek, Reneq Data Processing in Studying the Growth of Early Spruce Embryos, Using MR

Imaging Techniques

Papers by Author

Klečková, Janaq Important Nonverbal Attributes for Spontaneous Speech Recognitionq Whole Brain CT Perfusion Maps

Kolb, Mathiasq Technologies for the Pseudonymization of Medical Data: A Legal Evaluation

Konarik, Petrq Low Cost RT Process Control Using Windows PLC by MATLAB/Simulink Throw

the REX Control System by Secured Wireless Network

Krapfenbauer, Haraldq Support for Programming Embedded Software with Dynamically Typed

Languages

Papers by Author

Krejcar, Ondrejq Low Cost RT Process Control Using Windows PLC by MATLAB/Simulink Throw

the REX Control System by Secured Wireless Network

Kuchta, Radekq Implementation of Intrusion Detection System for Automation Devices

within Virtual Automation Network

Kushwaha, D. S.q Authentication and Billing Framework for Service Oriented Architecture

Ladislav, Machanq The System for Detecting Lead in Solders

Layouni, Farahq Mobile Agents and Their Ontology Serving a Federated Identity Platform

Papers by Author

Lehikoinen, Lassiq Adaptive Real-Time Video Streaming System for Best-Effort IP Networks

Li, Minq Production Quality Modeling Based on Regression Rules Extracted from Trained

Artificial Neural Networks

Lindholm, Mikkoq Multi-sensor Logical Decision Making in the Single Location Surveillance Point

System

Luo, Jia-Ningq Authentication Protocol in Mobile RFID Network

Papers by Author

Madsen, Kurt E.q Collaboration Strategies for Distributed Teams: A Case Study of CAD Systems

Integration

Malzahn, Dirkq Assessing - Learning - Improving, an Integrated Approach for Self Assessment

and Process Improvement Systems

Maule, Petrq Whole Brain CT Perfusion Maps

McBurney, Sarahq Implicit Adaptation of User Preferences in Pervasive Systems

Papers by Author

Meng, Kunyinq Production Quality Modeling Based on Regression Rules Extracted from Trained

Artificial Neural Networks

Mhamdi, Lotfiq Resource Discovery with Dynamic Matchmakers in Ad Hoc Grid

Midonnet, Sergeq Power Saving of Real Time Embedded Sensor for Medical Remote Monitoring

Misra, A. K.q Authentication and Billing Framework for Service Oriented Architecture

Monari, Eduardoq An Integrated System for Border Surveillance

Papers by Author

Motet, Gillesq Modeling System Safety Requirements Using Input/Output Constraint

Meta-automata

Mueller, H. Juergenq Nine Robot´s Morris: A Challenge for Self-Organizing Robot Teams

Neubauer, Thomasq Technologies for the Pseudonymization of Medical Data: A Legal Evaluationq Ontology-Based Decision Support for Information Security Risk Management

Nieminen, Mikkoq Multi-sensor Logical Decision Making in the Single Location Surveillance Point

System

Papers by Author

Ning, Yanq Production Quality Modeling Based on Regression Rules Extracted from Trained

Artificial Neural Networks

Nketsa, Alexandreq Signature Matching Applied to Simulation/Frame Duality

Pandey, Tripureshq Authentication and Billing Framework for Service Oriented Architecture

Papadopoulou, Elizabethq Implicit Adaptation of User Preferences in Pervasive Systems

Pavlik, M.q The Integrated Unit for MEMS Based Pressure Measurement

Papers by Author

Plana, Robertq FPGA Based High Date Rate Radio Interfaces for Aerospace Wireless Sensor

Systems

Pollet, Yannq Mobile Agents and Their Ontology Serving a Federated Identity Platform

Pourebrahimi, Behnazq Resource Discovery with Dynamic Matchmakers in Ad Hoc Grid

Pozniak-Koszalka, Iwonaq Evaluation of Tasks Scheduling Algorithms in Multi-core and Multi-queuing

Environments Using System MESMS2

Papers by Author

Räty, Tomiq Multi-sensor Logical Decision Making in the Single Location Surveillance Point

Systemq Adaptive Real-Time Video Streaming System for Best-Effort IP Networks

Rauglaudre, D. deq Improving the Sensitivity of Deadlines with a Specific Asynchronous Scenario

for Harmonic Periodic Tasks scheduled by FP

Ricardo, Claudia Arezioq IMS Vertical Handover Optimization Based on Network Resources

Rohan, Vladimírq Whole Brain CT Perfusion Maps

Papers by Author

Salhofer, Peterq Ontology Driven E-Government

Salvador, Valéria Farinazzo Martinsq Utilization of the Fuzzy Theory in the Adaptive Hypermedia Systems

Silva, Alyne Oliveira daq Utilization of the Fuzzy Theory in the Adaptive Hypermedia Systems

Singh, Brijmohanq Authentication and Billing Framework for Service Oriented Architecture

Sorel, Y.q Improving the Sensitivity of Deadlines with a Specific Asynchronous Scenario

for Harmonic Periodic Tasks scheduled by FP

Papers by Author

Stadlhofer, Berndq Ontology Driven E-Government

Steffan, Pavelq The System for Detecting Lead in Solders

Sveda, Miroslavq Fault Management for Secure Embedded Systems

Taylor, Nickq Implicit Adaptation of User Preferences in Pervasive Systems

Trček, Denisq System Dynamics Based Risk Management for Distributed Information Systems

Papers by Author

Tretter, Geraldq Ontology Driven E-Government

Vlk, Thomas J.q Ideas on System Thinking and Acting: Basic Issues, Aporetic Constructs

and Application of the Metanoia Principle

Vrba, R.q The Integrated Unit for MEMS Based Pressure Measurement

Vrba, Radimírq Bandpass Sigma-Delta Modulator for Sensor Signal Processingq Implementation of Intrusion Detection System for Automation Devices

within Virtual Automation Network

Papers by Author

Wanning, Heikoq An Integrated System for Border Surveillance

Whittaker, Richardq Extracting Value from P2P Content Delivery

Williams, M. Howardq Implicit Adaptation of User Preferences in Pervasive Systems

Xiang, Liuq A Multiple Criteria Decision-Making Method for Enterprise Supply Chain Finance

Cooperative Systems

Yang, Jianhongq Production Quality Modeling Based on Regression Rules Extracted from Trained

Artificial Neural Networks

Papers by Author

Yang, Liq Extracting Value from P2P Content Delivery

Yang, Ming Hourq Authentication Protocol in Mobile RFID Network

Yomsi, P. Meumeuq Improving the Sensitivity of Deadlines with a Specific Asynchronous Scenario

for Harmonic Periodic Tasks scheduled by FP

Papers by Author

A B C D E F G

H I J K L M N

O P Q R S T U

V W X Y Z

Runtime Diversity against Quasirandom Faults

Andreas Gerstinger Institute of Computer Technology, University of Vienna, Austria

gerstinger@ict.tuwien.ac.at

Keywords: Fault Tolerance, Fault Detection, Diversity, Faults, Failures, Software Reliability

Abstract

Complex software based systems that have to be highly reliable, are increasingly confronted with fault types whose corresponding failures appear to be random, although they have a systematic cause. This paper introduces and defines these "quasirandom" faults. They have certain inconvenient common pro-perties such as their difficulty to be reproduced, their strong state dependence and their likelihood to be found in operational systems after testing. However, these faults are also likely to be detected or tolerated with the help of diversity in software, and even low level diversity which can be achieved during runtime is a promising means against them. The result suggests, that runtime diversity can improve software reliability in complex systems. 1. Introduction

It has been first mentioned by Jim Gray in [1], that software systems exhibit specific failures which dis-appear after a reset. The faults causing these failures are the only vaguely defined "Heisenbugs". Gray has detected these faults in systems that were highly com-plex for that time.

Software systems are continuing to get more complex and they grow in size. This can, for example,

be seen on the number of lines of code in operating systems. Two popular operating systems, Windows and Linux, are both continuing to grow in size which suggests that these faults should not be neglected in such systems.

Not just software, but also hardware is getting in-creasingly complex. Modern CPUs possess features such as pipelines, branch prediction and several levels of caches, which all make predictions especially con-cerning the timing behavior difficult. These features introduce a certain level of perceived indeterminism. The complexity of hardware also increases in terms of numbers of transistors per CPU. In a recent issue of IEEE Spectrum [2], all quoted experts predict the con-tinuation of Moore's Law (which predicts a doubling of transistors every 1-2 years) for at least the next 10-30 years.

With the advance of multi-core processors, the software is expected to introduce another level of com-plexity, as soon as programs are optimized to work on parallel processors.

This paper uses the terminology as introduced in [3], with a fault being the adjudged or hypothesized cause of an error, the error being is the part of the total state of the system that may lead to its subsequent (service) failure, and a failure being the event that occurs when the delivered service deviates from

Figure 1 – Fault spectrum

correct service. This failure chain can then be described as a

succession of faults, errors and failures: A fault in a system is activated and causes an error within the sys-tem state, which then propagates to become a failure.

2. Quasirandom Faults

A typical distinction between faults is the dis-tinction between random and systematic faults. The crucial difference is that random faults are caused by environmental conditions which are only predictable statistically, and systematic faults are inherent in the design and exactly predictable once the fault is known. The distinction is not as clear as it appears at first glance, as there are faults which fall in-between these two extremes. Therefore, faults can be depicted along a fault spectrum (Figure 1).

True random faults do not exist in software, but faults and their corresponding failures sometimes appear to be random, and have characteristics which resemble random hardware faults. They are somehow related to Heisenbugs [1], but the term Heisenbugs suggests that they modify their behavior when "looking" at them – which not the case. They are also linked to aging-related faults as described in [4]. How-ever, they are not exclusively related to aging, but they can occur at any time. We will call these faults "quasi-random faults". The properties of these quasirandom faults are:

(1) difficult to reproduce (2) difficult to be found by testing (3) depend strongly on state of system (4) predictable only statistically The first observation is that the distinction between

systematic and quasirandom software faults is not sharp, so that faults do not fall unambiguously in one of the categories. There is no strict dividing line in the fault spectrum between systematic and also quasiran-dom faults. However, the more of the properties above are fulfilled, the more the fault is in the quasirandom area of the spectrum.

The difficulty of reproduction (1) is based on the fact that the occurrence of the faults depends on many state and input variables and/or their timing, which rarely reoccur in exactly this combination. Due to this fact, testing is not always effective in finding them. If such a failure is observed during testing, it cannot be repeated, and therefore the fault which is the cause cannot be tracked down (2). This also leads to the fact that faults in operational systems are likely to be more of the quasirandom type, since a mature testing process is very effective at finding systematic faults. Quasiran-dom faults are likely to depend strongly on the internal state of the system, and less on the input variables (3). Therefore, although if the apparently same usage situation is reconstructed, the fault may not reappear. Finally, due to the fact that from a phenomenological point of view quasirandom faults in software and ran-dom faults in hardware are similar, probabilistic models are best suited for their prediction (4).

Examples for quasirandom faults which possess the properties described above are:

Race conditions: Faults depending on the exact timing of two or more events.

Resource depletion: Faults caused by the depletion of some resource.

Accumulation of floating point errors: Faults which occur after accumulation of a sufficient

Input parameter I1

Input parameter I2

Input parameter I3

State parameter S1

State parameter S2

State parameter S3

Input parameter I1

Input parameter I2

Fault 1(systematic)

Failure 1 Failure 2

Fault 2(quasirandom)

Figure 2 – Illustration of systematic vs. quasirandom fault

number of small rounding errors. Data corruption faults: Faults which are due to

successive corruption of data structures. Overflow faults: Faults which occur due to

some overflow or re-initialization of a data structure or value.

In summary, all these faults depend more on the state than on the inputs to a software system, and they depend on complex and rarely occurring combinations of state variables. This can be illustrated as shown in Figure 2. On the left, a typical systematic fault is sym-bolized. The systematic fault causes a failure, every time two specific input variables have a specific value. Therefore, this fault can easily be tracked down. On the right side of the figure, a quasirandom fault is sym-bolized. It depends not only on input parameters, but also on state parameters, and is triggered only if all are aligned in a very specific configuration.

The fact that system complexity – and therefore the state – grows in size and also other aspects such as the amount of parallelism suggests that quasirandom faults will become more prominent, and will increasingly in-fluence a software system's reliability. Due to the fact that quasirandom faults are unlikely to be removed by testing, we have to be able to cope with the occurrence of such faults during runtime.

3. Runtime Diversity

In systems where quasirandom faults are prominent, runtime diversity is an effective means against them. This argument can be made based on the following reasoning.

Diversity is not limited to the traditional "N version programming" (NVP) style of diversity as described in [3]. There are novel ways on how diversity can be introduced. NVP and design diversity is normally achieved by having multiple development teams develop multiple versions of functionally equivalent software (i.e. according to the same specification). The expectation is, that these diverse software versions contain different faults.

In general, diversity such as NVP is criticized frequently. The problem is, that expectations are too high. The objective of total independence between two developed versions cannot be achieved with the help of diversity, since people tend to make similar errors. There have been several discussions on the usefulness on diversity, with proponents and oppo-nents voicing their opinions enthusiastically [5]. The arguments against diversity are still valid and have not changed in the context of modern systems. The argu-ments in favor of diversity, however, have changed, because of the following facts:

Systems are becoming more complex, which increases the potential for introducing diversity. For example, a multi-layered system allows the introduction of diversity on several layers, such as the hardware, the operating system and the application.

Indeterminism increases in systems, which makes it easier to introduce diversity, since systems become more susceptible to small changes.

The use of automatic code generation becomes more widespread, which makes the automated introduction of diversity possible. One possibility might be the use of two different compilers.

The crucial point is that high complexity – the prime reason for the prevalence of quasirandom faults – also provides the possibility to introduce diversity in many aspects. Quasirandom faults are activated and lead to failures only in rare and difficult to reproduce cases. Hence it is unlikely that a diverse system is in the same state and triggers the same fault at the same time.

Such diversity can be introduced during the runtime of the system, with the intention to maximize the differences in the internal states of a diverse system configuration. Runtime diversity does not influence the faults in systems, but influences the fault activation process, such that failures occur in only one channel of the diverse system, or at least at different times in the two channels.

Runtime diversity is – compared to development di-versity – more cost efficient, since there is no need for duplicated software development. On the other hand, the faults that can be handled by runtime diversity are different. Typical systematic faults due to program-ming faults are not likely to be tolerated with runtime diversity. Runtime diversity can be inherent or en-forced.

3.1 Enforced Runtime Diversity

Enforced runtime diversity is the type of runtime di-versity which arises as a result of intentional diversity enhancing decisions during runtime. These decisions can be manifold, but they are all geared towards di-versifying the inputs to and the state of redundant com-ponents.

The input can be diversified by presenting two re-dundant components with different inputs, such as adding a small ε if floating point values are involved or intentionally modifying timing sequences in two re-dundant systems. Another possibility is to modify all inputs to semantically identical inputs if the input

allows this (e.g. by applying DeMorgan's laws to Boolean expressions). The state can be diversified by configuring a system differently, such that internal variables and data structures are different.

3.2 Inherent Runtime Diversity

Inherent runtime diversity is the same as enforced runtime diversity, except that it develops naturally without explicitly needing to enforce it. The property of inherent runtime diversity is possessed by all sys-tems which contain some degree of indeterminism. For example, whenever asynchronous external events take place, e.g. asynchronous interrupts coming from the environment (such as input via network interfaces), the exact timing is not under the control of the system. Two redundant computer systems always receive these interrupts at slightly different times. This causes the execution path to be interrupted during different oper-ations. This, in turn, leads to the fact that the two re-dundant systems are now in a different state and possess a certain degree of state diversity.

3.3 Runtime Diversity Example

A possible candidate for runtime diversity to in-crease reliability is a modern complex operating system such as GNU/Linux. Figure 3 shows a redun-dant system configuration with a diversified operating system. An operating system possesses inherent run-time diversity, due to the interaction with its environ-ment. Even if no intentional diversity enhancing de-cisions are made, due to the inherent indeterminism, the state of the system can differ considerably every time such a system is started. The boot process already possesses sufficient complexity, that it does not always follow the same paths. Therefore, a certain amount of inherent runtime diversity is already achieved auto-matically.

The following aspects are some examples of what could be diversified intentionally in operating systems, in order to achieve enforced runtime diversity:

Init sequence during booting Various memory sizes for data structures

Timing when system calls are invoked The more diverse the state of the operating systems

in a redundant configuration, the more likely it is that quasirandom faults in the operating systems occur in only one of the diverse systems.

4. Conclusion and Outlook

The main argument of this paper is that quasiran-dom faults are prominent in complex systems, and that runtime diversity is a promising means against exactly this important class of faults. However, the evidence of the effectiveness is still mostly qualitative and not quantitative. This is partly due to the fact that quasi-random faults are hard to simulate, so that fault in-jection experiments for quasirandom faults are very hard to conduct.

However, since many systems are redundant already simply to be more resistant against hardware faults, the introduction of runtime diversity in com-puter systems can only make such systems more reliable with respect to quasirandom faults – this po-tential should always be considered.

References [1] Jim Gray. Why do computers stop and what can be done

about it. Tandem Computers Technical Report 85.7. June 1985.

[2] Glenn Zorpette. Waiting for the Rapture. The Sin-gularity – Special Report. IEEE Spectrum Volume 45, Number 6. June 2008.

[3] Algirdas Avizienis, Jean-Claude Laprie, Brian Randell, Carl Landwehr. Basic concepts and taxonomy of de-pendable and secure computing. IEEE Transactions on Dependable and Secure Computing. Volume 1, Issue 1. Jan 2004.

[4] Kalyanaraman Vaidyanathan, Kishor S. Trivedi. Exten-ded Classification of Software Faults Based on Aging. Fast Abstract at the 12th International symposium on soft-ware reliability. ISSRE 2001.

[5] John C. Knight, Nancy G. Leveson. A reply to the criticisms of the Knight & Leveson experiment. ACM SIGSOFT Software Engineering Notes. Volume 15, Issue 1. pp.24-35. January 1990.

Figure 3 – Operating system runtime diversity