https://homeostasis.scs.carleton.ca/wiki/api.php?action=feedcontributions&feedformat=atom&user=AtubmanSoma-notes - User contributions [en]2026-04-22T14:07:15ZUser contributionsMediaWiki 1.42.1https://homeostasis.scs.carleton.ca/wiki/index.php?title=Talk:COMP_3000_Essay_2_2010_Question_2&diff=6533Talk:COMP 3000 Essay 2 2010 Question 22010-12-02T22:12:18Z<p>Atubman: spelling</p>
<hr />
<div>=Comments & Discussion=<br />
<br />
I'm adding bits and pieces here and there in most of the sections including references. <br />
<br />
--[[User:Ymoussou|Youcef M.]] 22:01, 2 December 2010 (UTC)<br />
<br />
<br />
--Writing up a critique of the researches evaluation methods for the critique section now<br />
<br />
[[User:Atubman|Atubman]] 21:25, 2 December 2010 (UTC)<br />
<br />
<br />
I've added to the Contribution part of the essay. I've basically explained as much as I thought was pertinent in what the section was asking for but don't be shy to add more!<br />
<br />
--[[User:Selliot3|Selliot3]] 14:11, 2 December 2010 (UTC)<br />
<br />
<br />
IBOS is designed to talk directly to the hardware. That's why they have everything at the lower level. All that extra TCB in other browsers was for all the extra stuff like services, OS components blah blah. I get their drift and how less code is secure but I don't get how they did it! From where do they get the services they claim to have taken out but still operates the same as any other browser. There is a catch somewhere but I can't find it in the paper or maybe I'm blind. I've been reading a lot of text but I got nowhere, its either too complex or not close to what I'm looking for. <br />
<br />
--[[User:Ymoussou|Youcef M.]] 04:19, 2 December 2010 (UTC)<br />
<br />
<br />
Brief description of the research problem below. (Still Needs expanding/fleshing out. can anyone help expand on why exactly shrinking the TCB will be more secure. I'm fuzzy on that)<br />
<br />
The IBOS attempts to improve the security of web browsers. The writers argue that the large size of the trusted code bases (TCB) which modern web browsers make use of increases the possibility of a security hole. For example a hijacked window manager could be used to draw a fake phishing website overtop a web browser. The researchers solution is drastically shrinking the size of the TCB. The TCB is shrunk by turning the web browser into an operating system in itself with direct access to hardware abstractions. <br />
<br />
Meanwhile, the IBOS must still support existing web applications while maintaining security.<br />
<br />
[[User:Atubman|Atubman]] 03:36, 2 December 2010 (UTC)<br />
<br />
This is what I understand of the TCB. Basically it is all of the components that are essential to the security of the computer system. Pretty much the stuff inside the kernel that if is compromised is "bad news bears". By removing things like device drivers, you reduce the TCB quite considerably (like probably 10s of thousands of lines of code). The smaller the TCB, the less of a chance that you have of an essential component getting corrupted. I don't know if I'm explaining it right, but maybe someone else can expand on what I've written here.<br />
--[[User:Gsmith6|Gsmith6]] 16:13, 2 December 2010 (UTC)<br />
<br />
<br />
EDIT: I've pretty much explained the background concept behind IBOS and I kind of added the way it's executed near the end. Feel free to move that into the research section.<br />
<br />
I can work on the background of IBOS<br />
<br />
--[[User:Selliot3|Selliot3]] 23:03, 22 November 2010 (UTC)<br />
<br />
<br />
It seems we only have 5/7 members. We should start splitting up the tasks and assign who gets what. So if everybody writes what section they would like to work on that would be great.<br />
<br />
--[[User:Ymoussou|Youcef M.]] 15:19, 20 November 2010 (UTC)<br />
<br />
<br />
I'll do the contribution section. I'll be reading through the paper thoroughly today and taking notes as I go. I'll post them later on this page as a sort of cheat-sheet/reminder. --[[User:Gsmith6|Gsmith6]] 17:45, 25 November 2010 (UTC)<br />
<br />
=Group Members=<br />
<br />
Leave your name and e-mail address if you are assigned to this question.<br />
<br />
<br />
[[User:Ymoussou|Youcef M.]] moussoud@gmail.com<br />
<br />
<br />
I am alive and still in the class, selliot3@connect.carleton.ca<br />
<br />
--[[User:Selliot3|Selliot3]] 18:12, 15 November 2010 (UTC)<br />
<br />
Still in the class, andrewtubman84@gmail.com<br />
<br />
[[User:Atubman|Atubman]]<br />
<br />
I'm here. I have received an email reply from John Vanden Heuvel as well (he may not see this) gsmith0413@gmail.com<br />
--[[User:Gsmith6|Gsmith6]] 22:31, 15 November 2010 (UTC)<br />
<br />
[[User:vviveka2|vG]]<br />
<br />
I am here... and replied to the email<br />
<br />
=Question 2 members=<br />
<br />
Elliott Charles selliot3<br />
<br />
Moussoud Youcef ymoussou<br />
<br />
Pharand Alexandre apharan2<br />
<br />
Smith Geoffrey gsmith6<br />
<br />
Tubman Andrew atubman<br />
<br />
Vanden Heuvel John jvheuvel<br />
<br />
Vivekanandarajah Vijitharan vviveka2<br />
<br />
=Raw Information=<br />
<br />
The web itself is ubiquitous which a person can use for communication; banking, business, social networking and it can be useful for other purposes. There are different type of vulnerabilities web applications, browser, OS and library vulnerabilities. Insecure web browsers are monolithic, and they are easy to exploit. Secure web browser such as chrome isolate web applications and it still contain huge trusted computing base (TCB). Browser abstractions as the first-class OS, contains reduced TCB for web browser and it also have protection to withstand attacks to most components. [[User:vviveka2|vG]]<br />
<br />
<br />
=Extra Resources=<br />
http://www.cs.uiuc.edu/homes/stang6/ibos.html#slide1<br />
I found some presentation slides by Shuo Tang, Haohui Mai and Sam King, the authors and developers of IBOS<br />
--[[User:Gsmith6|Gsmith6]] 22:35, 25 November 2010 (UTC)</div>Atubmanhttps://homeostasis.scs.carleton.ca/wiki/index.php?title=COMP_3000_Essay_2_2010_Question_2&diff=6524COMP 3000 Essay 2 2010 Question 22010-12-02T21:45:56Z<p>Atubman: </p>
<hr />
<div>==Paper==<br />
'''Trust and Protection in the Illinois Browser Operating System'''<br />
<br />
http://www.usenix.org/events/osdi10/tech/full_papers/Tang.pdf<br />
<br />
<br />
Shuo Tang, Haohui Mai, Samuel T. King<br />
<br />
''University of Illinois at Urbana-Champaig''<br />
<br />
Presentation slides to go along with the paper: Trust and Protection in the Illinois Browser Operating System. http://www.cs.uiuc.edu/homes/stang6/ibos.html#slide1<br />
<br />
==Background Concepts==<br />
The Illinois Browser Operating System (IBOS) is not just a new browser to improve security, it is also a full operating system. It was developed by three graduate students at the University of Illinois. It’s main goal is to expose browser-level abstractions at the lowest possible software layer, reducing the trusted computing base for web browsers. Many websites and web applications have become major targets for attackers and hackers. These attackers are always finding new ways of exploiting even the most secure systems. Just recently, cross-site scripting (XSS) has become the most common security vulnerability over the age old buffer overflow.<br />
<br />
<br />
Plenty of research has gone in to improving security among the various web browsers on the market today but all browsers still remain susceptible to attacks on the lower layers. Compromised Ethernet drivers can send sensitive HTTP packets to third parties, compromised storage modules can send persistent data to unwanted viewers and compromised window managers can overlay fake interfaces common in phishing attacks. Common web browsers run on top of commodity operating systems with shared system services and user-mode libraries, increasing the trusted computing base(TCB). IBOS looks to solve this issue by exposing browser-level abstractions rather than just general-purpose abstractions. Important concepts such as cookies, HTTP connections and tabs for displaying pages are all brought into the browser abstraction layer. By using all of these methods, the IBOS system ultimately aims to reduce the computer's TCB. <br />
<br />
===TCB===<br />
The TCB is the hardware and software that is critical to the computer's security. Modern operating system-browser combinations have massive TCBs that may have several millions of lines of code. By extracting components such as device drivers from the kernel, one can lower a systems TCB considerably. If a device driver is outside of the TCB and becomes corrupted, the effects would not be too severe, but if the driver is left in the TCB, then the results could be cataclysmic. By removing elements from the TCB, you make it smaller, thereby reducing the risk of having an attack get inside.<br />
<br />
==Research Problem==<br />
Modern browsers, such as Google Chrome and Mozilla Firefox, are continuously being revised and updated to keep ahead of the latest attacks, but continuously have hundreds of security vulnerabilities. Most of these attacks are simple, slightly harmful assaults on web applications, but many attacks are on the browser or even the operating system and its libraries. Since the browser runs lower on the shared storage stack, a successful attack on a browser can have horrible repercussions because it gives access to all of the browser data for all of the web application. It also provides the attacker with access to other resources on the system which is being exploited. An attack on the operating system can be disastrous if it is successful and may cause serious damage to the entire system because the attackers can access arbitrary states and events, allowing them to have full control over the system. The focus of this research is to prevent and decrease the attacks on the browser, libraries, operating systems and system services.<br />
<br />
==Contribution==<br />
<br />
===Architecture and Design=== <br />
The authors have developed IBOS to reduce security risks, without compromising speed and efficiency. One of the ways they have achieved this is through the use of process creation. Essentially there are two types of processes. A web page instance and a traditional process. Any time the user opens a new tab, clicks on a link, or enters a web address in the uniform resource locator(URL) bar, the IBOS kernel creates a new process. Upon creating a web page instance process, the kernel labels it with the originating address of the HTTP request. If a web site such as ''facebook.com'' decides to host an outside script, also known as an iframe, from another website, the kernel creates a new process for the embedded script and labels it appropriately. Traditional processes are every other process that is created for the local machine. These processes are simply labeled as ''localhost''. <br />
<br />
By creating unique labels for each web page instance, the kernel can isolate them from one another. This prevents a compromised component from taking control of other processes. Also by labeling where requests come from, the IBOS kernel can ensure that the data it is receiving is in fact from the expected origin.<br />
<br />
IBOS has considerably smaller TCB compared to other modern browsers. Where both Chrome and Firefox come in at over 4 million plus lines of code in their trusted computing base, IBOS has only about 42,000. Since IBOS isolates each process, it was also able to prevent between 75-100% of vulnerabilities from affected components on a machine. Using Chrome, the researchers tested 175 known issues on the IBOS kernel which ranged from memory exploits to interface spoofing. Out of all the known issues, IBOS was able to prevent 135 or 77% of the issues whereas Chrome was only able to contain 83 of them. The issue is that Chrome is able to catch exploits in its rendering engine since it is in a sandbox but any exploits that took advantage of the browser kernel could not be prevented. This is not a problem for IBOS because many of the browser components inside the trusted computing base in Chrome have been brought outside of the IBOS TCB limiting what can be done with exploitation.<br />
<br />
===Performance===<br />
In terms of performance, IBOS is comparable to the two best performing web browsers currently released: Firefox and Chrome. For websites such as Google Maps and Facebook, IBOS actually performs much better than Firefox while loading pages. This may be due partly to the fact that IBOS was developed with the WebKit engine, which has been optimized to run Google Maps. For Facebook and Wikipedia, sites that use many HTTP requests, IBOS performs slightly slower than the other two browsers, but for the others, where there are only a few HTTP requests, IBOS runs just as quickly as the others.<br />
<br />
==Critique==<br />
<br />
===Structure===<br />
This paper was very well organized and executed. It naturally flows and keeps order in what it is trying to explain without the need to flip back and reference another piece of content in the paper. Starting with the core mechanics of why it is needed to how the kernel is organized and working its way up to many high-level pieces of information it felt like a natural progression of ideas, giving you the information you need to understand upcoming concepts.<br />
<br />
===Evaluation===<br />
The evaluation of the IBOS security has some flaws,it is not very thorough and the data set the testing against is potentially confounding. <br />
<br />
The IBOS has shown through internal testing that it is able to resist 77% of attacks from a set of 175 security bugs whereas Chrome is only able prevent 46%. The improvement sounds impressive however, the set of security bugs they tested against was obtained from Google “Chrome’s bug tracker”. The fact they are comparing known security flaws in Chrome against the new IBOS makes their improvement of 31% far less impressive. <br />
<br />
In addition, Their initial test set contained 217 bugs with duplicates removed, and 42 bugs were omitted because they were denial of service attacks and the IBOS does not protect against that form of attack. It is understandable this is out of the scope of this research. However, that is a big set of flaws which are not addressed.<br />
<br />
Furthermore, the researches only compared their results against the Chrome web browser. A comparison which also includes other browsers such as Mozilla Firefox, Internet Explorer and Safari would be much more compelling. <br />
<br />
<br />
==References==<br />
You will almost certainly have to refer to other resources; please cite these resources in the style of citation of the papers assigned (inlined numbered references). Place your bibliographic entries in this section.</div>Atubmanhttps://homeostasis.scs.carleton.ca/wiki/index.php?title=Talk:COMP_3000_Essay_2_2010_Question_2&diff=6516Talk:COMP 3000 Essay 2 2010 Question 22010-12-02T21:25:43Z<p>Atubman: /* Comments & Discussion */</p>
<hr />
<div>=Comments & Discussion=<br />
<br />
--Writing up a critic of the researches evalution methods for the critic section now<br />
<br />
[[User:Atubman|Atubman]] 21:25, 2 December 2010 (UTC)<br />
<br />
<br />
I've added to the Contribution part of the essay. I've basically explained as much as I thought was pertinent in what the section was asking for but don't be shy to add more!<br />
<br />
--[[User:Selliot3|Selliot3]] 14:11, 2 December 2010 (UTC)<br />
<br />
<br />
IBOS is designed to talk directly to the hardware. That's why they have everything at the lower level. All that extra TCB in other browsers was for all the extra stuff like services, OS components blah blah. I get their drift and how less code is secure but I don't get how they did it! From where do they get the services they claim to have taken out but still operates the same as any other browser. There is a catch somewhere but I can't find it in the paper or maybe I'm blind. I've been reading a lot of text but I got nowhere, its either too complex or not close to what I'm looking for. <br />
<br />
--[[User:Ymoussou|Youcef M.]] 04:19, 2 December 2010 (UTC)<br />
<br />
<br />
Brief description of the research problem below. (Still Needs expanding/fleshing out. can anyone help expand on why exactly shrinking the TCB will be more secure. I'm fuzzy on that)<br />
<br />
The IBOS attempts to improve the security of web browsers. The writers argue that the large size of the trusted code bases (TCB) which modern web browsers make use of increases the possibility of a security hole. For example a hijacked window manager could be used to draw a fake phishing website overtop a web browser. The researchers solution is drastically shrinking the size of the TCB. The TCB is shrunk by turning the web browser into an operating system in itself with direct access to hardware abstractions. <br />
<br />
Meanwhile, the IBOS must still support existing web applications while maintaining security.<br />
<br />
[[User:Atubman|Atubman]] 03:36, 2 December 2010 (UTC)<br />
<br />
This is what I understand of the TCB. Basically it is all of the components that are essential to the security of the computer system. Pretty much the stuff inside the kernel that if is compromised is "bad news bears". By removing things like device drivers, you reduce the TCB quite considerably (like probably 10s of thousands of lines of code). The smaller the TCB, the less of a chance that you have of an essential component getting corrupted. I don't know if I'm explaining it right, but maybe someone else can expand on what I've written here.<br />
--[[User:Gsmith6|Gsmith6]] 16:13, 2 December 2010 (UTC)<br />
<br />
<br />
EDIT: I've pretty much explained the background concept behind IBOS and I kind of added the way it's executed near the end. Feel free to move that into the research section.<br />
<br />
I can work on the background of IBOS<br />
<br />
--[[User:Selliot3|Selliot3]] 23:03, 22 November 2010 (UTC)<br />
<br />
<br />
It seems we only have 5/7 members. We should start splitting up the tasks and assign who gets what. So if everybody writes what section they would like to work on that would be great.<br />
<br />
--[[User:Ymoussou|Youcef M.]] 15:19, 20 November 2010 (UTC)<br />
<br />
<br />
I'll do the contribution section. I'll be reading through the paper thoroughly today and taking notes as I go. I'll post them later on this page as a sort of cheat-sheet/reminder. --[[User:Gsmith6|Gsmith6]] 17:45, 25 November 2010 (UTC)<br />
<br />
=Group Members=<br />
<br />
Leave your name and e-mail address if you are assigned to this question.<br />
<br />
<br />
[[User:Ymoussou|Youcef M.]] moussoud@gmail.com<br />
<br />
<br />
I am alive and still in the class, selliot3@connect.carleton.ca<br />
<br />
--[[User:Selliot3|Selliot3]] 18:12, 15 November 2010 (UTC)<br />
<br />
Still in the class, andrewtubman84@gmail.com<br />
<br />
[[User:Atubman|Atubman]]<br />
<br />
I'm here. I have received an email reply from John Vanden Heuvel as well (he may not see this) gsmith0413@gmail.com<br />
--[[User:Gsmith6|Gsmith6]] 22:31, 15 November 2010 (UTC)<br />
<br />
[[User:vviveka2|vG]]<br />
<br />
I am here... and replied to the email<br />
<br />
=Question 2 members=<br />
<br />
Elliott Charles selliot3<br />
<br />
Moussoud Youcef ymoussou<br />
<br />
Pharand Alexandre apharan2<br />
<br />
Smith Geoffrey gsmith6<br />
<br />
Tubman Andrew atubman<br />
<br />
Vanden Heuvel John jvheuvel<br />
<br />
Vivekanandarajah Vijitharan vviveka2<br />
<br />
=Raw Information=<br />
<br />
The web itself is ubiquitous which a person can use for communication; banking, business, social networking and it can be useful for other purposes. There are different type of vulnerabilities web applications, browser, OS and library vulnerabilities. Insecure web browsers are monolithic, and they are easy to exploit. Secure web browser such as chrome isolate web applications and it still contain huge trusted computing base (TCB). Browser abstractions as the first-class OS, contains reduced TCB for web browser and it also have protection to withstand attacks to most components. [[User:vviveka2|vG]]<br />
<br />
<br />
=Extra Resources=<br />
http://www.cs.uiuc.edu/homes/stang6/ibos.html#slide1<br />
I found some presentation slides by Shuo Tang, Haohui Mai and Sam King, the authors and developers of IBOS<br />
--[[User:Gsmith6|Gsmith6]] 22:35, 25 November 2010 (UTC)</div>Atubmanhttps://homeostasis.scs.carleton.ca/wiki/index.php?title=COMP_3000_Essay_2_2010_Question_2&diff=6504COMP 3000 Essay 2 2010 Question 22010-12-02T20:46:54Z<p>Atubman: adding headings to break up chunks of text</p>
<hr />
<div>==Paper==<br />
'''Trust and Protection in the Illinois Browser Operating System'''<br />
<br />
http://www.usenix.org/events/osdi10/tech/full_papers/Tang.pdf<br />
<br />
<br />
Shuo Tang, Haohui Mai, Samuel T. King<br />
<br />
''University of Illinois at Urbana-Champaig''<br />
<br />
Presentation slides to go along with the paper: Trust and Protection in the Illinois Browser Operating System. http://www.cs.uiuc.edu/homes/stang6/ibos.html#slide1<br />
<br />
==Research Problem==<br />
Modern browsers, such as Google Chrome and Mozilla Firefox, are continuously being revised and updated to keep ahead of the latest attacks, but continuously have hundreds of security vulnerabilities. Most of these attacks are simple, slightly harmful assaults on web applications, but many attacks are on the browser or even the operating system and its libraries. Since the browser runs lower on the shared storage stack, a successful attack on a browser can have horrible repercussions because it gives access to all of the browser data for all of the web application. It also provides the attacker with access to other resources on the system which is being exploited. An attack on the operating system can be disastrous if it is successful and may cause serious damage to the entire system because the attackers can access arbitrary states and events, allowing them to have full control over the system. The focus of this research is to prevent and decrease the attacks on the browser, libraries, operating systems and system services. <br />
<br />
==Background Concepts==<br />
The Illinois Browser Operating System (IBOS) is not just a new browser to improve security, it is also a full operating system. It was developed by three graduate students at the University of Illinois. It’s main goal is to expose browser-level abstractions at the lowest possible software layer, reducing the trusted computing base for web browsers. Many websites and web applications have become major targets for attackers and hackers. These attackers are always finding new ways of exploiting even the most secure systems. Just recently, cross-site scripting (XSS) has become the most common security vulnerability over the age old buffer overflow.<br />
<br />
<br />
Plenty of research has gone in to improving security among the various web browsers on the market today but all browsers still remain susceptible to attacks on the lower layers. Compromised Ethernet drivers can send sensitive HTTP packets to third parties, compromised storage modules can send persistent data to unwanted viewers and compromised window managers can overlay fake interfaces common in phishing attacks. Common web browsers run on top of commodity operating systems with shared system services and user-mode libraries, increasing the trusted computing base(TCB). IBOS looks to solve this issue by exposing browser-level abstractions rather than just general-purpose abstractions. Important concepts such as cookies, HTTP connections and tabs for displaying pages are all brought into the browser abstraction layer. By using all of these methods, the IBOS system ultimately aims to reduce the computer's TCB. <br />
<br />
===TCB===<br />
The TCB is the hardware and software that is critical to the computer's security. Modern operating system-browser combinations have massive TCBs that may have several millions of lines of code. By extracting components such as device drivers from the kernel, one can lower a systems TCB considerably. If a device driver is outside of the TCB and becomes corrupted, the effects would not be too severe, but if the driver is left in the TCB, then the results could be cataclysmic. By removing elements from the TCB, you make it smaller, thereby reducing the risk of having an attack get inside.<br />
<br />
==Contribution==<br />
<br />
===Architecture and Design=== <br />
The authors have developed IBOS to reduce security risks, without compromising speed and efficiency. One of the ways they have achieved this is through the use of process creation. Essentially there are two types of processes. A web page instance and a traditional process. Any time the user opens a new tab, clicks on a link, or enters a web address in the uniform resource locator(URL) bar, the IBOS kernel creates a new process. Upon creating a web page instance process, the kernel labels it with the originating address of the HTTP request. If a web site such as ''facebook.com'' decides to host an outside script, also known as an iframe, from another website, the kernel creates a new process for the embedded script and labels it appropriately. Traditional processes are every other process that is created for the local machine. These processes are simply labeled as ''localhost''. <br />
<br />
By creating unique labels for each web page instance, the kernel can isolate them from one another. This prevents a compromised component from taking control of other processes. Also by labeling where requests come from, the IBOS kernel can ensure that the data it is receiving is in fact from the expected origin.<br />
<br />
IBOS has considerably smaller TCB compared to other modern browsers. Where both Chrome and Firefox come in at over 4 million plus lines of code in their trusted computing base, IBOS has only about 42,000. Since IBOS isolates each process, it was also able to prevent between 75-100% of vulnerabilities from affected components on a machine. Using Chrome, the researchers tested 175 known issues on the IBOS kernel which ranged from memory exploits to interface spoofing. Out of all the known issues, IBOS was able to prevent 135 or 77% of the issues whereas Chrome was only able to contain 83 of them. The issue is that Chrome is able to catch exploits in its rendering engine since it is in a sandbox but any exploits that took advantage of the browser kernel could not be prevented. This is not a problem for IBOS because many of the browser components inside the trusted computing base in Chrome have been brought outside of the IBOS TCB limiting what can be done with exploitation.<br />
<br />
===Performance===<br />
In terms of performance, IBOS is comparable to the two best performing web browsers currently released: Firefox and Chrome. For websites such as Google Maps and Facebook, IBOS actually performs much better than Firefox while loading pages. This may be due partly to the fact that IBOS was developed with the WebKit engine, which has been optimized to run Google Maps. For Facebook and Wikipedia, sites that use many HTTP requests, IBOS performs slightly slower than the other two browsers, but for the others, where there are only a few HTTP requests, IBOS runs just as quickly as the others.<br />
<br />
==Critique==<br />
<br />
===Structure===<br />
This paper was very well organized and executed. It naturally flows and keeps order in what it is trying to explain without the need to flip back and reference another piece of content in the paper. Starting with the core mechanics of why it is needed to how the kernel is organized and working its way up to many high-level pieces of information it felt like a natural progression of ideas, giving you the information you need to understand upcoming concepts.<br />
<br />
===Content===<br />
<br />
==References==<br />
You will almost certainly have to refer to other resources; please cite these resources in the style of citation of the papers assigned (inlined numbered references). Place your bibliographic entries in this section.</div>Atubmanhttps://homeostasis.scs.carleton.ca/wiki/index.php?title=COMP_3000_Essay_2_2010_Question_2&diff=6497COMP 3000 Essay 2 2010 Question 22010-12-02T20:11:39Z<p>Atubman: </p>
<hr />
<div>==Paper==<br />
'''Trust and Protection in the Illinois Browser Operating System'''<br />
<br />
http://www.usenix.org/events/osdi10/tech/full_papers/Tang.pdf<br />
<br />
<br />
Shuo Tang, Haohui Mai, Samuel T. King<br />
<br />
''University of Illinois at Urbana-Champaig''<br />
<br />
Presentation slides to go along with the paper: Trust and Protection in the Illinois Browser Operating System. http://www.cs.uiuc.edu/homes/stang6/ibos.html#slide1<br />
<br />
==Research Problem==<br />
Modern browsers, such as Google Chrome and Mozilla Firefox, are continuously being revised and updated to keep ahead of the latest attacks, but continuously have hundreds of security vulnerabilities. Most of these attacks are simple, slightly harmful assaults on web applications, but many attacks are on the browser or even the operating system and its libraries. Since the browser runs lower on the shared storage stack, a successful attack on a browser can have horrible repercussions because it gives access to all of the browser data for all of the web application. It also provides the attacker with access to other resources on the system which is being exploited. An attack on the operating system can be disastrous if it is successful and may cause serious damage to the entire system because the attackers can access arbitrary states and events, allowing them to have full control over the system. The focus of this research is to prevent and decrease the attacks on the browser, libraries, operating systems and system services. <br />
<br />
==Background Concepts==<br />
The Illinois Browser Operating System (IBOS) is not just a new browser to improve security, it is also a full operating system. It was developed by three graduate students at the University of Illinois. It’s main goal is to expose browser-level abstractions at the lowest possible software layer, reducing the trusted computing base for web browsers. Many websites and web applications have become major targets for attackers and hackers. These attackers are always finding new ways of exploiting even the most secure systems. Just recently, cross-site scripting (XSS) has become the most common security vulnerability over the age old buffer overflow.<br />
<br />
<br />
Plenty of research has gone in to improving security among the various web browsers on the market today but all browsers still remain susceptible to attacks on the lower layers. Compromised Ethernet drivers can send sensitive HTTP packets to third parties, compromised storage modules can send persistent data to unwanted viewers and compromised window managers can overlay fake interfaces common in phishing attacks. Common web browsers run on top of commodity operating systems with shared system services and user-mode libraries, increasing the trusted computing base(TCB). IBOS looks to solve this issue by exposing browser-level abstractions rather than just general-purpose abstractions. Important concepts such as cookies, HTTP connections and tabs for displaying pages are all brought into the browser abstraction layer. By using all of these methods, the IBOS system ultimately aims to reduce the computer's TCB. <br />
<br />
===TCB===<br />
The TCB is the hardware and software that is critical to the computer's security. Modern operating system-browser combinations have massive TCBs that may have several millions of lines of code. By extracting components such as device drivers from the kernel, one can lower a systems TCB considerably. If a device driver is outside of the TCB and becomes corrupted, the effects would not be too severe, but if the driver is left in the TCB, then the results could be cataclysmic. By removing elements from the TCB, you make it smaller, thereby reducing the risk of having an attack get inside.<br />
<br />
==Contribution==<br />
<br />
The authors have developed IBOS to reduce security risks, without compromising speed and efficiency. One of the ways they have achieved this is through the use of process creation. Essentially there are two types of processes. A web page instance and a traditional process. Any time the user opens a new tab, clicks on a link, or enters a web address in the uniform resource locator(URL) bar, the IBOS kernel creates a new process. Upon creating a web page instance process, the kernel labels it with the originating address of the HTTP request. If a web site such as ''facebook.com'' decides to host an outside script, also known as an iframe, from another website, the kernel creates a new process for the embedded script and labels it appropriately. Traditional processes are every other process that is created for the local machine. These processes are simply labeled as ''localhost''. <br />
<br />
By creating unique labels for each web page instance, the kernel can isolate them from one another. This prevents a compromised component from taking control of other processes. Also by labeling where requests come from, the IBOS kernel can ensure that the data it is receiving is in fact from the expected origin.<br />
<br />
<br />
IBOS has considerably smaller TCB compared to other modern browsers. Where both Chrome and Firefox come in at over 4 million plus lines of code in their trusted computing base, IBOS has only about 42,000. Since IBOS isolates each process, it was also able to prevent between 75-100% of vulnerabilities from affected components on a machine. Using Chrome, the researchers tested 175 known issues on the IBOS kernel which ranged from memory exploits to interface spoofing. Out of all the known issues, IBOS was able to prevent 135 or 77% of the issues whereas Chrome was only able to contain 83 of them. The issue is that Chrome is able to catch exploits in its rendering engine since it is in a sandbox but any exploits that took advantage of the browser kernel could not be prevented. This is not a problem for IBOS because many of the browser components inside the trusted computing base in Chrome have been brought outside of the IBOS TCB limiting what can be done with exploitation.<br />
<br />
<br />
In terms of performance, IBOS is comparable to the two best performing web browsers currently released: Firefox and Chrome. For websites such as Google Maps and Facebook, IBOS actually performs much better than Firefox while loading pages. This may be due partly to the fact that IBOS was developed with the WebKit engine, which has been optimized to run Google Maps. For Facebook and Wikipedia, sites that use many HTTP requests, IBOS performs slightly slower than the other two browsers, but for the others, where there are only a few HTTP requests, IBOS runs just as quickly as the others.<br />
<br />
==Critique==<br />
<br />
===Structure===<br />
This paper was very well organized and executed. It naturally flows and keeps order in what it is trying to explain without the need to flip back and reference another piece of content in the paper. Starting with the core mechanics of why it is needed to how the kernel is organized and working its way up to many high-level pieces of information it felt like a natural progression of ideas, giving you the information you need to understand upcoming concepts.<br />
<br />
===Content===<br />
<br />
==References==<br />
You will almost certainly have to refer to other resources; please cite these resources in the style of citation of the papers assigned (inlined numbered references). Place your bibliographic entries in this section.</div>Atubmanhttps://homeostasis.scs.carleton.ca/wiki/index.php?title=COMP_3000_Essay_2_2010_Question_2&diff=6494COMP 3000 Essay 2 2010 Question 22010-12-02T20:10:17Z<p>Atubman: rephrasing</p>
<hr />
<div>==Paper==<br />
'''Trust and Protection in the Illinois Browser Operating System'''<br />
<br />
http://www.usenix.org/events/osdi10/tech/full_papers/Tang.pdf<br />
<br />
<br />
Shuo Tang, Haohui Mai, Samuel T. King<br />
<br />
''University of Illinois at Urbana-Champaig''<br />
<br />
Presentation slides to go along with the paper: Trust and Protection in the Illinois Browser Operating System. http://www.cs.uiuc.edu/homes/stang6/ibos.html#slide1<br />
<br />
==Research Problem==<br />
Modern browsers, such as Google Chrome and Mozilla Firefox, are continuously being revised and updated to keep ahead of the latest attacks, but continuously have hundreds of security vulnerabilities. Most of these attacks are simple, slightly harmful assaults on web applications, but many attacks are on the browser or even the operating system and its libraries. Since the browser runs lower on the shared storage stack, a successful attack on a browser can have horrible repercussions because it gives access to all of the browser data for all of the web application. It also provides the attacker with access to other resources on the system which is being exploited. An attack on the operating system can be disastrous if it is successful and may cause serious damage to the entire system because the attackers can access arbitrary states and events, allowing them to have full control over the system. The focus of this research is to prevent and decrease the attacks on the browser, libraries, operating systems and system services. <br />
<br />
==Background Concepts==<br />
The Illinois Browser Operating System (IBOS) is not just a new browser to improve security, it is also a full operating system. It was developed by three graduate students at the University of Illinois. It’s main goal is to expose browser-level abstractions at the lowest possible software layer, reducing the trusted computing base for web browsers. Many websites and web applications have become major targets for attackers and hackers. These attackers are always finding new ways of exploiting even the most secure systems. Just recently, cross-site scripting (XSS) has become the most common security vulnerability over the age old buffer overflow.<br />
<br />
<br />
Plenty of research has gone in to improving security among the various web browsers on the market today but all browsers still remain susceptible to attacks on the lower layers. Compromised Ethernet drivers can send sensitive HTTP packets to third parties, compromised storage modules can send persistent data to unwanted viewers and compromised window managers can overlay fake interfaces common in phishing attacks. Common web browsers run on top of commodity operating systems with shared system services and user-mode libraries, increasing the trusted computing base(TCB). IBOS looks to solve this issue by exposing browser-level abstractions rather than just general-purpose abstractions. Important concepts such as cookies, HTTP connections and tabs for displaying pages are all brought into the browser abstraction layer. By using all of these methods, the IBOS system ultimately aims to reduce the computer's TCB. <br />
<br />
===TCB===<br />
The TCB is the hardware and software that is critical to the computer's security. Modern operating system-browser combinations have massive TCBs that may have several millions of lines of code. By extracting components such as device drivers from the kernel, one can lower a systems TCB considerably. If a device driver is outside of the TCB and becomes corrupted, the effects would not be too severe, but if the driver is left in the TCB, then the results could be cataclysmic. By removing elements from the TCB, you make it smaller, thereby reducing the risk of having an attack get inside.<br />
<br />
==Contribution==<br />
<br />
The authors have developed IBOS to reduce security risks, without compromising speed and efficiency. One of the ways they have achieved this is through the use of process creation. Essentially there are two types of processes. A web page instance and a traditional process. Any time the user opens a new tab, clicks on a link, or enters a web address in the uniform resource locator(URL) bar, the IBOS kernel creates a new process. Upon creating a web page instance process, the kernel labels it with the originating address of the HTTP request. If a web site such as ''facebook.com'' decides to host an outside script, also known as an iframe, from another website, the kernel creates a new process for the embedded script and labels it appropriately. Traditional processes are every other process that is created for the local machine. These processes are simply labeled as ''localhost''. <br />
<br />
By creating unique labels for each web page instance, the kernel can isolate them from one another. This prevents a compromised component from taking control of other processes. Also by labeling where requests come from, the IBOS kernel can ensure that the data it is receiving is in fact from the expected origin.<br />
<br />
<br />
IBOS has considerably smaller TCB compared to other modern browsers. Where both Chrome and Firefox come in at over 4 million plus lines of code in their trusted computing base, IBOS has only about 42,000. Since IBOS isolates each process, it was also able to prevent between 75-100% of vulnerabilities from affected components on a machine. Using Chrome, the researchers tested 175 known issues on the IBOS kernel which ranged from memory exploits to interface spoofing. Out of all the known issues, IBOS was able to prevent 135 or 77% of the issues whereas Chrome was only able to contain 83 of them. The issue is that Chrome is able to catch exploits in its rendering engine since it is in a sandbox but any exploits that took advantage of the browser kernel could not be prevented. This is not a problem for IBOS because many of the browser components inside the trusted computing base in Chrome have been brought outside of the IBOS TCB limiting what can be done with exploitation.<br />
<br />
<br />
In terms of performance, IBOS is comparable to the two best performing web browsers currently released: Firefox and Chrome. For websites such as Google Maps and Facebook, IBOS actually performs much better than Firefox while loading pages. This may be due partly to the fact that IBOS was developed with the WebKit engine, which has been optimized to run Google Maps. For Facebook and Wikipedia, sites that use many HTTP requests, IBOS performs slightly slower than the other two browsers, but for the others, where there are only a few HTTP requests, IBOS runs just as quickly as the others.<br />
<br />
==Critique==<br />
This paper was very well organized and executed. It naturally flows and keeps order in what it is trying to explain without the need to flip back and reference another piece of content in the paper. Starting with the core mechanics of why it is needed to how the kernel is organized and working its way up to many high-level pieces of information it felt like a natural progression of ideas, giving you the information you need to understand upcoming concepts.<br />
<br />
==References==<br />
You will almost certainly have to refer to other resources; please cite these resources in the style of citation of the papers assigned (inlined numbered references). Place your bibliographic entries in this section.</div>Atubmanhttps://homeostasis.scs.carleton.ca/wiki/index.php?title=Talk:COMP_3000_Essay_2_2010_Question_2&diff=6178Talk:COMP 3000 Essay 2 2010 Question 22010-12-02T04:24:48Z<p>Atubman: </p>
<hr />
<div>=Comments & Discussion=<br />
IBOS is designed to talk directly to the hardware. That's why they have everything at the lower level. All that extra TCB in other browsers was for all the extra stuff like services, OS components blah blah. I get their drift and how less code is secure but I don't get how they did it! From where do they get the services they claim to have taken out but still operates the same as any other browser. There is a catch somewhere but I can't find it in the paper or maybe I'm blind. I've been reading a lot of text but I got nowhere, its either too complex or not close to what I'm looking for. <br />
<br />
--[[User:Ymoussou|Youcef M.]] 04:19, 2 December 2010 (UTC)<br />
<br />
<br />
Brief description of the research problem below. (Still Needs expanding/fleshing out. can anyone help expand on why exactly shrinking the TCB will be more secure. I'm fuzzy on that)<br />
<br />
The IBOS attempts to improve the security of web browsers. The writers argue that the large size of the trusted code bases (TCB) which modern web browsers make use of increases the possibility of a security hole. For example a hijacked window manager could be used to draw a fake phishing website overtop a web browser. The researchers solution is drastically shrinking the size of the TCB. The TCB is shrunk by turning the web browser into an operating system in itself with direct access to hardware abstractions. <br />
<br />
Meanwhile, the IBOS must still support existing web applications while maintaining security.<br />
<br />
[[User:Atubman|Atubman]] 03:36, 2 December 2010 (UTC)<br />
<br />
<br />
EDIT: I've pretty much explained the background concept behind IBOS and I kind of added the way it's executed near the end. Feel free to move that into the research section.<br />
<br />
I can work on the background of IBOS<br />
<br />
--[[User:Selliot3|Selliot3]] 23:03, 22 November 2010 (UTC)<br />
<br />
<br />
It seems we only have 5/7 members. We should start splitting up the tasks and assign who gets what. So if everybody writes what section they would like to work on that would be great.<br />
<br />
--[[User:Ymoussou|Youcef M.]] 15:19, 20 November 2010 (UTC)<br />
<br />
<br />
I'll do the contribution section. I'll be reading through the paper thoroughly today and taking notes as I go. I'll post them later on this page as a sort of cheat-sheet/reminder. --[[User:Gsmith6|Gsmith6]] 17:45, 25 November 2010 (UTC)<br />
<br />
=Group Members=<br />
<br />
Leave your name and e-mail address if you are assigned to this question.<br />
<br />
<br />
[[User:Ymoussou|Youcef M.]] moussoud@gmail.com<br />
<br />
<br />
I am alive and still in the class, selliot3@connect.carleton.ca<br />
<br />
--[[User:Selliot3|Selliot3]] 18:12, 15 November 2010 (UTC)<br />
<br />
Still in the class, andrewtubman84@gmail.com<br />
<br />
[[User:Atubman|Atubman]]<br />
<br />
I'm here. I have received an email reply from John Vanden Heuvel as well (he may not see this) gsmith0413@gmail.com<br />
--[[User:Gsmith6|Gsmith6]] 22:31, 15 November 2010 (UTC)<br />
<br />
[[User:vviveka2|vG]]<br />
<br />
I am here... and replied to the email<br />
<br />
=Question 2 members=<br />
<br />
Elliott Charles selliot3<br />
<br />
Moussoud Youcef ymoussou<br />
<br />
Pharand Alexandre apharan2<br />
<br />
Smith Geoffrey gsmith6<br />
<br />
Tubman Andrew atubman<br />
<br />
Vanden Heuvel John jvheuvel<br />
<br />
Vivekanandarajah Vijitharan vviveka2<br />
<br />
=Raw Information=<br />
<br />
The web itself is ubiquitous which a person can use for communication; banking, business, social networking and it can be useful for other purposes. There are different type of vulnerabilities web applications, browser, OS and library vulnerabilities. Insecure web browsers are monolithic, and they are easy to exploit. Secure web browser such as chrome isolate web applications and it still contain huge trusted computing base (TCB). Browser abstractions as the first-class OS, contains reduced TCB for web browser and it also have protection to withstand attacks to most components. [[User:vviveka2|vG]]<br />
<br />
<br />
=Extra Resources=<br />
http://www.cs.uiuc.edu/homes/stang6/ibos.html#slide1<br />
I found some presentation slides by Shuo Tang, Haohui Mai and Sam King, the authors and developers of IBOS<br />
--[[User:Gsmith6|Gsmith6]] 22:35, 25 November 2010 (UTC)</div>Atubmanhttps://homeostasis.scs.carleton.ca/wiki/index.php?title=Talk:COMP_3000_Essay_2_2010_Question_2&diff=6144Talk:COMP 3000 Essay 2 2010 Question 22010-12-02T03:36:18Z<p>Atubman: </p>
<hr />
<div>=Comments & Discussion=<br />
Brief description of the research problem below. (Still Needs expanding/fleshing out. can anyone help expand on why exactly shrinking the TCB will be more secure. I'm fuzzy on that)<br />
<br />
The IBOS attempts to improve the security of web browsers. The writers argue that the large size of the trusted code bases (TCB) which modern web browsers make use of increases the possibility of a security hole. For example a hijacked window manager could be used to draw a fake phishing website overtop a web browser. The researchers solution is drastically shrinking the size of the TCB. The TCB is shrunk by turning the web browser into an operating system in itself with direct access to hardware abstractions. <br />
<br />
[[User:Atubman|Atubman]] 03:36, 2 December 2010 (UTC)<br />
<br />
<br />
EDIT: I've pretty much explained the background concept behind IBOS and I kind of added the way it's executed near the end. Feel free to move that into the research section.<br />
<br />
I can work on the background of IBOS<br />
<br />
--[[User:Selliot3|Selliot3]] 23:03, 22 November 2010 (UTC)<br />
<br />
<br />
It seems we only have 5/7 members. We should start splitting up the tasks and assign who gets what. So if everybody writes what section they would like to work on that would be great.<br />
<br />
--[[User:Ymoussou|Youcef M.]] 15:19, 20 November 2010 (UTC)<br />
<br />
<br />
I'll do the contribution section. I'll be reading through the paper thoroughly today and taking notes as I go. I'll post them later on this page as a sort of cheat-sheet/reminder. --[[User:Gsmith6|Gsmith6]] 17:45, 25 November 2010 (UTC)<br />
<br />
=Group Members=<br />
<br />
Leave your name and e-mail address if you are assigned to this question.<br />
<br />
<br />
[[User:Ymoussou|Youcef M.]] moussoud@gmail.com<br />
<br />
<br />
I am alive and still in the class, selliot3@connect.carleton.ca<br />
<br />
--[[User:Selliot3|Selliot3]] 18:12, 15 November 2010 (UTC)<br />
<br />
Still in the class, andrewtubman84@gmail.com<br />
<br />
[[User:Atubman|Atubman]]<br />
<br />
I'm here. I have received an email reply from John Vanden Heuvel as well (he may not see this) gsmith0413@gmail.com<br />
--[[User:Gsmith6|Gsmith6]] 22:31, 15 November 2010 (UTC)<br />
<br />
[[User:vviveka2|vG]]<br />
<br />
I am here... and replied to the email<br />
<br />
=Question 2 members=<br />
<br />
Elliott Charles selliot3<br />
<br />
Moussoud Youcef ymoussou<br />
<br />
Pharand Alexandre apharan2<br />
<br />
Smith Geoffrey gsmith6<br />
<br />
Tubman Andrew atubman<br />
<br />
Vanden Heuvel John jvheuvel<br />
<br />
Vivekanandarajah Vijitharan vviveka2<br />
<br />
=Raw Information=<br />
<br />
The web itself is ubiquitous which a person can use for communication; banking, business, social networking and it can be useful for other purposes. There are different type of vulnerabilities web applications, browser, OS and library vulnerabilities. Insecure web browsers are monolithic, and they are easy to exploit. Secure web browser such as chrome isolate web applications and it still contain huge trusted computing base (TCB). Browser abstractions as the first-class OS, contains reduced TCB for web browser and it also have protection to withstand attacks to most components. [[User:vviveka2|vG]]<br />
<br />
<br />
=Extra Resources=<br />
http://www.cs.uiuc.edu/homes/stang6/ibos.html#slide1<br />
I found some presentation slides by Shuo Tang, Haohui Mai and Sam King, the authors and developers of IBOS<br />
--[[User:Gsmith6|Gsmith6]] 22:35, 25 November 2010 (UTC)</div>Atubmanhttps://homeostasis.scs.carleton.ca/wiki/index.php?title=Talk:COMP_3000_Essay_2_2010_Question_2&diff=6142Talk:COMP 3000 Essay 2 2010 Question 22010-12-02T03:36:01Z<p>Atubman: </p>
<hr />
<div>=Comments & Discussion=<br />
Brief description of the research problem below. (Still Needs expanding/fleshing out. can anyone help expand on why exactly shrinking the TCB will be more secure. I'm fuzzy on that)<br />
<br />
The IBOS attempts to improve the security of web browsers. The writers argue that the large size of the trusted code bases (TCB) which modern web browsers make use of increases the possibility of a security hole. For example a hijacked window manager could be used to draw a fake phishing website overtop a web browser. The researchers solution is drastically shrinking the size of the TCB. The TCB is shrunk by turning the web browser into an operating system in itself with direct access to hardware abstractions. <br />
[[User:Atubman|Atubman]] 03:36, 2 December 2010 (UTC)<br />
<br />
<br />
EDIT: I've pretty much explained the background concept behind IBOS and I kind of added the way it's executed near the end. Feel free to move that into the research section.<br />
<br />
I can work on the background of IBOS<br />
<br />
--[[User:Selliot3|Selliot3]] 23:03, 22 November 2010 (UTC)<br />
<br />
<br />
It seems we only have 5/7 members. We should start splitting up the tasks and assign who gets what. So if everybody writes what section they would like to work on that would be great.<br />
<br />
--[[User:Ymoussou|Youcef M.]] 15:19, 20 November 2010 (UTC)<br />
<br />
<br />
I'll do the contribution section. I'll be reading through the paper thoroughly today and taking notes as I go. I'll post them later on this page as a sort of cheat-sheet/reminder. --[[User:Gsmith6|Gsmith6]] 17:45, 25 November 2010 (UTC)<br />
<br />
=Group Members=<br />
<br />
Leave your name and e-mail address if you are assigned to this question.<br />
<br />
<br />
[[User:Ymoussou|Youcef M.]] moussoud@gmail.com<br />
<br />
<br />
I am alive and still in the class, selliot3@connect.carleton.ca<br />
<br />
--[[User:Selliot3|Selliot3]] 18:12, 15 November 2010 (UTC)<br />
<br />
Still in the class, andrewtubman84@gmail.com<br />
<br />
[[User:Atubman|Atubman]]<br />
<br />
I'm here. I have received an email reply from John Vanden Heuvel as well (he may not see this) gsmith0413@gmail.com<br />
--[[User:Gsmith6|Gsmith6]] 22:31, 15 November 2010 (UTC)<br />
<br />
[[User:vviveka2|vG]]<br />
<br />
I am here... and replied to the email<br />
<br />
=Question 2 members=<br />
<br />
Elliott Charles selliot3<br />
<br />
Moussoud Youcef ymoussou<br />
<br />
Pharand Alexandre apharan2<br />
<br />
Smith Geoffrey gsmith6<br />
<br />
Tubman Andrew atubman<br />
<br />
Vanden Heuvel John jvheuvel<br />
<br />
Vivekanandarajah Vijitharan vviveka2<br />
<br />
=Raw Information=<br />
<br />
The web itself is ubiquitous which a person can use for communication; banking, business, social networking and it can be useful for other purposes. There are different type of vulnerabilities web applications, browser, OS and library vulnerabilities. Insecure web browsers are monolithic, and they are easy to exploit. Secure web browser such as chrome isolate web applications and it still contain huge trusted computing base (TCB). Browser abstractions as the first-class OS, contains reduced TCB for web browser and it also have protection to withstand attacks to most components. [[User:vviveka2|vG]]<br />
<br />
<br />
=Extra Resources=<br />
http://www.cs.uiuc.edu/homes/stang6/ibos.html#slide1<br />
I found some presentation slides by Shuo Tang, Haohui Mai and Sam King, the authors and developers of IBOS<br />
--[[User:Gsmith6|Gsmith6]] 22:35, 25 November 2010 (UTC)</div>Atubmanhttps://homeostasis.scs.carleton.ca/wiki/index.php?title=Talk:COMP_3000_Essay_2_2010_Question_2&diff=4994Talk:COMP 3000 Essay 2 2010 Question 22010-11-15T18:19:50Z<p>Atubman: </p>
<hr />
<div>=Group Members=<br />
<br />
Leave your name and e-mail address if you are assigned to this question.<br />
<br />
[[User:Ymoussou|Youcef M.]] moussoud@gmail.com<br />
<br />
<br />
I am alive and still in the class, selliot3@connect.carleton.ca<br />
<br />
--[[User:Selliot3|Selliot3]] 18:12, 15 November 2010 (UTC)<br />
<br />
Still in the class, andrewtubman84@gmail.com<br />
<br />
[[User:Atubman|Atubman]]<br />
<br />
=Question 2 members=<br />
<br />
Elliott Charles selliot3<br />
<br />
Moussoud Youcef ymoussou<br />
<br />
Pharand Alexandre apharan2<br />
<br />
Smith Geoffrey gsmith6<br />
<br />
Tubman Andrew atubman<br />
<br />
Vanden Heuvel John jvheuvel<br />
<br />
Vivekanandarajah Vijitharan vviveka2</div>Atubmanhttps://homeostasis.scs.carleton.ca/wiki/index.php?title=COMP_3000_Essay_1_2010_Question_6&diff=4086COMP 3000 Essay 1 2010 Question 62010-10-14T21:03:49Z<p>Atubman: </p>
<hr />
<div>=Question=<br />
<br />
What are some examples of notable systems that have failed due to flawed efforts at mutual exclusion and/or race conditions? How significant was the failure in each case?<br />
<br />
=Answer=<br />
<br />
=Introduction=<br />
<br />
Race conditions have their fare share of notoriety in the history of software bugs. This may range from a piece of Java code causing an application to halt, the corruption of web services, or the failure of a life-critical system with fatal consequences. In this article, we will define race conditions, examine some of the most well known cases involving race conditions. We will also take a look at some of the solution schemes and ways the industry have proposed to track and detect race conditions.<br />
<br />
=Overview=<br />
<br />
A race condition occurs when two or more processes receive write access to shared data simultaneously. The end result may be incorrect <br />
depending on the exact timing of those processes. Consequently a major system failure can occur. The main challenge with race condition errors is <br />
that they're usually unpredictable and can be triggered in various ways depending on the processes involved and the surrounding environment, making it a nightmare for<br />
the programmers to debug and track the error.<br />
<br />
=Examples=<br />
== Therac-25 ==<br />
<br />
The Therac-25 was an x-ray machine developed in Canada by Atomic Energy of Canada Limited (AECL). The machine was used to treat people using radiation therapy. Between 1985 and 1987 six patients were given overdoses of radiation by the machine. Half these patients died due to the accident. The incident is quite possibly the most infamous software bug relating to race conditions. The cause of the incidents has been traced back to a programming bug which caused a race-condition.<br />
The Therac-25 software was written by a single programmer in PDP-11 assembly language. Portions of code were reused from software in the previous Therac-6 and Therac-20 machines. <br />
The main portion of the code runs a function called “Treat” this function determins which of the programs 8 main subroutines it should be executing. The Keyboard handler task ran concurrently with “Treat”.<br />
<br />
===Main Subroutines===<br />
<br />
The Therac-25 had 8 main subroutines it made use of. The Datent had its own helper routine called magnet which prepared the x-rays magnets to administer the correct dosage of radiation.<br />
<br />
#Reset<br />
#Datent<br />
##Magnet<br />
#Set Up Done<br />
#Set Up Test<br />
#Patient Treatment<br />
#Pause Treatment<br />
#Terminate Treatment<br />
#Date, Time, ID Changes<br />
<br />
<br />
The Datent subroutine communicated with the keyboard hander task through a shared variable which signaled if the operator was finished entering the necessary data. Once the Datent subroutine sets the flag signifying the operator has entered the necessary information it allows the main program to move onto the next subroutine. If the flag was not set the “Treat” task reschedules itself in turn rescheduling the Datent subroutine. This continues until the shared data entry flag is set.<br />
<br />
<br />
The Datent subroutine was also responsible for preparing the x-ray to administer the correct radiation dosage. The subroutine was setup so that before returning to “Treat” instructions to move on to the next of its 8 subroutines it would first call the “Magnet” subroutine. This subroutine parsed the operators input and moved the x-ray machines magnets into position to administer the prescribed radiation. This magnet subroutine took approximately 8 seconds to complete and while it ran the keyboard handler was also running. If the operator modified the data before the “magnet” subroutine returned their changes would not be register and the x-ray strength would already be set to its prior value ignoring the operator’s changes.<br />
<br />
<br />
<br />
===Example Bug Situation===<br />
<br />
The situation below illustrates a chain of events that would result in an unintended dose of radiation being administered.<br />
<br />
#Operator types up data, presses return<br />
#(Magnet subroutine is initiated)<br />
#Operator realizes there is an extra 0 in the radiation intensity field<br />
#Operator quickly moves cursor up and fixes the error and presses return again.<br />
#Magnets are set to previous power level .subroutine returns <br />
#Program moves on to next subroutine without registering changes<br />
#Patient is administered a lethal overdose of radiation<br />
<br />
<br />
===Root Causes & Outcomes===<br />
<br />
A number of factors contributed to the failure of the Therac-25. The code was put together by a single programmer and no proper testing was conducted. In addition, code was reused from previous generation machines without verifying it was fully compatible with the new hardware. Previous Therac-6 and Therac-20 had hardware interrupts which prevent race conditions from occurring. It is clear that proper planning and forethought could have prevented this incident.<br />
<br />
Six incidents involving the Therac-25 took place over the span 1985 and 1987. It took 2 years until the FDA took the machines out of service. The FDA forced AECL to make modifications to the Therac-25 before it was allowed back on the market. Software bugs were fixed to suspend all other operations while the magnets positioned themselves to administer the correct radiation strength. In addition, a dead mans switch was added the switch was a foot pedal which the operator must hold down to enable motion of the x-ray machine. This prevented the operator of being unaware of changes in the x-ray machines state.<br />
<br />
After these changes were made the Therac-25 was reintroduced into the market in 1988. Some of the machines are still in service today. <br />
<br />
<br />
== Black-out of 2003 ==<br />
<br />
An energy management system failed due to a race condition, ultimately leading to Ontario and parts of the United States experiencing a black-out.<br />
<br />
The incident occured on August 14th, 2003, when a power plant located in Eastlake, Ohio went offline. The system was set up so that if this were to occur, a warning would be sent to FirstEnergy's control center in Akron, Ohio. Upon recieving this warning, power would be re-routed through other plants to isolate the failure.However, no warning was recieved, resulting in a domino effect causing ultimately over 100 power plants to go offline.<br />
<br />
FirstEnergy at the time was using General Eletric's Unix-based XA/21 energy management system. This system was responsible for alerting the operators of the control center whenever there was a problem. Unfortunately, a flaw in the software caused the system to crash.The energy management system crashed silently, so that the operators at the control center had no idea they were not receiving alerts the otherwise would be. Without any warnings, the operators had no idea the power plant went offline, and so took no measures to prevent the cascading effect leading to the black-out.<br />
<br />
===Cause of Race Condition===<br />
<br />
The XA/21 energy management system failed due to three sagging power lines being tripped simultaneously. These three seperate events then attempted to execute on a shared state, causing the main system to fail. A back-up server went online to attempt to handle the requests. By the time it kicked in the accumulation of events since the main system failure caused the back-up to fail as well.<br />
<br />
===Aftermath===<br />
With the system failure that ultimately led to 256 plants going offline, a massive black-out was experienced in North Eastern USA and Ontario. It is estimated that 55 million people were effected by the black-out. Investigations in the aftermath revealed both negligence on FirstEnergy's part and revealed the deeply embedded bug within the XA/21 energy management system. The bug has since been fixed with a patch.<br />
<br />
== The NASA Mars-Rover ==<br />
The NASA Mars-Rover incident is another well known case of system failure due to race conditions. The Mars-Rover is a six wheeled driven, four wheeled steered vehicle designed by NASA to navigate the surface of Mars in order to gather videos, images, samples or and possible data about the planet. NASA landed two Rover vehicles, the Spirit and Opportunity Rovers, on January 4 and January 25, 2004, respectively. The Rover was controlled on a daily basis by the NASA team on earth by sending messages and tasks. Each solar day in the life of the Rover is called a Sol. <br />
<br />
===Hardware design and architecture===<br />
The vehicle's main operating equipment consists of a set of high-resolution cameras, a collection of specialized spectrometers and a set of radio antennas for transmitting and receiving data. The main computer was built around a BAE RAD-6000 CPU (Rad6k), RAM and non-volatile memory (a combination of FLASH and ROM). <br />
<br />
===Software design===<br />
The Rover is controlled by the VxWorks real-time operating system. The Rover flight software was mostly implemented in ANSI C, with some fragements of code written in C++ and assembly. <br />
The rover relied on an autonomous system that enabled it to drive itself and carry out a number of self-maintenance operations. The system implements a time-multiplexing system, where all processes share and access resources on the single CPU. The Rover records progress through the use of three primary log-file systems: event reports (EVRs), engineering data (EH&A) and data products.<br />
<br />
===System failures and vulnerabilities===<br />
The first race-condition bug occured in the Spirit Rover Sol 131. The initilazation module (IM) process was preparing to increment a counter that keeps track of the number of times an initilazation occured, in order to do that, the IM process must request permission and be granted access to write that counter to memory (critical section). While requesting the permission, another process was granted access to use that very same piece of memory (critical section). This resulted in the IM process generating a fatal exception through its EVR log. The exception lead to loss and trouble in transmitting data to the NASA team on earth, which eventually led to<br />
the Rover being in a halt state for a few days. The NASA team attempted to solve the problem by rebooting the Rover and restricting another module from operating during that time-frame. However, the same bug reoccured in the Spirit Rover on Sol 209 and then on the Opportunity Rover on Sol 596 and Sol 622.<br />
<br />
A similar type of error occurred on the Spirit Sol 136, this time the Imaging Services Module (IMG) was involved. Just as the NASA team requested data from the Rover to be transmitted, the IMG was beginning a deactivation state, the IMG reading cycles from memory were suddenly interrupted by the deactivation process which was attempting to power off the piece of memory associated with the IMG reading task. This resulted in a failure to return the requested data from the Rover. <br />
<br />
==Windows Blue-Screens-Of-Death==<br />
<br />
When a problem in Windows forces the operation systems to fail, the computer often displays an error screen, know as Stop message, that describes the cause of the problem, most people called this a Blue Screen of Death (BSOD).<br />
<br />
The error 0X0000001a, MEMORY_MANAGEMENT, occurs because of the race condition of memory management. It is a hardware error related to memory management. It is possible that the computer can not timely get enough power to the memory for the process. <br />
<br />
The BSOD has surfaced on a number of Windows versions including Windows 7. It has also caused system failures in airports, ATM machines and street hoardings. However, the most notable public incident happened on the opening ceremony of the 2008 Beijing Summer Olympics in China, when one of the projectors crashed because of a BSOD bug. <br />
<br />
=Conclusions=<br />
The need to control race conditions and maintain concurrency and safe sharing of resources among <br />
processes brings us to the concept of mutual exclusion (Mutex). Mutual exclusion is the idea of making sure <br />
processes access data in a serialized way. Meaning that, if process A for instance, happens to be executing or <br />
using a particular data structure (called a critical section), then no other process like B would be allowed<br />
to execute or use that very same data structure (critical section) until process A finishes executing or decides<br />
to leave the data structure. Common algorithms and techniques used to establish mutual exclusion include locks, semaphores and monitors.<br />
<br />
A handful of commercial software tools have been developed to address and detect race conditions errors as well. More recently, a US software company that goes by the name of ReplaySolutions has been awarded a patent from the US government for developing an innovative kit for debugging race conditions found in software. <br />
<br />
As the industry strives for faster and more efficient level of performance through the use of multi-processor systems and multi-core chips, this area continues to be a vast field for research and innovation within the computing world. <br />
<br />
<br />
=References=<br />
* Nancy Leveson. July 1993. [http://sunnyday.mit.edu/papers/therac.pdf Medical Devices: The Therac-25] <br />
* Nancy Leveson and Clark Turner. July 1993. [http://www.stanford.edu/class/cs240/readings/therac-25.pdf An Investigation of the Therac-25 Accidents] <br />
* Anne Marie Porrello. July 1993. [http://users.csc.calpoly.edu/~jdalbey/SWE/Papers/THERAC25.html Death and Denial: The Failure of the THERAC-25, A Medical Linear Accelerator] <br />
* Reeves and Snyder. 10 January 2006. [http://ieeexplore.ieee.org/stamp/stamp.jsp?tp=&arnumber=1571113&userType=inst An Overview of the Mars Exploration Rovers' Flight Software]. [http://trs-new.jpl.nasa.gov/dspace/bitstream/2014/37499/1/05-0539.pdf another source]<br />
* Matijevic and E. Dewell. 2006 [http://trs-new.jpl.nasa.gov/dspace/bitstream/2014/39897/1/06-0922.pdf Anomaly Recovery and the Mars Exploration Rovers]<br />
* John Chan. 12 August 2008. Dreaded Blue Screen of Death strikes Olympics [http://news.cnet.com/8301-17938_105-10015872-1.html] <br />
* Dr. Dobb's Journal. 9 June 2010. Patent Awarded for Debugging Race Conditions [http://www.drdobbs.com/tools/225600068]</div>Atubmanhttps://homeostasis.scs.carleton.ca/wiki/index.php?title=COMP_3000_Essay_1_2010_Question_6&diff=4085COMP 3000 Essay 1 2010 Question 62010-10-14T21:01:22Z<p>Atubman: Added Root Causes & Outcomes to the Therac-25 example. More good references added as well</p>
<hr />
<div>=Question=<br />
<br />
What are some examples of notable systems that have failed due to flawed efforts at mutual exclusion and/or race conditions? How significant was the failure in each case?<br />
<br />
=Answer=<br />
<br />
=Introduction=<br />
<br />
Race conditions have their fare share of notoriety in the history of software bugs. This may range from a piece of Java code causing an application to halt, the corruption of web services, or the failure of a life-critical system with fatal consequences. In this article, we will define race conditions, examine some of the most well known cases involving race conditions. We will also take a look at some of the solution schemes and ways the industry have proposed to track and detect race conditions.<br />
<br />
=Overview=<br />
<br />
A race condition occurs when two or more processes receive write access to shared data simultaneously. The end result may be incorrect <br />
depending on the exact timing of those processes. Consequently a major system failure can occur. The main challenge with race condition errors is <br />
that they're usually unpredictable and can be triggered in various ways depending on the processes involved and the surrounding environment, making it a nightmare for<br />
the programmers to debug and track the error.<br />
<br />
=Examples=<br />
== Therac-25 ==<br />
<br />
The Therac-25 was an x-ray machine developed in Canada by Atomic Energy of Canada Limited (AECL). The machine was used to treat people using radiation therapy. Between 1985 and 1987 six patients were given overdoses of radiation by the machine. Half these patients died due to the accident. The incident is quite possibly the most infamous software bug relating to race conditions. The cause of the incidents has been traced back to a programming bug which caused a race-condition.<br />
The Therac-25 software was written by a single programmer in PDP-11 assembly language. Portions of code were reused from software in the previous Therac-6 and Therac-20 machines. <br />
The main portion of the code runs a function called “Treat” this function determins which of the programs 8 main subroutines it should be executing. The Keyboard handler task ran concurrently with “Treat”.<br />
<br />
===Main Subroutines===<br />
<br />
The Therac-25 had 8 main subroutines it made use of. The Datent had its own helper routine called magnet which prepared the x-rays magnets to administer the correct dosage of radiation.<br />
<br />
#Reset<br />
#Datent<br />
##Magnet<br />
#Set Up Done<br />
#Set Up Test<br />
#Patient Treatment<br />
#Pause Treatment<br />
#Terminate Treatment<br />
#Date, Time, ID Changes<br />
<br />
<br />
The Datent subroutine communicated with the keyboard hander task through a shared variable which signaled if the operator was finished entering the necessary data. Once the Datent subroutine sets the flag signifying the operator has entered the necessary information it allows the main program to move onto the next subroutine. If the flag was not set the “Treat” task reschedules itself in turn rescheduling the Datent subroutine. This continues until the shared data entry flag is set.<br />
<br />
<br />
The Datent subroutine was also responsible for preparing the x-ray to administer the correct radiation dosage. The subroutine was setup so that before returning to “Treat” instructions to move on to the next of its 8 subroutines it would first call the “Magnet” subroutine. This subroutine parsed the operators input and moved the x-ray machines magnets into position to administer the prescribed radiation. This magnet subroutine took approximately 8 seconds to complete and while it ran the keyboard handler was also running. If the operator modified the data before the “magnet” subroutine returned their changes would not be register and the x-ray strength would already be set to its prior value ignoring the operator’s changes.<br />
<br />
<br />
<br />
===Example Bug Situation===<br />
<br />
The situation below illustrates a chain of events that would result in an unintended dose of radiation being administered.<br />
<br />
#Operator types up data, presses return<br />
#(Magnet subroutine is initiated)<br />
#Operator realizes there is an extra 0 in the radiation intensity field<br />
#Operator quickly moves cursor up and fixes the error and presses return again.<br />
#Magnets are set to previous power level .subroutine returns <br />
#Program moves on to next subroutine without registering changes<br />
#Patient is administered a lethal overdose of radiation<br />
<br />
<br />
===Root Causes & Outcome===<br />
<br />
A number of factors contributed to the failure of the Therac-25. The code was put together by a single programmer and no proper testing was conducted. In addition, code was reused from previous generation machines without verifying it was fully compatible with the new hardware. Previous Therac-6 and Therac-20 had hardware interrupts which prevent race conditions from occurring. It is clear that proper planning and forethought could have prevented this incident.<br />
<br />
Six incidents involving the Therac-25 took place over the span 1985 and 1987. It took 2 years until the FDA took the machines out of service. The FDA forced AECL to make modifications to the Therac-25 before it was allowed back on the market. Software bugs were fixed to suspend all other operations while the magnets positioned themselves to administer the correct radiation strength. In addition, a dead mans switch was added the switch was a foot pedal which the operator must hold down to enable motion of the x-ray machine. This prevented the operator of being unaware of changes in the x-ray machines state.<br />
<br />
After these changes were made the Therac-25 was reintroduced into the market in 1988. Some of the machines are still in service today. <br />
<br />
<br />
== Black-out of 2003 ==<br />
<br />
An energy management system failed due to a race condition, ultimately leading to Ontario and parts of the United States experiencing a black-out.<br />
<br />
The incident occured on August 14th, 2003, when a power plant located in Eastlake, Ohio went offline. The system was set up so that if this were to occur, a warning would be sent to FirstEnergy's control center in Akron, Ohio. Upon recieving this warning, power would be re-routed through other plants to isolate the failure.However, no warning was recieved, resulting in a domino effect causing ultimately over 100 power plants to go offline.<br />
<br />
FirstEnergy at the time was using General Eletric's Unix-based XA/21 energy management system. This system was responsible for alerting the operators of the control center whenever there was a problem. Unfortunately, a flaw in the software caused the system to crash.The energy management system crashed silently, so that the operators at the control center had no idea they were not receiving alerts the otherwise would be. Without any warnings, the operators had no idea the power plant went offline, and so took no measures to prevent the cascading effect leading to the black-out.<br />
<br />
===Cause of Race Condition===<br />
<br />
The XA/21 energy management system failed due to three sagging power lines being tripped simultaneously. These three seperate events then attempted to execute on a shared state, causing the main system to fail. A back-up server went online to attempt to handle the requests. By the time it kicked in the accumulation of events since the main system failure caused the back-up to fail as well.<br />
<br />
===Aftermath===<br />
With the system failure that ultimately led to 256 plants going offline, a massive black-out was experienced in North Eastern USA and Ontario. It is estimated that 55 million people were effected by the black-out. Investigations in the aftermath revealed both negligence on FirstEnergy's part and revealed the deeply embedded bug within the XA/21 energy management system. The bug has since been fixed with a patch.<br />
<br />
== The NASA Mars-Rover ==<br />
The NASA Mars-Rover incident is another well known case of system failure due to race conditions. The Mars-Rover is a six wheeled driven, four wheeled steered vehicle designed by NASA to navigate the surface of Mars in order to gather videos, images, samples or and possible data about the planet. NASA landed two Rover vehicles, the Spirit and Opportunity Rovers, on January 4 and January 25, 2004, respectively. The Rover was controlled on a daily basis by the NASA team on earth by sending messages and tasks. Each solar day in the life of the Rover is called a Sol. <br />
<br />
===Hardware design and architecture===<br />
The vehicle's main operating equipment consists of a set of high-resolution cameras, a collection of specialized spectrometers and a set of radio antennas for transmitting and receiving data. The main computer was built around a BAE RAD-6000 CPU (Rad6k), RAM and non-volatile memory (a combination of FLASH and ROM). <br />
<br />
===Software design===<br />
The Rover is controlled by the VxWorks real-time operating system. The Rover flight software was mostly implemented in ANSI C, with some fragements of code written in C++ and assembly. <br />
The rover relied on an autonomous system that enabled it to drive itself and carry out a number of self-maintenance operations. The system implements a time-multiplexing system, where all processes share and access resources on the single CPU. The Rover records progress through the use of three primary log-file systems: event reports (EVRs), engineering data (EH&A) and data products.<br />
<br />
===System failures and vulnerabilities===<br />
The first race-condition bug occured in the Spirit Rover Sol 131. The initilazation module (IM) process was preparing to increment a counter that keeps track of the number of times an initilazation occured, in order to do that, the IM process must request permission and be granted access to write that counter to memory (critical section). While requesting the permission, another process was granted access to use that very same piece of memory (critical section). This resulted in the IM process generating a fatal exception through its EVR log. The exception lead to loss and trouble in transmitting data to the NASA team on earth, which eventually led to<br />
the Rover being in a halt state for a few days. The NASA team attempted to solve the problem by rebooting the Rover and restricting another module from operating during that time-frame. However, the same bug reoccured in the Spirit Rover on Sol 209 and then on the Opportunity Rover on Sol 596 and Sol 622.<br />
<br />
A similar type of error occurred on the Spirit Sol 136, this time the Imaging Services Module (IMG) was involved. Just as the NASA team requested data from the Rover to be transmitted, the IMG was beginning a deactivation state, the IMG reading cycles from memory were suddenly interrupted by the deactivation process which was attempting to power off the piece of memory associated with the IMG reading task. This resulted in a failure to return the requested data from the Rover. <br />
<br />
==Windows Blue-Screens-Of-Death==<br />
<br />
When a problem in Windows forces the operation systems to fail, the computer often displays an error screen, know as Stop message, that describes the cause of the problem, most people called this a Blue Screen of Death (BSOD).<br />
<br />
The error 0X0000001a, MEMORY_MANAGEMENT, occurs because of the race condition of memory management. It is a hardware error related to memory management. It is possible that the computer can not timely get enough power to the memory for the process. <br />
<br />
The BSOD has surfaced on a number of Windows versions including Windows 7. It has also caused system failures in airports, ATM machines and street hoardings. However, the most notable public incident happened on the opening ceremony of the 2008 Beijing Summer Olympics in China, when one of the projectors crashed because of a BSOD bug. <br />
<br />
=Conclusions=<br />
The need to control race conditions and maintain concurrency and safe sharing of resources among <br />
processes brings us to the concept of mutual exclusion (Mutex). Mutual exclusion is the idea of making sure <br />
processes access data in a serialized way. Meaning that, if process A for instance, happens to be executing or <br />
using a particular data structure (called a critical section), then no other process like B would be allowed<br />
to execute or use that very same data structure (critical section) until process A finishes executing or decides<br />
to leave the data structure. Common algorithms and techniques used to establish mutual exclusion include locks, semaphores and monitors.<br />
<br />
A handful of commercial software tools have been developed to address and detect race conditions errors as well. More recently, a US software company that goes by the name of ReplaySolutions has been awarded a patent from the US government for developing an innovative kit for debugging race conditions found in software. <br />
<br />
As the industry strives for faster and more efficient level of performance through the use of multi-processor systems and multi-core chips, this area continues to be a vast field for research and innovation within the computing world. <br />
<br />
<br />
=References=<br />
* Nancy Leveson. July 1993. [http://sunnyday.mit.edu/papers/therac.pdf Medical Devices: The Therac-25] <br />
* Nancy Leveson and Clark Turner. July 1993. [http://www.stanford.edu/class/cs240/readings/therac-25.pdf An Investigation of the Therac-25 Accidents] <br />
* Anne Marie Porrello. July 1993. [http://users.csc.calpoly.edu/~jdalbey/SWE/Papers/THERAC25.html Death and Denial: The Failure of the THERAC-25, A Medical Linear Accelerator] <br />
* Reeves and Snyder. 10 January 2006. [http://ieeexplore.ieee.org/stamp/stamp.jsp?tp=&arnumber=1571113&userType=inst An Overview of the Mars Exploration Rovers' Flight Software]. [http://trs-new.jpl.nasa.gov/dspace/bitstream/2014/37499/1/05-0539.pdf another source]<br />
* Matijevic and E. Dewell. 2006 [http://trs-new.jpl.nasa.gov/dspace/bitstream/2014/39897/1/06-0922.pdf Anomaly Recovery and the Mars Exploration Rovers]<br />
* John Chan. 12 August 2008. Dreaded Blue Screen of Death strikes Olympics [http://news.cnet.com/8301-17938_105-10015872-1.html] <br />
* Dr. Dobb's Journal. 9 June 2010. Patent Awarded for Debugging Race Conditions [http://www.drdobbs.com/tools/225600068]</div>Atubmanhttps://homeostasis.scs.carleton.ca/wiki/index.php?title=COMP_3000_Essay_1_2010_Question_6&diff=3578COMP 3000 Essay 1 2010 Question 62010-10-14T03:12:54Z<p>Atubman: Made couple changes to Therac-25 and cleaned lists</p>
<hr />
<div>=Question=<br />
<br />
What are some examples of notable systems that have failed due to flawed efforts at mutual exclusion and/or race conditions? How significant was the failure in each case?<br />
<br />
=Answer=<br />
<br />
=Introduction=<br />
<br />
Race conditions bugs have their fare share of notoriety in the history of software bugs. This may range from a piece of Java code causing the application to halt, to life-critical system failures that lead to fatal results. In this article, we will define race conditions, examine some of the most well known cases involving race conditions and explore some of the solution schemes and ways the industry have proposed to track and detect race conditions.<br />
<br />
=Overview=<br />
<br />
Race conditions is the term used in situations where two or more processes can access the same piece of data simutaneously and <br />
the end result depends on the timing sequence of those processes. This end result can be quite hazardous leading to major system<br />
failures.<br />
<br />
The need to control those race conditions and maintain concurrency and safe sharing of resources among processes brings us to the concept of mutual exclusion (Mutex). Mutual exclusion is the idea of making sure processes access data in a serialized way. Meaning that, if process A for instance, happens to be executing or using a particular data structure (called a critical section), then no other process like B would be allowed to execute or use that very same data structure (critical section) until process A finishes executing or decides to leave the data structure. Common algorithms and techniques used to establish mutual exclusion include locks, semaphores and monitors.<br />
=Examples=<br />
== Therac-25 ==<br />
<br />
The Therac-25 was an x-ray machine developed in Canada by Atomic Energy of Canada Limited (AECL). The machine was used to treat people using radiation therapy. Between 1985 and 1987 six patients were given overdoses of radiation by the machine. Half these patients died due to the accident. The cause of the incidents has been traced back to a programming bug which caused a race-condition.<br />
The Therac-25 software was written by a single programmer in PDP-11 assembly language. Portions of code were reused from software in the previous Therac-6 and Therac-20 machines. <br />
The main portion of the code runs a function called “Treat” this function determins which of the programs 8 main subroutines it should be executing. The Keyboard handler task ran concurrently with “Treat”<br />
<br />
===Main Subroutines===<br />
<br />
The Therac-25 had 8 main subroutines it made use of. The Datent had its own helper routine called magnet which prepared the x-rays magnets to administer the correct dosage of radiation.<br />
<br />
#Reset<br />
#Datent<br />
##Magnet<br />
#Set Up Done<br />
#Set Up Test<br />
#Patient Treatment<br />
#Pause Treatment<br />
#Terminate Treatment<br />
#Date, Time, ID Changes<br />
<br />
<br />
The Datent subroutine communicated with the keyboard hander task through a shared variable which signaled if the operator was finished entering the necessary data. Once the Datent subroutine sets the flag signifying the operator has entered the necessary information it allows the main program to move onto the next subroutine. If the flag was not set the “Treat” task reschedules itself in turn rescheduling the Datent subroutine. This continues until the shared data entry flag is set.<br />
<br />
<br />
The Datent subroutine was also responsible for preparing the x-ray to administer the correct radiation dosage. The subroutine was setup so that before returning to “Treat” instructions to move on to the next of its 8 subroutines it would first call the “Magnet” subroutine. This subroutine parsed the operators input and moved the x-ray machines magnets into position to administer the prescribed radiation. This magnet subroutine took approximately 8 seconds to complete and while it ran the keyboard handler was also running. If the operator modified the data before the “magnet” subroutine returned their changes would not be register and the x-ray strength would already be set to its prior value ignoring the operator’s changes.<br />
<br />
<br />
<br />
===Example Bug Situation===<br />
<br />
The situation below illustrates a chain of events that would result in an unintended dose of radiation being administered.<br />
<br />
#Operator types up data, presses return<br />
#(Magnet subroutine is initiated)<br />
#Operator realizes there is an extra 0 in the radiation intensity field<br />
#Operator quickly moves cursor up and fixes the error and presses return again.<br />
#Magnets are set to previous power level .subroutine returns <br />
#Program moves on to next subroutine without registering changes<br />
#Patient is administered a lethal overdose of radiation<br />
<br />
<br />
== Black-out of 2003 ==<br />
<br />
On August 14th, 2003, a massive power outage spread through the Northeastern and Midwestern United States and Canada. A generating plant in Eastlake, Ohio went offline, causing a domino affect ultimately leading to over 100 power plants shutting down.<br />
<br />
There are several reasons that are attributed to this massive failure. One of the most prominent factors being a software bug in General Electric Energy's Unix-based XA/21 energy management system.<br />
<br />
FirstEnergy's Akron, Ohio control center was responsible for monitoring the Eastlake plant. However, the software flaw caused the control center to be unable to receive any warning or alarm from the plants.<br />
<br />
Because of this, the control center's ability to prevent the cascading effect after the Eastlake plant went offline.<br />
<br />
The XA/21 bug was triggered through a unique combination of events and alarm conditions on the equipment it was monitoring. The main system failed, unable to handle the combination of requests. By the time the back-up server kicked in, the accumulation of events since the main system failure caused it to go down as well.<br />
<br />
The system made no indication that it had failed, and the control center received no warnings about the fact that they were operating without an alarm system.<br />
<br />
The combination which caused the first system failure itself was due to three sagging power lines being tripped simultaneously. The three separate events attempted to execute on a shared state, causing no alarm to be raised and the system to fail.<br />
<br />
== The NASA Mars-Rover ==<br />
<br />
The NASA Mars-Rover incident is another well known case of system failure due to race conditions. The Mars-Rover is a six wheeled driven, four wheeled steered vehicle designed by NASA to navigate the surface of Mars in order to gather videos, images, samples or any possible data about the planet. NASA landed two Rover vehicles, the Spirit and Opportunity Rovers, on January 4 and January 25, 2004, respectively. The Rover was controlled on a daily basis by the NASA team on earth by sending messages and tasks. Each solar day in the life of the Rover is called a Sol. <br />
<br />
===Hardware design and architecture===<br />
<br />
The vehicle's main operating equipment consists of a set of high-resolution cameras, a collection of specialized spectrometers and a set of radio antennas for transmitting and receiving data. The main computer was built around a BAE RAD-6000 CPU (Rad6k), RAM and non-volatile memory (a combination of FLASH and ROM). <br />
<br />
===Software design===<br />
<br />
The Rover software was mostly implemented in ANSI C, with some fragements of code written in C++ and assembly. The rover relied on an autonomous system that enabled the rover to drive itself and carry out a number of self-maintenance operations. The system implements a time-multiplexing system, as all processes share resources on the CPU. The Rover records progress through the use of three primary log-file systems: event reports (EVRs), engineering data (EH&A) and data products.<br />
<br />
===System failures===<br />
The first race-condition bug occured in the Spirit Rover on Sol 131. The initilazation module (IM) process was preparing to increment a counter that keeps track of the number of times an initilazation occured, in order to do that, the IM process must request permission and be granted access to write that counter to memory (critical section). While requesting the permission, another process was granted access to use that very same piece of memory (critical section). This resulted in the IM process generating a fatal exception through its EVR log. The exception lead to loss and trouble in transmitting data to the NASA team on earth. The NASA team attempted to solve the problem by restricting another module from operating during that time-frame. However, the same bug reoccured in the Spirit Rover on Sol 209 and then on the Opportunity Rover on Sol 596 and Sol 622.<br />
<br />
<br />
<br />
==Windows Blue-Screens-Of-Death==<br />
<br />
When a problem in Windows forces the operation systems to fail, the computer often displays an error screen, know as Stop message, that describes the cause of the problem, most people called this a Blue Screen of Death (BSOD).<br />
<br />
The error 0X0000001a, MEMORY_MANAGEMENT, occurs because of the race condition of memory management. It is a hardware error related to memory management. It is possible that the computer can not timely get enough power to the memory for the process. <br />
<br />
The BSOD has surfaced on a number of Windows versions including Windows 7. It has also caused system failures in airports, ATM machines and street hoardings. However, the most notable public incident happened on the opening ceremony of the 2008 Beijing Summer Olympics in China, when one of the projectors crashed because of a BSOD bug. <br />
<br />
=Conclusions=<br />
<br />
<br />
=References=<br />
* Nancy Leveson. [http://sunnyday.mit.edu/papers/therac.pdf Medical Devices: The Therac-25] <br />
* Reeves and Snyder. [http://ieeexplore.ieee.org/stamp/stamp.jsp?tp=&arnumber=1571113&userType=inst An Overview of the Mars Exploration Rovers' Flight Software]<br />
* Matijevic and E. Dewell. 2006 [http://trs-new.jpl.nasa.gov/dspace/bitstream/2014/39897/1/06-0922.pdf Anomaly Recovery and the Mars Exploration Rovers]<br />
* Dreaded Blue Screen of Death strikes Olympics [http://news.cnet.com/8301-17938_105-10015872-1.html]</div>Atubmanhttps://homeostasis.scs.carleton.ca/wiki/index.php?title=COMP_3000_Essay_1_2010_Question_6&diff=3547COMP 3000 Essay 1 2010 Question 62010-10-14T02:31:14Z<p>Atubman: Added Therac-25 Reference</p>
<hr />
<div>=Question=<br />
<br />
What are some examples of notable systems that have failed due to flawed efforts at mutual exclusion and/or race conditions? How significant was the failure in each case?<br />
<br />
=Answer=<br />
<br />
=Introduction=<br />
<br />
Race conditions bugs have their fare share of notoriety in the history of software bugs. This may range from a piece of Java code causing the application to halt, to life-critical system failures that lead to fatal results. In this article, we will define race conditions, examine some of the most well known cases involving race conditions and explore some of the solution schemes and ways the industry have proposed to track and detect race conditions.<br />
<br />
=Overview=<br />
<br />
Race conditions is the term used in situations where two or more processes can access the same piece of data simutaneously and <br />
the end result depends on the timing sequence of those processes. This end result can be quite hazardous leading to major system<br />
failures.<br />
<br />
The need to control those race conditions and maintain concurrency and safe sharing of resources among processes brings us to the concept of mutual exclusion (Mutex). Mutual exclusion is the idea of making sure processes access data in a serialized way. Meaning that, if process A for instance, happens to be executing or using a particular data structure (called a critical section), then no other process like B would be allowed to execute or use that very same data structure (critical section) until process A finishes executing or decides to leave the data structure. Common algorithms and techniques used to establish mutual exclusion include locks, semaphores and monitors.<br />
=Examples=<br />
== Therac-25 ==<br />
(This is still very rough and needs work. Thought I would lay it out there as a starting point)<br />
<br />
The Therac-25 was an x-ray machine developed in Canada by Atomic Energy of Canada Limited (AECL). The machine was used to treat people using radiation therapy. Between 1985 and 1987 six patients were given overdoses of radiation by the machine. Half these patients died due to the accident. The cause of the incidents has been traced back to a programming bug which caused a race-condition.<br />
The Therac-25 software was written by a single programmer in PDP-11 assembly language. Portions of code were reused from software in the previous Therac-6 and Therac-20 machines. <br />
The main portion of the code runs a function called “Treat” this function determins which of the programs 8 main subroutines it should be executing. The Keyboard handler task ran concurrently with “Treat”<br />
<br />
The 8 main subroutines were: <br />
<br />
Reset<br />
<br />
Datent<br />
<br />
Set Up Done<br />
<br />
Set Up Test<br />
<br />
Patient Treatment<br />
<br />
Pause Treatment<br />
<br />
Terminate Treatment<br />
<br />
Date, Time, ID Changes<br />
<br />
<br />
The Datent subroutine communicated with the keyboard hander task through a shared variable which signaled if the operator was finished entering the necessary data. Once the Datent subroutine sets the flag signifying the operator has entered the necessary information it allows the main program to move onto the next subroutine. If the flag was not set the “Treat” task reschedules itself in turn rescheduling the Datent subroutine. This continues until the shared data entry flag is set.<br />
<br />
<br />
The Datent subroutine was also responsible for preparing the x-ray to administer the correct radiation dosage. The subroutine was setup so that before returning to “Treat” instructions to move on to the next of its 8 subroutines it would first call the “Magnet” subroutine. This subroutine parsed the operators input and moved the x-ray machines magnets into position to administer the prescribed radiation. This magnet subroutine took approximately 8 seconds to complete and while it ran the keyboard handler was also running. If the operator modified the data before the “magnet” subroutine returned their changes would not be register and the x-ray strength would already be set to its prior value ignoring the operator’s changes.<br />
<br />
<br />
<br />
Hypothetical example situation:<br />
<br />
-Operator types up data, presses return<br />
<br />
-(Magnet subroutine is initiated)<br />
<br />
-Operator realizes there is an extra 0 in the radiation intensity field<br />
-Operator moves cursor up and fixes the error and presses return again.<br />
<br />
-Magnets are set to previous power level .subroutine returns <br />
<br />
-Program moves on to next subroutine without registering changes<br />
<br />
-Patient is administered a lethal overdose of radiation<br />
<br />
== Black-out of 2003 ==<br />
<br />
On August 14th, 2003, a massive power outage spread through the Northeastern and Midwestern United States and Canada. A generating plant in Eastlake, Ohio went offline, causing a domino affect ultimately leading to over 100 power plants shutting down.<br />
<br />
There are several reasons that are attributed to this massive failure. One of the most prominent factors being a software bug in General Electric Energy's Unix-based XA/21 energy management system.<br />
<br />
FirstEnergy's Akron, Ohio control center was responsible for monitoring the Eastlake plant. However, the software flaw caused the control center to be unable to receive any warning or alarm from the plants.<br />
<br />
Because of this, the control center's ability to prevent the cascading effect after the Eastlake plant went offline.<br />
<br />
The XA/21 bug was triggered through a unique combination of events and alarm conditions on the equipment it was monitoring. The main system failed, unable to handle the combination of requests. By the time the back-up server kicked in, the accumulation of events since the main system failure caused it to go down as well.<br />
<br />
The system made no indication that it had failed, and the control center received no warnings about the fact that they were operating without an alarm system.<br />
<br />
The combination which caused the first system failure itself was due to three sagging power lines being tripped simultaneously. The three separate events attempted to execute on a shared state, causing no alarm to be raised and the system to fail.<br />
<br />
== The NASA Mars-Rover ==<br />
<br />
The NASA Mars-Rover incident is another well known case of system failure due to race conditions. The Mars-Rover is a six wheeled driven, four wheeled steered vehicle designed by NASA to navigate the surface of Mars in order to gather videos, images, samples or any possible data about the planet. NASA landed two Rover vehicles, the Spirit and Opportunity Rovers, on January 4 and January 25, 2004, respectively. The Rover was controlled on a daily basis by the NASA team on earth by sending messages and tasks. Each solar day in the life of the Rover is called a Sol. <br />
<br />
===Hardware design and architecture===<br />
<br />
The vehicle's main operating equipment consists of a set of high-resolution cameras, a collection of specialized spectrometers and a set of radio antennas for transmitting and receiving data. The main computer was built around a BAE RAD-6000 CPU (Rad6k), RAM and non-volatile memory (a combination of FLASH and ROM). <br />
<br />
===Software design===<br />
<br />
The Rover software was mostly implemented in ANSI C, with some fragements of code written in C++ and assembly. The rover relied on an autonomous system that enabled the rover to drive itself and carry out a number of self-maintenance operations. The system implements a time-multiplexing system, as all processes share resources on the CPU. The Rover records progress through the use of three primary log-file systems: event reports (EVRs), engineering data (EH&A) and data products.<br />
<br />
===System failures===<br />
The first race-condition bug occured in the Spirit Rover on Sol 131. The initilazation module (IM) process was preparing to increment a counter that keeps track of the number of times an initilazation occured, in order to do that, the IM process must request permission and be granted access to write that counter to memory (critical section). While requesting the permission, another process was granted access to use that very same piece of memory (critical section). This resulted in the IM process generating a fatal exception through its EVR log. The exception lead to loss and trouble in transmitting data to the NASA team on earth. The NASA team attempted to solve the problem by restricting another module from operating during that time-frame. However, the same bug reoccured in the Spirit Rover on Sol 209 and then on the Opportunity Rover on Sol 596 and Sol 622.<br />
<br />
<br />
<br />
==Windows Blue-Screens-Of-Death==<br />
<br />
When a problem in Windows forces the operation systems to fail, the computer often displays an error screen, know as Stop message, that describes the cause of the problem, most people called this a Blue Screen of Death (BSOD).<br />
<br />
The error 0X0000001a, MEMORY_MANAGEMENT, occurs because of the race condition of memory management. It is a hardware error related to memory management. It is possible that the computer can not timely get enough power to the memory for the process. <br />
<br />
The BSOD has surfaced on a number of Windows versions including Windows 7. It has also caused system failures in airports, ATM machines and street hoardings. However, the most notable public incident happened on the opening ceremony of the 2008 Beijing Summer Olympics in China, when one of the projectors crashed because of a BSOD bug. <br />
<br />
=Conclusions=<br />
<br />
<br />
=References=<br />
* Nancy Leveson. [http://sunnyday.mit.edu/papers/therac.pdf Medical Devices: The Therac-25] <br />
* Reeves and Snyder. [http://ieeexplore.ieee.org/stamp/stamp.jsp?tp=&arnumber=1571113&userType=inst An Overview of the Mars Exploration Rovers' Flight Software]<br />
* Matijevic and E. Dewell. 2006 [http://trs-new.jpl.nasa.gov/dspace/bitstream/2014/39897/1/06-0922.pdf Anomaly Recovery and the Mars Exploration Rovers]<br />
* Dreaded Blue Screen of Death strikes Olympics [http://news.cnet.com/8301-17938_105-10015872-1.html]</div>Atubmanhttps://homeostasis.scs.carleton.ca/wiki/index.php?title=Talk:COMP_3000_Essay_1_2010_Question_6&diff=2871Talk:COMP 3000 Essay 1 2010 Question 62010-10-10T23:28:12Z<p>Atubman: </p>
<hr />
<div>Hey guys, this is Munther. I'm one of the members of the group assigned to this question. Before we start, let me just say that since this is a collective piece of work thats supposed to include contributions from each member of the group, let us all assume the role of the editor. So we will all contribute and help edit the final version of the article.<br />
<br />
Regarding our question. As a starting point, I figured it would be appropriate to start defining what mutual exclusion (mutex) and race conditions mean. Lets start with race conditions, since mutual exclusion basically came to life because of the need to control race conditions.<br />
<br />
Race conditions: situations where one or more processes are trying to write, read or access the same piece of data, and the final result depends on who runs precisely when. Look at the text book in pages 117-118 for a detailed example of that.<br />
<br />
Mutual exclusion (mutex): the idea of making sure that processes access data in a serialized way. Meaning that, if process A for instance, happens to be executing or using a particular data structure (called a critical section), then no other process like B would be allowed to execute or use that very same data structure (critical section) until process A finishes executing or decides to leave the data structure. Common algorithms and techniques used in mutual exclusion include: locks, semaphores and monitors.<br />
<br />
Our question asks for examples of systems that have failed due to flawed efforts. For starters, this is a wiki-programming page (Rosetta code) that examines race conditions and offers an example from the Unix/Linux operating systems, whether the example mentioned here is considered a "failure" we should check with the prof. Anyways, its a good starting point.<br />
http://rosettacode.org/wiki/Race_condition<br />
<br />
Heres also a paper that goes back to 1992, which basically examines the excessive amount of expenses and resources used in older versions of the Unix system when implementing mutual exclusion. The paper goes to explain the problem and offers a better solution. Its pretty easy to follow and understand, worth reading as well.<br />
http://www.usenix.org/publications/library/proceedings/sa92/moran.pdf<br />
<br />
-- Munther<br />
<br />
----<br />
<br />
<br />
Hey Andrew here another member of this group. Those are some good starting points. The Wikipedia page on race conditions have references to a few good examples http://en.wikipedia.org/wiki/Race_condition<br />
<br />
Couple notable ones:<br />
<br />
The Therac-25 x-ray machine which killed a bunch of people http://courses.cs.vt.edu/~cs3604/lib/Therac_25/Side_bar_1.html<br />
<br />
A blackout in 2003 was caused by a race condition in one of the power company's alarm systems http://www.securityfocus.com/news/8412 (really awful block of text)<br />
<br />
--Andrew<br />
<br />
-----<br />
<br />
<br />
Alright, so the things that the prof mentioned in our last lecture proved to be super helpful. Basically, what he means by "systems", is any device based operating system. It doesn't necessarily has to be a PC-based operating system (Windows, Linux, etc.). So the Therac-25 story mentioned by Andrew in the above post is a prime example of the type of things we might be looking for.<br />
<br />
Other notable examples:<br />
<br />
1. The Opportunity Mars-Rover 1116 incident. (A rover is basically a space exploration vehicle designed to navigate the surface of a planet in order to gather images, samples or any possible information about that particular surface.). The rover experienced a rare unexpected error due to a race-conditions fault. For some reason, this seems to be a fairly common problem for those Mars-Rovers, since the same kind of error was experienced on the Spirit Mars-Rover as well. <br />
<br />
Heres an overview of the Opportunity 1116 incident from MarsToday : http://www.marstoday.com/news/viewsr.html?pid=23772<br />
<br />
Heres a paper that examines the race conditions experienced on those rovers, discuses the Spirit Rover incident and even goes to <br />
explain the underlying architecture of the rover hardware: http://trs-new.jpl.nasa.gov/dspace/bitstream/2014/39897/1/06-0922.pdf<br />
<br />
<br />
2. A file-system based type of race condition involves an older version of the Unix operating system, in which the user-mode can actually be bypassed, allowing the user to access the entire system. I can see this being considered an error or a case of failure as well. This actually may be a bit more approachable, as far as understanding the Unix kernel and stuff like that, I'm sure we can find a lot of resources for this.<br />
<br />
A small article exploring the issue: http://www.osdata.com/holistic/security/attacks/racecond.html<br />
<br />
- - - - - - - - - - -<br />
<br />
Heres also a paper that examines Race Conditions in depth, talks about the importance of mutual exclusion and provides a number of solutions :<br />
http://www.google.ca/url?sa=t&source=web&cd=4&ved=0CCoQFjAD&url=http%3A%2F%2Fciteseerx.ist.psu.edu%2Fviewdoc%2Fdownload%3Fdoi%3D10.1.1.1.5897%26rep%3Drep1%26type%3Dpdf&rct=j&q=race%20conditions%20case%20study%20steve%20carr%2010.1.1.1&ei=FTCtTOzRN8mVnAeL-OThDA&usg=AFQjCNHdyHdeFSpES0nMjzb7lPkFxKwC2g&sig2=u2Qo9kdemxdCWAlH10GNeQ<br />
<br />
Heres another paper from the ACM Portal: http://portal.acm.org/citation.cfm?id=130616.130623&coll=Portal&dl=GUIDE&CFID=104720795&CFTOKEN=13393160<br />
<br />
If anyone can't access the pdf files on the ACM Portal or even CiteSeer for that matter, you need to log in to the netwrk using your Carleton library account. Go to the following: http://portal.acm.org.proxy.library.carleton.ca<br />
You will be prompted to enter your Student ID card barcode number, thats the number below your name on your student ID. And the password is your CarletonCentral password.<br />
<br />
I think so far we have managed to gather a handful amount of cases. In the next couple of days, we should probably delve deeper into some of those cases.<br />
<br />
PS: If you wanna contact me, go to my profile in the history tab. Click on Hesperus.<br />
<br />
-- Munther<br />
<br />
--------------------<br />
<br />
Hey guys, I am Daniel. I am also in group 6 (Am i the final group member?). I'm ready to help get this show on the road! I am going to set up a basic essay structure on the other page so that we know what to aim for. You guys look like you've rounded up quite a bit of info on the subject already, great job!<br />
<br />
Introduction Paragraph: Introduces the question and gives some general background etc.<br />
Paragraph 1: Gives first example in detail<br />
Paragraph 2: Gives second example in detail<br />
Paragraph 3: Gives third example in detail<br />
Conclusion: Relates it all back together or something (never been good with conclusions) <br />
<br />
<br />
I think each example paragraph should be broken down like this:<br />
<br />
1. Introduction to the example<br />
2. What they tried to use the Multi-Threading to do (or something like that)<br />
3. Story of the system failing<br />
4. The significance/involvement of race condition and mutual exclusion in the failure<br />
5. Conclusion (how it was solved and stuff like that can go here too)<br />
<br />
-----<br />
<br />
<br />
Hey guys, I'm Fangchen. I am also in group 6. (So I might be the last member lol) <br />
I found a chapter of a book from sun, which name of the chapter is Race Conditions and<br />
Mutual Exclusion.There are some examples on race condition in Java programming which i think we could study for sure.<br />
<br />
The link of the book chapter is here.<br />
<br />
http://java.sun.com/developer/Books/performance2/chap3.pdf<br />
<br />
On page 2 of the pdf file, there is a first example of race condition. I think this might be useful in our essay as a case study.<br />
<br />
<br />
--Fangchen<br />
<br />
----<br />
My name is Julie and I believe that I am the last group member. Our professor said that every group has 5 to 6 members.<br />
It appears that we have quite the list of resources. Are we planning to use them all? It might be a good idea to list the resources we believe are the most relevant. <br />
<br />
Note: This link, http://www.osdata.com/holistic/security/attacks/racecond.html, is broken. <br />
<br />
I only have one resource to add. I found a paper that summarizes information about Therac-25 and the blackout of 2003: http://x4.6times7.org/downloads/software_catastrophes.pdf.<br />
<br />
4.1 Blackout (pg. 5 – 6)<br />
<br />
4.3 Therac-25 (pg. 7 – 8)<br />
<br />
I think we should agree on a thesis soon. Currently the examples in our essay are not connected by a central argument. If we have time, I think we should try to find another example (assuming we have agreed to write about Therac-25, the blackout of 2003 and the Mars rovers). Prof. Anil said that he was expecting four to five examples. Three examples is a minimum. I have been trying to search for one that is not as well known (as encouraged in class) but I have not had any luck.<br />
<br />
Are the series of Mars rovers (Opportunity and Spirit from 2004-2005) the most recent examples? I have not found any that are more recent so far. I wonder if systems programmers have learned from these past failures. I noticed, while searching for resources, that researchers have developed/are now developing tools and strategies to detect race conditions. <br />
<br />
Lastly, what is our plan on how divide the work for this essay? Also do we want to meet in person someday?<br />
<br />
--[[User:J powers|J powers]] 16:08, 9 October 2010 (UTC)<br />
<br />
One suggestion I have for dividing the work is for everyone to write a paragraph of the essay or about a specific disaster.<br />
--[[User:J powers|J powers]] 16:50, 9 October 2010 (UTC)<br />
<br />
-----<br />
<br />
Cool, its good to have the other members of the group on board. I will handle the editing and the introductory paragraph. I will try to make it as academic as possible. <br />
<br />
What Julie mentioned is right. The prof said that 3 examples are alright. But he's really looking for 4-5 cases. We need to impress him a little bit here. The other case he mentioned was the Blue-Screens-Of-Death incidents. I believe a mail man was killed because of that. I will try to find some information on that later on today. <br />
<br />
Also, if you guys wanna meet up a couple of days before the due date, thats ok by me. We can meet up in the Herzberg labs in the 4th floor, not the undergrad ones, the ones at the end of the hall. Or I can reserve a room for us in the library. Or if you just want to continue doing this online, I know that each one of us has probably a different schedule and everything.<br />
<br />
-- Munther<br />
<br />
----<br />
<br />
Alright, Seems we needed more than i originally thought :p so i tweaked the other page to have 5 of them instead of 3. I would absolutely like to meet up :D. Doing this online thing makes me feel wierd for some reason...<br />
<br />
But if we do meet up lets put all our discussion and decisions on the page here so it can get reviewed etc.<br />
<br />
If we are gonna meet up I would prefer Herzberg (not that it really matters, its just where i hang out anyways)<br />
<br />
Also is this due on tuesday or thursday?<br />
<br />
-- Daniel<br />
<br />
---<br />
Ok everyone write in here when you are available before the 14th<br />
<br />
Daniel: all day Monday, Tuesday, and Thursday<br />
Munther: --<br />
Fangchen: --<br />
Andrew: After 12:30 Tues-Wed-Thurs<br />
Julie: Tuesday after 2:30, and Wednesday/Thursday after 1:00 [[User:J powers|J powers]] 19:32, 10 October 2010 (UTC)<br />
<br />
----<br />
<br />
Hey Everyone. Awesome looks like we have a lot of information and resources here to work from. Daniels template structure looks good and we should follow that. We should come up with a plan for executing this, what topics we want to cover and who would like to focus on what. I think the 3 big examples we've found lots of resources for are the Therac-25, Mars Rover and the Blackout. The professor mentioned he'd like to see some more exotic examples lets try and find some for examples 4/5.<br />
<br />
Layout we can build on.<br />
<br />
<br />
Introduction<br />
<br />
Therac-25<br />
<br />
Mars Rover<br />
<br />
Blackout<br />
<br />
Example 4<br />
<br />
Example 5<br />
<br />
Conclusion<br />
<br />
<br />
I'm going to try and read up a bit more on the Therac-25 and put in a few paragraphs today.<br />
<br />
[[User:Atubman|Atubman]] 21:55, 10 October 2010 (UTC) (did not know about the 4 tildes thing, thanks for sharing)<br />
----<br />
I do not mind which topic I write about but I feel a personal connection with the blackout. My hometown was affected for a long time and there were concerns about chemical plants nearby. Therefore I have an interest in writing/researching about it.<br />
<br />
Has the group member above (<strike>Could you please put your name? Was it Andrew?</strike>) decided on Therac-25 then? <br />
<br />
Also I have noticed that everyone has not been using 4 tildes. I am not sure if this how the professor knows who wrote what but it would not hurt to use it (Less to type as well). <br />
<br />
Any ideas on a deadline for all of our writing?<br />
<br />
[[User:J powers|J powers]] 21:05, 10 October 2010 (UTC)<br />
<br />
----<br />
<br />
I tried writing up a bit about the Therac-25. Still pretty rough but its a start.<br />
<br />
Good information in this paper http://sunnyday.mit.edu/papers/therac.pdf<br />
<br />
Pages 22-28 deal with the software bug<br />
<br />
[[User:Atubman|Atubman]] 23:27, 10 October 2010 (UTC)</div>Atubmanhttps://homeostasis.scs.carleton.ca/wiki/index.php?title=Talk:COMP_3000_Essay_1_2010_Question_6&diff=2870Talk:COMP 3000 Essay 1 2010 Question 62010-10-10T23:27:47Z<p>Atubman: </p>
<hr />
<div>Hey guys, this is Munther. I'm one of the members of the group assigned to this question. Before we start, let me just say that since this is a collective piece of work thats supposed to include contributions from each member of the group, let us all assume the role of the editor. So we will all contribute and help edit the final version of the article.<br />
<br />
Regarding our question. As a starting point, I figured it would be appropriate to start defining what mutual exclusion (mutex) and race conditions mean. Lets start with race conditions, since mutual exclusion basically came to life because of the need to control race conditions.<br />
<br />
Race conditions: situations where one or more processes are trying to write, read or access the same piece of data, and the final result depends on who runs precisely when. Look at the text book in pages 117-118 for a detailed example of that.<br />
<br />
Mutual exclusion (mutex): the idea of making sure that processes access data in a serialized way. Meaning that, if process A for instance, happens to be executing or using a particular data structure (called a critical section), then no other process like B would be allowed to execute or use that very same data structure (critical section) until process A finishes executing or decides to leave the data structure. Common algorithms and techniques used in mutual exclusion include: locks, semaphores and monitors.<br />
<br />
Our question asks for examples of systems that have failed due to flawed efforts. For starters, this is a wiki-programming page (Rosetta code) that examines race conditions and offers an example from the Unix/Linux operating systems, whether the example mentioned here is considered a "failure" we should check with the prof. Anyways, its a good starting point.<br />
http://rosettacode.org/wiki/Race_condition<br />
<br />
Heres also a paper that goes back to 1992, which basically examines the excessive amount of expenses and resources used in older versions of the Unix system when implementing mutual exclusion. The paper goes to explain the problem and offers a better solution. Its pretty easy to follow and understand, worth reading as well.<br />
http://www.usenix.org/publications/library/proceedings/sa92/moran.pdf<br />
<br />
-- Munther<br />
<br />
----<br />
<br />
<br />
Hey Andrew here another member of this group. Those are some good starting points. The Wikipedia page on race conditions have references to a few good examples http://en.wikipedia.org/wiki/Race_condition<br />
<br />
Couple notable ones:<br />
<br />
The Therac-25 x-ray machine which killed a bunch of people http://courses.cs.vt.edu/~cs3604/lib/Therac_25/Side_bar_1.html<br />
<br />
A blackout in 2003 was caused by a race condition in one of the power company's alarm systems http://www.securityfocus.com/news/8412 (really awful block of text)<br />
<br />
--Andrew<br />
<br />
-----<br />
<br />
<br />
Alright, so the things that the prof mentioned in our last lecture proved to be super helpful. Basically, what he means by "systems", is any device based operating system. It doesn't necessarily has to be a PC-based operating system (Windows, Linux, etc.). So the Therac-25 story mentioned by Andrew in the above post is a prime example of the type of things we might be looking for.<br />
<br />
Other notable examples:<br />
<br />
1. The Opportunity Mars-Rover 1116 incident. (A rover is basically a space exploration vehicle designed to navigate the surface of a planet in order to gather images, samples or any possible information about that particular surface.). The rover experienced a rare unexpected error due to a race-conditions fault. For some reason, this seems to be a fairly common problem for those Mars-Rovers, since the same kind of error was experienced on the Spirit Mars-Rover as well. <br />
<br />
Heres an overview of the Opportunity 1116 incident from MarsToday : http://www.marstoday.com/news/viewsr.html?pid=23772<br />
<br />
Heres a paper that examines the race conditions experienced on those rovers, discuses the Spirit Rover incident and even goes to <br />
explain the underlying architecture of the rover hardware: http://trs-new.jpl.nasa.gov/dspace/bitstream/2014/39897/1/06-0922.pdf<br />
<br />
<br />
2. A file-system based type of race condition involves an older version of the Unix operating system, in which the user-mode can actually be bypassed, allowing the user to access the entire system. I can see this being considered an error or a case of failure as well. This actually may be a bit more approachable, as far as understanding the Unix kernel and stuff like that, I'm sure we can find a lot of resources for this.<br />
<br />
A small article exploring the issue: http://www.osdata.com/holistic/security/attacks/racecond.html<br />
<br />
- - - - - - - - - - -<br />
<br />
Heres also a paper that examines Race Conditions in depth, talks about the importance of mutual exclusion and provides a number of solutions :<br />
http://www.google.ca/url?sa=t&source=web&cd=4&ved=0CCoQFjAD&url=http%3A%2F%2Fciteseerx.ist.psu.edu%2Fviewdoc%2Fdownload%3Fdoi%3D10.1.1.1.5897%26rep%3Drep1%26type%3Dpdf&rct=j&q=race%20conditions%20case%20study%20steve%20carr%2010.1.1.1&ei=FTCtTOzRN8mVnAeL-OThDA&usg=AFQjCNHdyHdeFSpES0nMjzb7lPkFxKwC2g&sig2=u2Qo9kdemxdCWAlH10GNeQ<br />
<br />
Heres another paper from the ACM Portal: http://portal.acm.org/citation.cfm?id=130616.130623&coll=Portal&dl=GUIDE&CFID=104720795&CFTOKEN=13393160<br />
<br />
If anyone can't access the pdf files on the ACM Portal or even CiteSeer for that matter, you need to log in to the netwrk using your Carleton library account. Go to the following: http://portal.acm.org.proxy.library.carleton.ca<br />
You will be prompted to enter your Student ID card barcode number, thats the number below your name on your student ID. And the password is your CarletonCentral password.<br />
<br />
I think so far we have managed to gather a handful amount of cases. In the next couple of days, we should probably delve deeper into some of those cases.<br />
<br />
PS: If you wanna contact me, go to my profile in the history tab. Click on Hesperus.<br />
<br />
-- Munther<br />
<br />
--------------------<br />
<br />
Hey guys, I am Daniel. I am also in group 6 (Am i the final group member?). I'm ready to help get this show on the road! I am going to set up a basic essay structure on the other page so that we know what to aim for. You guys look like you've rounded up quite a bit of info on the subject already, great job!<br />
<br />
Introduction Paragraph: Introduces the question and gives some general background etc.<br />
Paragraph 1: Gives first example in detail<br />
Paragraph 2: Gives second example in detail<br />
Paragraph 3: Gives third example in detail<br />
Conclusion: Relates it all back together or something (never been good with conclusions) <br />
<br />
<br />
I think each example paragraph should be broken down like this:<br />
<br />
1. Introduction to the example<br />
2. What they tried to use the Multi-Threading to do (or something like that)<br />
3. Story of the system failing<br />
4. The significance/involvement of race condition and mutual exclusion in the failure<br />
5. Conclusion (how it was solved and stuff like that can go here too)<br />
<br />
-----<br />
<br />
<br />
Hey guys, I'm Fangchen. I am also in group 6. (So I might be the last member lol) <br />
I found a chapter of a book from sun, which name of the chapter is Race Conditions and<br />
Mutual Exclusion.There are some examples on race condition in Java programming which i think we could study for sure.<br />
<br />
The link of the book chapter is here.<br />
<br />
http://java.sun.com/developer/Books/performance2/chap3.pdf<br />
<br />
On page 2 of the pdf file, there is a first example of race condition. I think this might be useful in our essay as a case study.<br />
<br />
<br />
--Fangchen<br />
<br />
----<br />
My name is Julie and I believe that I am the last group member. Our professor said that every group has 5 to 6 members.<br />
It appears that we have quite the list of resources. Are we planning to use them all? It might be a good idea to list the resources we believe are the most relevant. <br />
<br />
Note: This link, http://www.osdata.com/holistic/security/attacks/racecond.html, is broken. <br />
<br />
I only have one resource to add. I found a paper that summarizes information about Therac-25 and the blackout of 2003: http://x4.6times7.org/downloads/software_catastrophes.pdf.<br />
<br />
4.1 Blackout (pg. 5 – 6)<br />
<br />
4.3 Therac-25 (pg. 7 – 8)<br />
<br />
I think we should agree on a thesis soon. Currently the examples in our essay are not connected by a central argument. If we have time, I think we should try to find another example (assuming we have agreed to write about Therac-25, the blackout of 2003 and the Mars rovers). Prof. Anil said that he was expecting four to five examples. Three examples is a minimum. I have been trying to search for one that is not as well known (as encouraged in class) but I have not had any luck.<br />
<br />
Are the series of Mars rovers (Opportunity and Spirit from 2004-2005) the most recent examples? I have not found any that are more recent so far. I wonder if systems programmers have learned from these past failures. I noticed, while searching for resources, that researchers have developed/are now developing tools and strategies to detect race conditions. <br />
<br />
Lastly, what is our plan on how divide the work for this essay? Also do we want to meet in person someday?<br />
<br />
--[[User:J powers|J powers]] 16:08, 9 October 2010 (UTC)<br />
<br />
One suggestion I have for dividing the work is for everyone to write a paragraph of the essay or about a specific disaster.<br />
--[[User:J powers|J powers]] 16:50, 9 October 2010 (UTC)<br />
<br />
-----<br />
<br />
Cool, its good to have the other members of the group on board. I will handle the editing and the introductory paragraph. I will try to make it as academic as possible. <br />
<br />
What Julie mentioned is right. The prof said that 3 examples are alright. But he's really looking for 4-5 cases. We need to impress him a little bit here. The other case he mentioned was the Blue-Screens-Of-Death incidents. I believe a mail man was killed because of that. I will try to find some information on that later on today. <br />
<br />
Also, if you guys wanna meet up a couple of days before the due date, thats ok by me. We can meet up in the Herzberg labs in the 4th floor, not the undergrad ones, the ones at the end of the hall. Or I can reserve a room for us in the library. Or if you just want to continue doing this online, I know that each one of us has probably a different schedule and everything.<br />
<br />
-- Munther<br />
<br />
----<br />
<br />
Alright, Seems we needed more than i originally thought :p so i tweaked the other page to have 5 of them instead of 3. I would absolutely like to meet up :D. Doing this online thing makes me feel wierd for some reason...<br />
<br />
But if we do meet up lets put all our discussion and decisions on the page here so it can get reviewed etc.<br />
<br />
If we are gonna meet up I would prefer Herzberg (not that it really matters, its just where i hang out anyways)<br />
<br />
Also is this due on tuesday or thursday?<br />
<br />
-- Daniel<br />
<br />
---<br />
Ok everyone write in here when you are available before the 14th<br />
<br />
Daniel: all day Monday, Tuesday, and Thursday<br />
Munther: --<br />
Fangchen: --<br />
Andrew: After 12:30 Tues-Wed-Thurs<br />
Julie: Tuesday after 2:30, and Wednesday/Thursday after 1:00 [[User:J powers|J powers]] 19:32, 10 October 2010 (UTC)<br />
<br />
----<br />
<br />
Hey Everyone. Awesome looks like we have a lot of information and resources here to work from. Daniels template structure looks good and we should follow that. We should come up with a plan for executing this, what topics we want to cover and who would like to focus on what. I think the 3 big examples we've found lots of resources for are the Therac-25, Mars Rover and the Blackout. The professor mentioned he'd like to see some more exotic examples lets try and find some for examples 4/5.<br />
<br />
Layout we can build on.<br />
<br />
<br />
Introduction<br />
<br />
Therac-25<br />
<br />
Mars Rover<br />
<br />
Blackout<br />
<br />
Example 4<br />
<br />
Example 5<br />
<br />
Conclusion<br />
<br />
<br />
I'm going to try and read up a bit more on the Therac-25 and put in a few paragraphs today.<br />
<br />
[[User:Atubman|Atubman]] 21:55, 10 October 2010 (UTC) (did not know about the 4 tildes thing, thanks for sharing)<br />
----<br />
I do not mind which topic I write about but I feel a personal connection with the blackout. My hometown was affected for a long time and there were concerns about chemical plants nearby. Therefore I have an interest in writing/researching about it.<br />
<br />
Has the group member above (<strike>Could you please put your name? Was it Andrew?</strike>) decided on Therac-25 then? <br />
<br />
Also I have noticed that everyone has not been using 4 tildes. I am not sure if this how the professor knows who wrote what but it would not hurt to use it (Less to type as well). <br />
<br />
Any ideas on a deadline for all of our writing?<br />
<br />
[[User:J powers|J powers]] 21:05, 10 October 2010 (UTC)<br />
<br />
----<br />
<br />
I tried writing up a bit about the Therac-25. Still pretty rough but its a start.<br />
Good information in this paper http://sunnyday.mit.edu/papers/therac.pdf<br />
Pages 22-28 deal with the software bug<br />
<br />
[[User:Atubman|Atubman]] 23:27, 10 October 2010 (UTC)</div>Atubmanhttps://homeostasis.scs.carleton.ca/wiki/index.php?title=COMP_3000_Essay_1_2010_Question_6&diff=2869COMP 3000 Essay 1 2010 Question 62010-10-10T23:26:00Z<p>Atubman: Adding content</p>
<hr />
<div>=Question=<br />
<br />
What are some examples of notable systems that have failed due to flawed efforts at mutual exclusion and/or race conditions? How significant was the failure in each case?<br />
<br />
=Answer=<br />
<br />
Check the discussion tab. -- Munther <br />
<br />
Introduction Paragraph:<br />
Introduces the question and gives some general background etc.<br />
<br />
Paragraph 1:<br />
Gives first example in detail<br />
<br />
Paragraph 2:<br />
Gives second example in detail<br />
<br />
Paragraph 3:<br />
Gives third example in detail<br />
<br />
Paragraph 4:<br />
Gives fourth example in detail<br />
<br />
Paragraph 5:<br />
Gives fifth example in detail<br />
<br />
Conclusion:<br />
Relates it all back together or something (never been good with conclusions)<br />
<br />
<br />
<br />
== Therac-25 ==<br />
(This is still very rough and needs work. Thought I would lay it out there as a starting point)<br />
<br />
The Therac-25 was an x-ray machine developed in Canada by Atomic Energy of Canada Limited (AECL). The machine was used to treat people using radiation therapy. Between 1985 and 1987 six patients were given overdoses of radiation by the machine. Half these patients died due to the accident. The cause of the incidents has been traced back to a programming bug which caused a race-condition.<br />
The Therac-25 software was written by a single programmer in PDP-11 assembly language. Portions of code were reused from software in the previous Therac-6 and Therac-20 machines. <br />
The main portion of the code runs a function called “Treat” this function determins which of the programs 8 main subroutines it should be executing. The Keyboard handler task ran concurrently with “Treat”<br />
<br />
The 8 main subroutines were: <br />
<br />
Reset<br />
<br />
Datent<br />
<br />
Set Up Done<br />
<br />
Set Up Test<br />
<br />
Patient Treatment<br />
<br />
Pause Treatment<br />
<br />
Terminate Treatment<br />
<br />
Date, Time, ID Changes<br />
<br />
<br />
The Datent subroutine communicated with the keyboard hander task through a shared variable which signaled if the operator was finished entering the necessary data. Once the Datent subroutine sets the flag signifying the operator has entered the necessary information it allows the main program to move onto the next subroutine. If the flag was not set the “Treat” task reschedules itself in turn rescheduling the Datent subroutine. This continues until the shared data entry flag is set.<br />
<br />
<br />
The Datent subroutine was also responsible for preparing the x-ray to administer the correct radiation dosage. The subroutine was setup so that before returning to “Treat” instructions to move on to the next of its 8 subroutines it would first call the “Magnet” subroutine. This subroutine parsed the operators input and moved the x-ray machines magnets into position to administer the prescribed radiation. This magnet subroutine took approximately 8 seconds to complete and while it ran the keyboard handler was also running. If the operator modified the data before the “magnet” subroutine returned their changes would not be register and the x-ray strength would already be set to its prior value ignoring the operator’s changes.<br />
<br />
<br />
<br />
Hypothetical example situation:<br />
<br />
-Operator types up data, presses return<br />
<br />
-(Magnet subroutine is initiated)<br />
<br />
-Operator realizes there is an extra 0 in the radiation intensity field<br />
-Operator moves cursor up and fixes the error and presses return again.<br />
<br />
-Magnets are set to previous power level .subroutine returns <br />
<br />
-Program moves on to next subroutine without registering changes<br />
<br />
-Patient is administered a lethal overdose of radiation</div>Atubmanhttps://homeostasis.scs.carleton.ca/wiki/index.php?title=Talk:COMP_3000_Essay_1_2010_Question_6&diff=2863Talk:COMP 3000 Essay 1 2010 Question 62010-10-10T21:55:18Z<p>Atubman: </p>
<hr />
<div>Hey guys, this is Munther. I'm one of the members of the group assigned to this question. Before we start, let me just say that since this is a collective piece of work thats supposed to include contributions from each member of the group, let us all assume the role of the editor. So we will all contribute and help edit the final version of the article.<br />
<br />
Regarding our question. As a starting point, I figured it would be appropriate to start defining what mutual exclusion (mutex) and race conditions mean. Lets start with race conditions, since mutual exclusion basically came to life because of the need to control race conditions.<br />
<br />
Race conditions: situations where one or more processes are trying to write, read or access the same piece of data, and the final result depends on who runs precisely when. Look at the text book in pages 117-118 for a detailed example of that.<br />
<br />
Mutual exclusion (mutex): the idea of making sure that processes access data in a serialized way. Meaning that, if process A for instance, happens to be executing or using a particular data structure (called a critical section), then no other process like B would be allowed to execute or use that very same data structure (critical section) until process A finishes executing or decides to leave the data structure. Common algorithms and techniques used in mutual exclusion include: locks, semaphores and monitors.<br />
<br />
Our question asks for examples of systems that have failed due to flawed efforts. For starters, this is a wiki-programming page (Rosetta code) that examines race conditions and offers an example from the Unix/Linux operating systems, whether the example mentioned here is considered a "failure" we should check with the prof. Anyways, its a good starting point.<br />
http://rosettacode.org/wiki/Race_condition<br />
<br />
Heres also a paper that goes back to 1992, which basically examines the excessive amount of expenses and resources used in older versions of the Unix system when implementing mutual exclusion. The paper goes to explain the problem and offers a better solution. Its pretty easy to follow and understand, worth reading as well.<br />
http://www.usenix.org/publications/library/proceedings/sa92/moran.pdf<br />
<br />
-- Munther<br />
<br />
----<br />
<br />
<br />
Hey Andrew here another member of this group. Those are some good starting points. The Wikipedia page on race conditions have references to a few good examples http://en.wikipedia.org/wiki/Race_condition<br />
<br />
Couple notable ones:<br />
<br />
The Therac-25 x-ray machine which killed a bunch of people http://courses.cs.vt.edu/~cs3604/lib/Therac_25/Side_bar_1.html<br />
<br />
A blackout in 2003 was caused by a race condition in one of the power company's alarm systems http://www.securityfocus.com/news/8412 (really awful block of text)<br />
<br />
--Andrew<br />
<br />
-----<br />
<br />
<br />
Alright, so the things that the prof mentioned in our last lecture proved to be super helpful. Basically, what he means by "systems", is any device based operating system. It doesn't necessarily has to be a PC-based operating system (Windows, Linux, etc.). So the Therac-25 story mentioned by Andrew in the above post is a prime example of the type of things we might be looking for.<br />
<br />
Other notable examples:<br />
<br />
1. The Opportunity Mars-Rover 1116 incident. (A rover is basically a space exploration vehicle designed to navigate the surface of a planet in order to gather images, samples or any possible information about that particular surface.). The rover experienced a rare unexpected error due to a race-conditions fault. For some reason, this seems to be a fairly common problem for those Mars-Rovers, since the same kind of error was experienced on the Spirit Mars-Rover as well. <br />
<br />
Heres an overview of the Opportunity 1116 incident from MarsToday : http://www.marstoday.com/news/viewsr.html?pid=23772<br />
<br />
Heres a paper that examines the race conditions experienced on those rovers, discuses the Spirit Rover incident and even goes to <br />
explain the underlying architecture of the rover hardware: http://trs-new.jpl.nasa.gov/dspace/bitstream/2014/39897/1/06-0922.pdf<br />
<br />
<br />
2. A file-system based type of race condition involves an older version of the Unix operating system, in which the user-mode can actually be bypassed, allowing the user to access the entire system. I can see this being considered an error or a case of failure as well. This actually may be a bit more approachable, as far as understanding the Unix kernel and stuff like that, I'm sure we can find a lot of resources for this.<br />
<br />
A small article exploring the issue: http://www.osdata.com/holistic/security/attacks/racecond.html<br />
<br />
- - - - - - - - - - -<br />
<br />
Heres also a paper that examines Race Conditions in depth, talks about the importance of mutual exclusion and provides a number of solutions :<br />
http://www.google.ca/url?sa=t&source=web&cd=4&ved=0CCoQFjAD&url=http%3A%2F%2Fciteseerx.ist.psu.edu%2Fviewdoc%2Fdownload%3Fdoi%3D10.1.1.1.5897%26rep%3Drep1%26type%3Dpdf&rct=j&q=race%20conditions%20case%20study%20steve%20carr%2010.1.1.1&ei=FTCtTOzRN8mVnAeL-OThDA&usg=AFQjCNHdyHdeFSpES0nMjzb7lPkFxKwC2g&sig2=u2Qo9kdemxdCWAlH10GNeQ<br />
<br />
Heres another paper from the ACM Portal: http://portal.acm.org/citation.cfm?id=130616.130623&coll=Portal&dl=GUIDE&CFID=104720795&CFTOKEN=13393160<br />
<br />
If anyone can't access the pdf files on the ACM Portal or even CiteSeer for that matter, you need to log in to the netwrk using your Carleton library account. Go to the following: http://portal.acm.org.proxy.library.carleton.ca<br />
You will be prompted to enter your Student ID card barcode number, thats the number below your name on your student ID. And the password is your CarletonCentral password.<br />
<br />
I think so far we have managed to gather a handful amount of cases. In the next couple of days, we should probably delve deeper into some of those cases.<br />
<br />
PS: If you wanna contact me, go to my profile in the history tab. Click on Hesperus.<br />
<br />
-- Munther<br />
<br />
--------------------<br />
<br />
Hey guys, I am Daniel. I am also in group 6 (Am i the final group member?). I'm ready to help get this show on the road! I am going to set up a basic essay structure on the other page so that we know what to aim for. You guys look like you've rounded up quite a bit of info on the subject already, great job!<br />
<br />
Introduction Paragraph: Introduces the question and gives some general background etc.<br />
Paragraph 1: Gives first example in detail<br />
Paragraph 2: Gives second example in detail<br />
Paragraph 3: Gives third example in detail<br />
Conclusion: Relates it all back together or something (never been good with conclusions) <br />
<br />
<br />
I think each example paragraph should be broken down like this:<br />
<br />
1. Introduction to the example<br />
2. What they tried to use the Multi-Threading to do (or something like that)<br />
3. Story of the system failing<br />
4. The significance/involvement of race condition and mutual exclusion in the failure<br />
5. Conclusion (how it was solved and stuff like that can go here too)<br />
<br />
-----<br />
<br />
<br />
Hey guys, I'm Fangchen. I am also in group 6. (So I might be the last member lol) <br />
I found a chapter of a book from sun, which name of the chapter is Race Conditions and<br />
Mutual Exclusion.There are some examples on race condition in Java programming which i think we could study for sure.<br />
<br />
The link of the book chapter is here.<br />
<br />
http://java.sun.com/developer/Books/performance2/chap3.pdf<br />
<br />
On page 2 of the pdf file, there is a first example of race condition. I think this might be useful in our essay as a case study.<br />
<br />
<br />
--Fangchen<br />
<br />
----<br />
My name is Julie and I believe that I am the last group member. Our professor said that every group has 5 to 6 members.<br />
It appears that we have quite the list of resources. Are we planning to use them all? It might be a good idea to list the resources we believe are the most relevant. <br />
<br />
Note: This link, http://www.osdata.com/holistic/security/attacks/racecond.html, is broken. <br />
<br />
I only have one resource to add. I found a paper that summarizes information about Therac-25 and the blackout of 2003: http://x4.6times7.org/downloads/software_catastrophes.pdf.<br />
<br />
4.1 Blackout (pg. 5 – 6)<br />
<br />
4.3 Therac-25 (pg. 7 – 8)<br />
<br />
I think we should agree on a thesis soon. Currently the examples in our essay are not connected by a central argument. If we have time, I think we should try to find another example (assuming we have agreed to write about Therac-25, the blackout of 2003 and the Mars rovers). Prof. Anil said that he was expecting four to five examples. Three examples is a minimum. I have been trying to search for one that is not as well known (as encouraged in class) but I have not had any luck.<br />
<br />
Are the series of Mars rovers (Opportunity and Spirit from 2004-2005) the most recent examples? I have not found any that are more recent so far. I wonder if systems programmers have learned from these past failures. I noticed, while searching for resources, that researchers have developed/are now developing tools and strategies to detect race conditions. <br />
<br />
Lastly, what is our plan on how divide the work for this essay? Also do we want to meet in person someday?<br />
<br />
--[[User:J powers|J powers]] 16:08, 9 October 2010 (UTC)<br />
<br />
One suggestion I have for dividing the work is for everyone to write a paragraph of the essay or about a specific disaster.<br />
--[[User:J powers|J powers]] 16:50, 9 October 2010 (UTC)<br />
<br />
-----<br />
<br />
Cool, its good to have the other members of the group on board. I will handle the editing and the introductory paragraph. I will try to make it as academic as possible. <br />
<br />
What Julie mentioned is right. The prof said that 3 examples are alright. But he's really looking for 4-5 cases. We need to impress him a little bit here. The other case he mentioned was the Blue-Screens-Of-Death incidents. I believe a mail man was killed because of that. I will try to find some information on that later on today. <br />
<br />
Also, if you guys wanna meet up a couple of days before the due date, thats ok by me. We can meet up in the Herzberg labs in the 4th floor, not the undergrad ones, the ones at the end of the hall. Or I can reserve a room for us in the library. Or if you just want to continue doing this online, I know that each one of us has probably a different schedule and everything.<br />
<br />
-- Munther<br />
<br />
----<br />
<br />
Alright, Seems we needed more than i originally thought :p so i tweaked the other page to have 5 of them instead of 3. I would absolutely like to meet up :D. Doing this online thing makes me feel wierd for some reason...<br />
<br />
But if we do meet up lets put all our discussion and decisions on the page here so it can get reviewed etc.<br />
<br />
If we are gonna meet up I would prefer Herzberg (not that it really matters, its just where i hang out anyways)<br />
<br />
Also is this due on tuesday or thursday?<br />
<br />
-- Daniel<br />
<br />
---<br />
Ok everyone write in here when you are available before the 14th<br />
<br />
Daniel: all day Monday, Tuesday, and Thursday<br />
Munther: --<br />
Fangchen: --<br />
Andrew: After 12:30 Tues-Wed-Thurs<br />
Julie: Tuesday after 2:30, and Wednesday/Thursday after 1:00[[User:J powers|J powers]] 19:32, 10 October 2010 (UTC)<br />
<br />
----<br />
<br />
Hey Everyone. Awesome looks like we have a lot of information and resources here to work from. Daniels template structure looks good and we should follow that. We should come up with a plan for executing this, what topics we want to cover and who would like to focus on what. I think the 3 big examples we've found lots of resources for are the Therac-25, Mars Rover and the Blackout. The professor mentioned he'd like to see some more exotic examples lets try and find some for examples 4/5.<br />
<br />
Layout we can build on.<br />
<br />
<br />
Introduction<br />
<br />
Therac-25<br />
<br />
Mars Rover<br />
<br />
Blackout<br />
<br />
Example 4<br />
<br />
Example 5<br />
<br />
Conclusion<br />
<br />
<br />
I'm going to try and read up a bit more on the Therac-25 and put in a few paragraphs today.<br />
<br />
[[User:Atubman|Atubman]] 21:55, 10 October 2010 (UTC) (did not know about the 4 tildes thing, thanks for sharing)<br />
----<br />
I do not mind which topic I write about but I feel a personal connection with the blackout. My hometown was affected for a long time and there were concerns about chemical plants nearby. Therefore I have an interest in writing/researching about it.<br />
<br />
Has the group member above (Could you please put your name? Was it Andrew?) decided on Therac-25 then? <br />
<br />
Also I have noticed that everyone has not been using 4 tildes. I am not sure if this how the professor knows who wrote what but it would not hurt to use it (Less to type as well). <br />
<br />
Any ideas on a deadline for all of our writing?<br />
--[[User:J powers|J powers]] 21:05, 10 October 2010 (UTC)</div>Atubmanhttps://homeostasis.scs.carleton.ca/wiki/index.php?title=Talk:COMP_3000_Essay_1_2010_Question_6&diff=2862Talk:COMP 3000 Essay 1 2010 Question 62010-10-10T21:54:02Z<p>Atubman: </p>
<hr />
<div>Hey guys, this is Munther. I'm one of the members of the group assigned to this question. Before we start, let me just say that since this is a collective piece of work thats supposed to include contributions from each member of the group, let us all assume the role of the editor. So we will all contribute and help edit the final version of the article.<br />
<br />
Regarding our question. As a starting point, I figured it would be appropriate to start defining what mutual exclusion (mutex) and race conditions mean. Lets start with race conditions, since mutual exclusion basically came to life because of the need to control race conditions.<br />
<br />
Race conditions: situations where one or more processes are trying to write, read or access the same piece of data, and the final result depends on who runs precisely when. Look at the text book in pages 117-118 for a detailed example of that.<br />
<br />
Mutual exclusion (mutex): the idea of making sure that processes access data in a serialized way. Meaning that, if process A for instance, happens to be executing or using a particular data structure (called a critical section), then no other process like B would be allowed to execute or use that very same data structure (critical section) until process A finishes executing or decides to leave the data structure. Common algorithms and techniques used in mutual exclusion include: locks, semaphores and monitors.<br />
<br />
Our question asks for examples of systems that have failed due to flawed efforts. For starters, this is a wiki-programming page (Rosetta code) that examines race conditions and offers an example from the Unix/Linux operating systems, whether the example mentioned here is considered a "failure" we should check with the prof. Anyways, its a good starting point.<br />
http://rosettacode.org/wiki/Race_condition<br />
<br />
Heres also a paper that goes back to 1992, which basically examines the excessive amount of expenses and resources used in older versions of the Unix system when implementing mutual exclusion. The paper goes to explain the problem and offers a better solution. Its pretty easy to follow and understand, worth reading as well.<br />
http://www.usenix.org/publications/library/proceedings/sa92/moran.pdf<br />
<br />
-- Munther<br />
<br />
----<br />
<br />
<br />
Hey Andrew here another member of this group. Those are some good starting points. The Wikipedia page on race conditions have references to a few good examples http://en.wikipedia.org/wiki/Race_condition<br />
<br />
Couple notable ones:<br />
<br />
The Therac-25 x-ray machine which killed a bunch of people http://courses.cs.vt.edu/~cs3604/lib/Therac_25/Side_bar_1.html<br />
<br />
A blackout in 2003 was caused by a race condition in one of the power company's alarm systems http://www.securityfocus.com/news/8412 (really awful block of text)<br />
<br />
--Andrew<br />
<br />
-----<br />
<br />
<br />
Alright, so the things that the prof mentioned in our last lecture proved to be super helpful. Basically, what he means by "systems", is any device based operating system. It doesn't necessarily has to be a PC-based operating system (Windows, Linux, etc.). So the Therac-25 story mentioned by Andrew in the above post is a prime example of the type of things we might be looking for.<br />
<br />
Other notable examples:<br />
<br />
1. The Opportunity Mars-Rover 1116 incident. (A rover is basically a space exploration vehicle designed to navigate the surface of a planet in order to gather images, samples or any possible information about that particular surface.). The rover experienced a rare unexpected error due to a race-conditions fault. For some reason, this seems to be a fairly common problem for those Mars-Rovers, since the same kind of error was experienced on the Spirit Mars-Rover as well. <br />
<br />
Heres an overview of the Opportunity 1116 incident from MarsToday : http://www.marstoday.com/news/viewsr.html?pid=23772<br />
<br />
Heres a paper that examines the race conditions experienced on those rovers, discuses the Spirit Rover incident and even goes to <br />
explain the underlying architecture of the rover hardware: http://trs-new.jpl.nasa.gov/dspace/bitstream/2014/39897/1/06-0922.pdf<br />
<br />
<br />
2. A file-system based type of race condition involves an older version of the Unix operating system, in which the user-mode can actually be bypassed, allowing the user to access the entire system. I can see this being considered an error or a case of failure as well. This actually may be a bit more approachable, as far as understanding the Unix kernel and stuff like that, I'm sure we can find a lot of resources for this.<br />
<br />
A small article exploring the issue: http://www.osdata.com/holistic/security/attacks/racecond.html<br />
<br />
- - - - - - - - - - -<br />
<br />
Heres also a paper that examines Race Conditions in depth, talks about the importance of mutual exclusion and provides a number of solutions :<br />
http://www.google.ca/url?sa=t&source=web&cd=4&ved=0CCoQFjAD&url=http%3A%2F%2Fciteseerx.ist.psu.edu%2Fviewdoc%2Fdownload%3Fdoi%3D10.1.1.1.5897%26rep%3Drep1%26type%3Dpdf&rct=j&q=race%20conditions%20case%20study%20steve%20carr%2010.1.1.1&ei=FTCtTOzRN8mVnAeL-OThDA&usg=AFQjCNHdyHdeFSpES0nMjzb7lPkFxKwC2g&sig2=u2Qo9kdemxdCWAlH10GNeQ<br />
<br />
Heres another paper from the ACM Portal: http://portal.acm.org/citation.cfm?id=130616.130623&coll=Portal&dl=GUIDE&CFID=104720795&CFTOKEN=13393160<br />
<br />
If anyone can't access the pdf files on the ACM Portal or even CiteSeer for that matter, you need to log in to the netwrk using your Carleton library account. Go to the following: http://portal.acm.org.proxy.library.carleton.ca<br />
You will be prompted to enter your Student ID card barcode number, thats the number below your name on your student ID. And the password is your CarletonCentral password.<br />
<br />
I think so far we have managed to gather a handful amount of cases. In the next couple of days, we should probably delve deeper into some of those cases.<br />
<br />
PS: If you wanna contact me, go to my profile in the history tab. Click on Hesperus.<br />
<br />
-- Munther<br />
<br />
--------------------<br />
<br />
Hey guys, I am Daniel. I am also in group 6 (Am i the final group member?). I'm ready to help get this show on the road! I am going to set up a basic essay structure on the other page so that we know what to aim for. You guys look like you've rounded up quite a bit of info on the subject already, great job!<br />
<br />
Introduction Paragraph: Introduces the question and gives some general background etc.<br />
Paragraph 1: Gives first example in detail<br />
Paragraph 2: Gives second example in detail<br />
Paragraph 3: Gives third example in detail<br />
Conclusion: Relates it all back together or something (never been good with conclusions) <br />
<br />
<br />
I think each example paragraph should be broken down like this:<br />
<br />
1. Introduction to the example<br />
2. What they tried to use the Multi-Threading to do (or something like that)<br />
3. Story of the system failing<br />
4. The significance/involvement of race condition and mutual exclusion in the failure<br />
5. Conclusion (how it was solved and stuff like that can go here too)<br />
<br />
-----<br />
<br />
<br />
Hey guys, I'm Fangchen. I am also in group 6. (So I might be the last member lol) <br />
I found a chapter of a book from sun, which name of the chapter is Race Conditions and<br />
Mutual Exclusion.There are some examples on race condition in Java programming which i think we could study for sure.<br />
<br />
The link of the book chapter is here.<br />
<br />
http://java.sun.com/developer/Books/performance2/chap3.pdf<br />
<br />
On page 2 of the pdf file, there is a first example of race condition. I think this might be useful in our essay as a case study.<br />
<br />
<br />
--Fangchen<br />
<br />
----<br />
My name is Julie and I believe that I am the last group member. Our professor said that every group has 5 to 6 members.<br />
It appears that we have quite the list of resources. Are we planning to use them all? It might be a good idea to list the resources we believe are the most relevant. <br />
<br />
Note: This link, http://www.osdata.com/holistic/security/attacks/racecond.html, is broken. <br />
<br />
I only have one resource to add. I found a paper that summarizes information about Therac-25 and the blackout of 2003: http://x4.6times7.org/downloads/software_catastrophes.pdf.<br />
<br />
4.1 Blackout (pg. 5 – 6)<br />
<br />
4.3 Therac-25 (pg. 7 – 8)<br />
<br />
I think we should agree on a thesis soon. Currently the examples in our essay are not connected by a central argument. If we have time, I think we should try to find another example (assuming we have agreed to write about Therac-25, the blackout of 2003 and the Mars rovers). Prof. Anil said that he was expecting four to five examples. Three examples is a minimum. I have been trying to search for one that is not as well known (as encouraged in class) but I have not had any luck.<br />
<br />
Are the series of Mars rovers (Opportunity and Spirit from 2004-2005) the most recent examples? I have not found any that are more recent so far. I wonder if systems programmers have learned from these past failures. I noticed, while searching for resources, that researchers have developed/are now developing tools and strategies to detect race conditions. <br />
<br />
Lastly, what is our plan on how divide the work for this essay? Also do we want to meet in person someday?<br />
<br />
--[[User:J powers|J powers]] 16:08, 9 October 2010 (UTC)<br />
<br />
One suggestion I have for dividing the work is for everyone to write a paragraph of the essay or about a specific disaster.<br />
--[[User:J powers|J powers]] 16:50, 9 October 2010 (UTC)<br />
<br />
-----<br />
<br />
Cool, its good to have the other members of the group on board. I will handle the editing and the introductory paragraph. I will try to make it as academic as possible. <br />
<br />
What Julie mentioned is right. The prof said that 3 examples are alright. But he's really looking for 4-5 cases. We need to impress him a little bit here. The other case he mentioned was the Blue-Screens-Of-Death incidents. I believe a mail man was killed because of that. I will try to find some information on that later on today. <br />
<br />
Also, if you guys wanna meet up a couple of days before the due date, thats ok by me. We can meet up in the Herzberg labs in the 4th floor, not the undergrad ones, the ones at the end of the hall. Or I can reserve a room for us in the library. Or if you just want to continue doing this online, I know that each one of us has probably a different schedule and everything.<br />
<br />
-- Munther<br />
<br />
----<br />
<br />
Alright, Seems we needed more than i originally thought :p so i tweaked the other page to have 5 of them instead of 3. I would absolutely like to meet up :D. Doing this online thing makes me feel wierd for some reason...<br />
<br />
But if we do meet up lets put all our discussion and decisions on the page here so it can get reviewed etc.<br />
<br />
If we are gonna meet up I would prefer Herzberg (not that it really matters, its just where i hang out anyways)<br />
<br />
Also is this due on tuesday or thursday?<br />
<br />
-- Daniel<br />
<br />
---<br />
Ok everyone write in here when you are available before the 14th<br />
<br />
Daniel: all day Monday, Tuesday, and Thursday<br />
Munther: --<br />
Fangchen: --<br />
Andrew: After 12:30 Tues-Wed-Thurs<br />
Julie: Tuesday after 2:30, and Wednesday/Thursday after 1:00[[User:J powers|J powers]] 19:32, 10 October 2010 (UTC)<br />
<br />
----<br />
<br />
Hey Everyone. Awesome looks like we have a lot of information and resources here to work from. Daniels template structure looks good and we should follow that. We should come up with a plan for executing this, what topics we want to cover and who would like to focus on what. I think the 3 big examples we've found lots of resources for are the Therac-25, Mars Rover and the Blackout. The professor mentioned he'd like to see some more exotic examples lets try and find some for examples 4/5.<br />
<br />
Layout we can build on.<br />
<br />
<br />
Introduction<br />
<br />
Therac-25<br />
<br />
Mars Rover<br />
<br />
Blackout<br />
<br />
Example 4<br />
<br />
Example 5<br />
<br />
Conclusion<br />
<br />
<br />
I'm going to try and read up a bit more on the Therac-25 and put in a few paragraphs today.<br />
<br />
--Andrew (Edit: Forgot to sign)<br />
----<br />
I do not mind which topic I write about but I feel a personal connection with the blackout. My hometown was affected for a long time and there were concerns about chemical plants nearby. Therefore I have an interest in writing/researching about it.<br />
<br />
Has the group member above (Could you please put your name? Was it Andrew?) decided on Therac-25 then? <br />
<br />
Also I have noticed that everyone has not been using 4 tildes. I am not sure if this how the professor knows who wrote what but it would not hurt to use it (Less to type as well). <br />
<br />
Any ideas on a deadline for all of our writing?<br />
--[[User:J powers|J powers]] 21:05, 10 October 2010 (UTC)</div>Atubmanhttps://homeostasis.scs.carleton.ca/wiki/index.php?title=Talk:COMP_3000_Essay_1_2010_Question_6&diff=2846Talk:COMP 3000 Essay 1 2010 Question 62010-10-10T20:24:23Z<p>Atubman: </p>
<hr />
<div>Hey guys, this is Munther. I'm one of the members of the group assigned to this question. Before we start, let me just say that since this is a collective piece of work thats supposed to include contributions from each member of the group, let us all assume the role of the editor. So we will all contribute and help edit the final version of the article.<br />
<br />
Regarding our question. As a starting point, I figured it would be appropriate to start defining what mutual exclusion (mutex) and race conditions mean. Lets start with race conditions, since mutual exclusion basically came to life because of the need to control race conditions.<br />
<br />
Race conditions: situations where one or more processes are trying to write, read or access the same piece of data, and the final result depends on who runs precisely when. Look at the text book in pages 117-118 for a detailed example of that.<br />
<br />
Mutual exclusion (mutex): the idea of making sure that processes access data in a serialized way. Meaning that, if process A for instance, happens to be executing or using a particular data structure (called a critical section), then no other process like B would be allowed to execute or use that very same data structure (critical section) until process A finishes executing or decides to leave the data structure. Common algorithms and techniques used in mutual exclusion include: locks, semaphores and monitors.<br />
<br />
Our question asks for examples of systems that have failed due to flawed efforts. For starters, this is a wiki-programming page (Rosetta code) that examines race conditions and offers an example from the Unix/Linux operating systems, whether the example mentioned here is considered a "failure" we should check with the prof. Anyways, its a good starting point.<br />
http://rosettacode.org/wiki/Race_condition<br />
<br />
Heres also a paper that goes back to 1992, which basically examines the excessive amount of expenses and resources used in older versions of the Unix system when implementing mutual exclusion. The paper goes to explain the problem and offers a better solution. Its pretty easy to follow and understand, worth reading as well.<br />
http://www.usenix.org/publications/library/proceedings/sa92/moran.pdf<br />
<br />
-- Munther<br />
<br />
----<br />
<br />
<br />
Hey Andrew here another member of this group. Those are some good starting points. The Wikipedia page on race conditions have references to a few good examples http://en.wikipedia.org/wiki/Race_condition<br />
<br />
Couple notable ones:<br />
<br />
The Therac-25 x-ray machine which killed a bunch of people http://courses.cs.vt.edu/~cs3604/lib/Therac_25/Side_bar_1.html<br />
<br />
A blackout in 2003 was caused by a race condition in one of the power company's alarm systems http://www.securityfocus.com/news/8412 (really awful block of text)<br />
<br />
--Andrew<br />
<br />
-----<br />
<br />
<br />
Alright, so the things that the prof mentioned in our last lecture proved to be super helpful. Basically, what he means by "systems", is any device based operating system. It doesn't necessarily has to be a PC-based operating system (Windows, Linux, etc.). So the Therac-25 story mentioned by Andrew in the above post is a prime example of the type of things we might be looking for.<br />
<br />
Other notable examples:<br />
<br />
1. The Opportunity Mars-Rover 1116 incident. (A rover is basically a space exploration vehicle designed to navigate the surface of a planet in order to gather images, samples or any possible information about that particular surface.). The rover experienced a rare unexpected error due to a race-conditions fault. For some reason, this seems to be a fairly common problem for those Mars-Rovers, since the same kind of error was experienced on the Spirit Mars-Rover as well. <br />
<br />
Heres an overview of the Opportunity 1116 incident from MarsToday : http://www.marstoday.com/news/viewsr.html?pid=23772<br />
<br />
Heres a paper that examines the race conditions experienced on those rovers, discuses the Spirit Rover incident and even goes to <br />
explain the underlying architecture of the rover hardware: http://trs-new.jpl.nasa.gov/dspace/bitstream/2014/39897/1/06-0922.pdf<br />
<br />
<br />
2. A file-system based type of race condition involves an older version of the Unix operating system, in which the user-mode can actually be bypassed, allowing the user to access the entire system. I can see this being considered an error or a case of failure as well. This actually may be a bit more approachable, as far as understanding the Unix kernel and stuff like that, I'm sure we can find a lot of resources for this.<br />
<br />
A small article exploring the issue: http://www.osdata.com/holistic/security/attacks/racecond.html<br />
<br />
- - - - - - - - - - -<br />
<br />
Heres also a paper that examines Race Conditions in depth, talks about the importance of mutual exclusion and provides a number of solutions :<br />
http://www.google.ca/url?sa=t&source=web&cd=4&ved=0CCoQFjAD&url=http%3A%2F%2Fciteseerx.ist.psu.edu%2Fviewdoc%2Fdownload%3Fdoi%3D10.1.1.1.5897%26rep%3Drep1%26type%3Dpdf&rct=j&q=race%20conditions%20case%20study%20steve%20carr%2010.1.1.1&ei=FTCtTOzRN8mVnAeL-OThDA&usg=AFQjCNHdyHdeFSpES0nMjzb7lPkFxKwC2g&sig2=u2Qo9kdemxdCWAlH10GNeQ<br />
<br />
Heres another paper from the ACM Portal: http://portal.acm.org/citation.cfm?id=130616.130623&coll=Portal&dl=GUIDE&CFID=104720795&CFTOKEN=13393160<br />
<br />
If anyone can't access the pdf files on the ACM Portal or even CiteSeer for that matter, you need to log in to the netwrk using your Carleton library account. Go to the following: http://portal.acm.org.proxy.library.carleton.ca<br />
You will be prompted to enter your Student ID card barcode number, thats the number below your name on your student ID. And the password is your CarletonCentral password.<br />
<br />
I think so far we have managed to gather a handful amount of cases. In the next couple of days, we should probably delve deeper into some of those cases.<br />
<br />
PS: If you wanna contact me, go to my profile in the history tab. Click on Hesperus.<br />
<br />
-- Munther<br />
<br />
--------------------<br />
<br />
Hey guys, I am Daniel. I am also in group 6 (Am i the final group member?). I'm ready to help get this show on the road! I am going to set up a basic essay structure on the other page so that we know what to aim for. You guys look like you've rounded up quite a bit of info on the subject already, great job!<br />
<br />
Introduction Paragraph: Introduces the question and gives some general background etc.<br />
Paragraph 1: Gives first example in detail<br />
Paragraph 2: Gives second example in detail<br />
Paragraph 3: Gives third example in detail<br />
Conclusion: Relates it all back together or something (never been good with conclusions) <br />
<br />
<br />
I think each example paragraph should be broken down like this:<br />
<br />
1. Introduction to the example<br />
2. What they tried to use the Multi-Threading to do (or something like that)<br />
3. Story of the system failing<br />
4. The significance/involvement of race condition and mutual exclusion in the failure<br />
5. Conclusion (how it was solved and stuff like that can go here too)<br />
<br />
-----<br />
<br />
<br />
Hey guys, I'm Fangchen. I am also in group 6. (So I might be the last member lol) <br />
I found a chapter of a book from sun, which name of the chapter is Race Conditions and<br />
Mutual Exclusion.There are some examples on race condition in Java programming which i think we could study for sure.<br />
<br />
The link of the book chapter is here.<br />
<br />
http://java.sun.com/developer/Books/performance2/chap3.pdf<br />
<br />
On page 2 of the pdf file, there is a first example of race condition. I think this might be useful in our essay as a case study.<br />
<br />
<br />
--Fangchen<br />
<br />
----<br />
My name is Julie and I believe that I am the last group member. Our professor said that every group has 5 to 6 members.<br />
It appears that we have quite the list of resources. Are we planning to use them all? It might be a good idea to list the resources we believe are the most relevant. <br />
<br />
Note: This link, http://www.osdata.com/holistic/security/attacks/racecond.html, is broken. <br />
<br />
I only have one resource to add. I found a paper that summarizes information about Therac-25 and the blackout of 2003: http://x4.6times7.org/downloads/software_catastrophes.pdf.<br />
<br />
4.1 Blackout (pg. 5 – 6)<br />
<br />
4.3 Therac-25 (pg. 7 – 8)<br />
<br />
I think we should agree on a thesis soon. Currently the examples in our essay are not connected by a central argument. If we have time, I think we should try to find another example (assuming we have agreed to write about Therac-25, the blackout of 2003 and the Mars rovers). Prof. Anil said that he was expecting four to five examples. Three examples is a minimum. I have been trying to search for one that is not as well known (as encouraged in class) but I have not had any luck.<br />
<br />
Are the series of Mars rovers (Opportunity and Spirit from 2004-2005) the most recent examples? I have not found any that are more recent so far. I wonder if systems programmers have learned from these past failures. I noticed, while searching for resources, that researchers have developed/are now developing tools and strategies to detect race conditions. <br />
<br />
Lastly, what is our plan on how divide the work for this essay? Also do we want to meet in person someday?<br />
<br />
--[[User:J powers|J powers]] 16:08, 9 October 2010 (UTC)<br />
<br />
One suggestion I have for dividing the work is for everyone to write a paragraph of the essay or about a specific disaster.<br />
--[[User:J powers|J powers]] 16:50, 9 October 2010 (UTC)<br />
<br />
-----<br />
<br />
Cool, its good to have the other members of the group on board. I will handle the editing and the introductory paragraph. I will try to make it as academic as possible. <br />
<br />
What Julie mentioned is right. The prof said that 3 examples are alright. But he's really looking for 4-5 cases. We need to impress him a little bit here. The other case he mentioned was the Blue-Screens-Of-Death incidents. I believe a mail man was killed because of that. I will try to find some information on that later on today. <br />
<br />
Also, if you guys wanna meet up a couple of days before the due date, thats ok by me. We can meet up in the Herzberg labs in the 4th floor, not the undergrad ones, the ones at the end of the hall. Or I can reserve a room for us in the library. Or if you just want to continue doing this online, I know that each one of us has probably a different schedule and everything.<br />
<br />
-- Munther<br />
<br />
----<br />
<br />
Alright, Seems we needed more than i originally thought :p so i tweaked the other page to have 5 of them instead of 3. I would absolutely like to meet up :D. Doing this online thing makes me feel wierd for some reason...<br />
<br />
But if we do meet up lets put all our discussion and decisions on the page here so it can get reviewed etc.<br />
<br />
If we are gonna meet up I would prefer Herzberg (not that it really matters, its just where i hang out anyways)<br />
<br />
Also is this due on tuesday or thursday?<br />
<br />
-- Daniel<br />
<br />
---<br />
Ok everyone write in here when you are available before the 14th<br />
<br />
Daniel: all day Monday, Tuesday, and Thursday<br />
Munther: --<br />
Fangchen: --<br />
Andrew: After 12:30 Tues-Wed-Thurs<br />
Julie: Tuesday after 2:30, Wednesday after 1:00, and Thursday after 1:00 [[User:J powers|J powers]] 19:32, 10 October 2010 (UTC)<br />
<br />
----<br />
<br />
Hey Everyone. Awesome looks like we have a lot of information and resources here to work from. Daniels template structure looks good and we should follow that. We should come up with a plan for executing this, what topics we want to cover and who would like to focus on what. I think the 3 big examples we've found lots of resources for are the Therac-25, Mars Rover and the Blackout. The professor mentioned he'd like to see some more exotic examples lets try and find some for examples 4/5.<br />
<br />
Layout we can build on.<br />
<br />
<br />
Introduction<br />
<br />
Therac-25<br />
<br />
Mars Rover<br />
Blackout<br />
<br />
Example 4<br />
<br />
Example 5<br />
<br />
Conclusion<br />
<br />
<br />
I'm going to try and read up a bit more on the Therac-25 and put in a few paragraphs today.</div>Atubmanhttps://homeostasis.scs.carleton.ca/wiki/index.php?title=Talk:COMP_3000_Essay_1_2010_Question_6&diff=2845Talk:COMP 3000 Essay 1 2010 Question 62010-10-10T20:23:54Z<p>Atubman: </p>
<hr />
<div>Hey guys, this is Munther. I'm one of the members of the group assigned to this question. Before we start, let me just say that since this is a collective piece of work thats supposed to include contributions from each member of the group, let us all assume the role of the editor. So we will all contribute and help edit the final version of the article.<br />
<br />
Regarding our question. As a starting point, I figured it would be appropriate to start defining what mutual exclusion (mutex) and race conditions mean. Lets start with race conditions, since mutual exclusion basically came to life because of the need to control race conditions.<br />
<br />
Race conditions: situations where one or more processes are trying to write, read or access the same piece of data, and the final result depends on who runs precisely when. Look at the text book in pages 117-118 for a detailed example of that.<br />
<br />
Mutual exclusion (mutex): the idea of making sure that processes access data in a serialized way. Meaning that, if process A for instance, happens to be executing or using a particular data structure (called a critical section), then no other process like B would be allowed to execute or use that very same data structure (critical section) until process A finishes executing or decides to leave the data structure. Common algorithms and techniques used in mutual exclusion include: locks, semaphores and monitors.<br />
<br />
Our question asks for examples of systems that have failed due to flawed efforts. For starters, this is a wiki-programming page (Rosetta code) that examines race conditions and offers an example from the Unix/Linux operating systems, whether the example mentioned here is considered a "failure" we should check with the prof. Anyways, its a good starting point.<br />
http://rosettacode.org/wiki/Race_condition<br />
<br />
Heres also a paper that goes back to 1992, which basically examines the excessive amount of expenses and resources used in older versions of the Unix system when implementing mutual exclusion. The paper goes to explain the problem and offers a better solution. Its pretty easy to follow and understand, worth reading as well.<br />
http://www.usenix.org/publications/library/proceedings/sa92/moran.pdf<br />
<br />
-- Munther<br />
<br />
----<br />
<br />
<br />
Hey Andrew here another member of this group. Those are some good starting points. The Wikipedia page on race conditions have references to a few good examples http://en.wikipedia.org/wiki/Race_condition<br />
<br />
Couple notable ones:<br />
<br />
The Therac-25 x-ray machine which killed a bunch of people http://courses.cs.vt.edu/~cs3604/lib/Therac_25/Side_bar_1.html<br />
<br />
A blackout in 2003 was caused by a race condition in one of the power company's alarm systems http://www.securityfocus.com/news/8412 (really awful block of text)<br />
<br />
--Andrew<br />
<br />
-----<br />
<br />
<br />
Alright, so the things that the prof mentioned in our last lecture proved to be super helpful. Basically, what he means by "systems", is any device based operating system. It doesn't necessarily has to be a PC-based operating system (Windows, Linux, etc.). So the Therac-25 story mentioned by Andrew in the above post is a prime example of the type of things we might be looking for.<br />
<br />
Other notable examples:<br />
<br />
1. The Opportunity Mars-Rover 1116 incident. (A rover is basically a space exploration vehicle designed to navigate the surface of a planet in order to gather images, samples or any possible information about that particular surface.). The rover experienced a rare unexpected error due to a race-conditions fault. For some reason, this seems to be a fairly common problem for those Mars-Rovers, since the same kind of error was experienced on the Spirit Mars-Rover as well. <br />
<br />
Heres an overview of the Opportunity 1116 incident from MarsToday : http://www.marstoday.com/news/viewsr.html?pid=23772<br />
<br />
Heres a paper that examines the race conditions experienced on those rovers, discuses the Spirit Rover incident and even goes to <br />
explain the underlying architecture of the rover hardware: http://trs-new.jpl.nasa.gov/dspace/bitstream/2014/39897/1/06-0922.pdf<br />
<br />
<br />
2. A file-system based type of race condition involves an older version of the Unix operating system, in which the user-mode can actually be bypassed, allowing the user to access the entire system. I can see this being considered an error or a case of failure as well. This actually may be a bit more approachable, as far as understanding the Unix kernel and stuff like that, I'm sure we can find a lot of resources for this.<br />
<br />
A small article exploring the issue: http://www.osdata.com/holistic/security/attacks/racecond.html<br />
<br />
- - - - - - - - - - -<br />
<br />
Heres also a paper that examines Race Conditions in depth, talks about the importance of mutual exclusion and provides a number of solutions :<br />
http://www.google.ca/url?sa=t&source=web&cd=4&ved=0CCoQFjAD&url=http%3A%2F%2Fciteseerx.ist.psu.edu%2Fviewdoc%2Fdownload%3Fdoi%3D10.1.1.1.5897%26rep%3Drep1%26type%3Dpdf&rct=j&q=race%20conditions%20case%20study%20steve%20carr%2010.1.1.1&ei=FTCtTOzRN8mVnAeL-OThDA&usg=AFQjCNHdyHdeFSpES0nMjzb7lPkFxKwC2g&sig2=u2Qo9kdemxdCWAlH10GNeQ<br />
<br />
Heres another paper from the ACM Portal: http://portal.acm.org/citation.cfm?id=130616.130623&coll=Portal&dl=GUIDE&CFID=104720795&CFTOKEN=13393160<br />
<br />
If anyone can't access the pdf files on the ACM Portal or even CiteSeer for that matter, you need to log in to the netwrk using your Carleton library account. Go to the following: http://portal.acm.org.proxy.library.carleton.ca<br />
You will be prompted to enter your Student ID card barcode number, thats the number below your name on your student ID. And the password is your CarletonCentral password.<br />
<br />
I think so far we have managed to gather a handful amount of cases. In the next couple of days, we should probably delve deeper into some of those cases.<br />
<br />
PS: If you wanna contact me, go to my profile in the history tab. Click on Hesperus.<br />
<br />
-- Munther<br />
<br />
--------------------<br />
<br />
Hey guys, I am Daniel. I am also in group 6 (Am i the final group member?). I'm ready to help get this show on the road! I am going to set up a basic essay structure on the other page so that we know what to aim for. You guys look like you've rounded up quite a bit of info on the subject already, great job!<br />
<br />
Introduction Paragraph: Introduces the question and gives some general background etc.<br />
Paragraph 1: Gives first example in detail<br />
Paragraph 2: Gives second example in detail<br />
Paragraph 3: Gives third example in detail<br />
Conclusion: Relates it all back together or something (never been good with conclusions) <br />
<br />
<br />
I think each example paragraph should be broken down like this:<br />
<br />
1. Introduction to the example<br />
2. What they tried to use the Multi-Threading to do (or something like that)<br />
3. Story of the system failing<br />
4. The significance/involvement of race condition and mutual exclusion in the failure<br />
5. Conclusion (how it was solved and stuff like that can go here too)<br />
<br />
-----<br />
<br />
<br />
Hey guys, I'm Fangchen. I am also in group 6. (So I might be the last member lol) <br />
I found a chapter of a book from sun, which name of the chapter is Race Conditions and<br />
Mutual Exclusion.There are some examples on race condition in Java programming which i think we could study for sure.<br />
<br />
The link of the book chapter is here.<br />
<br />
http://java.sun.com/developer/Books/performance2/chap3.pdf<br />
<br />
On page 2 of the pdf file, there is a first example of race condition. I think this might be useful in our essay as a case study.<br />
<br />
<br />
--Fangchen<br />
<br />
----<br />
My name is Julie and I believe that I am the last group member. Our professor said that every group has 5 to 6 members.<br />
It appears that we have quite the list of resources. Are we planning to use them all? It might be a good idea to list the resources we believe are the most relevant. <br />
<br />
Note: This link, http://www.osdata.com/holistic/security/attacks/racecond.html, is broken. <br />
<br />
I only have one resource to add. I found a paper that summarizes information about Therac-25 and the blackout of 2003: http://x4.6times7.org/downloads/software_catastrophes.pdf.<br />
<br />
4.1 Blackout (pg. 5 – 6)<br />
<br />
4.3 Therac-25 (pg. 7 – 8)<br />
<br />
I think we should agree on a thesis soon. Currently the examples in our essay are not connected by a central argument. If we have time, I think we should try to find another example (assuming we have agreed to write about Therac-25, the blackout of 2003 and the Mars rovers). Prof. Anil said that he was expecting four to five examples. Three examples is a minimum. I have been trying to search for one that is not as well known (as encouraged in class) but I have not had any luck.<br />
<br />
Are the series of Mars rovers (Opportunity and Spirit from 2004-2005) the most recent examples? I have not found any that are more recent so far. I wonder if systems programmers have learned from these past failures. I noticed, while searching for resources, that researchers have developed/are now developing tools and strategies to detect race conditions. <br />
<br />
Lastly, what is our plan on how divide the work for this essay? Also do we want to meet in person someday?<br />
<br />
--[[User:J powers|J powers]] 16:08, 9 October 2010 (UTC)<br />
<br />
One suggestion I have for dividing the work is for everyone to write a paragraph of the essay or about a specific disaster.<br />
--[[User:J powers|J powers]] 16:50, 9 October 2010 (UTC)<br />
<br />
-----<br />
<br />
Cool, its good to have the other members of the group on board. I will handle the editing and the introductory paragraph. I will try to make it as academic as possible. <br />
<br />
What Julie mentioned is right. The prof said that 3 examples are alright. But he's really looking for 4-5 cases. We need to impress him a little bit here. The other case he mentioned was the Blue-Screens-Of-Death incidents. I believe a mail man was killed because of that. I will try to find some information on that later on today. <br />
<br />
Also, if you guys wanna meet up a couple of days before the due date, thats ok by me. We can meet up in the Herzberg labs in the 4th floor, not the undergrad ones, the ones at the end of the hall. Or I can reserve a room for us in the library. Or if you just want to continue doing this online, I know that each one of us has probably a different schedule and everything.<br />
<br />
-- Munther<br />
<br />
----<br />
<br />
Alright, Seems we needed more than i originally thought :p so i tweaked the other page to have 5 of them instead of 3. I would absolutely like to meet up :D. Doing this online thing makes me feel wierd for some reason...<br />
<br />
But if we do meet up lets put all our discussion and decisions on the page here so it can get reviewed etc.<br />
<br />
If we are gonna meet up I would prefer Herzberg (not that it really matters, its just where i hang out anyways)<br />
<br />
Also is this due on tuesday or thursday?<br />
<br />
-- Daniel<br />
<br />
---<br />
Ok everyone write in here when you are available before the 14th<br />
<br />
Daniel: all day Monday, Tuesday, and Thursday<br />
Munther: --<br />
Fangchen: --<br />
Andrew: After 12:30 Tues-Wed-Thurs<br />
Julie: Tuesday after 2:30, Wednesday after 1:00, and Thursday after 1:00 [[User:J powers|J powers]] 19:32, 10 October 2010 (UTC)<br />
<br />
----<br />
<br />
Hey Everyone. Awesome looks like we have a lot of information and resources here to work from. Daniels template structure looks good and we should follow that. We should come up with a plan for executing this, what topics we want to cover and who would like to focus on what. I think the 3 big examples we've found lots of resources for are the Therac-25, Mars Rover and the Blackout. The professor mentioned he'd like to see some more exotic examples lets try and find some for examples 4/5.<br />
<br />
Layout we can build on.<br />
<br />
Introduction<br />
Therac-25<br />
Mars Rover<br />
Blackout<br />
Example 4<br />
Example 5<br />
Conclusion<br />
<br />
I'm going to try and read up a bit more on the Therac-25 and put in a few paragraphs today.</div>Atubmanhttps://homeostasis.scs.carleton.ca/wiki/index.php?title=Talk:COMP_3000_Essay_1_2010_Question_6&diff=2844Talk:COMP 3000 Essay 1 2010 Question 62010-10-10T20:08:04Z<p>Atubman: </p>
<hr />
<div>Hey guys, this is Munther. I'm one of the members of the group assigned to this question. Before we start, let me just say that since this is a collective piece of work thats supposed to include contributions from each member of the group, let us all assume the role of the editor. So we will all contribute and help edit the final version of the article.<br />
<br />
Regarding our question. As a starting point, I figured it would be appropriate to start defining what mutual exclusion (mutex) and race conditions mean. Lets start with race conditions, since mutual exclusion basically came to life because of the need to control race conditions.<br />
<br />
Race conditions: situations where one or more processes are trying to write, read or access the same piece of data, and the final result depends on who runs precisely when. Look at the text book in pages 117-118 for a detailed example of that.<br />
<br />
Mutual exclusion (mutex): the idea of making sure that processes access data in a serialized way. Meaning that, if process A for instance, happens to be executing or using a particular data structure (called a critical section), then no other process like B would be allowed to execute or use that very same data structure (critical section) until process A finishes executing or decides to leave the data structure. Common algorithms and techniques used in mutual exclusion include: locks, semaphores and monitors.<br />
<br />
Our question asks for examples of systems that have failed due to flawed efforts. For starters, this is a wiki-programming page (Rosetta code) that examines race conditions and offers an example from the Unix/Linux operating systems, whether the example mentioned here is considered a "failure" we should check with the prof. Anyways, its a good starting point.<br />
http://rosettacode.org/wiki/Race_condition<br />
<br />
Heres also a paper that goes back to 1992, which basically examines the excessive amount of expenses and resources used in older versions of the Unix system when implementing mutual exclusion. The paper goes to explain the problem and offers a better solution. Its pretty easy to follow and understand, worth reading as well.<br />
http://www.usenix.org/publications/library/proceedings/sa92/moran.pdf<br />
<br />
-- Munther<br />
<br />
----<br />
<br />
<br />
Hey Andrew here another member of this group. Those are some good starting points. The Wikipedia page on race conditions have references to a few good examples http://en.wikipedia.org/wiki/Race_condition<br />
<br />
Couple notable ones:<br />
<br />
The Therac-25 x-ray machine which killed a bunch of people http://courses.cs.vt.edu/~cs3604/lib/Therac_25/Side_bar_1.html<br />
<br />
A blackout in 2003 was caused by a race condition in one of the power company's alarm systems http://www.securityfocus.com/news/8412 (really awful block of text)<br />
<br />
--Andrew<br />
<br />
-----<br />
<br />
<br />
Alright, so the things that the prof mentioned in our last lecture proved to be super helpful. Basically, what he means by "systems", is any device based operating system. It doesn't necessarily has to be a PC-based operating system (Windows, Linux, etc.). So the Therac-25 story mentioned by Andrew in the above post is a prime example of the type of things we might be looking for.<br />
<br />
Other notable examples:<br />
<br />
1. The Opportunity Mars-Rover 1116 incident. (A rover is basically a space exploration vehicle designed to navigate the surface of a planet in order to gather images, samples or any possible information about that particular surface.). The rover experienced a rare unexpected error due to a race-conditions fault. For some reason, this seems to be a fairly common problem for those Mars-Rovers, since the same kind of error was experienced on the Spirit Mars-Rover as well. <br />
<br />
Heres an overview of the Opportunity 1116 incident from MarsToday : http://www.marstoday.com/news/viewsr.html?pid=23772<br />
<br />
Heres a paper that examines the race conditions experienced on those rovers, discuses the Spirit Rover incident and even goes to <br />
explain the underlying architecture of the rover hardware: http://trs-new.jpl.nasa.gov/dspace/bitstream/2014/39897/1/06-0922.pdf<br />
<br />
<br />
2. A file-system based type of race condition involves an older version of the Unix operating system, in which the user-mode can actually be bypassed, allowing the user to access the entire system. I can see this being considered an error or a case of failure as well. This actually may be a bit more approachable, as far as understanding the Unix kernel and stuff like that, I'm sure we can find a lot of resources for this.<br />
<br />
A small article exploring the issue: http://www.osdata.com/holistic/security/attacks/racecond.html<br />
<br />
- - - - - - - - - - -<br />
<br />
Heres also a paper that examines Race Conditions in depth, talks about the importance of mutual exclusion and provides a number of solutions :<br />
http://www.google.ca/url?sa=t&source=web&cd=4&ved=0CCoQFjAD&url=http%3A%2F%2Fciteseerx.ist.psu.edu%2Fviewdoc%2Fdownload%3Fdoi%3D10.1.1.1.5897%26rep%3Drep1%26type%3Dpdf&rct=j&q=race%20conditions%20case%20study%20steve%20carr%2010.1.1.1&ei=FTCtTOzRN8mVnAeL-OThDA&usg=AFQjCNHdyHdeFSpES0nMjzb7lPkFxKwC2g&sig2=u2Qo9kdemxdCWAlH10GNeQ<br />
<br />
Heres another paper from the ACM Portal: http://portal.acm.org/citation.cfm?id=130616.130623&coll=Portal&dl=GUIDE&CFID=104720795&CFTOKEN=13393160<br />
<br />
If anyone can't access the pdf files on the ACM Portal or even CiteSeer for that matter, you need to log in to the netwrk using your Carleton library account. Go to the following: http://portal.acm.org.proxy.library.carleton.ca<br />
You will be prompted to enter your Student ID card barcode number, thats the number below your name on your student ID. And the password is your CarletonCentral password.<br />
<br />
I think so far we have managed to gather a handful amount of cases. In the next couple of days, we should probably delve deeper into some of those cases.<br />
<br />
PS: If you wanna contact me, go to my profile in the history tab. Click on Hesperus.<br />
<br />
-- Munther<br />
<br />
--------------------<br />
<br />
Hey guys, I am Daniel. I am also in group 6 (Am i the final group member?). I'm ready to help get this show on the road! I am going to set up a basic essay structure on the other page so that we know what to aim for. You guys look like you've rounded up quite a bit of info on the subject already, great job!<br />
<br />
Introduction Paragraph: Introduces the question and gives some general background etc.<br />
Paragraph 1: Gives first example in detail<br />
Paragraph 2: Gives second example in detail<br />
Paragraph 3: Gives third example in detail<br />
Conclusion: Relates it all back together or something (never been good with conclusions) <br />
<br />
<br />
I think each example paragraph should be broken down like this:<br />
<br />
1. Introduction to the example<br />
2. What they tried to use the Multi-Threading to do (or something like that)<br />
3. Story of the system failing<br />
4. The significance/involvement of race condition and mutual exclusion in the failure<br />
5. Conclusion (how it was solved and stuff like that can go here too)<br />
<br />
-----<br />
<br />
<br />
Hey guys, I'm Fangchen. I am also in group 6. (So I might be the last member lol) <br />
I found a chapter of a book from sun, which name of the chapter is Race Conditions and<br />
Mutual Exclusion.There are some examples on race condition in Java programming which i think we could study for sure.<br />
<br />
The link of the book chapter is here.<br />
<br />
http://java.sun.com/developer/Books/performance2/chap3.pdf<br />
<br />
On page 2 of the pdf file, there is a first example of race condition. I think this might be useful in our essay as a case study.<br />
<br />
<br />
--Fangchen<br />
<br />
----<br />
My name is Julie and I believe that I am the last group member. Our professor said that every group has 5 to 6 members.<br />
It appears that we have quite the list of resources. Are we planning to use them all? It might be a good idea to list the resources we believe are the most relevant. <br />
<br />
Note: This link, http://www.osdata.com/holistic/security/attacks/racecond.html, is broken. <br />
<br />
I only have one resource to add. I found a paper that summarizes information about Therac-25 and the blackout of 2003: http://x4.6times7.org/downloads/software_catastrophes.pdf.<br />
<br />
4.1 Blackout (pg. 5 – 6)<br />
<br />
4.3 Therac-25 (pg. 7 – 8)<br />
<br />
I think we should agree on a thesis soon. Currently the examples in our essay are not connected by a central argument. If we have time, I think we should try to find another example (assuming we have agreed to write about Therac-25, the blackout of 2003 and the Mars rovers). Prof. Anil said that he was expecting four to five examples. Three examples is a minimum. I have been trying to search for one that is not as well known (as encouraged in class) but I have not had any luck.<br />
<br />
Are the series of Mars rovers (Opportunity and Spirit from 2004-2005) the most recent examples? I have not found any that are more recent so far. I wonder if systems programmers have learned from these past failures. I noticed, while searching for resources, that researchers have developed/are now developing tools and strategies to detect race conditions. <br />
<br />
Lastly, what is our plan on how divide the work for this essay? Also do we want to meet in person someday?<br />
<br />
--[[User:J powers|J powers]] 16:08, 9 October 2010 (UTC)<br />
<br />
One suggestion I have for dividing the work is for everyone to write a paragraph of the essay or about a specific disaster.<br />
--[[User:J powers|J powers]] 16:50, 9 October 2010 (UTC)<br />
<br />
-----<br />
<br />
Cool, its good to have the other members of the group on board. I will handle the editing and the introductory paragraph. I will try to make it as academic as possible. <br />
<br />
What Julie mentioned is right. The prof said that 3 examples are alright. But he's really looking for 4-5 cases. We need to impress him a little bit here. The other case he mentioned was the Blue-Screens-Of-Death incidents. I believe a mail man was killed because of that. I will try to find some information on that later on today. <br />
<br />
Also, if you guys wanna meet up a couple of days before the due date, thats ok by me. We can meet up in the Herzberg labs in the 4th floor, not the undergrad ones, the ones at the end of the hall. Or I can reserve a room for us in the library. Or if you just want to continue doing this online, I know that each one of us has probably a different schedule and everything.<br />
<br />
-- Munther<br />
<br />
----<br />
<br />
Alright, Seems we needed more than i originally thought :p so i tweaked the other page to have 5 of them instead of 3. I would absolutely like to meet up :D. Doing this online thing makes me feel wierd for some reason...<br />
<br />
But if we do meet up lets put all our discussion and decisions on the page here so it can get reviewed etc.<br />
<br />
If we are gonna meet up I would prefer Herzberg (not that it really matters, its just where i hang out anyways)<br />
<br />
Also is this due on tuesday or thursday?<br />
<br />
-- Daniel<br />
<br />
---<br />
Ok everyone write in here when you are available before the 14th<br />
<br />
Daniel: all day Monday, Tuesday, and Thursday<br />
Munther: --<br />
Fangchen: --<br />
Andrew: After 12:30 Tues-Wed-Thurs<br />
Julie: Tuesday after 2:30, Wednesday after 1:00, and Thursday after 1:00 [[User:J powers|J powers]] 19:32, 10 October 2010 (UTC)</div>Atubmanhttps://homeostasis.scs.carleton.ca/wiki/index.php?title=Talk:COMP_3000_Essay_1_2010_Question_6&diff=2324Talk:COMP 3000 Essay 1 2010 Question 62010-10-04T20:04:06Z<p>Atubman: </p>
<hr />
<div>Hey guys, this is Munther. I'm one of the members of the group assigned to this question. Before we start, let me just say that since this is a collective piece of work thats supposed to include contributions from each member of the group, let us all assume the role of the editor. So we will all contribute and help edit the final version of the article.<br />
<br />
Regarding our question. As a starting point, I figured it would be appropriate to start defining what mutual exclusion (mutex) and race conditions mean. Lets start with race conditions, since mutual exclusion basically came to life because of the need to control race conditions.<br />
<br />
Race conditions: situations where one or more processes are trying to write, read or access the same piece of data, and the final result depends on who runs precisely when. Look at the text book in pages 117-118 for a detailed example of that.<br />
<br />
Mutual exclusion (mutex): the idea of making sure that processes access data in a serialized way. Meaning that, if process A for instance, happens to be executing or using a particular data structure (called a critical section), then no other process like B would be allowed to execute or use that very same data structure (critical section) until process A finishes executing or decides to leave the data structure. Common algorithms and techniques used in mutual exclusion include: locks, semaphores and monitors.<br />
<br />
Our question asks for examples of systems that have failed due to flawed efforts. For starters, this is a wiki-programming page (Rosetta code) that examines race conditions and offers an example from the Unix/Linux operating systems, whether the example mentioned here is considered a "failure" we should check with the prof. Anyways, its a good starting point.<br />
http://rosettacode.org/wiki/Race_condition<br />
<br />
Heres also a paper that goes back to 1992, which basically examines the excessive amount of expenses and resources used in older versions of the Unix system when implementing mutual exclusion. The paper goes to explain the problem and offers a better solution. Its pretty easy to follow and understand, worth reading as well.<br />
http://www.usenix.org/publications/library/proceedings/sa92/moran.pdf<br />
<br />
-- Munther<br />
<br />
----<br />
<br />
<br />
Hey Andrew here another member of this group. Those are some good starting points. The Wikipedia page on race conditions have references to a few good examples http://en.wikipedia.org/wiki/Race_condition<br />
<br />
Couple notable ones:<br />
<br />
The Therac-25 x-ray machine which killed a bunch of people http://courses.cs.vt.edu/~cs3604/lib/Therac_25/Side_bar_1.html<br />
<br />
A blackout in 2003 was caused by a race condition in one of the power company's alarm systems http://www.securityfocus.com/news/8412 (really awful block of text)<br />
<br />
--Andrew</div>Atubman