Sharing memory with semi-Byzantine clients and faulty storage servers

H. Attiya, A. Bar-Or
22nd International Symposium on Reliable Distributed Systems, 2003. Proceedings.  
This paper presents fault-tolerant simulations of a single-writer multi-reader regular register in storage systems. One simulation tolerates fail-stop failures of storage servers and requires a majority of nonfaulty servers, while the other simulation tolerates Byzantine failures and assumes that two-thirds of the servers are nonfaulty. A construction of Afek et al. [3] is used to mask semi-Byzantine failures of clients that result in erroneous write operations. The simulations are used to derive Paxos algorithms that tolerate semi-Byzantine failures of clients as well as fail-stop or Byzantine failures of storage servers.

This paper proposes a systematic approach to algorithm design in storage systems, by simulating shared memory accessed by simple read and write operations.† This is a well-known methodology for obtaining simple solutions to distributed problems [4]. To reduce their cost, the simulations on a message-passing system with storage servers support only single-writer multi-reader (SWMR) regular registers [12]. Although regular registers provide weaker guarantees than the more familiar atomic registers (a read that overlaps no write returns the value of the latest preceding write, while a read that overlaps writes may return the value of any of them or of the latest preceding write), they often suffice for the correctness of shared-memory algorithms. Two notable examples are the Bakery algorithm for mutual exclusion [11] and the Paxos algorithm for state-machine replication [10].

Clients accessing the shared memory are running application programs that attempt to perform a shared task. For such applications, it is reasonable to assume that programs are well-debugged and do not suffer malicious, arbitrary failures. Yet corrupt data may be written to remote shared storage: a client may fail while executing an update operation, leaving a corrupted disk block; network switches and storage hardware can fail in various ways; and messages from the client to the storage server may be lost or re-ordered. Such semi-Byzantine failures can be modelled following the faulty shared-memory model [3], in which failures are atomic write operations of arbitrary data. We show how to mask semi-Byzantine clients by employing a simulation of an atomic single-writer multi-reader register using 20f + 8 atomic SWMR registers [3]. Fail-stop storage servers can be integrated into this scheme with the shared-memory simulation of Attiya et al. [4].

This immediately implies a simulation of an SWMR regular register with semi-Byzantine clients and fail-stop storage servers, assuming that at least a majority of the storage servers do not fail. An execution of a read or a write operation requires O(n) messages and O(f) steps. To handle Byzantine failures at the servers, we show how to simulate a regular SWMR register in the presence of Byzantine storage servers. The simulation requires at least 3t + 1 storage servers, where t is the number of servers that may suffer Byzantine failures. A drawback of our construction is the possibility of nonterminating reads; however, this happens only when the number of overlapping writes is unbounded. In leader-oriented algorithms, eventually there is a single leader, which is the only process performing read and write operations; in such algorithms, the read operations of our construction terminate. Combining with our construction for semi-Byzantine clients, we get a simulation of an SWMR regular register with semi-Byzantine clients and Byzantine storage servers. (All constructions appear in Section .)

Several other shared-memory simulations tolerate Byzantine failures. Malkhi and Reiter [16] introduce two classes of quorum systems: masking quorum systems tolerate t Byzantine failures with 4t + 1 servers, while dissemination quorum systems assume self-verifying data and require only 3t + 1 servers. Martin et al. [17] describe SBQ-L, a simulation of a multi-writer multi-reader

† Stronger operations, such as compare&swap, cannot be simulated, since they would allow consensus to be solved, which is impossible in our model unless sophisticated storage devices are used [7]. Our assumptions about storage servers are basic and satisfied by even the weakest servers, e.g., simple disks.
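The majority-quorum simulation of an SWMR regular register over fail-stop storage servers described above, as an added illustrative example: this is not the paper's construction or code, and it omits the Afek et al. masking layer for semi-Byzantine clients. The single writer tags each value with an increasing timestamp and sends it to all n servers, returning once a majority has acked; a reader queries all n servers, waits for any majority of replies and returns the highest-timestamped value. The `Server`, `PendingWrite` and `RegularRegister` names, the `respond_from` parameter that fixes which replies arrive first, and the use of `RuntimeError` to model an operation that cannot complete are assumptions of this example. The second trace shows what "regular but not atomic" means in practice: two reads that overlap one write may return the new value and then the old one.

```python
"""Added example (not the paper's construction): majority-quorum simulation of a
single-writer multi-reader regular register over fail-stop storage servers.
Message delivery is driven explicitly so overlapping operations replay deterministically."""
from dataclasses import dataclass

@dataclass
class Server:
    """Holds the highest-timestamped (ts, value) received; fail-stop: silent after a crash."""
    sid: int
    ts: int = 0
    value: object = None
    crashed: bool = False

    def on_write(self, ts, value):
        if self.crashed:
            return None
        if ts > self.ts:                       # keep only the newest copy
            self.ts, self.value = ts, value
        return ("ack", self.sid)

    def on_read(self):
        return None if self.crashed else (self.ts, self.value, self.sid)

class PendingWrite:
    """A write in flight: deliver() hands (ts, value) to some servers; complete() is the writer returning."""
    def __init__(self, reg, ts, value):
        self.reg, self.ts, self.value, self.acks = reg, ts, value, set()

    def deliver(self, sids):
        for sid in sids:
            if self.reg.servers[sid].on_write(self.ts, self.value) is not None:
                self.acks.add(sid)
        return self

    def complete(self):
        if len(self.acks) < self.reg.majority:  # writer would block forever; modelled as an error
            raise RuntimeError(f"write ts={self.ts}: {len(self.acks)} acks < {self.reg.majority}")
        return len(self.acks)

class RegularRegister:
    """SWMR regular register over n servers; tolerates f < n/2 crashes."""
    def __init__(self, n, initial=None):
        self.n, self.majority = n, n // 2 + 1
        self.servers = [Server(i, 0, initial) for i in range(n)]
        self.ts = 0                            # the single writer's timestamp counter

    def crash(self, *sids):
        for sid in sids:
            self.servers[sid].crashed = True

    def begin_write(self, value):
        self.ts += 1                           # one writer: timestamps are totally ordered
        return PendingWrite(self, self.ts, value)

    def write(self, value):
        """Send (ts, value) to all n servers; return once a majority acks (O(n) messages)."""
        return self.begin_write(value).deliver(range(self.n)).complete()

    def read(self, respond_from=None):
        """Query all n servers, take the first majority of replies (respond_from fixes arrival
        order) and return the highest-timestamped value.  No write-back: regular, not atomic."""
        replies = []
        for sid in (range(self.n) if respond_from is None else respond_from):
            r = self.servers[sid].on_read()
            if r is not None:
                replies.append(r)
            if len(replies) == self.majority:
                break
        if len(replies) < self.majority:
            raise RuntimeError(f"read: {len(replies)} replies < {self.majority}")
        return max(replies, key=lambda r: r[0])[1]

def crash_tolerance_trace():
    """Two of five servers crash and operations still complete; a third crash leaves no majority."""
    reg = RegularRegister(5, initial="v0")
    reg.write("v1")
    reg.crash(0, 1)
    reg.write("v2")
    value = reg.read()
    reg.crash(2)
    try:
        reg.write("v3")
        blocked = False
    except RuntimeError:
        blocked = True
    return value, blocked

def regular_but_not_atomic_trace():
    """A write of "new" has reached servers 0 and 1 only.  Two reads overlapping it may return
    "new" then "old": allowed for a regular register, forbidden for an atomic one.  After the
    write completes, every majority intersects the acked set and sees "new"."""
    reg = RegularRegister(5, initial="old")
    w = reg.begin_write("new").deliver([0, 1])
    r1 = reg.read(respond_from=[0, 1, 2])      # majority that includes updated servers
    r2 = reg.read(respond_from=[2, 3, 4])      # majority of not-yet-updated servers
    w.deliver([2, 3, 4]).complete()
    return r1, r2, reg.read()

if __name__ == "__main__":
    print(crash_tolerance_trace(), regular_but_not_atomic_trace())
```

Each operation sends one message to each of the n servers and collects at most n replies, which is the O(n) message bound quoted above. The reader never writes back what it returns; adding that write-back phase is the standard way to turn this majority construction into an atomic register, at the cost of a second round of messages per read, which is exactly the cost the paper avoids by settling for regular semantics.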
doi:10.1109/reldis.2003.1238090 dblp:conf/srds/AttiyaB03 fatcat:mlkysmm75zft7dwxbq6hrvewkq