Alternative Executions Research Articles

Runtime Enforcement of Security Policies on Black Box Reactive Programs

Security enforcement mechanisms like execution monitors are used to make sure that some untrusted program complies with a policy. Different enforcement mechanisms have different strengths and weaknesses and hence it is important to understand the qualities of various enforcement mechanisms. This paper studies runtime enforcement mechanisms for reactive programs. We study the impact of two important constraints that many practical enforcement mechanisms satisfy: (1) the enforcement mechanism must handle each input/output event in finite time and on occurrence of the event (as opposed to for instance Ligatti's edit automata that have the power to buffer events for an arbitrary amount of time), and (2) the enforcement mechanism treats the untrusted program as a black box : it can monitor and/or edit the input/output events that the program exhibits on execution and it can explore alternative executions of the program by running additional copies of the program and providing these different inputs. It can not inspect the source or machine code of the untrusted program. Such enforcement mechanisms are important in practice: they include for instance many execution monitors, virtual machine monitors, and secure multi-execution or shadow executions. We establish upper and lower bounds for the class of policies that are enforceable by such black box mechanisms, and we propose a generic enforcement mechanism that works for a wide range of policies. We also show how our generic enforcement mechanism can be instantiated to enforce specific classes of policies, at the same time showing that many existing enforcement mechanisms are optimized instances of our construction.

A BMC-based formulation for the scheduling problem of hardware systems

Hardware scheduling is a well-known and well-studied problem. This paper defines a new SAT-based formulation of automata-based scheduling and proposes for the first time a completely new resolution algorithm based on SAT solvers and bounded model checking (BMC). The new formulation is specifically suited to control-dominated applications. Alternative executions are modeled as concurrency, where alternative behaviors are followed in parallel. This approach produces "single-path" scheduling traces instead of standard "treelike" solutions, thus enabling the use of BMC. This choice, however, creates the problem that resource bounds are treated incorrectly, due to the artificial concurrency modeling alternative behaviors. We then discuss how to take this into account, either by modifying the SAT solver or by adding extra clauses. Thus we are able to exploit SAT-based BMC to find the desired minimum latency schedule. Our method shows significant improvements in terms of both computational efficiency and modeling power, when compared to the BDD-based approach, and in terms of the optimality of the results when compared to heuristic methods.

Alternative Solutions for Distributed Simulation Cloning

Simulation cloning is designed to satisfy the requirement of examining alternative scenarios concurrently. This article discusses the issues involved in cloning distributed simulations based on the High Level Architecture (HLA) and proposes tentative solutions. Alternative solutions are compared from both the qualitative and quantitative point of view. In terms of federation organization, candidate solutions can be classified into the single-federation and the multiple-federation categories. To guarantee the correctness and optimize the performance of the whole cloning-enabled distributed simulation, the single-federation solution requires an additional mechanism to isolate the interactions among alternative executions. Data distribution management (DDM) is one of the candidate approaches. To measure the trade-off between complexity and efficiency, the authors introduce a series of experiments to benchmark various solutions at the runtime infrastructure (RTI) level. The benchmark results indicate that the single-federation solution provides encouraging performance when using DDM.

A BMC-Formulation for the Scheduling Problem in Highly Constrained Hardware Systems

This paper describes a novel application for SAT-based Bounded Model Checking (BMC) within hardware scheduling problems.First of all, it introduces a new model for control-dependent systems. In this model, alternative executions (producing “tree-like” scheduling traces) are managed as concurrent systems, where alternative behaviors are followed in parallel. This enables standard BMC techniques, producing solutions made up of single paths connecting initial and terminal states.Secondly, it discusses the main problem arising from the above choice, i.e., rewriting resource bounds, so that they take into account the artificial concurrencies introduced for controlled behaviors.Thirdly, we exploit SAT-based Bounded Model Checking as a verification technique mostly oriented to bug hunting and counter-example extraction. In order to consider resource constraints, the solutions of modifying the SAT solver or adding extra clauses are both taken into consideration.Preliminary experimental results, comparing our SAT based approach to state-of-the art BDD-based techniques are eventually presented.

Global scheduling for flexible transactions in heterogeneous distributed database systems

A heterogeneous distributed database environment integrates a set of autonomous database systems to provide global database functions. A flexible transaction approach has been proposed for the heterogeneous distributed database environments. In such an environment, flexible transactions can increase the failure resilience of global transactions by allowing alternate (but in some sense equivalent) executions to be attempted when a local database system fails or some subtransactions of the global transaction abort. We study the impact of compensation, retry, and switching to alternative executions on global concurrency control for the execution of flexible transactions. We propose a new concurrency control criterion for the execution of flexible and local transactions, termed F-serializability, in the error-prone heterogeneous distributed database environments. We then present a scheduling protocol that ensures F-serializability on global schedules. We also demonstrate that this scheduler avoids unnecessary aborts and compensation.

New results on deriving protocol specifications from service specifications

Previous papers describe an algorithm for deriving a specification of protocol entities from a given service specification. A service specification defines a particular ordering for the execution of service primitives at the different service access points using operators for sequential, parallel and alternative executions. The derived protocol entities ensure the correct ordering by exchanging appropriate synchronization messages, between one another through the underlying communication medium. This paper presents several new results which represent important improvements to the above protocol derivation approach. First the language restriction to finite behaviors is removed by allowing for the definition of procedures which can be called recursively. Secondly, a new derivation algorithm has been developed which is much simpler than the previous one. Third, the resulting protocol specifications are much more optimized than those obtained previously.

Consumers’ perceptions of direct marketing techniques

Direct marketing has become a highly popular and successful component of marketing. Today direct marketing-originated sales are growing at more than twice the rate of all general merchandise sales. This growth signifies an important shift in the marketing efforts of many companies to more selectively and directly target their customers with less waste and more timely response. Despite this growth, the research literature on direct marketing is lacking in both its breadth of coverage across the various techniques available and in its depth of investigation in any one area. For instance, most studies have narrowly focused on through-the-mail techniques such as direct mail or catalog shopping. One obvious reason for this emphasis is the ability on the part of the researcher to control for message exposure and contain research costs. Direct marketing generally encompasses much more, however, such as direct response advertising scheduled in the customary mass media channels — radio, television, newspaper, and magazine — as well as telemarketing and door-to-door selling. The available research has also been developed primarily to define the demographic and psychographic characteristics of the direct marketing consumer, or to quantify the sales/inquiry response of alternative executions controlled experimentally in the field. Virtually no published research has addressed how the consumer, rather than the researcher or practitioner, perceives direct marketing; yet, insight into the way the consumer views direct marketing in its various forms, and how the consumer sees him/herself in relation to these techniques, is vitally important to the direct marketer.

Rating industrial advertisements

Industrial advertisers can create more effective advertisements if they have some notion about the immediate effect their advertising has on the target audience. Here, a multiple item scale is developed for categorizing an audience's reactions to print ads. The proposed scale is discussed as a copytesting instrument and could be used to evaluate alternative executions in order to indicate which ads may be most effective.