UI CS 448 - An Adaptive N-variant Software Architecture

This preview shows page 1-2-3-4-5 out of 16 pages.


An Adaptive N-variant Software Architecture for Multi-Core Platforms: Models and Performance Analysis

Li Tan1 and Axel Krings2
1 School of Electrical Engineering and Computer Science, Washington State [email protected] of Computer Science, University of [email protected].

This paper discusses the models and performance analysis for an adaptive software architecture, which supports multiple levels of fault detection, masking, and recovery through reconfiguration. The architecture starts with a formal requirement model defining multiple levels of functional capability and information assurance. The architecture includes a multi-layer design to implement the requirements using N-variant techniques. It also integrates a reconfiguration mechanism that uses lower layers to monitor higher layers, and if a fault is detected, it reconfigures a system to maintain essential services. We first provide a general reliability model (based on generalized stochastic Petri nets) for such a system with cross-monitoring for reconfiguration. Next, we define a probabilistic automaton-based model for behavioral modeling of the system. This model is especially suitable for modeling security problems induced by value faults. Whereas the Petri net allows for reliability modeling and reconfiguration, the performance analysis of the system is given via probabilistic model checking. The models are experimentally evaluated and compared. With the current widespread deployment of multi-core processors, one question in software engineering is how to effectively harness the parallel computing power provided by these processors. The architecture presented here allows us to explore the parallel computing power that otherwise may be wasted, and uses it to improve the dependability and survivability of a system, which is validated by our performance analysis.

1 Introduction

With the introduction of multi-core processors and their widespread deployment ranging from laptops to cloud computing, a question has been raised on how we can effectively exploit the parallel resources. It is projected that the level of application-exploitable parallelism will lag behind the number of cores in multi-core processors and GPUs (graphics processing units), since to date most applications only allow limited parallelism. One way of harnessing these otherwise unused or underutilized resources is to use them for the purpose of increasing dependability, security, and survivability of a system, but doing so requires the support of adaptive software.

Two key features of adaptive software are (1) the ability to monitor its own execution and (2) the ability to reconfigure itself based on the result of runtime monitoring [6]. While the proposed benefits of adaptive software are promising, developing adaptive software also raises some challenging questions. First, in many cases self-adaptation adds one more dimension of complexity to often already complicated dependable system designs. A question is how to specify requirements and implement them in a way that facilitates orderly and verifiable system reconfiguration. Second, a system may be subject to a variety of faults. So a challenge is how one could compartmentalize and diversify system design so the system can be resilient to different types of faults. This may be especially relevant in safety-critical applications. Finally, runtime monitoring requires additional computation power. Thus, it is important that our design can make efficient use of the underlying hardware architecture to minimize overhead.

To address the first challenge, we use a formal model to specify requirements for self-adaptation and then propose a multi-layered assured architecture to realize requirements expressed in the formal model. The Adaptive Functional Capability Model (AFCM) introduced in [10] defines levels of capabilities for each system functionality. The AFCM specifies how a system shall reconfigure itself and scale down its functional capabilities while still providing essential services and information assurance. Each level of functional capability in the AFCM will then be implemented as a layer in a Multi-layered Assured Architecture Design. The architecture design embeds a Monitoring and Reconfiguration Module (MRM) that uses lower-layer functionalities as reference to monitor high-layer functionalities. In case a fault is detected, the system reconfigures itself by disabling affected layers, while lower layers still maintain essential services.

To further improve system resilience, we use a diversified layered design based on N-variant techniques in each layer [3, 4]. The N-variant techniques use redundant executions to reduce system vulnerability to common-mode faults. The expectation is that redundant but dissimilar implementations reduce or eliminate common-mode faults. Dissimilarity is typically discussed in the context of N-version programming [1], dating back to the late 70s. In N-version programming it is assumed that several software development groups independently derive programs from the same specification. The concept of N-variant software is inspired by N-version software, but in N-variant software different variants are generated in a more automated fashion. In both cases a fault is detected if a difference is detected between outputs generated by two versions or variants.

Redundant executions exercised by multiple variants and the extra work of runtime monitoring require additional computational power. To reduce overhead, our N-variant-based implementation takes advantage of multi-core hardware. Most new general-purpose computers incorporate dual or quad-core processors, and higher numbers of cores are already used widely in GPUs. Whereas in theory the computational capabilities increase with the number of cores, it becomes difficult to exploit sufficient parallelism to keep all cores utilized. Most common applications still allow little parallelism and it is likely that cores may be underutilized or running idle. In our approach, unused or underutilized cores are exploited to increase reliability, security, and survivability. Specifically, multiple variants execute on different cores, and if they can execute on idle cores, this overhead can be largely absorbed. This was also shown in [8] where multi-variants executed in multi-core systems. Our approach extends this by making extensive use of N-variant implementation at each layer of functional capability. In general, the lower a layer, the more variants it may
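
The monitoring and reconfiguration scheme outlined in the introduction above, as an added sketch that is not code from the paper: variants in a layer run concurrently and any output difference counts as a fault, while the layer below serves as the reference for the layer above. The class names, the mean-computing variants, the consistency predicate, and the choice to disable the faulty layer together with everything above it are all assumptions made for illustration.

```python
from concurrent.futures import ThreadPoolExecutor
from statistics import fmean

class Layer:
    def __init__(self, name, variants):
        self.name, self.variants, self.enabled = name, variants, True

    def run(self, data):
        """Run all variants concurrently; any output difference is a fault."""
        # Threads stand in for variants placed on otherwise idle cores.
        with ThreadPoolExecutor(len(self.variants)) as pool:
            outs = list(pool.map(lambda v: v(data), self.variants))
        return outs[0], all(abs(o - outs[0]) < 1e-9 for o in outs)

class MRM:
    """Monitoring and reconfiguration: each layer is checked against the one below."""
    def __init__(self, layers, consistent):
        self.layers = layers          # index 0 = essential service
        self.consistent = consistent  # predicate(higher_out, lower_out)

    def serve(self, data):
        result = served_by = None
        for i, layer in enumerate(self.layers):
            if not layer.enabled:
                break
            out, agreed = layer.run(data)
            if not agreed or (i > 0 and not self.consistent(out, result)):
                # Assumption: the faulty layer and everything above it is disabled.
                for upper in self.layers[i:]:
                    upper.enabled = False
                break
            result, served_by = out, layer.name
        return result, served_by

# Constructed variants: layer 0 gives a floor mean, layer 1 the exact mean.
def floor_mean_builtin(xs): return sum(xs) // len(xs)
def floor_mean_loop(xs):
    total = 0
    for x in xs:
        total += x
    return total // len(xs)
def exact_mean(xs): return fmean(xs)
def exact_mean_wrapping(xs):  # value fault: 16-bit accumulator wraps on large sums
    return (sum(xs) & 0xFFFF) / len(xs)

def build_system(full_variants=(exact_mean, exact_mean_wrapping)):
    layers = [Layer("essential", [floor_mean_builtin, floor_mean_loop]),
              Layer("full", list(full_variants))]
    return MRM(layers, lambda hi, lo: 0 <= hi - lo < 1)
```

Passing two copies of `exact_mean_wrapping` to `build_system` models a common-mode fault: the variants agree with each other, and only the comparison against the essential layer exposes the wrong value.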

