Resilience-Building Technologies: State of Knowledge -- ReSIST NoE Deliverable D12

ion could be that two modules with the same priority number can be permuted without changing the behavior of the system. Accordingly, the orbit relation places two global states in the same orbit if they can be transformed into each other simply by permuting the local states of the modules with the same priority number. As representatives, those states can be picked where e.g. the first module of the particular priority set is given the bus access.

2.1.5 A Novel Abstraction Approach

Amongst verification and validation (V&V) approaches, formal verification is seeing increased usage and acceptance. One popular technique is model checking, which allows automated verification (without user guidance) by performing exhaustive simulation on the model of the system. However, model checking faces the problem of state space explosion. Abstraction is a general method to reduce the level of detail in order to reduce the complexity of analysis.

Researchers at TU Darmstadt are working on a new technique that is tailored to the characteristics of a large class of distributed protocols [Serafini et al. 2006]. The basic observation is that many protocols exhibit a significant level of symmetry, which arises when all processes execute the same program and communication is synchronous and broadcast-based.
Furthermore, most of the time the formulae to be verified are “plane”, i.e., they have the form “all correct processes enjoy a certain property”.

The straightforward modeling of a distributed protocol entails modeling the behavior of a single process and then composing the processes together. As a consequence, the state of the system is represented as a tuple of states, one for each process. Our approach is instead to consider all the possible states that any correct process can assume at each round. At each round, we calculate the set of all the possible states of any correct process due to symmetric message exchange with the other correct processes and to the presence of faults. This allows representation of the state of the system as a set instead of as a tuple of states, leading to a considerable reduction of the size of the state space. The verification of global properties is then carried out by checking if the desired properties hold for all the states that any correct process can have.

The key challenge is to prove that the abstraction process loses information but preserves certain properties. The abstraction is proved to be sound with respect to plane properties, i.e., if we can prove a plane property in the abstracted model then this also holds for the non-abstracted one.

As we represent the set of states of any correct process, it is intuitively clear that our approach allows verification of properties that apply to each process individually, e.g., “each process shall have a variable within a given range”. In this case it is sufficient to visit all the possible states of a correct process and to verify that they satisfy the property of interest. It is more complicated to prove consistency properties, e.g., “all processes shall decide the same value”. For this purpose we partition the set of possible states of a process into consistency sets.
At each round, it is guaranteed that if any two correct processes can have different states, these states belong to the same consistency set. The non-determinism in the evolution of the global system states determines the possibility of having several alternative consistency sets. Consistency properties are then required to hold only within each consistency set but not across them, e.g., “within each consistency set, all states shall have the same decision value”.

For the sake of simplicity, the approach focuses on the verification problem for core fault tolerant protocols of frame-based, synchronous systems (e.g. consensus, atomic broadcast, diagnosis, membership). The approach, however, can be extended to model-checking of round-based asynchronous protocols.

RESIST D12 verif p 16 Part Verif 2 – Model Checking

Let us consider a scenario where such a protocol is symmetric (i.e., where each process performs the same operations) and there are no faults. If all processes start from the same initial state, they will perform the same state transitions at each round. Therefore, the state of the system could be modeled by representing only the common state of any process. Its evolution throughout rounds can thus be seen as a single thread. Each of these states is supposed to satisfy the desired properties of the protocol (safety and liveness).

We can expand this model by considering the presence of different, asymmetric initial process states. The state of a correct process will now evolve as a tree, where at each round the state of each process at round i is derived according to the state of the other processes at round i − 1. Each combination of states at round i − 1 results in different branches of the tree at round i. At each round, a correct process will find itself in one state among a set of multiple possible states; these are the children of a common parent node. These sets are called consistency sets.
Similarly to alternative subtrees, consistency sets are mutually exclusive. As in the previous case, all the possible states at each round, i.e., all the states within each consistency set, are supposed to enjoy the specified properties.

When model checking fault tolerant protocols, however, the number of possible communication patterns and state transitions explodes due to the “extended” behavior of faulty nodes, particularly if the fault model allows them to communicate asymmetrically (e.g. under the Byzantine or the receive-omission fault assumption). This greatly increases the number of possible states and considerably reduces the symmetry of the system state. In our modeling approach, these further asymmetries are also handled using consistency sets. In fact, if the protocol is fault tolerant then the desired properties shall hold in spite of faults as well as of asymmetries in the possible initial states.

To understand the concept of consistency set we can consider a very simple example of a synchronous system consisting of three processors, where one of the two can be faulty and symmetrically send incorrect messages. Assume that the domain of the messages is {0, 1, 2}. Say that all correct processes start from state S1 and produce the message 0 as initial message in the first round of the protocol. There are three possible states of a correct process after the first communication round: S2, if both processes are correct and send the message 0; S3 or S4, if one of the processes is faulty and symmetrically sends the message 1 or 2 respectively. In this case we would have two consistency sets: {S2, S3} and {S2, S4}. Consistency sets are mutually exclusive and reflect the non-determinism given by the possible presence of faulty messages.
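The three-processor example above, as an added sketch in Python (not code from the deliverable or from the TU Darmstadt work). It assumes a process state is the sorted list of messages it holds after the first round, takes the grouping into consistency sets exactly as the text states it, and uses two hypothetical decision rules, `majority` and `maximum`, to show a consistency check passing and failing.

```python
from collections import Counter
from itertools import product

DOMAIN = (0, 1, 2)   # message domain from the text
CORRECT_MSG = 0      # every correct process sends 0 in the first round


def state_after_round(third_msg):
    """State of a correct process after round 1 (assumed encoding): the sorted
    messages it holds, i.e. its own, the other correct process's and the third's."""
    return tuple(sorted((CORRECT_MSG, CORRECT_MSG, third_msg)))


# S2: third process correct (sends 0); S3 / S4: it is faulty and sends 1 / 2.
S2, S3, S4 = (state_after_round(m) for m in DOMAIN)


def consistency_sets():
    """Grouping as stated in the text: {S2, S3} and {S2, S4}, one set per
    value a faulty sender may broadcast."""
    return [frozenset({S2, state_after_round(v)})
            for v in DOMAIN if v != CORRECT_MSG]


def admitted_tuples(csets, n_correct=2):
    """Global states (one state per correct process) the abstraction admits:
    all correct processes must draw their state from the same consistency set."""
    admitted = set()
    for cs in csets:
        admitted.update(product(sorted(cs), repeat=n_correct))
    return admitted


def check_plane(csets, holds):
    """Per-process property: must hold in every state a correct process can have."""
    return all(holds(s) for cs in csets for s in cs)


def check_consistency(csets, decide):
    """Consistency property: inside each consistency set all states decide alike.
    Returns the sets that violate it (empty list means the property holds)."""
    return [cs for cs in csets if len({decide(s) for s in cs}) > 1]


def majority(state):   # hypothetical decision rule: most frequent message
    return Counter(state).most_common(1)[0][0]


def maximum(state):    # hypothetical, deliberately fault-sensitive rule
    return max(state)


if __name__ == "__main__":
    csets = consistency_sets()
    print("consistency sets:", [sorted(cs) for cs in csets])
    print("S3 with S4 admitted:", (S3, S4) in admitted_tuples(csets))
    print("messages in range:", check_plane(csets, lambda s: set(s) <= set(DOMAIN)))
    print("majority violations:", check_consistency(csets, majority))
    print("maximum violations:", len(check_consistency(csets, maximum)))
    # Tuple model grows with the number of correct processes; the sets do not.
    for n in (2, 4, 8):
        print(n, "processes:", len(admitted_tuples(csets, n)), "tuples vs",
              sum(len(cs) for cs in csets), "abstract states")
```

With `maximum`, both consistency sets are reported as violations, because S2 decides 0 while S3 and S4 decide 1 and 2 respectively.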
By construction, they allow us to deduce that we will never have a situation where one correct process has the state S3 and another correct process has the state S4 (although a correct process can assume both the states S3 and S4).

Typically, abstraction techniques are defined considering general state models, for example Kripke structures. Such techniques are generally proved to be sound and complete and can be applied to model check any kind of specification, independent of the specific problem under examination. On the other hand, many papers reporting experiences on model checking distributed protocols introduce abstractions which are tied to the particular protocol and whose soundness and completeness are not shown but rather assumed as “sensible” (see for example [Steiner et al. 2004, Ramasamy et al. 2002]). Such an approach undermines the value of the results obtained by model checking.

A contribution of our work is to introduce an abstraction scheme that, while specific for a class of distributed protocols, is rigorous enough to prove its properties mathematically. To achieve this, we first illustrate a modeling framework to express a distributed protocol (modified from [Dolev et al. 1986]). This represents, in a sense, a higher-level language compared to the normal specification languages used by model checkers. Then we show how to construct abstracted and non-abstracted models starting from the given specifications. Finally we prove that our abstracted models preserve soundness with respect to their corresponding non-abstracted models.

Using a specific protocol specification language, both the models are rigorously defined, allowing soundness and completeness to be proved. In contrast, much previous work on using abstractions to model check distributed protocols focused on defining the abstracted model. We claim that this approach should generally be applied when using domain specific abstraction, i.e.
abstractions that are specific to a certain class of problems.

Currently, we are running experiments to measure the gain of the abstraction (in terms of state space size and proof execution time). One of our running case studies is a consensus protocol to solve interactive (binary) consensus [Lamport et al. 1982].

2.2 Process algebras and action-based model checking applied to fault-tolerant systems

2.2.1 Overview

In [Bernardeschi et al. 2000], process algebras and action-based model chec


[187]  Daniel P. Siewiorek,et al.  Development of a benchmark to measure system robustness , 1993, FTCS-23 The Twenty-Third International Symposium on Fault-Tolerant Computing.

[188]  R. L. Loftness Nuclear Power Plants , 1964 .

[189]  Daniel P. Siewiorek,et al.  Automated robustness testing of off-the-shelf software components , 1998, Digest of Papers. Twenty-Eighth Annual International Symposium on Fault-Tolerant Computing (Cat. No.98CB36224).

[190]  Maurice Herlihy,et al.  Wait-free synchronization , 1991, TOPL.

[191]  Edmund M. Clarke,et al.  Model checking and abstraction , 1994, TOPL.

[192]  Lorenzo Strigini,et al.  Fault diversity among off-the-shelf SQL database servers , 2004, International Conference on Dependable Systems and Networks, 2004.

[193]  Patrick Cousot,et al.  Abstract Interpretation Frameworks , 1992, J. Log. Comput..

[194]  Idit Keidar,et al.  Group communication specifications: a comprehensive study , 2001, CSUR.

[195]  Rachid Guerraoui,et al.  The Generic Consensus Service , 2001, IEEE Trans. Software Eng..

[196]  Andrea Bondavalli,et al.  Stochastic Dependability Analysis of System Architecture Based on UML Models , 2002, WADS.

[197]  Sam Toueg,et al.  Unreliable failure detectors for reliable distributed systems , 1996, JACM.

[198]  Anne-Marie Kermarrec,et al.  Peer-to-Peer Membership Management for Gossip-Based Protocols , 2003, IEEE Trans. Computers.

[199]  Peter Y. A. Ryan,et al.  Prêt à Voter : a Systems Perspective , 2005 .

[200]  Jacob A. Abraham,et al.  FERRARI: A Flexible Software-Based Fault and Error Injection System , 1995, IEEE Trans. Computers.

[201]  Meine van der Meulen,et al.  The Effectiveness of Choice of Programming Language as a Diversity Seeking Decision , 2005, EDCC.

[202]  Emil Sit,et al.  A DHT-based Backup System , 2003 .

[203]  P ? ? ? ? ? ? ? % ? ? ? ? , 1991 .

[204]  Zhen Xiao,et al.  HEALERS: a toolkit for enhancing the robustness and security of existing applications , 2003, 2003 International Conference on Dependable Systems and Networks, 2003. Proceedings..

[205]  Pietro Michiardi,et al.  Cooperation enforcement and network security mechanisms for mobile ad hoc networks , 2004 .

[206]  D. Norman The psychology of everyday things , 1990 .

[207]  A. D. Swain,et al.  Handbook of human-reliability analysis with emphasis on nuclear power plant applications. Final report , 1983 .

[208]  Patrick Lincoln,et al.  A Formally Verified Algorithm for Interactive Consistency Under a Hybrid Fault Model , 1993, Twenty-Fifth International Symposium on Fault-Tolerant Computing, 1995, ' Highlights from Twenty-Five Years'..

[209]  Jakob Nielsen,et al.  Finding usability problems through heuristic evaluation , 1992, CHI.

[210]  Hagit Attiya,et al.  Atomic snapshots in O(n log n) operations , 1993, PODC '93.

[211]  Eric Marsden Caractérisation de la sûreté de fonctionnement de systèmes à base d'intergiciel , 2004 .

[212]  Thierry Massart,et al.  How to Make FDR Spin LTL Model Checking of CSP by Refinement , 2001, FME.

[213]  Asaf Degani,et al.  Formal Analysis and Automatic Generation of User Interfaces: Approach, Methodology, and an Algorithm , 2007, Hum. Factors.

[214]  Roberto Beraldi,et al.  A hint-based probabilistic protocol for unicast communications in MANETs , 2006, Ad Hoc Networks.

[215]  Soma Chaudhuri,et al.  More Choices Allow More Faults: Set Consensus Problems in Totally Asynchronous Systems , 1993, Inf. Comput..

[216]  Eli Gafni,et al.  Musical Benches , 2005, DISC.

[217]  Birgit Pfitzmann,et al.  Symmetric encryption in a simulatable Dolev-Yao style cryptographic library , 2004, Proceedings. 17th IEEE Computer Security Foundations Workshop, 2004..

[218]  Karama Kanoun,et al.  Dependability of fault-tolerant systems-explicit modeling of the interactions between hardware and software components , 1996, Proceedings of IEEE International Computer Performance and Dependability Symposium.

[219]  Ravishankar K. Iyer,et al.  Automatic Recognition of Intermittent Failures: An Experimental Study of Field Data , 1990, IEEE Trans. Computers.

[220]  Torben Æ. Mogensen,et al.  The essence of computation : complexity, analysis, transformation : essays dedicated to Neil D. Jones , 2002 .

[221]  Shensheng Zhang,et al.  Interactive Web service choice-making based on extended QoS model , 2006 .

[222]  Tal Rabin,et al.  Secure distributed storage and retrieval , 2000, Theor. Comput. Sci..

[223]  Michael Backes,et al.  A cryptographically sound Dolev-Yao style security proof of an electronic payment system , 2005, 18th IEEE Computer Security Foundations Workshop (CSFW'05).

[224]  Rakesh Kumar,et al.  The FastTrack overlay: A measurement study , 2006, Comput. Networks.

[225]  Daniel P. Siewiorek,et al.  Robustness testing and hardening of CORBA ORB implementations , 2001, 2001 International Conference on Dependable Systems and Networks.

[226]  Thomas P. Jensen,et al.  Types in Program Analysis , 2002, The Essence of Computation.

[227]  Miguel Castro,et al.  BASE: using abstraction to improve fault tolerance , 2001, SOSP.

[228]  Gianfranco Ciardo,et al.  Efficient Reachability Set Generation and Storage Using Decision Diagrams , 1999, ICATPN.

[229]  Peeter Laud,et al.  Secrecy types for a simulatable cryptographic library , 2005, CCS '05.

[230]  Neeraj Suri,et al.  Formally Verified On-Line Diagnosis , 1997, IEEE Trans. Software Eng..

[231]  Birgit Pfitzmann,et al.  Service-oriented Assurance - Comprehensive Security by Explicit Assurances , 2006, Quality of Protection.

[232]  Magnos Martinello,et al.  A user-perceived availability evaluation of a web based travel agency , 2003, 2003 International Conference on Dependable Systems and Networks, 2003. Proceedings..

[233]  Miguel Correia,et al.  Sharing Memory between Byzantine Processes Using Policy-Enforced Tuple Spaces , 2009, IEEE Trans. Parallel Distributed Syst..

[234]  Jon Crowcroft,et al.  A survey and comparison of peer-to-peer overlay network schemes , 2005, IEEE Communications Surveys & Tutorials.

[235]  William H. Sanders,et al.  A Parsimonious Approach for Obtaining Resource-Efficient and Trustworthy Execution , 2007, IEEE Transactions on Dependable and Secure Computing.

[236]  Sam Toueg,et al.  Randomized Byzantine Agreements , 1984, PODC '84.

[237]  Christian Grothoff,et al.  An Excess-Based Economic Model for Resource Allocation in Peer-to-Peer Networks , 2005 .

[238]  George S. Avrunin,et al.  Patterns in property specifications for finite-state verification , 1999, Proceedings of the 1999 International Conference on Software Engineering (IEEE Cat. No.99CB37002).

[239]  Laurent Bussard,et al.  One-time capabilities for authorizations without trust , 2004, Second IEEE Annual Conference on Pervasive Computing and Communications, 2004. Proceedings of the.

[240]  Hélène Waeselynck,et al.  An empirical investigation of simulated annealing applied to property-oriented testing , 2003 .

[241]  Kishor S. Trivedi,et al.  A Decomposition Approach for Stochastic Reward Net Models , 1993, Perform. Evaluation.

[242]  Sam Toueg,et al.  The weakest failure detector for solving consensus , 1992, PODC '92.

[243]  Andrea Bondavalli,et al.  Service-Level Availability Estimation of GPRS , 2003, IEEE Trans. Mob. Comput..

[244]  Andrew Hinton,et al.  PRISM: A Tool for Automatic Verification of Probabilistic Systems , 2006, TACAS.

[245]  Harrison,et al.  Investigation of structural properties of hazard mitigation arguments , 2006 .

[246]  Magnos Martinello,et al.  Availability modeling and evaluation of web-based services - A pragmatic approach , 2005 .

[247]  Danny Dolev,et al.  On the minimal synchronism needed for distributed consensus , 1983, 24th Annual Symposium on Foundations of Computer Science (sfcs 1983).

[248]  Michael D. Harrison,et al.  Model Checking Interactor Specifications , 2001, Automated Software Engineering.

[249]  Isabel Rojas Compositional Construction of SWN models , 1995, Comput. J..

[250]  Charles E. Billings,et al.  Aviation Automation: The Search for A Human-centered Approach , 1996 .

[251]  P. Buchholz Exact and ordinary lumpability in finite Markov chains , 1994, Journal of Applied Probability.

[252]  Michael D. Harrison,et al.  Unifying views of interactors , 1994, AVI '94.

[253]  David I. August,et al.  SWIFT: software implemented fault tolerance , 2005, International Symposium on Code Generation and Optimization.

[254]  A. Chervenak,et al.  Protecting File Systems : A Survey of Backup Techniques , 1998 .

[255]  Günter Grünsteidl,et al.  TTP - A Protocol for Fault-Tolerant Real-Time Systems , 1994, Computer.

[256]  David A. Patterson,et al.  Architecture and Dependability of Large-Scale Internet Services , 2002, IEEE Internet Comput..

[257]  Andrew Chi-Chih Yao,et al.  Theory and application of trapdoor functions , 1982, 23rd Annual Symposium on Foundations of Computer Science (sfcs 1982).

[258]  Jakob Nielsen,et al.  Usability engineering , 1997, The Computer Science and Engineering Handbook.

[259]  Dominique L. Scapin,et al.  Transferring Knowledge of User Interfaces Guidelines to the Web , 2000, TFWWG.

[260]  Sadie Creese,et al.  Conceptual Model and Architecture of MAFTIA , 2003 .

[261]  J. Steven Perry,et al.  Java Management Extensions , 2002 .

[262]  Kishor S. Trivedi,et al.  Dependability Modelling and Sensitivity Analysis of Scheduled Maintenance Systems , 1999, EDCC.

[263]  Yves Deswarte,et al.  Intrusion tolerance in distributed computing systems , 1991, Proceedings. 1991 IEEE Computer Society Symposium on Research in Security and Privacy.

[264]  Fabio Paternò Model-Based Design and Evaluation of Interactive Applications , 2000 .

[265]  Asit Dan,et al.  Web services agreement specification (ws-agreement) , 2004 .

[266]  A. Jefferson Offutt,et al.  Mutation 2000: uniting the orthogonal , 2001 .

[267]  Paul C. Attie,et al.  Wait-free Byzantine consensus , 2002, Inf. Process. Lett..

[268]  Jens Palsberg,et al.  Type-based analysis and applications , 2001, PASTE '01.

[269]  Tudor Dumitras,et al.  Architecting and Implementing Versatile Dependability , 2004, WADS.

[270]  Peter Y. A. Ryan,et al.  A qualitative analysis of the intrusion-tolerance capabilities of the MAFTIA architecture , 2004, International Conference on Dependable Systems and Networks, 2004.

[271]  Hein Meling,et al.  Anthill: a framework for the development of agent-based peer-to-peer systems , 2002, Proceedings 22nd International Conference on Distributed Computing Systems.

[272]  Giorgio Mongardi DEPENDABLE COMPUTING FOR RAILWAY CONTROL SYSTEMS , 1993 .

[273]  Jeffrey D. Case,et al.  Simple network management protocol , 1995 .

[274]  Ian Clarke,et al.  Freenet: A Distributed Anonymous Information Storage and Retrieval System , 2000, Workshop on Design Issues in Anonymity and Unobservability.

[275]  Michael Hildebrandt,et al.  Putting Time (Back) Into Dynamic Function Allocation , 2003 .

[276]  Bev Littlewood,et al.  The effect of testing on reliability of fault-tolerant software , 2004, International Conference on Dependable Systems and Networks, 2004.

[277]  Michel Banâtre,et al.  Collaborative backup for dependable mobile applications , 2004, MPAC '04.

[278]  Eli Gafni Read-Write Reductions , 2006, ICDCN.

[279]  Michael K. Reiter,et al.  On k-Set Consensus Problems in Asynchronous Systems , 2001, IEEE Trans. Parallel Distributed Syst..

[280]  Philippe A. Palanque,et al.  Formal socio-technical barrier modelling for safety-critical interactive systems design , 2007 .

[281]  Marc Dacier,et al.  Honeypots: practical means to validate malicious fault assumptions , 2004, 10th IEEE Pacific Rim International Symposium on Dependable Computing, 2004. Proceedings..

[282]  Donald Beaver,et al.  Secure multiparty protocols and zero-knowledge proof systems tolerating a faulty minority , 2004, Journal of Cryptology.

[283]  William H. Sanders,et al.  Reduced base model construction methods for stochastic activity networks , 1989, Proceedings of the Third International Workshop on Petri Nets and Performance Models, PNPM89.

[284]  Richard D. Schlichting,et al.  Fail-stop processors: an approach to designing fault-tolerant computing systems , 1983, TOCS.

[285]  Alessandro F. Garcia,et al.  Context-aware exception handling in mobile agent systems: the MoCA case , 2006, SELMAS '06.

[286]  Fred B. Schneider,et al.  Implementing fault-tolerant services using the state machine approach: a tutorial , 1990, CSUR.

[287]  Michael K. Reiter,et al.  Byzantine quorum systems , 1997, STOC '97.

[288]  Michael K. Reiter,et al.  The Rampart Toolkit for Building High-Integrity Services , 1994, Dagstuhl Seminar on Distributed Systems.

[289]  Henrique Madeira,et al.  Multidimensional Characterization of the Impact of Faulty Drivers on the Operating Systems Behavior , 2003 .

[290]  Moni Naor,et al.  Visual Cryptography , 1994, Encyclopedia of Multimedia.

[291]  Xavier Leroy,et al.  Java bytecode verification : algorithms and formalizations Xavier Leroy INRIA Rocquencourt and Trusted Logic , 2003 .

[292]  Roy Friedman,et al.  Practical Byzantine Group Communication , 2006, 26th IEEE International Conference on Distributed Computing Systems (ICDCS'06).

[293]  David Powell,et al.  Storage Tradeoffs in a Collaborative Backup Service for Mobile Devices , 2006, 2006 Sixth European Dependable Computing Conference.

[294]  Pascale Thévenod-Fosse,et al.  A mutation analysis tool for Java programs , 2003, International Journal on Software Tools for Technology Transfer.

[295]  Ravishankar K. Iyer,et al.  Chameleon: A Software Infrastructure for Adaptive Fault Tolerance , 1999, IEEE Trans. Parallel Distributed Syst..

[296]  Victor Shoup,et al.  Secure and efficient asynchronous broadcast protocols : (Extended abstract) , 2001, CRYPTO 2001.

[297]  Noga Alon,et al.  Scalable Secure Storage when Half the System Is Faulty , 2000, ICALP.

[298]  Giovanni Squillero,et al.  An industrial environment for high-level fault-tolerant structures insertion and validation , 2002, Proceedings 20th IEEE VLSI Test Symposium (VTS 2002).

[299]  Birgit Pfitzmann,et al.  Symmetric Authentication within a Simulatable Cryptographic Library , 2003, ESORICS.

[300]  Bev Littlewood,et al.  Multi-legged arguments:the impact of diversity upon confidence in dependability arguments , 2003, 2003 International Conference on Dependable Systems and Networks, 2003. Proceedings..

[301]  Diego Latella,et al.  Towards Model Checking Stochastic Aspects of the thinkteam User Interface , 2005, DSV-IS.

[302]  Flemming Nielson,et al.  Principles of Program Analysis , 1999, Springer Berlin Heidelberg.

[303]  Bev Littlewood,et al.  Bayesian belief networks for safety assessment of computer-based systems , 2000 .

[304]  Michael K. Reiter,et al.  Efficient Byzantine-tolerant erasure-coded storage , 2004, International Conference on Dependable Systems and Networks, 2004.

[305]  Jean-Yves Le Boudec,et al.  Performance analysis of the CONFIDANT protocol , 2002, MobiHoc '02.

[306]  Levente Buttyán,et al.  Stimulating Cooperation in Self-Organizing Mobile Ad Hoc Networks , 2003, Mob. Networks Appl..

[307]  Mark Moir Fast, Long-Lived Renaming Improved and Simplified , 1998, Sci. Comput. Program..

[308]  Marc Dacier,et al.  Privilege Graph: an Extension to the Typed Access Matrix Model , 1994, ESORICS.

[309]  Michel Raynal,et al.  In Search of the Holy Grail: Looking for the Weakest Failure Detector for Wait-Free Set Agreement , 2006, OPODIS.

[310]  Michel Cukier,et al.  An experimental evaluation to determine if port scans are precursors to an attack , 2005, 2005 International Conference on Dependable Systems and Networks (DSN'05).

[311]  Philip J. Barnard,et al.  Computers, Communication, and Usability: Design Issues, Research and Methods for Integrated Services , 1993 .

[312]  Achour Mostéfaoui,et al.  Condition-based consensus solvability: a hierarchy of conditions and efficient protocols , 2003, Distributed Computing.

[313]  Henrique Madeira,et al.  Xception: A Technique for the Experimental Evaluation of Dependability in Modern Computers , 1998, IEEE Trans. Software Eng..

[314]  Miguel Correia,et al.  Improving Byzantine Protocols with Secure Computational Components , 2005 .

[315]  Birgit Pfitzmann,et al.  Relating symbolic and cryptographic secrecy , 2005, IEEE Transactions on Dependable and Secure Computing.

[316]  H. AbdelallahElhadj,et al.  An Experimental Sniffer Detector: SnifferWall , 2002 .

[317]  Daniel P. Siewiorek,et al.  Fault Injection Experiments Using FIAT , 1990, IEEE Trans. Computers.

[318]  Miguel Correia,et al.  Worm-IT - A wormhole-based intrusion-tolerant group communication system , 2007, J. Syst. Softw..

[319]  Noah Treuhaft,et al.  Recovery Oriented Computing (ROC): Motivation, Definition, Techniques, and Case Studies , 2002 .

[320]  Vladimir Stankovic,et al.  Improving DBMS Performance through Diverse Redundancy , 2006, 2006 25th IEEE Symposium on Reliable Distributed Systems (SRDS'06).

[321]  Stefano Tessaro,et al.  Optimal Resilience for Erasure-Coded Byzantine Distributed Storage , 2005, International Conference on Dependable Systems and Networks (DSN'06).

[322]  Miroslaw Malek,et al.  Weakly-Persistent Causal Objects in Dynamic Distributed Systems , 2006, 2006 25th IEEE Symposium on Reliable Distributed Systems (SRDS'06).

[323]  Markus Jakobsson,et al.  A Micro-Payment Scheme Encouraging Collaboration in Multi-hop Cellular Networks , 2003, Financial Cryptography.

[324]  Johan Karlsson,et al.  Comparison of Physical and Software-Implemented Fault Injection Techniques , 2003, IEEE Trans. Computers.

[325]  Mieke Massink,et al.  Specification and Verification of Media Constraints using UPAAL , 1998, DSV-IS.

[326]  J. Kaiser,et al.  Survey of mobile ad hoc network routing protocols , 2005 .

[327]  Dong Chen,et al.  Reliability and availability analysis for the JPL Remote Exploration and Experimentation System , 2002, Proceedings International Conference on Dependable Systems and Networks.

[328]  Yves Crouzet,et al.  Benchmarking the dependability of Windows and Linux using PostMark/spl trade/ workloads , 2005, 16th IEEE International Symposium on Software Reliability Engineering (ISSRE'05).

[329]  Refik Molva,et al.  Core: a collaborative reputation mechanism to enforce node cooperation in mobile ad hoc networks , 2002, Communications and Multimedia Security.

[330]  GERNOT METZE,et al.  On the Connection Assignment Problem of Diagnosable Systems , 1967, IEEE Trans. Electron. Comput..

[331]  Ozalp Babaoglu,et al.  ACM Transactions on Computer Systems , 2007 .

[332]  FriedmanRoy,et al.  Simple and Efficient Oracle-Based Consensus Protocols for Asynchronous Byzantine Systems , 2005 .

[333]  Flemming Nielson,et al.  Two-Level Semantics and Abstract Interpretation , 1989, Theor. Comput. Sci..

[334]  Philippe A. Palanque,et al.  Verification of an interactive software by analysis of its formal specification , 1995, INTERACT.

[335]  Paulo Veríssimo,et al.  Intrusion-tolerant middleware: the road to automatic security , 2006, IEEE Security & Privacy.

[336]  Ilir Gashi,et al.  Rephrasing Rules for Off-The-Shelf SQL Database Servers , 2006, 2006 Sixth European Dependable Computing Conference.

[337]  Ji Zhu,et al.  Robustness benchmarking for hardware maintenance events , 2003, 2003 International Conference on Dependable Systems and Networks, 2003. Proceedings..

[338]  Chris Smith,et al.  Secure and Provable Service Support for Human-Intensive Real-Estate Processes , 2006, 2006 IEEE International Conference on Services Computing (SCC'06).

[339]  Santosh K. Shrivastava,et al.  Constructing Dependable Web Services , 1999, IEEE Internet Comput..

[340]  Karama Kanoun,et al.  A System Dependability Modeling Framework Using AADL and GSPNs , 2006, WADS.

[341]  Birgit Pfitzmann,et al.  Soundness Limits of Dolev-Yao Models , 2006 .

[342]  Michel Raynal,et al.  The Committee Decision Problem , 2006, LATIN.

[343]  R. Guerraoui,et al.  Best-Case Complexity of Asynchronous Byzantine Consensus , 2005 .

[344]  David Moore,et al.  Code-Red: a case study on the spread and victims of an internet worm , 2002, IMW '02.

[345]  Tyson Condie,et al.  Simulating A File-Sharing P2P Network , 2003 .

[346]  Kang G. Shin,et al.  DIAGNOSIS OF PROCESSORS WITH BYZANTINE FAULTS IN A DISTRIBUTED COMPUTING SYSTEM. , 1987 .

[347]  Birgit Pfitzmann,et al.  A model for asynchronous reactive systems and its application to secure message transmission , 2001, Proceedings 2001 IEEE Symposium on Security and Privacy. S&P 2001.

[348]  Norman E. Fenton,et al.  Quantitative Analysis of Faults and Failures in a Complex Software System , 2000, IEEE Trans. Software Eng..

[349]  Priya Narasimhan,et al.  Thema: Byzantine-fault-tolerant middleware for Web-service applications , 2005, 24th IEEE Symposium on Reliable Distributed Systems (SRDS'05).

[350]  Flaviu Cristian,et al.  Reaching agreement on processor-group membrship in synchronous distributed systems , 1991, Distributed Computing.

[351]  Mike Hill,et al.  Safety analysis of Hawk In Flight monitor , 1999, PASTE '99.

[352]  Jamal N. Al-Karaki,et al.  Stability helps quality of service routing in wireless ad hoc networks , 2004, IEEE International Conference on Performance, Computing, and Communications, 2004.

[353]  Burton H. Bloom,et al.  Space/time trade-offs in hash coding with allowable errors , 1970, CACM.

[354]  David Cooper,et al.  SafSec: Commonalities Between Safety and Security Assurance , 2005, SSS.

[355]  Steffen Becker,et al.  Towards an Engineering Approach to Component Adaptation , 2004, Architecting Systems with Trustworthy Components.

[356]  Richard J. Lipton,et al.  Hints on Test Data Selection: Help for the Practicing Programmer , 1978, Computer.

[357]  Fabien Pouget White paper: honeypot, honeynet, honeytoken: terminological issues , 2003 .

[358]  Roberto Beraldi,et al.  Structure-less content-based routing in mobile ad hoc networks , 2005, ICPS '05. Proceedings. International Conference on Pervasive Services, 2005..

[359]  Farnam Jahanian,et al.  The Internet Motion Sensor - A Distributed Blackhole Monitoring System , 2005, NDSS.

[360]  Liam J. Bannon,et al.  From Human Factors to Human Actors: The Role of Psychology and Human-Computer Interaction Studies in System Design , 1992, Design at Work.

[361]  Flemming Nielson A denotational framework for data flow analysis , 2004, Acta Informatica.

[362]  Giovanni Pau,et al.  Code torrent: content distribution using network coding in VANET , 2006, MobiShare '06.

[363]  Birgit Pfitzmann,et al.  Limits of the Cryptographic Realization of Dolev-Yao-Style XOR , 2005, ESORICS.

[364]  Paul D. Ezhilchelvan,et al.  A Performance Study on the Signal-On-Fail Approach to Imposing Total Order in the Streets of Byzantium , 2006, International Conference on Dependable Systems and Networks (DSN'06).

[365]  Ben Y. Zhao,et al.  OceanStore: an architecture for global-scale persistent storage , 2000, SIGP.

[366]  Neeraj Suri,et al.  Continual On-Line Diagnosis of Hybrid Faults , 1995 .

[367]  Mario Jeckle,et al.  Active UDDI - An Extension to UDDI for Dynamic and Fault-Tolerant Service Invocation , 2002, Web, Web-Services, and Database Systems.

[368]  Michael D. Harrison,et al.  Demonstration of Safety in Healthcare Organisations , 2006, SAFECOMP.

[369]  Nancy G. Leveson,et al.  Beyond Normal Accidents and High Reliability Organizations: The Need for an Alternative Approach to Safety in Complex Systems , 2004 .

[370]  Danny Dolev,et al.  On the security of public key protocols , 1981, 22nd Annual Symposium on Foundations of Computer Science (sfcs 1981).

[371]  D. Powell,et al.  The Delta-4 Approach to Dependability in Open Distributed Computing Systems , 1995, Twenty-Fifth International Symposium on Fault-Tolerant Computing, 1995, ' Highlights from Twenty-Five Years'..

[372]  Nancy A. Lynch,et al.  Impossibility of distributed consensus with one faulty process , 1983, PODS '83.

[373]  Michael Hildebrandt,et al.  Paintshop: A Microworld Experiment Investigating Temporal Decisions in a Supervisory Control Task , 2004 .

[374]  Andrea Bondavalli,et al.  Dependability Evaluation of Web Service-Based Processes , 2006, EPEW.

[375]  Mario Dal Cin,et al.  Reproducible dependability benchmarking experiments based on unambiguous benchmark setup descriptions , 2003, 2003 International Conference on Dependable Systems and Networks, 2003. Proceedings..

[376]  Andrea Bondavalli,et al.  Hardware and Software Fault Tolerance: Definition and Evaluation of Adaptive Architectures in a Distributed Computing Environment , 1997 .

[377]  B. Nordstrom FINITE MARKOV CHAINS , 2005 .

[378]  Gianfranco Ciardo,et al.  A data structure for the efficient Kronecker solution of GSPNs , 1999, Proceedings 8th International Workshop on Petri Nets and Performance Models (Cat. No.PR00331).

[379]  Sam Toueg,et al.  The weakest failure detector for solving consensus , 1996, JACM.

[380]  Domenico Cotroneo,et al.  An automated distributed infrastructure for collecting Bluetooth field failure data , 2005, Eighth IEEE International Symposium on Object-Oriented Real-Time Distributed Computing (ISORC'05).

[381]  Capers Jones,et al.  Why software fails , 1996 .

[382]  Budi Arief,et al.  On using the CAMA framework for developing open mobile fault tolerant agent systems , 2006, SELMAS '06.

[383]  Leslie Lamport,et al.  A fast mutual exclusion algorithm , 1987, TOCS.

[384]  Harrison,et al.  Time as a dimension in the design and analysis of interactive systems , 2006 .

[385]  Martin Hiller,et al.  An experimental comparison of fault and error injection , 1998, Proceedings Ninth International Symposium on Software Reliability Engineering (Cat. No.98TB100257).

[386]  Hélène Waeselynck,et al.  Simulated annealing applied to test generation: landscape characterization and stopping criteria , 2007, Empirical Software Engineering.

[387]  Rachid Guerraoui,et al.  Consensus in Asynchronous Distributed Systems: A Concise Guided Tour , 1999, Advances in Distributed Systems.

[388]  Ravishankar K. Iyer,et al.  An experimental study of security vulnerabilities caused by errors , 2001, 2001 International Conference on Dependable Systems and Networks.

[389]  Sangjoon Park,et al.  A survivability strategy in mobile networks , 2006, IEEE Trans. Veh. Technol..

[390]  Mary Beth Rosson,et al.  Usability Engineering: Scenario-based Development of Human-Computer Interaction , 2001 .

[391]  Maurice Herlihy,et al.  Linearizability: a correctness condition for concurrent objects , 1990, TOPL.

[392]  Andy J. Wellings,et al.  GUARDS: A Generic Upgradable Architecture for Real-Time Dependable Systems , 1997, IEEE Trans. Parallel Distributed Syst..

[393]  Anne-Marie Kermarrec,et al.  The Peer Sampling Service: Experimental Evaluation of Unstructured Gossip-Based Implementations , 2004, Middleware.

[394]  A. Bondavalli,et al.  Dependability modeling and evaluation of phased mission systems: a DSPN approach , 1999, Dependable Computing for Critical Applications 7.

[395]  Yehuda Afek,et al.  Fast, wait-free (2k-1)-renaming , 1999, PODC '99.

[396]  Marc Dacier,et al.  Lessons learned from the deployment of a high-interaction honeypot , 2006, 2006 Sixth European Dependable Computing Conference.

[397]  Andrea Bondavalli,et al.  Analyzing quality of service of GPRS network systems from a user's perspective , 2002, Proceedings ISCC 2002 Seventh International Symposium on Computers and Communications.

[398]  Vladimir Tosic,et al.  Management applications of the Web Service Offerings Language (WSOL) , 2005, Inf. Syst..

[399]  Jaynarayan H. Lala,et al.  Foundations of Intrusion Tolerant Systems , 2003, Foundations of Intrusion Tolerant Systems, 2003 [Organically Assured and Survivable Information Systems].

[400]  Nancy A. Lynch,et al.  Distributed Algorithms , 1992, Lecture Notes in Computer Science.


[690]  Hélène Waeselynck,et al.  Deriving test sets from partial proofs , 2004, 15th International Symposium on Software Reliability Engineering.

[691]  Mieke Massink,et al.  Reasoning about Interactive Systems with Stochastic Models , 2001, DSV-IS.

[692]  Andrea Bondavalli,et al.  A new Heuristic to Discriminate Transient from Intermittent Faults , 1998 .

[693]  Howard Bowman,et al.  Analysing Cognitive Behaviour using LOTOS and Mexitl , 1999, Formal Aspects of Computing.

[694]  Lorenzo Strigini,et al.  Protective Wrapping of Off-the-Shelf Components , 2005, ICCBSS.

[695]  G. P. Faconti Reasoning on gestural interfaces through syndetic modelling] , 1996, SGCH.

[696]  A CSP Framework for Analysing Fault-Tolerant Distributed Systems , 2004 .

[697]  Charles E. Perkins,et al.  Ad hoc On-Demand Distance Vector (AODV) Routing , 2001, RFC.

[698]  Friedrich W. von Henke,et al.  Modular Formal Analysis of the Central Guardian in the Time-Triggered Architecture , 2004, SAFECOMP.

[699]  Lorenzo Strigini,et al.  Formalising Engineering Judgement on Software Dependability via Belief Networks , 1998 .

[700]  Roy Friedman,et al.  Simple and Efficient Oracle-Based Consensus Protocols for Asynchronous Byzantine Systems , 2005, IEEE Trans. Dependable Secur. Comput..

[701]  G. Hardin,et al.  The Tragedy of the Commons , 1968, Green Planet Blues.

[702]  Jean Arlat,et al.  MAFALDA-RT: a tool for dependability assessment of real-time systems , 2002, Proceedings International Conference on Dependable Systems and Networks.

[703]  Volkmar Sieh,et al.  UMLinux - A Versatile SWIFI Tool , 2002, EDCC.

[704]  Brian A. Coan,et al.  Extending Binary Byzantine Agreement to Multivalued Byzantine Agreement , 1984, Inf. Process. Lett..

[705]  Richard Lippmann,et al.  Analysis and Results of the 1999 DARPA Off-Line Intrusion Detection Evaluation , 2000, Recent Advances in Intrusion Detection.