Please use the horus navigation bar under the title picture to visit the Horus Web pages with all publications, information on how to get the software, links to related projects and other useful information. A Quad chart with an overview of the project is also available.

OBJECTIVE

APPROACH

Reliable group communication arises whenever a collection of two or more programs need to cooperate in a networked environment. Our general interest is in providing tools for building reliable computing applications in extremely demanding NII environments, characterized by tight response time constraints, specifications that mandate certain levels of data throughput, latency and error supression, and in which security or privacy are combined with fault-tolerance considerations.

A good example of such an application would involve a co-processor for a modern telecommunication switch. Such co-processors must be highly fault-tolerant while respecting tight real-time constraints even as they reconfigure because of a failure or system upgrade. They raise challenging parallelism and security issues, and are clearly beyond the capabilities of first-generation process-group systems such as the Isis Toolkit, which we developed under ARPA funding during the period 1985-1990. A general discussion of the approach can be found in our May, 1996 Scientific American article, a copy of which is available online in the Scientific American web server.

The main criticism of process group systems like Isis is that they tend to be inflexible, providing all users with a single set of interfaces, and having a single fixed notion of ``reliability’’ that will often be mismatched with the specialized forms of reliability needed in demanding applications. No single reliability solution can satisfy all needs. For this reason, Horus is designed to be extremely flexible. The presentation of Horus can be varied depending on the need, by embedding it into existing operating system or language environments. And the properties of Horus process groups can also be customized, ranging from Isis-style process groups (used for fault-tolerant replication of data and services) to other sorts of groupware or collaborative workgroup applications, where reliability may involve providing isochronous communication, security, or other properties. Horus obtains this flexibilty using a unique plug-and-play architecture (we describe it as resembling a “lego” construction set).

Both Horus and Isis make use of a communication model called virtual synchrony, which was introduced by Isis in 1987. This model makes it possible to implement fault-tolerance in software, and also proves to be a powerful source of design simplification and a useful conceptual tool for distributed software designers. Horus and Isis support toolkits with solutions to problems such as consistent replication of data (with or without persistence), load balanced request execution, and even availability of services in the presense of network partitions.

Much of the distributed systems community has adopted this model, and the underlying theory is increasingly well understood. This theory is making it possible for us to develop security solutions that avoid denial of service attacks and that can provide security in the presense of network partitioning failures.

Process group distributed computing has been remarkably successful in settings that demand fault-tolerant or self-managed distributed solutions. Isis is now a \$8M/year product line of Stratus Computers Inc., and is being used in settings such as the forthcoming new generation of the French air traffic control system, cellular telephone systems, stock exchanges, VLSI chip fabrication lines, and many others. The military has applied Isis in a number of projects, and other government agencies are launching similar efforts. A visible example is the HiperD Naval project (a prototype of next-generation AEGIS technology), which is using Isis to manage a network of high performance computers in support of battle management tasks.

Horus goes far beyond Isis in terms of flexibility and much higher performance. On the performance side, we have been working with Thorsten von Eicken's UNet and Active Message technology to layer Horus over ATM networks. This permitted us to demonstrate a ten-fold performance improvement over what Horus achieves on ethernet, which is itself a substantial improvement over the performance of Isis for similar tasks. Horus is also much more predictable than Isis, both in terms of guaranteeing low deliver latencies, and high data throughput rates. Indeed, we believe that video data rates and groupware/conferencing applications are within reach with Horus technology over ATM.

Illustrating this point, we built a realistic emulation of a telecommunications switch co-processor as an experimental application of Horus. We were able to show scalability, high performance (22,000 ``calls’’ per second, all completed within 100ms deadlines), and fault-tolerance (we can service the processor or crash nodes while continuously guaranteeing that deadlines will be met). The potential military applications of this approach include tracking and target assessment functions in systems like AEGIS, on-board fly-by-wire aircraft control, and other advanced applications requiring extreme reliability, guaranteed performance, and a high degree of autonomy.

Looking to the future, we see a major opportunity to unify the major themes of parallel, fault-tolerant, real-time, and secure distributed computing in a single, highly modular architecture. By doing so, and making the solutions sufficiently transparent and easy to use, Horus can offer a major step forward in our ability to engineer demanding distributed applications. Today, robust distributed computing remains an ad-hoc problem that we deal with largely as an after-thought. With Horus, security and fault-tolerance can be introduced transparently into conventional distributed systems, even as more ambitious distributed systems benefit from a uniquely powerful, flexible, and high performance technology base. Such a technology is urgently needed by industry, and we believe Horus will demonstrate that extremely powerful integrated solutions are reaching the level of maturity demanded by ambitious commercial application developers.

All our research on Horus is freely available to other research groups in academic settings, industry, or the military. Through industry collaborations with Isis Distributed Systems, a subsidiary of Stratus Computer, BBN, and others, Horus will also become a commercial product line within the next two years or so.

Recent Acccomplishments

• Developed a protocol accelerator that eliminates overheads in the layered Horus architecture. Over the U-Net technology, demonstrated 10-fold to 100-fold performance improvements over our prior group communication technology, Isis, on the same hardware. Horus can multicast as many as 85,000 small messages per second to groups of 3 or 4 members, with end-to-end latencies as low as 35usecs.
• Showed how this version of Horus can be used to build cluster-styled servers with guaranteed realtime response and fault-tolerance. Focusing on a realistic telecommunications application, prototyped a telecommunications co-processor architecture that guarantees 100ms response times on 22,000 requests per second with predicted downtown of less than 3 seconds per year. Our architecture is fully fault-tolerant and can adapt itself to overcome hardware or software failures in realtime, without missing request deadlines.
• Integrated Horus with the Fortezza security architecture and hardware. The resulting security tools let us transparently add message signatures or encryption to a Horus application that also has fault-tolerance or realtime properties.
• Used Horus to build a fault-tolerant web browser. We believe this is the first browser that can distribute updates to web pages in realtime. We used it to build a distribued whiteboard on the web, featuring fault-tolerance, state transfer, dynamic protocol switching, and (if desired) Fortezza security.
• Ported Horus to Windows/NT. Developed an ML version of Horus that is suitable for formal analysis and verification, made it available for general use.
• Publications: Our effort and the Transis and NuPrl groups with which we collaborate have resulted in numberous publications during 1995-1996, including a book to be published by Prentice Hall later in 1996, a special section of the April 1996 Communications of the ACM, and an article in Scientific American in May 1996.

Plans for 1997.

• Use a version of Horus integrated with Brian Smith’s Tcl/DP tools as basis for Cornell’s new CU-Links system, an ATM campus network that will provide groupware and collaborative work solutions for 15,000 researchers, medical workers and students at Cornell and in its hospital.
• Package the existing Horus real-time solutions for distribution to a serious early user community. Explore possible relationships with Microsoft based on our Windows/NT work with Horus.
• Continue to collaborate with Hebrew University Transis group to extend the fault-tolerance properties of our initial security architecture, addressing such issues as security in disconnected and partitionable networks. Collaborate with theoretically oriented research groups at Cornell, Hebrew University and MIT to explore the use of formal tools to ``harden'' critical Horus layers for highly assured applications.
• Extend the new Fortezza-based Horus security architecture to include flexible firewalls and wrappers that can intercept system calls and apply security policies to them. Collaborate with Hebrew University group to explore security issues in the presence of network partitioning and disconnected operation.

Technology transition

Isis plans to launch a Horus-based product line focused on real-time applications, high performance embedded availability applications, and other Horus applications that exceed the performance or flexibility capabilities of Isis. The Isis commercial effort focuses on adding value to Horus, incorporating it into end-user deliverables, and supporting the resulting technology. Stratus Computer, the parent company

of Isis, is exploring the use of Horus in its RADIO architecture: a new generation of PC based scalable, parallel, highly available cluster computing products that run the NT operating system.