
Distributed Mutual Exclusion (2 Files Merged)

The document discusses distributed mutual exclusion algorithms, highlighting the differences between single-computer and distributed systems, and classifying algorithms into token-based and non-token-based approaches. It details key algorithms such as Lamport's, Ricart-Agrawala, and Suzuki-Kasami's, outlining their mechanisms for ensuring mutual exclusion and performance metrics for evaluation. Additionally, it addresses security principles and potential violations related to unauthorized access and information handling.

DISTRIBUTED MUTUAL EXCLUSION
DISTRIBUTED MUTUAL EXCLUSION: CLASSIFICATION – REQUIREMENTS – MEASURING PERFORMANCE – LAMPORT’S ALGORITHM – RICART–AGRAWALA ALGORITHM – SUZUKI–KASAMI’S BROADCAST ALGORITHM.
MUTUAL EXCLUSION IN SINGLE-COMPUTER SYSTEM VS DISTRIBUTED SYSTEM
• In a single-computer system, solutions to the mutual exclusion problem can be easily implemented using shared variables.

• Because of the shared memory, the status of shared resources and users is readily available.

• But in distributed systems, shared resources and users are distributed and shared memory doesn’t exist.

• So approaches based on shared variables are not applicable, and approaches based on message passing must be used.
CLASSIFICATION OF MUTUAL EXCLUSION ALGORITHMS
• Mutual exclusion algorithms in distributed systems are classified mainly into two classes:
• Token based
• Non-token based

• In the non-token-based approach, two or more successive rounds of messages are exchanged among the processes to determine who will enter the CS next.

• A process enters the critical section (CS) when an assertion, defined on its local variables, becomes true.
CLASSIFICATION OF MUTUAL EXCLUSION ALGORITHMS

• In the token-based approach, a unique token is shared among the processes.

• A process is allowed to enter its CS if it possesses the token, and it continues to hold the token until the execution of the CS is over.

• Mutual exclusion is ensured because the token is unique.


REQUIREMENTS OF ME ALGORITHMS

• The primary objective of an ME algorithm is to guarantee that only one request accesses the CS at a time.
• In addition, the following characteristics are also considered important:

1. Freedom from deadlocks: Two or more sites/processes should not endlessly wait for messages that will never arrive.

2. Freedom from starvation: A site must not wait indefinitely to execute the CS while other sites are repeatedly executing the CS.
REQUIREMENTS OF ME ALGORITHMS

3. Fairness: The fairness property generally means that CS execution requests are executed in order of their arrival in the system.

4. Fault tolerance: In case of a failure, the algorithm can reorganize itself so that it continues to function without any disruptions.
MEASURING PERFORMANCE

• The performance of mutual exclusion algorithms is generally measured by the following 4 metrics:

• Message complexity
• Synchronization delay
• Response time
• System throughput
MEASURING PERFORMANCE

• Message complexity: This is the number of messages that are required per CS execution by a site.

• Synchronization delay: This is the time required after a site leaves the CS and before the next site enters the CS.

• Response time: This is the time interval a request waits for its CS execution to be over after its request messages have been sent out.

• System throughput: This is the rate at which the system executes requests for the CS.
MEASURING PERFORMANCE
• If SD is the synchronization delay and E is the average critical section execution time, then the throughput is given by the following equation:
System throughput = 1/(SD + E)
LOW AND HIGH LOAD PERFORMANCE
• The performance of a mutual exclusion algorithm depends upon the load.

• The performance of mutual exclusion algorithms is studied under two special loading conditions, “low load” and “high load.”

• Under low load conditions, there is seldom more than one request for the critical section present in the system simultaneously.
LOW AND HIGH LOAD PERFORMANCE

• Under heavy load conditions, there is always a pending request for the critical section at a site.

• A site is seldom in the idle state in heavy load conditions.

• Performance metrics for ME algorithms can be easily calculated with mathematical reasoning.
BEST AND WORST CASE PERFORMANCE

• In the best case, prevailing conditions are such that a performance metric attains the best possible value.

• In most mutual exclusion algorithms the best value of the response time is a roundtrip message delay plus the CS execution time, 2T + E.

• The best and worst cases coincide with low and high loads, respectively.
NON TOKEN BASED ALGORITHMS
• In non-token-based algorithms, a site communicates with a set of other sites to decide who should execute the CS next.

• For a site Si, the request set Ri contains the ids of all those sites from which site Si must acquire permission before entering the CS.

• Non-token-based algorithms use timestamps to order requests for the CS and to resolve conflicts between simultaneous requests for the CS.

• These algorithms maintain logical clocks and update them according to Lamport’s scheme. Each request for the CS gets a timestamp, and requests with smaller timestamps get priority over requests with larger timestamps.
LAMPORT’S ALGORITHM
• Lamport developed a distributed mutual exclusion algorithm as an illustration of his clock synchronization scheme. Requests for the CS are executed in the order of their timestamps, and time is determined by logical clocks.

• When a site processes a request for the CS, it updates its local clock and assigns the request a timestamp. The algorithm executes CS requests in the increasing order of timestamps.

• Every site Si keeps a queue, request_queue_i, which contains mutual exclusion requests ordered by their timestamps.
LAMPORT’S ALGORITHM: Requesting Critical Section

• When a site Si wants to enter the CS, it broadcasts a REQUEST(ts_i, i) message to all other sites and places the request on request_queue_i.

• When a site Sj receives the REQUEST(ts_i, i) message from site Si, it places site Si’s request on request_queue_j and returns a timestamped REPLY message to Si.
LAMPORT’S ALGORITHM: Executing the critical section
• Site Si enters the CS when the following two conditions hold:

L1: Si has received a message with timestamp larger than (ts_i, i) from all other sites.

L2: Si’s request is at the top of request_queue_i.


LAMPORT’S ALGORITHM: Releasing the critical section

• Site Si, upon exiting the CS, removes its request from the top of its
request queue and broadcasts a timestamped RELEASE message to all
other sites.

• When a site Sj receives a RELEASE message from site Si, it removes Si’s
request from its request queue.

• When a site removes a request from its request queue, its own request
may come at the top of the queue, enabling it to enter the CS.
LAMPORT’S ALGORITHM: Example
• Figure: S1 and S2 making request for CS
• Figure: S2 entering the CS
• Figure: S2 exits from CS and sends release message
• Figure: S1 entering the CS
LAMPORT’S ALGORITHM: Performance
• For each CS execution, Lamport’s algorithm requires N − 1 REQUEST messages, N − 1 REPLY messages, and N − 1 RELEASE messages.

• That is, it requires 3(N − 1) messages per CS invocation.

• Lamport’s algorithm can be optimized by reducing the number of messages to lie between 3(N − 1) and 2(N − 1).

• This can be achieved by suppressing REPLY messages in certain situations.


RICART–AGRAWALA ALGORITHM
• The Ricart–Agrawala algorithm assumes that the communication channels are FIFO.

• The algorithm uses two types of messages:
• REQUEST
• REPLY
• A process sends a REQUEST message to all other processes to request their permission to enter the critical section.

• A process sends a REPLY message to a process to give its permission to that process.
RICART–AGRAWALA ALGORITHM
• The algorithm uses Lamport-style logical clocks to assign a timestamp to critical section requests.

• Timestamps are used to decide the priority of requests in case of conflict.

• In this algorithm, for every requesting site, the site with higher priority (smaller timestamp) will always defer the request of the lower-priority site.

• So the process with high priority gets to execute the CS.


RICART–AGRAWALA ALGORITHM- Requesting critical section
• When a site Si wants to enter the CS, it broadcasts a timestamped REQUEST message to all other sites.
• When site Sj receives a REQUEST message from site Si, it sends a REPLY message to site Si:
1) If site Sj is neither requesting nor executing the CS, or
2) If site Sj is requesting and the timestamp of Si’s request is smaller than the timestamp of site Sj’s own request.

• Otherwise the request is deferred.


RICART–AGRAWALA ALGORITHM- Executing and Releasing critical section
Executing the critical section
• Site Si enters the CS after it has received a REPLY message from every site it sent a REQUEST message to.

Releasing the critical section
• When site Si exits the CS, it sends REPLY messages to all deferred requests.
• The site with the next highest priority request receives the last needed REPLY message and enters the CS.
RICART–AGRAWALA ALGORITHM- Performance
• For each CS execution, the Ricart–Agrawala algorithm requires N − 1 REQUEST
messages and N − 1 REPLY messages.

• Thus, it requires 2(N −1) messages per CS execution.


RICART–AGRAWALA ALGORITHM- Example
• Figure: S1 & S2 making request to enter critical section
• Figure: S2 exits the critical section
• Figure: S1 exits the critical section
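The Ricart–Agrawala request, deferral and release rules above, run as a small single-process simulation (an added example, not part of the original slides). The `Network` queue, the `simulate` driver and the 0-based site ids are assumptions of this example; the check in `_enter` guards mutual exclusion, and `net.sent` lets the 2(N − 1) message count be confirmed.

```python
from collections import deque


class Network:
    """One FIFO queue standing in for reliable FIFO channels (example assumption)."""
    def __init__(self):
        self.queue, self.sent, self.sites = deque(), 0, []

    def send(self, kind, src, dst, ts):
        self.sent += 1
        self.queue.append((kind, src, dst, ts))

    def run(self):
        # Deliver messages in the order they were sent until none are left.
        while self.queue:
            kind, src, dst, ts = self.queue.popleft()
            self.sites[dst].on_message(kind, src, ts)


class Site:
    def __init__(self, sid, net, log):
        self.sid, self.net, self.log = sid, net, log
        self.clock = 0              # Lamport logical clock
        self.state = "idle"         # idle | requesting | executing
        self.req_ts = None          # (timestamp, site id) of the pending request
        self.awaiting = set()       # sites whose REPLY is still missing
        self.deferred = []          # sites whose REQUEST was deferred

    def request_cs(self):
        self.clock += 1
        self.state = "requesting"
        self.req_ts = (self.clock, self.sid)
        others = [s.sid for s in self.net.sites if s.sid != self.sid]
        self.awaiting = set(others)
        for j in others:
            self.net.send("REQUEST", self.sid, j, self.req_ts)
        if not others:              # single-site system: nothing to wait for
            self._enter()

    def on_message(self, kind, src, ts):
        self.clock = max(self.clock, ts[0]) + 1
        if kind == "REQUEST":
            # Defer while executing, or while requesting with the smaller
            # (timestamp, id) pair, i.e. the higher priority.
            mine_first = self.state == "requesting" and self.req_ts < ts
            if self.state == "executing" or mine_first:
                self.deferred.append(src)
            else:
                self.net.send("REPLY", self.sid, src, (self.clock, self.sid))
        elif kind == "REPLY":
            self.awaiting.discard(src)
            if self.state == "requesting" and not self.awaiting:
                self._enter()

    def _enter(self):
        if any(s.state == "executing" for s in self.net.sites):
            raise RuntimeError("mutual exclusion violated")
        self.state = "executing"
        self.log.append(self.sid)

    def release_cs(self):
        self.state = "idle"
        for j in self.deferred:     # send the REPLY messages that were held back
            self.net.send("REPLY", self.sid, j, (self.clock, self.sid))
        self.deferred = []


def simulate(n, requesters):
    """All requesters ask concurrently; returns (CS entry order, messages sent)."""
    net, log = Network(), []
    net.sites = [Site(i, net, log) for i in range(n)]
    for i in requesters:
        net.sites[i].request_cs()
    net.run()
    for _ in requesters:
        holder = next(s for s in net.sites if s.state == "executing")
        holder.release_cs()
        net.run()
    return log, net.sent


if __name__ == "__main__":
    print(simulate(3, [1, 2]))
```

With equal timestamps the tie is broken by site id, so in `simulate(3, [1, 2])` site 1 defers site 2 and enters first.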
TOKEN-BASED ALGORITHM
• A unique token is shared among all sites.
• A site is allowed to enter its critical section if it possesses the token.
• Token-based algorithms use sequence numbers instead of timestamps.
• Every request for the token contains a sequence number, and the sequence numbers of sites advance independently.
• A site increments its sequence number counter every time it makes a request for the token.
• The primary function of the sequence number is to distinguish between old and current requests for the token.
SUZUKI–KASAMI’S BROADCAST ALGORITHM
• If a site attempting to enter a CS does not have the token, it broadcasts a REQUEST message for the token to all other sites.

• A site that possesses the token sends it to the site that sends the REQUEST message.

• If the site possessing the token is executing the CS, it sends the token only after it has exited the CS.

• A site holding the token can repeatedly enter the critical section until it sends the token to some other site.
SUZUKI–KASAMI’S BROADCAST ALGORITHM
• The main design issues in this algorithm are:

• How to distinguish an outdated REQUEST message from a current REQUEST message.

• How to determine which site has an outstanding request for the CS.


SUZUKI–KASAMI’S BROADCAST ALGORITHM
• Outdated REQUEST messages are distinguished from current REQUEST messages in the following manner:
• A REQUEST message of site Sj has the form REQUEST(j, n), where n (n = 1, 2, …) is a sequence number that indicates that site Sj is requesting its nth CS execution.

• A site Si keeps an array of integers RNi[1, …, N], where RNi[j] denotes the largest sequence number received in a REQUEST message so far from site Sj.

• When site Si receives a REQUEST(j, n) message, it sets RNi[j] = max(RNi[j], n).
SUZUKI–KASAMI’S BROADCAST ALGORITHM
• When a site Si receives a REQUEST(j, n) message, the request is outdated if RNi[j] > n.
• Sites with outstanding requests for the CS are determined in the following manner:
• The token consists of a queue of requesting sites, Q, and an array of integers LN[1, …, N], where LN[j] is the sequence number of the request which site Sj executed most recently.
• After executing its CS, a site Si updates LN[i] := RNi[i] to indicate that its request corresponding to sequence number RNi[i] has been executed.
• The token array LN[1, …, N] permits a site to determine if a site has an outstanding request for the CS.
SUZUKI–KASAMI’S BROADCAST ALGORITHM
• At site Si, if RNi[j] = LN[j]+1, then site Sj is currently requesting the token.

• After executing the CS, a site checks this condition for all the j’s to determine all the sites that are requesting the token and places their i.d.’s in queue Q if these i.d.’s are not already present in Q.

• Finally the site sends the token to the site whose i.d. is at the head of Q.
REQUESTING THE CRITICAL SECTION:

• If requesting site Si does not have the token, then it increments its sequence number, RNi[i], and sends a REQUEST(i, sn) message to all other sites. (“sn” is the updated value of RNi[i].)

• When a site Sj receives this message, it sets RNj[i] to max(RNj[i], sn). If Sj has the idle token, then it sends the token to Si if RNj[i] = LN[i]+1.
EXECUTING AND RELEASING THE CRITICAL SECTION:
Executing CS
• Site Si executes the CS after it has received the token.
Releasing the CS
Having finished the execution of the CS, site Si takes the following actions:
• It sets LN[i] element of the token array equal to RNi[i].
• For every site Sj whose i.d. is not in the token queue, it appends its i.d. to the token
queue if RNi[j] = LN[j]+1.

• If the token queue is nonempty after the above update, Si deletes the top site i.d.
from the token queue and sends the token to the site indicated
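The RN/LN bookkeeping of the Suzuki–Kasami algorithm above, as a single-process simulation that ends by delivering a delayed duplicate REQUEST to the idle token holder (an added example, not part of the original slides). The `Network` queue, the fixed four-site scenario in `simulate` and the 0-based site ids are assumptions of this example.

```python
from collections import deque


class Token:
    def __init__(self, n):
        self.Q = deque()      # ids of sites waiting for the token
        self.LN = [0] * n     # LN[j]: sequence number of Sj's last executed request


class Network:
    """One FIFO queue delivering messages in send order (example assumption)."""
    def __init__(self):
        self.queue, self.sent, self.sites = deque(), 0, []

    def send(self, dst, msg):
        self.sent += 1
        self.queue.append((dst, msg))

    def run(self):
        while self.queue:
            dst, msg = self.queue.popleft()
            self.sites[dst].on_message(msg)


class Site:
    def __init__(self, sid, n, net, log):
        self.sid, self.n, self.net, self.log = sid, n, net, log
        self.RN = [0] * n     # RN[j]: largest sequence number seen from Sj
        self.token = None
        self.in_cs = False

    def request_cs(self):
        if self.token is not None:          # holder can enter without messages
            self._enter()
            return
        self.RN[self.sid] += 1
        for j in range(self.n):
            if j != self.sid:
                self.net.send(j, ("REQUEST", self.sid, self.RN[self.sid]))

    def on_message(self, msg):
        if msg[0] == "TOKEN":
            self.token = msg[1]
            self._enter()
            return
        _, j, n = msg
        if self.RN[j] > n:                  # outdated REQUEST: ignore it
            return
        self.RN[j] = max(self.RN[j], n)
        idle_holder = self.token is not None and not self.in_cs
        # Pass the token only for a request that has not been executed yet.
        if idle_holder and self.RN[j] == self.token.LN[j] + 1:
            self._pass_token(j)

    def _pass_token(self, j):
        token, self.token = self.token, None
        self.net.send(j, ("TOKEN", token))

    def _enter(self):
        self.in_cs = True
        self.log.append(self.sid)

    def release_cs(self):
        self.in_cs = False
        t = self.token
        t.LN[self.sid] = self.RN[self.sid]
        for j in range(self.n):             # queue every site with RN[j] = LN[j]+1
            if j not in t.Q and self.RN[j] == t.LN[j] + 1:
                t.Q.append(j)
        if t.Q:
            self._pass_token(t.Q.popleft())


def simulate():
    """Returns (CS entry order, sites holding the token at the end, messages sent)."""
    n, net, log = 4, Network(), []
    s = net.sites = [Site(i, n, net, log) for i in range(n)]
    s[0].token = Token(n)                   # site 0 starts with the idle token
    s[2].request_cs(); net.run()            # site 2 gets the token and enters
    s[1].request_cs(); s[3].request_cs(); net.run()   # arrive while 2 is in the CS
    for i in (2, 1, 3):
        s[i].release_cs(); net.run()
    s[3].on_message(("REQUEST", 2, 1))      # constructed delayed duplicate
    net.run()
    return log, [x.sid for x in s if x.token is not None], net.sent


if __name__ == "__main__":
    print(simulate())
```

The duplicate REQUEST(2, 1) reaches site 3 after LN[2] is already 1, so RN[2] = LN[2] and the token stays where it is.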
SECURITY
Potential Security Violations – Design Principles for Secure Systems – The Access Matrix Model and Implementation – The Access Control List Method.
Potential Security Violations
• Protection and security deal with the control of unauthorized access to and use of the software and hardware resources of a computer.
• Potential security violations are classified into three categories:

• Unauthorized information release: An unauthorized person is able to read and take advantage of the information stored in a computer system.
• Unauthorized information modification: An unauthorized person is able to alter the information stored in a computer.
• Unauthorized denial of service: An unauthorized person prevents an authorized user from accessing the information stored in a computer.
Design Principles for secure Systems
• Following are the principles for designing a secure computer system:
• Economy
• Complete Mediation
• Open Design
• Separation of privileges
• Least Privilege
• Least common Mechanism
• Acceptability
• Fail-safe Defaults
Design Principles for secure systems
• Economy: A protection mechanism should be economical to develop and use and should not cause overhead to the system.

• Complete Mediation: The design of a good secure system requires that every request to access an object be checked.

• Open Design: A protection mechanism should not be dependent on the ignorance of the attackers regarding the protection mechanism. The protection mechanism should work even if its principles are known to the attacker.

• Separation of privileges: A mechanism that requires two keys to unlock a lock is more robust than a one-key approach (2 keys: 2 conditions satisfied).
Design Principles for secure systems
• Least Privilege: A subject/user should be given the bare minimum access rights that are sufficient to complete the task.

• Least common Mechanism: Mechanisms that are common to more than one user should be minimized, as a shared mechanism represents a potential information path between users and thus a threat to security.

• Acceptability: A protection mechanism should be simple to use or else it will deter users from using it.

• Fail-safe Default: The default case should be lack of access. If a design or implementation mistake is responsible for denial of access, it will eventually be discovered and fixed.
Access Matrix Model
• A protection system consists of mechanisms to control user access to system resources or to control information flow in the system.

• A model of protection abstracts the essential features of a protection system.

• The access matrix model is the most fundamental model of protection, which was first proposed by Lampson.
Access Matrix Model
The model consists of the following 3 components:

• Current Objects: Finite set of entities to which access is to be controlled. The set is denoted by O. (Example: a file.)

• Current Subjects: Finite set of entities that access current objects, denoted by S. (Example: a process.) Usually S is a subset of O.

• Generic Rights: A finite set of generic rights R = {r1, r2, r3, …, rm} gives the various access rights that subjects can have to objects.
The Protection State of a System
• The protection state of a system is represented by a triplet (S, O, P):

✓ S is the set of current subjects,

✓ O is the set of current objects, and

✓ P is a matrix called the access matrix, with a row for every current subject and a column for every current object.

• Each entry P[s,o] in the access matrix is a subset of R, the generic rights.

• It denotes the access rights which subject s has to object o.
Access matrix: Example
• The access matrix model of a protection system is very popular because of its simplicity, elegant structure, and amenability to various implementations.
The Protection State of a System
Enforcing a security policy
• A security policy is enforced by validating every user access for appropriate access rights.
• Every object has a monitor that validates all accesses to that object in the following manner:

1. A subject s requests an access α to object o.
2. The protection system presents the triplet (s, α, o) to the monitor of o.
3. The monitor looks into the access rights of s to o. If α ∈ P[s,o], then the access is permitted. Otherwise it is denied.
Implementation of Access Matrix
• There are 3 main implementation techniques of the access matrix :

1. Capabilities
2. The Access Control List Method
3. The Lock-key Method
Implementation of Access Matrix: Capabilities
• This method corresponds to the row-wise decomposition of the access matrix.

• Each subject s is assigned a list of tuples (o, P[s,o]) for all objects o that it is allowed to access.

• The tuples are referred to as capabilities.

• The list of capabilities assigned to a subject corresponds to the access rights contained in the row for subject s in the access matrix.

• At any time a subject is authorized to access only those objects for which it has capabilities.
Capabilities
• A capability has 2 fields:

• Object descriptor: an identifier for an object
• Access rights: indicates the allowed access rights to an object
• The object descriptor, in most cases, will be the address of the object, making this technique useful as an addressing mechanism, aside from protection.
• The main advantage of using capabilities as an addressing mechanism is that it provides absolute addresses.
Capability Based Addressing
• A user program issues a request to access a word within the object, which contains the
capability ID of the object and an offset (location of word within object).

• The capability id is used to search the capability list of user to locate the capability which
contains the allowed access rights and object descriptor.

• System checks whether the requested access is permitted by checking the capability.

• The base address of object is obtained from object table by using the object descriptor.

• Base address is added to offset in request to access exact memory location of the word.
Capability Based Addressing
• There are 2 features of capability-based addressing:
• Relocatability
• Sharing

• An object can be relocated anywhere in the memory without making any change to the capabilities that refer to it.

• Sharing is made easy as several programs can share the same object with different names (object descriptors) for the object.
Capability: Implementation
• There are two ways to implement capabilities:

• Tagged Approach
• Partitioned Approach

• In the tagged approach, one or more bits are attached to each memory location and to every processor register.
• If the tag bit is 1 (ON), it indicates the presence of a capability in the memory word or register.
Capability: Implementation
• In the partitioned approach, capabilities and ordinary data are partitioned, i.e., stored separately.

• There are two segments for every object: one segment storing only the ordinary data and the other storing only the capabilities of the object.

• The processor also has 2 sets of registers: one for ordinary data and the other for capabilities.

• Users cannot manipulate segments and registers storing capabilities.


Capability: Advantages
• A capability-based protection system has 3 main advantages:
• Efficiency
• Simplicity
• Flexibility
• It is efficient because the validity of an access can be easily tested.
• It is simple due to the natural correspondence between the structural properties of capabilities and the semantic properties of addressing variables.
• It is flexible as the capability system allows a user to decide which of his addresses contain capabilities.
Capability: Drawbacks
• Control of propagation: The copy of a capability for an object is propagated to many subjects, without the knowledge of the first subject which shared the capability.
• Review: The determination of all subjects who have access to an object is difficult.
• Revocation of access rights: As the copy of a capability for an object is being passed on from one object to another, revocation of access rights for the object is a difficult task.
• Garbage collection: When the capabilities for an object disappear from the system, the object is left inaccessible to users and becomes garbage.
Access Control List Method
• This method corresponds to the column-wise decomposition of the access matrix.

• Each object o is assigned a list of pairs (s, P[s,o]) for all subjects s that are allowed to access the object.

• The access list assigned to the object o corresponds to all access rights contained in the column for object o in the access matrix.
Access Control List Method
• When a subject s requests access α to object o, it is executed in the following manner:

• The system searches the access control list of o to find out if any entry (s, Φ) exists for the subject s.

• If an entry (s, Φ) exists for subject s, then the system checks to see if the requested access is permitted (i.e., α ∈ Φ).

• If the requested access is permitted, then the request is executed. Otherwise an appropriate exception is raised.
Access Control List Method: Implementation Considerations
• The execution efficiency of the access control list method is poor because an access control list has to be searched for every access to a protected object.
• Main features of the access control list method are:

• Easy Revocation: Revocation of access rights from a subject can be easily achieved by removing the subject’s entry from the object’s access control list.

• Easy Review of an Access: It is easy to determine the subjects which have access to the object by directly examining the access control list of the object.
Access Control List Method: Implementation issues
• There are 2 main issues in the implementation of the access control list method:

• Efficiency of Execution: For every access to a protected object, we have to search the access control list.

• Efficiency of storage: Since the list contains the subjects and access rights which have access to the corresponding protected object, the list requires a huge amount of storage.
Access Control List Method: Implementation
Efficiency of execution: Solution

Shadow register:
• Stores the access rights of a subject with respect to an object when the object is first accessed.
• Subsequent accesses of the object can refer to the shadow register for access rights.
• When revoking the access rights of a particular subject, the corresponding shadow register should also be cleared.
Access Control List Method: Implementation
Efficiency of Storage: Solution

Protection group:
• A solution to the large storage requirement due to a large number of users.
• Subjects are divided into protection groups, and the access control list consists of the names of groups along with their access rights.
• All subjects in a protection group have identical access rights to the object.
• A subject gives its protection group name and requests access to the system.
Access Control List Method: Authority to change Access control list
• There are two methods to control the propagation of access rights:

• Self Control
• Hierarchical control

Self Control Policy: The owner process of an object has a special access right by which it can modify the access control list of the object.
• Owner is the creator of the object
• Disadvantage: Control is centralized to one process
Access Control List Method: Authority to change Access control list

Hierarchical control Method:
• When an object is created, its owner specifies the set of processes which have the right to modify the access control list of the new object.
• Processes are arranged in a hierarchy.
• A process can modify the access control list associated with all processes below it in the hierarchy.
The Lock-Key Method
• Hybrid of the capability-based method and the access control method
• Includes the features of both methods

• Every subject has a capability list that contains tuples of the form (o, k)
• Each tuple indicates that the subject can access object o with key k
• Every object has an access control list that contains tuples of the form (l, Ψ), called lock entries.
• A lock entry indicates that any subject which can open the lock l can access this object in the modes contained in the set Ψ
The Lock-Key Method
• When a subject makes a request to access object o in mode α, the system executes it in the following manner:
• The system locates the tuple (o, k) in the capability list of the subject.
• If no such tuple is found, access is not permitted.

• Otherwise access is permitted only if there exists a lock entry (l, Ψ) in the access control list of the object o such that k = l and α ∈ Ψ
• To revoke the access rights of a subject to an object, simply delete the lock entry corresponding to the key of the subject
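The three implementations of the access matrix described above (capabilities, access control lists, lock-key), side by side on one constructed matrix, with the review and revocation behaviour the slides attribute to each (an added example, not part of the original slides). The subjects, objects, rights, function names and the sequential key source are all assumptions of this example.

```python
from itertools import count

# Constructed access matrix P[s][o]; subjects, objects and rights are sample values.
P = {
    "alice":  {"payroll.db": {"read", "write"}, "report.txt": {"read"}},
    "bob":    {"report.txt": {"read", "write"}},
    "backup": {"payroll.db": {"read"}},
}

def capability_lists(P):
    """Row-wise decomposition: subject s holds the tuples (o, P[s,o])."""
    return {s: {o: frozenset(r) for o, r in row.items() if r}
            for s, row in P.items()}

def access_control_lists(P):
    """Column-wise decomposition: object o holds the pairs (s, P[s,o])."""
    acls = {}
    for s, row in P.items():
        for o, rights in row.items():
            if rights:
                acls.setdefault(o, {})[s] = frozenset(rights)
    return acls

def cap_permits(caps, s, alpha, o):
    # A subject may touch only objects it holds a capability for.
    return alpha in caps.get(s, {}).get(o, frozenset())

def acl_permits(acls, s, alpha, o):
    # Look up the entry (s, Phi) in o's list; no entry means deny (fail-safe default).
    return alpha in acls.get(o, {}).get(s, frozenset())

def review_acl(acls, o):
    """Who can access o? With ACLs this is a read of one list."""
    return sorted(acls.get(o, {}))

def review_caps(caps, o):
    """With capabilities the same question needs a scan of every subject."""
    return sorted(s for s, held in caps.items() if o in held)

class LockKey:
    """Lock-key method: subjects hold (o, k), objects hold lock entries (l, Psi)."""
    def __init__(self):
        self.caps = {}           # subject -> {object: key}
        self.locks = {}          # object  -> {lock: frozenset of modes}
        self._next = count(1)    # sequential keys: a simplification of this example

    def grant(self, s, o, modes):
        k = next(self._next)
        self.caps.setdefault(s, {})[o] = k
        self.locks.setdefault(o, {})[k] = frozenset(modes)

    def permits(self, s, alpha, o):
        k = self.caps.get(s, {}).get(o)
        if k is None:            # no tuple (o, k): access not permitted
            return False
        psi = self.locks.get(o, {}).get(k)
        return psi is not None and alpha in psi

    def revoke(self, s, o):
        # Delete the lock entry matching the subject's key. The key left in the
        # capability list no longer opens anything.
        k = self.caps.get(s, {}).get(o)
        self.locks.get(o, {}).pop(k, None)

def demo():
    caps, acls, lk = capability_lists(P), access_control_lists(P), LockKey()
    for s, row in P.items():
        for o, rights in row.items():
            lk.grant(s, o, rights)
    before = (cap_permits(caps, "backup", "read", "payroll.db"),
              acl_permits(acls, "backup", "read", "payroll.db"),
              lk.permits("backup", "read", "payroll.db"))
    del acls["payroll.db"]["backup"]      # ACL revocation: remove one entry
    lk.revoke("backup", "payroll.db")     # lock-key revocation: remove one lock entry
    after = (acl_permits(acls, "backup", "read", "payroll.db"),
             lk.permits("backup", "read", "payroll.db"),
             lk.permits("alice", "write", "payroll.db"))
    return before, after

if __name__ == "__main__":
    print(demo())
```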
