Measuring Masking Fault-Tolerance

In this paper we introduce a notion of fault-tolerance distance between labeled transition systems. Intuitively, this notion of distance measures the degree of fault-tolerance exhibited by a candidate system. In practice, there are different kinds of fault-tolerance, here we restrict ourselves to the analysis of masking fault-tolerance because it is often a highly desirable goal for critical systems. Roughly speaking, a system is masking fault-tolerant when it is able to completely mask the faults, not allowing these faults to have any observable consequences for the users. We capture masking fault-tolerance via a simulation relation, which is accompanied by a corresponding game characterization. We enrich the resulting games with quantitative objectives to define the notion of masking fault-tolerance distance. Furthermore, we investigate the basic properties of this notion of masking distance, and we prove that it is a directed pseudo metric. We have implemented our approach in a prototype tool that automatically compute the masking distance between a nominal system and a fault-tolerant version of it. We have used this tool to measure the masking tolerance of multiple instances of several case studies


Introduction
Fault-tolerance allows for the construction of systems that are able to overcome the occurrence of faults during their execution.Examples of fault-tolerant systems can be found everywhere: communication protocols, hardware circuits, avionic systems, cryptographic currencies, etc.So, the increasing relevance of critical software in everyday life has led to a renewed interest in the automatic verification of fault-tolerant properties.However, one of the main difficulties when reasoning about these kinds of properties is given by their quantitative nature, which is true even for non-probabilistic systems.A simple example is given by the introduction of redundancy in critical systems.This is, by far, one of the most used techniques in fault-tolerance.In practice, it is well-known that adding more redundancy to a system increases its reliability.Measuring this increment is a central issue for evaluating fault-tolerant software, protocols, etc.On the other hand, the formal characterization of fault-tolerant properties could be an involving task, usually these properties are encoded using ad-hoc mechanisms as part of a general design.
The usual flow for the design and verification of fault-tolerant systems consists in defining a nominal model (i.e., the "fault-free" or "ideal" program) and afterwards extending it with faulty behaviors that deviate from the normal behavior prescribed by the nominal model.This extended model represents the way in which the system operates under the occurrence of faults.There are different ways of extending the nominal model, the typical approach is fault injection [18,19], that is, the automatic introduction of faults into the model.An important property that any extended model has to satisfy is the preservation of the normal behavior under the absence of faults.In [10], we proposed an alternative formal approach for dealing with the analysis of fault-tolerance.This approach allows for a fully automated analysis and appropriately distinguishes faulty behaviors from normal ones.Moreover, this framework is amenable to fault-injection.In that work, three notions of simulation relations are defined to characterize masking, nonmasking, and failsafe fault-tolerance, as originally defined in [13].
During the last decade, significant progress has been made towards defining suitable metrics or distances for diverse types of quantitative models including real-time systems [17], probabilistic models [11], and metrics for linear and branching systems [5,7,16,21,27].Some authors have already pointed out that these metrics can be useful to reason about the robustness of a system, a notion related to fault-tolerance.Particularly, in [5] the traditional notion of simulation relation is generalized and three different simulation distances between systems are introduced, namely correctness, coverage, and robustness.These are defined using quantitative games with discounted-sum and mean-payoff objectives.
In this paper we introduce a notion of fault-tolerance distance between labelled transition systems.Intuitively, this distance measures the degree of faulttolerance exhibited by a candidate system.As it was mentioned above, there exist different levels of fault-tolerance, we restrict ourselves to the analysis of masking fault-tolerance because it is often classified as the most benign kind of fault-tolerance and it is a highly desirable property for critical systems.Roughly speaking, a system is masking fault-tolerant when it is able to completely mask the faults, not allowing these faults to have any observable consequences for the users.Formally, the system must preserve both the safety and liveness properties of the nominal model [13].In contrast to the robustness distance defined in [5], which measures how many unexpected errors are tolerated by the implementation, we consider a specific collection of faults given in the implementation and measure how many faults are tolerated by the implementation in such a way that they can be masked by the states.We also require that the normal behavior of the specification has to be preserved by the implementation when no faults are present.In this case, we have a bisimulation between the specification and the non-faulty behavior of the implementation.Otherwise, the distance is 1.That is, δ m (N, I) = 1 if and only if the nominal model N and I\F are not bisimilar, where I\F behaves like the implementation I where all actions in F are forbidden (\ is Milner's restriction operator).Thus, we effectively distinguish between the nominal model and its fault-tolerant version and the set of faults taken into account.
In order to measure the degree of masking fault-tolerance of a given system, we start characterizing masking fault-tolerance via simulation relations between two systems as defined in [10].The first one acting as a specification of the intended behavior (i.e., nominal model) and the second one as the fault-tolerant implementation (i.e., the extended model with faulty behavior).The existence of a masking relation implies that the implementation masks the faults.Afterwards, we introduce a game characterization of masking simulation and we enrich the resulting games with quantitative objectives to define the notion of masking faulttolerance distance, where the possible values of the game belong to the interval [0, 1].The fault-tolerant implementation is masking fault-tolerant if the value of the game is 0. Furthermore, the bigger the number, the farther the masking distance between the fault-tolerant implementation and the specification.Accordingly, a bigger distance remarkably decreases fault-tolerance.Thus, for a given nominal model N and two different fault-tolerant implementations I 1 and I 2 , our distance ensures that δ m (N, I 1 ) < δ m (N, I 2 ) whenever I 1 tolerates more faults than I 2 .We also provide a weak version of masking simulation, which makes it possible to deal with complex systems composed of several interacting components.We prove that masking distance is a directed semimetric, that is, it satisfies two basic properties of any distance, reflexivity and the triangle inequality.
Finally, we have implemented our approach in a tool that takes as input a nominal model and its fault-tolerant implementation and automatically compute the masking distance between them.We have used this tool to measure the masking tolerance of multiple instances of several case studies such as a redundant cell memory, a variation of the dining philosophers problem, the bounded retransmission protocol, N-Modular-Redundancy, and the Byzantine generals problem.These are typical examples of fault-tolerant systems.
The remainder of the paper is structured as follows.In Section 2, we introduce preliminaries notions used throughout this paper.We present in Section 3 the formal definition of masking distance build on quantitative simulation games and we also prove its basic properties.We describe in Section 4 the experimental evaluation on some well-known case studies.In Section 5 we discuss the related work.Finally, we discuss in Section 6 some conclusions and directions for further work.Full details and proofs can be found in [4].

Preliminaries
Let us introduce some basic definitions and results on game theory that will be necessary across the paper, the interested reader is referred to [1].
A transition system (TS) is a tuple A = S, Σ, E, s 0 , where S is a finite set of states, Σ is a finite alphabet, E ⊆ S ×Σ ×S is a set of labelled transitions, and s 0 is the initial state.In the following we use s w where ρ 0 = s 0 and for all i, ρ i σi − → ρ i+1 ∈ E. From now on, given a tuple (x 0 , . . ., x n ), we denote by pr i ((x 0 , . . ., x n )) its i-th projection.
A game graph G is a tuple G = S, S 1 , S 2 , Σ, E, s 0 where S, Σ, E and s 0 are as in transition systems and (S 1 , S 2 ) is a partition of S. The choice of the next state is made by Player 1 (Player 2) when the current state is in S 1 (respectively, S 2 ).A weighted game graph is a game graph along with a weight function v G from E to Q.A run in the game graph G is called a play.The set of all plays is denoted by Ω.
Given a game graph G, a strategy for Player 1 is a function π : A strategy for Player 2 is defined in a similar way.The set of all strategies for Player p is denoted by Π p .A strategy for player p is said to be memoryless (or positional) if it can be defined by a mapping f : S p → E such that for all s ∈ S p we have that pr 0 (f (s)) = s, that is, these strategies do not need memory of the past history.Furthermore, a play ρ 0 σ 0 ρ 1 σ 1 ρ 2 σ 2 . . .conforms to a player p strategy π if ∀i ≥ 0 : The outcome of a Player 1 strategy π 1 and a Player 2 strategy π 2 is the unique play, named out(π 1 , π 2 ), that conforms to both π 1 and π 2 .
A game is made of a game graph and a boolean or quantitative objective.A boolean objective is a function Φ : Ω → {0, 1} and the goal of Player 1 in a game with objective Φ is to select a strategy so that the outcome maps to 1, independently what Player 2 does.On the contrary, the goal of Player 2 is to ensure that the outcome maps to 0. Given a boolean objective Φ, a play ρ is winning for Player 1 (resp.Player 2) if Φ(ρ) = 1 (resp.Φ(ρ) = 0).A strategy π is a winning strategy for Player p if every play conforming to π is winning for Player p.We say that a game with boolean objective is determined if some player has a winning strategy, and we say that it is memoryless determined if that winning strategy is memoryless.Reachability games are those games whose objective functions are defined as Φ(ρ 0 σ 0 ρ 1 σ 1 ρ 2 σ 2 . . . ) = (∃i : ρ i ∈ V ) for some set V ⊆ S, a standard result is that reachability games are memoryless determined.
A quantitative objective is given by a payoff function f : Ω → R and the goal of Player 1 is to maximize the value f of the play, whereas the goal of Player 2 is to minimize it.For a quantitative objective f , the value of the game for a Player 1 strategy π 1 , denoted by v 1 (π 1 ), is defined as the infimum over all the values resulting from Player 2 strategies, i.e., v 1 (π 1 ) = inf π2∈Π2 f (out(π 1 , π 2 )).The value of the game for Player 1 is defined as the supremum of the values of all Player 1 strategies, i.e., sup π1∈Π1 v 1 (π 1 ).Analogously, the value of the game for a Player 2 strategy π 2 and the value of the game for Player 2 are defined as v 2 (π 2 ) = sup π1∈Π1 f (out(π 1 , π 2 )) and inf π2∈Π2 v 2 (π 2 ), respectively.We say that a game is determined if both values are equal, that is: sup π1∈Π1 v 1 (π 1 ) = inf π2∈Π2 v 2 (π 2 ).In this case we denote by val(G) the value of game G.The following result from [22] characterizes a large set of determined games.
Theorem 1.Any game with a quantitative function f that is bounded and Borel measurable is determined.

Masking Distance
We start by defining masking simulation.In [10], we have defined a state-based simulation for masking fault-tolerance, here we recast this definition using labelled transition systems.First, let us introduce some concepts needed for defining masking fault-tolerance.For any vocabulary Σ, and set of labels F = {F 0 , . . ., F n } not belonging to Σ, we consider Σ F = Σ ∪ F , where F ∩ Σ = ∅.Intuitively, the elements of F indicate the occurrence of a fault in a faulty implementation.Furthermore, sometimes it will be useful to consider the set Σ i = {e i | e ∈ Σ}, containing the elements of Σ indexed with superscript i.Moreover, for any vocabulary Σ we consider Σ M = Σ ∪ {M }, where M / ∈ Σ, intuitively, this label is used to identify masking transitions.Given a transition system A = S, Σ, E, s 0 over a vocabulary Σ, we denote

Strong Masking Simulation
Definition 1.Let A = S, Σ, E, s 0 and A ′ = S ′ , Σ F , E ′ , s ′ 0 be two transition systems.A ′ is strong masking fault-tolerant with respect to A if there exists a relation M ⊆ S × S ′ (considering A M = S, Σ M , E, s 0 instead of A) such that: (A) s 0 M s ′ 0 , and (B) for all s ∈ S, s ′ ∈ S ′ with s M s ′ and all e ∈ Σ the following holds: If such relation exist we denote it by A m A ′ and say that A ′ is a strong masking fault-tolerant implementation of A.
We say that state s ′ is masking fault-tolerant for s when s M s ′ .Intuitively, the definition states that, starting in s ′ , faults can be masked in such a way that the behavior exhibited is the same as that observed when starting from s and executing transitions without faults.In other words, a masking relation ensures that every faulty behavior in the implementation can be simulated by the specification.Let us explain in more detail the above definition.First, note that conditions A, B.1, and B.2 imply that we have a bisimulation when A and A ′ do not exhibit faulty behavior.Particularly, condition B.1 says that the normal execution of A can be simulated by an execution of A ′ .On the other hand, condition B.2 says that the implementation does not add normal (non-faulty) behavior.Finally, condition B.3 states that every outgoing faulty transition (F ) from s ′ must be matched to an outgoing masking transition (M ) from s.

Weak Masking Simulation
For analysing nontrivial systems a weak version of masking simulation relation is needed, the main idea is that weak masking simulation abstracts away from internal behaviour, which is modeled by a special action τ .Note that internal transitions are common in fault-tolerance: the actions performed as part of a fault-tolerant procedure in a component are usually not observable by the rest of the system.The weak transition relations ⇒ ⊆ S × (Σ ∪ {τ } ∪ {M } ∪ F ) × S, also denoted as E W , considers the silent step τ and is defined as follow: ∈ {τ, M } ∪ F , then s e = ⇒ s ′ means that there is a sequence of zero or more τ transitions starting in s, followed by one transition labelled by e, followed again by zero or more τ transitions eventually reaching s ′ .s τ = ⇒ s ′ states that s can transition to s ′ via zero or more τ transitions.In particular, s τ = ⇒ s for avery s.For the case in which e ∈ {M } ∪ F , s e = ⇒ s ′ is equivalente to s e − → s ′ and hence no τ step is allowed before or after the e transition.

Definition 2. Let
If such relation exists, we denote it by A w m A ′ and say that A ′ is a weak masking fault-tolerant implementation of A.
The following theorem makes a strong connection between strong and weak masking simulation.It states that weak masking simulation becomes strong masking simulation whenever transition − → is replaced by = ⇒ in the original automata.

weak masking simulation if and only if:
(A) s 0 M s ′ 0 , and (B) for all s ∈ S, s ′ ∈ S ′ with s M s ′ and all e ∈ Σ ∪ {τ } the following holds: (1) if (s The proof of this theorem is straightforward following the same ideas of Milner in [24].
A natural way to check weak bisimilarity is to saturate the transition system [12,24] and then check strong bisimilarity on the saturated transition system.Similarly, Theorem 2 allows us to compute weak masking simulation by reducing it to strong masking simulation.Note that e = ⇒ can be alternatively defined by: As a running example, we consider a memory cell that stores a bit of information and supports reading and writing operations, presented in a state-based form in [10].A state in this system maintains the current value of the memory cell (m = i, for i = 0, 1), writing allows one to change this value, and reading returns the stored value.Obviously, in this system the result of a reading depends on the value stored in the cell.Thus, a property that one might associate with this model is that the value read from the cell coincides with that of the last writing performed in the system.
A potential fault in this scenario occurs when a cell unexpectedly loses its charge, and its stored value turns into another one (e.g., it changes from 1 to 0 due to charge loss).A typical technique to deal with this situation is redundancy: use three memory bits instead of one.Writing operations are performed simultaneously on the three bits.Reading, on the other hand, returns the value that is repeated at least twice in the memory bits; this is known as voting.
We take the following approach to model this system.Labels W 0 , W 1 , R 0 , and R 1 represent writing and reading operations.Specifically, W 0 (resp.W 1 ): writes a zero (resp.one) in the memory.R 0 (resp.R 1 ): reads a zero (resp.one) from the memory.Figure 1 depicts four transition systems.The leftmost one represents the nominal system for this example (denoted as A).The second one from the left characterizes the nominal transition system augmented with masking transitions, i.e., A M .The third and fourth transition systems are faulttolerant implementations of A, named A ′ and A ′′ , respectively.Note that A ′ contains one fault, while A ′′ considers two faults.Both implementations use triple redundancy; intuitively, state t 0 contains the three bits with value zero and t 1 contains the three bits with value one.Moreover, state t 2 is reached when one of the bits was flipped (either 001, 010 or 100).In A ′′ , state t 3 is reached after a second bit is flipped (either 011 or 101 or 110) starting from state t 0 .It is straightforward to see that there exists a relation of masking fault-tolerance between A M and A ′ , as it is witnessed by the relation M = {(s 0 , t 0 ), (s 1 , t 1 ), (s 0 , t 2 )}.It is a routine to check that M satisfies the conditions of Definition 1.On the other hand, there does not exist a masking relation between A M and A ′′ because state t 3 needs to be related to state s 0 in any masking relation.This state can only be reached by executing faults, which are necessarily masked with M -transitions.However, note that, in state t 3 , we can read a 1 (transition t 3 R1 − − → t 3 ) whereas, in state s 0 , we can only read a 0.

Masking Simulation Game
We define a masking simulation game for two transition systems (the specification of the nominal system and its fault-tolerant implementation) that captures masking fault-tolerance.We first define the masking game graph where we have two players named by convenience the refuter (R) and the verifier (V ).
G for two players is defined as follows: , where the refuter starts playing -The refuter's states are and E G is the minimal set satisfying: The intuition of this game is as follows.The refuter chooses transitions of either the specification or the implementation to play, and the verifier tries to match her choice, this is similar to the bisimulation game [26].However, when the refuter chooses a fault, the verifier must match it with a masking transition (M ).The intuitive reading of this is that the fault-tolerant implementation masked the fault in such a way that the occurrence of this fault cannot be noticed from the users' side.R wins if the game reaches the error state, i.e., s err .On the other hand, V wins when s err is not reached during the game.(This is basically a reachability game [25]).We say Ver(v) (resp.Ref(v)) if v is a verifier's node (resp.refuter's node).
A weak masking game graph G W A M ,A ′ is defined in the same way as the strong masking game graph in Def. 3, with the exception that Σ M and Σ F may contain τ , and the set of labelled transitions (denoted as E G W ) is now defined using the weak transition relations (i.e., E W and E ′ W ) from the respective transition systems.
Figure 2 shows a part of the strong masking game graph for the running example considering the transition systems A M and A ′′ .We can clearly observe on the game graph that the verifier cannot mimic the transition (s 0 , #, t 3 , R) 1 , t 3 , V ) selected by the refuter which reads a 1 at state t 3 on the faulttolerant implementation.This is because the verifier can only read a 0 at state s 0 .Then, the s err is reached and the refuter wins.
As expected, there is a strong masking simulation between A and A ′ if and only if the verifier has a winning strategy in

the verifier has a winning strategy for the strong masking game graph G
By Theorems 2 and 3, the result replicates for weak masking game.
A ′ iff the verifier has a winning strategy for the weak masking game graph Using the standard properties of reachability games we get the following property.
Theorem 5.For any A and A ′ , the strong (resp.weak) masking game graph Furthermore, the strong (resp.weak) masking game graph can be determined in time

Fig. 2. Part of the masking game graph for memory cell model with two faults
The set of winning states for the refuter can be defined in a standard way from the error state [25].We adapt ideas in [25] to our setting.For i, j ≥ 0, sets U j i are defined as follows: U 1 1 ={s err }, Intuitively, the subindex i in U k i indicates that s err is reach after at most i − 1 faults occurred.The following lemma is straightforwardly proven using standard techniques of reachability games [8].

Lemma 1. The refuter has a winning strategy in G
for some k.

Quantitative Masking
In this section, we extend the strong masking simulation game introduced above with quantitative objectives to define the notion of masking fault-tolerance distance.Note that we use the attribute "quantitative" in a non-probabilistic sense.Definition 4. For transition systems A and A ′ , the quantitative strong masking game graph - where χ F is the characteristic function over set F , returning 1 if e ∈ F and 0 otherwise, and χ serr is the characteristic function over the singleton set {s err }.
Note that the cost function returns a pair of numbers instead of a single number.It is direct to codify this pair into a number, but we do not do it here for the sake of clarity.We remark that the quantitative weak masking game graph Q W A M ,A ′ is defined in the same way as the game graph defined above but using the weak masking game graph G W A M ,A ′ instead of G A M ,A ′ Given a quantitative strong masking game graph with the weight function v G and a play ρ = ρ 0 σ 0 ρ 1 σ 1 ρ 2 , . .., for all i ≥ 0, let ).We define the masking payoff function as follow: , which is proportional to the inverse of the number of masking movements made by the verifier.To see this, note that the numerator of pr 1 (vn) 1+ n i=0 pr 0 (vi) will be 1 when we reach the error state, that is, in those paths not reaching the error state this formula returns 0. Furthermore, if the error state is reached, then the denominator will count the number of fault transitions taken until the error state.All of them, except the last one, were masked successfully.The last fault, instead, while attempted to be masked by the verifier, eventually leads to the error state.That is, the transitions with value 1 are those corresponding to faults.The others are mapped to 0. Notice also that if s err is reached in v n without the occurrence of any fault, the nominal part of the implementation does not match the nominal specification, in which case pr 1 (vn) 1+ n i=0 pr 0 (vi) = 1.Then, the refuter wants to maximize the value of any run, that is, she will try to execute faults leading to the state s err .In contrast, the verifier wants to avoid s err and then she will try to mask faults with actions that take her away from the error state.More precisely, the value of the quantitative strong masking game for the refuter is defined as val Analogously, the value of the game for the verifier is defined as val . Then, we define the value of the quantitative strong masking game, denoted by val(Q A M ,A ′ ), as the value of the game either for the refuter or the verifier, i.e., val This can be done because quantitative strong masking games are determined as we prove below in Theorem 6. Definition 5. Let A and A ′ be transition systems.The strong masking distance between A and A ′ , denoted by δ m (A, A ′ ) is defined as: We would like to remark that the weak masking distance δ W m is defined in the same way for the quantitative weak masking game graph Q W A M ,A ′ .Roughly speaking, we are interesting on measuring the number of faults that can be masked.The value of the game is essentially determined by the faulty and masking labels on the game graph and how the players can find a strategy that leads (or avoids) the state s err , independently if there are or not silent actions.
In the following, we state some basic properties of this kind of games.As already anticipated, quantitative strong masking games are determined: Theorem 6.For any quantitative strong masking game The value of the quantitative strong masking game can be calculated as stated below.
i }, whenever s init ∈ U , and val(Q A M ,A ′ ) = 0 otherwise, where sets U j i and U are defined in equation (1).
Note that the sets U j i can be calculated using a bottom-up breadth-first search from the error state.Thus, the strategies for the refuter and the verifier can be defined using these sets, without taking into account the history of the play.That is, we have the following theorems: Theorem 8. Players R and V have memoryless winning strategies for Q A M ,A ′ .Theorems 6, 7, and 8 apply as well to Q W A M ,A ′ .The following theorem states the complexity of determining the value of the two types of games.

By using
, we can define the weak masking distance δ W m .The next theorem states that, if A and A ′ are at distance 0, there is a strong (or weak) masking simulation between them.

Theorem 10. For any transition systems
This follows from Theorem 7. Noting that A m A (and A w m A) for any transition system A, we obtain that δ m (A, A) = 0 (resp.δ W m (A, A) = 0) by Theorem 10, i.e., both distance are reflexive.
For our running example, the masking distance is 1/3 with a redundancy of 3 bits and considering two faults.This means that only one fault can be masked by this implementation.We can prove a version of the triangle inequality for our notion of distance.
Reflexivity and the triangle inequality imply that both masking distances are directed semi-metrics [6,9].Moreover, it is interesting to note that the triangle inequality property has practical applications.When developing critical software is quite common to develop a first version of the software taking into account some possible anticipated faults.Later, after testing and running of the system, more plausible faults could be observed.Consequently, the system is modified with additional fault-tolerant capabilities to be able to overcome them.Theorem 11 states that incrementally measuring the masking distance between these different versions of the software provides an upper bound to the actual distance between the nominal system and its last fault-tolerant version.That is, if the sum of the distances obtained between the different versions is a small number, then we can ensure that the final system will exhibit an acceptable masking tolerance to faults w.r.t. the nominal system.

Experimental Evaluation
The approach described in this paper have been implemented in a tool in Java called MaskD: Masking Distance Tool [?].MaskD takes as input a nominal model and its fault-tolerant implementation, and produces as output the masking distance between them.The input models are specified using the guarded command language introduced in [?], a simple programming language common for describing fault-tolerant algorithms.More precisely, a program is a collection of processes, where each process is composed of a collection of actions of the style: Guard → Command, where Guard is a boolean condition over the actual state of the program and Command is a collection of basic assignments.These syntactical constructions are called actions.The language also allows user to label an action as internal (i.e., τ actions).Moreover, usually some actions are used to represent faults.The tool has several additional features, for instance it can print the traces to the error state or start a simulation from the initial state.
We report on Table 1 the results of the masking distance for multiple instances of several case studies.These are: a Redundant Cell Memory (our running example), N-Modular Redundancy (a standard example of fault-tolerant system [?]), a variation of the Dining Philosophers problem [?], the Byzantine Generals problem introduced by Lamport et al. [20], and the Bounded Retransmission Protocol (a well-known example of fault-tolerant protocol [14]).Some words are useful to interpret the results.For the case of a 3 bit memory the masking distance is 0.333, the main reason for this is that the faulty model in the worst case is only able to mask 2 faults (in this example, a fault is an unexpected change of a bit value) before failing to replicate the nominal behaviour (i.e.reading the majority value), thus the result comes from the definition of masking distance and taking into account the occurrence of two faults.The situation is similar for the other instances of this problem with more redundancy.
N-Modular-Redundancy consists of N systems, in which these perform a process and that results are processed by a majority-voting system to produce a single output.Assuming a single perfect voter, we have evaluated this case study for different numbers of modules.Note that the distance measures for this case study are similar to the memory example.
For the dining philosophers problem we have adopted the odd/even philosophers implementation (it prevents from deadlock), i.e., there are n − 1 even philosophers that pick the right fork first, and 1 odd philosopher that picks the left fork first.The fault we consider in this case occurs when an even philosopher behaves as an odd one, this could be the case of a byzantine fault.For two philosophers the masking distance is 0.5 since a single fault leads to a deadlock, when more philosophers are added this distance becomes smaller.
Another interesting example of a fault-tolerant system is the Byzantine generals problem, introduced originally by Lamport et al. [20].This is a consensus problem, where we have a general with n − 1 lieutenants.The communication between the general and his lieutenants is performed through messengers.The general may decide to attack an enemy city or to retreat; then, he sends the order to his lieutenants.Some of the lieutenants might be traitors.We assume that the messages are delivered correctly and all the lieutenants can communicate directly with each other.In this scenario they can recognize who is sending a message.Faults can convert loyal lieutenants into traitors (byzantines faults).As a consequence, traitors might deliver false messages or perhaps they avoid sending a message that they received.The loyal lieutenants must agree on attacking or retreating after m + 1 rounds of communication, where m is the maximum numbers of traitors.
The Bounded Retransmission Protocol (BRP) is a well-known industrial case study in software verification.While all the other case studies were treated as toy examples and analyzed with δ m , the BRP was modeled closer to the implementation following [14], considering the different components (sender, receiver, and models of the channels).To analyze such a complex model we have used instead the weak masking distance δ W m .We have calculated the masking distance for the bounded retransmission protocol with 1, 3 and 5 chunks, denoted BRP(1), BRP(3) and BRP (5), respectively.We observe that the distance values are not affected by the number of chunks to be sent by the protocol.This is expected because the masking distance depends on the redundancy added to mask the faults, which in this case, depends on the number of retransmissions.We have run our experiments on a MacBook Air with Processor 1.3 GHz Intel Core i5 and a memory of 4 Gb.The tool and case studies for reproducing the results are available in the tool repository.

Related Work
In recent years, there has been a growing interest in the quantitative generalizations of the boolean notion of correctness and the corresponding quantitative verification questions [3,5,15,16].The framework described in [5] is the closest related work to our approach.The authors generalize the traditional notion of simulation relation to three different versions of simulation distance: correctness, coverage, and robustness.These are defined using quantitative games with discounted-sum and mean-payoff objectives, two well-known cost functions.Similarly to that work, we also consider distances between purely discrete (non-probabilistic, untimed) systems.Correctness and coverage distances are concerned with the nominal part of the systems, and so faults play no role on them.On the other hand, robustness distance measures how many unexpected errors can be performed by the implementation in such a way that the resulting behavior is tolerated by the specification.So, it can be used to analyze the resilience of the implementation.Note that, robustness distance can only be applied to correct implementations, that is, implementations that preserve the behavior of the specification but perhaps do not cover all its behavior.As noted in [5], bisimilarity sometimes implies a distance of 1.In this sense a greater grade of robustness (as defined in [5]) is achieved by pruning critical points from the specification.Furthermore, the errors considered in that work are transitions mimicking the original ones but with different labels.In contrast to this, in our approach we consider that faults are injected into the fault-tolerant implementation, where their behaviors are not restricted by the nominal system.This follows the idea of model extension in fault-tolerance where faulty behavior is added to the nominal system.Further, note that when no faults are present, the masking distance between the specification and the implementation is 0 when they are bisimilar, and it is 1 otherwise.It is useful to note that robustness distance of [5] is not reflexive.We believe that all these definitions of distance between systems capture different notions useful for software development, and they can be used together, in a complementary way, to obtain an in-depth evaluation of fault-tolerant implementations.

Conclusions and Future Work
In this paper, we presented a notion of masking fault-tolerance distance between systems built on a characterization of masking tolerance via simulation relations and a corresponding game representation with quantitative objectives.Our framework is well-suited to support engineers for the analysis and design of fault-tolerant systems.More precisely, we have defined a computable masking distance function such that an engineer can measure the masking tolerance of a given fault-tolerant implementation, i.e., the number of faults that can be masked.Thereby, the engineer can measure and compare the masking faulttolerance distance of alternative fault-tolerant implementations, and select one that fits best to her preferences.
There are many directions for future work.We have only defined a notion of fault-tolerance distance for masking fault-tolerance, similar notions of distance can be defined for other levels of fault-tolerance like failsafe and non-masking, we leave this as a further work.
A Definitions Definition 6.Given two transition systems A = S, Σ, E, s 0 and A ′ = S ′ , Σ F , E ′ W , s ′ 0 (where Σ and Σ F possible contains the distinguished silent action τ ), we define the weak masking game graph for two players as follows: , where the refuter starts playing -The refuter's states are and E G W is the minimal set satisfying:

B Proofs of Properties
Proof of Lemma 1.The refuter has a winning strategy in G A M ,A ′ (or G W A M ,A ′ ) iff s init ∈ U k , for some k.Proof.⇒) Suppose that the Refuter has a winning strategy namely π and that s init / ∈ U k i for any i and k.This means that π(s init ) returns a node v such that v / ∈ U k i (for any i and k) (by definition of U k i ), and from there the Verifier can select a node v ′ / ∈ U k i (for any i and k), and again this can be repeated forever.Therefore, the play never reaches s err , which means that the Verifier wins and that leads to a contradiction.⇐) Consider s init ∈ U k for some k, where we have that s init ∈ U k i for some i by definition.Any winning strategy for the refuter is simple, for any v ∈ U j i , π(v) = v ′ being v ′ some node in U j−1 i which exists by definition.Since s init ∈ U k and the Refuter has to play, then the play will reach in j − 1 steps the set U 1 , i.e., the s err state.
The proof also apply for the weak masking game graph G W A M ,A ′ .⋄ Proof of Theorem 3. Let A = S, Σ, E, s 0 and A ′ = S ′ , Σ F , E ′ , s ′ 0 .A m A ′ iff the verifier has a winning strategy for the strong masking game graph G A M ,A ′ .
Proof.⇒) Suppose that A m A ′ , then there exists a masking simulation M ⊆ S × S ′ by Definition 1.Then, the strategy of the verifier is constructed as follows, for states (s, σ i , s ′ , V ) with s M s ′ and σ / ∈ F , the strategy selects either a transition s σ − → w or s ′ σ − → w ′ depending if i = 1 or i = 2, respectively.In case of σ ∈ F , then the strategy returns the transition (s, F 2 j , s ′ , V ) M −→ (s, #, s ′ , R), for any F j ∈ F .This can be done since s M s ′ .Furthermore, in any case we have w M s ′ , s M w ′ or s M s ′ , respectively.Thus, the strategy can be applied again for any movement of the Refuter.Summing up, the Verifier can play forever and then the strategy is winning for her.Hence, the strategy is winning for game G A M ,A ′ since s init M s ′ init .⇐) Suppose that the verifier has a winning strategy from the initial state.Then, we define a masking simulation relation as M = {(s, s ′ ) | V has a winning strategy for (s, #, s ′ , R)}.It is simple to see that it is a masking simulation.Furthermore, The proof is similar for the theorem that A w m A ′ iff the verifier has a winning strategy for the weak masking game graph G W A M ,A ′ , but using G W A M ,A ′ instead of G A M ,A ′ and by theorem 2. ⋄ Proof of Theorem 6.For any quantitative strong masking game Proof.In order to prove that the masking payoff function f m is determined we have to prove that it is bounded and Borel measurable (Martin's theorem [22]).
First, f m is bounded by definition.Second, to see that f m is Borel measurable note that f m (Ω) ⊆ [0, 1], and then it is sufficient to prove that, for every rational x, f −1 m ((−∞, x]) is Borel in the Cantor topology of infinite executions.Consider f −1 m ([−∞, x]) for an arbitrary x, this is the same as f −1 m ([0, 1 a ]) for a given a.
b} where C ρ0σ0...ρi is the cone corresponding to initial segment ρ 0 σ 0 . . .ρ i which is Borel measurable, and so A i b , A b and f −1 m ((−∞, x]) are Borel measurable.⋄ Proof of Theorem 7. Let Q A M ,A ′ be a quantitative strong masking game.Then, val(Q A M ,A ′ ) = 1 w , with w = min{i | ∃j : s init ∈ U j i }, whenever s init ∈ U , and val(Q A M ,A ′ ) = 0 otherwise, where sets U j i and U are defined in equation (1).
Proof.First, note that any play avoiding state s err has value 0. By definition of the game, each transition performed by the Refuter must be followed by a transition selected by the Verifier.These transitions (the matches performed by the Verifier) have cost (1, 0) since the target of any of these transition is different from s err .Because we have an infinite number of these matches, when state s err is not reached, the valuation of these plays is lim n→∞ 0 1+ n i=0 vi = 0. Otherwise, if s init ∈ U j i for some j ≥ 1, we denote by Π the set of Refuter's strategies satisfying the following: If v ∈ U j i for i, j > 1 and post(v . Note that Π = ∅, since any Refuter's node in a set U j i has a successor belonging to U j−1 i .Now, any play from s init following a strategy in Π contains the occurrence of at most i faults since the unique way of decreasing i is by performing a masking after a fault, and i ≤ j always.That is, for any π Now, note that for those nodes s i / ∈ U i j for every i and j, the Verifier has strategies π V such that val(π V , π R ) = 0 for any Refuter's strategy π R .Then, for any Refuter's strategy π R / ∈ Π we have that inf πR∈ΠR val(π V , π R ) = 0.That is, for any Refuter's strategy we have inf πV ∈ΠV val(π Proof.Let us consider any node (s, #, s ′′ , R) of the game Q A M ,A ′′ belonging to U j i with j ≥ 2. Note that j cannot be the error state and so j = 1; moreover, after the movement of the Refuter we have at least one movement from the Verifier.In addition, for every nodes (s, #, For the sake of convenience, when a node s does not belong to any U k i , we assume s ∈ U ∞ ∞ .Then, we just define 1 ∞ = 0.The result follows from this fact and theorem 7. The proof is by induction on i. Base Case: For i = 1, we perform an induction on j.Let j = 2 and suppose that (s, #, s ′′ , R) ∈ U 2  1 .This means that we have a transition (s, #, s ′′ , R) σ − → (w, σ t , w ′′ , V ), where t ∈ {1, 2}, that cannot be matched by the Verifier.In case that t = 1, then this play is a transition (s, #, s ′′ , R) σ t − → (w, σ t , s ′′ , V ) from A. Now, let (s, #, s ′ , R) and (s ′ , #, s ′′ , R) be a pair of nodes of A and A ′ , respectively.By definition, we have a transition (s, #, s ′ , R) In case that the Verifier cannot match this play in that game we have that (s, #, s ′ , R) ∈ U 2 1 .This finishes the proof since 1 ≤ 1 + k ′′ , regardless of the value of k ′′ .Otherwise, we have a play by the refuter (w, #, s ′ , R) and we also have a transition (s ′ , #, s ′′ , R) σ − → (w ′ , σ, s ′′ , V ).But, this cannot be matched by our initial assumption, that is, (s ′ , #, s ′′ , R) ∈ U 2 1 .This finalizes the base case for j.For t = 2, the reasoning is similar using the transitions of A ′′ .Now, for the inductive case of the second induction consider j > 2 and i = 1, that is, (s, #, s ′′ , R) ∈ U j 1 .This means that we have a transition (s, #, s ′′ , R) σ t − → (w, σ t , w ′′ , V ) with t ∈ {1, 2}.Consider now any pairs of states (s, #, s ′ , R) in Q A,A ′ and (s ′ , #, s ′′ , R) in Q A ′ ,A ′′ .In case of t = 1, then we have a transition (s, #, s ′′ , R) In case that it cannot be matched, then the result follows.Otherwise, we have transitions (w, σ, s ′ , V ) σ − → (w, #, w ′ , R) for w ′ ∈ S ′ .Therefore, there must be also a transition (s ′ , #, s ′′ , R) σ − → (w ′ , σ, s ′′ , V ).Similarly, in case that this cannot be matched we have (s ′ , #, s ′′ , R) ∈ U 2  1 and the proof finishes.In other case, we have a collection of transitions (w ′ , σ, s ′′ , V ) − → (w ′ , #, w ′′ , R) for w ′′ ∈ S ′′ .Note that for any of these pairs (w, #, w ′ , R) and (w ′ , #, w ′′ , R), we have that (s, #, s ′′ , R) and by inductive hypothesis for all of these pairs we have (w, #, w ′ , R) ∈ U j ′ 1 and (w ′ , #, w ′′ , R) ∈ U j ′′ 1 , Now, taking k ′ as the maximum of all these j ′ and k ′′ as the maximum of all these j ′′ , we obtain that (w, σ, s , which finishes the proof.Inductive Case: For i > 1 the proof is as follows.Assume that (s, #, s ′′ , R) ∈ U j i .Since 1 < i < j, we have a transition (s, #, s ′′ , R) In case that F ∈ F ′ , then F ∈ Σ ′ .On the contrary, if it cannot be matched, then the result follows.Otherwise, we have a collection of transitions (s ′ , F 2 , w ′′ , V ) F − → (w ′ , #, w ′′ , R).So, in game Q A,A ′ we have at least an edge (s, #, s ′ , R) F − → (s, F 2 , w ′ , V ).By the initial assumption, this can be masked, and then there is a transition (s, F 2 , w ′ , V ) M − → (s, #, w ′ , R).By induction, we have (s, #, w ′ , R) ∈ U j ′ i ′ and (w ′ , #, w ′′ , R) ∈ U j ′′ i ′′ such that 1 i−1 ≤ 1 i ′ + 1 i ′′ .Note that (s, F 2 , w ′ , V ) ∈ U j ′ −1 i ′ −1 , since we have a unique (masking) transition from (s, F 2 , V, w ′ ).Now, let us define k ′′ = max{i ′′ | for all states (s ′ , #, w ′′ , V ) ∈ U j ′′ i ′′ }.Then, (s ′ , F 2 , s ′′ , V ) ∈ U k ′′ i ′′ and we have that (s, #, s ′ , R) ∈ U j ′ i ′ +1 and (s ′ , #, s ′′ , V ) ∈ U k ′′ i ′′ with 1 i ≤ 1 i ′ +1 + 1 i ′′ by definition of sets U 's.This finishes the proof for this case.In case that σ t = F 2 , the proof proceeds by induction on j as the second induction in the base case.
The proof for δ W m is similar to the δ m but using Q W A M ,A ′ instead of Q A M ,A ′ and by theorem 2.

⋄ C.3 Byzantine Agreement (4 generals)
This is a model for Byzantine Agreement with 4 generals, we differentiate the commander as a separate process Commander, and the other generals are instances of a Lieutenant process.In this case, there are two rounds of messages, the first one is an order from the commander to the lieutenants of attack or retreat, then comes the second round which involves a forward of the commander order from each lieutenant to all other lieutenants.Lieutenants may become traitors at any moment and send conflicted messages.
G l o b a l g1g2A , g1g3A , g1g4A : BOOL ; //Commander ( g1 ) a t t a c k m e s s a g e s G l o b a l g2g3A , g2g4A : BOOL ; // L i e u t e n a n t 1 ( g2 ) a t t a c k m e s s a g e s G l o b a l g3g2A , g3g4A : BOOL ; // L i e u t e n a n t 2 ( g3 ) a t t a c k m e s s a g e s G l o b a l g4g2A , g4g3A : BOOL ; // L i e u t e n a n t 3 ( g4 ) a t t a c k m e s s a g e s G l o b a l g1g2R , g1g3R , g1g4R : BOOL ; //Commander ( g1 ) r e t r e a t m e s s a g e s G l o b a l g2g3R , g2g4R : BOOL ; // L i e u t e n a n t 1 ( g2 ) r e t r e a t m e s s a g e s G l o b a l g3g2R , g3g4R : BOOL ; // L i e u t e n a n t 2 ( g3 ) r e t r e a t m e s s a g e s G l o b a l g4g2R , g4g3R : BOOL ; // L i e u t e n a n t 3 ( g4 ) r e t r e a t m e s s a g e s G l o b a l A2 , A3 , A4 : BOOL ; // The A t t a c k d e c i s i o n o f e a c h l i e u t e n a n t G l o b a l R2 , R3 , R4 : BOOL ; // The R e t r e a t d e c i s i o n o f e a c h l i e u t e n a n t P r o c e s s Commander{ s 0 , s 1 : BOOL ; I n i t i a l : s 0 && !s 1 ; N o r m a t i v e : t r u e ; [ sA ] s 0 −> g1g2A = t r u e , g1g3A = t r u e , g1g4A = t r u e , s 0= f a l s e , s 1=t r u e ; [ sR ] s 0 −> g1g2R = t r u e , g1g3R = t r u e , g1g4R = t r u e , s 0= f a l s e , s 1=t r u e ; } P r o c e s s L i e u t e n a n t ( a t t a c k : BOOL, r e t r e a t : BOOL, fw1A : BOOL, fw2A : BOOL, fw1R : BOOL, fw2R : BOOL, a1 : BOOL, a2 : BOOL, r 1 : BOOL, r 2 : BOOL, dA : BOOL, dR : BOOL) { // PARAMS: a t t a c k : a t t a c k o r d e r from commander , fw1A and fw2A : m e s s a g e s s e n t // t o o t h e r l i e u t e n a n t s , a1 and a2 : m e s s a g e s r e c e i v e d from o t h e r l i e u t e n a n t s , // dA : d e c i d e t o a t t a c k , t h e r e s t o f param s a r e s i m i l a r but w i t h r e t r e a t s 0 , s 1 , s 2 , i s B e t r a y e r : BOOL ; I n i t i a l : s 0 && !s 1 && !s 2 && !i s B e t r a y e r ; N o r m a t i v e : t r u e ;

C.4 Dining Philosophers (3 philosophers)
Here we show a model for the Dining Philosophers in the case of 3 philosophers, 2 of which take the right fork first and the other takes the left one first, these are modeled as processes EvenPhil and OddPhil respectively.We incorporate a faulty behaviour on EvenPhil that makes it behave as OddPhil, i.e takes the left fork first.

e−
→ s ′ ∈ E to denote (s, e, s ′ ) ∈ E. Let |S| and |E| denote the number of states and edges, respectively.We define post(s) = {s ′ ∈ S | s e − → s ′ ∈ E} as the set of successors of s.Similarly, pre(s ′ ) = {s ∈ S | s e − → s ′ ∈ E} as the set of predecessors of s ′ .Moreover, post * (s) denotes the states which are reachable from s. Without loss of generality, we require that every state s has a successor, i.e., ∀s ∈ S : post if e ∈ {M } ∪ F .The symbol • stands for composition of binary relations and ( τ − →) * is the reflexive and transitive closure of the binary relation τ − →.Intuitively, if e /
there is no outgoing transition from some state s then transitions s σ − → s err and s err σ − → s err for every σ ∈ Σ, are added.
there is no outgoing transition from some state s then transitions s σ − → s err and s err σ − → s err for every σ ∈ Σ, are added.
[ fA ]  s 0 && a t t a c k && !i s B e t r a y e r −> fw1A = t r u e , fw2A= t r u e , s 0 = f a l s e , s 1 = t r u e ; [ fR ] s 0 && r e t r e a t && !i s B e t r a y e r −> fw1R = t r u e , fw2R = t r u e , s 0 = f a l s e , s 1 = t r u e ; [ fA ] s 0 && a t t a c k && i s B e t r a y e r −> fw1R = t r u e , fw2R= t r u e , s 0 = f a l s e , s 1 = t r u e ; [ fR ] s 0 && r e t r e a t && i s B e t r a y e r −> fw1A = t r u e , fw2A= t r u e , s 0 = f a l s e , s 1 = t r u e ; [ B e t r a y ] f a u l t y s 0 && !i s B e t r a y e r −> i s B e t r a y e r = t r u e ; [ A t t a c k ] s 1 && !i s B e t r a y e r && ( ( a t t a c k && a1 ) | | ( a t t a c k && a2 ) | | ( a1 && a2 ) ) −> s 1 = f a l s e , s 2 = t r u e , dA = t r u e ;[ R e t r e a t ] s 1 && !i s B e t r a y e r && ( ( r e t r e a t && r 1 ) | | ( r e t r e a t && r 2 ) | | ( r 1 && r 2 ) ) −> s 1 = f a l s e , s 2 = t r u e , dR = t r u e ;

Table 1 .
Results of the masking distance for the case studies.