IoTRepair: Systematically Addressing Device Faults in Commodity IoT (Extended Paper)

02/17/2020 ∙ by Michael Norris, et al. ∙ 0

IoT devices are decentralized and deployed in un-stable environments, which causes them to be prone to various kinds of faults, such as device failure and network disruption. Yet, current IoT platforms require programmers to handle faults manually, a complex and error-prone task. In this paper, we present IoTRepair, a fault-handling system for IoT that (1)integrates a fault identification module to track faulty devices,(2) provides a library of fault-handling functions for effectively handling different fault types, (3) provides a fault handler on top of the library for autonomous IoT fault handling, with user and developer configuration as input. Through an evaluation in a simulated lab environment and with various fault injectio nmethods,IoTRepair is compared with current fault-handling solutions. The fault handler reduces the incorrect states on average 50.01 less unsafe and insecure device states. Overall, through a systematic design of an IoT fault handler, we provide users flexibility and convenience in handling complex IoT fault handling, allowing safer IoT environments.

READ FULL TEXT VIEW PDF
POST COMMENT

Comments

There are no comments yet.

Authors

page 7

This week in AI

Get the week's most popular data science and artificial intelligence research sent straight to your inbox every Saturday.

I Introduction

The Internet of Things is constantly being developed to allow for a wide array of devices to be deployed and interpret, react to, and modify elements of a diverse set of environments. These devices are distributed in an environment, and the connectivity between them enables applications to manage some or all of the decentralized devices autonomously. This autonomous functionality can be used to provide services to users in home, industrial, and vehicular deployments. However, decentralized autonomous devices that interact with physical environments must maintain high dependability for practical deployment.

IoT devices are abnormally prone to diverse faults due to constraints such as minimal computational and energy resources, architectural problems, and disruptive environmental conditions [1, 2, 3, 4]. Faults can be caused by a complication in the device, such as loss of power or a bug in the software. A faulty device could become unresponsive or manifest an incorrect state. These faults lead to improper behavior with severe consequences, such as leaving a door unlocked, allowing an adversary to break in the house, or leaving a valve open, flooding a factory. Fault tolerance that targets individual devices and applications is insufficient, as interactions between applications can cause complex failures.

The unique requirements for fault tolerance in IoT have been discussed [5], and prior works have proposed solutions for fault identification [6, 7, 8, 2] and addressing faults [9, 10, 11, 12, 13, 14, 15]. However, previous solutions target a narrow scope, i.e., only certain devices, faults, or environments, and often only notifies users about the fault—assuming the user is familiar enough with the deployed devices, installed applications, and fault types to act appropriately. Additionally, the solutions that do perform automatic handling rely on replication, which is not always effective [14] and may be prohibitively costly [5]. Since IoT systems are primarily autonomous, there is less interaction and oversight from users, which could lengthen the time to resolve the fault manually. The user must recognize the alert and respond to it, and there may not be a user on site. Therefore, an automatic response to faults is desirable to reduce dependency on swift user interventions and increase the reliability of IoT services.

In this paper, we develop a flexible multi-layer fault-handling system called IoTRepair specifically designed for IoT. At the lower layer, IoTRepair provides a fault-handling library with a set of functions for handling device faults and a configuration file. To handle diverse faults in IoT, users can write their own configuration files to customize the system and combine the fault-handling functions through the library’s API. At the higher layer, IoTRepair includes an automated fault handler on top of the lower layer to handle common situations of IoT faults. The automated handler can be installed onto the edge device of a deployed IoT system to provide autonomous fault handling. A configuration file is generated at installation time through querying the edge device for a list of devices and applications, and also modified at runtime by the fault handler for runtime adaptation; e.g., the fault handler discovers redundant devices at runtime and saves that information in the configuration file.

To evaluate IoTRepair, we implemented 11 distinct IoT apps to manage 17 IoT devices in a simulated smart home. We conducted three sets of experiments. The first is to measure the latency of different handling methods. The second is to measure effectiveness at reducing the errors in the system caused by injected faults. The third is to measure the energy overhead of the fault handler on devices. We inserted a comprehensive set of faults into the devices to measure errors that faults would cause that impact safety and security of the system, and how well the fault handler mitigated these errors. We evaluated the effectiveness in terms of incorrect states and energy overhead when a single fault and multiple faults were present. IoTRepair could reduce system errors by an average of 50.01%. In this paper, we make the following contributions:

  • We study the nature of faults in IoT systems. We show what makes fault behavior in IoT systems different from other environments and why addressing IoT faults is uniquely difficult and requires a generalized solution.

  • We design and implement a fault-handling library that implements a common set of functions for handling device faults, such as device restarts, retries, and checkpointing. We provide flexible APIs for developers to utilize our fault-handling library in their application code. On top of the fault-handling library, we develop an automated fault handler for IoT. The automated fault handler invokes fault-handling functions in customized orders and configures the functions automatically based on the IoT environment.

  • In designing IoTRepair, we propose a set of novel techniques, including a history-based checkpoint/rollback mechanism, and a technique for inferring redundant devices according to runtime information.

  • We evaluate IoTRepair on a simulated smarthome, including 17 devices and 11 IoT apps. We show what harm faults can cause and how IoTRepair mitigates the damage.

[b] Fault Type Description Fail stop Power Device loses power from battery or outlet and ceases to function Communication Device disconnects from network or otherwise cannot send or receive packets and ceases to respond requests Critical Error Hardware or software error causes device to cease to function Non fail-stop Outlier Device reports incorrect state for a single poll Stuck-at Device fails to change state when expected to

High-Variance

Device oscillates between states faster than environment dictates Spike Numeric device state increases/decreases faster than environment dictates Other Cascading Device enters incorrect state due to interaction with a faulty device through application code

TABLE I: Categorization of IoT device fault types and causes.

Ii Problem Statement and Motivation

We begin by introducing the fault types and the reasons that IoT diverges from other computing platforms by focusing on the IoT platform architectures, and then presenting an example of IoT implementation to illustrate the fault types (Section II-A). Lastly, we study eight IoT programming platforms to understand their capabilities for fault handling (Section II-B). Our study aims to characterize the current state of fault tolerance in IoT systems and demonstrate the unique challenges and design flaws that guide IoTRepair’s design.

Ii-a Faults in IoT Systems

IoT systems integrate physical processes with digital connectivity. These systems perform simple tasks such as motion-activated light switches, as well as complex tasks such as controlling traffic lights in a smart city. Regardless of purpose and complexity, IoT systems often use an edge device as a centralized gateway that connects devices in physical environments and use a cloud back-end to synchronize device states and provide interfaces to control and monitor devices.

Faults in IoT systems can occur due to flaws in components of devices, edge device, cloud, and communication between them. While faults may happen in any of these components, device failures are more common due to factors such as minimal computational resources, energy constraints, architectural problems, improperly configured systems, and disruptive environmental conditions [16, 17, 2, 11, 4]

. For instance, devices in smart homes could experience faults on average two hours a day due to the power loss, network disruption, and hardware failure 

[1]. In other veins, experiments in exposed environments recorded half of the devices reporting incorrect states due to severe weather conditions [3].

Scope. While fault tolerance includes techniques for both fault identification and fault handling [18], in this work, we focus entirely on the fault-handling aspect and assume there is already a fault-identification module that can accurately identify the faults in a timely manner. The fault can be simple fail-stop faults, Byzantine faults, or faults injected by an adversary who has gained remote or physical access to a device. At runtime, the fault identification module sends a signal with the faulty device ID to the handler when it detects a fault. The fault handler then determines the way the fault should be handled.

Fig. 1: IoT system architecture and illustration of fault types.

Classifying Faults. An IoT device often consists of five components (Figure 1, right): (i) a set of sensors such as location, temperature, and light sensors, (ii) an auxiliary Micro-Controller Unit (MCU) to read the raw sensor values, (iii) low power CPU cores, (iv) network interfaces to communicate the user-level events to end-users, and (v) a battery or a power supply unit to power all these components. Components (ii) to (v) are often housed in an edge device such as a hub. A fault in any of these components can lead to errors in the system. We will use a temp-control app that subscribes to a thermostat, a heater, and window actuators in order to illustrate the different fault types and their consequences (See Figure 1). The app opens the windows and notifies the user through SMS when the temperature exceeds a user-defined threshold, and closes the windows and sets heater to a user-defined temperature value when the temperature is below the threshold.

We divide faults into three categories extending the terminology in previous fault tolerance work [6] (See Table I). Fail-stop faults happen when a device stops functioning and is unresponsive to external requests; for example, when a device loses power, network communication fails, or a software or hardware error halts device operation. A fail-stop fault in the thermostat would cause an app to halt entirely, and such a fault in the window or heater would remove the functionality of those actuators.

Non-fail-stop faults relate to a response by the device that diverges from the desired device state. These faults can manifest in a variety of ways with different effects, as shown in [4]: an outlier fault appears when the temperature falls outside of a reasonable range for a single device poll. An unhandled outlier fault in thermostat could cause the app to send an unintended notification that incorrectly indicates the temperature is above the threshold. A stuck-at fault happens when a device cannot change state, maintaining the same state despite changes in environment or actuation commands. An example is if the application opens the window, but the temperature sensor fails to decrease the temperature as it should, which causes a safety issue because an open window enables a burglar to break in the house. A stuck-at fault could also cause energy data analytics to be incorrect and home temperature to surge if the heater gets stuck on. A high variance fault appears when a device’s state fluctuates back and forth more rapidly than the environment dictates. For example, the temperature value fluctuates between high and low more than the environment temperature. If this variance crosses the user-defined temperature threshold, this could cause several issues by repeatedly opening then closing the window and turning the heater on and off. A spike fault happens when there are a rapid increase and decrease in temperature faster than the actual temperature in the environment. This could cause a safety issue by incorrectly opening the window for periods and turning on the heater and overheating the house—wasting energy and causing discomfort.

A faulty device may cause cross-application cascading faults. Cascading faults happen when a faulty device in an app incorrectly triggers an event in another app. To illustrate, we consider a secure-home app co-located with the temp-control app. The secure-home app controls a presence sensor, a door lock, and a window actuator. The app keeps home secure—door-locked and window-closed—when the user is at not home and notifies the user if the house becomes insecure. An unhandled spike fault in a thermostat in the temp-control app causes an increase in temperature when the user is not home and causes the window to open. The secure-home app then sends an alert SMS to the user saying that the house is in an unsafe state—which makes the user become unnecessarily panicked and anxious. This behavior is correct from the secure-home app, as the window should not be open; however, the window is opened because of a fault that triggers the event handler of the temp-control app—faults that influence the physical spaces by a faulty device can propagate beyond the device through interactions through applications.

[b] Fail-Stop Faults Non-Fail-Stop Faults IoT Platform Comm. Power Crit Error Outlier Stuck-at High Var. Spike SmartThings [19] OpenHab [20] Vera [21] Homekit [22] Wink [23] AndroidThings [24] IoTivity [25] KaaIoT [26]

  • Silent

  • Generic Error

  • Detailed Error

  • Undetected

TABLE II: IoT platforms’ response to different device faults. Undetected means that the fault is not recognized by the platform; silent means no message sent to applications; generic error means message does not contain fault information; detailed error means message contains fault information.

Ii-B Fault Tolerance in IoT Platforms

We have studied eight major IoT platforms to characterize their fault identification and handling methods. The results for each platform are shown in Table II, with undetected meaning that the fault is not recognized by the platform, silent meaning that it does not inform the applications, general error meaning that applications are thrown an error that does not contain the fault type, and detailed error meaning that applications are given a thrown error that specifies the fault type. For instance, SmartThings provides developers APIs to obtain the current device state and can notify an app when the device state is changed [27], so that an app developer could check for the state changes before continuing execution. This requires additional developer effort, and if a developer neglects this check, an app would operate ignorant of whether a device failure exists. Additionally, if a failed device is queried, SmartThings returns the last known device state or some default value, which may potentially return stale sensor states when a device is unreachable. This enables an app to continue functioning, yet the stale states may inadvertently actuate incorrect device states.

The results in the table show that only Android Things gives enough information to handle fail-stop faults effectively, and no platforms give the means for applications to handle non-fail-stop faults. In contrast, IoTRepair is able to handle these types of faults automatically, and further provides a toolset to allow developers on any platform to perform their own handling.

Iii Approach Overview

The variety of faults that can occur in IoT systems, combined with the diversity of IoT deployments, requires a flexible fault-handling approach. It is important that users can customize a fault-handling system to address a variety of faulty devices, fault types, deployment environments, and their preferences. For this reason, we design IoTRepair to be flexible, with major components presented in Figure 2.

First, the system provides a menu of fault-handling functions as a library so that developers can invoke these functions to mitigate or repair the faults. For instance, it provides a retry function, which a developer can invoke to repeat some functionality of a device if a previous use of that functionality returned a fault. This is useful for resolving transient faults.

Second, the system provides an automated fault handler, which takes a configuration file (discussed soon) and performs fault handling without user involvement. It is parametrized by a fault identification module, which detects faults and provides the ID of the faulty device (and optionally provides the fault type). In IoTRepair, we introduce the notion of fault-handling schemes to organize and execute fault-handling functions autonomously. A scheme is a list of fault-handling functions to be invoked in a specific order. Each device is assigned a scheme in the configuration file that determines which fault-handling functions will be used to handle faults in that device, and what order they will be called in.

Fig. 2: Overview of IoTRepair architecture

Finally, the system includes a configuration file, which is created during an initialization phase and updated by the automated handler at runtime. During the initialization phase, our system requests information about loaded identification module and obtains a list of installed applications and connected devices, their types, and capabilities; e.g., a motion sensor has active and inactive states and hardware restart functionality. In detail, there are three types of information in the configuration file: (i) general parameters, defining the upper bound on how long fault identification takes defined by the identification module, as well as specifications for checkpoint cleanup and replicated device detection, specified by the user. (ii) device-based parameters, defining the list of devices running in the system and the parameters (e.g., which fault-handling scheme) for each device; a list of default configurations for various device types is defined in IoTRepair and each device has its default set from the matching type in this list, or to a conservative default if none exist default configurations are generated for each device connected to the edge device by selecting from a list of default configurations that best matches the device type; they can be modified by the user, by the automated handler at runtime, or by developers by making API calls in their applications; (iii) application parameters, listing what apps are installed on the edge device and whether the application suppression is enabled for each; by default application suppression is disabled. These components allow IoTRepair to be flexible in addressing a variety of faults and environments. We next discuss two modes through which IoTRepaircan be used.

Developer API. In this mode, a developer can customize and use IoTRepair through the fault-handling library. The library provides an API for its functions (discussed later). An application developer can utilize the API in two ways. The simplest is to use a set of auxiliary functions to modify the configuration file to customize the automated handler. The second is for the application to call fault-handling functions in the library directly. By using a try/catch block around application code that interacts with devices, the app can call handler functions in conjunction with their own code whenever a fault occurs in a device. This allows them to handle faults flexibly, although it is more effort on the developer part.

Automated Fault Handling. IoTRepair can be loaded into an edge device. Once a faulty device is identified, the handler performs device suppression, which blocks polls to the faulty device and events generated by faulty devices. This prevents faulty devices from triggering application code and causing incorrect actuations. The handler then uses the configuration file to see which scheme should be used for handling the fault for this device. The handler then calls fault-handling functions in the order specified in the scheme, and each function uses the information in the configuration file while attempting to handle the fault. If the fault is repaired at any stage of the scheme, fault handling immediately ends, and the device is added back for normal execution. If the scheme ends without the device being repaired, the user is notified that the device must be manually repaired and the handling ends.

Iv Challenges in IoT Fault Handling

Compared to the fault handling in other computing platforms such as distributed systems and cloud services, IoT systems raise a set of unique challenges. We present these challenges below and how we address each.

First, there is no single fault handler function that can address all possible device faults, due to the vast array of heterogeneous IoT devices and the diverse set of environments in which they are deployed. Implementing an optimal handling technique for a specific fault is highly contextual—one cannot define the impact or correctness of fault handling without understanding the environment. For instance, different devices may require reordering functions to be executed to fit power or computation constraints, or a device might be more prone to either transient or permanent failures. To address this, we developed a set of functions that can be combined in any order depending on the device and configuration. We also created several built-in schemes that can execute these functions in different orders or exclude some entirely. These schemes can be chosen to meet the system and environmental requirements such as safety and security, and availability. We present the fault-handling functions and schemes in Section V.

The second challenge is device replication. In IoT deployments, environmental factors can make device functionality less reliable, and permanent failures in sensor readings and actuations are frequent. The goal of replication is to switch between primary devices and replicas without user intervention. To do this, we automate detecting redundant devices that are an exact duplicate through exploring sensor states on startup, and every time a new device is plugged in to the IoT system. This enables the system to fail-over from a faulty to the replicating device and to revert automatically when the device is no longer faulty. This also allows for multiple replications in case of cascading or simultaneous faults. We discuss duplicate device detection and alternate devices to find devices that provide the same functionality in Section V-A.

The last challenge relates to implementing practical rollback functions, which must consider not only the faulty device but all devices in an environment to determine a valid checkpoint for rollback. In general, rollback in distributed systems such as IoT is exceptionally challenging. Most rollback mechanisms ask each distributed process to checkpoint individually, and each process rollbacks to its recently used checkpoint [28].

In IoT environments, many factors in the system deployment determine the optimal rollback, such as the number of devices, correlation of device states, the urgency of fault correction, and consistency of system states. For instance, it is essential that the door is locked when the user is away, so a rollback would lock the door as soon as a fault was identified in the presence sensor. For this purpose, we implement a rollback scheme that rejects partial rollbacks; so if any device that requires a state change to match the checkpoint is faulty, the rollback is canceled. This method guarantees that the system is not in an undesired state no matter the implementation or fault. We will discuss our rollback in Section V-B.

Design Requirements and Assumptions. We present the requirements of IoTRepair to operate effectively. First, some fault-handling functions, such as rollback and checkpoint, require access to the device states; thus, we assume that device states are available through polling. Second, IoTRepair relies on the edge device (e.g., the hub) being able to query or record the ID and model of all connected devices. Third, we assume that there is a fault-identification module that provides the faulty device ID for each detected fault. Any system that can provide the faulty device ID can be integrated into IoTRepair. Finally, we assume that our implementation is injected into the edge device and it can access the aforementioned capabilities and its library functions are exposed to applications.

V Fault-Handling Functions

We introduce a set of functions to handle faults effectively. We present these functions in three groups, presented in Table III. We then discuss four built-in fault-handling schemes that can be integrated into diverse IoT environments.

[b] Device-based Functions bool activate_redundant_device (String device_ID){…} int retry (String device_ID, FP verifyFunc†, String[][] expectedValues†, bool isFailstop†){…} bool device_software_restart (String device_ID)){…} bool device_hardware_restart (String device_ID){…} None notifyUser (String device_ID){…} Environment-based Functions bool checkpoint (String[] device_values){…} int rollback (String device_ID){…} int transaction (String[][] actuations){…} Auxiliary Functions bool AddDevice (String[] device_ID){…} bool RemoveDevice (String[] device_ID){…} bool UpdateDeviceConfig (String[] device_ID, ConfigOptions‡){…} bool UpdateAppConfig (ConfigOptions‡){…}

  • Marks optional arguments.

  • ConfigOptions represents a series of arguments for all configuration parameters for the device/application.

TABLE III: Fault handling functions prototypes.

V-a Device-based Functions

Device-based functions are an implementation of isolated fault handling, which considers only the state of the faulty device, but not the overall state of the system. The effectiveness of the function depends only on the specifications of the faulty device and the nature of the fault. The functions do not affect and are not affected by any other devices in the system.

Fig. 3: Example of Automatic Replication Detection.

Activate Redundant Device. We define redundant devices to be of two types: (a) an exact replicate of the primary device; for instance, a motion sensor may be a redundant device of another motion sensor; (b) providing the same capabilities as the primary device; for example, a security camera that is able to detect motion can be a redundant device for a motion sensor.

IoTRepair provides the support for both types by allowing the user to specify a device’s replicate or same-capability devices in the configuration file. The function ActivateRedundantDevice enables swapping active devices and allows for the system to continue to run unaffected by the detected fault, but requires the fault handler to know what devices can act as redundant devices for the faulty device. Specifically, it takes the faulty device ID as a parameter and then checks the configuration file to see if the device has redundant devices. If there is, it changes the device references in the edge device’s connections so that polls and actuation commands to the faulty device are redirected to a replicating device. Here, we use active replication [29] to reduce the device activation overhead. In this, replicating devices are always active; thus, there is no additional computation to be performed after a device is replicated. In the case where more than one replicated device is set, the devices will be used in the order specified by the configuration.

To ease the burden of writing configuration files, IoTRepair

’s detects redundant devices and automatically generates relevant configuration data. Currently, the support is only for type (a). Finding a redundant device for type (a) in an IoT environment must consider the fact that similar devices are not necessarily co-located. To address this, we collect the sensor states and check whether devices report the same states in a given time threshold. If the two device states are the same and the transition probabilities converge with the events, these devices are identified to be replicating. This auto-generated duplicate device information can also be manually edited by the user for confirmation. Figure 

3 illustrates two co-located motion sensors detected as replicating as their states match consistently, while an unrelated presence sensor and distant motion sensor are discarded. To detect redundant devices of type (b), recent techniques such as using device fingerprints to automatically pair co-located devices [30] could be easily integrated into IoTRepair as devices reacting to the context of their environment in similar manners means the fingerprint of one device can indicate what the value of the other device should be.

Retry Device State. Retry is effective at handling short, transient faults in devices, stalling device execution long enough to let the fault resolve itself and preventing excessive handling from being performed. Retry takes parameters of the device ID and three optional arguments: a function pointer for a validation function, a list of expected device states, and whether the fault is fail-stop or not. When used by the automated handler, these may be supplied by the fault identification module. Additionally, the configuration file specifies the max duration of retry for the faulty device. If no optional arguments are passed, the retry will delay other fault-handling functions for this length of time. If a function pointer is given, it is assumed that the function checks if the device is faulty, and it will be called continuously to determine if the fault is still present. If a list of expected values is passed, then the retry will poll the device continually for the duration; if the device returns the expected state several polls in a row, it will mark the fault as resolved and end fault handling. If the fault is identified as fail-stop, then any successfully returned state will be treated as the expected value. After the length of time expires, if the fault is non-fail-stop, the retry will disable the app and device suppression for the passed device and then wait for a time length equal to the upper bound on fault detection for the loaded fault identification module. If no fault is detected during this time, then the fault was transient and is marked as resolved, and fault handling ends. If a fault is detected or the fault was fail-stop, retry function terminates.

Software and Hardware Restart. Restarting can be useful for either a software or hardware fault. SoftwareRestart and HardwareRestart take a device ID and send a signal to the faulty device to initiate a software and hardware restart, respectively. The configuration file will also be read for the device to determine the max number of attempts to restart. If no acknowledgment signal is received, the command will be repeated, and if it is never acknowledged the restart will be aborted and return with an error code. If the restart is acknowledged, the function will continually poll the device to see when the restart is completed. Once the restart is completed, if the fault was not fail-stop, the function will disable the app and device suppression for the passed device and then wait for a length of time equal to the upper bound on fault detection for the loaded fault identification module. If no fault is detected during this time, then the restart resolved the fault and fault handling ends. If a fault is detected or the fault was fail-stop, the restart function ends unsuccessfully.

The implementation of restart functions are device-dependent. Many IoT market devices such as Honeywell Z-Wave Thermostat [31]

and open-source electronics platforms such as Arduino implement device restart functionality.

User Notification. Notify takes a device ID and notifies users of the fault and the result of fault handling. The implementation of the notify call is platform-dependent; we inform users through alert messages on the console, yet text messages or push notifications are possible through IoT platform APIs. Event triggers for user notification can be configured for each device to notify the user when a fault cannot be repaired by the handler when a fault has been repaired by the handler, when a fault occurs, or any combination of these.

V-B Environment-based Functions

Environment-based functions are an implementation linked fault handling, which mitigates cascading faults. It responds to a fault by considering the states of all devices in an IoT environment, e.g., linked fault handling should close the window that was incorrectly opened by an app due to the faulty thermostat. Our environment-based functions consider the state of all devices in the environment. As these functions can affect all device states in an environment, they are capable of mitigating cascading failures across the system.

Fig. 4: Checkpoint illustration taken during system execution.

Checkpoint. Checkpoint stores all device states in the system at the time it is called. We divide device states into sensor states and actuator states. Sensor states are read-only states that collectively represent the state of the environment and drive behavior. Actuator states can be read and modified through actuation, and they are the states that can be rolled back.

We assume that there is a causal relation from sensor to actuator states; in other words, an app follows the well-known sensor-computation-actuator structure: it takes the sensor states, performs some computation, and then performs actuation to modify the actuator states. Based on this, IoTRepair includes a novel, history-based checkpoint/rollback mechanism (1) that during checkpointing records the history of device states, and (2) that during rolling back restores the most likely actuator states by looking up the history according to the current sensor states. We next discuss this mechanism in detail.

First, the automated fault handler invokes the checkpoint function after every actuation that does not trigger cascading actuations. This means a checkpoint is taken after actuations where no subscribing application initiates an actuation based on the new state. The handler determines these states by checking all apps logic subscribed to the actuated device to ensure no additional actuation is performed as a result.

Second, after a checkpoint is taken, some time must pass before it is considered valid and appended to a history log of checkpoints. The delay period is determined by the upper bound on the fault-detection time so that the module can ensure that no faults were present at the time the checkpoint was taken.

When the delay expires, the new checkpoint is then stored in a history log, which holds checkpoints and their frequencies. If no previous checkpoint has matching sensor states, a new checkpoint is appended to the log. If the sensor states match an existing checkpoint’s sensor states, the frequency is incremented if actuator states also match, or the actuator states are overwritten, and the frequency is reset to be one if the actuator states differ. Only storing the most recent sensor states for a set of sensor states keeps the log from exploding in size. For the same reasons, checkpoints are removed from history if they remain unused for an extended time, as determined by the configuration. Figure 4 provides an example of how checkpoints are taken over time in a system as a result of changes in actuator states. The example uses a simple system with two devices: a motion sensor and a light actuator. The figure shows checkpoints being taken during a series of actuations, which occur at time-stamps through , with initial time before actuations. On the left side of the figure, the state of the system after the actuation completes is shown. On the right is the list of checkpoints at each time, starting from an empty set and updating after each actuation. The first two checkpoints at times and are new states, since there are no existing checkpoints that match the sensor states. For these new checkpoints, the time they occurred and current device states are recorded, and the frequency is set to 1. The checkpoint taken at has the same device states as an existing checkpoint; so it updates the checkpoint time-stamp and the frequency. At time , a checkpoint that matches the sensor states is taken, but the actuator states do not match those of an existing checkpoint; so the matching checkpoint’s time-stamp is updated, actuator states are overwritten, and frequency is reset.

0.9 Input : The of the device that triggered this rollback
Output : Success or Failure
1 Read configuration file to get Get for Search through to find checkpoint that fits and store it in if  equals  then
2       return Failure
3if any in is an actuator, its state does not match , and is faulty then
4        return Failure
Actuate each actuator in to match Change each faulty sensor state in to match return Success
Algorithm 1 Algorithm For Rollback

Rollback. Rollback performs a series of actuations to match the system state to the checkpoint that best reflects the current system sensor values. Algorithm 1 details the steps for computing rollback that finds all potential matches, determines the best match and performs actuation to match the best match.

We have designed three techniques for choosing the best checkpoint to target for rollback. The configuration for the faulty device determines which technique will be used. Most Recent targets the checkpoint that has occurred in the system most recently. This technique is suitable for a system where faults can be detected quickly or system state changes slowly. Fail-safe uses the fail-safe configurations for all of the actuators in the system to reduce the list of checkpoints to only those where actuators match their fail-safe states; e.g., the fail-safe configuration for an alarm might be to have it on. From this reduced list, a checkpoint whose sensor states match the current sensor states in the system is selected. As the states of faulty sensors cannot be trusted, their sensor states cannot be considered when determining if a checkpoint matches the current sensor states. Because of this, it is possible that multiple checkpoints match the current known state of non-faulty sensors. If there is more than one match (or no match is found), then the frequency is used as a tiebreaker. Fail-norm finds checkpoint matches in the same fashion as fail-safe, but does not reduce the list based on fail-safe configurations first and will not roll back to a checkpoint if none matches.

Rollbacks can be dangerous, as a partial rollback can result in an otherwise impossible transition and enter an invalid system state. For this reason, our rollback fails if any actuator that needs to be changed is currently faulty (lines 6–7). We note that this captures the heterogeneous nature of IoT devices when compared to similar functions in distributed systems [28] and cyber-physical systems [32]. We also implement a data rollback as part of the system rollback. Specifically, as long as the rollback does not fail, the values of any faulty sensors also set to their values at the time of the checkpoint until the device is repaired or another rollback occurs (Line 9).

Fig. 5: New example of Fail-norm Rollback

Figure 5 gives an example of how fail-norm rollback would operate in a system with two sensors, motion and presence, and a lock actuator for a door. It shows that IoTRepair’s rollback can mitigate dangerous faults that would otherwise persist until the user can repair the faulty device, as long as another sensor’s state is correlated with the faulty sensor’s state with high frequency. In the example of Figure 5, a presence sensor that is stuck at home could cause the door to remain unlocked indefinitely. Fortunately, the motion sensor’s state is largely correlated with the presence sensor’s state, because it is likely to detect user motion when the user is at home. As a result, IoTRepair’s rollback can then use the motion sensor’s state to correct the door to be locked and secure the home, even when the presence sensor is faulty.

Transaction. A transaction performs a series of actuations and ensures that the actuations are performed atomically as a group, either all successfully completing or none completing. Currently, the transaction function is not automated, yet app developers can invoke it to cause a series of actuations to execute atomically when a partially executed series may leave the system in an unsafe state. For instance, a developer can issue a call “transaction([[Window, Closed], [Heater, On]])” to close the Windows and turn on the heater as a transaction. Transaction operates as a standard undo-log-based algorithm. It performs each of these actuations in the order given in the passed array while recording the original states in an undo log. If any actuation fails, the transaction is aborted, all devices are reset to their previous states, and an error is returned.

V-C Auxiliary Functions

We describe functions necessary for the operation of the fault handler. These functions are not directly used during fault handling but can be invoked by the automated handler or application developers to modify handler configuration.

Device Suppression. It is not a library function, but rather a capability injected into the code of an edge device (e.g., hub). This is because it is required to interrupt polls and event hooks at the edge device. Through this capability, the edge device can terminate polling the device’s state and block actuation commands sent to the device. This prevents events from a faulty device triggering incorrect actuations to other devices through app code. Device suppression is effective in correcting non-fail-stop faults. For example, if the smoke detector experiences a high variance fault, it may rapidly switch between smoke-detected and smoke-not-detected states. This would cause the alarm to turn on and off until the fault is resolved. With device suppression, the smoke detector can be suppressed once it is identified as faulty.

Application Suppression. Similar to device suppression, application suppression is also a capability injected into the in the edge device code. Application suppression can be enabled or disabled for each app based on the configuration file. When a device is identified as faulty, application suppression checks the list of apps subscribed to the device’s events. For every app that application suppression is enabled, all events that would be sent to the app and all commands generated by the app are suppressed. This halts the execution of the app, which is desirable when an app has functionality that may put the system into an unsafe state if the state of one of its dependent devices is unknown. For example, an app that opens the window when the presence sensor indicates the user is home and the house is too hot may open the window while the presence sensor is faulty if the temperature gets too hot.

Update Configuration. This allows the automated fault handler to update the configuration file at runtime. Configuration data for a device or an application can be updated, if the passed arguments are deemed valid for the configuration options.

Scheme Function Ordering
Conservative 1 2 3 4 5 6
Transient-resistant 1 3 4 5 6
Long-Restart 1 2 5 3 4 6
Time-sensitive 1 5 2 3 4 6
TABLE IV: Execution order of functions in schemes. (1) Replicate; (2) Retry; (3) Software Restart; (4) Hardware Restart; (5) Rollback; (6) Notify User.

V-D Built-in Fault-Handling Schemes

[b] ID App Name Description S/A† App1 Motion-Activated-Lights When motion detected, turn on lights. Turn off lights when motion not active. S.1, A.1 App2 Smoke-Alarm When smoke is detected sound alarm and unlock doors. When no smoke is detected turn off alarm. S.5, A.2 App3 Temperature-Control Keep temperature between 70-80 degrees (F) by turning heater and air conditioner on and off S.3, A.2 App4 Water-Leak-Detector When leak is detected sound alarm and close water valve. When no leak is detected turn off alarm and open water valve. S.6, A.2 App5 Welcome-Home When the user arrives home, unlock doors and turn on coffee machine S.4, A.1 App6 Secure-Patio When user is not present and contact is detected, send text message to user S.2, S.4, A.2 App7 Energy-Saver If window is open and either heater or air conditioner is on, close window. A.1, A.2 App8 Secure-Home when user is not present home, lock doors and close windows. S.4,A.1 App9 Intruder-Detector When user is not present home and motion is detected, send text message to user S.1, S.4, A.2 App10 Alarm-Safety When alarm is activated, turn on lights A.1, A.2 App11 Morning-Air Open windows and close windows at specific times A.1, A.2

  • S is for Sensor and A is for Actuator device (Sensors and actuators are listed in Table VI.)

TABLE V: IoT apps, their sensors/actuators and descriptions, developed to evaluate IoTRepair.

We introduce a set of built-in schemes to automate the functions above (See Table IV). These schemes modify the execution order of the functions to address requirements such as safety and security and real-time fault detection and correction. We chose to use the device type as a primary determinant of each scheme as IoT devices introduce several limitations, e.g., duration of restarts, and whether a replicated device is available, which impacts the optimal functions ordering. We created four schemes for our evaluation based on properties we discovered across our device set. These are not designed to address all possible deployments, and additional schemes can easily be created considering the deployment requirements as new handling functions are developed.

We describe the purpose of each scheme and show the order they execute the functions. Each scheme starts with trying to activate a redundant device to see if the fault can be repaired. If not, the conservative scheme then uses retry to fix the fault, which will be successful if the fault is transient. This fits in environments where there are no strict time requirements. The transient-resistant scheme is similar to the conservative scheme, yet it skips the retry function. This aims at devices that are unlikely to experience transient faults. For instance, this would be suitable for a temperature sensor deployed in a stable home environment, since it is capable of restarting and does not control time-sensitive operations. The long-restart scheme is used in devices that have excessively long software and hardware restart times, such as security cameras and a smart refrigerator. The restart functions are moved to the end of the scheme so that other functions are attempted prior to the long restart. The time-sensitive scheme removes retry and moves rollback ahead of the restart functions. It aims to return the system to the desired state as the device impacts the safety, for instance, when the security system is unresponsive. This scheme fits industrial or vehicle environments where many devices are deployed, and system integrity is the top priority. This would be implemented in devices like smoke alarms, which could cause a fire hazard if down for even a short time.

[b] ID† Device‡ Power (mW) Read (ms) Output S.1 Motion sensor 66 0.1 double, 8B S.2 Contact sensor 0.1 0.1 int, 4B S.3 Temperature, pressure, altitude sensor 19.5 37.5 double, 8B S.4 Presence sensor 1.3 0.5 int*3,12B S.5 Smoke detector 30 0.96 double, 8B S.6 Leak detector 80 0.1 double, 8B A.1 Door lock, coffee machine, light 0.01 0.1 - A.2 Alarm, air conditioner, heater, window, valve 100 0.1 -

  • S is for Sensor and A is for Actuator.

  • We use Arduiono compatible devices to simulate the devices in IoT apps. For instance, a flame detector is used for smoke-alarm, and switches are used for the lights (see Section VI).

TABLE VI: Details of sensors/actuators used in our IoT apps.

Vi Implementation

We simulated a smart home in a lab setting using a set of IoT devices and applications. In this section, we begin by introducing our simulated devices and applications, and then present fault injection and fault identification techniques required for our evaluation of IoTRepair.

Implementation Setup. We deployed a set of Arduino devices that were connected to and run in parallel on an AVR Arduino Mega 2560 Rev 3 Board [33]. We utilized a mixture of analog and digital devices. The initial data collection was run until 50K device states gathered to collect the patterns of device behaviors. The polled data was output into a file that stores the behavior of sensors and actuators as the environment changes were observed. We use the sensor data to generate a realistic trace through simulated devices that represent a range of activity in a smart home. We use this trace of sensor states as input to a trace-driven simulation, which simulates the behavior of eleven IoT applications (detailed below).

IoT Devices and Applications. We deployed six different types of sensors and two types of actuators, for a total of eight types of Arduino devices. Table VI presents the types of devices by ID, characteristics of each including the power consumption, read time for states, and the type of sensor output values. These devices are used in a simulated smart home environment where IoT applications are deployed. In the simulated environment, we deployed seven sensors, one for each type of sensors and also a replicated smoke detector. We also deployed 10 actuators of the two types, as our environment required a higher number of actuators than we had available in our lab. Table V shows the description of applications and devices used in each of them. These apps are selected to cover all spectrum of home environment functionality, including green living, convenience, home automation, security and safety, and personal care.

Fault Injection. In our evaluation, we use fault injection to evaluate the effectiveness of fault handling. There is an explosion of possible fault scenarios that can occur in an IoT environment due to the many factors that can influence a fault. Our fault injection aims to take into account these factors, including fault type, fault length, device type, whether a fault can be repaired automatically, the state of other devices when the fault occurs, and the events that occur during the fault’s presence. First, we inject faults evenly across all devices. Second, we specify that a fault can be repaired through software/hardware restarts, with equal chances.

The fault type, fault length, device states, and events are injected within reasonable distributions because these values impact the number of incorrect states that occurs from faults, rather than how the faults should be handled. After we have specified the fault injection parameters, we construct an input file that specifies when and what faults are injected and optionally when and what faults are removed in the trace. This allows our simulation to accept custom sets of faults to represent diverse IoT environments. Here, we generate permanent and transient faults based on the specifications of each evaluation (Section VII). Permanent faults are characterized through arrival time, length, type, and false value of every desired injected fault. For example, an injected fault entry, (1000, 0, UNFIXABLE, 1), injects a fault at the 1000th poll time into the motion sensor (with device ID 1), it cannot be repaired (UNFIXABLE), and it causes the devices to be stuck at value motion-detected (device state being 0). For transient faults, an additional line must be added, such as (2000, 0, NO_FAULT, 0), which removes the fault from the 0th device at poll time 2000. Faults are injected or removed at the beginning of each 1-second polling cycle before any application or handler code is run.

Fault Identification. As discussed earlier, IoTRepair is parameterized by a fault identification module. There are a wide array of identification algorithms available, discussed in Section IX. In our evaluation, we choose to use a perfect identification module that identifies faults instantly and correctly to show the maximum possible benefit of IoTRepair.

Vii Evaluation

We present our evaluation on the performance of IoTRepair’s fault-handling functions and automated handler (Section VII-A). Furthermore, we assess the effectiveness of IoTRepair through injecting single and multiple faults (Section VII-B). Finally, we evaluated the power consumption of each run, and found that IoTRepair reduced power consumption over not having any handler. The detailed results of power consumption evaluation can be found in Appendix  B.

We discuss a couple of notes before we proceed. First, unless otherwise specified, we assume that the smoke detector and smart lights have replicated devices. These devices were chosen to demonstrate device replication because smart homes are likely to deploy multiple such devices. Second, in our evaluation, we found that the fail-norm checkpoint is consistently the best match for all devices. We also found that several devices, such as the contact sensor, did not have sufficient correlation with other devices for an effective rollback. Therefore, we used fail-norm or no rollback accordingly across our devices.

Fig. 6: The numbers illustrate the avg. time for each function to execute in msecs. This time is averaged across simulated devices, possible function parameters, and runtime environments.

Vii-a Fault Handling Latency

In this experiment, we evaluate the latency of functions in IoTRepair’s fault-handling library and also the latency of its automated handler when using a specific fault-handling scheme. To get timing information, we examine the logic of a fault-handling function to track CPU operations and device interactions. Time spent on CPU operations is then calculated based on the processing speed of a representative SmartThings IoT Hub [34]. Time for device interactions is determined by device manuals for the simulated physical devices, or our implemented Arduino devices when datasheets are insufficient.

Function Timing.

For this evaluation, we analyzed our fault-handling functions to get the CPU operations and device interactions performed across all devices, parameters, and fault types. We then calculated the running time of each execution, and the mean and standard deviation across all executions of each function. We used permanent faults and short (under 1 second) transient faults to represent the most likely fault conditions. We also did not consider fault-identification time when calculating runtime as our work focuses on fault handling.

The results are illustrated in Figure 6. Retry takes the longest to execute because it always waits for either the duration of the fault, the device based timeout, or at least one read of the faulty device’s state to confirm that the fault is resolved. In an environment with longer fault durations and longer timeouts, retry’s runtime increases; for this reason, retry’s runtime has a large standard deviation. Conversely, checkpoint, and replicate’s runtime are mostly stable; their operations are independent of devices and fault type and are primarily composed of CPU operations. Actuation commands dominate Rollback’s runtime, and so the deviation is caused by how many devices require actuation to rollback to the selected checkpoint. In our example setup, the average number of actuations is 1.76; so the rollback time can increase for deployments with more devices. Software and hardware restart vary depending on device restart time and how many restart commands are sent. They vary a little across devices but do not vary much across system deployments, as most devices have similar restart times.

From these latencies, we find that all of our functions are fast enough to handle faults effectively. Reading a device state for most Arduino devices takes 6ms, and this is even longer in a real home deployment with distributed devices that must communicate over a network. This means most of our functions consistently take less time to execute than a device-state read.

Fig. 7: Avg. timings in msecs to illustrate how long each scheme takes to handle different types of faults, and how long each scheme takes to rollback.

Time to Handle Faults. We evaluated IoTRepair’s automated handler by organizing the fault-handling functions into the schemes defined in Section V-D. We calculated the running time across all possible permutations of devices, function parameters, fault types, and schemes to obtain the average time each scheme takes to handle each fault type. We aim at evaluating the completion time of schemes for different fault types such as power and hardware. The results are shown in Figure 7, where the average time to handle a fault is shown for each scheme, alongside the average time each scheme takes to rollback. Rollback is the only form of fault mitigation that takes significant time. The rollback time to complete is dependent on where in the scheme rollback is called and system factors such as the checkpoint list size; therefore, we show rollback time for each scheme separately. In the graph, optimal is the time it will take if fault-handling functions were chosen with perfect knowledge of the fault and system. Using the proper scheme can result in repairs or mitigation occurring over twice as fast. In the figure, power and communication faults are underlined in red since our handling techniques cannot repair the fault. In these cases, rollback time is more critical, as mitigation techniques can still remove some errors caused by faults. For these faults, the handling time is only an indication of how long it takes the handler to recognize that the fault is unfixable and notify the user. We also found that, for most cases, it may take 10ms or longer to handle the fault, so IoTRepair is most useful for faults that last longer than a few milliseconds. However, even for short faults, suppression and replication help mitigate errors.

Vii-B Effectiveness

To evaluate the effectiveness of IoTRepair, we measure the number of incorrect devices states that occur over executions. A device is in an incorrect state when it differs from the state it was in at that time in the faultless execution, for the same input. This metric is used to show the effectiveness of IoTRepair in reducing the effects of faults in devices. Note that this metric is a conservative definition since a fault handler may correct a device to a state acceptable to users even if it differs from the faultless execution state. However, we use the incorrect-state metric since it does not require an acceptable-state definition, which is user and application-specific.

For evaluation, we execute the simulation: a⃝ when no faults are present, b⃝ when faults occur without a fault-handling system, c⃝ when faults are addressed with device suppression, and d⃝ when IoTRepair handles faults. The baseline of the correct device states is obtained through the execution of a⃝. We evaluate the effectiveness of the four fault-handling schemes discussed in Sec. V-D, and compare the baseline with each experiment by computing the number of incorrect device states caused by the injected faults across each of the executions. The reduction in incorrect states towards execution a⃝ evaluates the effectiveness of each scheme’s fault handling. We detail our findings when a single fault and multiple faults occur and The Table  VII in appendix  A gives examples of injected faults in the system and their effects in each execution.

Fig. 8: The number of incorrect states in each execution type for Single and Multiple fault evaluations. The results show a significant decrease in incorrect states from No Handle and Suppression only to our fault handling schemes.

Single Faults. In our first effectiveness experiment, we consider single faults–when no more than one fault is in the system at any given time. This is typically caused in an IoT system when a single device runs out of battery, gets damaged by the environment, or experiences a communication interruption. The “Single” section of Figure 8 presents the number of incorrect states over different executions. The transient-resistant scheme was the most effective scheme for handling single faults. It shows a 63.51% decrease in incorrect states over no handler and a 60.43% decrease over device suppression; this represents significant mitigation of the effects of faulty devices. Other schemes, although performing slightly worse than the transient-resistant scheme, also show a significant improvement over the cases of no handler and suppression.

We found during our experiments that our fault-handling functions can cause incorrect states that are not present in the no-handler case. 22.84% of the incorrect states in the transient-resistant execution are caused by the handler and occur because of an incorrect rollback or because the system with no handler happens to be correct by coincidence. For the first reason, our rollback chooses a checkpoint most likely to be correct based on prior states and configuration, but this can cause incorrect states if the system was in an undesired state at the time the checkpoint was taken, or if the usual type of rollback for this device is wrong for the current fault or environmental conditions. For the second reason, the faulty state of a sensor may happen to match what the correct state should be, but IoTRepair decides to suppress events from faulty devices. An example of this is an error where the faulty temperature value causes the heater on, but during the time it takes IoTRepair to fix the fault, the temperature falls, changing the environment so that the heater being on is correct. In this case, the no-handler execution turning on the heater achieved the correct state while IoTRepair causes an incorrect state.

To conclude, the fault-handling functions reduce the incorrect states over device suppression and when no fault handling is used. For the incorrect states that the handler does not cause, the state cannot be corrected through any means we are aware of. This is because no handling function can perfectly solve a core device experiencing a permanent fault, and faulty states can occur after fault is identified, but before fault handling completes. For the incorrect states caused by IoTRepair, our evaluation shows that suppression and rollback remove many more incorrect states than they generate.

Multiple Faults. In our second set of experiments, we consider multiple faults—the case where there are two or more faulty devices in an IoT environment at a time. To do this, we inject additional faults into our single faults experiments to cause cases where possibly all devices can have fail-stop and non-fail stop faults simultaneously. We primarily inject fail-stop faults in this evaluation, because power outages and connection disruptions are common ways for multiple faults to occur at once. However, it is also possible for hazards in the environment to causes simultaneous non-fail stop faults, so we inject some non-fail stops as well in this evaluation.

Multiple device faults increase the incorrect states, cause more unreliability in devices, and cause our handling functions to be less effective. The “Multiple“ section in Figure 8 shows the number of incorrect states caused by multiple faults. This scenario decreases the reduction in incorrect states from the no-handle case; the transient-resistant scheme reduces the number of incorrect states by 36.68%. It still performs the best, but it showed less than a 1.00% improvement over the other schemes.

While multiple faults cause more incorrect states that can potentially be fixed, both our redundant device functions and rollback are less effective. Multiple faults can cause failures in redundant devices at the same time as the devices they are backing up. Also, checkpoints become less accurate for use in rollback, as faulty devices cannot be used when finding a matching checkpoint, thus increasing the number of possibly matching checkpoints to choose. Finally, as a system approaches total failure, partially successful handling may have a reduced effect or none at all. For example, multiple faults cause both the leak sensor and the alarm actuator to be faulty, affecting Apps 1-4,6,7,10. If only one of the devices were faulty, handling the fault would correct the state of the alarm. With both devices being faulty, correcting only one device has no impact on the alarm’s correctness. Therefore, the more concurrent faults in the system, the less impact a fault handler will have. Even so, in this worst-case, IoTRepair still substantially reduces the effects of faults.

Cascading Faults. Our applications are susceptible to cascading faults—which are cases where a fault in one device causes incorrect states in a second device through inter-application interactions. These cascading faults can be unpredictable because the application that places a device in a faulty state might not directly utilize the value of the faulty device, and the application interaction may not even be intended. For example, a temperature sensor becoming stuck at a low temperature causes the following sequence of events and actuations in App3, App7, and App11:

heater-offApp3: heater-on App7:close-window

which contradicts another completely separate sequence:

window-closedApp11: open-window

In this example, App7 causes the window to close as a cascading result of App3’s action responding to a fault in the temperature sensor. This contradicts App11, which dictates that the window should be open due to the current time. Because of this, even if the temperature sensor is repaired, the system may not return to the proper state. The complicated inter-application relationship of cascading faults lends additional value to our environmental functions. For instance, since rollback considers the entire system state when choosing a checkpoint, it recognizes that the heater should be off and windows should be open, correcting the fault.

Viii Limitations and Discussions

The evaluation of the effectiveness of IoTRepair’s fault handling is limited for several reasons. First, for every run, every device used the same scheme. This means that device-based differences in optimal schemes are not shown to their full effect, as improvements in one device could be canceled out by another device that performs better under a different scheme. Second, we did not design our experiments to target the key distinguishing features of the schemes, such as adding frequent short transient faults to thwart the transient-resistant scheme or adding metrics to represent time sensitivity. Lastly, as indicated in our implementation, the randomness in fault injection, while necessary for practical evaluation, also causes fluctuation in results between device executions. This may cause the most effective scheme to change between executions. We plan to conduct more extensive experiments in a simulated IoT testbed to cover various IoT device failures through injecting more targeted faults with different types and sequences.

We restrict our evaluation to a moderate set of IoT devices and applications. It allows more tractable outputs to evaluate our fault-handling functions and the effect of faults. More sophisticated systems with a diverse set of devices and apps, especially in the settings of industrial IoT and automobiles, would allow for a more thorough evaluation. For instance, the increase in the number of devices would lead to more cascading faults, as well as increasing the probability of device correlation and allowing some of our underutilized functions such as device redundancy to be more effective. This would also allow for suppression of entire apps to be effective, as the primary use of this technique is to stop cascading faults.

Ix Related Work

We present related work on recent literature that explores fault identification and handling in IoT systems.

Fault Identification. Fault identification techniques aim to determine the presence of a fault and determine the faulty device and type. We characterize the fault identification techniques for IoT systems into three groups. First, network traffic-based techniques analyze sensor data packets to detect faults [35, 36]. Network-level techniques are effective at identifying fail-stop failures but ignore non-fail-stop faults. Second, redundant sensor-based techniques use data from multiple homogeneous sensors and exploit the fact that spatial sensing of close sensors should yield similar sensor states [37, 7, 2]. However, these systems are costly due to the requirement of multiple sensors and, more importantly, ineffective when considering that simultaneous sensor faults are common in IoT. Lastly, sensor-based techniques use data obtained from various types of sensors for fault identification. These techniques apply to environments such as smart homes where various sensors states are available and often correlated [8, 12, 11]. While these techniques differ in scope, precision, and methodology, they limit their analysis to sensors that have binary readings and do not identify fault types.

Fault Handling. Very little work has been done in fault handling in IoT systems. The explored techniques often aim at specific environments and faults. A fault-tolerant technique [14] for redundancy-free UAV sensors use imperfect replication to allow near-correct device operation in the presence of a sensor failure. While this work poses a good argument for the value of imperfect replication, the functions are specific to UAV sensors and do nothing to repair faults. Rivulet [9] aims at removing the edge device as a single point of failure to mitigate connection faults by distributing communication to devices. The core drawback of this technique is that it does not handle the far more common sensor and actuator faults. Transactuations is a fault-handling technique introduced in [15] to address some flaws that transactions have in IoT environments. This enhanced technique better prevents physical device states from losing synchronization with software variables. While this is useful for preserving dependencies, it does nothing to repair faults and cannot correct errors that occur before the fault is detected. To the best of our knowledge, no current techniques develop a fault handler for diverse IoT device failures and bundles fault identification and fault handling to mitigate faults.

X Conclusions

We presented IoTRepair111An extended version of this paper is available with substantially more methodology description, performance evaluation details, and commentary [38]., a novel fault handler for IoT deployments in the form of a flexible library that integrates with edge devices and can be customized to meet the requirements for diverse environments. IoTRepair is organized by a set of schemes to fit the handler to different deployments, and uses runtime redundant device detection and fault history to autonomously adapt to the devices and faults in the environment. With a good identification module, IoTRepair could remove more than 50.01% or more of errors caused by faults.

Appendix A Safety and Security Examples

[b] ID App ID Fault Description Implication of Faults on IoT environment

1
App1 Motion sensor fails to report its state

1
Light is off when the user is in the room

2
Light is on when the user is not in the room

3
Light is on when the user is in the room and off when not
App2 Smoke detector stuck at smoke-detected

1
Alarm sounds and door is unlocked when there is no smoke

2
and

3
Alarm is off and door is locked when there is no smoke
App3 Temperature sensor fails to report its state

1
Heater is on when it is warm and AC is off when it is too hot

2
and

3
Heater is off when it is too cold and AC is off when it is too hot
App4 Leak-detector stuck at leak-not-detected

1
Alarm is off when there is a water leak

2
Alarm sounds briefly when there is no leak

3
Alarm sounds when there is a leak and off when there is no water leak
App5 Door lock fails to report or change its state

1
Door is unlocked when the user is not home

2
and

3
Door is unlocked when the user is not home
App6 Presence sensor stuck at not-present

1
and

2
Several SMS sent to users about insecure patio when they are home

3
No SMS sent to users about insecure patio when they are home
App7 Window opener stuck at window-open

1
and

2
Window is open when heater or air conditioner is active

3
Window is briefly open when heater or air conditioner is active
App4 Watervalve actuator stuck at open

1
and

2
Watervalve is open when there is a leak

3
Watervalve is briefly open when there is a leak
App9 Motion sensor stuck at motion-inactive

1
,

2
and

3
SMS is not sent when motion is active and user is not home
App2,10 Smoke detector stuck at smoke-detected

1
and

2
Alarm is on, door is unlocked, and lights flash when there is no smoke

3
Alarm is off, door is locked, and lights are off when there is no smoke

2
App 1,5,6,8-11 Presence sensor stuck at user-home, and light switch stuck at on

1
and

2
Door is unlocked and window is open when the user is not home (App8), SMS is failed to notify user when there is movement at patio (App6) and in the house when user is away (App9), light switch is on when there is no alarm (App10) and user is not in the room (App1)

3
Door is unlocked when user is not home (App8), SMS fails to send when there is movement on the patio (App6) and movement in the house when user is away (App9), window is closed at user-specified time (App11)
App1,3,9 Motion sensor stuck at motion-inactive, AC stuck at on, heater fails to report its state

1
and

2
SMS is not sent when motion is active while user is not home (App9), light-switch off when user is in a room (App1), air conditioner on when temp is too low (App3), heater is off when temp is too low (App3)

3
Light switch is off when user is in room(App1), AC on while temperature is too low (App3)
App1-4,6,7,10 Temp sensor and contact sensor fails to report its state, leak detector and light switch stuck at leak detected and on, alarm stuck at off

1
and

2
Alarm is off when there is a leak (App4) and when there is smoke (App2), SMS is not sent to the user when there is activity at patio (App6), light switch is on when there is no alarm (App10) and when user is not in the room (App1), heater is off when temperature is too low and air conditioner is off when temperature is too high(App3)

3
Alarm off when there is a leak (App4) and when there is smoke (App2)

3
App3,7,11 Temp sensor stuck at a low temp value The low temp sensor causes the heater on by App3, even when the real temperature is high. The heater being on then causes the window to close due to App7, but the window was supposed to be open due to App11.
App1,2,10 Smoke detector stuck at smoke-detected state App2 turns on alarm when smoke is detected, which then causes App10 to turn on the lights, but the lights should be off because of the App1.

  • 1

    is for single faults,

    2
    is for multiple faults, and

    3
    is for cascading faults.

  • 1

    is without fault handling,

    2
    uses device suppression, and

    3
    uses conservative fault handling scheme.

TABLE VII: Examples of various faults, their impact IoT environments, and results of fault handling schemes.

Table VII

1
presents examples of single device faults for each IoT App. For instance, A failure in window opener in App7, Energy-Saver, causes the window to be open incorrectly for 1,620 polls, but the fault handler corrects the state after 300 polls, reducing incorrect states by 81.48%.

In Table VII

3
, we show two cascading faults that each involve three different applications.

Appendix B Power Consumptions Evaluation

Fig. 9: Power overhead of Fault Handling: Consumed energy from events, actuations, and restarts across no-handle, suppression, and schemes for our evaluations.

In this set of experiments, we tracked how many events occurred, actuations were performed, and restarts were issued with and without fault handling. We then convert these metrics into the power cost of each action to get the power overhead of each execution in the evaluations. We found that power overhead for IoTRepair is negligible. In Figure 9, we show the power consumption of each experiment execution. In single fault evaluation, the worst scheme reduces power consumption from no handler by 64.23%. Multiple faults has a worst case of 89.36% decrease in power consumption from no handle to scheme. This decrease in power consumption is because faults cause many unnecessary events and actuations, and fault handling reduces these by suppressing and repairing the faulty devices. Relative to the power consumption caused by unhandled faults, the additional power for restarts and functions like rollback are minor. Similar to the effectiveness evaluations Overall, we find that our power overhead of our functions is small and insignificant compared to the power consumption generated by unhandled faults.

References

  • [1] T. W. Hnat, V. Srinivasan, J. Lu, T. I. Sookoor, R. Dawson, J. Stankovic, and K. Whitehouse, “The hitchhiker’s guide to successful residential sensing deployments,” in Conference on Embedded Networked Sensor Systems, 2011.
  • [2] A. B. Sharma, L. Golubchik, and R. Govindan, “Sensor faults: Detection methods and prevalence in real-world datasets,” ACM Transactions on Sensor Networks (TOSN), 2010.
  • [3] R. Szewczyk, J. Polastre, A. Mainwaring, and D. Culler, “Lessons from a sensor network expedition,” in European Workshop on Wireless Sensor Networks, 2004.
  • [4] K. Ni, N. Ramanathan, M. N. H. Chehade, L. Balzano, S. Nair, S. Zahedi, E. Kohler, G. Pottie, M. Hansen, and M. Srivastava, “Sensor network data fault types,” ACM Transactions on Sensor Networks (TOSN), 2009.
  • [5] D. Terry, “Toward a new approach to IoT fault tolerance,” IEEE Computer, 2016.
  • [6] J. Choi, H. Jeoung, J. Kim, Y. Ko, W. Jung, H. Kim, and J. Kim, “Detecting and identifying faulty IoT devices in smart home with context extraction,” in Dependable Systems and Networks (DSN), 2018.
  • [7] L. Fang and S. Dobson, “Unifying sensor fault detection with energy conservation,” in Workshop on Self-Organizing Systems, 2013.
  • [8] S. Munir and J. A. Stankovic, “Failuresense: Detecting sensor failure using electrical appliances in the home,” in IEEE Mobile Ad Hoc and Sensor Systems, 2014.
  • [9] M. S. Ardekani, R. P. Singh, N. Agrawal, D. B. Terry, and R. O. Suminto, “Rivulet: a fault-tolerant platform for smart-home applications,” in ACM Middleware Conference, 2017.
  • [10] P. K. Choubey, S. Pateria, A. Saxena, S. Vaisakh Punnekkattu Chirayil, K. K. Jha, and P. Sharana Basaiah, “Power efficient, bandwidth optimized and fault tolerant sensor management for iot in smart home,” in IEEE International Advance Computing Conference (IACC), 2015.
  • [11] K. Kapitanova, E. Hoque, J. A. Stankovic, K. Whitehouse, and S. H. Son, “Being smart about failures: assessing repairs in smart homes,” in ACM Conference on Ubiquitous Computing, 2012.
  • [12] P. A. Kodeswaran, R. Kokku, S. Sen, and M. Srivatsa, “Idea: A system for efficient failure management in smart iot environments,” in ACM MobiSys, 2016.
  • [13] P. H. Su, C.-S. Shih, J. Y.-J. Hsu, K.-J. Lin, and Y.-C. Wang, “Decentralized fault tolerance mechanism for intelligent iot/m2m middleware,” in World Forum on Internet of Things (WF-IoT), 2014.
  • [14] Z. Tu, F. Fei, M. Eagon, X. Zhang, D. Xu, and X. Deng, “Redundancy-free UAV sensor fault isolation and recovery,” arXiv preprint:1812.00063, 2018.
  • [15] A. Sengupta, T. Leesatapornwongsa, M. S. Ardekani, and C. A. Stuardo, “Transactuations: where transactions meet the physical world,” in USENIX Annual Technical Conference, 2019.
  • [16] D. G. Padmavathi, M. Shanmugapriya et al., “A survey of attacks, security mechanisms and challenges in wireless sensor networks,” arXiv preprint arXiv:0909.0576, 2009.
  • [17] T. Kavitha and D. Sridharan, “Security vulnerabilities in wireless sensor networks: A survey,” information Assurance and Security, 2010.
  • [18] A. S. Tanenbaum and M. Van Steen, Distributed systems: principles and paradigms.    Prentice-Hall, 2007.
  • [19] “Samsung SmartThings add a little smartness to your things,” https://www.smartthings.com/, 2018, [Online; accessed 9-August-2018].
  • [20] “OpenHAB: Open source automation software,” https://www.openhab.org/, 2018, [Online; accessed 9-Aug-2018].
  • [21] “Vera Control: Smart home control,” https://support.getvera.com/customer/en/portal/articles/1710500-plugin-development, 2018, [Online; accessed 15-August-2018].
  • [22] “Apple: Homekit,” https://developer.apple.com/homekit/, 2018, [Online; accessed 15-August-2018].
  • [23] “Wink: A simpler smart home,” https://winkapiv2.docs.apiary.io/#reference/a-restful-service, 2018, [Online; accessed 15-August-2018].
  • [24] “Google: Android things,” https://developer.android.com/things/, 2018, [Online; accessed 15-August-2018].
  • [25] “IoTivity,” https://iotivity.org/, 2018, [Online; accessed 15-Aug-2019].
  • [26] “KaaIoT,” https://kaaproject.org/, 2018, [Online; accessed 15-Aug-2019].
  • [27] “Samsung SmartThings developer documentation,” https://docs.smartthings.com/, 2018, [Online; accessed 14-August-2018].
  • [28] A. D. Kshemkalyani and M. Singhal, Distributed computing: principles, algorithms, and systems.    Cambridge University Press, 2011.
  • [29] Z. Zheng and M. R. Lyu, “Selecting an optimal fault tolerance strategy for reliable service-oriented systems with local and global constraints,” IEEE Transactions on Computers, 2015.
  • [30] J. Han, A. J. Chung, M. K. Sinha, M. Harishankar, S. Pan, H. Y. Noh, P. Zhang, and P. Tague, “Do you feel what I hear? enabling autonomous iot device pairing using different sensor types,” in IEEE Symposium on Security and Privacy (SP), 2018.
  • [31] “Honeywell z-wave thermostat,” https://tinyurl.com/yyzknakl, 2017, [Online; accessed 22-April-2019].
  • [32] F. Kong, M. Xu, J. Weimer, O. Sokolsky, and I. Lee, “Cyber-physical system checkpointing and recovery,” in International Conference on Cyber-Physical Systems (ICCPS), 2018.
  • [33] “Arduino mega 2560 rev3,” https://store.arduino.cc/usa/mega-2560-r3, 2019, [Online; accessed 19-April-2019].
  • [34] “Smarthings hub,” https://www.smartthings.com/products/smartthings-hub, 2018, [Online; accessed 10-September-2019].
  • [35] N. Ramanathan, K. Chang, R. Kapur, L. Girod, E. Kohler, and D. Estrin, “Sympathy for the sensor network debugger,” in ACM International conference on Embedded networked sensor systems, 2005.
  • [36] J. Ye, S. Dobson, and S. McKeever, “Situation identification techniques in pervasive computing,” Pervasive and mobile computing, 2012.
  • [37] I. M. Atakli, H. Hu, Y. Chen, W. S. Ku, and Z. Su, “Malicious node detection in wireless sensor networks using weighted trust evaluation,” in Simulation multiconference, 2008.
  • [38] A. Authors, “IoTRepair: Extended version,” https://tinyurl.com/y4wzu4zr, 2019.