The philosophy behind the acceptability-oriented computing project is to enhance flawed computer systems to ensure that they respect basic acceptability properties. Some acceptability properties might capture essential safety requirements (for example, the system must never accelerate the vehicle beyond a specified velocity), others capture basic system goals (for example, the system should continue to execute even if it has a memory error). Our OOPLA 2003 Onward! paper presents the basic philosophy and provides several examples of how developers might implement components that enforce acceptability properties.
Failure-oblivious computing is an instance of acceptability-oriented computing. The basic idea behind failure-oblivious computing is to change the behavior of the program to make it execute through memory errors without memory corruption - in other words, to make the program oblivious to its failure to access memory correctly. We have implemented a C compiler that generates failure-oblivious code - it augments the generated code with bounds checks that detect attempts to access memory that beyond the bounds of the accessed memory allocation unit. The bounds checks discard out of bounds writes and synthesize values for out of bounds reads. Our experimental results show that this technique enables a range of servers to execute successfully through attacks that trigger otherwise fatal memory errors. A side effect is that the servers are also immune to buffer-overflow attacks that exploit memory errors. See our OSDI 2004 paper for more information.
One of the basic principles behind acceptability-oriented computing is that complex computer systems should have a natural resilience to errors, but this resilience has been explicitly removed by attempts to make programs fail at the first sign of an error. One of goals of our ongoing research project is to develop new mechanisms that help deployed programs execute successfully through errors. The ideal end result will be more robust and resilient computer systems.