Resilience in System Design Quiz

Questions and Answers

What is the main cause of the tipping-point situations described in the text?

Sudden external events that impact the system

Gradual accumulation of complexity in the system (correct)

Intentional changes made to the system

Lack of proper testing and review processes

What was the root cause of the major failure in the Debian OpenSSL library?

Removal of two lines of code to eliminate Valgrind warnings (correct)

A bug introduced in 2006 that was discovered later

Weak cryptographic key generation due to limited seed values

Insufficient testing and review of the code changes

What is the key lesson from the Google/YouTube example described in the text?

Proper testing and review processes are essential to prevent failures

Reliance on third-party libraries can introduce hidden risks

Even small changes can have unintended consequences at scale (correct)

Logging and monitoring are critical for identifying system issues

Which of the following is the best way to assess the risk of system failures due to complexity?

Proactively simplify the system by removing unnecessary complexity

What is the primary design consideration highlighted in the text to improve system reliability?

Minimizing complexity and inadvertent accumulation of changes

What was the primary reason for the service outage described in the text?

The engineers initially inserted the smart cards into the reader incorrectly.

Which of the following design considerations is highlighted as a challenge in the text?

Balancing reliability and security in the system design.

What risk assessment strategy did the engineers in Australia employ when they could not access the safe?

They decided a brute-force approach with a power drill was warranted.

What was the cryptic error message displayed when the engineers tried to restart the service?

'The password could not load any of the cards protecting this key.'

What was the ultimate cause of the service outage described in the text?

The engineers were initially inserting the smart cards into the reader incorrectly.

What was the primary cause of the cascading failures in the internal password manager service?

A large spike in traffic due to a password change announcement

What design flaw contributed to the failure of the password manager service?

Insufficient load testing for high traffic scenarios

What should have been done to prevent the failure of the password manager service?

Increase the number of replicas for better load distribution

What risk was introduced by the reliance on a hardware security module (HSM) for the password manager service?

The HSM could be difficult to replace or upgrade

What was the ultimate solution to recover from the failure of the password manager service?

Using a power drill to physically access the server

What is the primary cause of the global service outage described in the text?

A memory utilization problem

Which of the following is NOT a recommended approach for achieving resilience in a system?

Relying solely on the resilience of individual components

What is the purpose of implementing distinct failure domains in a system design?

To limit the impact of failures by rerouting requests

What is the concept of "defense in depth" in the context of system design?

Applying multiple, sometimes redundant, defense mechanisms

Which of the following statements about risk assessment in complex systems is true, according to the text?

Once a system becomes sufficiently complex, it is difficult to demonstrate that the entire system is immune to compromise

Study Notes

Complexity and Reliability

• Complexity can accumulate inadvertently, leading to tipping-point situations where a small change has major consequences for a system's reliability or security.
• Example: A bug in the Debian GNU/Linux version of the OpenSSL library introduced in 2006, which was only fixed almost two years later, caused a major failure in cryptographic keys.

OpenSSL Bug Example

• A developer removed two lines of code to eliminate warnings from Valgrind, a debugging tool.
• This caused OpenSSL's pseudo-random number generator to only be seeded with a process ID, which was limited to a number between 1 and 32,768.
• As a result, brute force could easily break cryptographic keys.

YouTube Outage Example

• In October 2018, a small change in a generic logging library caused YouTube to be down globally for more than an hour.
• The change was intended to improve the granularity of event logging but had unintended consequences at YouTube scale.
• The change caused YouTube servers to run out of memory and crash.

Smart Card Fiasco

• A Google service failed to restart due to a password manager issue.
• The solution required a smart card stored in a safe in a different location.
• The engineer in Australia couldn't open the safe, and the engineer in California had to retrieve the card.
• The service still failed to restart, and the team eventually used a power drill to open the safe.

Reliability and Security

• Reliability and security are crucial components of a trustworthy system.
• Building systems that are both reliable and secure is difficult.

Password Manager Failure

• An innocent Google-wide announcement caused a series of cascading failures in an internal password manager.
• The failure was caused by a spike in traffic, which the password manager couldn't handle.
• The load balancer diverted traffic to a secondary replica, which also failed.
• The on-call engineer didn't know how to restart the service, leading to a global outage.

Resilience

• Systems should be designed to be resilient under adverse or unexpected circumstances.
• Resilience can be achieved by shedding load or reducing processing costs.
• Redundancy and distinct failure domains can limit the impact of failures by rerouting requests.
• Defense in depth and distinct failure domains can increase reliability.

Description

Test your knowledge on designing resilient systems to withstand unexpected circumstances and prevent global service outages. This quiz covers concepts such as handling high load, component failures, and ensuring system reliability.