evaluating bft protocols for spire
play

Evaluating BFT Protocols for Spire Henry Schuh & Sam Beckley - PowerPoint PPT Presentation

Dec 18, 2023 •483 likes •1.01k views

Evaluating BFT Protocols for Spire Henry Schuh & Sam Beckley 600.667 Advanced Distributed Systems & Networks SCADA & Spire Overview High-Performance, Scalable Spire Trusted Platform Module Known Network Characteristics

  1. Evaluating BFT Protocols for Spire Henry Schuh & Sam Beckley 600.667 Advanced Distributed Systems & Networks

  2. • SCADA & Spire Overview • High-Performance, Scalable Spire • Trusted Platform Module • Known Network Characteristics • Evaluating BFT-SMART • Benchmarking Results • Conclusions

  3. Power Grid Overview

  4. SCADA Overview

  5. SCADA Requirements • Must have very low latencies (100-200ms) • Must have very high reliability • Must be able to run for decades

  6. SCADA Adopting IP & Internet • In the past SCADA used proprietary protocols on air gapped systems • Now moving to both IP & the Internet to reduce costs

  7. “These devices were not only internet facing, they did not have 
 security mechanisms to prevent unauthorized access” - Trend Micro Incorporated, Who’s Really Attacking Your ICS Systems

  8. 
 Attacks on SCADA Systems 28 Days: 39 Attacks 
 All targeted specifically at SCADA systems 
 The first attack was within 18 hours of the honeypot going live Source: Trend Micro Incorporated, Who’s Really Attacking Your ICS Systems

  9. 
 Distributed Replication • Several machines that coordinate their actions such that they appear to be a single unified machine to a client. 
 Pros: High Availability and Performance 
 Cons: Cost of Synchronization

  10. 
 Intrusion Tolerant Replication Somewhat Formally: The ability to make progress in the presence of some number of malicious replicas with guaranteed correctness. Some protocols also guarantee a level of performance under attack. Informally: If some of the replicas get hacked the system still works.

  11. Defense Across Space & Time Defense Across Time: Have to periodically regain control of a compromised machine to stop the attacker from eventually gaining control of the entire network. Defense Across Space: Every replica must present a unique attack surface so that one attack cannot be used to compromise every replica.

  12. • SCADA & Spire Overview • High-Performance, Scalable Spire • Trusted Platform Module • Known Network Characteristics • Evaluating BFT-SMART • Benchmarking Results • Conclusions

  13. Spire Open Source SCADA system that provides both standard crypto defense mechanisms as well as an intrusion tolerant SCADA Master. Spire uses several different technologies • Prime • Spines • PVBrowser

  14. Spire Internal Spines Network SCADA SCADA SCADA SCADA Master Master Master Master Prime Prime Prime Prime External Spines Network RTU / PLC RTU / PLC pvbrowser HMI Proxy Proxy RTU PLC

  15. Scaling Spire In order to tolerate more intrusions we need more replicas The more replicas, the higher the latency becomes We rely on having very low latency

  16. Our Mission Find a way to make Spire more scalable, to allow for more replicas, and thus more intrusions

  17. 3 Angles of Attack Trusted Hardware - using a TPM Taking Advantage of Known Network Characteristics Hierarchy of Protocols

  18. • SCADA & Spire Overview • High-Performance, Scalable Spire • Trusted Platform Module • Known Network Characteristics • Evaluating BFT-SMART • Benchmarking Results • Conclusions

  19. Trusted Platform Module Specialized chip that holds a secret key and can perform cryptographic functions for the rest of the machine The key never leaves the TPM Too slow :’(

  20. • SCADA & Spire Overview • High-Performance, Scalable Spire • Trusted Platform Module • Known Network Characteristics • Evaluating BFT-SMART • Benchmarking Results • Conclusions

  21. Leverage Network Characteristics SCADA deployments are static and predictable Most importantly, we know: • Geographically close - low latency communication • Consistent number of clients and messaging pattern

  22. The Three BFT Protocol Families PBFT Spinning Prime

  23. PBFT PBFT Spinning Prime

  24. 
 PBFT When the leader fails we must perform a “view change” This is by far the most expensive operation in PBFT 
 “[The view change] is the Achilles Heel” -Yair Amir

  25. Spinning Every ordering is done by a different leader A bad leader can delay exactly one ordering before it is evicted from the protocol

  26. Prime Designed to remove load from the leader to allow for many clients without performance degradation Performs one ordering every X milliseconds

  27. Prime

  28. • SCADA & Spire Overview • High-Performance, Scalable Spire • Trusted Platform Module • Known Network Characteristics • Evaluating BFT-SMART • Benchmarking Results • Conclusions

  29. BFT-SMART Implements “ Yet Another Visit to Paxos” protocol 
 • (IBM Zurich) in Java Modular, multi-threaded server replicas • Standard BFT message pattern • Modern protocol with ongoing development •

  30. Multithreaded Design Request Request Service Reply Client Request Server Reply Timer Thread 1 Replica Thread Thread Message Leader Processor Thread Thread … … Sender Sender Receiver Receiver Thread 1 Thread n-1 Thread 1 Thread n-1 Server Consensus Communication

  31. BFT-SMART and Performance Attacks Consensus relies on leader to order messages • A malicious leader could delay progress • Timeouts limit the leader’s worst-cast performance • Propose (Pre-Prepare) Pre-Prepare Client Malicious Delay Malicious Delay 0 Leader (primary) Replica 1 1 Replica 2 2 Replica 3 3

  32. • SCADA & Spire Overview • High-Performance, Scalable Spire • Trusted Platform Module • Known Network Characteristics • Evaluating BFT-SMART • Benchmarking Results • Conclusions

  33. Simulating a SCADA Network 3 replicas per site n = 12 NYC f = 3 4ms 4ms 3ms JHU SVG 3ms 2ms 2ms WAS

  34. Normal-Case Latency Mean Latency vs. Number of Clients Me 45 40 35 30 Mean Latency (ms) 25 20 15 10 5 0 0 10 20 30 40 50 60 70 80 90 100 Number of Clients BFT-SMART Prime

  35. Normal-Case Latency • Significantly lower with BFT-SMART, but increasing with number of clients • Matches expectations given fewer consensus rounds • Constant with Prime, due to batch ordering on a preset interval of 20ms

  36. Performance Attack Latency Tested 4 timeouts, chosen based on normal performance • 1. 8ms (aggressive) 2. 10ms (conservative)

  37. Performance Attack Latency Tested 4 timeouts, chosen based on normal performance • 1. 8ms (aggressive) 2. 10ms (conservative) 3. 16ms (aggressive, forwarding request at 8ms) 4. 20ms (conservative, forwarding request at 10ms)

  38. Performance Attack Latency • Developed a malicious replica to delay sending pre-prepare messages as leader • Experimentally maximized delay up to each view change timeout • Measured worst-case latency seen by client under this condition

  39. Performance Attack Latency Measured Latency vs. Timeout Me 35 30 Mean Worst-Case Latency (ms) 25 20 15 10 5 0 5 7 9 11 13 15 17 19 21 23 Pre-Prepare Timeout (ms) Worst-Case Latency Normal Latency

  40. Performance Attack Latency • With a tight timeout, performance degradation is minimal • With a conservative timeout, performance degradation approaches 50% (26ms latency) • In either case, lower than normal-case Prime and exceeds the required performance • This performance attack would not pose a risk to the SCADA system

  41. View Change 50-70ms depending on number of pending requests • Slow due to unoptimized serialization, data structures, taking up • to 40ms Sequential view changes are an issue with multiple faulty replicas • With f ≥ 3 , view change must be improved to meet the • 200ms requirement Prime view changes are on the order of 60-90ms •

  42. Scalability Overhead LA LAN La Latency vs. Number of Replicas 600 500 400 Latency (µs) 300 La 200 100 0 0 5 10 15 20 25 Nu Number of replicas (n)

  43. Scalability Overhead • Shows the computational overhead of increasing n • Latency appears linear with n , and grows at a reasonable rate • Actual latency determined by location of added replicas • Another geographic site vs. more replicas 
 per site

  44. • SCADA & Spire Overview • High-Performance, Scalable Spire • Trusted Platform Module • Known Network Characteristics • Evaluating BFT-SMART • Benchmarking Results • Conclusions

  45. BFT-SMART: Pros & Cons PROS • Lightweight protocol & implementation • Possible to apply aggressive timeout • Low normal-case latency • Support for dynamic state transfer, reconfiguration/recovery CONS • Latency increases with number of clients, concurrent requests • High view change cost • Java implementation

  46. Prime: Pros & Cons PROS • Leader is not burdened by client requests • Bounded performance guarantee under attack • Latency remains constant as number of clients increases • Measurements performed so replicas can adapt to network conditions CONS • 2 more consensus rounds per ordering • High view change cost • Significantly higher normal-case latency

  47. Conclusions • Strict limit on performance attacks possible with a lightweight protocol and bounded network latencies • View change still a high cost, but could be optimized • A viable path to scaling Spire • However, BFT-SMART introduces some new issues

Recommend

SCIMP 2014 Peter Martin/Eddie Adie SPIRE Project Team Workshop Format 1. Update on Progress

SCIMP 2014 Peter Martin/Eddie Adie SPIRE Project Team Workshop Format 1. Update on Progress

SCIMP 2014 Peter Martin/Eddie Adie SPIRE Project Team Workshop Format 1. Update on Progress with the SPIRE Project 2. Demonstration of the software that will support SPIRE SPIRE 3. Questions /Discussion High-Level Objectives To provide

575 views • 31 slides
Evaluating PoW Consensus Protocols' Security Ren Zhang Bart Preneel ren@nervos.org

Evaluating PoW Consensus Protocols' Security Ren Zhang Bart Preneel ren@nervos.org

Lay Down the Common Metrics Evaluating PoW Consensus Protocols' Security Ren Zhang Bart Preneel ren@nervos.org bart.preneel@esat.kuleuven.be @nirenzang PUBLISH OR PERISH SUBCHAINS BYZCOIN GOSHAWK TORTOISE AND HARES BITCOIN-NG (AETERNITY,

446 views • 27 slides
An Extensible Platform for Evaluating Security Protocols Seny Kamara joint with L. Ballard, R.

An Extensible Platform for Evaluating Security Protocols Seny Kamara joint with L. Ballard, R.

An Extensible Platform for Evaluating Security Protocols Seny Kamara joint with L. Ballard, R. Caudy, D.Davis, F. Monrose Outline Objectives High-level architecture Plugin architecture Case studies Objectives Security

1k views • 47 slides
Among 27,438 High Risk Patients The SPIRE 1 and SPIRE 2 Cardiovascular Outcome Trials Paul M

Among 27,438 High Risk Patients The SPIRE 1 and SPIRE 2 Cardiovascular Outcome Trials Paul M

Lipid Lowering Efficacy of Bococizumab Among 4,449 High Risk Patients The SPIRE Lipid Lowering Trials Safety and Cardiovascular Efficacy of Bococizumab Among 27,438 High Risk Patients The SPIRE 1 and SPIRE 2 Cardiovascular Outcome Trials Paul

732 views • 27 slides
Sustainable Process Industries SPIRE Prparation de l a ppel 2015 Pierre Fiasse 4/06/2014

Sustainable Process Industries SPIRE Prparation de l a ppel 2015 Pierre Fiasse 4/06/2014

Sustainable Process Industries SPIRE Prparation de l a ppel 2015 Pierre Fiasse 4/06/2014 1 Objectifs du workshop Appel SPIRE 2015 77 M 4 Topics ouverts, publis Deadline : le 9 dcembre 2014 Consortium :

826 views • 44 slides
ATTACK-AWARENESS FOR SPIRE (INTRUSION-TOLERANT SCADA) Tiger Gao, Dan Qian, Elaine Wong, &

ATTACK-AWARENESS FOR SPIRE (INTRUSION-TOLERANT SCADA) Tiger Gao, Dan Qian, Elaine Wong, &

ATTACK-AWARENESS FOR SPIRE (INTRUSION-TOLERANT SCADA) Tiger Gao, Dan Qian, Elaine Wong, & Jason Wong 1. BACKGROUND What is Spire? What is SCADA? What is SCADA? Supervisory Control and Data Acquisition Allows for centralized

530 views • 18 slides
Spire ENERGY EFFICIENCY PORTFOLIO 1 Sp ir e | E n er gy E fficien cy We see no lim it to what

Spire ENERGY EFFICIENCY PORTFOLIO 1 Sp ir e | E n er gy E fficien cy We see no lim it to what

Spire ENERGY EFFICIENCY PORTFOLIO 1 Sp ir e | E n er gy E fficien cy We see no lim it to what our energy can do for you. We serve to enrich the lives of our 1.7 m illion custom ers across Missouri, Mississippi and Alabama. Our mission:

338 views • 13 slides
Too perfect? Where are the fluctuations? Gil Holder Herschel (Spire) 100 sq deg with full

Too perfect? Where are the fluctuations? Gil Holder Herschel (Spire) 100 sq deg with full

Too perfect? Where are the fluctuations? Gil Holder Herschel (Spire) 100 sq deg with full overlap with SPT deep field (23h30,-55d) 250,350,500 um Clustering of Galaxies: Projected sky maps of large scale structure have ~1-10%

219 views • 19 slides
DASHED LINE REPRESENTS AREA OF WORK F U L T O N S T R E E T BROADWAY TOP OF SPIRE

DASHED LINE REPRESENTS AREA OF WORK F U L T O N S T R E E T BROADWAY TOP OF SPIRE

CHURCH STREET V E S E Y S T R E E T DASHED LINE REPRESENTS AREA OF WORK F U L T O N S T R E E T BROADWAY TOP OF SPIRE TOP OF SPIRE EL +205'-8" EL +205'-8" RIDGE OF MAIN ROOF RIDGE OF MAIN ROOF EL

642 views • 12 slides
Application-Layer Protocols: The World-Wide Web (HTTP) Reliable file transfer (FTP) The

Application-Layer Protocols: The World-Wide Web (HTTP) Reliable file transfer (FTP) The

COMP 431 Application-Layer Protocols Internet Services & Protocols Outline application application transport network Example client/server systems and link their application-level protocols: physical Application-Layer Protocols:

432 views • 10 slides
Application-Layer Protocols The World-Wide Web (HTTP) Reliable file transfer (FTP)

Application-Layer Protocols The World-Wide Web (HTTP) Reliable file transfer (FTP)

COMP 431 Application-Layer Protocols Internet Services & Protocols Outline application application transport Example client/server systems and network their application-level protocols: link physical Application-Layer Protocols

281 views • 13 slides
Using U Unikernels to E o Enhan ance t the Attac ack- Resistance of S of Spire, a Ne a

Using U Unikernels to E o Enhan ance t the Attac ack- Resistance of S of Spire, a Ne a

Using U Unikernels to E o Enhan ance t the Attac ack- Resistance of S of Spire, a Ne a Network work-A -Attac ack-R -Resili lient t Intr In trus usion on-Tole olerant S SCADA f for or th the P Powe ower Gr r Grid Brad

677 views • 30 slides
Energy in motion Investor presentation March 2019 2 2 Spire | Investor Presentation | December

Energy in motion Investor presentation March 2019 2 2 Spire | Investor Presentation | December

Energy in motion Investor presentation March 2019 2 2 Spire | Investor Presentation | December 2018 Spire | Investor presentation March 2019 Forward-looking statements and use of non-GAAP measures This presentation contains

751 views • 34 slides
Communication Chapter 2 Layered Protocols (1) 2-1 Layers, interfaces, and protocols in the OSI

Communication Chapter 2 Layered Protocols (1) 2-1 Layers, interfaces, and protocols in the OSI

Communication Chapter 2 Layered Protocols (1) 2-1 Layers, interfaces, and protocols in the OSI model. 1 Layered Protocols (2) 2-2 A typical message as it appears on the network. Data Link Layer 2-3 Discussion between a receiver and a

577 views • 23 slides
4 Application Layer Protocols Device Management Protocols Application layer protocols offering

4 Application Layer Protocols Device Management Protocols Application layer protocols offering

EPFL, Spring 2017 4 Application Layer Protocols Device Management Protocols Application layer protocols offering remote services for large networks of devices: - Monitoring (health of devices and network, get current state) - Management

1.31k views • 93 slides
for easY Life-cycle Evaluation 1 About STYLE A SPIRE project (international non-profit

for easY Life-cycle Evaluation 1 About STYLE A SPIRE project (international non-profit

Sustainability Toolkit for easY Life-cycle Evaluation 1 About STYLE A SPIRE project (international non-profit association formed to represent the private sector as a partner in the Sustainable Process Industry through Resource and Energy

658 views • 27 slides
Energy in motion Investor presentation December 2018 2 2 Spire | Investor Presentation |

Energy in motion Investor presentation December 2018 2 2 Spire | Investor Presentation |

Energy in motion Investor presentation December 2018 2 2 Spire | Investor Presentation | December 2018 Spire | Investor presentation | December 2018 Forward-looking statements and use of non-GAAP measures This presentation contains

596 views • 34 slides
Is the efficacy of the pediatric-like protocols for ALL superior to the protocols for adult ALL?

Is the efficacy of the pediatric-like protocols for ALL superior to the protocols for adult ALL?

The 1 st World Congress on Controversies in Hematology (COHEM) Rome, September, 2-5, 2010 Session 4. Acute Lymphoblastic Leukemia Is the efficacy of the pediatric-like protocols for ALL superior to the protocols for adult ALL? No No JM

990 views • 44 slides
IN-SPIRE Training Office of Portfolio Analysis Division of Program Coordination, Planning, and

IN-SPIRE Training Office of Portfolio Analysis Division of Program Coordination, Planning, and

IN-SPIRE Training Office of Portfolio Analysis Division of Program Coordination, Planning, and Strategic Initiatives National Institutes of Health Todays Instructors: Patricia Forcinito and Matt Perkins OPA_T#1192_Dec-13-2016 Office of

536 views • 22 slides
Spire Missouri STL Pipeline November 13, 2019 STL Pipeline Supports strategy to modernize

Spire Missouri STL Pipeline November 13, 2019 STL Pipeline Supports strategy to modernize

Spire Missouri STL Pipeline November 13, 2019 STL Pipeline Supports strategy to modernize our 60-mile pipeline gas assets to: with capacity of 400 MMcf/d Achieve more diverse supply portfolio Improve reliability and resiliency

622 views • 11 slides
Security Protocols Q: Why security protocols? Bob Alice A: To allow reliable communication over

Security Protocols Q: Why security protocols? Bob Alice A: To allow reliable communication over

Security Protocols Q: Why security protocols? Bob Alice A: To allow reliable communication over an untrusted channel (eg. Internet) 2 Security Protocols are out there Authentication Confidentiality Example: HTTPS (HTTP + TLS)

669 views • 42 slides
Presented by: Marco A. Gonzalez mgonzalez321@yahoo.com The spire keypad Click Button The

Presented by: Marco A. Gonzalez mgonzalez321@yahoo.com The spire keypad Click Button The

Presented by: Marco A. Gonzalez mgonzalez321@yahoo.com The spire keypad Click Button The Nav Pad Home Escape Tab Menu Control Clear or Key Backspace Shift Key Catalog Ctl + (Eq. Ed) Ctl + (Math Template) This is the home screen

516 views • 16 slides
Evaluating the Productivity of a Evaluating the Productivity of a Multicore Architecture

Evaluating the Productivity of a Evaluating the Productivity of a Multicore Architecture

Evaluating the Productivity of a Evaluating the Productivity of a Multicore Architecture Multicore Architecture Jeremy Kepner and Nadya Bliss MIT Lincoln Laboratory HPEC 2008 This work is sponsored by the Department of Defense under Air Force

343 views • 31 slides
1 Pitfalls of Lock-Based Protocols (Cont.) The Two-Phase Locking Protocol The potential for

1 Pitfalls of Lock-Based Protocols (Cont.) The Two-Phase Locking Protocol The potential for

Concurrency Control Lock-Based Protocols Timestamp-Based Protocols Lecture 9 Concurrency Control Validation-Based Protocols Multiple Granularity Multiversion Schemes Deadlock Handling Chapter 16 Insert and Delete

780 views • 8 slides

More recommend