From Byzantine-Tolerant to Intrusion-Safe Services Christian Cachin IBM Zurich Research Laboratory & LPD, EPFL With Idit Keidar and Alexander Shraer 22 September 2009
Overview ● BFT services – Are f < n/3 faults realistic? ● Intrusion-tolerant services – Provide graceful degradation ● Strong guarantee for f < n/3 ● Weak guarantee for n/3 ≤ f ≤ n
Byzantine Fault Tolerance ● n servers S1 ... Sn S1 S2 ● f < n/3 server faults ... ● Replicated state Sn Si ● Atomic broadcast ● Service tolerates f ... faulty servers
An appropriate deployment?
Independence "Many academics will confess to have made the assumption that failures of components are not correlated. This absolutely unrealistic assumption will come back to haunt you in real life (...)." Werner Vogels, CTO Amazon.com, "Life is not a State-Machine", 2006.
A better deployment
Independence against attacks ● Randomize the address space ● Use multiple administrators & trust domains ● Distribute geographically ● Run different operating systems ● Vary physical machines ● Refresh state periodically
Generalized adversaries ● Design protocols for non-threshold adversaries (with linear secret sharing) [C01] ● Ex. n=16 servers, vary by location and by OS – Tolerates corruption of one location and one OS Linux Sola- Linux Sola- ris ris Linux Sola- ris IBM MS IBM MS AIX Win AIX Win Linux Sola- IBM MS ris AIX Win Paris Madrid IBM MS AIX Win London Tolerates up to 7 faults Zurich (instead of only 5 = f < n/3)
Beyond n/3 faulty replicas? ● Asynchronous Byz. consensus: f < n/3 faults ● If assumption violated, then state-of-the-art BFT systems guarantee no consistency! ● Truly dependable systems offer graceful degradation to weaker notions.
Intrusion-safe services Application Any service Fail-awareness Eventual consistency Untrusted service Weak fork-linearizability protocol BFT replication Linearizability if f < n/3 ● System with n replicas – BFT replication – Untrusted service emulation (no client-client comm.) – Fail-aware untrusted service (with client interaction)
Benefits of intrusion-safety (1) Consistency (lin=linearizability, wfl=weak fork-lin.) Liveness (y=yes, n=no) BFT Untrusted service lin lin wfl y y n n f f n/3 2n/3 n n/3 2n/3 n Fail-aware service
Benefits of intrusion-safety (2) Consistency (lin=linearizability, f*=fork* linearizability, wfl=weak fork-lin.) Liveness (y=yes, n=no) BFT2F [LM07] Untrusted service lin lin f* wfl y y n n f f n/3 2n/3 n n/3 2n/3 n Fail-aware service
Model of untrusted service ● Clients: C 1 ... C m – Correct, but may crash Client – Invoke operations on server – Talk to each other occasionally Client – Small trusted memory ● Server S – Normally correct Client – Sometimes faulty (untrusted, Byzantine)
Using an [untrusted] service ● Clients interact with service through opera- tions (request/reply) ● Clients may sign with digital signatures → Server cannot forge values → But answer with outdated value ("replay attack") → But send different values to different clients ● First addressed by SUNDR storage system [MS02, LKMS04]
Ex. storage service C 1 C 3 C1 write(1,x) write(1,u) write(1,t) C 1 write(2,v) read(1) → x write(2,w) C 2 read(2) → v read(1) → u C 3
[Weak] Fork-linearizability ● Fork-linearizability restricts an untrusted server and guarantees "forking" linearizable client views ● Protocols to impose fork-linearizability – Untrusted storage [MS02] – Efficient untrusted storage [CSS07] ● Fork-linearizability contradicts wait-free client operations [CSS07] → Notion of weak fork-linearizability (w.f.l.) [CKS09] → W.f.l. untrusted storage protocol [CKS09] → W.f.l. untrusted service [unpublished]
Fork-linearizability C1 write(1,x) write(1,u) write(1,t) C 1 write(2,v) read(1) → x write(2,w) C 2 read(1) → u read(2) → v C 3 View of C 1 w(1,t) w(1,u) r(2) → v View of C 3 r(1) → u w(1,x) w(2,v) View of C 2 r(1) → x w(2,w)
Conclusion ● Diversity is important for BFT ● Beyond BFT, we need graceful degradation – BFT2F for f < 2n/3 – Novel modular intrusion-safe service protocol achieves for f ≤ n
References C. Cachin, a. shelat, A. Shraer. Efficient fork-linearizable ● access to untrusted shared memory. PODC 2007. C. Cachin, M. Geisler. Integrity Protection for Revision ● Control. ACNS 2009. C. Cachin, I. Keidar, A. Shraer. Fail-aware untrusted storage. ● DSN 2009. C. Cachin, I. Keidar, A. Shraer. Fork sequential consistency ● is blocking. Information Processing Letters, vol. 109, 2009. C. Cachin, I. Keidar, A. Shraer. Fail-aware untrusted ● services. In progress.
Recommend
More recommend
