Proving the Impossible with Alibi Protocols - Dave Levin - Victoria Lai, Cristian Lumezanu, Neil Spring, Bobby Bhattacharjee, Bo Han
←
→
Page content transcription
If your browser does not render page correctly, please read the page content below
Proving the Impossible
with Alibi Protocols
Dave Levin
Victoria Lai, Cristian Lumezanu, Neil Spring, Bobby Bhattacharjee, Bo Han,
John Douceur, Jacob Lorch, Thomas MoscibrodaUncooperative behavior
Cooperation
Anything and everything for
the good of the network
Selfishness Malice
Gain at the potential Break the system for
expense of others notoriety or profitUncooperative behavior
Cooperation
Routing: ARPANet’s global policy
Selfishness Malice
Routing: BGP Local pref Routing: Prefix hijackingUncooperative behavior
Cooperation
Routing: ARPANet’s global policy
Transport: TCP congestion control
Selfishness Malice
Routing: BGP Local pref Routing: Prefix hijacking
Transport: TCP Opt-Ack Transport: Mitnick attackUncooperative behavior
Cooperation
Routing: ARPANet’s global policy
Transport: TCP congestion control
Selfishness Malice
Routing: BGP Local pref Routing: Prefix hijacking
Transport: TCP Opt-Ack Transport: Mitnick attackCensorship via DNS injection Censoring AS 208.80.152.201 [Anonymous authors, ACM CCR 2012]
Censorship via DNS injection www.wikipedia.org Censoring AS 208.80.152.201 [Anonymous authors, ACM CCR 2012]
Censorship via DNS injection
lemon IP
Censoring AS 208.80.152.201
[Anonymous authors, ACM CCR 2012]Censorship via DNS injection
Censor-free ASes
lemon IP
Censoring AS 208.80.152.201
[Anonymous authors, ACM CCR 2012]Censorship via DNS injection
Censor-free ASes
lemon IP
Censoring AS 208.80.152.201
[Anonymous authors, ACM CCR 2012]Censorship via DNS injection
Censor-free ASes
lemon IP
lemon IP
Censoring AS 208.80.152.201
[Anonymous authors, ACM CCR 2012]Censorship via DNS injection
Censor-free ASes
lemon IP
Censoring AS 208.80.152.201
[Anonymous authors, ACM CCR 2012]Building secure decentralized systems
Make malfeasance • Allow no progress if incorrect
impossible • DNSSEC, Secure BGP, . . .
• Heavyweight
Make malfeasance • Remove the incentive to be incorrect
unprofitable • Assumptions not always aligned
Make malfeasance • Allow incorrect progress
detectable • Prove that nothing bad happened
• Ideally, lighter-weightBuilding secure decentralized systems
Make malfeasance • Allow no progress if incorrect
impossible • DNSSEC, Secure BGP, . . .
• Heavyweight
Make malfeasance • Remove the incentive to be incorrect
unprofitable • Assumptions not always aligned
Make malfeasance • Allow incorrect progress
detectable • Prove that nothing bad happened
• Ideally, lighter-weightBuilding secure decentralized systems
Make malfeasance • Allow no progress if incorrect
impossible • DNSSEC, Secure BGP, . . .
• Heavyweight
Make malfeasance • Remove the incentive to be incorrect
unprofitable • Assumptions not always aligned
Make malfeasance • Allow incorrect progress
detectable • Prove that nothing bad happened
• Ideally, lighter-weightBuilding secure decentralized systems
Make malfeasance • Allow no progress if incorrect
impossible • DNSSEC, Secure BGP, . . .
• Heavyweight
Make malfeasance • Remove the incentive to be incorrect
unprofitable • Assumptions not always aligned
Make malfeasance • Allow incorrect progress
detectable • Prove that nothing bad happened
• Ideally, lighter-weight
But how do you prove something did not happen?One option: Monitor everything
Watch everything that everyone does
Watch those who watch everything that everyone does
Simulate the system based on its inputs and outputs
If it didn’t happen in simulation,
and if the monitoring was done well,
then it probably didn’t happenProving something didn’t happen
Provide a (small) proof that event A happened
If events A and B are mutually exclusive
Then B could not have happenedProving something didn’t happen
Provide a (small) proof that event A happened
If events A and B are mutually exclusive
Then B could not have happened
A serves as an alibiAlibi protocols TrInc: Small, trusted h/w Fighting equivocation with trusted counters NSDI ‘09 Alibi routing Provably avoiding regions of the network Ongoing
Alibi protocols TrInc: Small, trusted h/w Fighting equivocation with trusted counters NSDI ‘09 Alibi routing Provably avoiding regions of the network Ongoing
Trust in distributed systems Selfish Malicious Participants Participants
Trust in distributed systems
Selfish Malicious
Participants Participants
Powerful tool: Equivocation
A participant “equivocates”
by sending conflicting messages to othersEquivocation is versatile and powerful Byz. Generals
Equivocation is versatile and powerful Byz. Generals “Advance” “Retreat”
Equivocation is versatile and powerful
Byz. Generals Voting BitTorrent
“Counted “I have
“Advance” your vote” piece 5”
“Retreat” Tally w/o “I don’t have
’s vote piece 5”
Leader election Digital cash Auctions
Trusted logs Online games
soBGP Version control DHTsEquivocation is versatile and powerful
Byz. Generals
• f malicious users
“Advance” • If completely untrusted,
3f+1 users needed for consensus
[Lamport et al., 1982]
“Retreat”Equivocation is versatile and powerful
Byz. Generals
• f malicious users
“Advance” • If completely untrusted,
3f+1 users needed for consensus
[Lamport et al., 1982]
“Retreat” • If users cannot equivocate, only
2f+1 users are needed
[Chun et al., 2007]Enter Trusted Hardware
Equivocation can be rendered impossible
with trusted hardware
• New design space
• All participants have a
trusted componentEnter Trusted Hardware
Equivocation can be rendered impossible
with trusted hardware
• New design space
• All participants have a
trusted componentEnter Trusted Hardware
Equivocation can be rendered impossible
with trusted hardware
• New design space
• All participants have a
trusted componentEnter Trusted Hardware
Equivocation can be rendered impossible
with trusted hardware
• New design space
• All participants have a
trusted component
• To be practical, the hardware
must be small
• Ubiquity via low cost
• Tamper-resilient
• Easier to verify a small TCBMotivating question What is the minimal abstraction needed to make equivocation impossible?
Motivating question What is the minimal abstraction needed to make equivocation impossible? A counter and a key are enough
TrInc: Trusted Incrementer
1. Monotonically increasing counter
2. Key for signing attestations
34
KTrInc: Trusted Incrementer
1. Monotonically increasing counter
2. Key for signing attestations
Attest(36, data) 34
KTrInc: Trusted Incrementer
1. Monotonically increasing counter
2. Key for signing attestations
Attest(36, data) 34
KTrInc: Trusted Incrementer
1. Monotonically increasing counter
2. Key for signing attestations
Attest(36, data) 34
36
KTrInc: Trusted Incrementer
1. Monotonically increasing counter
2. Key for signing attestations
Attest(36, data) 34
36 < 34, 36, data >K
KTrInc: Trusted Incrementer
1. Monotonically increasing counter
2. Key for signing attestations
Attest(36, data) 34
36 < 34, 36, data >K
K
Alibi: Nothing
was bound to 35TrInc: Trusted Incrementer
1. Monotonically increasing counter
2. Key for signing attestations
Attest(36, data) 34
36 < 34, 36, data >K
K
Alibi: Nothing
was bound to 35
36
KTrInc: Trusted Incrementer
1. Monotonically increasing counter
2. Key for signing attestations
Attest(36, data) 34
36 < 34, 36, data >K
K
Alibi: Nothing
was bound to 35
Attest(36, non) 36
KTrInc: Trusted Incrementer
1. Monotonically increasing counter
2. Key for signing attestations
Attest(36, data) 34
36 < 34, 36, data >K
K
Alibi: Nothing
was bound to 35
Attest(36, non) 36
KTrInc: Trusted Incrementer
1. Monotonically increasing counter
2. Key for signing attestations
Attest(36, data) 34
36 < 34, 36, data >K
K
Alibi: Nothing
was bound to 35
Attest(36, non) 36 < 36, 36, non >K
KTrInc: Trusted Incrementer
1. Monotonically increasing counter
2. Key for signing attestations
Attest(36, data) 34
36 < 34, 36, data >K
K
Alibi: Nothing
was bound to 35
Attest(36, non) 36 < 36, 36, non >K
K
Status attestationWhat can TrInc do? • Trusted append-only logs • Prevent under-reporting in BitTorrent • Reduces communication in PeerReview • BFT with fewer nodes and messages • Ensure fresh data in DHTs • Prevent Sybil attacks
Implementing a trusted log in TrInc
Append(data):
Bind new data to the
end of the log
Lookup(sequence num):
No equivocating on what
is or is not storedImplementing a trusted log in TrInc
Append(data):
Bind new data to the
end of the log
10 Lookup(sequence num):
No equivocating on what
is or is not storedImplementing a trusted log in TrInc
Append(data):
Bind new data to the
end of the log
10 Lookup(sequence num):
No equivocating on what
is or is not stored
< 3,8, >
< 8,9, >
Untrusted storageImplementing a trusted log in TrInc
Append(data):
append Bind new data to the
end of the log
10 Lookup(sequence num):
No equivocating on what
is or is not stored
< 3,8, >
< 8,9, >
Untrusted storageImplementing a trusted log in TrInc
Append(data):
attest(11,, ) Bind new data to the
end of the log
10 Lookup(sequence num):
No equivocating on what
is or is not stored
< 3,8, >
< 8,9, >
Untrusted storageImplementing a trusted log in TrInc
Append(data):
Bind new data to the
end of the log
10 Lookup(sequence num):
No equivocating on what
is or is not stored
< 3,8, >
< 8,9, >
Untrusted storageImplementing a trusted log in TrInc
Append(data):
Bind new data to the
end of the log
10
11 Lookup(sequence num):
No equivocating on what
is or is not stored
< 3,8, >
< 8,9, >
Untrusted storageImplementing a trusted log in TrInc
Append(data):
Bind new data to the
end of the log
10
11 Lookup(sequence num):
No equivocating on what
is or is not stored
< 3,8, >
< 8,9, >
Untrusted storageImplementing a trusted log in TrInc
Append(data):
Bind new data to the
end of the log
10
11 Lookup(sequence num):
No equivocating on what
is or is not stored
< 3,8, >
< 8,9, >
Untrusted storageImplementing a trusted log in TrInc
Append(data):
lookup 10 Bind new data to the
end of the log
10
11 Lookup(sequence num):
No equivocating on what
is or is not stored
< 3,8, >
< 8,9, >
Untrusted storageImplementing a trusted log in TrInc
Append(data):
lookup 10 Bind new data to the
end of the log
10
11 Lookup(sequence num):
No equivocating on what
is or is not stored
< 3,8, >
< 8,9, >
Untrusted storageImplementing a trusted log in TrInc
Append(data):
Bind new data to the
end of the log
10
11 Lookup(sequence num):
No equivocating on what
is or is not stored
< 3,8, >
< 8,9, >
Untrusted storageImplementing a trusted log in TrInc
Append(data):
Bind new data to the
end of the log
10
11 Lookup(sequence num):
No equivocating on what
is or is not stored
< 3,8, >
< 8,9, >
Untrusted storageImplementing a trusted log in TrInc
Append(data):
Bind new data to the
end of the log
10
11 Lookup(sequence num):
No equivocating on what
is or is not stored
< 3,8, >
< 8,9, >
Fast lookups
Few hardware accesses
Untrusted storageTrInc Summary • Equivocation is versatile and powerful • A small amount of trust can secure a large system • TrInc is • Minimal? – A counter and a key • Versatile – Applies to a wide range of systems • Practical – Uses the familiar components (in unfamiliar ways)
Alibi protocols TrInc: Small, trusted h/w Fighting equivocation with trusted counters NSDI ‘09 Alibi routing Provably avoiding regions of the network Ongoing
Alibi protocols TrInc: Small, trusted h/w Fighting equivocation with trusted counters NSDI ‘09 Alibi routing Provably avoiding regions of the network Ongoing
Avoiding censors
Censor-free ASes
lemon IP
Censoring AS 208.80.152.201Avoiding censors
Censor-free ASes
lemon IP
Censoring AS 208.80.152.201Avoiding censors
Censor-free ASes
www.wikipedia.org
but avoid
lemon IP
Censoring AS 208.80.152.201Alibi routing
Alibi routing
Alibi routing Solicit participation from a relay
Alibi routing
A signature proves
the relay forwarded it
Solicit participation from a relayAlibi routing
A signature proves
the relay forwarded it
Solicit participation from a relayAlibi routing
Alibi routing
Alibi routing The triangle inequality mostly holds in the Internet
Alibi routing
The triangle inequality
mostly holds in the Internet
Going through the boycotted region would increase latencyAlibi routing
The farther away the relay,
the greater the latency increase.
The triangle inequality
mostly holds in the Internet
Going through the boycotted region would increase latencyFinding relays
Embed end hosts and
regions into a
coordinate space
Query regions of the
space that are far
from the avoideeFinding relays
Embed end hosts and
regions into a
coordinate space
Query regions of the
space that are far
from the avoideeFinding relays
Embed end hosts and
regions into a
coordinate space
Query regions of the
space that are far
from the avoideeFinding relays
Embed end hosts and
regions into a
coordinate space
Query regions of the
space that are far
from the avoideeFinding relays
Embed end hosts and
regions into a
coordinate space
Query regions of the
space that are far
from the avoideeCan countries avoid one another?
1 NorthAmerica
MiddleEast
Europe
0.8 SouthAmerica
Asia
0.6
CDF
0.4
0.2
0
0 5 10 15 20
Number of reachable destinationsCan countries avoid one another?
1
Ideal NorthAmerica
MiddleEast
Europe
0.8 SouthAmerica
Asia
0.6
CDF
0.4
0.2
0
0 5 10 15 20
Number of reachable destinationsCan countries avoid one another?
1 NorthAmerica
MiddleEast
Europe
0.8 SouthAmerica
Asia
0.6
CDF
0.4
0.2
0
0 5 10 15 20
Number of reachable destinationsCan countries avoid one another?
1 NorthAmerica
MiddleEast
Europe
0.8 SouthAmerica
Asia
0.6
Multiple
CDF
0.4 relays may
be necessary
0.2
0
0 5 10 15 20
Number of reachable destinationsCan countries avoid one another?
1 NorthAmerica
MiddleEast
Europe
0.8 SouthAmerica
Asia
0.6
Multiple
CDF
0.4 relays may
be necessary
0.2
A few tens of
0 milliseconds
0 5 10 15 20
Number of reachable destinations
often suffices
(not shown)Alibi routing is not a panacea • Packets can always be copied • Provides a small but useful signal to systems: • This packet didn’t go somewhere bad • Or else it might have • Systems must decide how to react to that signal • Drop the connection? • Initiate stronger end-to-end protection?
Proving the impossible with alibis • Global systems require interactions among self-interested parties • Alibi protocols prove something untoward did not happen • Without having to prove everything that did • An attractive alternative to traditional accountability systems • Lightweight • Easy to deploy • Easy to incorporate with existing systems
You can also read
