Towards Scalable and Robust Distributed Systems
Christian Scheideler
Institut für Informatik
Technische Universität München
Basic Goals
Correctness, Efficiency, Robustness ??
Development of Computer
Correctness, Efficiency, Robustness
Four Commandments of Distributed Systems
1. You shall not sleep.
2. You shall not lie.
3. You shall not steal.
4. You shall not kill.
Not enforceable in open distributed systems!
Countermeasures:
1. Algorithmic solution as long as majority awake.
2. Cryptography, error-correcting codes, verifiable secret sharing, ...
3. Serious problem! (viruses, phishing, DRM, ...)
4. Serious problem! (DoS attacks)
Fundamental Dilemma
• Efficiency: minimize resources needed for operations
• Robustness: maximize resources needed for attacks
Scalable systems are easy to attack!!
Options
1. Restriction to „legal“ attacks:
   – join-leave attacks
   – insert-lookup attacks
2. New paradigm
Join-Leave Attacks
• Peer-to-peer systems have attracted a lot of attention in recent years
• In open peer-to-peer systems peers may frequently join and leave
Join-Leave Model
• n honest peers
• n adversarial peers, <1
Operations:
• Join(v): peer v joins the system
• Leave(v): peer v leaves the system
Goal: maintain scalability and robustness for any sequence of polynomially many adversarial rejoin (leave+join) requests
More specific goal
• n honest peers, n adversarial peers
• every peer has point in [0,1)
For any interval I ⊆ [0,1) of size (c log n)/n:
• Balancing condition: (log n) peers in I
• Majority condition: honest peers in majority
How to satisfy conditions?
Chord: uses cryptographic hash function to map peers to points in [0,1)
• randomly distributes honest peers
• does not randomly distribute adversarial peers
How to satisfy conditions?
CAN: map peers to random points in [0,1)
How to satisfy conditions?
Group spreading [AS04]:
• Map peers to random points in [0,1)
• Limit lifetime of peers
Too expensive!
How to satisfy conditions?
• Rule that works: k-cuckoo rule [AS06a]
[Figure: joining peer evicts its k/n-region; n honest, n adversarial; < 1-1/k]
Rejoin: leave and join via k-cuckoo rule
Limitation of k-cuckoo rule
• Only works for any sequence of rejoin requests of adversarial peers.
• Does not work for any sequence of rejoin requests.
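A small simulation of the k-cuckoo rule under adversarial rejoins, the case the rule is stated to handle; this is an added example, not code from the talk or from [AS06a]. The greedy adversary strategy (rejoin the adversarial peer in the region with the fewest adversarial peers), the aligned-interval checker and the parameter choices (n=1000, 20% adversarial, k=2, c=4) are my own assumptions.

```python
import math
import random
from collections import Counter

def region_of(x, n, k):
    """Index of the k/n-region (interval of length k/n) that contains x in [0,1)."""
    return int(x * n / k)

def cuckoo_join(peers, v, n, k, rng):
    """k-cuckoo rule: v picks a random point x, every peer already in x's k/n-region
    is evicted to a fresh random point (no cascade), and v is placed at x."""
    x = rng.random()
    r = region_of(x, n, k)
    for u in [u for u, p in peers.items() if region_of(p, n, k) == r]:
        peers[u] = rng.random()
    peers[v] = x

def check_windows(peers, honest, n, c):
    """Over aligned intervals of size w=(c log n)/n (trailing sliver < w ignored),
    return (min total, max total, min honest fraction)."""
    w = c * math.log(n) / n
    m = int(1 / w)
    total, hon = [0] * m, [0] * m
    for u, p in peers.items():
        i = int(p / w)
        if i < m:
            total[i] += 1
            hon[i] += u in honest
    return min(total), max(total), min(h / t for h, t in zip(hon, total) if t)

def run_experiment(n=1000, eps=0.2, k=2, c=4, rounds=3000, seed=1):
    """n honest and eps*n adversarial peers; the adversary issues `rounds` rejoins."""
    rng, peers = random.Random(seed), {}
    honest = [f"h{i}" for i in range(n)]
    adversarial = [f"a{i}" for i in range(int(eps * n))]
    for v in honest + adversarial:          # initial joins, all via the cuckoo rule
        cuckoo_join(peers, v, n, k, rng)
    for _ in range(rounds):
        # Constructed adversary (an assumption, not from the talk): rejoin the adversarial
        # peer whose region holds the fewest adversarial peers, keeping clusters intact.
        reg = {a: region_of(peers[a], n, k) for a in adversarial}
        load = Counter(reg.values())
        v = min(adversarial, key=lambda a: load[reg[a]])
        del peers[v]                        # Leave(v) ...
        cuckoo_join(peers, v, n, k, rng)    # ... then Join(v) under the k-cuckoo rule
    lo, hi, frac = check_windows(peers, set(honest), n, c)
    return {"num_peers": len(peers), "min_peers": lo, "max_peers": hi, "min_honest_fraction": frac}

if __name__ == "__main__":
    print(run_experiment())   # balancing and majority conditions should both hold
```

The returned minimum honest fraction staying above 1/2 is the majority condition; the min/max peer counts per interval staying within a constant factor is the balancing condition.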
k-flip&cuckoo rule [AS07]
• Join: as before (k-cuckoo rule)
• Leave: pick a random k/n-region among the c log n neighboring k/n-regions, empty it, and flip it with a random k/n-region
[Figure: n honest, n adversarial; flip]
DoS-attacks???
• Attacks oblivious to random bits: OK
• Attacks adaptive to random bits:
Insert-lookup attacks
• Mehlhorn & Vishkin 84: any step of a CRCW PRAM can be simulated on a distributed memory system in O(log² n) time (n: number of processors).
• Needs O(log n) hash functions with certain expansion properties.
• Uses combining and filtering.
DoS attacks???
• Oblivious DoS attacks: random peer distribution
• Adaptive DoS attacks:
• Past insider DoS attacks? Adversary knows everything until time t
Past insider DoS attack
Dilemma:
• Explicit data structure: can only make polylog updates to be scalable, so easy to attack
• Fixed hash function: insert and lookup cheap, but easy to attack
• Random placement: difficult to attack, but insert and lookup expensive
Combine fixed hashing with random placement!!
What about arbitrary DoS attacks???
The problem is not openness.
The problem is exposure.
Some Facts
• More than 90% of emails are spam
• Thousands of software bugs per year
• ~3 days until a virus is developed for a bug, but 31 days until a patch is available
• ~8000 denial-of-service attacks per day
• >150.000 phishing attacks per year
Can exposure be prevented without losing openness???
Laws of Robustness
Owner consent and control
Principle of least authority
Not just for computers
[EU Recommendation on privacy of medical data1997, U.S. OCR HIPAA act]
• Owner consent and control: patients should have full control over their medical data.
• Principle of least authority: access should only be given to information necessary for the diagnosis and treatment.
Demands
Principle of least authority:
• Not more knowledge than necessary.
• Not more rights than necessary.
Owner consent and control:
• Universality: freedom of choice
• Simplicity: consequences transparent
New Paradigm
• Subjects
• Objects
• Relay points
Subjects and Objects
Subjects: atomic, anonymous, active, static, only reachable via relay points
Objects: atomic, anonymous, passive, dynamic data, cannot be copied, info only accessible via keys
Consent and control, least authority?
Relay points: fixed identity, fixed outgoing connection, incoming connections controlled by owner
Descendants
Resource control
[Figure: mother and child]
Consent and control, least authority?
[Figure: communication; creation of new child]
First contact
[Figure: relay point R]
Public identity (TAN)
• Subjects have no identity
• Relay points have fixed identities (that are not accessible by applications)
• Outgoing connections cannot be changed
[Figure: A, B, relay point R]
Consent and control, least authority?
Introduction
[Figure: B>A, A B, CA>B]
Consent and control, least authority?
[Figure: R>B, R]
Realization
[Figure: Internet, ISP, relay points]
Current State
• Simulation environment available (see www14.in.tum.de/personen/scheideler)
• Used in lectures
• Talks to set up DFG project and realize paradigm as operating system kernel
Questions?