1 Secure Failure Detection in TrustedPals Felix Freiling University of Mannheim San Sebastian Aachen Mannheim Joint Work with: Marjan Ghajar-Azadanlou.

Slides:



Advertisements
Similar presentations
Fault Tolerance. Basic System Concept Basic Definitions Failure: deviation of a system from behaviour described in its specification. Error: part of.
Advertisements

Impossibility of Distributed Consensus with One Faulty Process
CS 542: Topics in Distributed Systems Diganta Goswami.
DISTRIBUTED SYSTEMS II FAULT-TOLERANT BROADCAST Prof Philippas Tsigas Distributed Computing and Systems Research Group.
The weakest failure detector question in distributed computing Petr Kouznetsov Distributed Programming Lab EPFL.
Teaser - Introduction to Distributed Computing
6.852: Distributed Algorithms Spring, 2008 Class 7.
An evaluation of ring-based algorithms for the Eventually Perfect failure detector class Joachim Wieland Mikel Larrea Alberto Lafuente The University of.
Failure detector The story goes back to the FLP’85 impossibility result about consensus in presence of crash failures. If crash can be detected, then consensus.
Computer Science 425 Distributed Systems CS 425 / ECE 428 Consensus
Consensus Hao Li.
1 © P. Kouznetsov On the weakest failure detector for non-blocking atomic commit Rachid Guerraoui Petr Kouznetsov Distributed Programming Laboratory Swiss.
UPV / EHU Efficient Eventual Leader Election in Crash-Recovery Systems Mikel Larrea, Cristian Martín, Iratxe Soraluze University of the Basque Country,
Byzantine Generals Problem: Solution using signed messages.
Failure Detectors. Can we do anything in asynchronous systems? Reliable broadcast –Process j sends a message m to all processes in the system –Requirement:
UPV / EHU Distributed Algorithms for Failure Detection and Consensus in Crash, Crash-Recovery and Omission Environments Mikel Larrea Distributed Systems.
UPV - EHU An Evaluation of Communication-Optimal P Algorithms Mikel Larrea Iratxe Soraluze Roberto Cortiñas Alberto Lafuente Department of Computer Architecture.
Failure Detectors & Consensus. Agenda Unreliable Failure Detectors (CHANDRA TOUEG) Reducibility ◊S≥◊W, ◊W≥◊S Solving Consensus using ◊S (MOSTEFAOUI RAYNAL)
Distributed systems Module 2 -Distributed algorithms Teaching unit 1 – Basic techniques Ernesto Damiani University of Bozen Lesson 3 – Distributed Systems.
 Idit Keidar, Principles of Reliable Distributed Systems, Technion EE, Spring Principles of Reliable Distributed Systems Lecture 7: Failure Detectors.
Asynchronous Consensus (Some Slides borrowed from ppt on Web.(by Ken Birman) )
1 Fault-Tolerant Consensus. 2 Failures in Distributed Systems Link failure: A link fails and remains inactive; the network may get partitioned Crash:
Outline Why distributed computing? Atomic Broadcast The atom system Relevance for e-textiles What’s next? Q&A.
1 Principles of Reliable Distributed Systems Lecture 5: Failure Models, Fault-Tolerant Broadcasts and State-Machine Replication Spring 2005 Dr. Idit Keidar.
UPV / EHU Brief Announcement: An Efficient Failure Detector for Omission Environments R. Cortiñas, I. Soraluze, A. Lafuente, M. Larrea University of the.
1 Principles of Reliable Distributed Systems Recitation 8 ◊S-based Consensus Spring 2009 Alex Shraer.
Distributed systems Module 2 -Distributed algorithms Teaching unit 1 – Basic techniques Ernesto Damiani University of Bozen Lesson 4 – Consensus and reliable.
 Idit Keidar, Principles of Reliable Distributed Systems, Technion EE, Spring Principles of Reliable Distributed Systems Lecture 6: Impossibility.
Aran Bergman, Principles of Reliable Distributed Systems, Technion EE, Spring Principles of Reliable Distributed Systems Recitation 5: Reliable.
 Idit Keidar, Principles of Reliable Distributed Systems, Technion EE, Spring Principles of Reliable Distributed Systems Lecture 12: Impossibility.
1 Failure Detectors: A Perspective Sam Toueg LIX, Ecole Polytechnique Cornell University.
Distributed Algorithms: Agreement Protocols. Problems of Agreement l A set of processes need to agree on a value (decision), after one or more processes.
Distributed Systems Tutorial 4 – Solving Consensus using Chandra-Toueg’s unreliable failure detector: A general Quorum-Based Approach.
On the Cost of Fault-Tolerant Consensus When There are no Faults Idit Keidar & Sergio Rajsbaum Appears in SIGACT News; MIT Tech. Report.
Systems of Distributed systems Module 2 - Distributed algorithms Teaching unit 2 – Properties of distributed algorithms Ernesto Damiani University of Bozen.
 Idit Keidar, Principles of Reliable Distributed Systems, Technion EE, Spring Principles of Reliable Distributed Systems Lecture 7: Failure Detectors.
Efficient Algorithms to Implement Failure Detectors and Solve Consensus in Distributed Systems Mikel Larrea Departamento de Arquitectura y Tecnología de.
1 Principles of Reliable Distributed Systems Recitation 7 Byz. Consensus without Authentication ◊S-based Consensus Spring 2008 Alex Shraer.
Composition Model and its code. bound:=bound+1.
Consensus and Related Problems Béat Hirsbrunner References G. Coulouris, J. Dollimore and T. Kindberg "Distributed Systems: Concepts and Design", Ed. 4,
 Idit Keidar, Principles of Reliable Distributed Systems, Technion EE, Spring Principles of Reliable Distributed Systems Lecture 8: Failure Detectors.
Failure detection and consensus Ludovic Henrio CNRS - projet OASIS Distributed Algorithms.
Consensus and Its Impossibility in Asynchronous Systems.
Review for Exam 2. Topics included Deadlock detection Resource and communication deadlock Graph algorithms: Routing, spanning tree, MST, leader election.
CS4231 Parallel and Distributed Algorithms AY 2006/2007 Semester 2 Lecture 8 Instructor: Haifeng YU.
Approximation of δ-Timeliness Carole Delporte-Gallet, LIAFA UMR 7089, Paris VII Stéphane Devismes, VERIMAG UMR 5104, Grenoble I Hugues Fauconnier, LIAFA.
CS 425/ECE 428/CSE424 Distributed Systems (Fall 2009) Lecture 9 Consensus I Section Klara Nahrstedt.
Distributed systems Consensus Prof R. Guerraoui Distributed Programming Laboratory.
Chap 15. Agreement. Problem Processes need to agree on a single bit No link failures A process can fail by crashing (no malicious behavior) Messages take.
SysRép / 2.5A. SchiperEté The consensus problem.
1 © R. Guerraoui Distributed algorithms Prof R. Guerraoui Assistant Marko Vukolic Exam: Written, Feb 5th Reference: Book - Springer.
Agreement in Distributed Systems n definition of agreement problems n impossibility of consensus with a single crash n solvable problems u consensus with.
1 Fault tolerance in distributed systems n Motivation n robust and stabilizing algorithms n failure models n robust algorithms u decision problems u impossibility.
Failure Detectors n motivation n failure detector properties n failure detector classes u detector reduction u equivalence between classes n consensus.
Fault-Tolerant Broadcast Terminology: broadcast(m) a process broadcasts a message to the others deliver(m) a process delivers a message to itself 1.
Replication predicates for dependent-failure algorithms Flavio Junqueira and Keith Marzullo University of California, San Diego Euro-Par Conference, Lisbon,
Distributed Systems Lecture 9 Leader election 1. Previous lecture Middleware RPC and RMI – Marshalling 2.
Unreliable Failure Detectors for Reliable Distributed Systems Tushar Deepak Chandra Sam Toueg Presentation for EECS454 Lawrence Leinweber.
1 Introduction to Quantum Information Processing CS 467 / CS 667 Phys 467 / Phys 767 C&O 481 / C&O 681 Richard Cleve DC 3524 Course.
Distributed Systems, Consensus and Replicated State Machines
Presented By: Md Amjad Hossain
EEC 688/788 Secure and Dependable Computing
EEC 688/788 Secure and Dependable Computing
Distributed Algorithms for Failure Detection in Crash Environments
EEC 688/788 Secure and Dependable Computing
EEC 688/788 Secure and Dependable Computing
EEC 688/788 Secure and Dependable Computing
EEC 688/788 Secure and Dependable Computing
Failure Detectors motivation failure detector properties
Distributed systems Consensus
Presentation transcript:

1 Secure Failure Detection in TrustedPals Felix Freiling University of Mannheim San Sebastian Aachen Mannheim Joint Work with: Marjan Ghajar-Azadanlou RWTH Aachen University, Germany Lucia Draque Penso University of Mannheim, Germany Roberto Cortiñas, Alberto Lafuente, Mikel Larrea, Iratxe Soraluze University of the Basque Country, San Sebastian, Spain

2 Secure Multiparty Computation (SMC) ● Set of parties with inputs ● Jointly want to compute a function and receive the result ● Input must remain as secret as possible x1x1 x2x2 x3x3 x4x4 x5x5 F(x 1,..., x n ) ● Lots of applications (fair exchange of digital items, e-voting) ● Easy if you have Trusted Third Party (TTP) ● Can be done without TTP using heavy crypto and many messages

3 Distributed TTP? ● Practical example: Mobile phones with SIM Cards – Mobile phone: multi purpose computing device ● Owner can install applications – SIM Card: special purpose computing device ● Certified and tamper proof, only operator can install ● "I trust your SIM Card but not your mobile phone" ● Can all SIM Cards together simulate a TTP? me you

4 TrustedPals ● Smartcard-based implementation of SMC ● Reduces SMC to Consensus Z. Benenson, M. Fort, F. Freiling, D. Kesdogan, L. Draque Penso: TrustedPals: Secure Multiparty Computation Implemented with Smart Cards. ESORICS security module untrusted host security module untrusted host Byzantine general omission untrusted system trusted subsystem host 3 host 2 host 1 sec. mod. 1 sec. mod. 2 sec. mod. 3 security module Assumes a synchronous setting... information barrier

5 Question and Outline ● Can we redesign TrustedPals so that it works in a system with weaker synchrony assumptions? ● We follow the failure detector approach: – Delegate synchrony assumptions into a module called failure detector – Implement "asynchronous" consensus algorithm – Implement failure detector under weaker synchrony assumptions – Integrate failure detection and consensus into TrustedPals so that security properties are maintained see also: C. Delporte- Gallet, H. Fauconnier, F. C. Freiling: Revisiting failure detection and consensus in omission failure environments. ICTAC 2005 Asynchronous General Omission Consensus Algorithm General Omission Failure Detector Eventually synchronous system model

6 Trusted System ● System Model: – Reliable channels – Eventual synchrony (à la Dwork, Lynch, Stockmeyer) ● Failure model: General omission – Process crashes – Send and receive omissions of messages ● Correct process = a process which does not fail ● Faulty process = not correct process ● Assume a majority of correct processes ● Difficulty: Omissive processes are hard to determine – p sends message m to q but message doesn't arrive – Did p send omit or q receive omit m? general omission trusted subsystem sec. mod. 1 sec. mod. 2 sec. mod. 3

7 Classes of Processes ● A process p is in-connected iff – p is correct or – p does not crash and there exists a process q such that q is in- connected and all messages sent by q to p are eventually received timely by p (i.e. no omissions from q to p) ● A process p is out-connected iff – p is correct or – p does not crash and there exists a process q such that q is out- connected and all messages sent by p to q are eventually received timely by q (i.e. no omissions from p to q) ● Intuition: – In-connected processes are able to receive information from correct processes – Out-connected processes are able to send information to correct processes ● Note that correct processes are both in- and out-connected.

8 Examples ● a  b means "unomissive eventual timely message flows" from a to b (not a communication channel) ● Examples: – q is out-connected, p is also out-connected – r and v are in-connected and also out-connected, but not correct – s is in-connected – u is neither in- nor out-connected

9  P Failure Detector ● Class of eventually perfect failure detectors  P satisfies: – Strong Completeness: Eventually every process that is not out- connected will be permanently considered as not out-connected by every in-connected process. – Eventual Strong Accuracy: Eventual Strong Accuracy. Eventually every process that is out-connected will be permanently considered as out-connected by every in-connected process. – In-connectivity: Eventually every process that is in-connected will permanently consider itself as in-connected. ● Intuition: Eventually suspect all processes from which I am not able to receive information – Only necessary for in-connected processes ● Implemented using heartbeats, sequence numbers, connectivity matrices (see paper)

10  P-based Consensus ● Termination: Every in-connected process eventually decides some value. ● Integrity: Every process decides at most once. ● Uniform agreement: No two processes decide differently. ● Validity: If a process decides v, then v was proposed by some process. ● Algorithm similar to classic Chandra-Toueg algorithm (see paper) ● Difficulties: – Need a relaying mechanism since omissions make simple "all- to-all" communication impossible – Only in-connected processes volunteer as coordinators

11 Integration in TrustedPals ● Adversary has full control over messages at faulty processes ● Adversary can fool a naive implementation as follows: – Omit only consensus protocol messages and not failure detector messages – Result: protocol blocks ● Attack is possible even if all messages are encrypted (traffic analysis) Asynchronous General Omission Consensus Algorithm General Omission Failure Detector Eventually synchronous system model with adversary Asynchronous General Omission Consensus Algorithm General Omission Failure Detector

12 Secure Integration ● Use a scrambler to obfuscate traffic – Pad messages to fixed size – Encrypt and authenticate every message ● Use failure detector messages as transport mechanism for (fragmented) consensus messages ● Security analysis technique: Attack trees (similar to fault-tree analysis) Scrambler in action... Module architecture on smartcard

13 Conclusions ● We made TrustedPals work in partially synchronous systems with correct majority ● Open questions: – Is correct majority necessary? Or only connected majority? – Are smartcard-based systems really partially synchronous? ● In practice the owner of the smartcard can slow down clock arbitrarily (clock attack) ● Or he can buffer messages arbitrarily ● Conjecture: Problem is impossible in the presence of such attacks ● How can they still be solved?