Intrusion Tolerance: The Killer App for BFT (?) Alysson Bessani, Miguel Correia, Paulo Sousa, Nuno Ferreira Neves, Paulo Veríssimo, Universidade de Lisboa, Faculdade de Ciências (BFT3W'09)
Presentation transcript:

BFT3W'09, slide 1: Intrusion Tolerance: The Killer App for BFT (?)
Alysson Bessani, Miguel Correia, Paulo Sousa, Nuno Ferreira Neves, Paulo Veríssimo
Universidade de Lisboa, Faculdade de Ciências
Workshop on Theory and Practice of BFT

BFT3W'09, slide 2: The Promise of BFT
From the abstract of the Castro & Liskov OSDI'99 paper: "We believe that Byzantine fault-tolerant algorithms will be increasingly important in the future because malicious attacks and software errors are increasingly common and can cause faulty nodes to exhibit arbitrary behavior."

BFT3W'09, slide 3: The Promise of BFT
Our claim:
–BFT can be used to tolerate certain accidental value faults, but there are simpler techniques to do that
–The real appeal of the technique is to tolerate attacks, intrusions and bugs
BFT → Intrusion Tolerance

BFT3W'09, slide 4: Intrusion Tolerance
Coined by Joni Fraga and David Powell, "A Fault- and Intrusion-Tolerant File System", IFIP SEC, 1985.
An intrusion-tolerant system can maintain its security properties (confidentiality, integrity and availability) despite some of its components being compromised.
Appeal: since it is impossible to prove that a system has no vulnerabilities, it is safer to assume that intrusions can happen.

BFT3W'09, slide 5: Intrusion Tolerance
BFT replication protocols are a key mechanism for intrusion-tolerant systems, but there are others:
–Diversity
–Confidentiality schemes
–Fault/intrusion detection
–Recovery and self-healing
Fault independence: fundamental for certain domains
Accountability: fundamental for long-lived systems

BFT3W'09, slide 6: Intrusion Tolerance
The resulting system is very COMPLEX! There comes the InTol dilemma:
–Complex systems tend to have more vulnerabilities and to be more prone to configuration errors
–So an intrusion-tolerant system built to be more secure tends to be less secure…

BFT3W'09, slide 7: Intrusion-Tolerant Firewall
[Figure: incoming traffic enters through a hub and is filtered by CIS replicas, each with a trusted component (T), in front of a controller and a generator (x = dP(V,f)/dt); labelled "Distributed trusted component"]
But it can be done for simple critical systems!

BFT3W'09, slide 8: Intrusion-Tolerant Firewall
The CIS was used in an architecture to protect critical infrastructures (e.g., power systems). This is a good application scenario for BFT/intrusion tolerance.
[Figure: Substation A, Substation B, Substation C]

BFT3W'09, slide 9: The role of trusted components
Trusted components (TTCB, A2M, USIG, TrInc) should be used to simplify BFT protocols.
Example: MinBFT (Veronese et al. 2008) uses the USIG service to implement the minimal non-speculative BFT SMR protocol.
[Figure: comparison of MinBFT, A2M-EA and PBFT on number of replicas, communication steps and trusted component; MinBFT is minimal in all three]
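To show what a USIG-style trusted component buys a protocol like MinBFT, here is an added toy model (not the MinBFT or USIG implementation): a trusted component per replica holds a secret key and a monotonic counter and certifies each message with a unique sequential identifier, and the receiver side checks that a sender can neither reuse a counter value for two different messages nor skip or replay one. Shared-key MACs, the `KEYS` table and the message strings are assumptions of this example.

```python
import hashlib
import hmac

# Constructed example: one trusted component (USIG) per replica, the only
# holder of that replica's key and counter.  Assumed shared keys so that any
# component can verify any other's identifiers.
KEYS = {0: b"key-of-replica-0", 1: b"key-of-replica-1", 2: b"key-of-replica-2"}


def _payload(replica_id, counter, message):
    # What the MAC covers: who, which counter value, which message digest.
    return (replica_id.to_bytes(4, "big") + counter.to_bytes(8, "big")
            + hashlib.sha256(message).digest())


class USIG:
    """Trusted component: counter only moves forward and is never reused."""

    def __init__(self, replica_id):
        self.replica_id, self.counter = replica_id, 0

    def create_ui(self, message):
        self.counter += 1
        tag = hmac.new(KEYS[self.replica_id],
                       _payload(self.replica_id, self.counter, message),
                       hashlib.sha256).digest()
        return (self.replica_id, self.counter, tag)


def verify_ui(ui, message):
    replica_id, counter, tag = ui
    expected = hmac.new(KEYS[replica_id], _payload(replica_id, counter, message),
                        hashlib.sha256).digest()
    return hmac.compare_digest(tag, expected)


class UIChecker:
    """Receiver-side bookkeeping: accept each sender's identifiers strictly in order."""

    def __init__(self):
        self.last = {}

    def accept(self, ui, message):
        replica_id, counter, _ = ui
        if not verify_ui(ui, message):
            return "bad-ui"      # forged counter, or one counter bound to another message
        expected = self.last.get(replica_id, 0) + 1
        if counter < expected:
            return "replay"
        if counter > expected:
            return "gap"         # a message was skipped; the protocol would fetch it
        self.last[replica_id] = counter
        return "ok"
```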

BFT3W'09, slide 10: Concerns for BFT/IT Adoption
–BFT usefulness
–BFT implementations
–BFT abstractions

BFT3W'09, slide 11: BFT Added Value
The key challenge: "How to show that an intrusion-tolerant service is more secure than a non-intrusion-tolerant counterpart?"
The equivalent question: "How to measure the security of a system?"

BFT3W'09, slide 12: BFT Systems
We need at least one stable and robust BFT replication lib!
JBP (Java Byzantine Paxos)
–Under development since 2007 for use on the replication layer of DepSpace
–Peak throughput competitive with PBFT (~22 Kop/s*)
–Key concerns on the current version:
  Modularity is a top priority: scalable communication, total order multicast, Byzantine Paxos consensus and checkpoint
  Avoid optimizations that bring complexity (e.g., authenticators, agreement over message hashes)

BFT3W'09, slide 13: BFT Abstractions
BFT ≠ BFT State Machine Replication

BFT3W'09, slide 14: BFT Abstractions
SMR has its limitations:
–CFT systems are usually based on primary-backup
–Most modern services do not employ a consensus protocol on their critical path
What options?
–High-level abstractions
–Low-level abstractions

BFT3W'09, slide 15: High-level Abstractions: Coordination Services
Crash FT: ZooKeeper (name service + sequencers), Chubby (file system + locks), Sinfonia (registers + mini-transactions)
BFT: DepSpace (policy-enforced augmented tuple space)
[Figure: traditional systems vs. coordination systems]

BFT3W'09, slide 16: High-level Abstractions: Coordination Services
[Figure: processes sharing memory through the servers; one process announces "I'm malicious!"]
Two important questions:
1. What is the synchronization power of the CS objects?
2. What is the role of access control models?

BFT3W'09, slide 17: Low-level Abstractions: Active Quorum Systems
SMR: the service as a replicated deterministic state machine.
AQS: the service as a set of independent objects accessed by different clients.

BFT3W'09, slide 18: Low-level Abstractions: Active Quorum Systems
Operations: read, write, rmw.
–read/write: quorum-based asynchronous protocols for register implementation
–rmw: PBFT with some modifications to deal with concurrent writes

BFT3W'09, slide 19: Low-level Abstractions: Active Quorum Systems
Is it useful? Some services:
–LDAP: main AQS object: LDAP entry; only entry creation and removal require rmw
–Smart block storage: main AQS object: data block; uses rmw to modify single bytes of large blocks
–Tuple space: main AQS object: tuple; only tuple removal uses rmw
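The read/write side of an AQS object from slides 18 and 19, as an added simulation (not the authors' code): a single-writer register over n = 3f+1 servers, where the client waits for a quorum of 2f+1 replies and, because the data is not self-verifying, a read trusts a (timestamp, value) pair only when at least f+1 servers report it, so f Byzantine servers cannot force a forged value. The rmw operation, which the slide assigns to a modified PBFT, is not modelled; the server and client classes and the forged reply are assumptions of this example.

```python
from collections import Counter

# Constructed example of the quorum-based read/write protocol of an AQS register.
# Assumption: n = 3f+1 servers, quorums of 2f+1, one writer that owns the timestamp.


class Server:
    def __init__(self, byzantine=False):
        self.byzantine = byzantine
        self.ts, self.val = 0, None

    def write(self, ts, val):
        # A correct server keeps the newest (ts, val); a Byzantine one may drop it.
        if not self.byzantine and ts > self.ts:
            self.ts, self.val = ts, val
        return "ack"

    def read(self):
        if self.byzantine:
            return (10**9, "forged")   # tries to win the read with a huge timestamp
        return (self.ts, self.val)


class Client:
    def __init__(self, servers, f):
        assert len(servers) == 3 * f + 1, "Byzantine quorums need n = 3f+1"
        self.servers, self.f, self.quorum = servers, f, 2 * f + 1
        self.ts = 0   # single-writer register: the writer owns the timestamp

    def write(self, val):
        self.ts += 1
        acks = [s.write(self.ts, val) for s in self.servers]
        # The first 2f+1 acks form the write quorum; at least f+1 of them are correct.
        return acks[:self.quorum].count("ack") == self.quorum

    def read(self):
        # Simulate "first 2f+1 replies": servers earlier in the list answer first,
        # so listing Byzantine servers first models the worst case.
        replies = [s.read() for s in self.servers][:self.quorum]
        counts = Counter(replies)
        # Only pairs vouched for by f+1 servers can come from a correct server.
        trusted = [pair for pair, c in counts.items() if c >= self.f + 1]
        if not trusted:
            return None   # the real protocol would keep waiting for more replies
        ts, val = max(trusted)   # newest trusted version wins
        return val
```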

BFT3W'09, slide 20: Summary
The promise of BFT: tolerate intrusions
–Can be done for simple services
–Requires other mechanisms
Concerns to be addressed:
–How to show the improved security of BFT/intrusion-tolerant systems?
–Build a stable and robust BFT library
–BFT is not SMR: coordination services, active quorum systems

BFT3W'09, slide 21: Some Related Publications
Bessani et al. The CRUTIAL way of protecting critical infrastructures. IEEE S&P Magazine (Dec 2008)
Sousa et al. Highly Available Intrusion Tolerance through Proactive and Reactive Recovery. IEEE TPDS (to appear)
Veronese et al. Minimal Byzantine Fault Tolerance: Algorithms and Evaluation. FCUL-DI-TR (under submission)
Bessani et al. DepSpace: A Byzantine Fault-Tolerant Coordination Service. EuroSys'08
Bessani et al. Sharing Memory between Byzantine Processes using a Policy-enforced Augmented Tuple Space. IEEE TPDS (Mar 2009)
Bessani et al. An Efficient Byzantine-resilient Tuple Space. IEEE TC (Aug 2009)