Distributed Systems: Risks and how to tackle them

Distributed Systems Risks and how to tackle them

Slides by Peter Thanisch & Jyrki Nummenmaa

Internet Commerce - Distributed Application Example Area
To exemplify the potential risks in safety and credibility of distributed systems, we will discuss an example application area. Internet commerce is a good example area, because it deals with money and there is a lot of interest in application development.

Internet Commerce defined
The use of the global Internet for purchase and sale of goods and services, including service and support after the sale.

Internet Commerce: our focus
- Advertising
- Browsing
- Purchasing
- Billing
- Payments

Electronic Commerce: the old way
[Diagram: Customer, Financial Adviser, Mortgage Lenders, Life Insurers]

Internet Commerce Example: Exhibition Hall
[Diagram: Exhibitor PC Web browser, Brokerage service, Exhibition Hall's Web site (stands), Rental Companies' Web Sites (computers, communications, furniture)]

So what is changing?
- Electronic commerce
  - Fixed set of participating companies
  - Proprietary, special-purpose protocols.
  - Specialist agent drives the dialogue, with special-purpose software
- Internet commerce
  - Transient sets of companies, maybe with brokers.
  - Protocols are Internet standards
  - The customer drives the dialogue from a general-purpose Web browser.

The state of the market
- Projections about the growth of Internet commerce have been wildly optimistic.
- Not many retailers have been making big bucks.
- Market for Internet commerce software is not hugely profitable either.

Internet Commerce
- A person, running a web browser on a desktop computer, electronically purchases a set of goods or services from several vendors at different web sites.
  - This person wants either the complete set of purchases to go through, or none of them.

Technical Problems with Internet Commerce
- Security
- Failure
- Multiple sites
- Protocol problems
- Server product limitations
- Response time

Security

Security: the end user’s view
- Confidentiality: Preventing sniffing on your communication.
- Identification: Verifying that the sender truly is who it is stated to be.
- Authentication: Verifying that the message has not been altered.
- Non-repudiation: Ensuring that the sender cannot deny sending the message.

Confidentiality
[Diagram: Your PC, Your Internet Service Provider, Internet Backbone, Web site of company selling the product you want to buy; a sniffer]

Identification and Authentication
[Diagram: Your PC, Your Internet Service Provider, Internet Backbone, Web site of company selling the product you want to buy; message labels XYZ and ABC]

Security: some solutions
- Confidentiality: Encryption.
- Authentication: Certification.
- Integrity: Digitally signed message digest codes.
- Non-repudiation: Receipts containing a digital signature.
- You can do these through SSL/TLS or using the Java APIs.

Failure

Failures: single computer
- Hardware failure
- Software crash
- User switched off the PC
- Active attack

Failure: Additional Problems for Multiple Sites
- Network failure
  - Or is it just congestion?
  - Or has the remote computer crashed?
  - Or is it just running slowly?
- Message loss?
- Denial-of-service attack?
- Typically, these failures are partial.

Distributed Transaction
- Changes two or more autonomous databases from one consistent state to another consistent state.
- Server Autonomy - any server can unilaterally decide to abort the transaction.
- Changes must be durable: information is preserved despite system failures.
- System failures are typically partial.

Subtle Difference: transaction
- Traditional data processing transaction: set of read and update operations collectively transform the database from one consistent state to another.
- Internet Commerce transaction: set of read and update operations collectively provide the user with his/her required package

Protocol Problems

TIP: Transaction Internet Protocol
- Proposed as an Internet Standard.
  - Backed by Microsoft and Tandem.
- Heterogeneous Transaction Managers can implement TIP to communicate with each other.

‘Conventional’ vs. Internet Transaction Processing
Conventional: OSI TP, LU6.2
One-pipe:
- the application may only use the communications services supported by the transaction protocol.
Internet: ‘Open’: TIP?
Two-pipe?:
- inter-application communication via some other protocol.

TIP Design

TIP: Two-pipe model
[Diagram: Site A and Site B, each with an Application Program, a TIP API and a TIP txn manager; labels: Pipe 1, Pipe 2, TIP commit protocol]

A Browsing Transaction
[Diagram: User’s Web Browser, Server A, Server B, Server C; messages: (1) Initiate txn, (2) txn URL, (3) PUSH txn, (4) txn URL, (5) PULL txn]

Multiple inclusions of a site
[Diagram: sites A, B, C, D; messages: PUSH ‘txn1a’, PUSH ‘txn1c’, PUSH ‘txn1b’, PUSH ‘txn1a’]

TIP vulnerability
- Communication is pairwise point-to-point.
- Vulnerable to single link failures.

The Commit Protocol: Ensuring Atomicity
- Once the pushing and pulling is over, a coordinator must ensure that all sites can complete their work, writing their results into their databases.
- The method used to achieve this is called a Commit Protocol.
- The Commit Protocol must behave sensibly even when there are failures.

Transaction Commit (no failures!)
[Diagram: Coordinator and Participants; labels: VOTE-REQUEST, COMMIT or ABORT votes, Multicast decision]

Two-Phase Commit Blocks
(1) COMMIT sent
(2) C crashes
(3) P1 crashes
(4) P2 is blocked
[Diagram: C, P1, P2; COMMIT message]
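An added example (not from the original slides) that replays the blocking scenario above in Python, taking C to be the coordinator and P1, P2 the participants. It goes beyond the slide by including the textbook cooperative termination step, in which a timed-out participant asks its live peers for the outcome; all class and function names are assumptions made for illustration.

```python
from enum import Enum

class State(Enum):
    INIT = "init"            # has not voted yet
    READY = "ready"          # voted COMMIT, outcome unknown (uncertain)
    COMMITTED = "committed"
    ABORTED = "aborted"

class Participant:
    def __init__(self, name, vote_commit=True):
        self.name, self.vote_commit = name, vote_commit
        self.state, self.up = State.INIT, True

    def on_vote_request(self):
        # Server autonomy: unilateral abort is allowed only up to this vote.
        self.state = State.READY if self.vote_commit else State.ABORTED
        return self.vote_commit

    def on_decision(self, decision):
        if self.up and self.state is State.READY:
            self.state = decision

def terminate(p, coordinator_up, decision, peers):
    """Outcome p can safely reach after a timeout; None means blocked."""
    if p.state is not State.READY:
        return p.state                  # p already knows its own outcome
    if coordinator_up:
        return decision                 # just ask the coordinator again
    for q in peers:
        if not q.up:
            continue
        if q.state in (State.COMMITTED, State.ABORTED):
            return q.state              # a live peer saw the decision
        if q.state is State.INIT:
            return State.ABORTED        # q never voted, so nobody committed
    return None                         # every live peer is uncertain too

def slide_scenario(p1_crashes):
    """Replay the slide: C sends COMMIT to P1 only, then crashes."""
    p1, p2 = Participant("P1"), Participant("P2")
    votes = [p.on_vote_request() for p in (p1, p2)]
    decision = State.COMMITTED if all(votes) else State.ABORTED
    p1.on_decision(decision)            # (1) COMMIT sent, reaches P1
    coordinator_up = False              # (2) C crashes before telling P2
    p1.up = not p1_crashes              # (3) P1 crashes
    return terminate(p2, coordinator_up, decision, [p1])  # (4)

if __name__ == "__main__":
    print(slide_scenario(True), slide_scenario(False))
```

With P1 down, P2 has voted COMMIT and can neither commit nor abort until C or P1 recovers; with P1 still up, P2 learns the outcome from it.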

TIP Security
- Requires Secure-HTTP/SSL/TLS with
  - encryption and
  - end-to-end authentication.
- Operator intervention is needed when the commit protocol fouls up.
  - How will this work on the Internet?

Internet Transaction Security
- Big value transactions will not be conducted in this way.
- Thus any scams will take the form of having a small effect on a large number of transactions. (Salami scams.)

SSL/TLS does NOT solve all of the problems
- TIP with TLS does not ensure non-repudiation.
- Various Denial-of-Service attacks are possible.
- A rogue participant could block progress by refusing to commit.

Denial-of-Service
- PULL-based:
  - A rogue company that knows the transaction ID sends a PULL to a site then closes the connection.
- PUSH-based:
  - Flood a site with PUSHes so that it cannot service legitimate requests.

Broken connection
- If a site loses its connection to its superior, the rogue site sends it a RECONNECT command and tells it the wrong result of the commit.

Repudiation
- General point about how to repudiate:
- The site that wants to repudiate a transaction can always cause itself to crash and then recover, meanwhile losing all information that was in vulnerable storage.

Repudiation
- Interaction of 2PC and authenticated protocol messages: the semantics of the authenticated messages only apply if the txn is committed.

Repudiation
- If a message from A to B is part of a 2PC protocol, then B’s possession of the digital signature proves nothing.
  - A can claim: Yes, that was sent, but the action was rolled back.
  - B must prove that the action was committed.
  - B must also prove that the message was part of that txn.
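An added example (not from the original slides) of the evidence check the slide above calls for: B's signed message from A counts only together with a signed COMMIT record for the same txn. Assumptions: the coordinator signs the outcome, records use a constructed `k=v;k=v` format, and a Lamport one-time signature over SHA-256 stands in for a standard scheme such as Ed25519 or RSA so that the code runs on the standard library alone.

```python
import hashlib, secrets

def H(b):
    return hashlib.sha256(b).digest()

def keygen():
    """Lamport one-time key pair: sign exactly one message per key."""
    sk = [[secrets.token_bytes(32), secrets.token_bytes(32)] for _ in range(256)]
    return sk, [[H(a), H(b)] for a, b in sk]

def msg_bits(msg):
    d = H(msg)
    return [(d[i // 8] >> (i % 8)) & 1 for i in range(256)]

def sign(sk, msg):
    return [sk[i][b] for i, b in enumerate(msg_bits(msg))]

def verify(pk, msg, sig):
    return len(sig) == 256 and all(
        H(s) == pk[i][b] for (i, b), s in zip(enumerate(msg_bits(msg)), sig))

def fields(msg):
    """Parse b'k=v;k=v' into a dict (constructed record format)."""
    return dict(kv.split(b"=", 1) for kv in msg.split(b";"))

def order_is_binding(order, order_sig, pk_a, decision, decision_sig, pk_c):
    """B's evidence holds only if all three checks on the slide pass."""
    if not verify(pk_a, order, order_sig):
        return False                      # A never signed this message
    if decision is None or not verify(pk_c, decision, decision_sig):
        return False                      # no proof of the txn outcome
    o, d = fields(order), fields(decision)
    return d.get(b"outcome") == b"COMMIT" and o.get(b"txn") == d.get(b"txn")

def demo():
    """Constructed evidence: one signed order, four outcome situations."""
    (sk_a, pk_a), keys = keygen(), [keygen() for _ in range(3)]
    order = b"txn=txn1a;action=reserve;item=stand"
    osig = sign(sk_a, order)
    decisions = [b"txn=txn1a;outcome=COMMIT", b"txn=txn1a;outcome=ABORT",
                 b"txn=txn1b;outcome=COMMIT"]
    results = [order_is_binding(order, osig, pk_a, dec, sign(sk_c, dec), pk_c)
               for (sk_c, pk_c), dec in zip(keys, decisions)]
    results.append(order_is_binding(order, osig, pk_a, None, None, None))
    return results
```

Only the first case is binding: A's signature verifies in all four, but a rolled-back txn, a commit record for a different txn, and a missing outcome record each leave A free to repudiate.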

Implications for Internet Commerce
- Existing protocols are inappropriate for the way people expect to be able to do business on the Internet.
- The TIP approach looks promising, but...
- For particular business sectors, a detailed analysis of likely transaction behaviour will be needed.
- Market opportunities for brokerage companies.

Conclusions
- Security: techniques exist, but you have to know when to use them and how
- Failure: Protocols exist, but they have several shortcomings, some more and some less serious
- We did not discuss performance this time, but performance can be strongly related to failure (and perhaps to an extent to security).