Mechanism Design and Computer Security

Mechanism Design and Computer Security. John Mitchell, Vanessa Teague. Stanford University.


Transcript of Mechanism Design and Computer Security

Page 1: Mechanism Design and Computer Security

Mechanism Design and Computer Security

John Mitchell Vanessa Teague

Stanford University

Page 2: Mechanism Design and Computer Security

The Internet

Three kinds of behavior: Blind obedience, rational self-interest, malicious disruption

Page 3: Mechanism Design and Computer Security

Outline for this workshop talk

Some network problems
• Congestion control, interdomain routing

Algorithmic mechanism design
• Pricing function provides incentives

Distributed mechanisms and security
• Distributed implementation by rational agents
• Prevent malicious acts by rational agents
• Open problem: irrational malicious agents

Warning: bait and switch

Page 4: Mechanism Design and Computer Security

TCP/IP Transmission

TCP guarantees packet delivery
• Source packets have sequence number
• Destination acknowledges
• If packet lost, source resends

[Diagram: Source sending to Destination]

Page 5: Mechanism Design and Computer Security

TCP Congestion Control

If packets are lost, assume congestion
• Reduce transmission rate by half, repeat
• If loss stops, increase rate very slowly

Design assumes routers blindly obey this policy

[Diagram: Source sending to Destination]

Page 6: Mechanism Design and Computer Security

Competition

Amiable Alice yields to boisterous Bob
• Alice and Bob both experience packet loss
• Alice backs off
• Bob disobeys protocol, gets better results

[Diagram: Source A and Source B sharing a path to their Destinations]

Page 7: Mechanism Design and Computer Security

What’s the point?

TCP/IP assumes honesty
• If everyone follows protocol, transmission rates adapt to load

Incentive for dishonesty
• Dishonest TCP works better, as long as others follow standard TCP backoff

Security risks
• Vulnerable to denial of service, IP spoofing, etc.

Page 8: Mechanism Design and Computer Security

Goal : More robust networking

Introduce economic incentives
• Routers administered autonomously

Reward good behavior
• Prevent tragedy of the commons

Include security measures
• Economics => adaptive behavior
  – Better load balancing to increase welfare
• Accounting => increased instrumentation
  – Detect, quarantine malicious behavior

Page 9: Mechanism Design and Computer Security

Interdomain Routing

Autonomous System: connected group of one or more Internet Protocol prefixes under a single routing policy (aka domain)

[Diagram: autonomous systems earthlink.net and Stanford.edu; labels: Interior Gateway Protocol, Exterior Gateway Protocol]

Page 10: Mechanism Design and Computer Security

Transit and Peering

Transit: ISP sells access

Peering: reciprocal connectivity

BGP protocol: routing announcements for both

[Diagram: ISPs connected by two Peering links and one Transit link]

Page 11: Mechanism Design and Computer Security

BGP overview

Iterative path announcement
• Path announcements grow from destination to source
• Subject to policy (transit, peering)
• Packets flow in reverse direction

Protocol specification
• Announcements can be shortest path
• Nodes allowed to use other policies
  – E.g., “cold-potato routing” by smaller peer
• Not obligated to use path you announce

Page 12: Mechanism Design and Computer Security

BGP example [D. Wetherall]

Transit: 2 provides transit for 7
• 7 reaches and is reached via 2

Peering: 4 and 5 peer
• Exchange customer traffic

[Diagram: ASes numbered 1 to 8 with the path announcements each receives, including 2 7, 3 2 7, 6 2 7, 2 6 5, 3 2 6 5, 7 2 6 5, 6 5, 3 4, 2 3 4, 6 2 3 4, 7 2 3 4]

Page 13: Mechanism Design and Computer Security

Issues

BGP convergence problems
• Protocol allows policy flexibility
• Some legal policies prevent convergence
• Even shortest-path policy converges slowly

Incentive for dishonesty
• ISP pays for some routes, others free

Security problems
• Potential for disruptive attacks

Page 14: Mechanism Design and Computer Security

Evidence: Asymmetric Routes

[Diagram: Alice and Bob, with different paths in each direction]

Alice and Bob use the cheapest routes to each other. These are not always shortest paths. Asymmetric routes are prevalent
• AS asymmetry in 30% of measured routes
• Finer-grained asymmetry far more prevalent

Page 15: Mechanism Design and Computer Security

Mechanism Design

Charge for goods
• Assume agents have rational self-interest
• Provide incentives via pricing function

Traditional use
• Maximize social welfare
• Make honesty the best policy (revelation principle)

Network applications
• Maximize throughput, resilience to attack
• Fake money as good as real money

Page 16: Mechanism Design and Computer Security

Grand Plan

[Diagram: problems (multicast distribution, inter-domain routing, congestion control) against steps (pricing function, distributed mechanism, rational agents, irrational agents), leading to Goal]

Page 17: Mechanism Design and Computer Security

Multicast cost sharing

[Diagram: nodes joined by links]

• Distribute some good
• Each node has some utility for the good
• Each link has some cost
• Which nodes get the transmission?

Page 18: Mechanism Design and Computer Security

Multicast solutions

Centralized scheme [FPS]
• Pricing algorithm that elicits true utility

Controlled distributed scheme [FPS]
• Works for tamper-resistant nodes
• Problems if nodes are dishonest

Autonomous distributed scheme
• Use signatures to verify data
• Verifying node must not share incentive to cheat

Page 19: Mechanism Design and Computer Security

Traditional Goals

• Efficient
  – Maximize overall welfare
  – Welfare = total utility of agents that get the good – total network costs for links used

• Strategyproof
  – Agent cannot gain by lying about its utility

May not maximize profit for sender

Page 20: Mechanism Design and Computer Security

FPS Network Assumptions

Nodes and agents
• Each node has trusted router
• Router connected to untrusted agents

Transmission costs
• Link cost known to the two nodes at each end

Simplification: will assume one agent per node

Page 21: Mechanism Design and Computer Security

Centralized Scheme

Data collection
• Agent reports utility to central authority

Computation
• Compute welfare of each subtree

Routing decision
• Transmit good to subtree if welfare ≥ 0

Page 22: Mechanism Design and Computer Security

Welfare of Subtree

Welfare of a subtree T_i with cost c_i

• W_i = u_i – c_i if node i is a leaf

• W_i = u_i – c_i + Σ_{k child of i} max(W_k, 0) otherwise

Welfare is aggregate benefit minus cost

Page 23: Mechanism Design and Computer Security

Example: Maximum welfare

[Diagram: tree with a root (utility 3, cost 2), two children (utility 2, cost 4) and (utility 1, cost 3), and a grandchild (utility 7, cost 1) below the second child]
Welfare 2-4 = -2
Welfare 7-1 = 6
Welfare 1-3 +6 = 4
Welfare 3-2 +0+4 = 5

If welfare is secret, how do we determine outcome?

Page 24: Mechanism Design and Computer Security

How much should a node pay?

Announced utility?
• Agent may gain by lying

[Diagram: leaf with utility 5 on a link of cost 2]
Leaf will announce utility 2 since this is enough to get the good
• Similar incentive for internal nodes

Page 25: Mechanism Design and Computer Security

FPS Pricing Mechanism

If agent does not receive the good
• Agent pays nothing

If agent receives the good
• Agent pays: the minimum bid needed to get the transmission, given the other players’ bids

This is a VCG mechanism

Page 26: Mechanism Design and Computer Security

Example price calculations

[Diagram: same tree as the maximum-welfare example (utilities 3, 2, 1, 7; costs 2, 4, 3, 1); labels: Agent pays 0, Agent pays 3]
Welfare 2-4 = -2
Welfare 7-1 = 6
Welfare 1-3 +6 = 4
Welfare 3-2 +0+4 = 3

Page 27: Mechanism Design and Computer Security

Strategyproof and Efficient

Efficient (max welfare) by construction
• Add omitted subtree -> decrease welfare
• Remove routed subtree -> decrease welfare
This argument assumes agents tell truth

Agent can bid true utility
• Payment is independent of bid, given outcome
• Bid more than utility
  – doesn’t help, or pay too much
• Bid less than utility
  – doesn’t help, or don’t get the transmission

Page 28: Mechanism Design and Computer Security

Tell truth if you buy the good

[Plot: utility against bid; markers "true u" and "min bid to get transmission"; regions "Don’t get transmission" and "Get transmission"; annotation "Don’t get good you want"]

Page 29: Mechanism Design and Computer Security

Tell truth if you don’t buy good

[Plot: utility against bid; markers "true u" and "min bid to get transmission"; regions "Don’t get transmission" and "Get transmission"; annotation "Pay more than u"]

Page 30: Mechanism Design and Computer Security

Profit for content distributor?

What’s the worst-case return?
• Marginal-cost pricing does not guarantee profit
• May lose money, fail to capture utility

[Diagram: root (utility 0, cost 100) with two children (utility 100, cost 0 each); every agent pays 0]
Welfare 100-0 = 100
Welfare 100-0 = 100
Welfare 0-100 +100+100 = 100

Page 31: Mechanism Design and Computer Security

Distributed implementation

[Diagram: same tree as the maximum-welfare example (utilities 3, 2, 1, 7; costs 2, 4, 3, 1); labels: Wmin = 5, Wmin = 5, Wmin = 4, “No transmission” on the pruned subtree]
Welfare 2-4 = -2
Welfare 7-1 = 6
Welfare 1-3 + 6 = 4
Welfare 3 - 2 + 4 = 5

1) Send welfare up tree
2) Send min welfare Wmin down tree
3) Compute payment = utility - Wmin
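As an added example (not the authors' code), the three steps above together with the welfare formula from page 22, run on the tree used in the slides' examples. It takes Wmin at a node to be the value received from its parent, lets the source hand the root its own welfare, and clamps the payment utility – min(Wmin, W) at zero; those three readings of the slides are mine.

```python
from dataclasses import dataclass, field
from typing import List, Optional

@dataclass
class Node:
    name: str
    utility: int                 # the agent's reported utility u_i for the good
    cost: int                    # cost c_i of the link from the parent into node i
    children: List["Node"] = field(default_factory=list)
    W: int = 0                   # welfare of the subtree rooted at i
    Wmin: Optional[int] = None   # Wmin received from the parent; None = no transmission
    payment: int = 0

def send_welfare_up(n: Node) -> int:
    """Step 1: W_i = u_i - c_i + sum over children k of max(W_k, 0)."""
    n.W = n.utility - n.cost + sum(max(send_welfare_up(k), 0) for k in n.children)
    return n.W

def send_wmin_down(n: Node, wmin_in: int) -> None:
    """Steps 2 and 3: record the Wmin received, pay utility - min(Wmin, W_i)
    clamped at zero, and pass min(Wmin, W_i) on to the children."""
    if n.W < 0:                    # subtree pruned: no transmission, nothing to pay
        return
    n.Wmin = wmin_in
    n.payment = max(0, n.utility - min(wmin_in, n.W))
    for k in n.children:
        send_wmin_down(k, min(wmin_in, n.W))

def run_mechanism(root: Node) -> dict:
    """Returns {name: (W, Wmin received, payment)} for every node."""
    send_welfare_up(root)
    send_wmin_down(root, root.W)   # assumption: the source passes the root its own W
    result = {}
    def walk(n: Node) -> None:
        result[n.name] = (n.W, n.Wmin, n.payment)
        for k in n.children:
            walk(k)
    walk(root)
    return result

def slide_tree() -> Node:
    """The slides' tree: root u=3,c=2; children u=2,c=4 and u=1,c=3; grandchild u=7,c=1."""
    return Node("a", 3, 2, [Node("b", 2, 4), Node("c", 1, 3, [Node("d", 7, 1)])])

if __name__ == "__main__":
    for name, (w, wmin, pay) in run_mechanism(slide_tree()).items():
        print(f"{name}: W={w} Wmin={wmin} pays={pay}")
```

The same functions reproduce the two-node "truth" case on page 33 (parent pays 1, child pays 6) and the truthful computation on page 35 (agent 1 pays 2, each child pays 1).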

Page 32: Mechanism Design and Computer Security

Autonomous distributed model

Agents control nodes
• They can use different utilities for different messages
• An agent with children can lie about the children’s utilities
• There is nothing to force an agent to pay the correct amount

Page 33: Mechanism Design and Computer Security

Node can cheat its children

The truth
[Diagram: source above a parent node (utility 2, cost 3) with one child (utility 7, cost 5); labels: Welfare 7-5 = 2, Welfare 2-3+2 = 1, Wmin = 1 at the parent, Wmin = 1 at the child]
Parent pays 1, child pays 6

The cheat
[Diagram: same tree; labels: Welfare 2, Welfare 2-3+2 = 1, Wmin = 1 at the parent, Wmin = 0 sent to the child]
Parent pays 0, child pays 7
Child can’t see that parent doesn’t pay

Page 34: Mechanism Design and Computer Security

More ways to cheat

• Second example
  – Node can cheat but all messages look consistent

• Conclusion
  – Need to use payment and messages to detect cheating

Page 35: Mechanism Design and Computer Security

Second Example

Truthful computation
[Diagram: source above agent 1 (utility 2, cost 2) with children agents 3 and 2 (utility 1, cost 1 each); labels: Welfare 1 - 1 = 0, Welfare 1 - 1 = 0, Welfare 2 - 2 + 0 = 0, Wmin = 0 at every node, Pay: 2, 1 1]

Page 36: Mechanism Design and Computer Security

Example 2

Deception
[Diagram: same tree as the truthful computation, agent 1 labelled "utility 4?"; labels: Welfare 2, Welfare 1-1=0, Welfare 1-1=0, Wmin = 2 at every node, Pay: 0, 1 1]

What agent 3 thinks
[Diagram: agent 1 (utility 2, cost 2) with agent 2 shown as utility 3, cost 1 and agent 3 as utility 1, cost 1; labels: Welfare 3-1=2, Welfare 1-1=0, Welfare 2-2+0+2=2, Wmin = 2 at every node, Pay: 0, 1 1]

Agent 1 behaves as if utility=4 until time to pay, then utility=2. Each child thinks the other has utility 3.

Page 37: Mechanism Design and Computer Security

Prevent cheating

Assume public-key infrastructure
• Each node has verifiable signature

Augment messages
• Sign data from FPS algorithm
• Parent returns signed W to child

Nodes send payment + proof
• Proof is signed data showing payment is calculated correctly

Two improvements yet to come

Page 38: Mechanism Design and Computer Security

Node J sends payment and proof

[Diagram: node j with parent p and children d1, d2 (welfares W_d1, W_d2). j sends Sign(j, W_j) up to p and Sign(j, Wmin) down to d1 and d2; p sends Sign(p, Wmin) and Sign(p, W_j) to j; d1 sends Sign(d1, W_d1) and d2 sends Sign(d2, W_d2) to j. Sign(p, W_j) is the new data, used in j’s proof.]

Agent j pays P_j = U_j – min(Wmin, W_j)
where U_j = c_j + W_j – (W_d1 + W_d2)

Calculation of P_j is verifiable from messages signed by p, d1, d2.

Page 39: Mechanism Design and Computer Security

Node J sends payment and proof

Lemma
• If parent p and children d1, …, dk are honest, then node j cannot improve own welfare by not sending correct values

Proof idea
• If node does not send correct proof, we punish j => node sends correct W_j
• Node j cannot gain by sending incorrect data down tree, since these do not change P_j

Page 40: Mechanism Design and Computer Security

Shortcomings

Proof checked by central authority

Node can be mischievous
• Node cannot increase own welfare by sending bad values down tree
• But node can make life worse for others
  – Wmin too low => nodes below pay too much
  – Wmin too high => pay too little, distributor loses

Page 41: Mechanism Design and Computer Security

Randomized checking

Nodes pay and save proof

Randomly select node to audit
• If node has correct proof, OK
• If node cannot show proof, punish
  – Fine node, or prohibit from further transmission (route around bad node)
• Make punishment high enough so expected benefit of cheating is negative

Reduce traffic, same outcome

Bombay bus fine…

Page 42: Mechanism Design and Computer Security

Prevent Mischief

• Receive signed confirmation from child
• Confirmation is required as part of proof

[Diagram: node j with parent p and children d1, d2; j sends Sign(j, Wmin) down and d1 returns Sign(d1, Wmin)]
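As an added example (not the authors' code) of the proof on pages 38 and 42: the signed messages node j saves, and an auditor that checks them, run on the two-node cheat from page 33. HMAC tags under keys the auditor holds stand in for the PKI signatures, the auditor is assumed to know the link cost c_j, and the payment is clamped at zero; all of that is my construction.

```python
import hashlib
import hmac
from typing import Dict, Tuple

# Stand-in for the PKI the slides assume: the auditor holds every node's key, so
# an HMAC tag plays the role of Sign(node, value). The keys are constructed.
KEYS: Dict[str, bytes] = {n: (n * 8).encode() for n in ("p", "j", "d1", "d2")}
Signed = Tuple[int, bytes]   # (value, tag over "label=value")

def sign(node: str, label: str, value: int) -> Signed:
    tag = hmac.new(KEYS[node], f"{label}={value}".encode(), hashlib.sha256).digest()
    return value, tag

def verify(node: str, label: str, msg: Signed) -> bool:
    return hmac.compare_digest(sign(node, label, msg[0])[1], msg[1])

def make_proof(w_j: int, wmin_in: int, child_ws: Dict[str, int], wmin_sent: int) -> dict:
    """What j saves: p's Sign(p, Wmin) and echo Sign(p, W_j), each child's
    Sign(d, W_d), and each child's confirmation Sign(d, Wmin) of the Wmin j sent down."""
    return {
        "p_wmin": sign("p", "Wmin", wmin_in),
        "p_wj": sign("p", "W", w_j),
        "children": {d: sign(d, "W", w) for d, w in child_ws.items()},
        "confirms": {d: sign(d, "confirm", wmin_sent) for d in child_ws},
    }

def audit(proof: dict, cost_j: int, payment: int) -> bool:
    """Auditor: every message verifies, the Wmin j passed down equals min(Wmin, W_j),
    and payment == U_j - min(Wmin, W_j) with U_j = c_j + W_j - sum of child welfares."""
    wmin_in, w_j = proof["p_wmin"][0], proof["p_wj"][0]
    if not (verify("p", "Wmin", proof["p_wmin"]) and verify("p", "W", proof["p_wj"])):
        return False
    for d, msg in proof["children"].items():
        conf = proof["confirms"].get(d)
        if conf is None or not (verify(d, "W", msg) and verify(d, "confirm", conf)):
            return False                      # missing or forged message: no valid proof
        if conf[0] != min(wmin_in, w_j):
            return False                      # mischief: wrong Wmin sent down the tree
    u_j = cost_j + w_j - sum(max(m[0], 0) for m in proof["children"].values())
    return payment == max(0, u_j - min(wmin_in, w_j))

# Two-node case from the slides: j has utility 2, cost 3; child d1 has W_d1 = 7-5 = 2,
# so W_j = 2-3+2 = 1, Wmin = 1, j owes 1 and should send Wmin = 1 down.
honest = make_proof(w_j=1, wmin_in=1, child_ws={"d1": 2}, wmin_sent=1)
# The slides' cheat: j sends Wmin = 0 down (d1 then pays 7) and pays nothing itself.
cheat = make_proof(w_j=1, wmin_in=1, child_ws={"d1": 2}, wmin_sent=0)

if __name__ == "__main__":
    print("honest proof accepted:", audit(honest, cost_j=3, payment=1))   # True
    print("cheat proof accepted:", audit(cheat, cost_j=3, payment=0))     # False
```

Without the child's confirmation the cheat would only be caught through j's own underpayment; with it, the auditor also sees that the Wmin j forwarded does not match what p signed.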

Page 43: Mechanism Design and Computer Security

Status of Multicast Cost Sharing

Pricing function provides incentive
Distributed algorithm computes price
Techniques to encourage compliance
• Nodes save signed confirmation of msgs
• Randomized auditing incents compliance
  – Alternative: neighbors rewarded for turning in cheaters
• Route around nodes that cause trouble

Page 44: Mechanism Design and Computer Security

Grand Plan

[Diagram: problems (multicast distribution, inter-domain routing, congestion control) against steps (pricing function, distributed mechanism, rational agents, irrational agents), leading to Goal]

Page 45: Mechanism Design and Computer Security