Mechanism Design and Computer Security
Transcript of Mechanism Design and Computer Security
John Mitchell, Vanessa Teague
Stanford University
The Internet
Three kinds of behavior: Blind obedience, rational self-interest, malicious disruption
Outline for this workshop talk

Some network problems
• Congestion control, interdomain routing

Algorithmic mechanism design
• Pricing function provides incentives

Distributed mechanisms and security
• Distributed implementation by rational agents
• Prevent malicious acts by rational agents
• Open problem: irrational malicious agents

Warning: bait and switch
TCP/IP Transmission

TCP guarantees packet delivery
• Source packets carry sequence numbers
• Destination acknowledges
• If a packet is lost, the source resends

(Figure: source and destination exchanging packets and acknowledgements)
TCP Congestion Control

If packets are lost, assume congestion
• Reduce transmission rate by half, repeat
• If loss stops, increase rate very slowly

Design assumes every sender blindly obeys this policy

(Figure: source and destination)
Competition

Amiable Alice yields to boisterous Bob
• Alice and Bob both experience packet loss
• Alice backs off
• Bob disobeys the protocol and gets better results

(Figure: sources A and B sharing a path to their destinations)
What's the point?

TCP/IP assumes honesty
• If everyone follows the protocol, transmission rates adapt to load

Incentive for dishonesty
• Dishonest TCP works better, as long as others follow standard TCP backoff

Security risks
• Vulnerable to denial of service, IP spoofing, etc.
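The Alice/Bob point can be seen in numbers with a toy fluid model of two flows sharing one bottleneck. This is an added example, not code from the talk: the capacity, the starting rates and the "one unit of rate per round" additive increase are constructed for illustration, and Bob's back-off factor is a parameter so the same function covers the honest/honest and honest/cheater cases.

```python
"""Toy fluid model of two TCP-like flows sharing one bottleneck (added example).

Each round a flow adds one unit of rate (additive increase). Whenever the
offered load exceeds the link capacity both flows see loss and apply their
own multiplicative decrease: Alice halves her rate like standard TCP, Bob
uses whatever factor he likes. All numbers are constructed for the demo.
"""


def simulate(alice_backoff=0.5, bob_backoff=0.5, capacity=100.0,
             rounds=2000, start=(1.0, 10.0)):
    """Return the time-averaged rates (alice, bob) over `rounds` rounds."""
    alice, bob = start
    total_a = total_b = 0.0
    for _ in range(rounds):
        if alice + bob > capacity:      # loss event, seen by both flows
            alice *= alice_backoff
            bob *= bob_backoff
        else:                           # no loss: additive increase
            alice += 1.0
            bob += 1.0
        total_a += alice
        total_b += bob
    return total_a / rounds, total_b / rounds


def share_report():
    """Honest pairing versus a Bob who only backs off by 10% on loss."""
    return {
        "both_honest": simulate(),                 # both halve on loss
        "bob_cheats": simulate(bob_backoff=0.9),   # Bob ignores most of the loss signal
    }


if __name__ == "__main__":
    for name, (a, b) in share_report().items():
        print(f"{name:12s} alice={a:6.1f}  bob={b:6.1f}")
```

With both flows halving on loss the rates converge to an equal share regardless of where they start; once Bob backs off by only 10% his long-run share is several times Alice's, and Alice gets strictly less than she did against an honest Bob, which is the incentive problem the slide describes.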
Goal: More robust networking

Introduce economic incentives
• Routers administered autonomously
• Reward good behavior
• Prevent tragedy of the commons

Include security measures
• Economics => adaptive behavior
  – Better load balancing to increase welfare
• Accounting => increased instrumentation
  – Detect, quarantine malicious behavior
Interdomain Routing

Autonomous System: a connected group of one or more Internet Protocol prefixes under a single routing policy (aka domain)

(Figure: two Autonomous Systems, earthlink.net and Stanford.edu; an Interior Gateway Protocol runs inside each AS, an Exterior Gateway Protocol between them)
Transit and Peering

Transit: ISP sells access
Peering: reciprocal connectivity
BGP protocol: routing announcements for both

(Figure: peering links between providers, transit link down to a customer)
BGP overview

Iterative path announcement
• Path announcements grow from destination to source
• Subject to policy (transit, peering)
• Packets flow in the reverse direction

Protocol specification
• Announcements can be shortest path
• Nodes allowed to use other policies
  – E.g., "cold-potato routing" by smaller peer
• Not obligated to use the path you announce
BGP example [D. Wetherall]

Transit: 2 provides transit for 7
• 7 reaches and is reached via 2
Peering: 4 and 5 peer
• exchange customer traffic

(Figure: ASes 1 through 8; the path announcements drawn in the figure, each AS prepending itself as the announcement spreads away from the destination)
• Routes to 7: 7; 2 7; 3 2 7; 6 2 7
• Routes to 5: 5; 6 5; 2 6 5; 3 2 6 5; 7 2 6 5
• Routes to 4: 4; 3 4; 2 3 4; 6 2 3 4; 7 2 3 4
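The announcement process on this figure can be reproduced with a small path-vector simulator. This is an added example, not code from the talk. The slide fixes only two facts, that 2 provides transit for 7 and that 4 and 5 peer; the other provider/customer edges below are an assumption chosen so that the announced paths come out as drawn (ASes 1 and 8 are left out). Export follows the usual valley-free (Gao-Rexford) rules: a route learned from a customer is announced to everyone, a route learned from a peer or provider only to customers; selection prefers customer over peer over provider routes, then shorter paths.

```python
"""Valley-free path-vector propagation on a small AS graph (added example)."""

# (provider, customer) pairs. Only 2->7 is stated on the slide; the rest are
# assumed so that the figure's paths are reproduced.
PROVIDER_OF = {(2, 7), (2, 3), (2, 6), (3, 4), (6, 5)}
PEERS = {frozenset((4, 5))}                     # stated on the slide
RANK = {"customer": 0, "peer": 1, "provider": 2}  # route preference order


def all_ases():
    nodes = {a for edge in PROVIDER_OF for a in edge}
    nodes |= {a for edge in PEERS for a in edge}
    return sorted(nodes)


def relationship(a, b):
    """How AS a classifies its neighbour b (None if not adjacent)."""
    if (a, b) in PROVIDER_OF:
        return "customer"
    if (b, a) in PROVIDER_OF:
        return "provider"
    if frozenset((a, b)) in PEERS:
        return "peer"
    return None


def neighbors(a):
    return [b for b in all_ases() if b != a and relationship(a, b)]


def may_export(learned_from, to):
    """Valley-free export: customer (or own) routes go everywhere,
    peer/provider routes only down to customers."""
    return learned_from in ("origin", "customer") or to == "customer"


def route_key(kind, path):
    # Prefer customer > peer > provider, then shorter AS path, then lower next hop.
    return (RANK.get(kind, -1), len(path), path[1] if len(path) > 1 else 0)


def propagate(destinations, max_rounds=50):
    """Synchronous rounds: every AS rebuilds its table from its neighbours'
    current announcements until nothing changes. Returns {as: {dest: path}}.
    Rebuilding from scratch each round also drops routes a neighbour stopped
    announcing, so no separate withdrawal handling is needed."""
    ases = all_ases()
    rib = {a: ({a: ("origin", (a,))} if a in destinations else {}) for a in ases}
    for _ in range(max_rounds):
        new = {}
        for b in ases:
            table = {b: ("origin", (b,))} if b in destinations else {}
            for a in neighbors(b):
                for dest, (kind, path) in rib[a].items():
                    # loop prevention, then a's export policy towards b
                    if b in path or not may_export(kind, relationship(a, b)):
                        continue
                    cand = (relationship(b, a), (b,) + path)   # how b classifies a
                    if dest not in table or route_key(*cand) < route_key(*table[dest]):
                        table[dest] = cand
            new[b] = table
        if new == rib:
            return {a: {d: path for d, (_, path) in t.items()} for a, t in rib.items()}
        rib = new
    raise RuntimeError("no convergence within max_rounds")


if __name__ == "__main__":
    for a, t in propagate({4, 5, 7}).items():
        print(a, {d: " ".join(map(str, p)) for d, p in sorted(t.items())})
```

Two things worth noticing in the output: 3 reaches 5 by 3 2 6 5 although 3 4 5 is shorter, because 4 never exports the route it learned from its peer 5 up to its provider 3; and every path grows by exactly one AS per hop away from the destination, as the slide says ("announcements grow from destination to source").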
Issues

BGP convergence problems
• Protocol allows policy flexibility
• Some legal policies prevent convergence
• Even shortest-path policy converges slowly

Incentive for dishonesty
• ISP pays for some routes, others free

Security problems
• Potential for disruptive attacks
Evidence: Asymmetric Routes

(Figure: Alice and Bob with different forward and return paths)

Alice and Bob use the cheapest routes to each other
These are not always shortest paths
Asymmetric routes are prevalent
• AS asymmetry in 30% of measured routes
• Finer-grained asymmetry far more prevalent
Mechanism Design

Charge for goods
• Assume agents have rational self-interest
• Provide incentives via pricing function

Traditional use
• Maximize social welfare
• Make honesty the best policy (revelation principle)

Network applications
• Maximize throughput, resilience to attack
• Fake money as good as real money
Grand Plan

(Figure: grid with rows Multicast distribution, Inter-domain routing, Congestion control and columns Pricing function, Distributed mechanism, Rational agents, Irrational agents, with a Goal marker)
Multicast cost sharing

(Figure: nodes joined by links)

• Distribute some good
• Each node has some utility for the good
• Each link has some cost
• Which nodes get the transmission?
Multicast solutions

Centralized scheme [FPS]
• Pricing algorithm that elicits true utility

Controlled distributed scheme [FPS]
• Works for tamper-resistant nodes
• Problems if nodes are dishonest

Autonomous distributed scheme
• Use signatures to verify data
• Verifying node must not share the incentive to cheat
Traditional Goals

• Efficient
  – Maximize overall welfare
  – Welfare = total utility of agents that get the good minus total network cost of the links used
• Strategyproof
  – Agent cannot gain by lying about its utility

May not maximize profit for sender
FPS Network Assumptions

Nodes and agents
• Each node has a trusted router
• Router connected to untrusted agents

Transmission costs
• Link cost known to the two nodes at each end

Simplification: will assume one agent per node
Centralized Scheme

Data collection
• Agent reports utility to central authority

Computation
• Compute welfare of each subtree

Routing decision
• Transmit good to subtree if welfare ≥ 0
Welfare of Subtree

Welfare of a subtree T_i whose root i hangs on a link of cost c_i:
• W_i = u_i − c_i if node i is a leaf
• W_i = u_i − c_i + Σ_{k child of i} max(W_k, 0) otherwise

Welfare is aggregate benefit minus cost

Example: Maximum welfare
(Figure: tree below the source; values recovered from the figure)
• Root: utility 3, cost 2; welfare 3 − 2 + 0 + 4 = 5
• Child A: utility 2, cost 4; welfare 2 − 4 = −2 (contributes 0 to the root)
• Child B: utility 1, cost 3; welfare 1 − 3 + 6 = 4
• B's child C: utility 7, cost 1; welfare 7 − 1 = 6
If welfare is secret, how do we determine the outcome?

How much should a node pay?

Announced utility?
• Agent may gain by lying

(Figure: leaf with utility 5 on a link of cost 2)
Leaf will announce utility 2, since this is enough to get the good
• Similar incentive for internal nodes
FPS Pricing Mechanism

If agent does not receive the good
• Agent pays nothing
If agent receives the good
• Agent pays the minimum bid needed to get the transmission, given the other players' bids

This is a VCG mechanism

Example price calculations
(Figure: the same tree as above, annotated with payments)
• Root: utility 3, cost 2; welfare 3 − 2 + 0 + 4 = 5; agent pays 0
• Child A: utility 2, cost 4; welfare 2 − 4 = −2; not served, pays nothing
• Child B: utility 1, cost 3; welfare 1 − 3 + 6 = 4; pays 0 (a bid of 1 is below the minimum bid, 4, that would have been needed had it mattered, so its bid did not change the outcome)
• B's child C: utility 7, cost 1; welfare 7 − 1 = 6; agent pays 3 (C must bid at least 7 − 3 = 4 for B's subtree to keep welfare ≥ 0)
Strategyproof and Efficient

Efficient (max welfare) by construction
• Add omitted subtree -> decrease welfare
• Remove routed subtree -> decrease welfare
This argument assumes agents tell the truth

Agent can bid true utility
• Payment is independent of bid, given outcome
• Bid more than utility
  – doesn't help, or pay too much
• Bid less than utility
  – doesn't help, or don't get the transmission

(Figure: "Tell truth if you buy the good" – bid on the horizontal axis; the true utility u lies above the minimum bid needed to get the transmission; bids below the minimum get no transmission, bids above it get the transmission at the same price)

(Figure: "Tell truth if you don't buy the good" – the true utility u lies below the minimum bid; bidding above the minimum gets the transmission but pays more than u)
Profit for content distributor?

What's the worst-case return?
• Marginal-cost pricing does not guarantee profit
• May lose money, fail to capture utility

(Figure: root with utility 0 on a link of cost 100, two children with utility 100 on links of cost 0; welfare 100 − 0 = 100 at each child and 0 − 100 + 100 + 100 = 100 at the root; every agent pays 0, so the distributor pays for the cost-100 link and collects nothing)
Distributed implementation

(Figure: the example tree with its welfare values; the source returns Wmin = 5 to the root, the root passes Wmin = 5 to its children, child A (welfare −2) gets "No transmission", child B passes Wmin = 4 down to C)

1) Send welfare up the tree
2) Send min welfare Wmin down the tree
3) Compute payment = utility − min(Wmin received, own welfare); pay nothing if this is negative
Autonomous distributed model

Agents control nodes
• They can use different utilities for different messages
• An agent with children can lie about the children's utilities
• There is nothing to force an agent to pay the correct amount
Node can cheat its children

The truth
(Figure: source → parent with utility 2 on a link of cost 3 → child with utility 7 on a link of cost 5)
• Child welfare 7 − 5 = 2
• Parent welfare 2 − 3 + 2 = 1
• Wmin = 1 at the parent and at the child
• Parent pays 1, child pays 6

The cheat
(Figure: same tree)
• Parent still reports welfare 1 upward and receives Wmin = 1
• Parent sends Wmin = 0 down to the child
• Parent pays 0, child pays 7
• Child can't see that the parent doesn't pay
More ways to cheat

• Second example
  – Node can cheat but all messages look consistent
• Conclusion
  – Need to use payment and messages to detect cheating
Second Example

Truthful computation
(Figure: source → node 1 with utility 2 on a link of cost 2 → nodes 3 and 2, each with utility 1 on a link of cost 1)
• Welfare at node 3: 1 − 1 = 0; at node 2: 1 − 1 = 0; at node 1: 2 − 2 + 0 + 0 = 0
• Wmin = 0 at every node
• Node 1 pays 2; nodes 3 and 2 pay 1 each
Deception
(Figure: the same tree; node 1 reports welfare 2 upward, as if its utility were 4, and receives Wmin = 2; it forwards Wmin = 2 to nodes 3 and 2, each of which still has welfare 1 − 1 = 0)
• Node 1 pays 0; nodes 3 and 2 pay 1 each

What agent 3 thinks
(Figure: node 1 with utility 2 on a link of cost 2; sibling node 2 with utility 3 on a link of cost 1, welfare 3 − 1 = 2; node 3 with utility 1 on a link of cost 1, welfare 1 − 1 = 0; node 1 welfare 2 − 2 + 0 + 2 = 2; Wmin = 2)
• Node 1 pays 0; nodes 3 and 2 pay 1 each

Agent 1 behaves as if utility = 4 until it is time to pay, then as if utility = 2
Each child thinks the other has utility 3
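The mechanism and both cheats above (the parent that sends a wrong Wmin down, and node 1 that reports an inflated welfare up but pays from its true utility) can be run through a small model. This is an added example, not the authors' code: the trees are the ones drawn on the slides with names of our choosing, and the rules implemented are the slide's, namely W_i = u_i − c_i + Σ max(W_k, 0) bottom-up, Wmin_i = min(Wmin from the parent, W_i) top-down, no transmission (and no payment) when Wmin_i < 0, and otherwise a payment of max(0, u_i − Wmin_i), the "pay nothing if negative" reading that the root paying 0 in the slide's example requires.

```python
"""FPS marginal-cost multicast cost sharing, centralized and message-passing,
plus the cheats from the slides (added example, not the authors' code)."""
from dataclasses import dataclass, field


@dataclass
class Node:
    name: str
    utility: float                  # u_i, private to the agent
    cost: float                     # c_i, cost of the link from the parent
    children: list = field(default_factory=list)


def centralized(root):
    """Central authority sees every utility. Returns (welfare, payments);
    nodes that are not served do not appear in payments."""
    W = {}

    def up(n):
        W[n.name] = n.utility - n.cost + sum(max(up(c), 0) for c in n.children)
        return W[n.name]

    up(root)
    pay = {}

    def down(n, wmin_parent):
        wmin = min(wmin_parent, W[n.name])
        if wmin < 0:                       # whole subtree cut off
            return
        pay[n.name] = max(0, n.utility - wmin)
        for c in n.children:
            down(c, wmin)

    down(root, float("inf"))               # source serves the root iff W_root >= 0
    return W, pay


def distributed(root, lies=None):
    """Each node sees only its own messages. `lies` maps a node name to any of
    {"W": welfare it reports upward, "Wmin": value it sends downward,
    "pay": amount it actually pays}; an honest node has no entry. A node that
    lies about W still pays from its true utility, as node 1 does on the slide."""
    lies = lies or {}
    sent_up = {}

    def up(n):
        true_w = n.utility - n.cost + sum(max(up(c), 0) for c in n.children)
        sent_up[n.name] = lies.get(n.name, {}).get("W", true_w)
        return sent_up[n.name]

    up(root)
    pay = {}

    def down(n, wmin_parent):
        wmin = min(wmin_parent, sent_up[n.name])   # uses what it told its parent
        if wmin < 0:
            return
        mine = lies.get(n.name, {})
        pay[n.name] = mine.get("pay", max(0, n.utility - wmin))
        for c in n.children:
            down(c, mine.get("Wmin", wmin))

    down(root, float("inf"))
    return sent_up, pay


def slide_tree():
    """Root u=3,c=2; children A (u=2,c=4) and B (u=1,c=3); B has child C (u=7,c=1)."""
    return Node("root", 3, 2, [Node("A", 2, 4), Node("B", 1, 3, [Node("C", 7, 1)])])


def second_example():
    """Node 1 (u=2,c=2) with children 3 and 2 (u=1,c=1 each)."""
    return Node("1", 2, 2, [Node("3", 1, 1), Node("2", 1, 1)])


def cheat_children_tree():
    """Parent (u=2,c=3) with one child (u=7,c=5)."""
    return Node("parent", 2, 3, [Node("child", 7, 5)])


def revenue(pay):
    return sum(pay.values())


if __name__ == "__main__":
    print(centralized(slide_tree()))
    print(distributed(second_example())[1])
    # Deception: node 1 reports W=2 (as if u=4) but pays from u=2, so it pays 0.
    print(distributed(second_example(), {"1": {"W": 2}})[1])
    # Parent sends Wmin=0 down and pays nothing; the child overpays.
    print(distributed(cheat_children_tree(), {"parent": {"Wmin": 0, "pay": 0}})[1])
```

In the second example the distributor collects 4 when everyone is honest and 2 under the deception, and every message the children see is consistent with a world in which the sibling has utility 3; only comparing node 1's payment with the welfare it reported would reveal the cheat, which is what the signed-proof scheme that follows does.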
Prevent cheating

Assume public-key infrastructure
• Each node has a verifiable signature

Augment messages
• Sign data from the FPS algorithm
• Parent returns signed W to child

Nodes send payment + proof
• Proof is signed data showing the payment is calculated correctly

Two improvements yet to come

Node j sends payment and proof
(Figure: parent p above node j, children d1 and d2 below it; messages recovered from the figure)
• d1 sends Sign(d1, W_d1) and d2 sends Sign(d2, W_d2) up to j
• j sends Sign(j, W_j) up to p
• p returns Sign(p, Wmin) and Sign(p, W_j) to j (new data, used in j's proof)
• j sends Sign(j, Wmin) down to d1 and d2

Agent j pays P_j = U_j − min(Wmin, W_j) (nothing if this is negative)
where U_j = c_j + W_j − (W_d1 + W_d2), each W_d counting as 0 if negative, since an unserved child contributes nothing to W_j

Calculation of P_j is verifiable from messages signed by p, d1, d2.
Node j sends payment and proof (continued)

Lemma
• If parent p and children d1, …, dk are honest, then node j cannot improve its own welfare by not sending correct values

Proof idea
• If node j does not send a correct proof, we punish j; so node j sends the correct W_j
• Node j cannot gain by sending incorrect data down the tree, since these do not change P_j
Shortcomings

Proof checked by central authority

Node can be mischievous
• Node cannot increase its own welfare by sending bad values down the tree
• But node can make life worse for others
  – Wmin too low => nodes below pay too much
  – Wmin too high => nodes below pay too little, distributor loses
Randomized checking

Nodes pay and save proof
Randomly select a node to audit
• If node has correct proof, OK
• If node cannot show proof, punish
  – Fine node, or prohibit from further transmission (route around bad node)
• Make punishment high enough so the expected benefit of cheating is negative

Reduce traffic, same outcome
Bombay bus fine…
Prevent Mischief

• Receive signed confirmation from child
• Confirmation is required as part of proof

(Figure: j sends Sign(j, Wmin) down to d1 and d2; d1 returns Sign(d1, Wmin) to j)
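The proof bundle from "Node j sends payment and proof" together with the child confirmations from "Prevent Mischief" can be checked mechanically. This is an added example, not the authors' code. Assumptions: per-node HMAC-SHA256 keys held by the auditor stand in for the per-node public-key signatures of the slides' PKI (so here only the auditor can verify, which matches "proof checked by central authority"); the auditor knows the tree and the link cost c_j, which the slides say is known to both ends of the link; the node names, utilities and costs are constructed for the demo. The audit recomputes U_j from the signed values exactly as on the slide, U_j = c_j + W_j − Σ max(W_d, 0), and rejects a bad signature, a missing message, a child confirmation that does not match min(Wmin, W_j), or a payment that differs from max(0, U_j − min(Wmin, W_j)).

```python
"""Auditable payment proofs for the distributed multicast mechanism
(added example; HMAC tags held by the auditor stand in for signatures)."""
import hashlib
import hmac
import json


def node_key(name):
    # Constructed demo key derivation; a deployment would provision real keys.
    return hashlib.sha256(b"demo-key-" + name.encode()).digest()


def canonical(stmt):
    # Canonical encoding so signer and verifier MAC identical bytes.
    return json.dumps(stmt, sort_keys=True, separators=(",", ":")).encode()


def sign(signer, stmt):
    return hmac.new(node_key(signer), canonical(stmt), hashlib.sha256).hexdigest()


def verify(signer, stmt, tag):
    return hmac.compare_digest(sign(signer, stmt), tag)


def signed(signer, kind, subject, value):
    """A statement such as 'p says Wmin(p) = 1' or 'd1 says W(d1) = 2'."""
    stmt = {"kind": kind, "subject": subject, "value": value}
    return {"signer": signer, "stmt": stmt, "sig": sign(signer, stmt)}


def build_proof(j, p, kids, cost, u_j, W_kids, Wmin_p, payment=None, wmin_down=None):
    """The bundle an honest j assembles; `payment` and `wmin_down` override
    j's behaviour to model a cheat."""
    W_j = u_j - cost + sum(max(w, 0) for w in W_kids)
    wmin_true = min(Wmin_p, W_j)
    pay = max(0, u_j - wmin_true) if payment is None else payment
    wmin_sent = wmin_true if wmin_down is None else wmin_down
    evidence = [signed(p, "W", j, W_j),          # p's receipt of the W that j sent up
                signed(p, "Wmin", p, Wmin_p)]    # the Wmin p sent down to j
    for d, w in zip(kids, W_kids):
        evidence.append(signed(d, "W", d, w))             # child's W sent up to j
        evidence.append(signed(d, "Wmin", j, wmin_sent))  # child's confirmation of j's Wmin
    return {"node": j, "parent": p, "children": list(kids), "cost": cost,
            "payment": pay, "evidence": evidence}


def audit(proof):
    """Return (ok, reason); recomputes P_j from the signed messages alone."""
    j, p, kids = proof["node"], proof["parent"], proof["children"]
    said = {}
    for e in proof["evidence"]:
        if not verify(e["signer"], e["stmt"], e["sig"]):
            return False, "bad signature from " + e["signer"]
        said[(e["signer"], e["stmt"]["kind"], e["stmt"]["subject"])] = e["stmt"]["value"]
    try:
        W_j = said[(p, "W", j)]
        Wmin_p = said[(p, "Wmin", p)]
        W_kids = [said[(d, "W", d)] for d in kids]
        confirmed = [said[(d, "Wmin", j)] for d in kids]
    except KeyError as missing:
        return False, f"missing evidence {missing}"
    wmin_j = min(Wmin_p, W_j)
    if any(c != wmin_j for c in confirmed):          # mischief towards the children
        return False, f"children confirm Wmin {confirmed}, expected {wmin_j}"
    U_j = proof["cost"] + W_j - sum(max(w, 0) for w in W_kids)   # utility j must have used
    expected = 0 if wmin_j < 0 else max(0, U_j - wmin_j)
    if proof["payment"] != expected:
        return False, f"paid {proof['payment']}, owed {expected}"
    return True, "ok"


# Constructed instance: j (u=5, c=2) under p, with children d1, d2 of welfare 2 each.
HONEST = dict(j="j", p="p", kids=["d1", "d2"], cost=2, u_j=5, W_kids=[2, 2], Wmin_p=1)

if __name__ == "__main__":
    print(audit(build_proof(**HONEST)))                 # honest: pays 4
    print(audit(build_proof(**HONEST, payment=3)))      # underpayment caught
    print(audit(build_proof(**HONEST, wmin_down=0)))    # wrong Wmin to children caught
    forged = build_proof(**HONEST)
    forged["evidence"][0]["stmt"]["value"] = 9          # tamper with p's signed W_j
    print(audit(forged))
```

The point of deriving U_j from p's signed copy of W_j rather than from anything j says later is the lemma above: once j has committed to W_j upward, the payment it owes is fixed by the signed messages, so reporting a high welfare and then paying from a low utility, as node 1 did in the deception example, no longer passes the audit.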
Status of Multicast Cost Sharing

Pricing function provides incentive
Distributed algorithm computes price
Techniques to encourage compliance
• Nodes save signed confirmation of messages
• Randomized auditing incents compliance
  – Alternative: neighbors rewarded for turning in cheaters
• Route around nodes that cause trouble
Grand Plan

(Figure repeated from above)