PeerReview: Practical Accountability for Distributed Systems SOSP 07.
Transcript of PeerReview: Practical Accountability for Distributed Systems SOSP 07.
Page 1

PeerReview: Practical Accountability for Distributed Systems
SOSP 07
Page 2

Why have Accountability?
- Nodes can fail
- An attacker can compromise a node
- Accidental mis-configuration
- Multiple administrative domains
Page 3

- Distributed state, incomplete information
- General case: multiple admins with different interests

(Figure: several administrative domains, each labelled "Admin".)

Source: www.sosp2007.org/talks/sosp118-haeberlen.ppt
Page 4

What is Accountability?
- Fault = anything besides expected behavior
- Ideal accountability:
  - Detect a fault
  - Identify the faulty node (Completeness)
  - Correct node can prove its correctness (Accuracy)
  - Expose the faulty node
Page 5

A few advantages:
- Deterring faults
- Augmenting fault-tolerant systems
- Augmenting best-effort systems
Page 6

Challenges: What can/cannot be detected?
- Un-observable faults: a node's internal state (CPU overheating, display failed). Need trusted probes!
- Observable faults: affect a correct node causally. No trusted entity required!
- How to verify whether a node reports correctly?
- How to distinguish omission from long delays?
Page 7

(Figure: message sequence between nodes A, B and C. Legend: Request (REQ), Grant (GNT), Release (REL). Messages shown: REQ_8, GNT_8, REQ_5, REL_8, GNT_5, REL_5.)

Page 8

(Figure: variant of the A/B/C message sequence. Messages shown: REQ_8, GNT_5, REQ_5, GNT_5, REL_5.)

Page 9

(Figure: variant of the A/B/C message sequence. Messages shown: REQ_8, GNT_8, REQ_5, GNT_5, REL_5, REL_8.)

Page 10

(Figure: variant of the A/B/C message sequence. Messages shown: REQ_8, REQ_5, GNT_5, REL_5.)

Page 11

(Figure: variant of the A/B/C message sequence. Messages shown: REQ_8, REQ_2, GNT_3, REL_5, GNT_2, REQ_3, GNT_8, REL_8.)
Page 12

Accountability: How much can we do?
- Completeness:
  - Eventually suspected
  - Eventually exposed
- Accuracy:
  - No correct node is forever suspected
  - No correct node is ever exposed by a correct node
Page 13

FullReview characteristics:
- A trusted entity exists
- All messages go through the trusted entity
- Each node maintains a log for every other node
- Check the log; suspect/expose a deviant node

Complete? Accurate? Practical?
Page 14

PeerReview: Practical Accountability
- No trusted entity
- Nodes only keep their own log; may retrieve others' logs when needed
- Logs are tamper-evident
- Witness nodes check the correctness of a node
- Challenge/response protocol
Page 15

System Model
- Each node is modeled as:
  - A state machine
  - A detector
  - An application
- Assumptions:
  - Deterministic state machine
  - Correct nodes can communicate
  - A reference implementation of the node software
  - A secure signature mechanism is available
Page 16

Overview
- Nodes maintain a log of I/O
- Witnesses of a node audit its log
- If faulty, gather evidence and make it known
Page 17

Tamper-evident logs
- Append-only list of I/O
- Log entries connected in a hash chain
- Authenticator: a signed statement by a node
- If a node tampers with the log, it will be evident
- Logs must be complete: no entries missed
- Logs must be correct: no forged entries, no multiple logs
Page 18

Fault Detection
- Audit: replay the inputs to a reference implementation. Output == Log?
- Evidence transfer: fetch evidence from witnesses

(Figure: messages from the network are recorded in the log; the logged inputs are fed to the state machine of the reference implementation (modules A and B) and its output is compared (=?) with the logged output; if ≠, the node is faulty.)
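The hash-chained log with authenticators (page 17) and the audit-by-replay check (page 18), as an added example that is not code from the slides or from the PeerReview implementation. The reference state machine is a constructed lock server that handles the REQ/GNT/REL messages of the earlier figures; HMAC stands in for the signature scheme, and the node id, keys and log contents are constructed.

```python
# Added example, not from the PeerReview slides: a hash-chained log with authenticators and
# audit-by-replay against a reference lock server. HMAC stands in for signatures (assumption).
import hashlib, hmac
GENESIS = "0" * 64  # hash value "before" the first entry
def entry_hash(prev_h, i, typ, content):
    # h_i = H(h_{i-1} || i || type || content) links every entry to its predecessor
    return hashlib.sha256(f"{prev_h}|{i}|{typ}|{content}".encode()).hexdigest()
def authenticator(key, node_id, i, h):
    # Signed statement "node_id's log has top hash h at position i" (HMAC as stand-in)
    return hmac.new(key, f"{node_id}|{i}|{h}".encode(), "sha256").hexdigest()
class TamperEvidentLog:
    def __init__(self, node_id, key):
        self.node_id, self.key, self.entries, self.auths = node_id, key, [], []
    def append(self, typ, content):
        i, prev = len(self.entries), (self.entries[-1][3] if self.entries else GENESIS)
        h = entry_hash(prev, i, typ, content)
        self.entries.append((i, typ, content, h))
        self.auths.append((i, h, authenticator(self.key, self.node_id, i, h)))
        return h
def verify_chain(entries, auths, key, node_id):
    # Recompute the chain and check each authenticator; False means tampering is evident
    prev = GENESIS
    for (i, typ, content, h), (ai, ah, sig) in zip(entries, auths):
        if (ai, ah) != (i, h) or h != entry_hash(prev, i, typ, content):
            return False
        if not hmac.compare_digest(sig, authenticator(key, node_id, i, h)):
            return False
        prev = h
    return len(entries) == len(auths)

def lock_server(inputs):
    # Reference implementation: each lock id has one holder at a time; later requests queue
    held, waiting, outputs = set(), {}, []
    for msg in inputs:
        kind, lock = msg.split("_")
        if kind == "REQ" and lock not in held:
            held.add(lock)
            outputs.append(f"GNT_{lock}")
        elif kind == "REQ":
            waiting[lock] = waiting.get(lock, 0) + 1
        elif kind == "REL" and lock in held and waiting.get(lock, 0):
            waiting[lock] -= 1
            outputs.append(f"GNT_{lock}")  # hand the lock to the next waiter
        elif kind == "REL":
            held.discard(lock)
    return outputs

def audit(entries):
    # Witness check: replay logged inputs through the reference implementation, compare outputs
    ins = [c for _, t, c, _ in entries if t == "IN"]
    return lock_server(ins) == [c for _, t, c, _ in entries if t == "OUT"]
```

A witness that holds the authenticators can detect both a rewritten log entry (the chain no longer matches) and a node that logged honestly but behaved incorrectly (replay produces a different output).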
Page 19

PeerReview: Applications
- Overlay multicast: large amounts of data; freeloaders
- Network file system: latency-sensitive; data tampering; message loss in the network
- Peer-to-peer email: DoS attack
Page 20

Results: Multicast with Freeloader

Page 21

Results: Throughput

Page 22

Results:

Page 23

Discussion
- What if all witnesses are faulty?
- How to choose T_trunc, T_audit, T_buf?