
Towards Scalable and Robust Distributed Systems

Christian Scheideler

Institut für Informatik

Technische Universität München


Basic Goals

Correctness

Efficiency

Robustness ??


Development of Computer

Correctness, Efficiency, Robustness


Four Commandments of Distributed Systems

1. You shall not sleep.
2. You shall not lie.
3. You shall not steal.
4. You shall not kill.

Not enforceable in open distributed systems!

Countermeasures:

1. Algorithmic solution as long as majority awake.
2. Cryptography, error-correcting codes, verifiable secret sharing, ...
3. Serious problem! (viruses, phishing, DRM, ...)
4. Serious problem! (DoS attacks)


Fundamental Dilemma

• Efficiency: Minimize resources needed for operations

• Robustness: Maximize resources needed for attacks

Scalable systems are easy to attack!!


Options

1. Restriction to "legal" attacks

– join-leave attacks

– insert-lookup attacks

2. New paradigm


Join-Leave Attacks

• Peer-to-peer systems have attracted a lot of attention in recent years

• In open peer-to-peer systems peers may frequently join and leave


Join-Leave Model

• n honest peers

• n adversarial peers, <1

Operations:

• Join(v): peer v joins the system

• Leave(v): peer v leaves the system

Goal: maintain scalability and robustness for any sequence of polynomially many adversarial rejoin (leave+join) requests


More specific goal

• n honest peers, n adversarial peers

• every peer has point in [0,1)

For any interval I ⊂ [0,1) of size (c log n)/n:

• Balancing condition: (log n) peers in I

• Majority condition: honest peers in majority


How to satisfy conditions?

Chord: uses cryptographic hash function to map peers to points in [0,1)

• randomly distributes honest peers

• does not randomly distribute adversarial peers


How to satisfy conditions?

CAN: map peers to random points in [0,1)


How to satisfy conditions?

Group spreading [AS04]:

• Map peers to random points in [0,1)

• Limit lifetime of peers

Too expensive!


How to satisfy conditions?

• Rule that works: k-cuckoo rule [AS06a]

evict k/n-region

n honest n adversarial

< 1-1/k

Rejoin: leave and join via k-cuckoo rule
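
As an added illustration (not part of the original slides), the following Python simulation contrasts plain random placement, as on the CAN slide, with the k-cuckoo rule under a join-leave attack on one interval I. It assumes the rule works as follows: a joining peer gets a random point and every peer in the k/n-region containing that point is moved to a fresh random point; the function name, the parameters and the adversary's strategy are constructed for this example.

```python
import random

def attack(n, adv_ratio, k, frac, steps, cuckoo, seed=1):
    """Join-leave attack on the interval I = [0, frac); returns (honest, adversarial) in I.

    Each step the adversary rejoins one of its peers that lies outside I.
    cuckoo=False: the rejoining peer simply gets a fresh random point.
    cuckoo=True:  the join also evicts every peer in the k/n-region around the
                  new point to independent random points (no cascading evictions).
    """
    rng = random.Random(seed)                 # seeded: the run is reproducible
    regions = n // k                          # [0,1) split into n/k regions of size k/n
    n_adv = int(adv_ratio * n)
    adversarial = range(n, n + n_adv)         # peer ids >= n belong to the adversary
    pos = [rng.random() for _ in range(n + n_adv)]
    bucket = [set() for _ in range(regions)]  # peers currently in each region
    for p, x in enumerate(pos):
        bucket[int(x * regions)].add(p)

    def place(p, x):
        bucket[int(pos[p] * regions)].discard(p)
        pos[p] = x
        bucket[int(x * regions)].add(p)

    for _ in range(steps):
        outside = [p for p in adversarial if pos[p] >= frac]
        if not outside:                       # every adversarial peer already sits in I
            break
        joiner, x = rng.choice(outside), rng.random()
        if cuckoo:
            for q in list(bucket[int(x * regions)]):
                if q != joiner:               # the joiner has left, so it is not evicted
                    place(q, rng.random())
        place(joiner, x)
    honest = sum(pos[p] < frac for p in range(n))
    return honest, sum(pos[p] < frac for p in adversarial)

if __name__ == "__main__":
    # Constructed parameters: 2048 honest and 512 adversarial peers, k = 8, |I| = 1/16.
    for rule in (False, True):
        h, a = attack(2048, 0.25, 8, 1 / 16, 6000, cuckoo=rule)
        print("k-cuckoo rule" if rule else "random points", "-> honest", h, "adversarial", a)
```

With random placement alone the adversary keeps every lucky landing in I and eventually outnumbers the honest peers there; with the eviction step its peers in I are flushed out again whenever a join hits their region, so the majority condition survives the same attack.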


Limitation of k-cuckoo rule

• Only works for any sequence of rejoin requests of adversarial peers.

• Does not work for any sequence of rejoin requests.


k-flip&cuckoo rule [AS07]

• Join: as before (k-cuckoo rule)

• Leave: random k/n-region among c log n neighboring k/n-regions, empty & flip it with random k/n-region

n honest n adversarial

flip


DoS-attacks???

• Attacks oblivious to random bits: OK

• Attacks adaptive to random bits:


Insert-lookup attacks

• Mehlhorn & Vishkin 84: Any step of a CRCW PRAM can be simulated on a distributed memory system in O(log2 n) time (n: # processors).

• Needs O(log n) hash functions with certain expansion properties.

• Uses combining and filtering.


DoS attacks???

• Oblivious DoS attacks: Random peer distribution

• Adaptive DoS attacks:

• Past insider DoS attacks? Adversary knows everything till time t


Past insider DoS attack

Dilemma:

• Explicit data structure can only make polylog updates to be scalable, so easy to attack

• Fixed hash function: insert and lookup cheap, but easy to attack

• Random placement: difficult to attack, but insert and lookup expensive

Combine fixed hashing with random placement!!


What about arbitrary DoS attacks???


The problem is not openness.

The problem is exposure.


Some Facts

• More than 90% of emails are spam

• Thousands of software bugs per year

• ~3 days until virus developed for bug, but 31 days till patch available

• ~8000 denial-of-service attacks per day

• >150,000 phishing attacks per year


Can exposure be prevented without losing openness???


Laws of Robustness

Owner consent and control

Principle of least authority


Not just for computers

[EU Recommendation on privacy of medical data 1997, U.S. OCR HIPAA act]

• Owner consent and control: Patients should have full control over their medical data.

• Principle of least authority: Access should only be given to information necessary for the diagnosis and treatment.


Demands

Principle of least authority:

• Not more knowledge than necessary.

• Not more rights than necessary.

Owner consent and control:

• Universality: freedom of choice

• Simplicity: consequences transparent


New Paradigm

• Subjects

• Objects

• Relay points


Subjects and Objects

Atomic, anonymous, active, static, only reachable via relay points

Atomic, anonymous, passive, dynamic data, cannot be copied, info only accessible via keys

Consent and control, least authority?

Fixed identity, fixed outgoing connection, incoming connections controlled by owner


Descendants

Resource control

Mother Child

Consent and control, least authority?

communication

Creation of new child:


First contact

R

Public identity (TAN)

• Subjects have no identity

• Relay points have fixed identities (that are not accessible by applications)

• Outgoing connections cannot be changed

A B

R

Consent and control, least authority?


Introduction

B>A

A B

CA>B

Consent and control, least authority?

R>B

R


Realization

Internet

ISP

Relay points


Current State

• Simulation environment available (see www14.in.tum.de/personen/scheideler)

• Used in lectures

• Talks to set up DFG project and realize paradigm as operating system kernel


Questions?