Upload
aubrie-baldwin
View
235
Download
0
Tags:
Embed Size (px)
Citation preview
BitTorrent
• BitTorrent consists of two protocols– Tracker HTTP protocol (THP)
• How an agent joins a swarm• How an agent learns of other agents in the swarm
– Peer Wire Protocol (PWP)• How agents connect with each other (handshake)• How agents tell each other what data they have• How agents request and send data• We focused on this part of the protocol
Peer Wire Protocol MessagesMsg Name Sender Recipient Payload
CHOKE Peer1 Remote peer
UNCHOKE Peer1 Remote peer
INTERESTED Peer1 Remote peer
UNINTERESTED Peer1 Remote peer
HAVE Peer1 Peer2 index the index of a piece that Peer1 has successfully downloaded and validated
BITFIELD Peer1 Peer2 Bitfield Contains bitfield of pieces successfully downloaded by Peer1
REQUEST Peer1 Peer2 Used to identify specific block
PIECE Peer1 Peer2
CANCEL Peer1 Peer2 Used to identify specific block
Overview
• PRISM is not a natural way to define distributed protocols with non-deterministic adversary
• Presentation:1. Overview of challenges of modeling a
complicated protocol in PRISM2. Techniques we used to overcome these
challenges3. Results
Generating PRISM Model
• We wrote PHP Script– Always generates:
• One seeder• One attacker
– Takes parameters:• # Agents• # Pieces• # Blocks per Piece
Issues with PRISM
• Problem #1: We want to model logical structures like:If received block “l” for piece “p”
If all blocks downloaded for “p”if all blocks for “p” verify
set status of “p” to dl/verifiedelse clear all blocks for “p”
• PRISM only allows commands of the following form:[condition] -> [probability distribution of results]
Issues with PRISM
• Solution: Hierarchical commandsCond: a = 1
Result: 0.5: a’=0 + 0.5: a’=2
Cond: b = 1 & c=1
Result: c’=2
Cond: b=2
Result: c’=3
Cond: ELSE
Result: NULL
[] a=1 & b=1 & c=1 -> 0.5: (a’=0) & (c’=2) + 0.5: (a’=2) & (c’=2);[] a=1 & b=2 -> 0.5: (a’=0) & (c’=3) + 0.5: (a’=2) & (c’=3);[] a=1 & !(b=1 & c=1) & !(b=2) -> 0.5: (a’=0) + 0.5: (a’=2);
ELSE <-> Conjunction of negations of siblings
Issues with PRISM
• Problem #2: ONLY the attacker can be nondeterministic AND all agents must be able to make progress at the same time
• If agents are nondeterministic:– “Attacks” PRISM finds will include attacker’s decisions
and agent’s decisions– This doesn’t make sense
• Attacker should only be allowed to do a certain amount of actions before letting the agents process their state/make requests/etc.
Issues with PRISM
• Solution Part 1:– Simulation is turn based– Turn counter increments from agent 0 to agent 1
to agent 2, etc. and eventually back to agent 0
Cond: turn=0
Result: NULL
Cond:ELSE
Result: turn’=1( ... Tasks for agent 0 …)
Issues with PRISM
• Solution Part 2: Force agent to execute tasks in sequence– Takes advantage of most tasks being self-
contained and independent• Ex: If I received an “interested” message from agent
“2”, set internal state of “thinks_agent_2_is_interested” to true
• Ex: If I think agent “2” has a block, make a request for that block with random probability
– Implemented with a “counter” variable
Issues with PRISM
• Solution Part 2
Cond: turn=0
Result: NULL
Cond:ELSE
Result: turn’=1 & counter’=0
Cond: counter=0
Result: counter’=1
Cond: counter=1
Result: counter’=2
Cond: ELSE
Result: NULL
Cond: ELSE
Result: NULL(Task 1)
(Task 2)
Issues with PRISM• Problem #3: State space must be kept small or else
PRISM runs out of memory– Various optimizations were made to reduce state space:
1. Counter variable instead of boolean flag for whether task was done during turn
2. Seeder doesn’t send requests and agents don’t send blocks to seeder
– Maximum feasible model was (unfortunately):• 2 agents• 2 pieces• 1 blocks• 1 seeder• 1 attacker• Anything bigger causes PRISM to run out of memory
Results
• Our feasible model is too small to simulate any realistic scenario– Key part of attacks is #blocks/piece– # agents changes how attacks would work– In realistic scenario, agents are downloading from
many different peers
Rational Reconstruction
• Handshaking protocol– Attackers can easily change agents perception of
other agents (what pieces they have, what pieces they are interested in)
– When something unusual happens, agents break connections
– When connection reestablished they reset their perceptions
Rational Reconstruction
• Verify message consistency– BitTorrent protocol is unclear about what to do
when a message is received– Example: What happens when an agent receives a
“Piece” message?• An agent should verify that they made a request for
that data from the source IP address• Otherwise, it could be an attacker sending bad data
– Similar verification of IP addresses should occur with other BitTorrent messages
DOS Opportunity in BitTorrent
Honest agent
Good block
Bad block
If an attacker can cause an agent to accept one bad block, the agent needs to re-download entire piece!
There are typically 200 blocks per piece by default!
#blocks/piece is a speed/security tradeoff