CS717 Checking Data Structures Greg Bronevetsky. CS717 The Problem So far covered ways to check results of algorithms Real computing systems have state

CS717

Checking Data Structures

Greg Bronevetsky

CS717

The Problem

• So far covered ways to check results of algorithms

• Real computing systems have state

• Need ways to ensure this state not corrupted

CS717

The Problem

• Secure data structures allow checker flexibility– Checkers frequently assumed to be reliable

• Thus must run on secure hardware

– If can validate data structures, can use unsecured memory for checker storage

• Oftentimes, just want to keep data safe– Ex: trustworthy databases

CS717

The Papers

• [BEGKN] Blum, Evans, Gemmell, Kannan and Naor, “Checking the Correctness of Memories”, 1991– Online and offline checkers for Random Access

Memories, Stacks and Queues– Lower bounds on checking– Polynomial-time and Infinite Power Adversaries

• [DS] Devanbu and Stubblebine, “Stack and Queue Integrity on Hostile Platforms”, 1998– Offline checkers for Stacks and Queues– Weaker adversary

CS717

Outline

• Offline Checkers– RAMs– Stacks– Queues

• Online Checkers– RAMs– Stacks– Queues

• Definitions

[BE

GK

N]

[DS

]

• Lower Bounds• 3 Offline Checker Bounds

• Offline Checkers• Stacks• Queues

CS717

Data Structure

• Defined by operations and their return values

• Ex for stack: <push a, push b, pop, pop> must return<, , b, a>

• Checker must detect any deviation from target behavior

CS717

Memory Checker

• Reliably implements target data structure– May use original implementation or implement its

own

• Invasive Checker – checker stores own data in data structure

• Non-invasive Checker – all checker data outside data structure

• If data corrupted by adversary, checker reports error

CS717

Memory Checker

• Checker has small amount of reliable memory, large amounts of unreliable memory– Reliable = unchangeable by adversary, in few

cases invisible to adversary– Small checker can’t implement whole data

structure in reliable memory

• Offline Checker – at end of run reports if data corrupted mid-run

• Online Checker – reports on errors during run– Not necessarily promptly

CS717

Adversary

• Polynomial-time probabilistic algorithm

• Goal:– If original data structure works perfectly, checker’s

implementation works with probability > ¾• In checkers presented Prob=1

– If data structure incorrect for some operation, checker reports error with probability > ¾

CS717

Overall Picture

Unreliable Memory

User

CheckerReliable Memory

Adversary

CS717

Outline



• Definitions

[BE

GK

N]

[DS

]



CS717

-biased Hash Functions

• Presented in Naor and Naor, “Small Bias Probability Spaces: Efficient Constructions and Applications”, 1990.

• Given n-bit x creates k-bit hash h(x) – If xy then h(x)=h(y) with Prob 1/2k

– Uses O(log n + k) random bits• k<n

x

y

z

h(x)

h(y) = h(z) Low Probability

CS717

-biased Hash Functions

• Basic idea:– Given inputs x and y of length n– Pick l=O(k) random “distinguisher” vectors r1, … rl,

of length n• Special choices, not just uniform

– Compute inner products xri and yri, i– h(x) = <xr1, … xrl>– If xy then Prob[xri = yri for all i] 1/2k

• Better than comparing (x mod pi) and (y mod pi) for random prime pi’s

CS717

Updating a Hash

• Given x and h(x)• Wrote 1 to x[j]• Need to change h(x) to reflect change in x

• For all O(k) distinguishers r1, … rl see if ri[j]=1

– If ri[j]=1 then xrj=1

– Thus, set i-th bit of h(x)=1

• Total work required: O(k)

CS717

Offline Checkers

• Maintain record of reads and writes: R and W

• R and W encoded s.t. when finished, R=W

• Want to keep R and W in checker’s private memory

• Too large, so keep h(R) and h(W)– When finished if RW then h(R)h(W) with high

probability

CS717

Checking RAMs

• Assume memory of size n• Contains log(n)-bit words• R and W will maintain entire history of

changes to RAM– Contain records <v, a, t>

• v – value written/read• a – address• t – unique timestamp

– v, a, t all log(n)-bit words– R and W [v][a][t] = 1 <v, a, t> written to R or W

• |R|=|W|=O(n3)• |h(R)| = |h(W)| = log(n)

CS717

Checking RAMs

• Data locations keep “last-access” timestamp– <vi, ti>

• Checker maintains global timestamp– Unique– Greater than any timestamp used so far

CS717

Write to RAM

• Wish to write value v to address a• Read from address value v, timestamp t• t = global timestamp

– Check that t<t– Increment global timestamp

• Update h(R) with <v, a, t>– Makes sure value not corrupted since last touch

• Write <v,t> to address a• Update h(W) with <v, a, t>

– Records new value/timestamp for future operations

CS717

Read from RAM

• Wish to read value from address a• Read value v, timestamp t• t = global timestamp

– Check that t<t– Increment global timestamp

• Update h(R) with <v, a, t>– Makes sure value not corrupted since last touch

• Write <v, t> to address a• Update h(W) with <v, a, t>

– Records new timestamp for future operations

CS717

Basic Picture

write(v2)

• read <v1, t1>• <v1, a, t1> h(R)• <v2, a, t2> h(W)

read() • read <v2, t2>• <v2, a, t2> h(R)• <v2, a, t3> h(W)


read()


Read After Write Read After Read

• Two adjacent accesses to same locations• Leave identical records in h(R) and h(W)

read()

CS717

Basic Picture


write(v3)



write(v2)


Write After Write Write After Read

• Two adjacent accesses to same locations• Leave identical records in h(R) and h(W)

write(v2)

CS717

Final Reads

• When finished with RAM, – Perform reads on all memory locations– Update h(R) with most recent v’s & t’s

• Reflects change made by last write to location

• Just like regular read without final update to h(W)– No operation follows it– Thus, no h(R) entry would match it

CS717

Checking for Errors

• Confirm that h(R)=h(W)

• Claim: If data got changed by attacker, RW– Thus, with high Prob, h(R)h(W)

CS717

Proof of Correctness

• In order to fool checker into accepting erroneous RAM, adversary must change data between operations

• For example, Read-After-Write:(Same argument for all combinations)

write(v2)



CS717


• Take last such occurrence

• Now read performs <v78, a, t2> h(R)

• To make h(R)=h(W) adversary must force checker to do <v2, a, t2> h(R)

write(v2)



Adversary changes v2 to v78

CS717


• To force checker to <v2, a, t2>h(R) must change data at address a– Since a is in desired tuple

• v2 v78 was last change – Adversary must make another

change before that

– To force <v2, a, t2>h(R) must modify a to <v2, t2>

write(v2)


read()


read()

• read <v-9, t-9>• <v-9, a, t-9> h(R)• <v-9, a, t-8> h(W)

<v2, t2>

write(v-9)

• read <v-10, t1-10>• <v-10, a, t1-10> h(R)• <v-9, a, t-9> h(W)

CS717


• But recall, in every operation checker reads recorded timestamp

• Checks if recorded timestamp < global timestamp– Global timestamp always increases

• During prior adversary change global timestamp < t2

• Thus, when next operation read t2, would declare error

write(v2)


read()


read()

• read <v2, t2>• <v2, a, t2> h(R)• <v2, a, t-8> h(W)

<v2, t2>

write(v-9)

• read <v-10, t1-10>• <v-10, a, t1-10> h(R)• <v-9, a, t-9> h(W)

CS717

Summary

• Similar argument for changes to timestamps• Probability of poly-time probabilistic adversary

of making unnoticed change

– Since only possible attack is breaking h(R), h(W) hashing property

• Reliable storage requirements:– O(log n + k) bits to store -biased hash function– h(W) and h(R) each k=log n bits long

(n = # words in memory)

k

2

1

CS717

Outline



• Definitions

[BE

GK

N]

[DS

]



CS717

Checking Stacks

• Stack checker follows same idea• Key difference:

– On push() new location is empty• Thus, no need to update h(R)

– On pop() popped location becomes empty• Thus, no need to update h(W)

• Must ensure that on pop(), stack returns value last pushed at that level

CS717

Basic Picture

• For any given sequence of pushes and pops• Corresponding pushes and pops must have

same value

pop()

pop()

pop()

pop()

pop()

push(v1)

push(v2)

push(v3)

push(v4)

push(v5)

v1

v2

v3

v4

v5

CS717

Basic Picture

• For any given sequence of pushes and pops• Corresponding pushes and pops must have

same value

pop()

pop()

pop()

pop()

pop()

push(v1)

push(v2)

push(v3)

push(v4)

push(v5)

Must Match

CS717

Protocol

• Keep around global timestamp t

• On Push(vi)

– Write to next location <vi, t>

– Update h(W) with <vi, a, t>

– Increment t

• On Pop()– Read <vi, ti> from current location

– Ensure ti<t

– Update h(R) with <vi, a, ti>

• At end do Pop() on rest of stack• No errors R=W

– So small probability of error if h(R)=h(W)

CS717

Outline



• Definitions

[BE

GK

N]

[DS

]



CS717

Checking Queues

• Address means– For enqueues: number of prior enqueues– For dequeues: number of prior dequeues

• Enqueue and dequeue have same address refer to same queue location

• Since addresses unique, no need for timestamps

• Otherwise same as for stacks

CS717

Checking Queues

• On Enqueue(vi)– Write to next location <vi>– Update h(W) with <vi, a>

• a = number of prior enqueues (“address”)

• Dequeue()– Read <vi> from front location (address a)– Update h(R) with <vi, a>

• At end do empty queue via Dequeue()’s• No errors R=W

– Small probability of error if h(R)=h(W)

• Note: queue protocol non-invasive

CS717

Checking Graphs

• Two representations for graphs– Adjacency matrix– Adjacency list

• Adjacency matrix checker– Use RAM checker

• Adjacency list checker– Variant of queue checker checks multiple lists

• List IDs and headers kept in array– Array checked via RAM checker

• Adds list ID to each h(R) and h(W) record

CS717

Outline



• Definitions

[BE

GK

N]

[DS

]



CS717

Online Checkers

• If adversary changes data want to know before program end– Don’t want to use erroneous data

• Solutions more expensive and restrictive– Restrictions on word sizes– Less memory available to application– Sometimes private memory must be secret

CS717

Basic Online RAM Checker

• Build binary tree– Leaves are actual data locations– Internal nodes contain sum of children

w x y z

w+x y+z

w+x+y+z

Leaves: UserMemory Cells

Internal Nodes:Hash of children

CS717

Basic Online RAM Checker

• On every read or write, verify sums• Since can’t verify root, must keep it in private

memory

w x y z

w+x y+z

w+x+y+z



Root kept in private memory

CS717

Tolerating Changes

• If adversary modifies some node xx– Sum in parent changed– Will notice if compare child values to parent sum

w x y z

w+x y+z

w+x+y+z




CS717

Limits of Encoding

• However, if ww+q and xx-q then sum in parent doesn’t change

• Will not notice change

w x y z

w+x y+z

w+x+y+z




CS717

Alternate Encoding

• Sums are poor encoding– Need something better

• Use two encoding techniques– Universal one-way hash functions (UOWHF)– Pseudorandom functions

CS717

Adversary

• Chooses read/write operations

• Returns any value to non-private memory reads

• Probabilistic algorithm

• Runs in time polynomial in memory size

CS717

Universal One-Way Hash Functions

• Hash function good if few inputs map to same outputs (collide)

• UOWHFs good against poly-time probabilistic adversary looking for collisions

• Presented in: – M. Naor and M. Yung, “Universal One-Way

Functions and Their Cryptographic Applications”, 1989

– J. Rompel, “One Way Functions are Necessary and Sufficient for Secure Signatures”, 1990

CS717

Universal One-Way Hash Functions

• Definition:– Given hash function h: {0,1}k{0,1}m

• m polynomially smaller than k

– A: probabilistic polynomial time adversary• Chooses input x• Hash function h picked randomly• Tries to find yx s.t. h(x)=h(y)

– Prob[A(x,h)=y, yx, h(x)=h(y)] < 1/poly(k) polynomials: worse than poly-small prob of success

– Need hash functions describable in poly bits, computable in poly time

– Need to pick hash functions uniformly at random

CS717

Checking RAMs: Encoding Tree

h(left·right) h

ID ofhash function(different nodes have their own)

Hash of children



Each Internal Node:

CS717


u v

h(u·v)


……

Internal Nodes:Hash of children h

ID ofhash function

Hash of children(“·” is concatenation)

CS717


xu

Memory

Hash Nodes hu

h(xu·hu·xv·hv) h

xv hv

General hash application

Node u Node v

CS717

Checking RAMs : Encoding Tree

Memory

Internal Hash Nodes

Root kept in private memory(keeps identities of 2nd level hash functions safe)

CS717

RAM Operations

• Read:– Look at target memory node: xu

– Walk up tree, check encodings

• Write– Modify xu

– Walk up tree, changing encodings accordingly• Pick new hash function for all nodes

CS717

On Adversary Change

• Adversary changes some node uu– Can’t find another value that results in same

hashcode in parent node• Low probability

– Thus, parent’s encoding won’t match child’s• Will detect error before erroneous value used

xu hu

h(xu·hu·xv·hv) h

xv hv

Node u Node v

CS717

Checking RAMs: Details

• Memory of k-bit words, n words total

• Our adversary runs in time poly(n)• UOWHF adversary runs in time poly(k)

• Thus, need k = n for >0– If k<O(poly(n)) then poly(n) adversary could

enumerate all possibilities– Set k = n to make two adversaries same

CS717

Alternative Tradeoffs

• Using UOWHFs places poly-size minimum on word size

• Can we do better?

• Another possibility: trade small words for secret private memory– Use pseudo-random functions

CS717

Pseudorandom Functions

• So close to random that poly-time algorithm can’t differentiate

• Given random seed S, get pseudorandom fS

– fS: {0,1}k {0,1}m

– |S|poly(k)

• Poly-time adversary given either random function or fS(x)

• Probability of telling apart < 1/poly(k) polynomials: worse than poly-small prob of

success

CS717

Pseudorandom Functions

• Reported in O. Goldreich, S. Goldwasser and S. Micali, “How to Construct Random Functions”, 1986.

• Construction requires private memory to be secret from adversary– Keep pseudorandom function there so adversary

doesn’t know what it is– No minimum on word size

CS717 Checking RAMs with

Pseudorandom functions

• Memory location i, value vi

• Augment with signature– Signature: fS(vi)

• Each node contains <vi, fS(vi)>

– Since adversary doesn’t know fS, can’t just change vivi and regenerate signature

– Must figure out fS(vi)=fS(vi) on its own

CS717

Secure Against Tampering

• If adversary can find vj s.t. fS(vi) = fS(vj) then can tell pseudorandom from random– Let Q be algorithm for finding vj with prob 1/poly

• On any input vi, use Q to generate partner tuple vj

– If fS(vi) = fS(vj) then return “Pseudorandom”

– Else, return “Truly Random”

• Algorithm differentiates with prob 1/poly• Contradiction!

CS717

Limitation of Encoding

• Not secure against replay

• Adversary can repeat earlier valid encodings later on

• Must keep timestamp generation secure

CS717

Tree Encoding

• Construct complete binary tree• Leaves: user memory locations• Every node has timestamp• Time stamp of parent i:

ti = tj + tk

vj, tj, j

vi, ti, i

vk, tk, k

Node j Node k

Node i

CS717

Tree Nodes

• Node signatures include node ID, timestamp

• Leaf Node:

• Internal Node i:

• Root node in private, secret memory

<vi, fS(vi, ti, i)>

<tj+tk, fS(0, tj+tk, i)>

CS717

Reading

• Read contents of target node• Walk up tree, verify

– Encoding– Child-parent timestamp

relationships

v8, fS(v8, t8, 8)v7, fS(v7, t7, 7)

t7+t8, fS(0, t7+t8,3)

t7+t8+t4, fS(0, t7+t8+t4, 1)

v4, fS(0, t4, 4)

v0, fS(0, t0, 0)

v2, fS(0, t2, 2)

Private, secret memory

Read node 8, check path to root

CS717

Writing

• Walk down tree, verify – Encoding– Child-parent timestamp relationships

• Write new value into target node• Increment its timestamp• Walk up tree, incrementing node timestamps

– (ti+1) + tj = (ti+tj) + 1

CS717


• Node contents secure against tampering– Shown above– Poly-time adversary has < 1/poly Prob of success

• Replay attacks– Can adversary overwrite nodes with valid old

<value, signature>?

– Node address part of signature fS(vi, ti, i)

– Thus, can only place old <values, signature> at original address

CS717


• Adversary changed some node– Pick highest change in tree

• Old <vi, fS(vi, ti, i)> New <vi, fS(vi, ti, i)>– Must pick pair from same address since node ID is

in signature

• Node timestamps always increase: ti<ti

• Node i has parent p, sibling s– Node s may be changed– Node p not changed (since this highest change)– Root in private memory, so always safe

CS717


• Old <vi, fS(vi, ti, i)> New <vi, fS(vi, ti, i)>• Node timestamps always increase: ti<ti

• Node i has parent p, sibling s– Node s may be changed– Node p not changed (since this highest change)– Root in private memory, so always safe

• On next read or write will check that tp = ti + ts

– ti < ti (since i definitely changed)

– ts ts (since s possibly changed)

– Thus, ti + ts < tp

• Error detected on next read or write

CS717

Checking RAMs Summary

• Two online techniques for checking RAMs• Use different cryptographic encodings

– Universal One-Way Hash Functions• Require minimum word size

– Pseudorandom functions• Requires small secret private memory

• Both build trees on top of RAM• Detect error on next operation• Protect RAM against polynomial-time

randomized adversary

CS717

Outline



• Definitions

[BE

GK

N]

[DS

]



CS717

Review of Stack Offline Algorithm

• t: global timestamp• On Push(vi) (to stack height a)

– Write to next location <vi, t>– Update h(W) with <vi, a, t>– Increment t

• On Pop() (from stack height a)

– Read <vi, t> from current location– Update h(R) with <vi, a, t>

• At program end do Pop() on rest of stack• No errors R=W

– So small probability of error if h(R)=h(W)

Matching pushes and pops change R and W in same ways

CS717

Checking Stacks Online

• Trivial solution: – h(R) and h(W) keep track of pushes and pops– After every operation empty stack– Check that h(R) = h(W)

• Very expensive– Quadratically more operations

• Real solution follows similar idea– Uses multiple sub-stacks– Spills&checks at sub-stack boundaries– Auxiliary stack needed to perform stack spills

• Two real stacks can be each other’s auxiliary

CS717

Stack Organization

2 blocks of 2i wordsStack i

2 wordsStack 0

2 blocks of 21 wordsStack 1

…

Stack of height H turned into log(H) stacks

Stack i contains 2 blocks of

items, each 2i words long

Stacks filled from highest to

lowest

CS717

Stack Organization

Stack i

Stack 0

Stack 1

…• All operations first done with

Stack 0– Push and pop normally

CS717

Stack Organization

Stack i

Stack 0

Stack 1


Stack 0• When pushing onto full

Stack 0

CS717

Stack Organization

Stack i

Stack 0

Stack 1



Stack 0– Move Stack 0 contents onto

Stack 1• Pop off onto auxiliary stack• Push onto Stack 1• Called a “block operation”

CS717

Stack Organization

Stack i

Stack 0

Stack 1



Stack 0– Move Stack 0 contents onto

Stack 1• Pop off onto auxiliary stack• Push onto Stack 1• Called a “block operation”

– Push new element into Stack 0

CS717

Stack Organization

Stack i

Stack 0

Stack 1



Stack 0 again

CS717

Stack Organization

Stack i

Stack 0

Stack 1



Stack 0 again– Move Stack 0 contents onto

Stack 1– Push new element into Stack 0

• Next time Stack 1 overflows– Push onto Stack 2

…

CS717

Stack Organization

Stack i

Stack 0

Stack 1

…• When popping off empty

Stack 0

Pop

CS717

Stack Organization

Stack i

Stack 0

Stack 1


Stack 0• Move top block of Stack 1

onto Stack 0– Via auxiliary stack

Pop

CS717

Stack Organization

Stack i

Stack 0

Stack 1


Stack 0• Move top block of Stack 1

onto Stack 0– Via auxiliary stack

• Pop off Stack 0• If Stack 1 is emptied, refilled

from Stack 2, etc.

Pop

CS717

Stack Organization

Stack i

Stack 0

Stack 1

…Pop

Note:

These stacks can be implemented as a single stack

CS717

Checking Stack Operations: Push

• Check every stack operation• On block push to Stack i

– Add all sub-pushes to h(W)– Then pop off entire stack (pops added to h(R))

• Onto auxiliary stack

– Verify that h(W) = h(R)– Push stack back in place

• Time cost:– O(2i) operations per block operation– O(2i) operations to check each block operation– Total time = O(2i)

CS717

Checking Stack Operations: Pop

• Check every stack operation• On block pop from Stack i

– Add all sub-pops to h(R)– Then pop off entire stack (pops added to h(R))

• Onto auxiliary stack

– Verify that h(W) = h(R)– Push stack back in place

• Time cost:– O(2i) operations per block operation– O(2i) operations to check each block operation– Total time = O(2i)

CS717

Amortized Overhead

• Theorem: to service n user operations reliable stack performs O(n·log H) operations(H = maximum height of stack)

• Proof:– Lemma 1: at most 1 in 2i user operations cause a

block operation in Stack i– Base Case:

• Every user operation causes operation in Stack 0

– Inductive Case: every other push to Stack i-1 causes Stack i push every other pop from Stack i-1 causes Stack i pop• Thus, takes Stack i-1 ops to cause Stack i op

CS717

Amortized Overhead

• Theorem: to service n user operations reliable stack performs O(n·log H) operations(H = maximum height of stack)

• Proof:– At most 1 in 2i user operations cause a block

operation in Stack i– Each Stack i block operation costs O(2i) time– Total cost per user operation =

)(log)2(/)2(log

0

HOOOH

i

ii

CS717

Outline



• Definitions

[BE

GK

N]

[DS

]



CS717

Checking Queues

• Can check queues like stacks– Create multiple queues– Spill from smaller to larger queues– Empty and check queues on every operation

• Not known how to merge sub-queues into single queue

CS717

Outline



• Definitions

[BE

GK

N]

[DS

]



CS717

Checker/Adversary Properties

• Checker– Works offline– Private memory is secret– Deterministic

• Adversary– Arbitrary power to change memory– Does not know

• User’s operations• Checker’s memory state (its secret afterall)

CS717

Checking Scenario

• Memory size = n• Assume that user issues

– n writes to distinct locations– Followed by n reads to those locations– Possible usage pattern; can use to establish lower

bound

• x = tuple of memory locations/values written by user (unknown to adversary)

• c = checker’s private, secret memory• M = fallible main memory

CS717

Picture of Checker

size = m

size = n

Main Memory = M

Request Sequence x

Checker Memory = c

Checker

size = n

CS717

Theorem

• Checker needs log(n)-1 bits of private memory to avoid being fooled by adversary– Else, may decode written tuple x as other tuple y

• Proof Outline– Count number of possible system configurations– Show: if too few checker memory bits, >1 valid

main memory states for same checker memory configurations for same

• Thus, adversary can freely change main memory from one such valid state to another

CS717

Proof

• n = size of main memory• m < log(n)-1 = size of checker memory• x = input string of writes, length n• sphere(x, M) = vector of length 2m

(one entry per checker memory state)– sphere(x, M)[c]=A if <M,c> is possible state of

main and checker memory on input x– sphere(x, M)[c]=* if <M,c> is possible state of

main and checker memory on input x– sphere(x, M)[c]=I if <M,c> is not a possible state

of main and checker memory on any input

CS717

Picture of sphere(x, M)

0,0..0

0,0..1

1,1..1

.

.

.

.

.

Checker Memory States

(2m of them)

A

I

I

*

*A

.

.

x,M

x,M

x,M

x,M

x,M

x,M

x,M

x,M

Is <M,c> possible

encoding of x?

c

• If memory unchanged, checker must decode <M,c> as x with Prob=1– x was set of values written, so must be retrieved

CS717


0,0..0

0,0..1

1,1..1

.

.

.

.

.


(2m of them)

A

I

I

*

*A

.

.

x,M

x,M

x,M

x,M

x,M

x,M

x,M

x,M

Is <M,c> possible

encoding of x?

c

• Invariant 1: On input x, state of M and c must be s.t. sphere(x,M)[c] = A

• By definition of sphere()

CS717

Invariant 2

• On inputs xy, c,M sphere(x,M)[c] & sphere(y,M)[c] can’t both = A– Otherwise two inputs could map to same

checker/main memory state

• Both = * if <M,c> gets mapped to by some other input z

• Both = I if no input maps to <M,c>

CS717


0,0..0

0,0..1

1,1..1

.

.

.

.

.


(2m of them)

A

I

I

*

*A

.

.

x,M

x,M

x,M

x,M

x,M

x,M

x,M

x,M

c

• If x s.t. M, yx and M s.t. sphere(x, M) = sphere(y, M) then on input x adversary can cause checker to decode y by changing MM

Is <M,c> possible

encoding of x?

CS717

Proof of Claim

• Claim: If x s.t. M, yx and M s.t. sphere(x, M) = sphere(y, M) then adversary can cause checker to decode y by changing MM

• Proof– Checker gets input x, produces M, c s.t.

sphere(x,M)[c] = A– For this M y, M with same sphere– Thus, sphere(y,M)[c] = A– Therefore, if adversary switches MM then

checker decodes <M, c> as y– Error undetected. Checker fooled!

CS717

Breaking the Checker

• Adversary needs to break checker on only one input x

• Thus, always guesses that input=x and always replaces M with M (appropriate for this x)

– Uses MM mapping table ( Ms)

• Note:– If memory state=M but input is zx,y then

sphere(x,M)[c] = * = sphere(y,M)[c] – Thus, if adversary MM then checker will still

decode some input w (not x or y)

• Error undetected. Checker fooled!

CS717

Is This Possible?

• To defeat adversary checker needs – For each x, M s.t. sphere(x, M) unique– If so, checker can safely set memory to M on input x

• Will prove Collision Lemma: input x s.t. M. yx and M where sphere(x,M) = sphere(y,M)– For n possible inputs x, n unique main memory

states M• Since checker deterministic

– Assumption: total number of spheres = a < < total number of inputs/memory states = b

CS717

Visualization of Collisions

b Inputs

b MainMemory

States

• For each of b inputs, b main memory states

• For each state, one of a possible spheres

• a<b

input x s.t. M. yx and M where sphere(x,M) = sphere(y,M)

CS717

Visualization of Collisions input x s.t. M. yx and M

where sphere(x,M) = sphere(y,M)

• Must find some column s.t.

• For every entry in column

another entry in another column

• With same value

n Inputs

n MainMemory

States

CS717

Proof of Lemma

• Will go left to right looking for our column• Look at leftmost column

n Inputs

n MainMemory

States

CS717

Proof of Lemma

• If is it, then done• If not, then

entry in column with value contained in no other column

• Will go left to right looking for our column• Look at leftmost column

ANot A

n Inputs

n MainMemory

States

CS717

Proof of Lemma

• Same thing for other columns

• If target column, then done

• If not, then entry in column with value contained in no other column

Not QNot QQ

n Inputs

n MainMemory

States

CS717

Proof of Lemma

• At each step, either finished or rightmost columns have 1 less possible value

ANot A

n Inputs

n MainMemory

States

CS717

Proof of Lemma


BNot A,B

A

n Inputs

n MainMemory

States

CS717

Proof of Lemma


A B CNot A,B,C

n Inputs

n MainMemory

States

CS717

Proof of Lemma


A B C D Not A,B,C,D

n Inputs

n MainMemory

States

CS717

Proof of Lemma

• Reach 2nd to last column on step b-1(If not already finished)

• Total possible values < b

• Thus, 1 value remains

• Last two columns satisfy criterion

Z

Z

Z

Z

Z

Z

Z

Z

Z

Z

Z

Z

n Inputs

n MainMemory

States

CS717

Proof of Lemma

input x s.t. M. yx and M where sphere(x,M) = sphere(y,M)

Z

Z

Z

Z

Z

Z

Z

Z

Z

Z

Z

Z

x y

n Inputs

n MainMemory

States

CS717

Proving That Too Few Spheres

• Must still prove that fewer spheres than inputs• Total inputs states: a = 2n

• Total unique spheres: b = (2m 3-ary values)• m<log(n)-1 and so,

– Fewer spheres than inputs– b<a

• Thus, Collision Lemma precondition satisfied

m23

nnnnnm

233333 2/2222 1log1log

CS717

Checker Fooled

• Adversary can find xy s.t. sphere(x,M) = sphere(y,M) M– Since checker known

• Determines main memory remapping table MM– For each M picks M s.t. spheres equal

• For any input remaps main memory according to table

• If input=x, memory changed to MM and checker decodes it as y– Error undetected. Checker fooled!

CS717

Deterministic Probabilistic

• Paper describes proof in fairly deterministic terms

• But seems to be saying that proof works for probabilistic checkers

• Seems plausible, but should check

CS717

Checkers With 2-sided Error

• Above theorem extended to relate reliability to number of bits in checker memory

• Applies to checkers with 2-sided error:– If main memory untouched by adversary, checker

correctly decodes with Prob p– If main memory corrupted, checker notices or

correctly decodes with Prob p

• Theorem:– If decoding probability p ½+ ½l+1 then checker

private memory must have m log n – log l bits– l 1

CS717

Meaning of Theorem



• Meaning:– The fewer bits in checker’s memory, the closer

prob of success gets to ½.• Prob = ½ user can’t differentiate success from failure

CS717

Meaning of Theorem



• Connection to last theorem:– Case where 100% Prob of decoding non-

corrupted (i.e. l=0) covered by last theorem• Need log n – 1 bits• This theorem generalizes last theorem

– Will now relate probability of success to reliable memory size

CS717

Proof

• Last proof looked at encoding process– sphere(x,M)[c] = is input x encodable into <M,c>?

• This proof looks at decoding– sphere(x,M)[c] = l-bit approximation of

Prob[checker decodes <M,c> into x]– sphere(x,M) is l2m bit vector– Number of spheres = – Number of inputs = – Suppose opposite: m < log n – log l– Then

• Fewer spheres than inputs

ml22n2

nlnlll lnm

2222 /)(22 loglog

CS717

Collision Lemma

• : Fewer spheres than inputs

• Recall Collision Lemma: input x s.t. M. yx and M where sphere(x,M) = sphere(y,M)

• Thus, adversary can find input x for which it can switch main memory MM

• Claim: Probability of success >1-p– Recall: Checker must have success Prob p

nl m

22 2

CS717

Playing Probabilities

• Let

• Given x was input– q = Prob of decoding x with untouched memory– q = Prob of decoding y with corrupted memory

• Assuming adversary switched M with M

cM cMfromxdecodesercheck

xfromcMgeneratesercheckq

, ],Pr[

],Pr[

cM cMfromydecodesercheck

xfromcMgeneratesercheckq

, ],Pr[

],Pr[

CS717


• sphere(x,M)[c] = l-bit approximation of Prob[checker decodes <M,c> into x]– Thus, Prob[checker decodes <M,c> into x] <

sphere(x,M)[c] + ½ l

• Know that input x s.t. M. yx and M where sphere(x,M) = sphere(y,M) – Since fewer spheres than inputs

• Thus– Prob[checker decodes <M,c> into x] <

Prob[checker decodes <M,c> into y] + ½l

CS717


• Prob[checker decodes <M,c> into x] < Prob[checker decodes <M,c> into y] + ½l

• Via basic algebra: q>q- ½l

– q = Prob of decoding x with untouched memory– q = Prob of decoding y with corrupted memory

• By definition, p = prob of success p Prob of correct operation or fault detection– p q

• Since q is probability of correct operation on input x

– q 1-p• Since q is probability of not detecting xy decoding

CS717


• q>q- ½l

– q = Prob of decoding x with untouched memory– q = Prob of decoding y with corrupted memory

• pq, q1-p• q > q- ½l

1-p q > q- ½l p- ½l

1-p > p- ½l

1+½l > 2p ½+½l+1 > p– (Assumption was: m < log n – log l)

• If decoding probability p ½+ ½l+1 then checker memory has m log n – log l bits

CS717

Checker with Public Memory

• Previous checkers had secret memories• What if checker has some public memory?

(Public but incorruptible)

• Can we get away with less private memory?

• Will give proof for sequences of n writes• Checker gets dn public memory, d<1

(if d=1 then checker can save writes in memory)

• Will show: checker needs bits of secret memory

d

lnm

1log)log(

New Element

CS717

Public Memory Theorem

• Theorem: If checker functions correctly with Prob p ½+ ½l+1 then checker secret

memory must have bits

Proof• Assume opposite: • Let

– M : corruptible main memory– B : incorruptible public checker memory– c : incorruptible private checker memory

d

lnm

1log)log(

d

lnm

1log)log(

CS717

Proof of Theorem

• Spheres defined as in last proof– old_sphere(x,M)[c] = l-bit approximation of

Prob[checker decodes <M,c> into x]

• New element: spheres depend on B’s state– sphere(x,M,B)[c] = l-bit approximation of

Prob[checker decodes <M,B,c> into x]

• Still possible spheres• possible public memory configurations

•

ml22dn2

ndnl m

thend

lnmif 222

1log)log( 2

CS717

Proof of Theorem

• As before: adversary assumes input is x– Since only needs to fool on one input

• Adversary wants some MM mapping s.t. <M, c, B> decoded as y

• Will work if sphere(y,M,B) = sphere(x,M,B)

x <M,c,B>

y <M,c,B>Adversary

CS717

Proof of Theorem

• Adversary wants sphere(y,M,B) = sphere(x,M,B)

• Since (number of spheres ) < (number of inputs ) apply Collision Lemma: <x,B> s.t. M yx and M s.t. sphere(y,M,B) =

sphere(x,M,B)

• Now must show Prob of fooling checker >p

dnl m

22 2

n2

CS717


• As before, assuming x was input, compute:– q = Prob of decoding x with untouched memory– q = Prob of decoding y with corrupted memory

• Via algebra: q>q- ½l

• p = prob of success, q, 1- q• Basic Algebra p < ½ + ½l+1

(Assumption was: )

• If decoding probability p ½+ ½l+1 then secure memory has bits )1/(1log)log( dnm

)1/(1log)log( dnm

CS717

Summary

• Showed lower bounds for checker memory sizes

• Deterministic checker: log(n)-1 bits of reliable, secret checker memory

• 2-sided error checker: log n – log l bits of reliable, secret memory– Probability of success ½ + ½l+1

• Checker with dn bits reliable, public memory– log(n) – log(1/(1-d) bits reliable, secret memory– Probability of success ½ + ½l+1

CS717

Outline



• Definitions

[BE

GK

N]

[DS

]



CS717

Different Flavor of Checking

• [DS] Devanbu and Stubblebine, “Stack and Queue Integrity on Hostile Platforms”, 1998

• Offline checkers for Stacks and Queues• Weaker adversary

– Adversary “constant factor faster” than checker– No explanation for adversary limitation

• Time Overhead: constant factor• Space Overhead: constant sized trusted

memory (secret?)

CS717

Mechanisms

• Assumes signature scheme s.t.– Collision resistant – computationally infeasible to

find two inputs that map to same output– 2nd preimage resistant – given an input,

computationally infeasible to find other input mapping to same output

• Creates hashes of prior stack activity• Stores hashes with stack elements

CS717

Checking Stacks

• Every stack element also contains signature• Signature: encoding of all elements below = signature function

• Stack initially empty

Trusted MemoryMain Memory

CS717

Checking Stacks: Push• Every stack element also contains signature• Signature: encoding of all elements below = signature function

<x1, srand>

• First push– User pushes x1

– Checker pushes <x1, srand>

• srand is random

• Trusted Memory– srand

– s1 = (x1, srand)Trusted MemoryMain Memory

s1= (x1, srand)

srand

CS717

Checking Stacks: Push

• Every stack element also contains signature• Signature: encoding of all elements below

<x1, srand>s1= (x1, srand)

• General Push:– Given user op push(xi)

– Issue push(xi, sh)

• sh is stack signature

– New stack signature:sh+1 = (xi, sh)


<x2, s1>s2= (x2, s1)

s1= (x1, srand)

s3= (x3, s2)

<x3, s2>s2= (x2, s1)

s4= (x4, s3)

<x4, s3> s3= (x3, s2)

srand

CS717

Checking Stacks: Pop

• Invariant: stack signature computable from top element

• Pop:– Pop alleged <xi, sh> off

stack

– Check if sh+1 = (xi, sh)

• Sh+1 is stack signature

– sh: new stack signature<x1, srand>

s1= (x1, srand)


<x2, s1>s2= (x2, s1

)

s1= (x1, srand)

s3= (x3, s2)

<x3, s2>s2= (x2, s1

)

s4= (x4, s3)

<x4, s3> s3= (x3, s2)

srand

CS717




stack


• Sh+1: prior stack signature

– sh: new stack signature<x1, srand>

s1= (x1, srand)


<x2, s1>s2= (x2, s1

)

s1= (x1, srand)

s3= (x3, s2)

<x3, s2>s2= (x2, s1

)

<x4, s3>

srand

CS717




stack


• Sh+1: prior stack signature

– sh: new stack signature

• Invariant Preserved<x1, srand>

s1= (x1, srand)


<x2, s1>s2= (x2, s1

)

s1= (x1, srand)

s3= (x3, s2)

<x3, s2>s2= (x2, s1

)

srand

CS717

Intuition to Encoding

• Encoding has simple intuition: () calls nested in stack fashion

s4= (x4, s3) = (x4, (x3, s2)) = (x4, (x3, (x2, s1))) = (x4, (x3, (x2, (x1, srand))))

<x1, srand>

<x2, s1>

<x3, s2>

<x4, s3>

s4= (x4, s3)

s3= (x3, s2)

s2= (x2, s1)

s1= (x1, srand)

CS717

Can’t Pop Wrong Entry

• Suppose wrong entry popped– Should’ve been <xi, sh>

– Was <xj, sq>

• But sh+1= (xi, sh) was in trusted memory

• To escape detection <xj, sq> must be s.t.(xj, sq) = (xi, sh) = sh+1

• Computationally hard to pick such <xj, sq>– Since is 2nd preimage resistant

CS717

Popping Empty Stack

• On pop of last element: stack signature = srand

• Can’t be fooled into popping more

<x1, srand>s1= (x1, srand

)


s0= srand

• To fool, adversary must produce <xi, s> s.t.(xi, sh) = srand

• This is computationally hard is 2nd preimage

resistant

srand

CS717

Checking Stacks: Summary

• Trusted memory keeps digest of stack state– Preserved across pushes, pops– Small trusted memory size

• Unknowns– Where is signature function recorded?

• Must be trusted memory

– What is power limit of adversary?

CS717

Outline



• Definitions

[BE

GK

N]

[DS

]



CS717

Checking Queues

• Stack checker keeps digest of stack contents• Works because encoding’s function calls nest

in stack fashion• Function calls don’t nest like queues

– No clear way to remove “bottom” call

• If keep digests of all elements ever enqueued, no need to remove

CS717

Checker’s Digests

• Keep two digests:– sq – signature of all items ever enqueued

• Including dequeued items

– sdel – signature of all dequeued items

• Both sets act like queues– New data gets pushed– Nothing gets popped

CS717

Initial State

• srand = initial random signature

• sq = sdel = (srand)

– Pretend that enqueued and dequeued srand

srand

Dequeued nodes (not stored)Queue nodes

sq0

= (srand)

MainMemory

sdel = (srand) = sq0

(srand)srand

TrustedMemory

CS717

First Enqueue

• User operation: enqueue(x1)

• Issued operation: enqueue((x1, sq1))

• sq1 = (x1, sq

0)


sq1

x1

sq1

= (x1,sq0)

sq0

= (srand)

MainMemory

same

srandsdel = (srand) = sq0

(srand)srand

TrustedMemory

CS717

General Enqueues

• User operation: enqueue(xi)

• Issued operation: enqueue((xi, sqj))

• Sqj+1 = (xi, sq

j)

MainMemory


same

sq1

= (x1,sq0)

sq0

= (srand)sq1

= (x1,sq0)

sq0

= (srand)

sq2 = (x2, sq

1)

sq2

x2

sq1

x1

sq1

= (x1,sq0)

sq0

= (srand)

sq2 = (x2, sq

1)sq

1 = (x1,sq

0)sq

0 = (srand)sq

1 = (x1,sq

0)sq

0 = (srand)

sq2 = (x2, sq

1)

sq3

x3

sq2

x2

sq3 = (x3, sq

2)

sq1

x1

sq1

= (x1,sq0)

sq0

= (srand)

sq2 = (x2, sq

1)sq

1 = (x1,sq

0)sq

0 = (srand)sq

1 = (x1,sq

0)sq

0 = (srand)

sq2 = (x2, sq

1)sq

3 = (x3, sq2)

sq1

= (x1,sq0)

sq0

= (srand)

sq2 = (x2, sq

1)sq

3 = (x3, sq2)

sq1

= (x1,sq0)

sq0

= (srand)

sq2 = (x2, sq

1)sq

1 = (x1,sq

0)sq

0 = (srand)sq

1 = (x1,sq

0)sq

0 = (srand)

sq2 = (x2, sq

1)

sq4

x4

sq3

x3

sq3 = (x3, sq

2)

sq2

x2

sq4 = (x4, sq

3)

sq1

x1


(srand)srand

TrustedMemory

CS717

First Dequeue

• User operation: dequeue()

• Issued operation: dequeue() <x1, sq1>

• Recall: sq1 = (x1, sq

0) = (x1, srand)

– In general, dequeued sqj = (x1, sdel)

sq1

= (x1,sq0)

MainMemory


sq2 = (x2, sq

1)sq3 = (x3, sq

2)

sq4

x4

sq3

x3

sq2

x2

sq4 = (x4, sq

3)

sq1

x1

sdel = (srand) = sq0 srand

(srand)srand

TrustedMemory

CS717

First Dequeue

• sdel (x1,sdel) = (x1, (srand))

• Check dequeue– Is sdel = sq

1?

sq1

= (x1,sq0)

MainMemory

TrustedMemory


(srand)srand

sq2 = (x2, sq

1)sq3 = (x3, sq

2)

sq4

x4

sq3

x3

sq2

x2

sq4 = (x4, sq

3)

sq1

x1

sq1

= (x1, (srand))


same

CS717

Checking Dequeue

• Two ways to compute same thing– With sdel : (x1, (srand))– With sq

1 : dequeued

• Computationally hard to find y,t x1,sq1 s.t.

t = (y, (srand))

sq1

= (x1,sq0)

MainMemory

TrustedMemory


(srand)srand

sq2 = (x2, sq

1)sq3 = (x3, sq

2)

sq4

x4

sq3

x3

sq2

x2

sq4 = (x4, sq

3)

sq1

x1

sq1

= (x1, (srand))


same

CS717

First Dequeue

• Invariant Preserved– sq = digest of all elements ever enqueued– sdel = digest of all dequeued elements

• Return x1 to user

sq1

= (x1,sq0)

MainMemory

srandsdel = sq1 = (x1, srand)


(srand)srand

sq2 = (x2, sq

1)sq3 = (x3, sq

2)

sq4

x4

sq3

x3

sq2

x2

sq4 = (x4, sq

3)

sq1

x1

TrustedMemory

CS717

General Dequeues

MainMemory

srand


sq4 = (x4, sq

3)sdel = sq

1 = (x1, srand)

(srand)srand

sq4

x4

sq3

x3

sq2

x2

sq1

x1

sdel = sq1 = (x1, srand)

sdel = sq2 = (x2, sdel)

(srand)srand

sq4

x4

sq3

x3

sq2

x2

sq1

x1




sdel = sq2 = (x2, sdel)sdel = sq3 = (x3, sdel)

(srand)srand

sq4

x4

sq3

x3

sq2

x2

sq1

x1





sdel = sq3 = (x3, sdel)sdel = sq4 = (x4, sdel)sdel = sq1 = (x1, srand)

(srand)srand

sq4

x4

sq3

x3

sq2

x2

sq1

x1

• Dequeue <xi, sqj>

• sdel = (xi, sdel)• Check that sdel = sq

j

– Computationally hard to find y,t xi,sqj s.t.

t = (y, (xi, sdel))

TrustedMemory

CS717

General Dequeues

• Invariant preserved at each step– sq = digest of all elements ever enqueued– sdel = digest of all dequeued elements

• Return xi to user

MainMemory


sq4 = (x4, sq

3)

(srand)srand

sq4

x4

sq3

x3

sq2

x2

sq1

x1





sdel = sq3 = (x3, sdel)sdel = sq4 = (x4, sdel) srandTrusted

Memory

CS717

General Queue Trick

• Signature function calls nest like stack

• Solution: – Let digest also represent removed elements– Second digest just for removed elements– Perform checks on element removal

CS717

General Queue Trick

• Checking validity– Keep track of main digest value for each element

+ any valid subset of removed elements• For queue: element + prior elements

– On element removal• Add element to second digest• Compare new second digest value to main digest value

for that element + some valid removed subset

• More general than just queues– Useful if data structure can be represented as

repeated applications of signature function

CS717

Outline



• Definitions

[BE

GK

N]

[DS

]



CS717

Summary

• Covered several checkers for data structures• Data Structures

– RAMs– Stacks– Queues

• Types– Online– Offline

• Adversaries– Polynomial-time– Infinite power– “Weak”

CS717

Summary

• Exist solutions for trees and graphs

• Efficient checkers for weak adversaries appear possible

• Is it possible to generate checker at compile-time?– i.e. guarantee that for every state change low

probability of corruption– Can it be cheaper than a RAM checker?

Documents

CS717 Checking Data Structures Greg Bronevetsky. CS717 The Problem So far covered ways to check results of algorithms Real computing systems have state