Upload
calvin-barrett
View
212
Download
0
Embed Size (px)
Citation preview
CS717
Checking Data Structures
Greg Bronevetsky
CS717
The Problem
• So far covered ways to check results of algorithms
• Real computing systems have state
• Need ways to ensure this state not corrupted
CS717
The Problem
• Secure data structures allow checker flexibility– Checkers frequently assumed to be reliable
• Thus must run on secure hardware
– If can validate data structures, can use unsecured memory for checker storage
• Oftentimes, just want to keep data safe– Ex: trustworthy databases
CS717
The Papers
• [BEGKN] Blum, Evans, Gemmell, Kannan and Naor, “Checking the Correctness of Memories”, 1991– Online and offline checkers for Random Access
Memories, Stacks and Queues– Lower bounds on checking– Polynomial-time and Infinite Power Adversaries
• [DS] Devanbu and Stubblebine, “Stack and Queue Integrity on Hostile Platforms”, 1998– Offline checkers for Stacks and Queues– Weaker adversary
CS717
Outline
• Offline Checkers– RAMs– Stacks– Queues
• Online Checkers– RAMs– Stacks– Queues
• Definitions
[BE
GK
N]
[DS
]
• Lower Bounds• 3 Offline Checker Bounds
• Offline Checkers• Stacks• Queues
CS717
Data Structure
• Defined by operations and their return values
• Ex for stack: <push a, push b, pop, pop> must return<, , b, a>
• Checker must detect any deviation from target behavior
CS717
Memory Checker
• Reliably implements target data structure– May use original implementation or implement its
own
• Invasive Checker – checker stores own data in data structure
• Non-invasive Checker – all checker data outside data structure
• If data corrupted by adversary, checker reports error
CS717
Memory Checker
• Checker has small amount of reliable memory, large amounts of unreliable memory– Reliable = unchangeable by adversary, in few
cases invisible to adversary– Small checker can’t implement whole data
structure in reliable memory
• Offline Checker – at end of run reports if data corrupted mid-run
• Online Checker – reports on errors during run– Not necessarily promptly
CS717
Adversary
• Polynomial-time probabilistic algorithm
• Goal:– If original data structure works perfectly, checker’s
implementation works with probability > ¾• In checkers presented Prob=1
– If data structure incorrect for some operation, checker reports error with probability > ¾
CS717
Overall Picture
Unreliable Memory
User
CheckerReliable Memory
Adversary
CS717
Outline
• Offline Checkers– RAMs– Stacks– Queues
• Online Checkers– RAMs– Stacks– Queues
• Definitions
[BE
GK
N]
[DS
]
• Lower Bounds• 3 Offline Checker Bounds
• Offline Checkers• Stacks• Queues
CS717
-biased Hash Functions
• Presented in Naor and Naor, “Small Bias Probability Spaces: Efficient Constructions and Applications”, 1990.
• Given n-bit x creates k-bit hash h(x) – If xy then h(x)=h(y) with Prob 1/2k
– Uses O(log n + k) random bits• k<n
x
y
z
h(x)
h(y) = h(z) Low Probability
CS717
-biased Hash Functions
• Basic idea:– Given inputs x and y of length n– Pick l=O(k) random “distinguisher” vectors r1, … rl,
of length n• Special choices, not just uniform
– Compute inner products xri and yri, i– h(x) = <xr1, … xrl>– If xy then Prob[xri = yri for all i] 1/2k
• Better than comparing (x mod pi) and (y mod pi) for random prime pi’s
CS717
Updating a Hash
• Given x and h(x)• Wrote 1 to x[j]• Need to change h(x) to reflect change in x
• For all O(k) distinguishers r1, … rl see if ri[j]=1
– If ri[j]=1 then xrj=1
– Thus, set i-th bit of h(x)=1
• Total work required: O(k)
CS717
Offline Checkers
• Maintain record of reads and writes: R and W
• R and W encoded s.t. when finished, R=W
• Want to keep R and W in checker’s private memory
• Too large, so keep h(R) and h(W)– When finished if RW then h(R)h(W) with high
probability
CS717
Checking RAMs
• Assume memory of size n• Contains log(n)-bit words• R and W will maintain entire history of
changes to RAM– Contain records <v, a, t>
• v – value written/read• a – address• t – unique timestamp
– v, a, t all log(n)-bit words– R and W [v][a][t] = 1 <v, a, t> written to R or W
• |R|=|W|=O(n3)• |h(R)| = |h(W)| = log(n)
CS717
Checking RAMs
• Data locations keep “last-access” timestamp– <vi, ti>
• Checker maintains global timestamp– Unique– Greater than any timestamp used so far
CS717
Write to RAM
• Wish to write value v to address a• Read from address value v, timestamp t• t = global timestamp
– Check that t<t– Increment global timestamp
• Update h(R) with <v, a, t>– Makes sure value not corrupted since last touch
• Write <v,t> to address a• Update h(W) with <v, a, t>
– Records new value/timestamp for future operations
CS717
Read from RAM
• Wish to read value from address a• Read value v, timestamp t• t = global timestamp
– Check that t<t– Increment global timestamp
• Update h(R) with <v, a, t>– Makes sure value not corrupted since last touch
• Write <v, t> to address a• Update h(W) with <v, a, t>
– Records new timestamp for future operations
CS717
Basic Picture
write(v2)
• read <v1, t1>• <v1, a, t1> h(R)• <v2, a, t2> h(W)
read() • read <v2, t2>• <v2, a, t2> h(R)• <v2, a, t3> h(W)
• read <v1, t1>• <v1, a, t1> h(R)• <v1, a, t2> h(W)
read()
• read <v1, t2>• <v1, a, t2> h(R)• <v1, a, t3> h(W)
Read After Write Read After Read
• Two adjacent accesses to same locations• Leave identical records in h(R) and h(W)
read()
CS717
Basic Picture
• read <v1, t1>• <v1, a, t1> h(R)• <v2, a, t2> h(W)
write(v3)
• read <v2, t2>• <v2, a, t2> h(R)• <v3, a, t3> h(W)
read() • read <v1, t1>• <v1, a, t1> h(R)• <v1, a, t2> h(W)
write(v2)
• read <v1, t2>• <v1, a, t2> h(R)• <v2, a, t3> h(W)
Write After Write Write After Read
• Two adjacent accesses to same locations• Leave identical records in h(R) and h(W)
write(v2)
CS717
Final Reads
• When finished with RAM, – Perform reads on all memory locations– Update h(R) with most recent v’s & t’s
• Reflects change made by last write to location
• Just like regular read without final update to h(W)– No operation follows it– Thus, no h(R) entry would match it
CS717
Checking for Errors
• Confirm that h(R)=h(W)
• Claim: If data got changed by attacker, RW– Thus, with high Prob, h(R)h(W)
CS717
Proof of Correctness
• In order to fool checker into accepting erroneous RAM, adversary must change data between operations
• For example, Read-After-Write:(Same argument for all combinations)
write(v2)
• read <v1, t1>• <v1, a, t1> h(R)• <v2, a, t2> h(W)
read() • read <v2, t2>• <v2, a, t2> h(R)• <v2, a, t3> h(W)
CS717
Proof of Correctness
• Take last such occurrence
• Now read performs <v78, a, t2> h(R)
• To make h(R)=h(W) adversary must force checker to do <v2, a, t2> h(R)
write(v2)
• read <v1, t1>• <v1, a, t1> h(R)• <v2, a, t2> h(W)
read() • read <v78, t2>• <v78, a, t2> h(R)• <v78, a, t3> h(W)
Adversary changes v2 to v78
CS717
Proof of Correctness
• To force checker to <v2, a, t2>h(R) must change data at address a– Since a is in desired tuple
• v2 v78 was last change – Adversary must make another
change before that
– To force <v2, a, t2>h(R) must modify a to <v2, t2>
write(v2)
• read <v1, t1>• <v1, a, t1> h(R)• <v2, a, t2> h(W)
read()
• read <v78, t2>• <v78, a, t2> h(R)• <v78, a, t3> h(W)
read()
• read <v-9, t-9>• <v-9, a, t-9> h(R)• <v-9, a, t-8> h(W)
<v2, t2>
write(v-9)
• read <v-10, t1-10>• <v-10, a, t1-10> h(R)• <v-9, a, t-9> h(W)
CS717
Proof of Correctness
• But recall, in every operation checker reads recorded timestamp
• Checks if recorded timestamp < global timestamp– Global timestamp always increases
• During prior adversary change global timestamp < t2
• Thus, when next operation read t2, would declare error
write(v2)
• read <v1, t1>• <v1, a, t1> h(R)• <v2, a, t2> h(W)
read()
• read <v78, t2>• <v78, a, t2> h(R)• <v78, a, t3> h(W)
read()
• read <v2, t2>• <v2, a, t2> h(R)• <v2, a, t-8> h(W)
<v2, t2>
write(v-9)
• read <v-10, t1-10>• <v-10, a, t1-10> h(R)• <v-9, a, t-9> h(W)
CS717
Summary
• Similar argument for changes to timestamps• Probability of poly-time probabilistic adversary
of making unnoticed change
– Since only possible attack is breaking h(R), h(W) hashing property
• Reliable storage requirements:– O(log n + k) bits to store -biased hash function– h(W) and h(R) each k=log n bits long
(n = # words in memory)
k
2
1
CS717
Outline
• Offline Checkers– RAMs– Stacks– Queues
• Online Checkers– RAMs– Stacks– Queues
• Definitions
[BE
GK
N]
[DS
]
• Lower Bounds• 3 Offline Checker Bounds
• Offline Checkers• Stacks• Queues
CS717
Checking Stacks
• Stack checker follows same idea• Key difference:
– On push() new location is empty• Thus, no need to update h(R)
– On pop() popped location becomes empty• Thus, no need to update h(W)
• Must ensure that on pop(), stack returns value last pushed at that level
CS717
Basic Picture
• For any given sequence of pushes and pops• Corresponding pushes and pops must have
same value
pop()
pop()
pop()
pop()
pop()
push(v1)
push(v2)
push(v3)
push(v4)
push(v5)
v1
v2
v3
v4
v5
CS717
Basic Picture
• For any given sequence of pushes and pops• Corresponding pushes and pops must have
same value
pop()
pop()
pop()
pop()
pop()
push(v1)
push(v2)
push(v3)
push(v4)
push(v5)
Must Match
CS717
Protocol
• Keep around global timestamp t
• On Push(vi)
– Write to next location <vi, t>
– Update h(W) with <vi, a, t>
– Increment t
• On Pop()– Read <vi, ti> from current location
– Ensure ti<t
– Update h(R) with <vi, a, ti>
• At end do Pop() on rest of stack• No errors R=W
– So small probability of error if h(R)=h(W)
CS717
Outline
• Offline Checkers– RAMs– Stacks– Queues
• Online Checkers– RAMs– Stacks– Queues
• Definitions
[BE
GK
N]
[DS
]
• Lower Bounds• 3 Offline Checker Bounds
• Offline Checkers• Stacks• Queues
CS717
Checking Queues
• Address means– For enqueues: number of prior enqueues– For dequeues: number of prior dequeues
• Enqueue and dequeue have same address refer to same queue location
• Since addresses unique, no need for timestamps
• Otherwise same as for stacks
CS717
Checking Queues
• On Enqueue(vi)– Write to next location <vi>– Update h(W) with <vi, a>
• a = number of prior enqueues (“address”)
• Dequeue()– Read <vi> from front location (address a)– Update h(R) with <vi, a>
• At end do empty queue via Dequeue()’s• No errors R=W
– Small probability of error if h(R)=h(W)
• Note: queue protocol non-invasive
CS717
Checking Graphs
• Two representations for graphs– Adjacency matrix– Adjacency list
• Adjacency matrix checker– Use RAM checker
• Adjacency list checker– Variant of queue checker checks multiple lists
• List IDs and headers kept in array– Array checked via RAM checker
• Adds list ID to each h(R) and h(W) record
CS717
Outline
• Offline Checkers– RAMs– Stacks– Queues
• Online Checkers– RAMs– Stacks– Queues
• Definitions
[BE
GK
N]
[DS
]
• Lower Bounds• 3 Offline Checker Bounds
• Offline Checkers• Stacks• Queues
CS717
Online Checkers
• If adversary changes data want to know before program end– Don’t want to use erroneous data
• Solutions more expensive and restrictive– Restrictions on word sizes– Less memory available to application– Sometimes private memory must be secret
CS717
Basic Online RAM Checker
• Build binary tree– Leaves are actual data locations– Internal nodes contain sum of children
w x y z
w+x y+z
w+x+y+z
Leaves: UserMemory Cells
Internal Nodes:Hash of children
CS717
Basic Online RAM Checker
• On every read or write, verify sums• Since can’t verify root, must keep it in private
memory
w x y z
w+x y+z
w+x+y+z
Leaves: UserMemory Cells
Internal Nodes:Hash of children
Root kept in private memory
CS717
Tolerating Changes
• If adversary modifies some node xx– Sum in parent changed– Will notice if compare child values to parent sum
w x y z
w+x y+z
w+x+y+z
Leaves: UserMemory Cells
Internal Nodes:Hash of children
Root kept in private memory
CS717
Limits of Encoding
• However, if ww+q and xx-q then sum in parent doesn’t change
• Will not notice change
w x y z
w+x y+z
w+x+y+z
Leaves: UserMemory Cells
Internal Nodes:Hash of children
Root kept in private memory
CS717
Alternate Encoding
• Sums are poor encoding– Need something better
• Use two encoding techniques– Universal one-way hash functions (UOWHF)– Pseudorandom functions
CS717
Adversary
• Chooses read/write operations
• Returns any value to non-private memory reads
• Probabilistic algorithm
• Runs in time polynomial in memory size
CS717
Universal One-Way Hash Functions
• Hash function good if few inputs map to same outputs (collide)
• UOWHFs good against poly-time probabilistic adversary looking for collisions
• Presented in: – M. Naor and M. Yung, “Universal One-Way
Functions and Their Cryptographic Applications”, 1989
– J. Rompel, “One Way Functions are Necessary and Sufficient for Secure Signatures”, 1990
CS717
Universal One-Way Hash Functions
• Definition:– Given hash function h: {0,1}k{0,1}m
• m polynomially smaller than k
– A: probabilistic polynomial time adversary• Chooses input x• Hash function h picked randomly• Tries to find yx s.t. h(x)=h(y)
– Prob[A(x,h)=y, yx, h(x)=h(y)] < 1/poly(k) polynomials: worse than poly-small prob of success
– Need hash functions describable in poly bits, computable in poly time
– Need to pick hash functions uniformly at random
CS717
Checking RAMs: Encoding Tree
h(left·right) h
ID ofhash function(different nodes have their own)
Hash of children
Leaves: UserMemory Cells
Internal Nodes:Hash of children
Each Internal Node:
CS717
Checking RAMs: Encoding Tree
u v
h(u·v)
Leaves: UserMemory Cells
……
Internal Nodes:Hash of children h
ID ofhash function
Hash of children(“·” is concatenation)
CS717
Checking RAMs: Encoding Tree
xu
Memory
Hash Nodes hu
h(xu·hu·xv·hv) h
xv hv
General hash application
Node u Node v
CS717
Checking RAMs : Encoding Tree
Memory
Internal Hash Nodes
Root kept in private memory(keeps identities of 2nd level hash functions safe)
CS717
RAM Operations
• Read:– Look at target memory node: xu
– Walk up tree, check encodings
• Write– Modify xu
– Walk up tree, changing encodings accordingly• Pick new hash function for all nodes
CS717
On Adversary Change
• Adversary changes some node uu– Can’t find another value that results in same
hashcode in parent node• Low probability
– Thus, parent’s encoding won’t match child’s• Will detect error before erroneous value used
xu hu
h(xu·hu·xv·hv) h
xv hv
Node u Node v
CS717
Checking RAMs: Details
• Memory of k-bit words, n words total
• Our adversary runs in time poly(n)• UOWHF adversary runs in time poly(k)
• Thus, need k = n for >0– If k<O(poly(n)) then poly(n) adversary could
enumerate all possibilities– Set k = n to make two adversaries same
CS717
Alternative Tradeoffs
• Using UOWHFs places poly-size minimum on word size
• Can we do better?
• Another possibility: trade small words for secret private memory– Use pseudo-random functions
CS717
Pseudorandom Functions
• So close to random that poly-time algorithm can’t differentiate
• Given random seed S, get pseudorandom fS
– fS: {0,1}k {0,1}m
– |S|poly(k)
• Poly-time adversary given either random function or fS(x)
• Probability of telling apart < 1/poly(k) polynomials: worse than poly-small prob of
success
CS717
Pseudorandom Functions
• Reported in O. Goldreich, S. Goldwasser and S. Micali, “How to Construct Random Functions”, 1986.
• Construction requires private memory to be secret from adversary– Keep pseudorandom function there so adversary
doesn’t know what it is– No minimum on word size
CS717 Checking RAMs with
Pseudorandom functions
• Memory location i, value vi
• Augment with signature– Signature: fS(vi)
• Each node contains <vi, fS(vi)>
– Since adversary doesn’t know fS, can’t just change vivi and regenerate signature
– Must figure out fS(vi)=fS(vi) on its own
CS717
Secure Against Tampering
• If adversary can find vj s.t. fS(vi) = fS(vj) then can tell pseudorandom from random– Let Q be algorithm for finding vj with prob 1/poly
• On any input vi, use Q to generate partner tuple vj
– If fS(vi) = fS(vj) then return “Pseudorandom”
– Else, return “Truly Random”
• Algorithm differentiates with prob 1/poly• Contradiction!
CS717
Limitation of Encoding
• Not secure against replay
• Adversary can repeat earlier valid encodings later on
• Must keep timestamp generation secure
CS717
Tree Encoding
• Construct complete binary tree• Leaves: user memory locations• Every node has timestamp• Time stamp of parent i:
ti = tj + tk
vj, tj, j
vi, ti, i
vk, tk, k
Node j Node k
Node i
CS717
Tree Nodes
• Node signatures include node ID, timestamp
• Leaf Node:
• Internal Node i:
• Root node in private, secret memory
<vi, fS(vi, ti, i)>
<tj+tk, fS(0, tj+tk, i)>
CS717
Reading
• Read contents of target node• Walk up tree, verify
– Encoding– Child-parent timestamp
relationships
v8, fS(v8, t8, 8)v7, fS(v7, t7, 7)
t7+t8, fS(0, t7+t8,3)
t7+t8+t4, fS(0, t7+t8+t4, 1)
v4, fS(0, t4, 4)
v0, fS(0, t0, 0)
v2, fS(0, t2, 2)
Private, secret memory
Read node 8, check path to root
CS717
Writing
• Walk down tree, verify – Encoding– Child-parent timestamp relationships
• Write new value into target node• Increment its timestamp• Walk up tree, incrementing node timestamps
– (ti+1) + tj = (ti+tj) + 1
CS717
Proof of Correctness
• Node contents secure against tampering– Shown above– Poly-time adversary has < 1/poly Prob of success
• Replay attacks– Can adversary overwrite nodes with valid old
<value, signature>?
– Node address part of signature fS(vi, ti, i)
– Thus, can only place old <values, signature> at original address
CS717
Proof of Correctness
• Adversary changed some node– Pick highest change in tree
• Old <vi, fS(vi, ti, i)> New <vi, fS(vi, ti, i)>– Must pick pair from same address since node ID is
in signature
• Node timestamps always increase: ti<ti
• Node i has parent p, sibling s– Node s may be changed– Node p not changed (since this highest change)– Root in private memory, so always safe
CS717
Proof of Correctness
• Old <vi, fS(vi, ti, i)> New <vi, fS(vi, ti, i)>• Node timestamps always increase: ti<ti
• Node i has parent p, sibling s– Node s may be changed– Node p not changed (since this highest change)– Root in private memory, so always safe
• On next read or write will check that tp = ti + ts
– ti < ti (since i definitely changed)
– ts ts (since s possibly changed)
– Thus, ti + ts < tp
• Error detected on next read or write
CS717
Checking RAMs Summary
• Two online techniques for checking RAMs• Use different cryptographic encodings
– Universal One-Way Hash Functions• Require minimum word size
– Pseudorandom functions• Requires small secret private memory
• Both build trees on top of RAM• Detect error on next operation• Protect RAM against polynomial-time
randomized adversary
CS717
Outline
• Offline Checkers– RAMs– Stacks– Queues
• Online Checkers– RAMs– Stacks– Queues
• Definitions
[BE
GK
N]
[DS
]
• Lower Bounds• 3 Offline Checker Bounds
• Offline Checkers• Stacks• Queues
CS717
Review of Stack Offline Algorithm
• t: global timestamp• On Push(vi) (to stack height a)
– Write to next location <vi, t>– Update h(W) with <vi, a, t>– Increment t
• On Pop() (from stack height a)
– Read <vi, t> from current location– Update h(R) with <vi, a, t>
• At program end do Pop() on rest of stack• No errors R=W
– So small probability of error if h(R)=h(W)
Matching pushes and pops change R and W in same ways
CS717
Checking Stacks Online
• Trivial solution: – h(R) and h(W) keep track of pushes and pops– After every operation empty stack– Check that h(R) = h(W)
• Very expensive– Quadratically more operations
• Real solution follows similar idea– Uses multiple sub-stacks– Spills&checks at sub-stack boundaries– Auxiliary stack needed to perform stack spills
• Two real stacks can be each other’s auxiliary
CS717
Stack Organization
2 blocks of 2i wordsStack i
2 wordsStack 0
2 blocks of 21 wordsStack 1
…
Stack of height H turned into log(H) stacks
Stack i contains 2 blocks of
items, each 2i words long
Stacks filled from highest to
lowest
CS717
Stack Organization
Stack i
Stack 0
Stack 1
…• All operations first done with
Stack 0– Push and pop normally
CS717
Stack Organization
Stack i
Stack 0
Stack 1
…• All operations first done with
Stack 0• When pushing onto full
Stack 0
CS717
Stack Organization
Stack i
Stack 0
Stack 1
…• All operations first done with
Stack 0• When pushing onto full
Stack 0– Move Stack 0 contents onto
Stack 1• Pop off onto auxiliary stack• Push onto Stack 1• Called a “block operation”
CS717
Stack Organization
Stack i
Stack 0
Stack 1
…• All operations first done with
Stack 0• When pushing onto full
Stack 0– Move Stack 0 contents onto
Stack 1• Pop off onto auxiliary stack• Push onto Stack 1• Called a “block operation”
– Push new element into Stack 0
CS717
Stack Organization
Stack i
Stack 0
Stack 1
…• All operations first done with
Stack 0• When pushing onto full
Stack 0 again
CS717
Stack Organization
Stack i
Stack 0
Stack 1
…• All operations first done with
Stack 0• When pushing onto full
Stack 0 again– Move Stack 0 contents onto
Stack 1– Push new element into Stack 0
• Next time Stack 1 overflows– Push onto Stack 2
…
CS717
Stack Organization
Stack i
Stack 0
Stack 1
…• When popping off empty
Stack 0
Pop
CS717
Stack Organization
Stack i
Stack 0
Stack 1
…• When popping off empty
Stack 0• Move top block of Stack 1
onto Stack 0– Via auxiliary stack
Pop
CS717
Stack Organization
Stack i
Stack 0
Stack 1
…• When popping off empty
Stack 0• Move top block of Stack 1
onto Stack 0– Via auxiliary stack
• Pop off Stack 0• If Stack 1 is emptied, refilled
from Stack 2, etc.
Pop
CS717
Stack Organization
Stack i
Stack 0
Stack 1
…Pop
Note:
These stacks can be implemented as a single stack
CS717
Checking Stack Operations: Push
• Check every stack operation• On block push to Stack i
– Add all sub-pushes to h(W)– Then pop off entire stack (pops added to h(R))
• Onto auxiliary stack
– Verify that h(W) = h(R)– Push stack back in place
• Time cost:– O(2i) operations per block operation– O(2i) operations to check each block operation– Total time = O(2i)
CS717
Checking Stack Operations: Pop
• Check every stack operation• On block pop from Stack i
– Add all sub-pops to h(R)– Then pop off entire stack (pops added to h(R))
• Onto auxiliary stack
– Verify that h(W) = h(R)– Push stack back in place
• Time cost:– O(2i) operations per block operation– O(2i) operations to check each block operation– Total time = O(2i)
CS717
Amortized Overhead
• Theorem: to service n user operations reliable stack performs O(n·log H) operations(H = maximum height of stack)
• Proof:– Lemma 1: at most 1 in 2i user operations cause a
block operation in Stack i– Base Case:
• Every user operation causes operation in Stack 0
– Inductive Case: every other push to Stack i-1 causes Stack i push every other pop from Stack i-1 causes Stack i pop• Thus, takes Stack i-1 ops to cause Stack i op
CS717
Amortized Overhead
• Theorem: to service n user operations reliable stack performs O(n·log H) operations(H = maximum height of stack)
• Proof:– At most 1 in 2i user operations cause a block
operation in Stack i– Each Stack i block operation costs O(2i) time– Total cost per user operation =
)(log)2(/)2(log
0
HOOOH
i
ii
CS717
Outline
• Offline Checkers– RAMs– Stacks– Queues
• Online Checkers– RAMs– Stacks– Queues
• Definitions
[BE
GK
N]
[DS
]
• Lower Bounds• 3 Offline Checker Bounds
• Offline Checkers• Stacks• Queues
CS717
Checking Queues
• Can check queues like stacks– Create multiple queues– Spill from smaller to larger queues– Empty and check queues on every operation
• Not known how to merge sub-queues into single queue
CS717
Outline
• Offline Checkers– RAMs– Stacks– Queues
• Online Checkers– RAMs– Stacks– Queues
• Definitions
[BE
GK
N]
[DS
]
• Lower Bounds• 3 Offline Checker Bounds
• Offline Checkers• Stacks• Queues
CS717
Checker/Adversary Properties
• Checker– Works offline– Private memory is secret– Deterministic
• Adversary– Arbitrary power to change memory– Does not know
• User’s operations• Checker’s memory state (its secret afterall)
CS717
Checking Scenario
• Memory size = n• Assume that user issues
– n writes to distinct locations– Followed by n reads to those locations– Possible usage pattern; can use to establish lower
bound
• x = tuple of memory locations/values written by user (unknown to adversary)
• c = checker’s private, secret memory• M = fallible main memory
CS717
Picture of Checker
size = m
size = n
Main Memory = M
Request Sequence x
Checker Memory = c
Checker
size = n
CS717
Theorem
• Checker needs log(n)-1 bits of private memory to avoid being fooled by adversary– Else, may decode written tuple x as other tuple y
• Proof Outline– Count number of possible system configurations– Show: if too few checker memory bits, >1 valid
main memory states for same checker memory configurations for same
• Thus, adversary can freely change main memory from one such valid state to another
CS717
Proof
• n = size of main memory• m < log(n)-1 = size of checker memory• x = input string of writes, length n• sphere(x, M) = vector of length 2m
(one entry per checker memory state)– sphere(x, M)[c]=A if <M,c> is possible state of
main and checker memory on input x– sphere(x, M)[c]=* if <M,c> is possible state of
main and checker memory on input x– sphere(x, M)[c]=I if <M,c> is not a possible state
of main and checker memory on any input
CS717
Picture of sphere(x, M)
0,0..0
0,0..1
1,1..1
.
.
.
.
.
Checker Memory States
(2m of them)
A
I
I
*
*A
.
.
x,M
x,M
x,M
x,M
x,M
x,M
x,M
x,M
Is <M,c> possible
encoding of x?
c
• If memory unchanged, checker must decode <M,c> as x with Prob=1– x was set of values written, so must be retrieved
CS717
Picture of sphere(x, M)
0,0..0
0,0..1
1,1..1
.
.
.
.
.
Checker Memory States
(2m of them)
A
I
I
*
*A
.
.
x,M
x,M
x,M
x,M
x,M
x,M
x,M
x,M
Is <M,c> possible
encoding of x?
c
• Invariant 1: On input x, state of M and c must be s.t. sphere(x,M)[c] = A
• By definition of sphere()
CS717
Invariant 2
• On inputs xy, c,M sphere(x,M)[c] & sphere(y,M)[c] can’t both = A– Otherwise two inputs could map to same
checker/main memory state
• Both = * if <M,c> gets mapped to by some other input z
• Both = I if no input maps to <M,c>
CS717
Picture of sphere(x, M)
0,0..0
0,0..1
1,1..1
.
.
.
.
.
Checker Memory States
(2m of them)
A
I
I
*
*A
.
.
x,M
x,M
x,M
x,M
x,M
x,M
x,M
x,M
c
• If x s.t. M, yx and M s.t. sphere(x, M) = sphere(y, M) then on input x adversary can cause checker to decode y by changing MM
Is <M,c> possible
encoding of x?
CS717
Proof of Claim
• Claim: If x s.t. M, yx and M s.t. sphere(x, M) = sphere(y, M) then adversary can cause checker to decode y by changing MM
• Proof– Checker gets input x, produces M, c s.t.
sphere(x,M)[c] = A– For this M y, M with same sphere– Thus, sphere(y,M)[c] = A– Therefore, if adversary switches MM then
checker decodes <M, c> as y– Error undetected. Checker fooled!
CS717
Breaking the Checker
• Adversary needs to break checker on only one input x
• Thus, always guesses that input=x and always replaces M with M (appropriate for this x)
– Uses MM mapping table ( Ms)
• Note:– If memory state=M but input is zx,y then
sphere(x,M)[c] = * = sphere(y,M)[c] – Thus, if adversary MM then checker will still
decode some input w (not x or y)
• Error undetected. Checker fooled!
CS717
Is This Possible?
• To defeat adversary checker needs – For each x, M s.t. sphere(x, M) unique– If so, checker can safely set memory to M on input x
• Will prove Collision Lemma: input x s.t. M. yx and M where sphere(x,M) = sphere(y,M)– For n possible inputs x, n unique main memory
states M• Since checker deterministic
– Assumption: total number of spheres = a < < total number of inputs/memory states = b
CS717
Visualization of Collisions
b Inputs
b MainMemory
States
• For each of b inputs, b main memory states
• For each state, one of a possible spheres
• a<b
input x s.t. M. yx and M where sphere(x,M) = sphere(y,M)
CS717
Visualization of Collisions input x s.t. M. yx and M
where sphere(x,M) = sphere(y,M)
• Must find some column s.t.
• For every entry in column
another entry in another column
• With same value
n Inputs
n MainMemory
States
CS717
Proof of Lemma
• Will go left to right looking for our column• Look at leftmost column
n Inputs
n MainMemory
States
CS717
Proof of Lemma
• If is it, then done• If not, then
entry in column with value contained in no other column
• Will go left to right looking for our column• Look at leftmost column
ANot A
n Inputs
n MainMemory
States
CS717
Proof of Lemma
• Same thing for other columns
• If target column, then done
• If not, then entry in column with value contained in no other column
Not QNot QQ
n Inputs
n MainMemory
States
CS717
Proof of Lemma
• At each step, either finished or rightmost columns have 1 less possible value
ANot A
n Inputs
n MainMemory
States
CS717
Proof of Lemma
• At each step, either finished or rightmost columns have 1 less possible value
BNot A,B
A
n Inputs
n MainMemory
States
CS717
Proof of Lemma
• At each step, either finished or rightmost columns have 1 less possible value
A B CNot A,B,C
n Inputs
n MainMemory
States
CS717
Proof of Lemma
• At each step, either finished or rightmost columns have 1 less possible value
A B C D Not A,B,C,D
n Inputs
n MainMemory
States
CS717
Proof of Lemma
• Reach 2nd to last column on step b-1(If not already finished)
• Total possible values < b
• Thus, 1 value remains
• Last two columns satisfy criterion
Z
Z
Z
Z
Z
Z
Z
Z
Z
Z
Z
Z
n Inputs
n MainMemory
States
CS717
Proof of Lemma
input x s.t. M. yx and M where sphere(x,M) = sphere(y,M)
Z
Z
Z
Z
Z
Z
Z
Z
Z
Z
Z
Z
x y
n Inputs
n MainMemory
States
CS717
Proving That Too Few Spheres
• Must still prove that fewer spheres than inputs• Total inputs states: a = 2n
• Total unique spheres: b = (2m 3-ary values)• m<log(n)-1 and so,
– Fewer spheres than inputs– b<a
• Thus, Collision Lemma precondition satisfied
m23
nnnnnm
233333 2/2222 1log1log
CS717
Checker Fooled
• Adversary can find xy s.t. sphere(x,M) = sphere(y,M) M– Since checker known
• Determines main memory remapping table MM– For each M picks M s.t. spheres equal
• For any input remaps main memory according to table
• If input=x, memory changed to MM and checker decodes it as y– Error undetected. Checker fooled!
CS717
Deterministic Probabilistic
• Paper describes proof in fairly deterministic terms
• But seems to be saying that proof works for probabilistic checkers
• Seems plausible, but should check
CS717
Checkers With 2-sided Error
• Above theorem extended to relate reliability to number of bits in checker memory
• Applies to checkers with 2-sided error:– If main memory untouched by adversary, checker
correctly decodes with Prob p– If main memory corrupted, checker notices or
correctly decodes with Prob p
• Theorem:– If decoding probability p ½+ ½l+1 then checker
private memory must have m log n – log l bits– l 1
CS717
Meaning of Theorem
• Theorem:– If decoding probability p ½+ ½l+1 then checker
private memory must have m log n – log l bits– l 1
• Meaning:– The fewer bits in checker’s memory, the closer
prob of success gets to ½.• Prob = ½ user can’t differentiate success from failure
CS717
Meaning of Theorem
• Theorem:– If decoding probability p ½+ ½l+1 then checker
private memory must have m log n – log l bits– l 1
• Connection to last theorem:– Case where 100% Prob of decoding non-
corrupted (i.e. l=0) covered by last theorem• Need log n – 1 bits• This theorem generalizes last theorem
– Will now relate probability of success to reliable memory size
CS717
Proof
• Last proof looked at encoding process– sphere(x,M)[c] = is input x encodable into <M,c>?
• This proof looks at decoding– sphere(x,M)[c] = l-bit approximation of
Prob[checker decodes <M,c> into x]– sphere(x,M) is l2m bit vector– Number of spheres = – Number of inputs = – Suppose opposite: m < log n – log l– Then
• Fewer spheres than inputs
ml22n2
nlnlll lnm
2222 /)(22 loglog
CS717
Collision Lemma
• : Fewer spheres than inputs
• Recall Collision Lemma: input x s.t. M. yx and M where sphere(x,M) = sphere(y,M)
• Thus, adversary can find input x for which it can switch main memory MM
• Claim: Probability of success >1-p– Recall: Checker must have success Prob p
nl m
22 2
CS717
Playing Probabilities
• Let
• Given x was input– q = Prob of decoding x with untouched memory– q = Prob of decoding y with corrupted memory
• Assuming adversary switched M with M
cM cMfromxdecodesercheck
xfromcMgeneratesercheckq
, ],Pr[
],Pr[
cM cMfromydecodesercheck
xfromcMgeneratesercheckq
, ],Pr[
],Pr[
CS717
Playing Probabilities
• sphere(x,M)[c] = l-bit approximation of Prob[checker decodes <M,c> into x]– Thus, Prob[checker decodes <M,c> into x] <
sphere(x,M)[c] + ½ l
• Know that input x s.t. M. yx and M where sphere(x,M) = sphere(y,M) – Since fewer spheres than inputs
• Thus– Prob[checker decodes <M,c> into x] <
Prob[checker decodes <M,c> into y] + ½l
CS717
Playing Probabilities
• Prob[checker decodes <M,c> into x] < Prob[checker decodes <M,c> into y] + ½l
• Via basic algebra: q>q- ½l
– q = Prob of decoding x with untouched memory– q = Prob of decoding y with corrupted memory
• By definition, p = prob of success p Prob of correct operation or fault detection– p q
• Since q is probability of correct operation on input x
– q 1-p• Since q is probability of not detecting xy decoding
CS717
Playing Probabilities
• q>q- ½l
– q = Prob of decoding x with untouched memory– q = Prob of decoding y with corrupted memory
• pq, q1-p• q > q- ½l
1-p q > q- ½l p- ½l
1-p > p- ½l
1+½l > 2p ½+½l+1 > p– (Assumption was: m < log n – log l)
• If decoding probability p ½+ ½l+1 then checker memory has m log n – log l bits
CS717
Checker with Public Memory
• Previous checkers had secret memories• What if checker has some public memory?
(Public but incorruptible)
• Can we get away with less private memory?
• Will give proof for sequences of n writes• Checker gets dn public memory, d<1
(if d=1 then checker can save writes in memory)
• Will show: checker needs bits of secret memory
d
lnm
1log)log(
New Element
CS717
Public Memory Theorem
• Theorem: If checker functions correctly with Prob p ½+ ½l+1 then checker secret
memory must have bits
Proof• Assume opposite: • Let
– M : corruptible main memory– B : incorruptible public checker memory– c : incorruptible private checker memory
d
lnm
1log)log(
d
lnm
1log)log(
CS717
Proof of Theorem
• Spheres defined as in last proof– old_sphere(x,M)[c] = l-bit approximation of
Prob[checker decodes <M,c> into x]
• New element: spheres depend on B’s state– sphere(x,M,B)[c] = l-bit approximation of
Prob[checker decodes <M,B,c> into x]
• Still possible spheres• possible public memory configurations
•
ml22dn2
ndnl m
thend
lnmif 222
1log)log( 2
CS717
Proof of Theorem
• As before: adversary assumes input is x– Since only needs to fool on one input
• Adversary wants some MM mapping s.t. <M, c, B> decoded as y
• Will work if sphere(y,M,B) = sphere(x,M,B)
x <M,c,B>
y <M,c,B>Adversary
CS717
Proof of Theorem
• Adversary wants sphere(y,M,B) = sphere(x,M,B)
• Since (number of spheres ) < (number of inputs ) apply Collision Lemma: <x,B> s.t. M yx and M s.t. sphere(y,M,B) =
sphere(x,M,B)
• Now must show Prob of fooling checker >p
dnl m
22 2
n2
CS717
Playing Probabilities
• As before, assuming x was input, compute:– q = Prob of decoding x with untouched memory– q = Prob of decoding y with corrupted memory
• Via algebra: q>q- ½l
• p = prob of success, q, 1- q• Basic Algebra p < ½ + ½l+1
(Assumption was: )
• If decoding probability p ½+ ½l+1 then secure memory has bits )1/(1log)log( dnm
)1/(1log)log( dnm
CS717
Summary
• Showed lower bounds for checker memory sizes
• Deterministic checker: log(n)-1 bits of reliable, secret checker memory
• 2-sided error checker: log n – log l bits of reliable, secret memory– Probability of success ½ + ½l+1
• Checker with dn bits reliable, public memory– log(n) – log(1/(1-d) bits reliable, secret memory– Probability of success ½ + ½l+1
CS717
Outline
• Offline Checkers– RAMs– Stacks– Queues
• Online Checkers– RAMs– Stacks– Queues
• Definitions
[BE
GK
N]
[DS
]
• Lower Bounds• 3 Offline Checker Bounds
• Offline Checkers• Stacks• Queues
CS717
Different Flavor of Checking
• [DS] Devanbu and Stubblebine, “Stack and Queue Integrity on Hostile Platforms”, 1998
• Offline checkers for Stacks and Queues• Weaker adversary
– Adversary “constant factor faster” than checker– No explanation for adversary limitation
• Time Overhead: constant factor• Space Overhead: constant sized trusted
memory (secret?)
CS717
Mechanisms
• Assumes signature scheme s.t.– Collision resistant – computationally infeasible to
find two inputs that map to same output– 2nd preimage resistant – given an input,
computationally infeasible to find other input mapping to same output
• Creates hashes of prior stack activity• Stores hashes with stack elements
CS717
Checking Stacks
• Every stack element also contains signature• Signature: encoding of all elements below = signature function
• Stack initially empty
Trusted MemoryMain Memory
CS717
Checking Stacks: Push• Every stack element also contains signature• Signature: encoding of all elements below = signature function
<x1, srand>
• First push– User pushes x1
– Checker pushes <x1, srand>
• srand is random
• Trusted Memory– srand
– s1 = (x1, srand)Trusted MemoryMain Memory
s1= (x1, srand)
srand
CS717
Checking Stacks: Push
• Every stack element also contains signature• Signature: encoding of all elements below
<x1, srand>s1= (x1, srand)
• General Push:– Given user op push(xi)
– Issue push(xi, sh)
• sh is stack signature
– New stack signature:sh+1 = (xi, sh)
Trusted MemoryMain Memory
<x2, s1>s2= (x2, s1)
s1= (x1, srand)
s3= (x3, s2)
<x3, s2>s2= (x2, s1)
s4= (x4, s3)
<x4, s3> s3= (x3, s2)
srand
CS717
Checking Stacks: Pop
• Invariant: stack signature computable from top element
• Pop:– Pop alleged <xi, sh> off
stack
– Check if sh+1 = (xi, sh)
• Sh+1 is stack signature
– sh: new stack signature<x1, srand>
s1= (x1, srand)
Trusted MemoryMain Memory
<x2, s1>s2= (x2, s1
)
s1= (x1, srand)
s3= (x3, s2)
<x3, s2>s2= (x2, s1
)
s4= (x4, s3)
<x4, s3> s3= (x3, s2)
srand
CS717
Checking Stacks: Pop
• Invariant: stack signature computable from top element
• Pop:– Pop alleged <xi, sh> off
stack
– Check if sh+1 = (xi, sh)
• Sh+1: prior stack signature
– sh: new stack signature<x1, srand>
s1= (x1, srand)
Trusted MemoryMain Memory
<x2, s1>s2= (x2, s1
)
s1= (x1, srand)
s3= (x3, s2)
<x3, s2>s2= (x2, s1
)
<x4, s3>
srand
CS717
Checking Stacks: Pop
• Invariant: stack signature computable from top element
• Pop:– Pop alleged <xi, sh> off
stack
– Check if sh+1 = (xi, sh)
• Sh+1: prior stack signature
– sh: new stack signature
• Invariant Preserved<x1, srand>
s1= (x1, srand)
Trusted MemoryMain Memory
<x2, s1>s2= (x2, s1
)
s1= (x1, srand)
s3= (x3, s2)
<x3, s2>s2= (x2, s1
)
srand
CS717
Intuition to Encoding
• Encoding has simple intuition: () calls nested in stack fashion
s4= (x4, s3) = (x4, (x3, s2)) = (x4, (x3, (x2, s1))) = (x4, (x3, (x2, (x1, srand))))
<x1, srand>
<x2, s1>
<x3, s2>
<x4, s3>
s4= (x4, s3)
s3= (x3, s2)
s2= (x2, s1)
s1= (x1, srand)
CS717
Can’t Pop Wrong Entry
• Suppose wrong entry popped– Should’ve been <xi, sh>
– Was <xj, sq>
• But sh+1= (xi, sh) was in trusted memory
• To escape detection <xj, sq> must be s.t.(xj, sq) = (xi, sh) = sh+1
• Computationally hard to pick such <xj, sq>– Since is 2nd preimage resistant
CS717
Popping Empty Stack
• On pop of last element: stack signature = srand
• Can’t be fooled into popping more
<x1, srand>s1= (x1, srand
)
Trusted MemoryMain Memory
s0= srand
• To fool, adversary must produce <xi, s> s.t.(xi, sh) = srand
• This is computationally hard is 2nd preimage
resistant
srand
CS717
Checking Stacks: Summary
• Trusted memory keeps digest of stack state– Preserved across pushes, pops– Small trusted memory size
• Unknowns– Where is signature function recorded?
• Must be trusted memory
– What is power limit of adversary?
CS717
Outline
• Offline Checkers– RAMs– Stacks– Queues
• Online Checkers– RAMs– Stacks– Queues
• Definitions
[BE
GK
N]
[DS
]
• Lower Bounds• 3 Offline Checker Bounds
• Offline Checkers• Stacks• Queues
CS717
Checking Queues
• Stack checker keeps digest of stack contents• Works because encoding’s function calls nest
in stack fashion• Function calls don’t nest like queues
– No clear way to remove “bottom” call
• If keep digests of all elements ever enqueued, no need to remove
CS717
Checker’s Digests
• Keep two digests:– sq – signature of all items ever enqueued
• Including dequeued items
– sdel – signature of all dequeued items
• Both sets act like queues– New data gets pushed– Nothing gets popped
CS717
Initial State
• srand = initial random signature
• sq = sdel = (srand)
– Pretend that enqueued and dequeued srand
srand
Dequeued nodes (not stored)Queue nodes
sq0
= (srand)
MainMemory
sdel = (srand) = sq0
(srand)srand
TrustedMemory
CS717
First Enqueue
• User operation: enqueue(x1)
• Issued operation: enqueue((x1, sq1))
• sq1 = (x1, sq
0)
Dequeued nodes (not stored)Queue nodes
sq1
x1
sq1
= (x1,sq0)
sq0
= (srand)
MainMemory
same
srandsdel = (srand) = sq0
(srand)srand
TrustedMemory
CS717
General Enqueues
• User operation: enqueue(xi)
• Issued operation: enqueue((xi, sqj))
• Sqj+1 = (xi, sq
j)
MainMemory
Dequeued nodes (not stored)Queue nodes
same
sq1
= (x1,sq0)
sq0
= (srand)sq1
= (x1,sq0)
sq0
= (srand)
sq2 = (x2, sq
1)
sq2
x2
sq1
x1
sq1
= (x1,sq0)
sq0
= (srand)
sq2 = (x2, sq
1)sq
1 = (x1,sq
0)sq
0 = (srand)sq
1 = (x1,sq
0)sq
0 = (srand)
sq2 = (x2, sq
1)
sq3
x3
sq2
x2
sq3 = (x3, sq
2)
sq1
x1
sq1
= (x1,sq0)
sq0
= (srand)
sq2 = (x2, sq
1)sq
1 = (x1,sq
0)sq
0 = (srand)sq
1 = (x1,sq
0)sq
0 = (srand)
sq2 = (x2, sq
1)sq
3 = (x3, sq2)
sq1
= (x1,sq0)
sq0
= (srand)
sq2 = (x2, sq
1)sq
3 = (x3, sq2)
sq1
= (x1,sq0)
sq0
= (srand)
sq2 = (x2, sq
1)sq
1 = (x1,sq
0)sq
0 = (srand)sq
1 = (x1,sq
0)sq
0 = (srand)
sq2 = (x2, sq
1)
sq4
x4
sq3
x3
sq3 = (x3, sq
2)
sq2
x2
sq4 = (x4, sq
3)
sq1
x1
srandsdel = (srand) = sq0
(srand)srand
TrustedMemory
CS717
First Dequeue
• User operation: dequeue()
• Issued operation: dequeue() <x1, sq1>
• Recall: sq1 = (x1, sq
0) = (x1, srand)
– In general, dequeued sqj = (x1, sdel)
sq1
= (x1,sq0)
MainMemory
Dequeued nodes (not stored)Queue nodes
sq2 = (x2, sq
1)sq3 = (x3, sq
2)
sq4
x4
sq3
x3
sq2
x2
sq4 = (x4, sq
3)
sq1
x1
sdel = (srand) = sq0 srand
(srand)srand
TrustedMemory
CS717
First Dequeue
• sdel (x1,sdel) = (x1, (srand))
• Check dequeue– Is sdel = sq
1?
sq1
= (x1,sq0)
MainMemory
TrustedMemory
Dequeued nodes (not stored)Queue nodes
(srand)srand
sq2 = (x2, sq
1)sq3 = (x3, sq
2)
sq4
x4
sq3
x3
sq2
x2
sq4 = (x4, sq
3)
sq1
x1
sq1
= (x1, (srand))
srandsdel = (srand) = sq0
same
CS717
Checking Dequeue
• Two ways to compute same thing– With sdel : (x1, (srand))– With sq
1 : dequeued
• Computationally hard to find y,t x1,sq1 s.t.
t = (y, (srand))
sq1
= (x1,sq0)
MainMemory
TrustedMemory
Dequeued nodes (not stored)Queue nodes
(srand)srand
sq2 = (x2, sq
1)sq3 = (x3, sq
2)
sq4
x4
sq3
x3
sq2
x2
sq4 = (x4, sq
3)
sq1
x1
sq1
= (x1, (srand))
srandsdel = (srand) = sq0
same
CS717
First Dequeue
• Invariant Preserved– sq = digest of all elements ever enqueued– sdel = digest of all dequeued elements
• Return x1 to user
sq1
= (x1,sq0)
MainMemory
srandsdel = sq1 = (x1, srand)
Dequeued nodes (not stored)Queue nodes
(srand)srand
sq2 = (x2, sq
1)sq3 = (x3, sq
2)
sq4
x4
sq3
x3
sq2
x2
sq4 = (x4, sq
3)
sq1
x1
TrustedMemory
CS717
General Dequeues
MainMemory
srand
Dequeued nodes (not stored)Queue nodes
sq4 = (x4, sq
3)sdel = sq
1 = (x1, srand)
(srand)srand
sq4
x4
sq3
x3
sq2
x2
sq1
x1
sdel = sq1 = (x1, srand)
sdel = sq2 = (x2, sdel)
(srand)srand
sq4
x4
sq3
x3
sq2
x2
sq1
x1
sdel = sq1 = (x1, srand)
sdel = sq1 = (x1, srand)
sdel = sq2 = (x2, sdel)
sdel = sq2 = (x2, sdel)sdel = sq3 = (x3, sdel)
(srand)srand
sq4
x4
sq3
x3
sq2
x2
sq1
x1
sdel = sq1 = (x1, srand)
sdel = sq1 = (x1, srand)
sdel = sq2 = (x2, sdel)
sdel = sq2 = (x2, sdel)sdel = sq3 = (x3, sdel)
sdel = sq3 = (x3, sdel)sdel = sq4 = (x4, sdel)sdel = sq1 = (x1, srand)
(srand)srand
sq4
x4
sq3
x3
sq2
x2
sq1
x1
• Dequeue <xi, sqj>
• sdel = (xi, sdel)• Check that sdel = sq
j
– Computationally hard to find y,t xi,sqj s.t.
t = (y, (xi, sdel))
TrustedMemory
CS717
General Dequeues
• Invariant preserved at each step– sq = digest of all elements ever enqueued– sdel = digest of all dequeued elements
• Return xi to user
MainMemory
Dequeued nodes (not stored)Queue nodes
sq4 = (x4, sq
3)
(srand)srand
sq4
x4
sq3
x3
sq2
x2
sq1
x1
sdel = sq1 = (x1, srand)
sdel = sq1 = (x1, srand)
sdel = sq2 = (x2, sdel)
sdel = sq2 = (x2, sdel)sdel = sq3 = (x3, sdel)
sdel = sq3 = (x3, sdel)sdel = sq4 = (x4, sdel) srandTrusted
Memory
CS717
General Queue Trick
• Signature function calls nest like stack
• Solution: – Let digest also represent removed elements– Second digest just for removed elements– Perform checks on element removal
CS717
General Queue Trick
• Checking validity– Keep track of main digest value for each element
+ any valid subset of removed elements• For queue: element + prior elements
– On element removal• Add element to second digest• Compare new second digest value to main digest value
for that element + some valid removed subset
• More general than just queues– Useful if data structure can be represented as
repeated applications of signature function
CS717
Outline
• Offline Checkers– RAMs– Stacks– Queues
• Online Checkers– RAMs– Stacks– Queues
• Definitions
[BE
GK
N]
[DS
]
• Lower Bounds• 3 Offline Checker Bounds
• Offline Checkers• Stacks• Queues
CS717
Summary
• Covered several checkers for data structures• Data Structures
– RAMs– Stacks– Queues
• Types– Online– Offline
• Adversaries– Polynomial-time– Infinite power– “Weak”
CS717
Summary
• Exist solutions for trees and graphs
• Efficient checkers for weak adversaries appear possible
• Is it possible to generate checker at compile-time?– i.e. guarantee that for every state change low
probability of corruption– Can it be cheaper than a RAM checker?