Upload
helia
View
45
Download
0
Tags:
Embed Size (px)
DESCRIPTION
Intrusion Tolerance : The Killer App for BFT (?). Alysson Bessani , Miguel Correia, Paulo Sousa, Nuno Ferreira Neves, Paulo Veríssimo Universidade de Lisboa, Faculdade de Ciências Workshop on Theory and Practice of BFT. The Promise of BFT. From the abstract of Castro & Liskov OSDI’99 paper: - PowerPoint PPT Presentation
Citation preview
BFT3W'09 1
Intrusion Tolerance:The Killer App for BFT (?)
Alysson Bessani, Miguel Correia, Paulo Sousa, Nuno Ferreira Neves, Paulo VeríssimoUniversidade de Lisboa, Faculdade de Ciências
Workshop on Theory and Practice of BFT
BFT3W'09 2
The Promise of BFT
• From the abstract of Castro & Liskov OSDI’99 paper:
“We believe that Byzantine fault-tolerant algorithms will be increasingly important in the future because malicious attacks and software errors are increasingly common and can cause faulty nodes to exhibit arbitrary behavior.”
BFT3W'09 3
The Promise of BFT
Our claim:
• BFT can be used to tolerate certain accidental value faults
But there are simpler techniques to do that
• The real appeal of the technique is to tolerate attacks, intrusions and bugs
BFT → Intrusion Tolerance
BFT3W'09 4
Intrusion Tolerance
• Coined by Joni Fraga and David Powell“A Fault- and Intrusion-Tolerant File System”, IFIP SEC,1985
• An intrusion-tolerant system can maintain its security properties (confidentiality, integrity and availability) despite some of its components being compromised.
• Appeal: since it’s impossible to prove that a system has no vulnerabilities, it is more safe to assume that intrusions can happen.
BFT3W'09 5
Intrusion Tolerance
• BFT replication protocols are a key mechanism for intrusion-tolerant systems
• But there are others:– Diversity– Confidentiality schemes– Fault/Intrusion detection– Recovery and Self-healing
Fault independence
Fundamental for certain domains
Accountability
Fundamental for long-lived systems
BFT3W'09 6
Intrusion Tolerance
• The resulting system is very COMPLEX!
• There comes the InTol dilemma:– Complex systems tend to have more
vulnerabilities and be more prone to configuration errors
– So, an intrusion-tolerant system build to be more secure, tend to be less secure…
BFT3W'09 7
Intrusion-Tolerant Firewall
IncommingTraffic
HUB HUB
CIS
CIS
CISController
Generator
x = dP(V,f)/dt
CIS
T
T
T
T
Distributed trusted component
But it can be done forsimple critical systems!
BFT3W'09 8
Intrusion-Tolerant Firewall
• The CIS was used in an architecture to protect critical infrastructures (e.g., power systems)
• This is a good application scenario for BFT/Intrusion tolerance
Substation ASubstation B
Substation C
BFT3W'09 9
The role of trusted components
• Trusted components (TTCB, A2M, USIG, Trinc) should be used to simplify BFT protocols
• Example: MinBFT (Veronese et al. 2008) uses the USIG service to implement the minimal non-speculative BFT SMR protocol:
MinBFT
A2M-EA
PBFT
Minimal:- Number of replicas- Communication steps- Trusted component
BFT3W'09 10
Concerns for BFT/IT Adoption
• BFT Usefulness
• BFT Implementations
• BFT Abstractions
BFT3W'09 11
BFT Added Value
• The key challenge:“How to show that an intrusion tolerant service is more secure than a non-intrusion-tolerant counterpart?”
• The equivalent question:“How to measure the security of a system?”
BFT3W'09 12
BFT Systems
• We need at least one stable and robust BFT replication lib!
• JBP (Java Byzantine Paxos)– Under development since 2007 for use on the
replication layer of DepSpace– Peak throughput competitive to PBFT (~22 Kop/s*)– Key concerns on the current version:
• Modularity is a top priority: scalable communication, total order multicast, Byzantine paxos consensus and checkpoint
• Avoid optimizations that bring complexity (e.g., authenticators, agreement over message hashes)
BFT3W'09 13
BFT Abstractions
BFT ≠ BFT State Machine Replication
BFT3W'09 14
BFT Abstractions
• SMR has its limitations:– CFT systems are usually based on primary-
backup– Most modern services do not employ
consensus protocol on their critical path
• What options?– High-level abstractions– Low-level abstractions
BFT3W'09 15
High-level Abstractions: Coordination Services
• Crash FT: Zookeper (name service + sequencers), Chubby (file system + locks), Sinfonia (registers + mini transactions)
• BFT: DepSpace (policy enforced augmented tuple space)
Traditional systems Coordination systems
BFT3W'09 16
High-level Abstractions:Coordination Services
SERVERSPROCESSES
I’m Malicious
!
Two important questions:
1. What is the synchronization power of the CS objects?
2. What is the role of access control models?
SharedMemoryShared
Memory
BFT3W'09 17
Low-level Abstractions:Active Quorum Systems
SERVERS
SERVERS
SMR: the service as a replicated deterministic
state machine
AQS: the service as a a set of independentobjects accessed by
different clients.
BFT3W'09 18
Low-level Abstractions:Active Quorum Systems
read
write
rmw
Quorum-based asynchronousprotocols for register
Implementation.
PBFT with somemodifications to
deal with concurrentwrites.
BFT3W'09 19
Low-level Abstractions:Active Quorum Systems
• Is it useful? Some services:– LDAP:
• Main AQS Object: LDAP Entry• Only Entry creation and removal require rmw
– Smart block storage: • Main AQS Object: Data Block• Uses rmw to modify single bytes of large blocks
– Tuple Space: • Main AQS Object: Tuple• Only tuple removal uses rmw
BFT3W'09 20
Summary
• The promise of BFT: tolerate intrusions– Can be done for simple services– Require other mechanisms
• Concerns to be addressed:– How to show the improved security of BFT/intrusion
tolerant systems?– Build a stable and robust BFT library– BFT is not SMR:
• Coordination Services• Active Quorum Systems
BFT3W'09 21
Some Related Publications• Bessani et al. The CRUTIAL way of protecting critical
infrastructures. IEEE S&P Magazine (Dec 2008)• Sousa et al. Highly Available Intrusion Tolerance through Proactive
and Reactive Recovery. IEEE TPDS (to appear)• Veronese et al. Minimal Byzantine Fault Tolerance: Algorithms and
Evaluation. FCUL-DI-TR 09-15 (under submission). 2009• Bessani et al. DepSpace: A Byzantine Fault-Tolerant Coordination
Service. EuroSys’08• Bessani et al. Sharing Memory between Byzantine Processes using
a Police-enforced Augmented Tuple Space. IEEE TPDS (Mar 2009)• Bessani et al. An Efficient Byzantine-resilient Tuple Space. IEEE TC
(Aug 2009)
http://www.navigators.di.fc.ul.pt