Towards Scalable and Robust Distributed Systems

1
Towards Scalable and Robust Distributed Systems

• Christian Scheideler
• Institut für Informatik
• Technische Universität München

2
Basic Goals
Correctness
??
Efficiency
Robustness
3
Development of Computer
Correctness, Efficiency, Robustness
4
Four Commandments of Distributed Systems

• You shall not sleep.
• You shall not lie.
• You shall not steal.
• You shall not kill.
• Not enforceable in open distributed systems!
• Countermeasures
• Algorithmic solution as long as majority awake.
• Cryptography, error-correcting codes, verifiable
  secret sharing,...
• Serious problem! (viruses, phishing, DRM,...)
• Serious problem! (DoS attacks)

5
Fundamental Dilemma

• EfficiencyMinimize resources needed for
  operations
• RobustnessMaximize resources needed for attacks

Scalable systems are easy to attack!!
6
Options

• Restriction to legal attacks
• join-leave attacks
• insert-lookup attacks
• New paradigm

7
Join-Leave Attacks

• Peer-to-peer systems have attracted a lot of
  attention in recent years
• In open peer-to-peer systems peers may frequently
  join and leave

8
Join-Leave Model

• n honest peers
• ?n adversarial peers, ?lt1
• Operations
• Join(v) peer v joins the system
• Leave(v) peer v leaves the system
• Goal maintain scalability and robustness for
  any sequence of polynomially many adversarial
  rejoin (leavejoin) requests

9
More specific goal

• n honest peers, ?n adversarial peers
• every peer has point in 0,1)
• For any interval I ½ 0,1) of size (c log n)/n
• Balancing condition ?(log n) peers in I
• Majority condition honest peers in majority

10
How to satisfy conditions?

• Chord uses cryptographic hash function to map
  peers to points in 0,1)
• randomly distributes honest peers
• does not randomly distribute adversarial peers

11
How to satisfy conditions?

• CAN map peers to random points in 0,1)

12
How to satisfy conditions?

• Group spreading AS04
• Map peers to random points in 0,1)
• Limit lifetime of peers

Too expensive!
13
How to satisfy conditions?

• Rule that works k-cuckoo rule AS06a

n honest ?n adversarial
evict k/n-region
? lt 1-1/k
Rejoin leave and join via k-cuckoo rule
14
Limitation of k-cuckoo rule

• Only works for any sequence of rejoin requests of
  adversarial peers.
• Does not work for any sequence of rejoin
  requests.

15
k-flipcuckoo rule AS07

• Join as before (k-cuckoo rule)
• Leave random k/n-region among c log n
  neighboring k/n-regions, empty flip it with
  random k/n-region

n honest ?n adversarial
flip
16
DoS-attacks???

• Attacks oblivious to random bits OK
• Attacks adaptive to random bits

17
Insert-lookup attacks

• Mehlhorn Vishkin 84 Any step of a CRCW PRAM
  can be simulated on a distributed memory system
  in O(log2 n) time (n processors).
• Needs O(log n) hash functions with certain
  expansion properties.
• Uses combining and filtering.

18
DoS attacks???

• Oblivious DoS attacksRandom peer distribution
• Adaptive DoS attacks
• Past insider DoS attacks?Adversary knows
  everything till time t

19
Past insider DoS attack

• Dilemma
• Explicit data structure can only make polylog
  updates to be scalable, so easy to attack
• Fixed hash function insert and lookup cheap, but
  easy to attack
• Random placement difficult to attack, but insert
  and lookup expensive
• Combine fixed hashing with random placement!!

20

• What about arbitrary DoS attacks???

21
The problem is not openness. The problem is
exposure.
22
Some Facts

• More than 90 of Emails is SPAM
• Thousands of software bugs per year
• 3 days until virus developed for bug, but 31
  days till patch available
• 8000 denial-of-service attacks per day
• gt150.000 phishing attacks per year

23
Can exposure be prevented without losing
openness???
24
Laws of Robustness

• Owner consent and control
• Principle of least authority

25
Not just for computers

• EU Recommendation on privacy of medical
  data1997, U.S. OCR HIPAA act
• Owner consent and controlPatients should have
  full control over their medical data.
• Principle of least authorityAccess should only
  be given to information necessary for the
  diagnosis and treatment.

26
Demands

• Principle of least authority
• Not more knowledge than necessary.
• Not more rights than necessary.
• Owner consent and control
• Universality freedom of choice
• Simplicity consequences transparent

27
New Paradigm

• Subjects
• Objects
• Relay points

28
Subjects and Objects
Atomic, anonymous, active, static,only reachable
via relay points
Atomic, anonymous, passive, dynamic data, cannot
be copied,info only accessible via keys
Fixed identity, fixed outgoing connection, incomin
g connections controlled by owner
Consent and control, least authority?
29
Descendents
Creation of new child
Resource control
communication
Mother
Child
Consent and control, least authority?
30
First contact
R
A
B
Public identity (TAN)
R

• Subjects have no identity
• Relay points have fixed identities (that are
  not accessible by applications)
• Outgoing connections cannot be changed

Consent and control, least authority?
31
Introduction
A
B
R
RgtB
C
BgtA
AgtB
Consent and control, least authority?
32
Realization
Internet
ISP
Relay points
33
Current State

• Simulation environment available(see
  www14.in.tum.de/personen/scheideler)
• Used in lectures
• Talks to set up DFG project and realize paradigm
  as operating system kernel

34
Questions?