
BFT3W'09 1

Intrusion Tolerance: The Killer App for BFT (?)

Alysson Bessani, Miguel Correia, Paulo Sousa, Nuno Ferreira Neves, Paulo Veríssimo
Universidade de Lisboa, Faculdade de Ciências

Workshop on Theory and Practice of BFT

BFT3W'09 2

The Promise of BFT

• From the abstract of Castro & Liskov OSDI’99 paper:

“We believe that Byzantine fault-tolerant algorithms will be increasingly important in the future because malicious attacks and software errors are increasingly common and can cause faulty nodes to exhibit arbitrary behavior.”

BFT3W'09 3

The Promise of BFT

Our claim:

• BFT can be used to tolerate certain accidental value faults, but there are simpler techniques for that

• The real appeal of the technique is to tolerate attacks, intrusions and bugs

BFT → Intrusion Tolerance

BFT3W'09 4

Intrusion Tolerance

• Coined by Joni Fraga and David Powell, “A Fault- and Intrusion-Tolerant File System”, IFIP SEC, 1985

• An intrusion-tolerant system can maintain its security properties (confidentiality, integrity and availability) despite some of its components being compromised.

• Appeal: since it is impossible to prove that a system has no vulnerabilities, it is safer to assume that intrusions can happen.

BFT3W'09 5

Intrusion Tolerance

• BFT replication protocols are a key mechanism for intrusion-tolerant systems

• But there are others:
– Diversity (fault independence)
– Confidentiality schemes (fundamental for certain domains)
– Fault/Intrusion detection (accountability)
– Recovery and self-healing (fundamental for long-lived systems)

BFT3W'09 6

Intrusion Tolerance

• The resulting system is very COMPLEX!

• There comes the InTol dilemma:
– Complex systems tend to have more vulnerabilities and to be more prone to configuration errors
– So an intrusion-tolerant system built to be more secure tends to be less secure…

BFT3W'09 7

Intrusion-Tolerant Firewall

[Figure: architecture of the intrusion-tolerant firewall. Incoming traffic passes through two hubs to a set of CIS replicas, each hosting a local trusted component (T); together these form a distributed trusted component. A CIS controller connects the replicas to the protected control side, shown with a generator and the control quantity x = dP(V,f)/dt.]

But it can be done for simple critical systems!

BFT3W'09 8

Intrusion-Tolerant Firewall

• The CIS was used in an architecture to protect critical infrastructures (e.g., power systems)

• This is a good application scenario for BFT/Intrusion tolerance

[Figure: Substation A, Substation B and Substation C, each protected by the CIS-based architecture.]

BFT3W'09 9

The role of trusted components

• Trusted components (TTCB, A2M, USIG, TrInc) should be used to simplify BFT protocols

• Example: MinBFT (Veronese et al. 2008) uses the USIG service to implement the minimal non-speculative BFT SMR protocol:

[Figure: comparison of MinBFT, A2M-EA and PBFT. MinBFT is minimal in the number of replicas, the number of communication steps and the trusted component it requires.]
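The slide says only that MinBFT builds on the USIG service; it does not spell out what the service does. The following is an added illustration, written for this page and not taken from the slides or from the MinBFT authors' code, of the mechanism such a trusted counter provides and of the check a replica makes with it. Everything about the interface is an assumption made here: a `create_ui(message)` operation that returns a unique identifier (UI) made of a strictly increasing counter and a MAC over sender id, counter and message digest, a `verify_ui` operation, and a constructed key shared by all trusted components. The replica ids, the `PREPARE` strings and the scenario are constructed for the example.

```python
import hashlib
import hmac
from dataclasses import dataclass

# Constructed deployment key. Assumption for this example: every trusted
# component holds the same key, so any USIG can verify any other's UIs.
# The untrusted replica code never touches it.
SHARED_KEY = b"constructed-usig-key-for-the-example"


@dataclass(frozen=True)
class UI:
    """Unique identifier: a counter value plus a MAC binding it to one message."""
    counter: int
    tag: bytes


class USIG:
    """Model of the trusted component: one counter per replica that is never
    reused and never goes backwards, so one counter value can certify at most
    one message."""

    def __init__(self, replica_id: int, key: bytes = SHARED_KEY):
        self.replica_id = replica_id
        self._key = key
        self._counter = 0

    def _mac(self, replica_id: int, counter: int, message: bytes) -> bytes:
        data = (replica_id.to_bytes(2, "big") + counter.to_bytes(8, "big")
                + hashlib.sha256(message).digest())
        return hmac.new(self._key, data, hashlib.sha256).digest()

    def create_ui(self, message: bytes) -> UI:
        self._counter += 1
        return UI(self._counter, self._mac(self.replica_id, self._counter, message))

    def verify_ui(self, sender_id: int, message: bytes, ui: UI) -> bool:
        return hmac.compare_digest(ui.tag, self._mac(sender_id, ui.counter, message))


class Replica:
    """Untrusted replica code: asks its USIG to check the MAC and then insists
    on gap-free, strictly increasing counters from each sender."""

    def __init__(self, replica_id: int):
        self.usig = USIG(replica_id)
        self.last_counter = {}  # sender id -> last accepted counter

    def accept(self, sender_id: int, message: bytes, ui: UI) -> bool:
        if not self.usig.verify_ui(sender_id, message, ui):
            return False  # forged UI, or message altered after certification
        if ui.counter != self.last_counter.get(sender_id, 0) + 1:
            return False  # replay (counter too low) or gap (a message was withheld)
        self.last_counter[sender_id] = ui.counter
        return True


def equivocation_scenario() -> dict:
    """A faulty primary (id 0) tries to order two different requests under the
    same sequence number by telling replica 1 one thing and replica 2 another."""
    primary = USIG(0)
    r1, r2 = Replica(1), Replica(2)
    prepare_a = b"PREPARE seq=1 request=A"
    prepare_b = b"PREPARE seq=1 request=B"
    ui_a = primary.create_ui(prepare_a)  # gets counter 1
    ui_b = primary.create_ui(prepare_b)  # gets counter 2; counter 1 cannot be reissued
    return {
        # replica 1 sees a well-formed first message
        "r1_accepts_a": r1.accept(0, prepare_a, ui_a),
        # replica 2 is offered B with counter 2 before seeing counter 1: a gap, refused
        "r2_refuses_b_first": not r2.accept(0, prepare_b, ui_b),
        # re-sending an already accepted UI is a replay, refused
        "r1_refuses_replay": not r1.accept(0, prepare_a, ui_a),
        # pairing message B with A's UI fails the MAC check
        "r1_refuses_tampered": not r1.accept(0, prepare_b, ui_a),
        # once replica 2 has counter 1 it accepts counter 2 and then holds both
        # conflicting PREPAREs with the primary's UIs on them: proof of equivocation
        "r2_ends_up_with_both": r2.accept(0, prepare_a, ui_a) and r2.accept(0, prepare_b, ui_b),
    }
```

The point the scenario makes is the one behind the "minimal" claims above: because the trusted component refuses to certify two messages with the same counter, a compromised replica cannot say different things to different peers without leaving a gap or handing out evidence, and the protocol no longer needs the extra replicas and rounds that exist only to outvote equivocation.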

BFT3W'09 10

Concerns for BFT/IT Adoption

• BFT Usefulness

• BFT Implementations

• BFT Abstractions

BFT3W'09 11

BFT Added Value

• The key challenge: “How to show that an intrusion tolerant service is more secure than a non-intrusion-tolerant counterpart?”

• The equivalent question: “How to measure the security of a system?”

BFT3W'09 12

BFT Systems

• We need at least one stable and robust BFT replication lib!

• JBP (Java Byzantine Paxos)
– Under development since 2007 for use on the replication layer of DepSpace
– Peak throughput competitive with PBFT (~22 Kop/s*)
– Key concerns on the current version:
• Modularity is a top priority: scalable communication, total order multicast, Byzantine Paxos consensus and checkpoint
• Avoid optimizations that bring complexity (e.g., authenticators, agreement over message hashes)

BFT3W'09 13

BFT Abstractions

BFT ≠ BFT State Machine Replication

BFT3W'09 14

BFT Abstractions

• SMR has its limitations:
– CFT systems are usually based on primary-backup
– Most modern services do not employ a consensus protocol on their critical path

• What options?
– High-level abstractions
– Low-level abstractions

BFT3W'09 15

High-level Abstractions: Coordination Services

• Crash FT: ZooKeeper (name service + sequencers), Chubby (file system + locks), Sinfonia (registers + mini transactions)

• BFT: DepSpace (policy-enforced augmented tuple space)

[Figure: two columns contrasting traditional systems with coordination systems.]

BFT3W'09 16

High-level Abstractions:Coordination Services

[Figure: processes accessing shared memory through a set of servers; one of the processes is labelled “I’m Malicious!”]

Two important questions:

1. What is the synchronization power of the CS objects?

2. What is the role of access control models?

BFT3W'09 17

Low-level Abstractions:Active Quorum Systems

[Figure: two groups of servers, one organized as SMR and one as AQS.]

SMR: the service as a replicated deterministic state machine.

AQS: the service as a set of independent objects accessed by different clients.

BFT3W'09 18

Low-level Abstractions:Active Quorum Systems

[Figure: the three operations on an AQS object: read, write and rmw (read-modify-write).]

read/write: quorum-based asynchronous protocols for register implementation.

rmw: PBFT with some modifications to deal with concurrent writes.

BFT3W'09 19

Low-level Abstractions:Active Quorum Systems

• Is it useful? Some services:
– LDAP:
• Main AQS object: LDAP entry
• Only entry creation and removal require rmw
– Smart block storage:
• Main AQS object: data block
• Uses rmw to modify single bytes of large blocks
– Tuple space:
• Main AQS object: tuple
• Only tuple removal uses rmw
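The two preceding slides state that read and write on an AQS object use quorum-based asynchronous register protocols, and that most operations of the listed services (LDAP entries, data blocks, tuples) need only those two. The block below is an added example, written for this page and not code from the slides or from the authors' AQS implementation, of such a register over n = 3f + 1 servers with self-verifying data: the writer certifies each (timestamp, value) pair, a client waits for n − f replies, discards anything that fails verification, and takes the highest timestamp. Assumptions made here: f = 1, a MAC under a constructed key standing in for the writer's signature, in-process server objects instead of network endpoints, and one faulty server that either forges replies or stays silent. rmw, which the slides route through a modified PBFT, is not modelled.

```python
import hashlib
import hmac
from dataclasses import dataclass

F = 1              # faulty servers tolerated
N = 3 * F + 1      # servers
QUORUM = N - F     # replies a client waits for (waiting for more could block forever)

# Constructed key. Simplification: writer and readers share it, so a MAC
# stands in for the writer's signature; a real deployment would use signatures.
WRITER_KEY = b"constructed-writer-key"


@dataclass(frozen=True)
class Record:
    ts: int
    value: bytes
    tag: bytes


def certify(ts: int, value: bytes) -> bytes:
    return hmac.new(WRITER_KEY, ts.to_bytes(8, "big") + value, hashlib.sha256).digest()


def valid(rec: Record) -> bool:
    """Self-verifying data: a server cannot fabricate a record the writer never certified."""
    return hmac.compare_digest(rec.tag, certify(rec.ts, rec.value))


EMPTY = Record(0, b"", certify(0, b""))


class Server:
    """Correct server: keeps the certified record with the highest timestamp."""

    def __init__(self):
        self.rec = EMPTY

    def write(self, rec: Record):
        if valid(rec) and rec.ts > self.rec.ts:
            self.rec = rec
        return "ack"

    def read(self):
        return self.rec


class ByzantineServer(Server):
    """Drops writes but acknowledges them, and answers reads with a forged
    record carrying a huge timestamp."""

    def write(self, rec: Record):
        return "ack"

    def read(self):
        return Record(10**6, b"forged", b"\x00" * 32)


class SilentServer(Server):
    """Never answers; models a crashed or partitioned server."""

    def write(self, rec: Record):
        return None

    def read(self):
        return None


class Client:
    def __init__(self, servers):
        self.servers = servers

    def write(self, ts: int, value: bytes) -> Record:
        rec = Record(ts, value, certify(ts, value))
        acks = [s.write(rec) for s in self.servers]
        if sum(a is not None for a in acks) < QUORUM:
            raise TimeoutError("write quorum not reached")
        return rec

    def read(self) -> Record:
        replies = [r for r in (s.read() for s in self.servers) if r is not None]
        if len(replies) < QUORUM:
            raise TimeoutError("read quorum not reached")
        # Any QUORUM replies intersect the last write quorum in at least
        # 2*QUORUM - N = F + 1 servers, so at least one correct server among
        # them holds the newest certified record; forged records are dropped.
        newest = max((r for r in replies if valid(r)), key=lambda r: r.ts)
        for s in self.servers:  # write-back so later reads are at least as new
            s.write(newest)
        return newest


def scenario(faulty) -> tuple:
    """Three correct servers plus one faulty one: two writes, then a read."""
    client = Client([Server(), Server(), Server(), faulty])
    client.write(1, b"v1")
    client.write(2, b"v2")
    rec = client.read()
    return rec.ts, rec.value
```

Running `scenario(ByzantineServer())` and `scenario(SilentServer())` both return the second write; the forged reply with timestamp 10**6 is rejected by `valid` before the timestamp comparison, and the silent server simply never counts toward the quorum. This is the whole point of the quorum approach for read/write objects: no agreement protocol runs on the critical path, only a bounded wait for n − f answers plus a per-reply integrity check.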

BFT3W'09 20

Summary

• The promise of BFT: tolerate intrusions
– Can be done for simple services
– Requires other mechanisms

• Concerns to be addressed:
– How to show the improved security of BFT/intrusion-tolerant systems?
– Build a stable and robust BFT library
– BFT is not SMR:
• Coordination Services
• Active Quorum Systems

BFT3W'09 21

Some Related Publications

• Bessani et al. The CRUTIAL way of protecting critical infrastructures. IEEE S&P Magazine (Dec 2008)
• Sousa et al. Highly Available Intrusion Tolerance through Proactive and Reactive Recovery. IEEE TPDS (to appear)
• Veronese et al. Minimal Byzantine Fault Tolerance: Algorithms and Evaluation. FCUL-DI-TR 09-15 (under submission), 2009
• Bessani et al. DepSpace: A Byzantine Fault-Tolerant Coordination Service. EuroSys’08
• Bessani et al. Sharing Memory between Byzantine Processes using a Policy-enforced Augmented Tuple Space. IEEE TPDS (Mar 2009)
• Bessani et al. An Efficient Byzantine-resilient Tuple Space. IEEE TC (Aug 2009)

http://www.navigators.di.fc.ul.pt