Transcript Document
Intrusion Tolerance
: The Killer App for BFT (?)
Alysson Bessani, Miguel Correia, Paulo Sousa, Nuno Ferreira Neves, Paulo Veríssimo
Universidade de Lisboa, Faculdade de Ciências
Workshop on Theory and Practice of BFT
BFT3W'09 1
The Promise of BFT
• From the abstract of Castro & Liskov OSDI’99 paper:
“We believe that Byzantine fault-tolerant algorithms will be increasingly important in the future because malicious attacks and software errors are increasingly common and can cause faulty nodes to exhibit arbitrary behavior.”
BFT3W'09 2
The Promise of BFT
Our claim:
• BFT can be used to tolerate certain accidental value faults
But there are simpler techniques to do that
• The real appeal of the technique is to tolerate attacks, intrusions and bugs
BFT → Intrusion Tolerance
BFT3W'09 3
Intrusion Tolerance
• Coined by Joni Fraga and David Powell
“A Fault- and Intrusion-Tolerant File System”, IFIP SEC,1985
• An
intrusion-tolerant system
can maintain its security properties (
confidentiality
,
integrity
and
availability
) despite some of its components being compromised.
•
Appeal:
since it’s impossible to prove that a system has no vulnerabilities, it is more safe to assume that intrusions can happen.
BFT3W'09 4
Intrusion Tolerance
• BFT replication protocols are a key mechanism for intrusion-tolerant systems • But there are others: – Diversity
Fault independence
– Confidentiality schemes Fundamental for certain domains – Fault/Intrusion detection Accountability – Recovery and Self-healing Fundamental for long-lived systems BFT3W'09 5
Intrusion Tolerance
• The resulting system is very COMPLEX!
• There comes the InTol dilemma: – Complex systems tend to have more vulnerabilities and be more prone to configuration errors – So, an intrusion-tolerant system build to be more secure, tend to be less secure… BFT3W'09 6
Intrusion-Tolerant Firewall
CIS
But it can be done for simple critical systems!
Distributed trusted component
T CIS
Incomming Traffic
HUB CIS T CIS T HUB
x = dP(V,f)/dt
Controller Generator 7
Intrusion-Tolerant Firewall
Substation A Substation B Substation C
• The CIS was used in an architecture to protect critical infrastructures (e.g., power systems) • This is a good application scenario for BFT/Intrusion tolerance BFT3W'09 8
The role of trusted components
• Trusted components (TTCB, A2M, USIG, Trinc) should be used to simplify BFT protocols • Example: MinBFT (Veronese et al. 2008) uses the USIG service to implement the minimal non speculative BFT SMR protocol: MinBFT Minimal: - Number of replicas - Communication steps - Trusted component PBFT A2M-EA 9 BFT3W'09
Concerns for BFT/IT Adoption
• BFT Usefulness • BFT Implementations • BFT Abstractions BFT3W'09 10
BFT Added Value
• The key challenge:
“How to show that an intrusion tolerant service is more secure than a non-intrusion tolerant counterpart?”
• The equivalent question:
“How to measure the security of a system?”
BFT3W'09 11
BFT Systems
• We need at least one
stable
replication lib!
and
robust
BFT • JBP (Java Byzantine Paxos) – Under development since 2007 for use on the replication layer of DepSpace – Peak throughput competitive to PBFT (~22 Kop/s*) – Key concerns on the current version: • Modularity is a top priority: scalable communication, total order multicast, Byzantine paxos consensus and checkpoint • Avoid optimizations that bring complexity (e.g., authenticators, agreement over message hashes) BFT3W'09 12
BFT Abstractions BFT ≠ BFT State Machine Replication
BFT3W'09 13
BFT Abstractions
• SMR has its limitations: – CFT systems are usually based on primary backup – Most modern services do not employ consensus protocol on their critical path • What options?
– High-level abstractions – Low-level abstractions BFT3W'09 14
High-level Abstractions: Coordination Services
Traditional systems Coordination systems • Crash FT: Zookeper (name service + sequencers),
Chubby
system + locks),
Sinfonia
(registers + mini transactions) (file • BFT: DepSpace (policy enforced augmented tuple space) BFT3W'09 15
I’m Malicious !
High-level Abstractions: Coordination Services
PROCESSES SERVERS Two important questions:
1. What is the synchronization power of the CS objects?
16
Low-level Abstractions: Active Quorum Systems
SMR: the service as a replicated deterministic state machine SERVERS AQS: the service as a a set of independent objects accessed by different clients.
17
Low-level Abstractions: Active Quorum Systems
read
Quorum-based asynchronous protocols for register Implementation.
write
PBFT with some modifications to deal with concurrent writes.
rmw
BFT3W'09 18
Low-level Abstractions: Active Quorum Systems
• Is it useful? Some services: – LDAP: • Main AQS Object:
LDAP Entry
• Only Entry creation and removal require
rmw
– Smart block storage: • Main AQS Object:
Data Block
• Uses
rmw
to modify single bytes of large blocks – Tuple Space: • Main AQS Object:
Tuple
• Only tuple removal uses
rmw
BFT3W'09 19
Summary
• The promise of BFT: tolerate intrusions – Can be done for simple services – Require other mechanisms • Concerns to be addressed: – How to show the improved security of BFT/intrusion tolerant systems?
– Build a stable and robust BFT library – BFT is not SMR: • Coordination Services • Active Quorum Systems BFT3W'09 20
Some Related Publications
• Bessani et al.
The CRUTIAL way of protecting critical infrastructures
. IEEE S&P Magazine (Dec 2008) • Sousa et al.
Highly Available Intrusion Tolerance through Proactive and Reactive Recovery
. IEEE TPDS (to appear) • Veronese et al.
Minimal Byzantine Fault Tolerance: Algorithms and Evaluation
. FCUL-DI-TR 09-15 (under submission). 2009 • Bessani et al.
DepSpace: A Byzantine Fault-Tolerant Coordination Service
. EuroSys’08 • Bessani et al.
Sharing Memory between Byzantine Processes using a Police-enforced Augmented Tuple Space
. IEEE TPDS (Mar 2009) • Bessani et al.
An Efficient Byzantine-resilient Tuple Space
. IEEE TC (Aug 2009)
http://www.navigators.di.fc.ul.pt
BFT3W'09 21