Proving the Impossible with Alibi Protocols

Transcription

1 Proving the Impossible with Alibi Protocols Dave Levin Victoria Lai, Cristian Lumezanu, Neil Spring, Bobby Bhattacharjee, Bo Han, John Douceur, Jacob Lorch, Thomas Moscibroda

2 Uncooperative behavior Cooperation Anything and everything for the good of the network Selfishness Malice Gain at the potential expense of others Break the system for notoriety or profit

3 Uncooperative behavior Cooperation Routing: ARPANet s global policy Selfishness Malice Routing: BGP Local pref Routing: Prefix hijacking

4 Uncooperative behavior Cooperation Routing: Transport: ARPANet s global policy TCP congestion control Selfishness Malice Routing: BGP Local pref Routing: Prefix hijacking Transport: TCP Opt-Ack Transport: Mitnick attack

5 Uncooperative behavior Cooperation Routing: Transport: ARPANet s global policy TCP congestion control Selfishness Malice Routing: BGP Local pref Routing: Prefix hijacking Transport: TCP Opt-Ack Transport: Mitnick attack

6 Censorship via DNS injection Censoring AS [Anonymous authors, ACM CCR 2012]

7 Censorship via DNS injection Censoring AS [Anonymous authors, ACM CCR 2012]

8 Censorship via DNS injection lemon IP Censoring AS [Anonymous authors, ACM CCR 2012]

9 Censorship via DNS injection Censor-free ASes lemon IP Censoring AS [Anonymous authors, ACM CCR 2012]

10 Censorship via DNS injection Censor-free ASes lemon IP Censoring AS [Anonymous authors, ACM CCR 2012]

11 Censorship via DNS injection Censor-free ASes lemon IP lemon IP Censoring AS [Anonymous authors, ACM CCR 2012]

12 Censorship via DNS injection Censor-free ASes lemon IP Censoring AS [Anonymous authors, ACM CCR 2012]

13 Building secure decentralized systems Make malfeasance impossible Make malfeasance unprofitable Allow no progress if incorrect DNSSEC, Secure BGP,... Heavyweight Remove the incentive to be incorrect Assumptions not always aligned Make malfeasance detectable Allow incorrect progress Prove that nothing bad happened Ideally, lighter-weight

14 Building secure decentralized systems Make malfeasance impossible Make malfeasance unprofitable Allow no progress if incorrect DNSSEC, Secure BGP,... Heavyweight Remove the incentive to be incorrect Assumptions not always aligned Make malfeasance detectable Allow incorrect progress Prove that nothing bad happened Ideally, lighter-weight

15 Building secure decentralized systems Make malfeasance impossible Make malfeasance unprofitable Allow no progress if incorrect DNSSEC, Secure BGP,... Heavyweight Remove the incentive to be incorrect Assumptions not always aligned Make malfeasance detectable Allow incorrect progress Prove that nothing bad happened Ideally, lighter-weight

16 Building secure decentralized systems Make malfeasance impossible Make malfeasance unprofitable Allow no progress if incorrect DNSSEC, Secure BGP,... Heavyweight Remove the incentive to be incorrect Assumptions not always aligned Make malfeasance detectable Allow incorrect progress Prove that nothing bad happened Ideally, lighter-weight But how do you prove something did not happen?

17 One option: Monitor everything Watch everything that everyone does Watch those who watch everything that everyone does Simulate the system based on its inputs and outputs If it didn t happen in simulation, and if the monitoring was done well, then it probably didn t happen

18 Proving something didn t happen Provide a (small) proof that event A happened If events A and B are mutually exclusive Then B could not have happened

19 Proving something didn t happen Provide a (small) proof that event A happened If events A and B are mutually exclusive Then B could not have happened A serves as an alibi

20 Alibi protocols TrInc: Small, trusted h/w Fighting equivocation with trusted counters NSDI 09 Alibi routing Provably avoiding regions of the network Ongoing

21 Alibi protocols TrInc: Small, trusted h/w Fighting equivocation with trusted counters NSDI 09 Alibi routing Provably avoiding regions of the network Ongoing

22 Trust in distributed systems Selfish Participants Malicious Participants

23 Trust in distributed systems Selfish Participants Malicious Participants Powerful tool: Equivocation A participant equivocates by sending conflicting messages to others

24 Equivocation is versatile and powerful Byz. Generals

25 Equivocation is versatile and powerful Byz. Generals Advance Retreat

26 Equivocation is versatile and powerful Byz. Generals Voting BitTorrent Advance Counted your vote I have piece 5 Retreat Tally w/o s vote I don t have piece 5 Leader election Trusted logs sobgp Digital cash Online games Version control Auctions DHTs

27 Equivocation is versatile and powerful Byz. Generals Advance f malicious users If completely untrusted, 3f+1 users needed for consensus [Lamport et al., 1982] Retreat

28 Equivocation is versatile and powerful Byz. Generals Advance Retreat f malicious users If completely untrusted, 3f+1 users needed for consensus [Lamport et al., 1982] If users cannot equivocate, only 2f+1 users are needed [Chun et al., 2007]

29 Enter Trusted Hardware Equivocation can be rendered impossible with trusted hardware New design space All participants have a trusted component

30 Enter Trusted Hardware Equivocation can be rendered impossible with trusted hardware New design space All participants have a trusted component

31 Enter Trusted Hardware Equivocation can be rendered impossible with trusted hardware New design space All participants have a trusted component

32 Enter Trusted Hardware Equivocation can be rendered impossible with trusted hardware New design space All participants have a trusted component To be practical, the hardware must be small Ubiquity via low cost Tamper-resilient Easier to verify a small TCB

33 Motivating question What is the minimal abstraction needed to make equivocation impossible?

34 Motivating question What is the minimal abstraction needed to make equivocation impossible? A counter and a key are enough

35 TrInc: Trusted Incrementer 1. Monotonically increasing counter 2. Key for signing attestations 34 K

36 TrInc: Trusted Incrementer 1. Monotonically increasing counter 2. Key for signing attestations Attest(36, data) 34 K

37 TrInc: Trusted Incrementer 1. Monotonically increasing counter 2. Key for signing attestations Attest(36, data) 34 K

38 TrInc: Trusted Incrementer 1. Monotonically increasing counter 2. Key for signing attestations Attest(36, data) K

39 TrInc: Trusted Incrementer 1. Monotonically increasing counter 2. Key for signing attestations Attest(36, data) < 34, 36, data >K K

40 TrInc: Trusted Incrementer 1. Monotonically increasing counter 2. Key for signing attestations Attest(36, data) < 34, 36, data >K K Alibi: Nothing was bound to 35

41 TrInc: Trusted Incrementer 1. Monotonically increasing counter 2. Key for signing attestations Attest(36, data) < 34, 36, data >K K Alibi: Nothing was bound to K

42 TrInc: Trusted Incrementer 1. Monotonically increasing counter 2. Key for signing attestations Attest(36, data) < 34, 36, data >K K Alibi: Nothing was bound to 35 Attest(36, non) 36 K

43 TrInc: Trusted Incrementer 1. Monotonically increasing counter 2. Key for signing attestations Attest(36, data) < 34, 36, data >K K Alibi: Nothing was bound to 35 Attest(36, non) 36 K

44 TrInc: Trusted Incrementer 1. Monotonically increasing counter 2. Key for signing attestations Attest(36, data) < 34, 36, data >K K Alibi: Nothing was bound to 35 Attest(36, non) 36 < 36, 36, non >K K

45 TrInc: Trusted Incrementer 1. Monotonically increasing counter 2. Key for signing attestations Attest(36, data) < 34, 36, data >K K Alibi: Nothing was bound to 35 Attest(36, non) 36 < 36, 36, non >K K Status attestation

46 What can TrInc do? Trusted append-only logs Prevent under-reporting in BitTorrent Reduces communication in PeerReview BFT with fewer nodes and messages Ensure fresh data in DHTs Prevent Sybil attacks

47 Implementing a trusted log in TrInc Append(data): Bind new data to the end of the log Lookup(sequence num): No equivocating on what is or is not stored

48 Implementing a trusted log in TrInc Append(data): Bind new data to the end of the log 10 Lookup(sequence num): No equivocating on what is or is not stored

49 Implementing a trusted log in TrInc Append(data): Bind new data to the end of the log 10 Lookup(sequence num): No equivocating on what is or is not stored < 3,8, > < 8,9, > < 9,10, > Untrusted storage

50 Implementing a trusted log in TrInc append Append(data): Bind new data to the end of the log 10 Lookup(sequence num): No equivocating on what is or is not stored < 3,8, > < 8,9, > < 9,10, > Untrusted storage

51 Implementing a trusted log in TrInc attest(11,, ) Append(data): Bind new data to the end of the log 10 Lookup(sequence num): No equivocating on what is or is not stored < 3,8, > < 8,9, > < 9,10, > Untrusted storage

52 Implementing a trusted log in TrInc Append(data): Bind new data to the end of the log 10 Lookup(sequence num): No equivocating on what is or is not stored < 3,8, > < 8,9, > < 9,10, > Untrusted storage

53 Implementing a trusted log in TrInc Append(data): Bind new data to the end of the log Lookup(sequence num): No equivocating on what is or is not stored < 3,8, > < 8,9, > < 9,10, > Untrusted storage

54 Implementing a trusted log in TrInc < 10,11, > Append(data): Bind new data to the end of the log Lookup(sequence num): No equivocating on what is or is not stored < 3,8, > < 8,9, > < 9,10, > Untrusted storage

55 Implementing a trusted log in TrInc Append(data): Bind new data to the end of the log Lookup(sequence num): No equivocating on what is or is not stored < 3,8, > < 8,9, > < 9,10, > < 10,11, > Untrusted storage

56 Implementing a trusted log in TrInc lookup 10 Append(data): Bind new data to the end of the log Lookup(sequence num): No equivocating on what is or is not stored < 3,8, > < 8,9, > < 9,10, > < 10,11, > Untrusted storage

57 Implementing a trusted log in TrInc lookup 10 Append(data): Bind new data to the end of the log Lookup(sequence num): No equivocating on what is or is not stored < 3,8, > < 8,9, > < 9,10, > < 10,11, > Untrusted storage

58 Implementing a trusted log in TrInc Append(data): Bind new data to the end of the log Lookup(sequence num): No equivocating on what is or is not stored < 3,8, > < 8,9, > < 9,10, > < 10,11, > Untrusted storage

59 Implementing a trusted log in TrInc Append(data): Bind new data to the end of the log Lookup(sequence num): No equivocating on what is or is not stored < 3,8, > < 8,9, > < 9,10, > < 9,10, > < 10,11, > Untrusted storage

60 Implementing a trusted log in TrInc Append(data): Bind new data to the end of the log Lookup(sequence num): No equivocating on what is or is not stored < 3,8, > < 8,9, > < 9,10, > < 10,11, > < 9,10, > Fast lookups Few hardware accesses Untrusted storage

61 TrInc Summary Equivocation is versatile and powerful A small amount of trust can secure a large system TrInc is Minimal? A counter and a key Versatile Applies to a wide range of systems Practical Uses the familiar components (in unfamiliar ways)

62 Alibi protocols TrInc: Small, trusted h/w Fighting equivocation with trusted counters NSDI 09 Alibi routing Provably avoiding regions of the network Ongoing

63 Alibi protocols TrInc: Small, trusted h/w Fighting equivocation with trusted counters NSDI 09 Alibi routing Provably avoiding regions of the network Ongoing

64 Avoiding censors Censor-free ASes lemon IP Censoring AS

65 Avoiding censors Censor-free ASes lemon IP Censoring AS

66 Avoiding censors Censor-free ASes but avoid lemon IP Censoring AS

67 Alibi routing

68 Alibi routing

69 Alibi routing Solicit participation from a relay

70 Alibi routing A signature proves the relay forwarded it Solicit participation from a relay

71 Alibi routing A signature proves the relay forwarded it Solicit participation from a relay

72 Alibi routing

73 Alibi routing

74 Alibi routing The triangle inequality mostly holds in the Internet

75 Alibi routing The triangle inequality mostly holds in the Internet Going through the boycotted region would increase latency

76 Alibi routing The farther away the relay, the greater the latency increase. The triangle inequality mostly holds in the Internet Going through the boycotted region would increase latency

77 Finding relays Embed end hosts and regions into a coordinate space Query regions of the space that are far from the avoidee

78 Finding relays Embed end hosts and regions into a coordinate space Query regions of the space that are far from the avoidee

79 Finding relays Embed end hosts and regions into a coordinate space Query regions of the space that are far from the avoidee

80 Finding relays Embed end hosts and regions into a coordinate space Query regions of the space that are far from the avoidee

81 Finding relays Embed end hosts and regions into a coordinate space Query regions of the space that are far from the avoidee

82 Can countries avoid one another? NorthAmerica MiddleEast Europe SouthAmerica Asia 0.6 CDF Number of reachable destinations

83 Can countries avoid one another? Ideal NorthAmerica MiddleEast Europe SouthAmerica Asia 0.6 CDF Number of reachable destinations

84 Can countries avoid one another? NorthAmerica MiddleEast Europe SouthAmerica Asia 0.6 CDF Number of reachable destinations

85 Can countries avoid one another? NorthAmerica MiddleEast Europe SouthAmerica Asia CDF Multiple relays may be necessary Number of reachable destinations

86 Can countries avoid one another? NorthAmerica MiddleEast Europe SouthAmerica Asia CDF Multiple relays may be necessary A few tens of Number of reachable destinations milliseconds often suffices (not shown)

87 Alibi routing is not a panacea Packets can always be copied Provides a small but useful signal to systems: This packet didn t go somewhere bad Or else it might have Systems must decide how to react to that signal Drop the connection? Initiate stronger end-to-end protection?

88 Proving the impossible with alibis Global systems require interactions among self-interested parties Alibi protocols prove something untoward did not happen Without having to prove everything that did An attractive alternative to traditional accountability systems Lightweight Easy to deploy Easy to incorporate with existing systems