TrInc: Small Trusted Hardware for Large Distributed Systems

Size: px

Start display at page:

Download "TrInc: Small Trusted Hardware for Large Distributed Systems"

Marcus Shields
5 years ago
Views:

1 TrInc: Small Trusted Hardware for Large Distributed Systems University of Maryland John R. Douceur Jacob R. Lorch Thomas Moscibroda Microsoft Research

2 Trust in distributed systems Selfish Participants Malicious Participants 2

3 Trust in distributed systems Selfish Participants Malicious Participants Powerful tool: Equivocation A participant equivocates by sending conflicting messages to others 2

4 Equivocation is common and powerful Byz. Generals 3

5 Equivocation is common and powerful Byz. Generals Advance Retreat 3

6 Equivocation is common and powerful Byz. Generals Voting Advance Retreat 3

7 Equivocation is common and powerful Byz. Generals Voting Advance Counted your vote Retreat Tally w/o s vote 3

8 Equivocation is common and powerful Byz. Generals Voting BitTorrent Advance Counted your vote Retreat Tally w/o s vote 3

9 Equivocation is common and powerful Byz. Generals Voting BitTorrent Advance Counted your vote I have piece 5 Retreat Tally w/o s vote I don t have piece 5 3

10 Equivocation is common and powerful Byz. Generals Voting BitTorrent Advance Counted your vote I have piece 5 Retreat Tally w/o s vote I don t have piece 5 Leader election Trusted logs sobgp Digital cash Online games Version control Auctions DHTs 3

11 Equivocation is common and powerful Byz. Generals Advance f malicious users If completely untrusted, 3f+1 users needed for consensus [Lamport et al, 1982] Retreat 3

12 Equivocation is common and powerful Byz. Generals Advance Retreat f malicious users If completely untrusted, 3f+1 users needed for consensus [Lamport et al, 1982] If users cannot equivocate, only 2f+1 users are needed [Chun et al, 2007] 3

13 Enter Trusted Hardware Equivocation can be rendered impossible with trusted hardware New design space All participants have a trusted component 4

14 Enter Trusted Hardware Equivocation can be rendered impossible with trusted hardware New design space All participants have a trusted component 4

15 Enter Trusted Hardware Equivocation can be rendered impossible with trusted hardware New design space All participants have a trusted component 4

16 Enter Trusted Hardware Equivocation can be rendered impossible with trusted hardware New design space All participants have a trusted component To be practical, the hardware must be small Ubiquity via low cost Tamper-resilient Easier to verify a small TCB 4

17 Contributions 1 TrInc A new, practical primitive for eliminating equivocation 2 Applications of TrInc 3 Implementation in currently available hardware 5

18 Contributions 1 TrInc A new, practical primitive for eliminating equivocation 2 Applications of TrInc 3 Implementation in currently available hardware 5

19 Motivating question What is the minimal abstraction needed to make equivocation impossible? 6

20 Motivating question What is the minimal abstraction needed to make equivocation impossible? A counter and a key are enough 6

21 TrInc: Trusted Incrementer 1. Monotonically increasing counter 2. Key for signing attestations 34 K 7

22 TrInc: Trusted Incrementer 1. Monotonically increasing counter 2. Key for signing attestations 34 K Attestations bind data to counters 7

23 TrInc: Trusted Incrementer 1. Monotonically increasing counter 2. Key for signing attestations 34 K Attestations bind data to counters Bind this data to counter value 36 7

24 TrInc: Trusted Incrementer 1. Monotonically increasing counter 2. Key for signing attestations Attest( 36, data) 34 K Attestations bind data to counters Bind this data to counter value 36 7

25 TrInc: Trusted Incrementer 1. Monotonically increasing counter 2. Key for signing attestations Attest( 36, data) 34 K Attestations bind data to counters Bind this data to counter value 36 7

26 TrInc: Trusted Incrementer 1. Monotonically increasing counter 2. Key for signing attestations Attest( 36, data) K Attestations bind data to counters Bind this data to counter value 36 7

27 TrInc: Trusted Incrementer 1. Monotonically increasing counter 2. Key for signing attestations Attest( 36, data) K Attestations bind data to counters Bind this data to counter value 36 7

28 TrInc: Trusted Incrementer 1. Monotonically increasing counter 2. Key for signing attestations Attest( 36, data) < 34, 36, data >K K Attestations bind data to counters Bind this data to counter value 36 7

29 TrInc Attestations < 34, 36, data >K < 36, 36, nonce >K 8

30 TrInc Attestations Advance attestation Can only move to a state once data is forever bound to 36 There was nothing bound to 35 < 34, 36, data >K Status attestation < 36, 36, nonce >K What is your current counter? Nonces assure freshness There is nothing beyond 36 (yet) 8

31 Multiple counters Need multiple trusted counters Systems running concurrently Some systems benefit from more counters

32 Multiple counters Need multiple trusted counters Systems running concurrently Some systems benefit from more counters Trinket Hardware that contains 1 counter is a Trinket Allocates and frees counters Establishes session keys 9

33 TrInc is practical Trusted Platform Module (TPM) is ubiquitous Has what we need Tamper-resistance Counters (currently 4) Crypto Small amount of storage It just lacks the right interface 100% 80% 60% 40% 20% 0% TPM Penetration Source: IDC Desktop PCs Mobile PCs x86 Servers 10

34 Contributions 1 TrInc A new, practical primitive for eliminating equivocation 2 Applications of TrInc 3 Implementation in currently available hardware 11

35 Contributions 1 TrInc A new, practical primitive for eliminating equivocation 2 Applications of TrInc 3 Implementation in currently available hardware 11

36 What can TrInc do? Trusted append-only logs Prevent under-reporting in BitTorrent Reduces communication in PeerReview BFT with fewer nodes and messages Ensure fresh data in DHTs Prevent Sybil attacks 12

37 What can TrInc do? Trusted append-only logs Prevent under-reporting in BitTorrent Reduces communication in PeerReview BFT with fewer nodes and messages Ensure fresh data in DHTs Prevent Sybil attacks 12

38 What can TrInc do? Trusted append-only logs Prevent under-reporting in BitTorrent Reduces communication in PeerReview BFT with fewer nodes and messages Ensure fresh data in DHTs Prevent Sybil attacks 12

39 Implementing a trusted log in TrInc Append(data): Bind new data to the end of the log Lookup(sequence num): No equivocating on what is or is not stored 13

40 Implementing a trusted log in TrInc Append(data): Bind new data to the end of the log 10 Lookup(sequence num): No equivocating on what is or is not stored 13

41 Implementing a trusted log in TrInc Append(data): Bind new data to the end of the log 10 Lookup(sequence num): No equivocating on what is or is not stored < 3,8, > < 8,9, > < 9,10, > Untrusted storage 13

42 Implementing a trusted log in TrInc append Append(data): Bind new data to the end of the log 10 Lookup(sequence num): No equivocating on what is or is not stored < 3,8, > < 8,9, > < 9,10, > Untrusted storage 13

43 Implementing a trusted log in TrInc attest(11,, ) Append(data): Bind new data to the end of the log 10 Lookup(sequence num): No equivocating on what is or is not stored < 3,8, > < 8,9, > < 9,10, > Untrusted storage 13

44 Implementing a trusted log in TrInc Append(data): Bind new data to the end of the log 10 Lookup(sequence num): No equivocating on what is or is not stored < 3,8, > < 8,9, > < 9,10, > Untrusted storage 13

45 Implementing a trusted log in TrInc Append(data): Bind new data to the end of the log Lookup(sequence num): No equivocating on what is or is not stored < 3,8, > < 8,9, > < 9,10, > Untrusted storage 13

46 Implementing a trusted log in TrInc < 10,11, > Append(data): Bind new data to the end of the log Lookup(sequence num): No equivocating on what is or is not stored < 3,8, > < 8,9, > < 9,10, > Untrusted storage 13

47 Implementing a trusted log in TrInc Append(data): Bind new data to the end of the log Lookup(sequence num): No equivocating on what is or is not stored < 3,8, > < 8,9, > < 9,10, > < 10,11, > Untrusted storage 13

48 Implementing a trusted log in TrInc lookup 10 Append(data): Bind new data to the end of the log Lookup(sequence num): No equivocating on what is or is not stored < 3,8, > < 8,9, > < 9,10, > < 10,11, > Untrusted storage 13

49 Implementing a trusted log in TrInc Append(data): Bind new data to the end of the log lookup Lookup(sequence num): No equivocating on what is or is not stored < 3,8, > < 8,9, > < 9,10, > < 10,11, > Untrusted storage 13

50 Implementing a trusted log in TrInc Append(data): Bind new data to the end of the log lookup Lookup(sequence num): No equivocating on what is or is not stored < 3,8, > < 8,9, > < 9,10, > < 10,11, > Untrusted storage 13

51 Implementing a trusted log in TrInc Append(data): Bind new data to the end of the log Lookup(sequence num): No equivocating on what is or is not stored < 3,8, > < 8,9, > < 9,10, > < 10,11, > Untrusted storage 13

52 Implementing a trusted log in TrInc Append(data): Bind new data to the end of the log Lookup(sequence num): No equivocating on what is or is not stored < 3,8, > < 8,9, > < 9,10, > < 9,10, > < 10,11, > Untrusted storage 13

on what is or is not stored < 3,8, > < 8,9, > < 9,10, > < 10,11,

53 Implementing a trusted log in TrInc Append(data): Bind new data to the end of the log Lookup(sequence num): No equivocating on what is or is not stored < 3,8, > < 8,9, > < 9,10, > < 10,11, > < 9,10, > Fast lookups Few hardware accesses Untrusted storage 13

54 TrInc-A2M Attested Append-only Memory (A2M) Stores logs in trusted storage Accesses trusted storage for all methods A2M shown to solve Byzantine fault tolerance using fewer nodes SUNDR file system Quorum/Update protocol By construction, TrInc solves these systems, too 14

55 What can TrInc do? Trusted append-only logs Prevent under-reporting in BitTorrent Reduces communication in PeerReview BFT with fewer nodes and messages Ensure fresh data in DHTs Prevent Sybil attacks 15

56 What can TrInc do? Trusted append-only logs Prevent under-reporting in BitTorrent Reduces communication in PeerReview BFT with fewer nodes and messages Ensure fresh data in DHTs Prevent Sybil attacks 15

57 BitTorrent primer 16

58 BitTorrent primer File pieces Fast, users share the work 16

59 BitTorrent primer File pieces Fast, users share the work 16

60 BitTorrent primer Does not have piece File pieces Fast, users share the work 16

61 BitTorrent primer File pieces Fast, users share the work 16

62 BitTorrent primer File pieces Fast, users share the work 16

63 BitTorrent primer File pieces Fast, users share the work 16

64 BitTorrent primer File pieces Interested Fast, users share the work

65 BitTorrent primer File pieces Interested Fast, users share the work Interested

66 BitTorrent primer File pieces Interested Fast, users share the work Interested

67 Piece under-reporting is equivocation [SIGCOMM 08] Yields prolonged interest from others and faster download times 17

68 Piece under-reporting is equivocation 17

69 Piece under-reporting is equivocation 17

70 Piece under-reporting is equivocation Ack 17

71 Piece under-reporting is equivocation Ack 17

72 Piece under-reporting is equivocation I received 17

73 Piece under-reporting is equivocation I never received I received 17

74 Applying TrInc What does the counter represent? The number of pieces received To what do peers attest? Their bitfield The most recent piece received When do peers attest? When they receive When they sync their counters 18

75 TrInc-BitTorrent 19

76 TrInc-BitTorrent 19

77 TrInc-BitTorrent 1 I have and most recently received 19

78 TrInc-BitTorrent 1 I have and most recently received 2 I have and most recently received 3 I have and most recently received 19

79 TrInc-BitTorrent 1 I have and most recently received 2 I have and most recently received 3 I have and most recently received Counter matches the bitfield size 19

80 TrInc-BitTorrent 1 I have and most recently received 2 I have and most recently received 3 I have and most recently received Counter matches the bitfield size 19

81 TrInc-BitTorrent 1 I have and most recently received 2 I have and most recently received 3 I have and most recently received Counter matches the bitfield size Attests to most recent piece 19

82 TrInc-BitTorrent 1 I have and most recently received 2 I have and most recently received 3 I have and most recently received Counter matches the bitfield size Attests to most recent piece 19

83 Why attest to the latest piece? 20

84 Why attest to the latest piece? 20

85 Why attest to the latest piece? 1 I have 20

86 Why attest to the latest piece? 1 I have 20

87 Why attest to the latest piece? 1 I have 20

88 Why attest to the latest piece? 1 I have 2 I have 2 I have 20

89 Why attest to the latest piece? 1 I have Looks good to me 2 I have Looks good to me 2 I have Looks good to me 20

90 Why attest to the latest piece? 1 I have Looks good to me 2 I have Looks good to me 2 I have Looks good to me 20

91 Why attest to the latest piece? 1 I have Looks good to me 2 I have Looks good to me 2 I have Looks good to me Lesson: Without the full log, must ensure proper behavior at each step 20

92 Macrobenchmarks TrInc-BitTorrent Solves piece under-reporting TrInc-A2M Reduces hardware requirements Higher throughput TrInc-PeerReview Reduces the communication necessary to achieve fault detection 21

93 Contributions 1 TrInc A new, practical primitive for eliminating equivocation 2 Applications of TrInc 3 Implementation in currently available hardware 22

94 Contributions 1 TrInc A new, practical primitive for eliminating equivocation 2 Applications of TrInc 3 Implementation in currently available hardware 22

95 Implementation Gemalto.NET Smartcard Crypto unit (RSA & 3-DES) 32-bit micro-controller 80 KB persistent memory A few dozen lines of C# Case studies TrInc-A2M TrInc-PeerReview TrInc-BitTorrent 23

96 TrInc microbenchmarks 250 Operation time (msec) noop Asym Attest Asym Attest Symm attest Symm Attest Verify (advance) (status) (advance) (status) 24

97 TrInc microbenchmarks 250 Operation time (msec) noop Asym Attest Asym Attest Symm attest Symm Attest Verify (advance) (status) (advance) (status) 24

98 TrInc microbenchmarks msec to write a counter Operation time (msec) noop Asym Attest Asym Attest Symm attest Symm Attest Verify (advance) (status) (advance) (status) 24

99 TrInc microbenchmarks msec to write a counter Operation time (msec) Only 2x noop Asym Attest Asym Attest Symm attest Symm Attest Verify (advance) (status) (advance) (status) 24

100 Why so slow? Fundamentally new application of trusted hardware Typically used for bootstrapping TrInc makes it intrinsic to the protocol It can be faster There just has not been the call for it prior to TrInc 25

101 Summary Equivocation is a versatile and powerful A small amount of trust can secure a large system TrInc is Minimal A counter and a key Versatile Applies to a wide range of systems Practical Uses the same components available today 26

102 TrInc speeds up A2M 600 TrInc-A2M A2M Operation time (msec) Append Lookup Lookup Lookup End Truncate Advance (successful) (too early) (forgotten) 27

103 TrInc speeds up A2M 600 TrInc-A2M A2M Operation time (msec) TrInc does not go to h/w for successful lookups Append Lookup Lookup Lookup End Truncate Advance (successful) (too early) (forgotten) 27

104 TrInc speeds up A2M 600 TrInc-A2M A2M Operation time (msec) TrInc does not go to h/w for successful lookups TrInc requires attestations 0 Append Lookup Lookup Lookup End Truncate Advance (successful) (too early) (forgotten) 27

105 Block Revelation SIGCOMM 08 - BitTorrent is an Auction 28

106 Block Revelation SIGCOMM 08 - BitTorrent is an Auction 28

107 Block Revelation SIGCOMM 08 - BitTorrent is an Auction 28

108 Block Revelation SIGCOMM 08 - BitTorrent is an Auction 28

109 Block Revelation SIGCOMM 08 - BitTorrent is an Auction 28

110 Block Revelation SIGCOMM 08 - BitTorrent is an Auction 28

111 Block Revelation SIGCOMM 08 - BitTorrent is an Auction 28

112 Block Revelation SIGCOMM 08 - BitTorrent is an Auction 28

113 Block Revelation SIGCOMM 08 - BitTorrent is an Auction 28

114 Block Revelation SIGCOMM 08 - BitTorrent is an Auction 28

115 Block Revelation SIGCOMM 08 - BitTorrent is an Auction 28

116 Block Revelation SIGCOMM 08 - BitTorrent is an Auction 28

117 Block Revelation Strategically under-report SIGCOMM 08 - BitTorrent is an Auction 28

118 TrInc-BitTorrent Results Cumulative number of blocks obtained Time into the download (sec) 29

119 TrInc-BitTorrent Results Cumulative number of blocks obtained Representative peer Time into the download (sec) 29

120 TrInc-BitTorrent Results Cumulative number of blocks obtained Representative peer Under-reporter: from all Time into the download (sec) 29

121 TrInc-BitTorrent Results Cumulative number of blocks obtained Representative peer Under-reporter: from all Time into the download (sec) Under-reporter pulls ahead 29

122 TrInc-BitTorrent Results But ultimately downloads slower Cumulative number of blocks obtained Representative peer Under-reporter: from all Time into the download (sec) Under-reporter pulls ahead 29

123 TrInc-BitTorrent Results But ultimately downloads slower Cumulative number of blocks obtained Representative peer Under-reporter: from all Under-reporter: from seed Time into the download (sec) Under-reporter pulls ahead 29

124 TrInc-BitTorrent Results But ultimately downloads slower Cumulative number of blocks obtained Representative peer Under-reporter: from all Under-reporter: from seed Truth-tellers A median of 6% from the seeder Under-reporter 73% of file from the seeder Time into the download (sec) Under-reporter pulls ahead 29

Proving the Impossible with Alibi Protocols

Proving the Impossible with Alibi Protocols Dave Levin Victoria Lai, Cristian Lumezanu, Neil Spring, Bobby Bhattacharjee, Bo Han, John Douceur, Jacob Lorch, Thomas Moscibroda Uncooperative behavior Cooperation