210 likes | 229 Views
Intrusion Tolerance : The Killer App for BFT (?). Alysson Bessani , Miguel Correia, Paulo Sousa, Nuno Ferreira Neves, Paulo Veríssimo Universidade de Lisboa, Faculdade de Ciências Workshop on Theory and Practice of BFT. The Promise of BFT. From the abstract of Castro & Liskov OSDI’99 paper:
E N D
Intrusion Tolerance:The Killer App for BFT (?) Alysson Bessani, Miguel Correia, Paulo Sousa, Nuno Ferreira Neves, Paulo Veríssimo Universidade de Lisboa, Faculdade de Ciências Workshop on Theory and Practice of BFT BFT3W'09
The Promise of BFT • From the abstract of Castro & Liskov OSDI’99 paper: “We believe that Byzantine fault-tolerant algorithms will be increasingly important in the future because malicious attacks and software errors are increasingly common and can cause faulty nodes to exhibit arbitrary behavior.” BFT3W'09
The Promise of BFT Our claim: • BFT can be used to tolerate certain accidental value faults But there are simpler techniques to do that • The real appeal of the technique is to tolerate attacks, intrusions and bugs BFT → Intrusion Tolerance BFT3W'09
Intrusion Tolerance • Coined by Joni Fraga and David Powell “A Fault- and Intrusion-Tolerant File System”, IFIP SEC,1985 • An intrusion-tolerant system can maintain its security properties (confidentiality, integrity and availability) despite some of its components being compromised. • Appeal: since it’s impossible to prove that a system has no vulnerabilities, it is more safe to assume that intrusions can happen. BFT3W'09
Intrusion Tolerance • BFT replication protocols are a key mechanism for intrusion-tolerant systems • But there are others: • Diversity • Confidentiality schemes • Fault/Intrusion detection • Recovery and Self-healing Fault independence Fundamental for certain domains Accountability Fundamental for long-lived systems BFT3W'09
Intrusion Tolerance • The resulting system is very COMPLEX! • There comes the InTol dilemma: • Complex systems tend to have more vulnerabilities and be more prone to configuration errors • So, an intrusion-tolerant system build to be more secure, tend to be less secure… BFT3W'09
CIS CIS HUB HUB Intrusion-Tolerant Firewall But it can be done for simple critical systems! Distributed trusted component T x = dP(V,f)/dt T Incomming Traffic Controller CIS T Generator CIS T BFT3W'09
Substation A Substation B Substation C Intrusion-Tolerant Firewall • The CIS was used in an architecture to protect critical infrastructures (e.g., power systems) • This is a good application scenario for BFT/Intrusion tolerance BFT3W'09
The role of trusted components • Trusted components (TTCB, A2M, USIG, Trinc) should be used to simplify BFT protocols • Example: MinBFT (Veronese et al. 2008) uses the USIG service to implement the minimal non-speculative BFT SMR protocol: MinBFT PBFT Minimal: - Number of replicas - Communication steps - Trusted component A2M-EA BFT3W'09
Concerns for BFT/IT Adoption • BFT Usefulness • BFT Implementations • BFT Abstractions BFT3W'09
BFT Added Value • The key challenge: “How to show that an intrusion tolerant service is more secure than a non-intrusion-tolerant counterpart?” • The equivalent question: “How to measure the security of a system?” BFT3W'09
BFT Systems • We need at least one stable and robust BFT replication lib! • JBP (Java Byzantine Paxos) • Under development since 2007 for use on the replication layer of DepSpace • Peak throughput competitive to PBFT (~22 Kop/s*) • Key concerns on the current version: • Modularity is a top priority: scalable communication, total order multicast, Byzantine paxos consensus and checkpoint • Avoid optimizations that bring complexity (e.g., authenticators, agreement over message hashes) BFT3W'09
BFT Abstractions BFT ≠ BFT State Machine Replication BFT3W'09
BFT Abstractions • SMR has its limitations: • CFT systems are usually based on primary-backup • Most modern services do not employ consensus protocol on their critical path • What options? • High-level abstractions • Low-level abstractions BFT3W'09
High-level Abstractions: Coordination Services • Crash FT:Zookeper (name service + sequencers), Chubby (file system + locks), Sinfonia (registers + mini transactions) • BFT:DepSpace (policy enforced augmented tuple space) Traditional systems Coordination systems BFT3W'09
Shared Memory Shared Memory I’m Malicious! High-level Abstractions:Coordination Services PROCESSES SERVERS Two important questions: What is the synchronization power of the CS objects? What is the role of access control models? BFT3W'09
Low-level Abstractions:Active Quorum Systems SMR: the service as a replicated deterministic state machine SERVERS AQS: the service as a a set of independent objects accessed by different clients. BFT3W'09 SERVERS
Low-level Abstractions:Active Quorum Systems read Quorum-based asynchronous protocols for register Implementation. write PBFT with some modifications to deal with concurrent writes. rmw BFT3W'09
Low-level Abstractions:Active Quorum Systems • Is it useful? Some services: • LDAP: • Main AQS Object: LDAP Entry • Only Entry creation and removal require rmw • Smart block storage: • Main AQS Object: Data Block • Uses rmw to modify single bytes of large blocks • Tuple Space: • Main AQS Object: Tuple • Only tuple removal uses rmw BFT3W'09
Summary • The promise of BFT: tolerate intrusions • Can be done for simple services • Require other mechanisms • Concerns to be addressed: • How to show the improved security of BFT/intrusion tolerant systems? • Build a stable and robust BFT library • BFT is not SMR: • Coordination Services • Active Quorum Systems BFT3W'09
Some Related Publications • Bessani et al. The CRUTIAL way of protecting critical infrastructures. IEEE S&P Magazine (Dec 2008) • Sousa et al. Highly Available Intrusion Tolerance through Proactive and Reactive Recovery. IEEE TPDS (to appear) • Veronese et al. Minimal Byzantine Fault Tolerance: Algorithms and Evaluation. FCUL-DI-TR 09-15 (under submission). 2009 • Bessani et al. DepSpace: A Byzantine Fault-Tolerant Coordination Service. EuroSys’08 • Bessani et al. Sharing Memory between Byzantine Processes using a Police-enforced Augmented Tuple Space. IEEE TPDS (Mar 2009) • Bessani et al. An Efficient Byzantine-resilient Tuple Space. IEEE TC (Aug 2009) http://www.navigators.di.fc.ul.pt BFT3W'09