Intrusion Tolerance: The Killer App for BFT (?)


Page 1: Intrusion Tolerance : The Killer App for BFT (?)

BFT3W'09 1

Intrusion Tolerance: The Killer App for BFT (?)

Alysson Bessani, Miguel Correia, Paulo Sousa, Nuno Ferreira Neves, Paulo Veríssimo

Universidade de Lisboa, Faculdade de Ciências

Workshop on Theory and Practice of BFT

Page 2

The Promise of BFT

• From the abstract of the Castro & Liskov OSDI’99 paper:

“We believe that Byzantine fault-tolerant algorithms will be increasingly important in the future because malicious attacks and software errors are increasingly common and can cause faulty nodes to exhibit arbitrary behavior.”

Page 3

The Promise of BFT

Our claim:

• BFT can be used to tolerate certain accidental value faults, but there are simpler techniques to do that

• The real appeal of the technique is to tolerate attacks, intrusions and bugs

BFT → Intrusion Tolerance

Page 4

Intrusion Tolerance

• Coined by Joni Fraga and David Powell, “A Fault- and Intrusion-Tolerant File System”, IFIP SEC, 1985

• An intrusion-tolerant system can maintain its security properties (confidentiality, integrity and availability) despite some of its components being compromised.

• Appeal: since it’s impossible to prove that a system has no vulnerabilities, it is safer to assume that intrusions can happen.

Page 5

Intrusion Tolerance

• BFT replication protocols are a key mechanism for intrusion-tolerant systems

• But there are others:

– Diversity (fault independence)

– Confidentiality schemes (fundamental for certain domains)

– Fault/Intrusion detection (accountability)

– Recovery and self-healing (fundamental for long-lived systems)

Page 6

Intrusion Tolerance

• The resulting system is very COMPLEX!

• There comes the InTol dilemma:

– Complex systems tend to have more vulnerabilities and to be more prone to configuration errors

– So an intrusion-tolerant system, built to be more secure, tends to be less secure…

Page 7

Intrusion-Tolerant Firewall

[Figure: incoming traffic reaches replicated CIS nodes through two hubs; each CIS replica carries a trusted component (T), and together these form a distributed trusted component; a CIS controller and a generator (x = dP(V,f)/dt) sit on the protected side]

But it can be done for simple critical systems!

Page 8

Intrusion-Tolerant Firewall

• The CIS was used in an architecture to protect critical infrastructures (e.g., power systems)

• This is a good application scenario for BFT/intrusion tolerance

[Figure: Substation A, Substation B and Substation C]

Page 9

The role of trusted components

• Trusted components (TTCB, A2M, USIG, TrInc) should be used to simplify BFT protocols

• Example: MinBFT (Veronese et al. 2008) uses the USIG service to implement the minimal non-speculative BFT SMR protocol:

[Table comparing MinBFT with A2M-EA and PBFT. Minimal: number of replicas, communication steps, trusted component]
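An added illustration of why a USIG-style trusted counter lets MinBFT drop to 2f+1 replicas (this is demo code written for this page, not the MinBFT implementation or anything from the talk): the trusted component binds each message to a unique, monotonically increasing counter under a MAC, so a replica whose untrusted code is compromised cannot equivocate, i.e. send two different messages under the same counter, and a receiver that tracks the last accepted counter detects the gap. The shared HMAC key, the message layout and the Receiver class are assumptions for the demo.

```python
import hashlib
import hmac

# Constructed key shared by all USIGs (symmetric-MAC variant of the service).
USIG_KEY = b"constructed-demo-key"


class USIG:
    """Trusted counter: binds (replica id, counter, msg) under a MAC."""
    def __init__(self, replica_id):
        self.replica_id, self.counter = replica_id, 0

    @staticmethod
    def _tag(replica_id, counter, msg):
        data = f"{replica_id}|{counter}|".encode() + msg
        return hmac.new(USIG_KEY, data, hashlib.sha256).digest()

    def create_ui(self, msg):
        self.counter += 1  # each counter value is handed out exactly once
        return (self.counter, self._tag(self.replica_id, self.counter, msg))

    def verify_ui(self, replica_id, ui, msg):
        counter, tag = ui
        return hmac.compare_digest(tag, self._tag(replica_id, counter, msg))


class Receiver:
    """Correct replica: accepts only a valid UI with the next expected counter."""
    def __init__(self, usig):
        self.usig, self.last = usig, {}

    def accept(self, sender, msg, ui):
        if not self.usig.verify_ui(sender, ui, msg):
            return "rejected: bad UI"
        if ui[0] != self.last.get(sender, 0) + 1:
            return "rejected: counter gap"
        self.last[sender] = ui[0]
        return "accepted"


def equivocation_demo():
    """Replica 0 (untrusted code compromised, USIG intact) tries to send two
    different PREPAREs to receivers A and B under the same counter value."""
    faulty, a, b = USIG(0), Receiver(USIG(1)), Receiver(USIG(2))
    m1, m2 = b"PREPARE op=x", b"PREPARE op=y"
    ui1 = faulty.create_ui(m1)  # counter 1
    ui2 = faulty.create_ui(m2)  # the USIG will only issue counter 2 for m2
    return {
        "a_gets_m1_ui1": a.accept(0, m1, ui1),  # accepted
        "b_gets_m2_ui1": b.accept(0, m2, ui1),  # rejected: bad UI
        "b_gets_m2_ui2": b.accept(0, m2, ui2),  # rejected: counter gap
    }
```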

Page 10

Concerns for BFT/IT Adoption

• BFT Usefulness

• BFT Implementations

• BFT Abstractions

Page 11

BFT Added Value

• The key challenge: “How to show that an intrusion-tolerant service is more secure than a non-intrusion-tolerant counterpart?”

• The equivalent question: “How to measure the security of a system?”

Page 12

BFT Systems

• We need at least one stable and robust BFT replication lib!

• JBP (Java Byzantine Paxos)

– Under development since 2007 for use on the replication layer of DepSpace

– Peak throughput competitive to PBFT (~22 Kop/s*)

– Key concerns on the current version:

• Modularity is a top priority: scalable communication, total order multicast, Byzantine Paxos consensus and checkpoint

• Avoid optimizations that bring complexity (e.g., authenticators, agreement over message hashes)

Page 13

BFT Abstractions

BFT ≠ BFT State Machine Replication

Page 14

BFT Abstractions

• SMR has its limitations:

– CFT systems are usually based on primary-backup

– Most modern services do not employ a consensus protocol on their critical path

• What options?

– High-level abstractions

– Low-level abstractions

Page 15

High-level Abstractions: Coordination Services

• Crash FT: ZooKeeper (name service + sequencers), Chubby (file system + locks), Sinfonia (registers + mini-transactions)

• BFT: DepSpace (policy-enforced augmented tuple space)

[Figure: traditional systems vs. coordination systems]

Page 16

High-level Abstractions: Coordination Services

[Figure: processes, one of them announcing “I’m malicious!”, accessing a coordination service implemented by servers as a shared memory]

Two important questions:

1. What is the synchronization power of the CS objects?

2. What is the role of access control models?

Page 17

Low-level Abstractions: Active Quorum Systems

[Figure: two groups of servers, one per model]

SMR: the service as a replicated deterministic state machine.

AQS: the service as a set of independent objects accessed by different clients.

Page 18

Low-level Abstractions: Active Quorum Systems

[Figure: the operations of an AQS object]

read, write: quorum-based asynchronous protocols for register implementation.

rmw: PBFT with some modifications to deal with concurrent writes.
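A simplified, added example of the quorum side of this slide (written for this page; it is neither the AQS protocol itself nor code from the talk): an f-resilient read/write register over n = 3f+1 servers whose writes are self-verifying, so that a read from any 2f+1 servers intersects every completed write in at least one correct server, and a Byzantine server cannot inject a forged higher-timestamp value. The HMAC standing in for the writer's signature, the server classes and the delivery pattern are assumptions for the demo; rmw is not shown.

```python
import hashlib
import hmac

F = 1                  # Byzantine servers tolerated; N = 3f+1 servers
QUORUM = 2 * F + 1     # any two quorums intersect in f+1 servers, >= 1 correct
WRITER_KEY = b"constructed-writer-key"  # stands in for the writer's signing key

def sign(ts, value):
    return hmac.new(WRITER_KEY, f"{ts}|".encode() + value, hashlib.sha256).digest()

def valid(ts, value, sig):
    return hmac.compare_digest(sig, sign(ts, value))

class Server:
    def __init__(self):
        self.state = (0, b"", sign(0, b""))  # (timestamp, value, signature)
    def write(self, ts, value, sig):
        if valid(ts, value, sig) and ts > self.state[0]:  # never go backwards
            self.state = (ts, value, sig)
        return "ack"
    def read(self):
        return self.state

class ByzantineServer(Server):  # acks but drops writes, forges reads
    def write(self, ts, value, sig):
        return "ack"
    def read(self):
        return (10**9, b"forged", bytes(32))  # cannot produce a valid signature

class Register:
    def __init__(self, servers):
        self.servers = servers
    def write(self, ts, value, deliver_to):
        """Asynchrony: only servers in deliver_to see the write before the writer returns."""
        sig = sign(ts, value)
        acks = [self.servers[i].write(ts, value, sig) for i in deliver_to]
        return acks.count("ack") >= QUORUM
    def read(self, quorum):
        """Ask 2f+1 servers; keep self-verifying replies and return the newest."""
        replies = [self.servers[i].read() for i in quorum]
        return max((ts, v) for ts, v, sig in replies if valid(ts, v, sig))

def demo():
    reg = Register([ByzantineServer(), Server(), Server(), Server()])
    reg.write(1, b"v1", deliver_to=[0, 1, 2, 3])
    reg.write(2, b"v2", deliver_to=[0, 1, 2])  # server 3 still holds v1
    return reg.read([0, 1, 3]), reg.read([0, 2, 3]), reg.read([1, 2, 3])
```

Every read quorum returns (2, b"v2"): the forged reply fails verification, and the stale server 3 is outvoted by the newer valid value from the intersection.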

Page 19

Low-level Abstractions: Active Quorum Systems

• Is it useful? Some services:

– LDAP:

• Main AQS object: LDAP entry

• Only entry creation and removal require rmw

– Smart block storage:

• Main AQS object: data block

• Uses rmw to modify single bytes of large blocks

– Tuple space:

• Main AQS object: tuple

• Only tuple removal uses rmw

Page 20

Summary

• The promise of BFT: tolerate intrusions

– Can be done for simple services

– Requires other mechanisms

• Concerns to be addressed:

– How to show the improved security of BFT/intrusion-tolerant systems?

– Build a stable and robust BFT library

– BFT is not SMR:

• Coordination Services

• Active Quorum Systems

Page 21

Some Related Publications

• Bessani et al. The CRUTIAL way of protecting critical infrastructures. IEEE S&P Magazine (Dec 2008)

• Sousa et al. Highly Available Intrusion Tolerance through Proactive and Reactive Recovery. IEEE TPDS (to appear)

• Veronese et al. Minimal Byzantine Fault Tolerance: Algorithms and Evaluation. FCUL-DI-TR 09-15 (under submission), 2009

• Bessani et al. DepSpace: A Byzantine Fault-Tolerant Coordination Service. EuroSys’08

• Bessani et al. Sharing Memory between Byzantine Processes using a Policy-enforced Augmented Tuple Space. IEEE TPDS (Mar 2009)

• Bessani et al. An Efficient Byzantine-resilient Tuple Space. IEEE TC (Aug 2009)

http://www.navigators.di.fc.ul.pt