
UNIVERSIDADE DE LISBOA
FACULDADE DE CIÊNCIAS
DEPARTAMENTO DE INFORMÁTICA

RANDOMIZED INTRUSION-TOLERANT ASYNCHRONOUS SERVICES

Henrique Lúcias Senra Moniz

MASTER'S DEGREE IN INFORMATICS (MESTRADO EM INFORMÁTICA)

September 2006

RANDOMIZED INTRUSION-TOLERANT ASYNCHRONOUS SERVICES

Henrique Lúcias Senra Moniz

Dissertation submitted to obtain the degree of MASTER IN INFORMATICS (Mestre em Informática) at the Faculdade de Ciências da Universidade de Lisboa, Departamento de Informática

Advisor: Nuno Fuentecilla Maia Ferreira Neves

Co-Advisor: Miguel Nuno Dias Alves Pupo Correia

Jury: Henrique João Lopes Domingos, António Casimiro Costa, Maria Teresa Caeiro Chambel

September 2006

Resumo (Portuguese abstract, translated)

Randomized distributed protocols were proposed more than two decades ago. Traditionally, these protocols have been considered too inefficient, since they have high theoretical complexities for both communication and time, which has prevented their practical use in building fault-tolerant systems. This thesis aims to counter that view by demonstrating that randomization can be a competitive solution, even in hostile environments subject to malicious faults. The thesis describes the implementation of a stack of randomized intrusion-tolerant protocols, together with its performance analysis under several types of criteria. The protocol stack provides a set of relevant services, from basic agreement primitives up to atomic broadcast. The protocols share an important set of structural properties: they tolerate arbitrary faults, have optimal resilience, are asynchronous, completely decentralized, and use only symmetric-key cryptography. The performance analysis shows that the protocols are efficient and that their performance does not degrade even when subjected to certain types of malicious faults.

KEYWORDS: Intrusion Tolerance, Byzantine Agreement, Randomized Algorithms, Performance Evaluation.

Abstract

Randomized agreement protocols have been around for more than two decades. Often assumed to be inefficient due to their high expected communication and time complexities, they have remained largely overlooked by the community-at-large as a valid solution for the deployment of fault-tolerant distributed systems. This thesis aims to demonstrate that randomization can be a very competitive approach even in hostile environments where arbitrary faults can occur. The implementation of a stack of randomized intrusion-tolerant protocols is described, and its performance evaluated under different faultloads. The stack provides a set of relevant services ranging from basic communication primitives up to atomic broadcast. The protocols share a set of important structural properties, namely they tolerate arbitrary faults, have an optimal resilience, are time-free, completely decentralized, and signature-free. The experimental evaluation shows that the protocols are efficient and no performance reduction is observed under certain Byzantine faults.

KEY WORDS: Intrusion Tolerance, Byzantine Agreement, Randomized Protocols, Performance Evaluation.

Acknowledgments

I want to thank a handful of people whom I believe had a significant impact, even if not in an obvious way, on this thesis.

First of all, my parents for passing on to me their exceptional genes, for providing me with a purposeful foundation as a human being, and, within their means, for always backing up my professional choices. In particular, my mother for imprinting me with a resolute assurance in my intellectual prowess, and my father, for providing me the environment, patience, and support by which I began osmosing what became my professional playground and a most important form of expression.

My advisors, Prof. Nuno Neves and Prof. Miguel Correia. Still to this day, I have no idea how they picked me up among the crowd. They invested in me, never failed to provide the space and tranquility I needed to develop my work, and always gave me a tremendous amount of trust and protection for which I am truly grateful. Along with Prof. Paulo Veríssimo, the support I received from them during my initial stages at the Navigators group was a fundamental encouragement for me to untangle the serious health problems I had then.

A special word for my ex-girlfriend, Ana Teresa, who stood next to me during most of this journey. Almost stoically, she endured the side-effects of my personality, was the pillar of the emotional serenity I experienced during most of these two years, and, ultimately, was the catalyst for the fierce personal growth I am going through in my life. Thank you for everything.

Finally, my friends, for their relentless faith and unconditional support. I can't name them for fear of leaving someone out, but they know who they are. During the rare moments I am able to rest my mind and truly contemplate what I have, you make me feel the most fortunate person on earth. I have no words to express the love I feel for all of you.

Lisboa, September 2006

Henrique Lúcias Senra Moniz

To all who stand alone.

Contents

Contents i
List of Figures v
List of Tables vii

1 Introduction 1
  1.1 Impetus 1
  1.2 Contributions of the Thesis 5
  1.3 Organization of the Thesis 7

2 Context and Related Work 9
  2.1 Consensus 9
    2.1.1 Partial Synchrony 13
    2.1.2 Failure Detectors 14
    2.1.3 Wormholes 17
    2.1.4 Randomization: the non-deterministic solution 18
  2.2 Related Implementations 20
    2.2.1 Rampart 21
    2.2.2 SecureRing 24
    2.2.3 BFT 27
    2.2.4 Worm-IT 29
    2.2.5 SINTRA 31

3 The Protocol Stack 35
  3.1 System Model 35
  3.2 Protocol Stack 37
    3.2.1 Reliable Channels 38
    3.2.2 Reliable Broadcast 39
    3.2.3 Echo Broadcast 40
    3.2.4 Binary Consensus 43
    3.2.5 Multi-valued Consensus 45
    3.2.6 Vector Consensus 50
    3.2.7 Atomic Broadcast 52

4 RITAS: The Implementation 59
  4.1 Design Considerations 59
    4.1.1 Single-threaded vs. Multi-threaded Operation 60
    4.1.2 Message Management 61
    4.1.3 Multiple Protocol Instances 62
    4.1.4 Protocol Demultiplexing 63
    4.1.5 Header Construction 64
    4.1.6 Storage of Values 64
    4.1.7 Out-of-Context Messages 65
  4.2 Internals 65
    4.2.1 The RITAS context 66
    4.2.2 Message Buffers 67
    4.2.3 Control Blocks and Protocol Handlers 69
    4.2.4 The RITAS Channel 71
    4.2.5 Control Block Chaining 72
    4.2.6 Out-of-Context Message Handling 75
  4.3 Interface 75
    4.3.1 Context Management Functions 76
    4.3.2 Service Request Functions 77

5 Performance Evaluation 81
  5.1 Testbeds 81
  5.2 Stack Analysis 82
  5.3 Atomic Broadcast Analysis 85
    5.3.1 Group Size and Faultload 87
    5.3.2 Network Bandwidth and Message Size 94
    5.3.3 Relative Cost of Agreement 100
  5.4 Summary of Results 103

6 Conclusion 105
  6.1 Conclusions 105
  6.2 Future Work 106

Bibliography 109

List of Figures

3.1 The RITAS protocol stack. 37
3.2 Messages exchanged during a reliable broadcast execution with four processes. 40
3.3 Messages exchanged during an echo broadcast execution with four processes. 42
3.4 Protocols involved in an agreement t