Finding Safety in Numbers with Secure Allegation Escrows
For fear of retribution, the victim of a crime may be willing to report it
only if other victims of the same perpetrator also step forward. Common
examples include 1) identifying oneself as the victim of sexual harassment,
especially by a person in a position of authority or 2) accusing an influential
politician, an authoritarian government, or one's own employer of corruption. To
handle such situations, legal literature has proposed the concept of an
allegation escrow: a neutral third-party that collects allegations anonymously,
matches them against each other, and de-anonymizes allegers only after
de-anonymity thresholds (in terms of number of co-allegers), pre-specified by
the allegers, are reached.
An allegation escrow can be realized as a single trusted third party;
however, this party must be trusted to keep the identity of the alleger and
content of the allegation private. To address this problem, this paper
introduces Secure Allegation Escrows (SAE, pronounced "say"). A SAE is a group
of parties with independent interests and motives, acting jointly as an escrow
for collecting allegations from individuals, matching the allegations, and
de-anonymizing the allegations when designated thresholds are reached. By
design, SAEs provide a very strong property: No less than a majority of parties
constituting a SAE can de-anonymize or disclose the content of an allegation
without a sufficient number of matching allegations (even in collusion with any
number of other allegers). Once a sufficient number of matching allegations
exist, the joint escrow discloses the allegation with the allegers' identities.
We describe how SAEs can be constructed using a novel authentication protocol
and a novel allegation matching and bucketing algorithm, provide formal proofs
of the security of our constructions, and evaluate a prototype implementation,
demonstrating feasibility in practice.
Comment: To appear in NDSS 2020. New version includes improvements to writing
and proof. The protocol is unchanged.
Misbehaving TCP Receivers Can Cause Internet-Wide Congestion Collapse
An "optimistic" acknowledgment (OptAck) is an acknowledgment
sent by a misbehaving client for a data segment that it has not
received. Whereas previous work has focused on OptAck as a means to
greedily improve end-to-end performance, we study OptAck exclusively
as a denial of service attack. Specifically, an attacker sends
optimistic acknowledgments to many victims in parallel, thereby
amplifying its effective bandwidth by a factor of 30 million (worst
case). Thus, even a relatively modest attacker can totally saturate
the paths from many victims back to the attacker. Worse, a
distributed network of compromised machines ("zombies") can exploit
this attack in parallel to bring about wide-spread, sustained
congestion collapse.
We implement this attack both in simulation and in a wide-area
network, and show its severity both in terms of number of packets and
total traffic generated. We engineer and implement a novel solution
that does not require client or network modifications, allowing for
practical deployment. Additionally, we demonstrate the solution's
efficiency on a real network.
Analysis of the NICE Application Layer Multicast Protocol
Application layer multicast protocols organize a set of hosts into
an overlay tree for data delivery. Each host
on the overlay peers with a subset of other hosts. Since
application layer multicast relies only on an underlying
unicast architecture, multiple copies of the same packet
can be carried by a single physical link or node on the
overlay. The stress at a link or node is defined as the
number of identical copies of a packet carried by that
link or node. Stretch is another important metric in
application layer multicast, which measures the relative
increase in delay incurred by the overlay path between
pairs of members with respect to the direct unicast path.
In this paper we study the NICE application layer multicast
protocol to quantify and study the tradeoff between these
two important metrics, stress and stretch, in scalably building application layer multicast paths.
Also UMIACS-TR-2002-6
Slurpie: A Cooperative Bulk Data Transfer Protocol
We present Slurpie: a peer-to-peer protocol for bulk data transfer. Slurpie is specifically designed to reduce client download times for large, popular files, and to reduce load on servers that serve these files. Slurpie employs a novel adaptive downloading strategy to increase client performance, and employs a randomized backoff strategy to precisely control load on the server. We describe a full implementation of the Slurpie protocol, and present results from both controlled local-area and wide-area testbeds. Our results show that Slurpie clients improve performance as the size of the network increases, and the server is completely insulated from large flash crowds entering the Slurpie network.
A Protocol for Scalable Application Layer Multicast
We describe a new application-layer multicast protocol that is specifically
designed to scale to large groups.
Our scheme is based upon a hierarchical clustering of the
application-layer multicast peers and can be used to produce a number
of different data delivery trees with specific properties. On
average, group members using our protocol maintain only a constant
amount of state about other group members, and incur a constant amount
of control overhead.
We present extensive simulations of both our protocol and the Narada
protocol over Internet-like topologies. Our results show that for
groups of size 32 or more, we reduce control overhead by orders of
magnitude, and link stress by 25%, while retaining similar
end-to-end latencies and failure recovery properties.
A Security Infrastructure for Mobile Transactional Systems
In this paper, we present an infrastructure for providing secure transactional
replication support for peer-to-peer, decentralized databases. We first
describe how to effectively provide protection against external threats,
malicious actions by servers not authorized to access data, using conventional
cryptography-based mechanisms. We then classify and present algorithms that
provide protection against internal threats, malicious actions by authenticated
servers that misrepresent protocol-specific information. Our approach to
handling internal threats uses both cryptographic techniques and modifications
to the update commit criteria. The techniques we propose are unique in that
they not only enable a tradeoff between performance and the degree of tolerance
to malicious servers, but also allow for individual servers to support
non-uniform degrees of tolerance without adversely affecting the performance of
the rest of the system.
We investigate the cost of our security mechanisms in the context of Deno: a
prototype object replication system designed for use in mobile and
weakly-connected environments. Experimental results reveal that protecting
against internal threats comes at a cost, but the marginal cost for protecting
against larger cliques of malicious insiders is generally low. Furthermore,
comparison with a decentralized Read-One Write-All protocol shows that our
approach performs significantly better under various workloads.
(Also cross-referenced as UMIACS-TR-2000-59)
BitTorrent is an Auction: Analyzing and Improving BitTorrent's Incentives
Incentives play a crucial role in BitTorrent, motivating users to upload to others to achieve fast download times for all peers. Though long believed to be robust to strategic manipulation, recent work has empirically shown that BitTorrent does not provide its users incentive to follow the protocol. We propose an auction-based model to study and improve upon BitTorrent's incentives. The insight behind our model is that BitTorrent uses, not tit-for-tat as widely believed, but an auction to decide which peers to serve. Our model not only captures known, performance-improving strategies, it shapes our thinking toward new, effective strategies. For example, our analysis demonstrates, counter-intuitively, that BitTorrent peers have incentive to intelligently under-report what pieces of the file they have to their neighbors. We implement and evaluate a modification to BitTorrent in which peers reward one another with proportional shares of bandwidth. Within our game-theoretic model, we prove that a proportional-share client is strategy-proof. With experiments on PlanetLab, a local cluster, and live downloads, we show that a proportional-share unchoker yields faster downloads against BitTorrent and BitTyrant clients, and that under-reporting pieces yields prolonged neighbor interest.
Efficient Peer-to-Peer Namespace Searches
In this paper we describe new methods for efficient and exact search
(keyword and full-text) in distributed namespaces. Our methods can be
used in conjunction with existing distributed lookup schemes, such as
Distributed Hash Tables, and distributed directories. We describe how
indexes for implementing distributed searches can be efficiently
created, located, and stored. We describe techniques for creating
approximate indexes that can be used to bound the space requirement at
individual hosts; such techniques are particularly useful for full-text
searches that may require a very large number of individual indexes to
be created and maintained.
Our methods use a new distributed data structure called the view tree.
View trees can be used to efficiently cache and locate results from
prior queries. We describe how view trees are created, and maintained.
We present experimental results, using large namespaces and realistic
data, showing that the techniques introduced in this paper can reduce
search overheads (both network and processing costs) by more than an
order of magnitude.
(UMIACS-TR-2004-13)