278 research outputs found
Bounding the Impact of Unbounded Attacks in Stabilization
Self-stabilization is a versatile approach to fault-tolerance since it
permits a distributed system to recover from any transient fault that
arbitrarily corrupts the contents of all memories in the system. Byzantine
tolerance is an attractive feature of distributed systems that permits to cope
with arbitrary malicious behaviors. Combining these two properties proved
difficult: it is impossible to contain the spatial impact of Byzantine nodes in
a self-stabilizing context for global tasks such as tree orientation and tree
construction. We present and illustrate a new concept of Byzantine containment
in stabilization. Our property, called Strong Stabilization enables to contain
the impact of Byzantine nodes if they actually perform too many Byzantine
actions. We derive impossibility results for strong stabilization and present
strongly stabilizing protocols for tree orientation and tree construction that
are optimal with respect to the number of Byzantine nodes that can be tolerated
in a self-stabilizing context
Self-Stabilization, Byzantine Containment, and Maximizable Metrics: Necessary Conditions
Self-stabilization is a versatile approach to fault-tolerance since it
permits a distributed system to recover from any transient fault that
arbitrarily corrupts the contents of all memories in the system. Byzantine
tolerance is an attractive feature of distributed systems that permits to cope
with arbitrary malicious behaviors. We consider the well known problem of
constructing a maximum metric tree in this context. Combining these two
properties leads to some impossibility results. In this paper, we provide two
necessary conditions to construct maximum metric tree in presence of transients
and (permanent) Byzantine faults
On Byzantine Broadcast in Loosely Connected Networks
We consider the problem of reliably broadcasting information in a multihop
asynchronous network that is subject to Byzantine failures. Most existing
approaches give conditions for perfect reliable broadcast (all correct nodes
deliver the authentic message and nothing else), but they require a highly
connected network. An approach giving only probabilistic guarantees (correct
nodes deliver the authentic message with high probability) was recently
proposed for loosely connected networks, such as grids and tori. Yet, the
proposed solution requires a specific initialization (that includes global
knowledge) of each node, which may be difficult or impossible to guarantee in
self-organizing networks - for instance, a wireless sensor network, especially
if they are prone to Byzantine failures. In this paper, we propose a new
protocol offering guarantees for loosely connected networks that does not
require such global knowledge dependent initialization. In more details, we
give a methodology to determine whether a set of nodes will always deliver the
authentic message, in any execution. Then, we give conditions for perfect
reliable broadcast in a torus network. Finally, we provide experimental
evaluation for our solution, and determine the number of randomly distributed
Byzantine failures than can be tolerated, for a given correct broadcast
probability.Comment: 1
A Scalable Byzantine Grid
Modern networks assemble an ever growing number of nodes. However, it remains
difficult to increase the number of channels per node, thus the maximal degree
of the network may be bounded. This is typically the case in grid topology
networks, where each node has at most four neighbors. In this paper, we address
the following issue: if each node is likely to fail in an unpredictable manner,
how can we preserve some global reliability guarantees when the number of nodes
keeps increasing unboundedly ? To be more specific, we consider the problem or
reliably broadcasting information on an asynchronous grid in the presence of
Byzantine failures -- that is, some nodes may have an arbitrary and potentially
malicious behavior. Our requirement is that a constant fraction of correct
nodes remain able to achieve reliable communication. Existing solutions can
only tolerate a fixed number of Byzantine failures if they adopt a worst-case
placement scheme. Besides, if we assume a constant Byzantine ratio (each node
has the same probability to be Byzantine), the probability to have a fatal
placement approaches 1 when the number of nodes increases, and reliability
guarantees collapse. In this paper, we propose the first broadcast protocol
that overcomes these difficulties. First, the number of Byzantine failures that
can be tolerated (if they adopt the worst-case placement) now increases with
the number of nodes. Second, we are able to tolerate a constant Byzantine
ratio, however large the grid may be. In other words, the grid becomes
scalable. This result has important security applications in ultra-large
networks, where each node has a given probability to misbehave.Comment: 17 page
Reliable Communication in a Dynamic Network in the Presence of Byzantine Faults
We consider the following problem: two nodes want to reliably communicate in
a dynamic multihop network where some nodes have been compromised, and may have
a totally arbitrary and unpredictable behavior. These nodes are called
Byzantine. We consider the two cases where cryptography is available and not
available. We prove the necessary and sufficient condition (that is, the
weakest possible condition) to ensure reliable communication in this context.
Our proof is constructive, as we provide Byzantine-resilient algorithms for
reliable communication that are optimal with respect to our impossibility
results. In a second part, we investigate the impact of our conditions in three
case studies: participants interacting in a conference, robots moving on a grid
and agents in the subway. Our simulations indicate a clear benefit of using our
algorithms for reliable communication in those contexts
Parameterizable Byzantine Broadcast in Loosely Connected Networks
We consider the problem of reliably broadcasting information in a multihop
asynchronous network, despite the presence of Byzantine failures: some nodes
are malicious and behave arbitrarly. We focus on non-cryptographic solutions.
Most existing approaches give conditions for perfect reliable broadcast (all
correct nodes deliver the good information), but require a highly connected
network. A probabilistic approach was recently proposed for loosely connected
networks: the Byzantine failures are randomly distributed, and the correct
nodes deliver the good information with high probability. A first solution
require the nodes to initially know their position on the network, which may be
difficult or impossible in self-organizing or dynamic networks. A second
solution relaxed this hypothesis but has much weaker Byzantine tolerance
guarantees. In this paper, we propose a parameterizable broadcast protocol that
does not require nodes to have any knowledge about the network. We give a
deterministic technique to compute a set of nodes that always deliver authentic
information, for a given set of Byzantine failures. Then, we use this technique
to experimentally evaluate our protocol, and show that it significantely
outperforms previous solutions with the same hypotheses. Important disclaimer:
these results have NOT yet been published in an international conference or
journal. This is just a technical report presenting intermediary and incomplete
results. A generalized version of these results may be under submission
Constraining Attacker Capabilities Through Actuator Saturation
For LTI control systems, we provide mathematical tools - in terms of Linear
Matrix Inequalities - for computing outer ellipsoidal bounds on the reachable
sets that attacks can induce in the system when they are subject to the
physical limits of the actuators. Next, for a given set of dangerous states,
states that (if reached) compromise the integrity or safe operation of the
system, we provide tools for designing new artificial limits on the actuators
(smaller than their physical bounds) such that the new ellipsoidal bounds (and
thus the new reachable sets) are as large as possible (in terms of volume)
while guaranteeing that the dangerous states are not reachable. This guarantees
that the new bounds cut as little as possible from the original reachable set
to minimize the loss of system performance. Computer simulations using a
platoon of vehicles are presented to illustrate the performance of our tools
Universal Loop-Free Super-Stabilization
We propose an univesal scheme to design loop-free and super-stabilizing
protocols for constructing spanning trees optimizing any tree metrics (not only
those that are isomorphic to a shortest path tree). Our scheme combines a novel
super-stabilizing loop-free BFS with an existing self-stabilizing spanning tree
that optimizes a given metric. The composition result preserves the best
properties of both worlds: super-stabilization, loop-freedom, and optimization
of the original metric without any stabilization time penalty. As case study we
apply our composition mechanism to two well known metric-dependent spanning
trees: the maximum-flow tree and the minimum degree spanning tree
X-Vine: Secure and Pseudonymous Routing Using Social Networks
Distributed hash tables suffer from several security and privacy
vulnerabilities, including the problem of Sybil attacks. Existing social
network-based solutions to mitigate the Sybil attacks in DHT routing have a
high state requirement and do not provide an adequate level of privacy. For
instance, such techniques require a user to reveal their social network
contacts. We design X-Vine, a protection mechanism for distributed hash tables
that operates entirely by communicating over social network links. As with
traditional peer-to-peer systems, X-Vine provides robustness, scalability, and
a platform for innovation. The use of social network links for communication
helps protect participant privacy and adds a new dimension of trust absent from
previous designs. X-Vine is resilient to denial of service via Sybil attacks,
and in fact is the first Sybil defense that requires only a logarithmic amount
of state per node, making it suitable for large-scale and dynamic settings.
X-Vine also helps protect the privacy of users social network contacts and
keeps their IP addresses hidden from those outside of their social circle,
providing a basis for pseudonymous communication. We first evaluate our design
with analysis and simulations, using several real world large-scale social
networking topologies. We show that the constraints of X-Vine allow the
insertion of only a logarithmic number of Sybil identities per attack edge; we
show this mitigates the impact of malicious attacks while not affecting the
performance of honest nodes. Moreover, our algorithms are efficient, maintain
low stretch, and avoid hot spots in the network. We validate our design with a
PlanetLab implementation and a Facebook plugin.Comment: 15 page
- …