10 research outputs found

    Consensus in Networks Prone to Link Failures

    We consider deterministic distributed algorithms solving Consensus in synchronous networks of arbitrary topologies. Links are prone to failures. Agreement is understood as holding in each connected component of a network obtained by removing faulty links. We introduce the concept of stretch, which is a function of the number of connected components of a network and their respective diameters. Fast and early-stopping algorithms solving Consensus are defined by referring to stretch resulting in removing faulty links. We develop algorithms that rely only on nodes knowing their own names and the ability to associate communication with local ports. A network has $n$ nodes and it starts with $m$ functional links. We give a general algorithm operating in time $n$ that uses messages of $O(\log n)$ bits. If we additionally restrict executions to be subject to a bound $\Lambda$ on stretch, then there is a fast algorithm solving Consensus in time $O(\Lambda)$ using messages of $O(\log n)$ bits. Let $\lambda$ be an unknown stretch occurring in an execution; we give an algorithm working in time $(\lambda+2)^3$ and using messages of $O(n \log n)$ bits. We show that Consensus can be solved in the optimal $O(\lambda)$ time, but at the cost of increasing message size to $O(m \log n)$. We also demonstrate how to solve Consensus by an algorithm that uses only $O(n)$ non-faulty links and works in time $O(nm)$, while nodes start with their ports mapped to neighbors and messages carry $O(m \log n)$ bits. We prove lower bounds on performance of Consensus solutions that refer to parameters of evolving network topologies and the knowledge available to nodes.

    Scaling Permissioned Blockchains via Sharding

    Traditional distributed systems, such as those used in banking and real estate, require a trusted third party to operate and maintain them, which is highly dependent on the reliability of the operator. Since Bitcoin was introduced by Nakamoto in 2008, blockchain technology has been considered as a promising solution to the trust issue raised by the traditional centralized approach. Blockchain is now used by most cryptocurrencies and has meaningful applications in other areas, such as logistics and supply chain management. However, scalability remains a major limitation. Various techniques are being investigated to tackle the scalability issue. Sharding is an intuitive approach to improve the scalability of blockchain systems. This thesis explores sharding techniques in permissioned blockchains. First of all, two techniques are examined for interleaving the shards of permissioned blockchains, which are referred to as strong temporal coupling and weak temporal coupling. The analysis and experiment results show that strong coupling loses performance when different shards grow unevenly, but outperforms weak coupling in a wide-area environment due to its inherent efficiency. Weak coupling, in contrast, deals naturally with load imbalance across shards and in fact tolerates shard failures without any additional effort, but loses performance when running on a high-latency network due to the additional coordination performed. Second, we propose Antipaxos, a leaderless consensus protocol that reaches agreement on multiple proposals with a fast path solution in the failure-free case, and falls back on a slow path to handle other cases. A new agreement problem, termed k-Interactive Consistency, is formalized first. Then, two algorithms to solve this problem are proposed under the crash failure model and Byzantine failure model, respectively.
    We prove the safety and liveness of the proposed algorithms, and present an experimental evaluation of their performance in the Amazon cloud. Both the crash-tolerant and Byzantine-tolerant designs reach agreement on n batches of proposals with Θ(n^2) messages. This leads to the linear complexity of each batch in one consensus cycle, rather than a single batch of proposals per cycle in conventional solutions. The experiments show that our algorithms achieve not only lower execution latency but also higher peak throughput in the failure-free case when deployed in a geo-distributed environment. Lastly, we introduce a full sharding protocol, Geochain, for permissioned blockchains. The transaction latency is minimized by clustering participants using their geographical properties (locality). In addition, the locality is also used to decide the transaction placement, which yields a low ratio of cross-shard transactions for applications such as everyday banking, retail payments, and electric vehicle charging. We also propose a client-driven efficient mechanism to handle cross-shard transactions and present an analysis. This enables clients to manage their assets across different shards directly. A prototype is implemented on top of Hyperledger Fabric v2.3 and evaluated on Amazon EC2. The experiments show that our protocol doubles the peak throughput even with a high ratio of cross-shard transactions while minimizing the transaction latency.

    TLA+ Model Checking Made Symbolic

    TLA+ is a language for formal specification of all kinds of computer systems. System designers use this language to specify concurrent, distributed, and fault-tolerant protocols, which are traditionally presented in pseudo-code. TLA+ is extremely concise yet expressive: the language primitives include Booleans, integers, functions, tuples, records, sequences, and sets thereof, which can also be nested. This is probably why the only model checker for TLA+ (called TLC) relies on explicit enumeration of values and states. In this paper, we present APALACHE, a first symbolic model checker for TLA+. Like TLC, it assumes that all specification parameters are fixed and all states are finite structures. Unlike TLC, APALACHE translates the underlying transition relation into quantifier-free SMT constraints, which allows us to exploit the power of SMT solvers. Designing this translation is the central challenge that we address in this paper. Our experiments show that APALACHE outperforms TLC on examples with large state spaces.

    The Failure Detector Abstraction

    A failure detector is a fundamental abstraction in distributed computing. This paper surveys this abstraction through two dimensions. First, we study failure detectors as building blocks to simplify the design of reliable distributed algorithms. In particular, we illustrate how failure detectors can factor out timing assumptions to detect failures in distributed agreement algorithms. Second, we study failure detectors as computability benchmarks. That is, we survey the weakest failure detector question and illustrate how failure detectors can be used to classify problems. We also highlight some limitations of the failure detector abstraction along each of the dimensions.

    Data bases and data base systems related to NASA's Aerospace Program: A bibliography with indexes

    This bibliography lists 641 reports, articles, and other documents introduced into the NASA scientific and technical information system during the period January 1, 1981 through June 30, 1982. The directory was compiled to assist in the location of numerical and factual data bases and data base handling and management systems.

    Programming Languages and Systems

    This open access book constitutes the proceedings of the 29th European Symposium on Programming, ESOP 2020, which was planned to take place in Dublin, Ireland, in April 2020, as part of the European Joint Conferences on Theory and Practice of Software, ETAPS 2020. The actual ETAPS 2020 meeting was postponed due to the Corona pandemic. The papers deal with fundamental issues in the specification, design, analysis, and implementation of programming languages and systems.

    Efficient and scalable replication of services over wide-area networks

    Service replication ensures reliability and availability, but accomplishing it requires solving the total-order problem of guaranteeing that all replicas receive service requests in the same order. The problem, however, cannot be solved for a specific combination of three factors, namely, when (i) the message transmission delays cannot be reliably bounded, as is often the case over wide-area networks such as the Internet, (ii) replicas can fail, e.g., by crashing, the very events that have to be tolerated through replication, and finally (iii) the solution has to be deterministic, as distributed algorithms generally are. Therefore, total-order protocols are developed by avoiding one or more of these three factors by resorting to realistic assumptions based on system contexts. Nevertheless, they tend to be complex in structure and impose time overhead with the potential to slow down the performance of the replicated services themselves. This thesis work develops an efficient total-order protocol by leveraging the emergence of cluster computing. It assumes that a server replica is not a stand-alone computer but is part of a cluster from which it can enlist the cooperation of some of its peers for solving the total-order problem locally. The local solution is then globalised with replicas spread over a wide-area network. This two-staged solution is highly scalable and is experimentally demonstrated to have a smaller performance overhead than a single-stage solution applied directly over a wide-area network. The local solution is derived from an existing, multi-coordinator protocol, Mencius, which is known to have the best performance. Through a careful analysis, the derivation modifies some aspects of Mencius for further performance improvements while retaining the best aspects.

    Enhancing intrusion resilience in publicly accessible distributed systems

    The internet is increasingly used as a means of communication by many businesses. Online shopping has become an important commercial activity and many governmental bodies offer services online. Malicious intrusion into these systems can have major negative consequences, both for the providers and users of these services. The need to protect against malicious intrusion, coupled with the difficulty of identifying and removing all possible vulnerabilities in a distributed system, has led to the use of systems that can tolerate intrusions with no loss of integrity. These systems require that services be replicated as deterministic state machines, a relatively hard task in practice, and do not ensure that confidentiality is maintained when one or more replicas are successfully intruded into. This thesis presents FORTRESS, a novel intrusion-resilient system that makes use of proactive obfuscation techniques and cheap off-the-shelf hardware to enhance intrusion resilience. FORTRESS uses proxies to prevent clients from accessing servers directly, and regular replacement of proxies and servers with differently obfuscated versions. This maintains both confidentiality and integrity as long as an attacker does not compromise the system as a whole. The expected lifetime until system compromise of the FORTRESS system is compared to those of state machine replicated and primary backup systems when confronted with an attacker capable of launching distributed attacks against known vulnerabilities. Thus, FORTRESS is demonstrated to be a viable alternative to building intrusion-tolerant systems using deterministic state machine replication. The performance overhead of the FORTRESS system is also evaluated, using both a general state transfer framework for distributed systems, and a lightweight framework for large scale web applications. This shows the FORTRESS system has a sufficiently small performance overhead to be of practical use.

    Human decision-making in computer security incident response

    Background: Cybersecurity has risen to international importance. Almost every organization will fall victim to a successful cyberattack. Yet, guidance for computer security incident response analysts is inadequate. Research Questions: What heuristics should an incident analyst use to construct general knowledge and analyse attacks? Can we construct formal tools to enable automated decision support for the analyst with such heuristics and knowledge? Method: We take an interdisciplinary approach. To answer the first question, we use the research tradition of philosophy of science, specifically the study of mechanisms. To answer the question on formal tools, we use the research tradition of program verification and logic, specifically Separation Logic. Results: We identify several heuristics from biological sciences that cybersecurity researchers have re-invented to varying degrees. We consolidate the new mechanisms literature to yield heuristics related to the fact that knowledge is of clusters of multi-field mechanism schema on four dimensions. General knowledge structures such as the intrusion kill chain provide context and provide hypotheses for filling in details. The philosophical analysis answers this research question, and also provides constraints on building the logic. Finally, we succeed in defining an incident analysis logic resembling Separation Logic and translating the kill chain into it as a proof of concept. Conclusion: These results benefit incident analysis, enabling it to expand from a tradecraft or art to also integrate science. Future research might realize our logic as automated decision support. Additionally, we have opened the field of cybersecurity to collaboration with philosophers of science and logicians.