Tiny Groups Tackle Byzantine Adversaries

A popular technique for tolerating malicious faults in open distributed systems is to establish small groups of participants, each of which has a non-faulty majority. These groups are used as building blocks to design attack-resistant algorithms. Despite over a decade of active research, current constructions require group sizes of $O(\log n)$, where $n$ is the number of participants in the system. This group size is important since communication and state costs scale polynomially with this parameter. Given the stubbornness of this logarithmic barrier, a natural question is whether better bounds are possible. Here, we consider an attacker that controls a constant fraction of the total computational resources in the system. By leveraging proof-of-work (PoW), we demonstrate how to reduce the group size exponentially to $O(\log\log n)$ while maintaining strong security guarantees. This reduction in group size yields a significant improvement in communication and state costs.Comment: This work is supported by the National Science Foundation grant CCF 1613772 and a C Spire Research Gif

Adding Query Privacy to Robust DHTs

Interest in anonymous communication over distributed hash tables (DHTs) has increased in recent years. However, almost all known solutions solely aim at achieving sender or requestor anonymity in DHT queries. In many application scenarios, it is crucial that the queried key remains secret from intermediate peers that (help to) route the queries towards their destinations. In this paper, we satisfy this requirement by presenting an approach for providing privacy for the keys in DHT queries. We use the concept of oblivious transfer (OT) in communication over DHTs to preserve query privacy without compromising spam resistance. Although our OT-based approach can work over any DHT, we concentrate on communication over robust DHTs that can tolerate Byzantine faults and resist spam. We choose the best-known robust DHT construction, and employ an efficient OT protocol well-suited for achieving our goal of obtaining query privacy over robust DHTs. Finally, we compare the performance of our privacy-preserving protocols with their more privacy-invasive counterparts. We observe that there is no increase in the message complexity and only a small overhead in the computational complexity.Comment: To appear at ACM ASIACCS 201

Automated performance attack discovery in distributed system implementations

Security and performance are critical goals for distributed systems. The increased complexity in design, incomplete expertise of developers, and limited functionality of existing testing tools often result in implementations with vulnerabilities and make the debugging process difficult and costly. The deployed vulnerabilities are often exploited by adversaries preventing the system from achieving its design goals. We refer to attacks that slow down the performance of a system as performance attacks. In the past, finding performance attacks has been a painstaking manual process that involved an expert of the target implementation. Given the cost associated with each vulnerability that occurs in the production, there is a need for tools to automatically check that the implementation of a protocol achieves its performance goals with respect to malicious components in the system. In this dissertation, we find performance attacks automatically from implementations of distributed systems. We do not try to show that an implementation is free from all attacks. Our goal is to find attacks and report them to the user in a timely manner. We first investigate how to find attacks automatically from implementations under a simulated environment. A simulated approach, however, has a fundamental limitation in terms of applicable target systems, as certain assumptions are made about languages, operating systems or libraries used. Therefore, we next investigate challenges and requirements to automatically find attacks in implementations of distributed systems under an emulated environment where no limiting assumptions are made

Scalable and Secure Aggregation in Distributed Networks

We consider the problem of computing an aggregation function in a \emph{secure} and \emph{scalable} way. Whereas previous distributed solutions with similar security guarantees have a communication cost of $O(n^3)$, we present a distributed protocol that requires only a communication complexity of $O(n\log^3 n)$, which we prove is near-optimal. Our protocol ensures perfect security against a computationally-bounded adversary, tolerates $(1/2-\epsilon)n$ malicious nodes for any constant $1/2 > \epsilon > 0$ (not depending on $n$), and outputs the exact value of the aggregated function with high probability

PeerCube: an Hypercube-based P2P Overlay Robust against Collusion and Churn

International audienceIn this paper we present PeerCube, a DHT-based system that aims at minimizing performance penalties caused by high churn while preventing malicious peers from subverting the system through collusion. This is achieved by i) applying a clustering strategy to support quorum-based operations; ii) using a randomised insertion algorithm to reduce the probability with which colluding Byzantine peers corrupt clusters, and; iii) leveraging on the properties of PeerCube's hypercube structure to allow operations to be successfully handled despite the corruption of some clusters. Despite a powerful adversary that can inspect the whole system and issue malicious join requests as often as it wishes, PeerCube guarantees robust operations in O(logN) messages, with N the number of peers in the system. Extended simulations validate PeerCube robustness

Dependability Evaluation of Cluster-based Distributed Systems

19International audienceAwerbuch and Scheideler have shown that peer-to-peer overlay networks can survive Byzantine attacks only if malicious nodes are not able to predict what will be the topology of the network for a given sequence of join and leave operations. In this paper we inves- tigate adversarial strategies by following speci c protocols. Our analysis demonstrates rst that an adversary can very quickly subvert overlays based on distributed hash tables by simply never triggering leave operations. We then show that when all nodes (honest and malicious ones) are imposed on a limited lifetime, the system eventually reaches a stationary regime where the ratio of polluted clusters is bounded, independently from the initial amount of corruption in the system