Robust Distributed Name Service: Baruch Awerbuch Baruch@cs - Jhu.edu Christian Scheideler Scheideler@cs - Jhu.edu

Download as pdf or txt
Download as pdf or txt
You are on page 1of 6

Robust Distributed Name Service

Baruch Awerbuch∗ Christian Scheideler∗


[email protected] [email protected]

Abstract tographic methods will not be able to keep adversarial


peers out. Thus, one should abandon classical methods
This paper suggests a method called Trust-but-Verify for securing peer-to-peer systems and instead search
that may turn DHT-based peer-to-peer systems into for mechanisms that ensure reliability despite the pres-
systems that are provably robust against even massive ence of adversarial peers.
adversarial attacks. The goal of this paper is to demonstrate that it seems
posssible to design completely open peer-to-peer sys-
tems that are provably robust against arbitrary Byzan-
1 Introduction tine attacks of a large fraction of its peers.
The Internet was originally designed for the purpose of
being extremely robust against hardware attacks, such 1.1 Security goal
as natural disasters or wars. However, software at-
tacks (such as viruses, worms, or denial-of-service at- In order provide a distributed name service, the follow-
tacks) have become increasingly severe over the past ing operations have to be implemented:
few years, whereas hardware attacks are negligible.
• p.Join(q, Name): peer p in the system receives a
Thus, for any distributed application to run reliably on
request to join the system from a peer q with iden-
the Internet, it is of utmost importance that it is ro-
tity Name.
bust against adversarial software attacks. This is espe-
cially important for critical applications such as name • p.Leave(): peer p leaves the system.
service, i.e. a service that translates names such as • p.Lookup(Name): peer p wants to obtain the
“machine.cs.school.edu” into IP addresses so that ma- IP address of the peer q in the system with
chines can communicate with each other. Name(q) = Name.
The current way name service is provided in the In-
ternet is server-based. However, server-based architec- These operations must be implemented so that they can
tures are vulnerable to attacks. A much more robust be run concurrently and reliably in an asynchronous
alternative appears to be the recently emerged peer-to- environment in spite of massive insider attacks, i.e. ar-
peer paradigm with its strictly decentralized approach. bitrary Byzantine behavior by a large number of peers
Unfortunately, despite the appeal of a decentralized ap- that are part of the service. An overlay network is
proach, it appears to be a daunting task to develop peer- called reliable if any of the three network operations
to-peer networks that are robust against adversarial at- Join, Leave, and Lookup can be executed reliably by
tacks. Most of the proposed solutions suggest the use any honest peer. The goal of this paper is to demon-
of classical methods such as certification authorities or strate that efficient and reliable overlay networks can
cryptography to secure peer-to-peer systems. However, be constructed under certain simplifying assumptions.
it should be clear that without being overly restrictive,
a certification authority will be ineffective in banning
adversarial peers. Also, in an open environment, cryp- 1.2 Fundamental principles for reliability

Department of Computer Science, Johns Hopkins University, To achieve efficiency and reliability, we believe that the
3400 N. Charles Street, Baltimore, MD 21218, USA following fundamental principles have to be fulfilled.
Regions instead of individual peers. Certainly, a reliably, we must make sure that in every region rele-
system in which the correct execution of an overlay vant to an honest peer, the honest peers are in the ma-
network operation depends on the correct behavior of jority. Taking this into account, our goal above can be
individual peers is not survivable. Hence, quorums of rephrased in the following, more formal way:
peers have to be formed to check each other’s behav-
ior and therefore ensure the reliable execution of op- Design overlay network operations so that for any
erations. However, forming separate quorums of peers arrival-departure sequence of honest and adversarial
(i.e. grouping the peers in disjoint clusters) in a dis- peers over t time steps in which the adversarial peers
tributed system is not an easy task. The problem here never represent more than an  fraction of the peers in
is that the number of clusters cannot be kept fixed if one the overlay network, the adversarial peers will not gain
wants the system to be scalable. Hence, once in a while the majority in any region relevant for honest peers,
clusters have to be created, deleted, split, or merged. with high probability.
However, since adversarial peers can create different
views of the current situation in honest peers, it is hard We call an overlay network survivable if it can en-
to find a consensus on a cluster operation between the sure this property for any t = poly(n), where n is
honest peers, creating inconsistencies. To avoid these the smallest number of peers in the overlay network
problems, we suggest not to form clusters but instead during the adversarial attack. Our goal will be to for-
allow each honest peer to decide by itself which re- mulate basic conditions and protocols for the network
gions of peers it considers to be safe. In our case, the operations to fulfill the survivability condition. Notice
ID space of the peers will be the interval [0, 1), and a that we have to add the term “with high probability”
region may be any subinterval of this interval. Overlay above, because a priori, it is not possible to distinguish
network operations initiated by a peer will be executed between honest and adversarial peers. So no absolute
on a region level. guarantees can be given, unless we put all peers into a
single region, which is highly inefficient and therefore
Flexible instead of fixed regions. We will adopt the out of question.
approach in DHT-based systems of using a pseudo-
random one-way hash function for assigning IDs in 1.4 Existing work
[0, 1) to the peers. One-way hash functions protect
against identity theft but they cannot protect against There is fair amount of work on the subject. The relia-
adversarially selected hash values to obtain the major- bility of hash-based peer-to-peer overlays (or DHT’s)
ity of peers in some region. Hence, any region-based such as Chord [12], Pastry [10], and Tapestry [13]
organization that wants to be survivable in an open en- hinges on the assumption that the IDs given to the peers
vironment must be flexible in the region size. In other are pseudo-random, so that they can cope with a con-
words, it does not suffice just to pick regions of size stant fraction of the peers failing concurrently, with
O((log n)/n) to ensure survivability but region sizes only logarithmic overhead. While this may seem to
have to be adapted to the scale of the attack on the peer- perfectly defeat massive attacks under these random-
to-peer system. Ideally, this should be done so that the ness assumptions, DHT’s cannot handle even small-
region size is kept at a minimum possible size neces- scale adaptive adversarial attacks involving the selec-
sary to cope with the attack, i.e. for scalability reasons tion of adversarial IP addresses (to get close to de-
it should be avoided just to group all the peers into a sired IDs). One such “sybil” attack is described in [5].
single region. Remarkably, the attackers do not need to do anything
complex such as inverting the hash function; all that
is needed is to get hold of a handful (actually, loga-
1.3 Basic approach
rithmic) number of IP addresses so that IDs can be ob-
We require that any execution of a Join, Leave, or tained that allow to disconnect some target from the
Lookup operation (by honest peers), as well as the stor- rest of the system. This can be accomplished by a lin-
age of data, has to be handled on a region level. To ear number of offline trial/errors. For similar attacks,
ensure that regions (and therefore the network) work see [4].

2
Much of the active sabotage attacks, such as forg- into the network. We allow arbitrary adversaries with
ing the correctness and authenticity of data as well bounded resources, i.e. an adversary may have an un-
as misrouting, can be addressed using cryptographic limited number of IDs for its peers but it can only own
techniques such as selfcertifying path names [8], end- at most an -fraction of the peers in the system at any
to-end acknowledgements, etc. These techniques al- time. Such adversaries are called -bounded. A priori,
low the system to detect and ignore nonauthentic data, adversarial peers cannot be distinguished from honest
avoid peers who incorrectly route, etc. Blocking of peers.
routing packets appears to be the most difficult to mon- We assume that every honest peer that wants to join
itor. Examples of routing attacks are discussed in Cas- the system knows some honest peer already in the sys-
tro et al. [3], and examples of data-related attacks are tem and thus can initiate the Join operation by one of
described by Sit and Morris [11], who give a series these peers. This is a reasonable assumption, because
of examples of particular weaknesses in existing hash- if a new honest peer does not know any honest peer in
based networks and discuss potential defenses against the system, there is certainly no (reliable) way that it
some of these problems. [3] describe attacks that can can join the system.
be mounted against such overlay networks and the ap- We consider asynchronous systems in which every
plications they support, and present the design of se- honest peer has roughly the same clock speed but there
cure techniques that may help thwart some of these at- is no global time. Since honest peers are considered
tacks in certain practical scenarios (such as using cer- reliable, we assume that at any point in time, any mes-
tified IDs). sage sent by an honest peer p to another honest peer q
Below we describe some of the more theoretical ap- will arrive at q within a unit of time. (Other message
proaches. transmissions may need any amount of time.) Further-
Classical distributed computing methods [6, 2, 7, 9] more, honest peers have unbounded bandwidth, i.e. an
use Byzantine agreement and two-phase commit ap- honest peer can receive and send out an unbounded
proaches with inherently Ω(n) redundancy and over- number of messages in a unit of time. The latter as-
head to maintain a safe state. sumption allows us to ignore denial-of-service attacks,
Random or unpredictable placement of data in a log- but it does not simplify the task of securing an overlay
arithmic size subset of locations (as in Freenet) ensures network against legal attacks (i.e. attacks exploiting
that data is difficult to attack, but also makes it diffi- security holes in its protocols). As long as adversarial
cult to retrieve. Specifically, data retrieval of randomly peers do not transmit unnecessary packets, the num-
placed data requires a linear number of queries, which ber of messages an honest peer will have to deal with
is definitely unscalable. in a time unit will normally be low so that our pro-
Provable randomness is the method pursued in [1]. tocols are practical despite this assumption. Designing
This results in fairly complex protocols, using various provably secure overlay networks for honest peers with
cryptographic assumptions. bounded bandwidth is very challenging and needs fur-
ther research.
We assume that a certification authority is available
2 The Trust-but-Verify approach to issue certified names to peers that want to enter the
system. This prevents peers from taking over the iden-
We start with a collection of basic assumptions explain- tities of other peers, but it does not prevent adversarial
ing the model of our approach. peers from registering under adaptively chosen names
that are different from names of the honest peers. An
2.1 Basic assumptions honest peer only establishes connections to peers with
correctly certified names. The identification number of
We consider a peer to be adversarial if it belongs to an a peer p, ID(p), in our overlay network is determined
adversary or it is simply unreliable. Otherwise, a peer by a pseudo-random one-way hash function mapping
is called honest. We assume that honest peers cannot names to real values in [0, 1). The pseudo-randomness
be taken over by the adversary. However, the adver- makes sure that IDs of honest peers are random, and
sary has a collection of own peers that it can integrate the one-way property makes sure that if the name of a

3
peer cannot be taken over, it is also hard to take over In the following, a region always means an interval of
its ID. Finally, we need some assumptions about how size 1/2i for some integer i ≥ 0 starting at an integer
messages are passed. We assume that the source of a multiple of 1/2i . I.e. every region has a unique tree
message cannot be forged so that adversarial peers can- node.
p
not forge messages from honest peers. Also, a message Given a peer p and a region R, let CR denote p’s
sent between honest peers cannot be deleted or altered view of R, i.e. the set of peers p is connected to in
by the adversary. However, the adversary may know R. p’s view of R is called reliable if the number of
p p
about every message sent in the system. adversarial peers in CR is at most |CR |/4. Given that
all honest peers have random IDs, the following result
2.2 Outline of Trust-but-Verify approach holds, where n is the current number of honest peers in
the system.
The basis of the trust-but-verify approach is the as-
sumption that the hash value of every honest peer is Theorem 2.1 Let 0 <  ≤ 1/8 and c > 0 be con-
like an independent, random value in [0, 1), but hash stants. If for some peer p and region R, |R| ≥
p p
values of adversarial peers may be any values differ- (c log n)/n and |CR | ≤ (1 + )|R| · n, CR contains
ent from the values of honest peers. The honest peers all honest peers in R, and c is sufficiently large com-
will organize in regions R ⊆ [0, 1) they consider to pared to , then p’s view of R is reliable, with high
be safe (i.e. the honest peers are in the majority) and probability.
will form a hypercubic pointer structure between these
regions. If an honest peer feels that one of its regions The theorem directly follows from the well-known
is no longer safe, it will change it to a larger region. Chernoff bounds because if |R| ≥ (c log n)/n for a
On the other hand, if an honest peer feels that a subre- sufficiently large c, then the number of honest nodes in
gion within one of its regions is now safe, it will move R is at least (1 − )|R| · n, with high probability. In this
p
to the subregion. Each honest peer will continuously case, the fraction of adversarial nodes in C R can be at
probe peers it knows in its regions. If some peer does most 2 ≤ 1/4 if  ≤ 1/8.
not respond, the honest peer will drop its connection Hence, honest nodes p should, as a prerequisite, try
to it. Since we assume honest peers to be reliable, this to maintain connections to regions R so that |R| ≥
p
will not happen to honest peers. Messages are routed (c log n)/n and |CR | ≤ (1+)|R|·n. If this is true, we
along safe regions to make sure that adversarial peers say that p views its region to be reliable, or the region is
cannot alter, delay, or delete them. Next we give a more safe. There are several issues that have to be addressed
detailed description of how to select regions, how to in- in order to maintain these safeness requirements. For
terconnect the peers, and how to join, leave, and search example, honest peers need a good approximation of n,
in the overlay network. and they need to be able to send region queries in order
to expand their region view if necessary. Also, as we
2.3 Region decomposition will see, just maintaining safe regions is not sufficient
for reliable communication as required for estimating
Consider an infinite complete binary tree T with root n.
r. We use T to decompose [0, 1) into a hierarchy of
intervals. For this, let each edge to a left child have 2.4 Overlay network
label 0 and each edge to a right child have label 1. For
each node v in T , we define its label `(v) to be the The level of a region R is defined as the level of its tree
bit string resulting from the edge labels when going node and denoted by `R , where the root of the decom-
along the unique path from r to v. (I.e. the leftmost position tree has level 0.
node in level 4 of T has label 0000, and its sibling has The aim of every honest peer p is to maintain the
label 0001.) For any node label ` = (x 1 x2 x3 . . .), we smallest region Sp containing ID(p) that is safe from
P
define b(`) = i≥1 xi 2−i . Using this terminology, we p’s point of view. Sp is also called p’s home region.
can associate a unique region in [0, 1) with each tree Also, a set of active regions Ap = {Api | i ∈ ZZ} is
node v at level i in T : Rv = [b(`(v)), b(`(v)) + 1/2i ). maintained so that for every i ≥ 0,

4
1. Api (resp. Ap−i ) is the smallest region containing p still keeps a backup of Sp for a limited time to
ID(p) + 1/2i (resp. ID(p) − 1/2i ) that is safe from avoid problems for regions A ∈ Aq containing p.)
p’s point of view and
2. N Sp is still unsafe. Then p moves one level up-
p p
2. at least |CA p |/3 (resp. |C p |/3) of the peers q in
A
wards with N Sp . (We explain below how to real-
i −i
Api (resp. Ap−i ) reported to p that `Sq ≥ `Ap (resp. ize that.)
i
`Sq ≥ `Ap ). 3. A region N Api ∈ N Ap is now safe. Then p sends
−i

Using the 1/3 rule in condition 2 has two benefits: (p, i, `N Sp ) to all peers q it knows of that contain
First, it guarantees that if an active region A is reli- p in one of their untrusted regions and updates A pi
able, then there is at least one honest peer having its to N Api .
safe region inside A, which is useful for routing. Sec- 4. A set N Api ∈ N Ap is still unsafe or violates the
ond, if the 1/3 rule is violated at some point, then the 1/3 rule. Then p moves one level upwards with
majority of peers having a safe region larger than A is N Api .
honest, allowing p to use a majority rule for view fil-
tering to expand A to a region of higher level. If the arrival rate of honest and adversarial peers is lim-
Notice that there can be different values i 1 and i2 ited to / log 2 n, then the size of currently trusted re-
with Api1 ⊆ Api2 , so regions may sometimes be con- gions is accurate enough to estimate n. Also, if the de-
tained in other regions, but for any two active regions parture rate of honest peers is limited to / log 2 n, then
R1 and R2 of a peer p it must hold that either R1 ⊆ R2 the honest peers will be able to find new safe regions
(resp. R2 ⊆ R1 ) or R1 ∩ R2 = ∅. Those regions R1 for Sp and some Api quickly enough before the old ver-
with R1 ⊆ R2 only have to be maintained implicitly, sions of these sets become unreliable. More precisely,
so that p only has to explicitly store O(log n) regions the following result can be shown.
at any point in time.
Besides Sp and Ap , each honest peer p also main- Theorem 2.2 If the adversary is -bounded for some
tains a region N Sp representing the new but not yet sufficiently small constant  > 0 and the arrival and
safe version of Sp and a set of regions N Ap represent- departure rate of honest and adversarial peers is at
ing the new but not yet safe version of A p . All new most 0 / log 2 n for some sufficiently small constant
peers are only added to N Sp and N Ap . If N Sp is safe 0 > 0, then our protocols ensure that for any honest
at some point, Sp is replaced by N Sp . The same is peer p, Sp and any A ∈ Ap are reliable at any time,
done for regions in N Ap . Hence, Sp and Ap are safe with high probability.
snapshots of the system. p views the regions S p and
In order to prove this result, we have to describe how
Ap as trusted and the other regions N Sp and N Ap as
to grow the size of a region. This is handled by region
untrusted.
requests. Before explaining them, we start with lookup
p maintains connections to all peers in S p (and some
requests.
limited number of older versions of S p ), Ap , N Sp , and
N Ap and all peers q (it knows of) with p in S q , Aq ,
N Sq , or N Aq , but p only forwards requests with a ma- 2.6 Lookup requests
jority consensus in one of its trusted regions. The peer p initiating a request M sends M to all nodes
of its active region Ap0 . Every peer q that receives M
2.5 Maintaining safe and active regions will forward M to all peers q 0 it knows within Ap0 . Ev-
An honest peer p performs the following actions to ery peer q that receives M from at least half of the
nodes in Sq sends it on to all nodes of its active re-
maintain its safe and active regions:
gion representing the next hop of M to its destination.
1. N Sp is now safe. Then p sends (p, `N Sp ) to all There, the same spreading and checking is done as in
peers q it knows of that contain p in one of their p’s active region until M reaches the destination.
untrusted regions and updates Sp to N Sp . (N Sp Condition 2 of an active region and Theorem 2.2
may be smaller or larger than Sp . If `N Sp < `Sp , make sure that if p is honest, there is always at least

5
one honest peer at each hop that receives the message size, i.e. (c log n)/n. If this does not provide a safe
from a majority of nodes in its safe region so that the region for some Api or Sp , p moves upwards with that
message is delivered in O(log n) steps. region until it obtains a region satisfying the require-
ments of a safe or active region. For each such region
2.7 Region requests that p obtains, p integrates itself into the system. After
O(log 2 n) steps, p is fully integrated.
Region requests also use active regions to obtain a le- Leaving is simple: a peer may leave with or without
gal view of some requested region. A peer is called a notice. It is only important that the departure rate of
legal member of the system if at least one honest peer honest peers does not exceed / log 2 n.
is connected to it, and a view of a region R is called
legal if it only contains legal members. We intend to prove the following conjecture as the
A region request that is still outside the requested end result of all the conditions and protocols.
region is handled like a lookup request. Once a region Conjecture 2.3 The Trust-but-Verify method results in
request for R is in R, the request is split into two re- a survivable overlay network.
quests, one for each subregion of R, and this division
is continued at lower stages until the considered region References
R0 is a subset of the region Aq0 of peer q handling the
request. Then q sends its view of R 0 backwards, which [1] B. Awerbuch and C. Scheideler. Group Spreading: A protocol for
provably secure distributed name service. Unpublished manuscript.
is combined and filtered by majority rule upwards till
[2] Castro and Liskov. Practical Byzantine fault tolerance. In OSDI,
the request gets back to its origin. 1999.
Every region request by an honest peer is processed
[3] M. Castro, P. Druschel, A. Ganesh, A. Rowstron, and D. S. Wallach.
correctly in O(log n) steps. Secure routing for structured peer-to-peer overlay networks. In OSDI,
2002.

2.8 Estimating n [4] S. Crosby and D. Wallach. Denial of service via algorithmic com-
plexity attacks. In Usenix Security, 2003.
The estimation of n is done recursively, starting with [5] J. R. Douceur. The sybil attack. In IPTPS, 2002.
each peer p reporting the size and level of A p0 to all
[6] L. Lamport. The weak Byzantine generals problem. Journal of the
peers q it knows of in the next higher region containing ACM, 30(3):669–676, 1983.
p. Suppose now that up to level ` each honest peer p [7] L. Lamport and N. Lynch. Distributed computing. Chapter of Hand-
has computed an estimate of the number of peers in book on Theoretical Computer Science. Also, to be published as
its home region (i.e. the region containing it) of level Technical Memo MIT/LCS/TM-384, Laboratory for Computer Sci-
ence, Massachusetts Institute of Technology, Cambridge, MA, 1989.
`. If p reports its view to all peers it knows of in its
home region of level `−1, then every honest peer q will [8] D. Mazieres, M. Kaminsky, M. F. Kaashoek, and E. Witchel. Sep-
arating key management from file system security. In SOSP, pages
obtain views for the two regions of level ` contained in 124–139, 1999.
its home region of level ` − 1, because q has active [9] R. D. Prisco, B. W. Lampson, and N. A. Lynch. Revisiting the Paxos
regions overlapping with each of these regions. Since algorithm. In Workshop on Distributed Algorithms, pages 111–125,
q’s active regions are safe, it can use the median rule 1997.

once it has received views from a majority of peers in [10] A. Rowstron and P. Druschel. Pastry: Scalable, distributed object lo-
each region to compute an estimate for the size of its cation and routing for large-scale peer-to-peer systems. In IFIP/ACM
International Conference on Distributed Systems Platforms (Middle-
home region of size ` − 1. This is continued upwards ware), 2001.
until every honest peer has an estimate of the number [11] E. Sit and R. Morris. Security considerations for peer-to-peer dis-
of peers in [0, 1). tributed hash tables. In MIT workshop on Peer-Peer Systems, 2001.
The estimation procedure takes O(log n) steps. [12] I. Stoica, R. Morris, D. Karger, M. F. Kaashoek, and H. Balakrishnan.
Chord: A scalable peer-to-peer lookup service for internet applica-
tions. In SIGCOMM ’01, 2001.
2.9 Join and leave
[13] B. Y. Zhao, J. Kubiatowicz, and A. Joseph. Tapestry: An infras-
tructure for fault-tolerant wide-area location and routing. In UCB
If a new peer p wants to join via some peer q in the sys- Technical Report UCB/CSD-01-1141, 2001.
tem, it starts with requesting regions of lowest possible

You might also like