CATS: Certified Authenticated Tamper-evident State Store for Network Services

This paper presents the design, implementation, and evaluation of CATS, a toolkit for indexed state storage for network services. CATS is based on a new implementation of a persistent authenticated dictionary, which integrates signed action records and cryptographic state digests into an index. This storage abstraction enables a CATS-based network service to certify its operations: any client with sufficient knowledge of the service semantics can verify that it behaves consistently and correctly. CATS is a fundamental building block for accountable network systems that can detect, isolate, and prove misbehavior or tampering. The paper defines properties for accountable services, presents the state-based approach to accountability, and explores the design alternatives for the state storage layer. Novel aspects of the CATS design include the use of probabilistic audits to address the problem of replayed writes common to previous approaches. Experimental results illustrate the access and update costs for authenticated data structures based on the current state of the art.