Byzantine Replication for Trustworthy Systems

A trustworthy networked information system (NIS) must continue to operate correctly even in the presence of environmental disruptions, human errors, and hostile attacks [10]—in other words, it must be both faulttolerant and secure. Reasoning about such a system is, unfortunately, very hard. Our limited success to date in building reliable NISs is an indication of the complexity involved with guaranteeing “just” fault-tolerance; once security is added, complexity runs the risk of becoming unmanageable. To compound the challenge, faulttolerance and security do not seem to integrate nicely. On the one hand, they often duplicate efforts, since both are concerned with maintaining data integrity and availability. On the other hand, they can be at odds with each other—for instance, the very replication that improves data integrity and availability against faults, harms confidentiality. An attractive approach toward managing this complexity is to model a component whose security has been compromised as faulty according to the Byzantine failure model. A system can then be hardened to guarantee its correct operation even if a subset of its components, up to a given threshold, suffer Byzantine faults. This approach can potentially yield significant advantages. First, it holds the promise of simplifying reasoning about trustworthy systems by making security a byproduct of fault tolerance. Second, it opens the possibility of leveraging for security purposes the large body of existing research in Byzantine fault tolerance (BFT). Third, it suggests that it may be possible to assemble untrustworthy components into a trustworthy system, just as traditional fault-tolerance protocols assemble unreliable components to build reliable systems. This is especially attractive given the economics of today’s marketplace, where few components are rigorously tested or verified. At the same time, this approach raises several concerns. First, Byzantine fault tolerance is notoriously expensive. It is not just that Byzantine protocols, to operate correctly, typically require participants to engage in numerous rounds of communication; much more importantly, they require a very high degree of replication, The cost associated with this replication may be prohibitively high, especially when considering that nversion programming (or opportunistic n-version programming) may be required to reduce the possibility of a large number correlated Byzantine faults caused by a single security exploit. Second, traditional Byzantine fault-tolerance techniques do not address confidentiality, which is a crucial aspect of security. Indeed, the replication required by most existing Byzantine fault-tolerance techniques can actually hurt confidentiality. Third, the very soundness of modeling nodes compromised as a result of a security attack as if they were Byzantine faults is problematic. The ability to choose an accurate value for f , the maximum number of faults that can occur at any time, is critical to the safety of any BFT protocol. When Byzantine fault tolerance is not used against security attacks, it is reasonable to treat Byzantine failures as independent and compute f accordingly. But it is not obvious how to compute f so the system is safe when an attacker finds a new vulnerability in an operating system—when that happens, the probability that all replicas running the same OS will shortly be compromised increases sharply. It is not clear whether the diversity introduced through n-version programming is sufficient to reduce significantly the probability of this type of correlated faults. Our research agenda over the last three years has been to determine whether or not hardening distributed systems against Byzantine faults is a practical and sound approach towards increasing trustworthiness. We have focused on two architectural primitives, state-machines and quorum systems, with encouraging results [1, 3, 2, 8, 5, 6, 11]. We are currently moving our agenda forward along three directions.