The role of accountability in dependable distributed systems

This paper promotes accountability as a first-class design principle for dependable network systems. Conventional techniques for dependable systems design are insufficient to defend against an adversary that manipulates the system covertly in order to lie, cheat, or steal. This paper treats subversion as a form of fault, and suggests that designing accountability into the system provides the means to detect, isolate, and tolerate such faults, and even to prevent them by removing incentives for malicious behavior. A key challenge for the future is to extend the repertoire of dependable systems design and analysis with broadly applicable techniques to build systems with target levels of accountability quantified by the probability that an attacker will be exposed.