Client Security in Scalable and Survivable Object Systems

Abstract: This report describes an architecture for defending against client capture in Fleet, a survivable distributed object store. The work is primarily concerned with the case in which the clients accessing objects are user-driven devices that are authorized to invoke methods on objects, yet should be rendered unusable if taken from their rightful owners. Toward this end, we integrate a technique called "capture resilience" into the Fleet system. We show that capture resilience and Fleet have a symbiotic relationship: in addition to hardening Fleet against client compromise through physical capture, the capabilities Fleet offers permit the construction of a capture-protection infrastructure with better properties than were previously attainable. This infrastructure is the primary focus of this document.
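The property the abstract describes, a device that can invoke operations while its owner holds it but becomes useless once captured, is easiest to see in code. The following is an added toy illustration, not Fleet's protocol and not code from the report: the device's signing key is split additively between the device and a helper server, so every signature is a two-party Schnorr computation, the device's share is masked with a password-derived value at rest, and the server refuses to cooperate after an owner-issued disable or after a small number of wrong passwords. The group parameters, the failure threshold, the password verifier and the enrollment flow are all assumptions of this example, and the group is far too small to be secure.

```python
"""Toy capture-resilient signing: the device cannot sign without a server's half.

Added illustration only; not Fleet's protocol and not the report's code.
Group parameters are toy-sized and insecure; the control flow is the point.
"""
import hashlib
import hmac
import secrets

# Toy Schnorr group: p = 2q + 1, q prime, g = 4 generates the order-q subgroup.
# Real deployments need a >= 256-bit q (or an elliptic-curve group).
P, Q, G = 2039, 1019, 4
MAX_FAILURES = 3   # assumed policy: lock the device after this many bad passwords


def h_to_int(*parts: bytes) -> int:
    """Hash byte strings to an element of Z_q (domain-separated by the caller)."""
    return int.from_bytes(hashlib.sha256(b"|".join(parts)).digest(), "big") % Q


def kdf(password: str, salt: bytes) -> int:
    """Password-derived mask that hides the device's key share at rest (toy KDF)."""
    return h_to_int(b"kdf", password.encode(), salt)


def verifier(password: str, salt: bytes) -> bytes:
    """Password check value the server stores and the device presents per request."""
    return hashlib.sha256(b"auth|" + password.encode() + b"|" + salt).digest()


def challenge(r_pub: int, msg: bytes) -> int:
    """Schnorr challenge e = H(R, m) mod q."""
    return h_to_int(b"chal", r_pub.to_bytes(2, "big"), msg)


class Server:
    """Holds the second additive key share of each device plus its disable state."""

    def __init__(self):
        self.devices = {}

    def enroll(self, device_id: str, d2: int, auth: bytes):
        # Enrollment is assumed to run over a trusted channel at provisioning time.
        self.devices[device_id] = {"d2": d2, "auth": auth, "failures": 0, "disabled": False}

    def disable(self, device_id: str):
        """Owner reports the device captured: refuse all further help for it."""
        self.devices[device_id]["disabled"] = True

    def sign_half(self, device_id: str, auth: bytes, r1_pub: int, msg: bytes):
        """Return (R2, s2) or None. Wrong passwords are counted, not just refused."""
        rec = self.devices[device_id]
        if rec["disabled"]:
            return None
        if not hmac.compare_digest(auth, rec["auth"]):
            rec["failures"] += 1
            if rec["failures"] >= MAX_FAILURES:
                rec["disabled"] = True   # a thief gets a few online guesses, never an offline attack
            return None
        rec["failures"] = 0
        r2 = secrets.randbelow(Q - 1) + 1
        r2_pub = pow(G, r2, P)
        e = challenge((r1_pub * r2_pub) % P, msg)
        return r2_pub, (r2 + e * rec["d2"]) % Q


class Device:
    """Stores only a password-masked key share; useless without the server."""

    def __init__(self, device_id: str, server: Server, password: str):
        self.device_id, self.server = device_id, server
        self.salt = secrets.token_bytes(8)
        d1 = secrets.randbelow(Q - 1) + 1
        d2 = secrets.randbelow(Q - 1) + 1
        self.public_key = pow(G, (d1 + d2) % Q, P)
        self.masked_d1 = (d1 + kdf(password, self.salt)) % Q   # all a thief finds on disk
        server.enroll(device_id, d2, verifier(password, self.salt))
        # d1, d2 and the password are deliberately not kept in clear anywhere

    def sign(self, password: str, msg: bytes):
        """Schnorr signature (R, s) over msg, or None if the server refuses."""
        d1 = (self.masked_d1 - kdf(password, self.salt)) % Q
        r1 = secrets.randbelow(Q - 1) + 1
        r1_pub = pow(G, r1, P)
        reply = self.server.sign_half(self.device_id, verifier(password, self.salt), r1_pub, msg)
        if reply is None:
            return None
        r2_pub, s2 = reply
        r_pub = (r1_pub * r2_pub) % P
        s = (r1 + challenge(r_pub, msg) * d1 + s2) % Q
        return r_pub, s


def verify(public_key: int, msg: bytes, sig) -> bool:
    """Standard Schnorr check: g^s == R * y^e (mod p)."""
    r_pub, s = sig
    return pow(G, s, P) == (r_pub * pow(public_key, challenge(r_pub, msg), P)) % P
```

What the example shows: a thief holding the device but not the password gains nothing offline, because the masked share is useless without the server's half and the server counts each wrong guess; a thief holding both the device and the password can sign only until the owner calls `disable`, after which the device is dead. The single helper server here is itself a point of failure and of trust, which is exactly the gap the abstract says Fleet's survivable, replicated store closes; replicating the server's share across Fleet's servers is not modelled in this toy.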
