TrInc: Small Trusted Hardware for Large Distributed Systems

A simple yet remarkably powerful tool of selfish and malicious participants in a distributed system is "equivocation": making conflicting statements to others. We present TrInc, a small, trusted component that combats equivocation in large, distributed systems. Consisting fundamentally of only a non-decreasing counter and a key, TrInc provides a new primitive: unique, once-in-a-lifetime attestations. We show that TrInc is practical, versatile, and easily applicable to a wide range of distributed systems. Its deployment is viable because it is simple and because its fundamental components, a trusted counter and a key, are already deployed in many new personal computers today. We demonstrate TrInc's versatility with three detailed case studies: attested append-only memory (A2M), PeerReview, and BitTorrent. We have implemented TrInc and our three case studies using real, currently available trusted hardware. Our evaluation shows that TrInc eliminates most of the trusted storage needed to implement A2M, significantly reduces communication overhead in PeerReview, and solves an open incentives issue in BitTorrent. Microbenchmarks of our TrInc implementation indicate directions for the design of future trusted hardware.
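As an added illustration, not code from the paper or its authors: a minimal model of the counter-plus-key primitive the abstract describes. The trinket binds a message hash to a counter value it will never issue again, so two conflicting statements can never both carry genuine attestations for the same counter value. The class and function names, the strictly-increasing rule, and the HMAC used as a stand-in for the trinket's signing key are all assumptions of this sketch.

```python
import hashlib
import hmac

# Assumed simplification of the abstract's primitive: one non-decreasing counter
# plus one key. The MAC stands in for the trinket's signature; a real deployment
# would sign with a private key so that verifiers hold no secret.
def _tag(key, trinket_id, prev, new, msg_hash):
    data = f"{trinket_id}|{prev}|{new}|{msg_hash}".encode()
    return hmac.new(key, data, hashlib.sha256).hexdigest()

class Trinket:
    def __init__(self, trinket_id, key):
        self.id = trinket_id
        self._key = key      # never leaves the trinket
        self.counter = 0     # non-decreasing for the trinket's lifetime

    def attest(self, new_counter, msg_hash):
        """Bind msg_hash to counter value new_counter; the interval
        (counter, new_counter] can be attested once and only once."""
        if new_counter <= self.counter:
            raise ValueError("counter must strictly increase")
        prev, self.counter = self.counter, new_counter
        return (self.id, prev, new_counter, msg_hash,
                _tag(self._key, self.id, prev, new_counter, msg_hash))

def verify(att, key):
    """Verifier side: accept only attestations the trinket actually produced."""
    trinket_id, prev, new, msg_hash, tag = att
    return hmac.compare_digest(tag, _tag(key, trinket_id, prev, new, msg_hash))

def equivocates(a1, a2, key):
    """True if two genuine attestations from one trinket bind the same counter
    value to different statements. An honest trinket cannot emit such a pair,
    so seeing one means the key itself has been compromised."""
    return (verify(a1, key) and verify(a2, key)
            and a1[0] == a2[0] and a1[2] == a2[2] and a1[3] != a2[3])

def demo():
    key = b"constructed-demo-key"           # constructed sample key
    t = Trinket("trinket-1", key)
    h_a = hashlib.sha256(b"I received block 7").hexdigest()
    h_b = hashlib.sha256(b"I never received block 7").hexdigest()
    a1 = t.attest(1, h_a)                   # first statement for counter 1
    try:
        t.attest(1, h_b)                    # conflicting statement, same counter
        second_accepted = True
    except ValueError:
        second_accepted = False              # trinket refuses to equivocate
    forged = (a1[0], a1[1], a1[2], h_b, a1[4])   # reuse a1's tag for h_b
    return (verify(a1, key), second_accepted,
            verify(forged, key), equivocates(a1, forged, key))
```

`demo()` returns `(True, False, False, False)`: the first attestation verifies, the trinket refuses a second statement at the same counter value, and a forged attestation that reuses the first tag fails verification.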
