Principles of untrusted storage: a new look at consistency conditions
暂无分享,去创建一个
We are interested in the integrity of data stored on an untrusted server, which provides a storage service to multiple clients that access it over an asynchronous network. In this model, some malicious actions by the server can never be prevented [4, 1]. For example, even if the clients sign all their data, the server may use an outdated value in the reply to a reader and omit a more recent update. Nevertheless, clients of such a storage service would normally be interested in the following three properties. First, when the server is correct, the service should be as easy to use as if it were provided by a trusted entity. Because this situation is expected to be the normal case, client operations should have strong liveness guarantees (i.e., wait-freedom) and exhibit strong consistency under concurrent access (e.g., linearizability). We call the combination of these features strong failure-free semantics. Second, when the server is faulty (potentially Byzantine faulty), the service should still provide some guarantees, most notably, integrity in the sense that no client reads data that was never written. Furthermore, the service should prevent inconsistencies between clients to the amount possible, for example, by ensuring causal consistency, which has been shown to be useful for a variety of applications (e.g., collaboration tools). We call this property graceful degradation. Finally, the clients should have means to detect when the server answers them inconsistently and to recover from such a situation. For example, a roll-back procedure may bring their internal states again to a point where their operations are consistent. We call this property traceability. The SUNDR system [2, 4] is the first realization of an untrusted storage system satisfying most of these properties. It ensures that, although a client may fail to see some operations of other clients, all the operations a client does see are observed in the agreed linearization order. We call this property of SUNDR fork-linearizability. For a system with n clients, the SUNDR protocol incurs a communication overhead proportional to n bits per operation. Recently, Cachin et al. [1] presented a more efficient fork-linearizable storage protocol with only O(n) communication overhead per operation. This improvement comes at the cost of in-
[1] David Mazières,et al. Beyond One-Third Faulty Replicas in Byzantine Fault Tolerant Systems , 2007, NSDI.
[2] Dennis Shasha,et al. Building secure file systems out of byzantine storage , 2002, PODC '02.
[3] Dennis Shasha,et al. Secure Untrusted Data Repository (SUNDR) , 2004, OSDI.
[4] Abhi Shelat,et al. Efficient fork-linearizable access to untrusted shared memory , 2007, PODC '07.