IEEE TRANSACTIONS ON PARALLEL AND DISTRIBUTED SYSTEMS, VOL. 23, NO. 3, MARCH 2012

Bounding the Impact of Unbounded Attacks in Stabilization

Swan Dubois, Toshimitsu Masuzawa, Member, IEEE, and Sébastien Tixeuil

Abstract—Self-stabilization is a versatile approach to fault-tolerance since it permits a distributed system to recover from any transient fault that arbitrarily corrupts the contents of all memories in the system. Byzantine tolerance is an attractive feature of distributed systems that permits coping with arbitrary malicious behaviors. Combining these two properties proved difficult: it is impossible to contain the spatial impact of Byzantine nodes in a self-stabilizing context for global tasks such as tree orientation and tree construction. We present and illustrate a new concept of Byzantine containment in stabilization. Our property, called Strong Stabilization, makes it possible to contain the impact of Byzantine nodes if they actually perform too many Byzantine actions. We derive impossibility results for strong stabilization and present strongly stabilizing protocols for tree orientation and tree construction that are optimal with respect to the number of Byzantine nodes that can be tolerated in a self-stabilizing context.

Index Terms—Byzantine fault, distributed algorithm, fault tolerance, stabilization, spanning tree construction.

1 INTRODUCTION

The advent of ubiquitous large-scale distributed systems advocates that tolerance to various kinds of faults and hazards must be included from the very early design of such systems. Self-stabilization , ,  is a versatile technique that permits forward recovery from any kind of transient faults, while Byzantine Fault-tolerance  is traditionally used to mask the effect of a limited number of malicious faults. Making distributed systems tolerant to both transient and malicious faults is appealing yet proved difficult , ,  as impossibility results are expected in many cases.

Two main paths have been followed to study the impact of Byzantine faults in the context of self-stabilization. The first one is Byzantine fault masking. In completely connected synchronous systems, one of the most studied problems in the context of self-stabilization with Byzantine faults is that of clock synchronization. In , , probabilistic self-stabilizing protocols were proposed for up to one third of Byzantine processors, while in ,  deterministic solutions tolerate up to one fourth and one third of Byzantine processors, respectively. The second one is Byzantine containment. For local tasks (i.e., tasks whose correctness can be checked locally, such as vertex coloring, link coloring, or dining philosophers), the notion of strict stabilization was proposed , , . Strict stabilization guarantees that there exists a containment radius outside which the effect of permanent faults is masked. In , the authors show that this Byzantine containment scheme is possible only for local tasks. As many problems are not local, it turns out that it is impossible to provide strict stabilization for those.

Our contribution. In this paper, we investigate the possibility of Byzantine containment in a self-stabilizing setting for tasks that are global (i.e., for which there exists a causality chain of size r, where r depends on n the size of the network), and focus on two global problems, namely tree orientation and tree construction. As strict stabilization is impossible with such global tasks, we weaken the containment constraint by limiting the number of times that correct processes can be disturbed by Byzantine ones. Recall that strict stabilization requires that processes beyond the containment radius eventually achieve their desired behavior and are never disturbed by Byzantine processes afterward. We relax this requirement in the following sense: we allow these correct processes beyond the containment radius to be disturbed by Byzantine processes, but only a limited number of times, even if Byzantine nodes take an infinite number of actions.

The main contribution of this paper is to present new possibility results for containing the influence of unbounded Byzantine behaviors. In more detail, we define the notion of strong stabilization as the novel form of the containment and introduce disruption times to quantify the quality of the containment. The notion of strong stabilization is weaker than the strict stabilization but is stronger than the classical notion of self-stabilization (i.e., every strongly stabilizing protocol is self-stabilizing, but not necessarily strictly stabilizing). While strict stabilization aims at tolerating an unbounded number of Byzantine processes, we explicitly refer to the number of Byzantine processes to be tolerated. A self-stabilizing protocol is $(t, c, f)$-strongly stabilizing if the subsystem consisting of processes more than c hops away from any Byzantine process is disturbed at most t times in a distributed system with at most f Byzantine processes. Here, c denotes the containment radius and t denotes the disruption time.

S. Dubois is with the UPMC Sorbonne Universite and INRIA, LIP6, Bureau 26-00/113, Campus Jussieu, 4 place Jussieu, 75252 Paris cedex 05, France. E-mail: email@example.com.
T. Masuzawa is with the Osaka University, 1-5 Yamadaoka, Suita, Osaka 565-0871, Japan. E-mail: firstname.lastname@example.org.
S. Tixeuil is with the UPMC Sorbonne Universite and Institut Universitaire de France (IUF), LIP6, Bureau 26-00/113, Campus Jussieu, 4 place Jussieu, 75252 Paris cedex 05, France. E-mail: email@example.com.

Manuscript received 5 May 2010; revised 24 Nov. 2010; accepted 25 Feb. 2011; published online 25 May 2011.
Recommended for acceptance by M. Yamashita.
For information on obtaining reprints of this article, please send e-mail to: firstname.lastname@example.org, and reference IEEECS Log Number TPDS-2010-05-0275.
Digital Object Identifier no. 10.1109/TPDS.2011.158.
1045-9219/12/$31.00 © 2012 IEEE. Published by the IEEE Computer Society
To demonstrate the possibility and effectiveness of our notion of strong stabilization, we consider tree construction and tree orientation. It is shown in  that there exists no strictly stabilizing protocol with a constant containment radius for these problems. The impossibility result can be extended even when the number of Byzantine processes is upper bounded (by one). In this paper, we provide a $(f\Delta^d, 0, f)$-strongly stabilizing protocol for rooted tree construction, provided that correct processes remain connected, where n (respectively, f) is the number of processes (respectively, Byzantine processes) and d is the diameter of the subsystem consisting of all correct processes. The containment radius of 0 is obviously optimal. We show that the problem of tree orientation has no constant bound for the containment radius in a tree with two Byzantine processes even when we allow processes beyond the containment radius to be disturbed a finite number of times. Then, we consider the case of a single Byzantine process and present a $(\Delta, 0, 1)$-strongly stabilizing protocol for tree orientation, where $\Delta$ is the maximum degree of processes. The containment radius of 0 is also optimal. Notice that each process does not need to know the number f of Byzantine processes and that f can be $n - 1$ at the worst case. In other words, the algorithm is adaptive in the sense that the disruption times depend on the actual number of Byzantine processes. Both algorithms are also optimal with respect to the number of tolerated Byzantine nodes.

Due to space limitations, this paper contains only the formal definition of strong stabilization and a short presentation of results related to tree construction. The interested reader could find in the associated supplementary file, which can be found on the Computer Society Digital Library at http://doi.ieeecomputersociety.org/10.1109/TPDS.2011.158, 1) a discussion on relationship between strong stabilization and pseudo stabilization (Section 1), 2) complete proofs and time complexities of the tree construction (Section 2), and 3) the complete study of tree orientation (Section 3).

2 PRELIMINARIES

2.1 Distributed System

A distributed system $S = (P, L)$ consists of a set $P = \{v_1, v_2, \ldots, v_n\}$ of processes and a set L of bidirectional communication links (simply called links). A link is an unordered pair of distinct processes. A distributed system S can be regarded as a graph whose vertex set is P and whose link set is L, so we use graph terminology to describe a distributed system S.

Processes u and v are called neighbors if $(u, v) \in L$. The set of neighbors of a process v is denoted by $N_v$, and its cardinality (the degree of v) is denoted by $\Delta_v$ $(= |N_v|)$. The degree $\Delta$ of a distributed system $S = (P, L)$ is defined as $\Delta = \max\{\Delta_v \mid v \in P\}$. We do not assume existence of a unique identifier for each process (that is, the system is anonymous). Instead, we assume each process can distinguish its neighbors from each other by locally arranging them in some arbitrary order: the kth neighbor of a process v is denoted by $N_v(k)$ $(1 \le k \le \Delta_v)$.

Processes can communicate with their neighbors through link registers. For each pair of neighboring processes u and v, there are two link registers $r_{u,v}$ and $r_{v,u}$. Message transmission from u to v is realized as follows: u writes a message to link register $r_{u,v}$ and then v reads it from $r_{u,v}$. The link register $r_{u,v}$ is called an output register of u and is called an input register of v. The set of all output (respectively, input) registers of u is denoted by $Out_u$ (respectively, $In_u$), i.e., $Out_u = \{r_{u,v} \mid v \in N_u\}$ and $In_u = \{r_{v,u} \mid v \in N_u\}$.

The variables that are maintained by processes denote process states. Similarly, the values of the variables stored in each link register denote the state of the registers. A process may take actions during the execution of the system. An action is simply a function that is executed in an atomic manner by the process. The actions executed by each process are described by a finite set of guarded actions of the form $\langle guard \rangle \rightarrow \langle statement \rangle$. Each guard of process u is a Boolean expression involving the variables of u and its input registers. Each statement of process u is an update of its state and its output/input registers.

A global state of a distributed system is called a configuration and is specified by a product of states of all processes and all link registers. We define C to be the set of all possible configurations of a distributed system S. For a process set $R \subseteq P$ and two configurations and 0 , we denote R ↦ 0 when changes to 0 by executing an action of each process in R simultaneously. Notice that and 0 can be different only in the states of processes in R and the states of their output registers. For completeness of execution semantics, we should clarify the configuration resulting from simultaneous actions of neighboring processes. The action of a process depends only on its state at and the states of its input registers at , and the result of the action reflects on the states of the process and its output registers at 0 .

A schedule of a distributed system is an infinite sequence of process sets. Let $Q = R^1, R^2, \ldots$ be a schedule, where $R^i \subseteq P$ holds for each i $(i \ge 1)$. An infinite sequence of configurations e = 0 , 1 , . . . is called an execution from an initial configuration 0 by a schedule Q, if e satisfies $R^i$ i−1 ↦ i for each i $(i \ge 1)$. Process actions are executed atomically, and we also assume that a distributed daemon schedules the actions of processes, i.e., any subset of processes can simultaneously execute their actions.

The set of all possible executions from 0 ∈ C is denoted by E0 . The set of all possible executions is denoted by E, that is, E = ⋃ ∈C E . We consider asynchronous distributed systems where we can make no assumption on schedules except that any schedule is weakly fair: every process is contained in an infinite number of subsets appearing in any schedule.

In this paper, we consider (permanent) Byzantine faults: a Byzantine process (i.e., a Byzantine-faulty process) can make arbitrary behavior independently from its actions. If v is a Byzantine process, v can repeatedly change its variables and its output registers arbitrarily.

In asynchronous distributed systems, time is usually measured by asynchronous rounds (simply called rounds). Let e = 0 , 1 , . . . be an execution by a schedule $Q = R^1, R^2, \ldots$ The first round of e is defined to be the minimum prefix of e, e′ = 0 , 1 , . . . , k , such that $\bigcup_{i=1}^{k} R^i = P'$ where $P'$ is the set of correct processes of P. Round t $(t \ge 2)$ is defined recursively, by applying the above definition of the first
round to e″ = k , k+1 , . . . Intuitively, every correct process has a chance to update its state in every round.

2.2 Self-Stabilizing Protocol Resilient to Byzantine Faults

Problems considered in this paper are so-called static problems, i.e., they require the system to find static solutions. For example, the spanning-tree construction problem is a static problem, while the mutual exclusion problem is not. Some static problems can be defined by a specification predicate (shortly, specification), $spec(v)$, for each process v: a configuration is a desired one (with a solution) if every process satisfies $spec(v)$. A specification $spec(v)$ is a Boolean expression on variables of $P_v$ $(\subseteq P)$ where $P_v$ is the set of processes whose variables appear in $spec(v)$. The variables appearing in the specification are called output variables (shortly, O-variables). In what follows, we consider a static problem defined by specification $spec(v)$.

A self-stabilizing protocol is a protocol that eventually reaches a legitimate configuration, where $spec(v)$ holds at every process v, regardless of the initial configuration. Once it reaches a legitimate configuration, every process v never changes its O-variables and always satisfies $spec(v)$. From this definition, a self-stabilizing protocol is expected to tolerate any number and any type of transient faults since it can eventually recover from any configuration affected by the transient faults. However, the recovery from any configuration is guaranteed only when every process correctly executes its action from the configuration, i.e., we do not consider existence of permanently faulty processes.

When (permanent) Byzantine processes exist, Byzantine processes may not satisfy $spec(v)$. In addition, correct processes near the Byzantine processes can be influenced and may be unable to satisfy $spec(v)$. Nesterenko and Arora  define a strictly stabilizing protocol as a self-stabilizing protocol resilient to unbounded number of Byzantine processes.

Given an integer c, a c-correct process is a process defined as follows:

Definition 1 (c-correct process). A process is c-correct if it is correct (i.e., not Byzantine) and located at distance more than c from any Byzantine process.

Definition 2 ((c,f)-containment). A configuration is $(c, f)$-contained for specification spec if, given at most f Byzantine processes, in any execution starting from , every c-correct process v always satisfies spec(v) and never changes its O-variables.

The parameter c of Definition 2 refers to the containment radius defined in . The parameter f refers explicitly to the number of Byzantine processes, while  dealt with unbounded number of Byzantine faults (that is, $f \in \{0 \ldots n\}$).

Definition 3 ((c,f)-strict stabilization). A protocol is $(c, f)$-strictly stabilizing for specification spec if, given at most f Byzantine processes, any execution e = 0 , 1 , . . . contains a configuration i , that is, $(c, f)$-contained for spec.

An important limitation of the model of  is the notion of r-restrictive specifications. Intuitively, a specification is r-restrictive if it prevents combinations of states that belong to two processes u and v that are at least r hops away. An important consequence related to Byzantine tolerance is that the containment radius of protocols solving those specifications is at least r. For some problems, such as the spanning tree construction we consider in this paper, r cannot be bounded to a constant. We can show that there exists no $(o(n), 1)$-strictly stabilizing protocol for the spanning tree construction.

To circumvent the impossibility result, we define a weaker notion than the strict stabilization. Here, the requirement to the containment radius is relaxed, i.e., there may exist processes outside the containment radius that invalidate the specification predicate, due to Byzantine actions. However, the impact of Byzantine triggered action is limited in times: the set of Byzantine processes may only impact the subsystem consisting of processes outside the containment radius a bounded number of times, even if Byzantine processes execute an infinite number of actions.

From the states of c-correct processes, c-legitimate configurations and c-stable configurations are defined as follows:

Definition 4 (c-legitimate configuration). A configuration is c-legitimate for spec if every c-correct process v satisfies spec(v).

Definition 5 (c-stable configuration). A configuration is c-stable if every c-correct process never changes the values of its O-variables as long as Byzantine processes make no action.

Roughly speaking, the aim of self-stabilization is to guarantee that a distributed system eventually reaches a c-legitimate and c-stable configuration. However, a self-stabilizing system can be disturbed by Byzantine processes after reaching a c-legitimate and c-stable configuration. The c-disruption represents the period where c-correct processes are disturbed by Byzantine processes and is defined as follows:

Definition 6 (c-disruption). A portion of execution e = 0 , 1 , . . . , t (t 1) is a c-disruption if and only if the following holds:

1. e is finite,
2. e contains at least one action of a c-correct process for changing the value of an O-variable,
3. 0 is c-legitimate for spec and c-stable, and
4. t is the first configuration after 0 such that t is c-legitimate for spec and c-stable.

Now, we can define a self-stabilizing protocol such that Byzantine processes may only impact the subsystem consisting of processes outside the containment radius a bounded number of times, even if Byzantine processes execute an infinite number of actions.

Definition 7 ((t,k,c,f)-time contained configuration). A configuration 0 is $(t, k, c, f)$-time contained for spec if given at most f Byzantine processes, the following properties are satisfied:

1. 0 is c-legitimate for spec and c-stable,
2. every execution starting from 0 contains a c-legitimate configuration for spec after which the values of all the O-variables of c-correct processes
remain unchanged (even when Byzantine processes make actions repeatedly and forever),
3. every execution starting from 0 contains at most t c-disruptions, and
4. every execution starting from 0 contains at most k actions of changing the values of O-variables for each c-correct process.

Definition 8 ((t,c,f)-strongly stabilizing protocol). A protocol A is $(t, c, f)$-strongly stabilizing if and only if starting from any arbitrary configuration, every execution involving at most f Byzantine processes contains a $(t, k, c, f)$-time contained configuration that is reached after at most l rounds. Parameters l and k are, respectively, the $(t, c, f)$-stabilization time and the $(t, c, f)$-process-disruption time of A.

Note that a $(t, k, c, f)$-time contained configuration is a $(c, f)$-contained configuration when $t = k = 0$, and thus, $(t, k, c, f)$-time contained configuration is a generalization (relaxation) of a $(c, f)$-contained configuration. Thus, a strongly stabilizing protocol is weaker than a strictly stabilizing one (as processes outside the containment radius may take incorrect actions due to Byzantine influence). However, a strongly stabilizing protocol is stronger than a classical self-stabilizing one (that may never meet their specification in the presence of Byzantine processes).

The parameters t, k, and c are introduced to quantify the strength of fault containment; we do not require each process to know the values of the parameters. Actually, the protocols proposed in this paper assume no knowledge on the parameters.

3 STRONGLY-STABILIZING SPANNING TREE CONSTRUCTION

3.1 Problem Definition

In this section, we consider only distributed systems in which a given process r is distinguished as the root of the tree.

For spanning tree construction, each process v has an O-variable $prnt_v$ to designate a neighbor as its parent. Since processes have no identifiers, $prnt_v$ actually stores k $(\in \{1, 2, \ldots, \Delta_v\})$ to designate its kth neighbor as its parent. No neighbor is designated as the parent of v when $prnt_v = 0$ holds. For simplicity, we use $prnt_v = k$ $(\in \{1, 2, \ldots, \Delta_v\})$ and $prnt_v = u$ (where u is the kth neighbor of $v \in N_v(k)$) interchangeably, and $prnt_v = 0$ and $prnt_v = \bot$ interchangeably.

The goal of spanning tree construction is to set $prnt_v$ of every process v to form a rooted spanning tree, where $prnt_r = 0$ should hold for the root process r.

We consider Byzantine processes that can behave arbitrarily. The faulty processes can behave as if they were any internal processes of the spanning tree, or even as if they were the root processes. The first restriction we make on Byzantine processes is that we assume the root process r can start from an arbitrary state, but behaves correctly according to a protocol. Another restriction on Byzantine processes is that we assume that all the correct processes form a connected subsystem; Byzantine processes never partition the system.

Fig. 1. A legitimate configuration for spanning tree construction (numbers denote the level of processes). r is the (real) root and b is a Byzantine process which acts as a (fake) root.

It is impossible, for example, to distinguish the (real) root r from the faulty processes behaving as the root, we have to allow that a spanning forest (consisting of multiple trees) is constructed, where each tree is rooted with a root, correct or faulty one.

We define the specification predicate $spec(v)$ of the tree construction as follows: $spec(v)$ is the predicate $(prnt_v = 0) \land (level_v = 0)$ if v is the root r and $(prnt_v \in \{1, \ldots, \Delta_v\}) \land ((level_v = level_{prnt_v} + 1) \lor (prnt_v \text{ is Byzantine}))$ otherwise. Notice that $spec(v)$ requires that a spanning tree is constructed at any 0-legitimate configuration, when no Byzantine process exists.

Fig. 1 shows an example of 0-legitimate configuration with Byzantine processes. The arrow attached to each process points to the neighbor designated as its parent.

3.2 Protocol ss-ST

In many self-stabilizing tree construction protocols (see the survey of ), each process checks locally the consistency of its level variable with respect to the one of its neighbors. When it detects an inconsistency, it changes its prnt variable in order to choose a "better" neighbor. The notion of "better" neighbor is based on the global desired property on the tree (e.g., shortest path tree, minimum spanning tree...).

When the system may contain Byzantine processes, they may disturb their neighbors by providing alternatively "better" and "worse" states. The key idea of protocol ss-ST to circumvent this kind of perturbation is the following: when a correct process detects a local inconsistency, it does not choose a "better" neighbor but it chooses another neighbor according to a round robin order (along the set of its neighbors).

Fig. 2 presents our strongly stabilizing spanning tree construction protocol ss-ST that can tolerate any number of Byzantine processes other than the root process (providing that the subset of correct processes remains connected). These assumptions are necessary since a Byzantine root or a set of Byzantine processes that disconnects the set of correct processes may disturb all the tree infinitely often. Then, it is impossible to provide a $(t, k, f)$-strongly stabilizing protocol for any finite integer t.

The protocol is composed of three rules. Only the root can execute the first one (GA0). This rule sets the root in a legitimate state if it is not the case. Nonroot processes may execute the two other rules (GA1 and GA2). The rule GA1
is executed when the state of a process is not legitimate. Its execution leads the process to choose a new parent and to compute its local state in function of this new parent. The last rule (GA2) is enabled when a process is in a legitimate state but there exists an inconsistency between its variables and its shared registers. The execution of this rule leads the process to compute the consistent values for all its shared registers.

Fig. 2. Protocol ss-ST (actions of process v).

3.3 Proof of Strong Stabilization of ss-ST

In this section, we provide a sketch of the proof of the strong stabilization of ss-ST.

We cannot make any assumption on the initial values of register variables. But, we can observe that if an output register of a correct process has inconsistent values with the process variables, then this process is enabled by a rule of ss-ST. By fairness assumption, any such process takes a step in a finite time.

Once a correct process v executes one of its actions, variables of its output registers have values consistent with the process variables: $r\text{-}prnt_{v,prnt_v} = true$, $r\text{-}prnt_{v,w} = false$ $(w \in N_v - \{prnt_v\})$, and $r\text{-}level_{v,w} = level_v$ $(w \in N_v)$ hold.

Consequently, we can assume in the following that all the variables of output registers of every correct process have consistent values with the process variables.

We denote by LC the following set of configurations:

$$LC = \{\ \in C \mid (prnt_r = 0) \land (level_r = 0) \land (\forall v \in V - (B \cup \{r\}),\ (prnt_v \in \{1, \ldots, \Delta_v\}) \land (level_v = level_{prnt_v} + 1))\}.$$

We are now interested in properties of configurations of LC. We can observe that any configuration of LC is 0-legitimate and that any correct process is not enabled in such a configuration. We can deduce

Lemma 1. Any configuration of LC is 0-legitimate and 0-stable.

We can observe that there exist some 0-legitimate configurations which do not belong to LC (for example, the one of Fig. 2).

To prove the convergence of ss-ST to LC starting from any configuration, we prove that any execution reaches a configuration in which every correct process is disabled. We show that the root r executes its rule at most once. Then, any of its correct neighbors v executes its rule at most $\Delta_v$ times before pointing to r. After that, v is never enabled. By repeating the reasoning, we obtain

Lemma 2. Given at most $n - 1$ Byzantine processes, for any initial configuration 0 and any execution e = 0 , 1 , . . . starting from 0 , there exists a configuration i such that i ∈ LC.

It remains to prove that any execution starting from an arbitrary configuration of LC contains only a finite number of 0-disruptions. First, we prove by induction on the distance between the root and a correct process v in the subgraph of correct processes that v executes its action at most $\Delta$ times. We say that a Byzantine process b deceives a correct neighbor v in the step ↦ 0 if the state of b makes the guard of an action of v true in and if v executes this action in this step. As a 0-disruption can be caused only by an action of a Byzantine process from a legitimate configuration, we can bound the number of 0-disruptions by counting the total number of times that correct processes are deceived by neighboring Byzantine processes. If a 0-correct v is deceived by a Byzantine neighbor b, it takes
necessarily $\Delta_v$ actions before being deceived again by b (recall that we use a round-robin policy for $prnt_v$). As any 0-correct process v takes at most $\Delta^d$ actions in any execution, v can be deceived by a given Byzantine neighbor at most $\Delta^{d-1}$ times. A Byzantine process can have at most $\Delta$ neighboring correct processes and thus can deceive correct processes at most $\Delta \times \Delta^{d-1} = \Delta^d$ times. We have at most f Byzantine processes, so the total number of times that correct processes are deceived by neighboring Byzantine processes is $f\Delta^d$. Hence, the number of 0-disruptions in e is bounded by $f\Delta^d$. Now, assume by contradiction that there exists an infinite 0-disruption d = i , . . . in e. This implies that for all $j \ge i$, j is not in LC, which contradicts Lemma 2. Then, we can state

Lemma 3. Any configuration in LC is a $(f\Delta^d, \Delta^d, 0, f)$-time contained configuration of the spanning tree construction, where f is the number of Byzantine processes and d is the diameter of the subsystem consisting of all the correct processes.

Hence, the following theorem.

Theorem 1 (Strong-stabilization). Protocol ss-ST is a $(f\Delta^d, 0, f)$-strong stabilizing protocol for the spanning tree construction, where f is the number of Byzantine processes and d is the diameter of the subsystem consisting of all the correct processes.

4 CONCLUDING REMARKS

We introduced the notion of strong stabilization, a property that permits self-stabilizing protocols to contain Byzantine behaviors for tasks where strict stabilization is impossible. In strong stabilization, only the first Byzantine actions that are performed by a Byzantine process may disturb the system. If the Byzantine node does not execute Byzantine actions, but only correct actions, its existence remains unnoticed by the correct processes. So, by behaving properly, the Byzantine node may have the system disturbed arbitrarily far in the execution. By contrast, if the Byzantine node executes many Byzantine actions at the beginning of the execution, there exists a time after which those Byzantine actions have no impact on the system. As a result, the faster an attacker spends its Byzantine actions, the faster the system becomes resilient to subsequent Byzantine actions. An interesting trade-off appears: the more actually Byzantine actions are performed, the faster the stabilization of our protocols is (since the number of steps performed by correct processes in response to Byzantine disruption is independent from the number of Byzantine actions). Our work raises several important open questions.

First, is there a trade-off between the number of perturbations Byzantine nodes can cause and the containment radius? In this paper, we strove to obtain optimal containment radius in strong stabilization, but it is likely that some problems do not allow strong stabilization with containment radius 0. It is then important to characterize the difference in containment radius when the task to be solved is "harder" than, e.g., tree construction.

Second, is there a trade-off between the total number of perturbations Byzantine nodes can cause and the number of Byzantine nodes, that is, is a single Byzantine node more effective to harm the system than a team of Byzantine nodes, considering the same total number of Byzantine actions? A first step in this direction was recently taken by Yamauchi et al. , where Byzantine actions are assumed to be upper bounded, for the (global) problem of leader election. Their result hints that only Byzantine actions are relevant, independently of the number of processes that perform them. It is, thus, interesting to see if the result still holds in the case of potentially infinite number of Byzantine actions.

ACKNOWLEDGMENTS

A preliminary version of this work appears in the proceedings of the Eighth International Symposium on Stabilization, Safety, and Security of Distributed Systems (SSS '06), see . This work is supported in part by ANR projects SHAMAN, ALADDIN and SPADES and by Global Centers of Excellence (COE) Program of MEXT and Grant-in-Aid for Scientific Research (B)22300009 of JSPS.

REFERENCES

M. Ben-Or, D. Dolev, and E.N. Hoch, "Fast Self-Stabilizing Byzantine Tolerant Digital Clock Synchronization," Proc. ACM Symp. Principles of Distributed Computing (PODC '08), pp. 385-394, 2008.
A. Daliot and D. Dolev, "Self-Stabilization of Byzantine Protocols," Proc. Seventh Symp. Self-Stabilizing Systems (SSS '05), pp. 48-67, 2005.
E.W. Dijkstra, "Self-Stabilizing Systems in Spite of Distributed Control," Comm. ACM, vol. 17, no. 11, pp. 643-644, 1974.
D. Dolev and E.N. Hoch, "On Self-Stabilizing Synchronous Actions despite Byzantine Attacks," Proc. Int'l Symp. Distributed Computing (DISC '07), pp. 193-207, 2007.
S. Dolev, Self-Stabilization. MIT Press, 2000.
S. Dolev and J.L. Welch, "Self-Stabilizing Clock Synchronization in the Presence of Byzantine Faults," J. ACM, vol. 51, no. 5, pp. 780-799, 2004.
F.C. Gärtner, "A Survey of Self-Stabilizing Spanning-Tree Construction Algorithms," Technical Report ic/2003/38, EPFL, 2003.
E.N. Hoch, D. Dolev, and A. Daliot, "Self-Stabilizing Byzantine Digital Clock Synchronization," Proc. Int'l Conf. Stabilization, Safety, and Security of Distributed Systems (SSS '06), pp. 350-362, 2006.
L. Lamport, R.E. Shostak, and M.C. Pease, "The Byzantine Generals Problem," ACM Trans. Programming Languages and Systems, vol. 4, no. 3, pp. 382-401, 1982.
T. Masuzawa and S. Tixeuil, "Bounding the Impact of Unbounded Attacks in Stabilization," Proc. Int'l Conf. Stabilization, Safety, and Security of Distributed Systems (SSS '06), pp. 440-453, 2006.
T. Masuzawa and S. Tixeuil, "Stabilizing Link-Coloration of Arbitrary Networks with Unbounded Byzantine Faults," Int'l J. Principles and Applications of Information Science and Technology, vol. 1, no. 1, pp. 1-13, 2007.
M. Nesterenko and A. Arora, "Tolerance to Unbounded Byzantine Faults," Proc. IEEE Symp. Reliable Distributed Systems (SRDS '02), pp. 22-29, 2002.
Y. Sakurai, F. Ooshita, and T. Masuzawa, "A Self-Stabilizing Link-Coloring Protocol Resilient to Byzantine Faults in Tree Networks," Proc. Int'l Conf. Principles of Distributed Systems (OPODIS '04), pp. 283-298, 2005.
S. Tixeuil, "Self-Stabilizing Algorithms," Algorithms and Theory of Computation Handbook, second ed., pp. 26.1-26.45, Chapman & Hall/CRC Applied Algorithms and Data Structures, 2009.
Y. Yamauchi, T. Masuzawa, and D. Bein, "Adaptive Containment of Time-Bounded Byzantine Faults," Proc. Int'l Conf. Stabilization, Safety, and Security of Distributed Systems (SSS '10), pp. 126-140, 2010.
Swan Dubois is currently working toward the PhD degree in computer science at the University Pierre and Marie Curie, Paris 6 and at the INRIA, France. His research interests are fault tolerance in distributed systems (especially self-stabilization) and graph theory.

Toshimitsu Masuzawa received the BE, ME and DE degrees in computer science from Osaka University in 1982, 1984, and 1987. He had worked at Osaka University during 1987-1994, and was an associate professor of Graduate School of Information Science, Nara Institute of Science and Technology (NAIST) during 1994-2000. He is now a professor of Graduate School of Information Science and Technology, Osaka University. He was also a visiting associate professor of Department of Computer Science, Cornell University, between 1993-1994. His research interests include distributed algorithms, parallel algorithms and graph theory. He is a member of the ACM, the IEEE, IEICE, and IPSJ.

Sébastien Tixeuil received the PhD degree from University of Paris Sud-XI in 2000. He is a full professor at the University Pierre and Marie Curie, Paris 6, France and Institut Universitaire de France, where he leads the NPA research group. His research interests include fault and attack tolerance in dynamic networks and systems.