Presentation shown for the final discussion of my Master's Degree in Engineering in Computer Science.
It summarizes the achievements of my thesis: how to ensure reliable communication on distributed, loosely connected systems in the presence of mobile attackers.
Reliable Broadcast on Multihop Networks in presence of Mobile Byzantine attackers
1. Faculty of Information Engineering, Informatics and Statistics
Master's Degree Programme in Computer Science
Reliable Broadcast on Multihop Networks in presence of Mobile Byzantine attackers
2. The IT landscape is changing
Cloud Apps
3. Applications are transforming
~2000:
• Monolithic
• Slow changing
• Big servers
Today:
• Loosely coupled services
• Many small servers and devices
4. Mobile adversaries in loosely connected networks
The real world is a multihop network of microservices and apps.
Our daily life depends on the correct behavior of these networks.
8. Mobile adversaries in loosely connected networks
Problem: How to ensure that an authentic message sent by a server is correctly delivered by every other component of the network, even in the presence of component failures?
10. Related works
Round-based models
• Garay’s model
• Buhrman’s model
• Bonnet’s model
• Sasaki’s model
Round-free models
• Bonomi et al. model
Byzantine-tolerant Reliable Broadcast protocols
• Assuming f Byzantines
o Sparse networks (trigger protocol, Maurer et al.)
o Dense networks (Disjoint path protocol, Lamport)
• Assuming f locally-bounded Byzantines
o CPA family of algorithms
The problem has never been solved on multihop networks with mobile adversaries!
The real world is composed of multihop networks!
11. My contribution
1. Extension of Mobile Byzantine attacker models to multihop networks
2. Design of a protocol to cope with Mobile Byzantine attackers
3. Correctness proofs for the protocol
4. Study on the topological requirements of the protocol
12. System model
• Synchronous computational model
• Mobile Byzantine Failure adversary model
• Reliable communication only between directly linked processes
13. Problem definition
Reliable Broadcast problem
• Safety: Non-faulty processes never deliver a malicious message
• Reliability: Every non-faulty process eventually delivers the authentic message
14. Trigger protocol (Maurer et al.)*
It deals with static Byzantine failures on multihop networks.
The protocol is based on the following operations:
• Reception of a message;
• Transmission of a valid trigger message to the neighbors;
• Decision (delivery of a message).
Types of messages: standard messages and trigger messages.
Memory structures required: the set Trig and the set Wait.
* Maurer and Tixeuil, On Byzantine Broadcast in Loosely Connected Networks, HAL
18. Garay’s model
[Figure: timeline of processes pi and pj across round i and round i+1; each round is divided into phases labelled S, R, C]
24. Critical issues
• Switching from the BF to the MBF model
• Making the cured processes active
25. Improvements within the protocol
New memory structures required: Tail FIFO list
Main correct state operations / Main cured state operations:
• Reporting
• Maintenance
• Removal
• Initial decision
• Final decision
26. Improvements within the protocol (animation)
[Figure: Reporting, Initial decision, Removal and Final decision shown over rounds R, R+1 and R+2; labels: "Signal of a cured process", "Initially decided process"]
[Figure: Maintenance shown over rounds R, R+1 and R+2; label: "Initially decided process"]
33. Results
Given the following parameters:
• distance between the attackers (D)
• period of movement for the attackers (Δ)
• maximum movement length (H)
• distance for valid triggers (h)
The constraints required to provide the Safety property are:
• Δ ≥ R
• D ≥ 4
• H = 1
• h = 2
The constraints required to provide the Reliability property are:
• Δ ≥ 2R
• D ≥ 5
• H = 1
• h = 2
These constraints are the same as those obtained when dealing with static Byzantine adversaries!
34. Correctness proofs
Theorem (Reliability): If h = 2, D ≥ 5, H = 1 and Δ ≥ 2R, then all non-faulty processes of the network eventually deliver the authentic message.
Theorem (Reliability impossibility with D = 4): If D = 4 and the trigger parameter of the protocol is h = 2, then some non-faulty process may never deliver the authentic message.
Theorem (Safety impossibility with D = 3): If D = 3 and the trigger parameter of the protocol is h = 2, then some correct process may deliver a malicious message.
Theorem (Safety): If h = 2, D ≥ 4, H = 1 and Δ ≥ R, then no correct process delivers a malicious message.
35. Topological requirements
Network requirement: k-connected planar networks (k ≥ 4), composed of triangles and squares
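
The Results and Correctness proofs slides state Safety and Reliability in terms of D, H, h and Δ. The following is an added example, not code from the presentation or the thesis: it measures D and H for an attacker schedule and evaluates both sets of constraints. It assumes D is the hop distance between attackers and that a schedule in which no attacker moves more than one hop meets H = 1; the grid, the schedule format and all function names are hypothetical.

```python
from collections import deque
from itertools import combinations

def grid(w, h):
    """Constructed sample topology: a w x h grid of squares, nodes are (x, y)."""
    adj = {(x, y): [] for x in range(w) for y in range(h)}
    for (x, y) in adj:
        for n in ((x + 1, y), (x, y + 1)):
            if n in adj:
                adj[(x, y)].append(n)
                adj[n].append((x, y))
    return adj

def hops(adj, src):
    """Breadth-first hop distances from src to every reachable node."""
    dist = {src: 0}
    queue = deque([src])
    while queue:
        u = queue.popleft()
        for v in adj[u]:
            if v not in dist:
                dist[v] = dist[u] + 1
                queue.append(v)
    return dist

def measure(adj, schedule):
    """schedule[t][i] is the node occupied by attacker i in movement period t.
    Returns (D, H): the smallest attacker-to-attacker distance observed and
    the longest single move made by any attacker."""
    D, H = float("inf"), 0
    for t, placement in enumerate(schedule):
        for a, b in combinations(placement, 2):
            D = min(D, hops(adj, a)[b])
        if t > 0:
            for prev, cur in zip(schedule[t - 1], placement):
                H = max(H, hops(adj, prev)[cur])
    return D, H

def preconditions(adj, schedule, delta, r, h=2):
    """Evaluate the slide's constraints; delta and r are the slide's Δ and R."""
    D, H = measure(adj, schedule)
    return {
        "D": D,
        "H": H,
        "safety": h == 2 and D >= 4 and H <= 1 and delta >= r,
        "reliability": h == 2 and D >= 5 and H <= 1 and delta >= 2 * r,
    }
```

A schedule in which two attackers close to distance 4 still satisfies the Safety constraints but not the Reliability ones, matching the D = 4 impossibility theorem.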