Ken Birman, Cornell University. CS5410 Fall 2008 - PowerPoint PPT Presentation



  1. Ken Birman, Cornell University. CS5410 Fall 2008.

  2. Background for today
  • Consider a system like Astrolabe. Node p announces:
    • I've computed the aggregates for the set of leaf nodes to which I belong
    • It turns out that under the rules, I'm one regional contact to use, and my friend node q is the second contact
    • Nobody in our region has seen any signs of intrusion attempts.
  • Should we trust any of this?
  • Similar issues arise in many kinds of P2P and gossip-based systems

  3. What could go wrong?
  • Nodes p and q could be compromised
  • Perhaps they are lying about values other leaf nodes reported to them…
  • … and they could also have miscomputed the aggregates
  • … and they could have deliberately ignored values that they were sent, but felt were "inconvenient" ("oops, I thought that r had failed…")
  • Indeed, could assemble a "fake" snapshot of the region using a mixture of old and new values, and then compute a completely correct aggregate using this distorted and inaccurate raw data

  4. Astrolabe can't tell
  • … Even if we wanted to check, we have no easy way to fix Astrolabe to tolerate such attacks
  • We could assume a public key infrastructure and have nodes sign values, but doing so only secures raw data
    • Doesn't address the issue of who is up, who is down, or whether p was using correct, current data
    • And even if p says "the mean was 6.7" and signs this, how can we know if the computation was correct?
  • Points to a basic security weakness in P2P settings

  5. Today's topic
  • We are given a system that uses a P2P or gossip protocol and does something important. Ask: Is there a way to strengthen it so that it will tolerate attackers (and tolerate faults, too)?
  • Ideally, we want our solution to also be a symmetric, P2P or gossip solution
  • We certainly don't want it to cost a fortune
    • For example, in Astrolabe, one could imagine sending raw data instead of aggregates: yes, this would work… but it would be far too costly and in fact would "break the gossip model"
  • And it needs to scale well
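The point of slides 3 to 5, as an added example that is not part of the lecture: leaf nodes sign their raw values and the regional contact p signs its aggregate, yet a verifier holding only p's signed mean cannot tell that p quietly dropped r's report ("I thought r had failed"); only the costly alternative of shipping every signed raw value and recomputing exposes the distortion. Per-node HMAC keys are a constructed stand-in for the public-key infrastructure the slide assumes, and all node names and values are constructed.

```python
import hashlib
import hmac
import json
from statistics import mean

# Constructed stand-in for a PKI: per-node HMAC keys. Real nodes would hold
# private keys and verifiers would check against their public keys.
KEYS = {n: hashlib.sha256(f"key-of-{n}".encode()).digest() for n in "pqrst"}

def sign(node, payload):
    msg = json.dumps(payload, sort_keys=True).encode()
    return hmac.new(KEYS[node], msg, hashlib.sha256).hexdigest()

def verify(node, payload, sig):
    return hmac.compare_digest(sign(node, payload), sig)

def leaf_report(node, value):
    payload = {"node": node, "value": value}
    return payload, sign(node, payload)

def aggregate(aggregator, reports, ignore=()):
    """Regional contact computes the mean over the reports it chooses to use;
    `ignore` models dropping 'inconvenient' inputs ('oops, r had failed')."""
    used = [p["value"] for p, _ in reports if p["node"] not in ignore]
    payload = {"aggregator": aggregator, "mean": mean(used), "count": len(used)}
    return payload, sign(aggregator, payload)

def check_signature_only(agg, sig):
    # All a verifier can do with a signed aggregate: confirm p really said it.
    return verify(agg["aggregator"], agg, sig)

def check_with_raw_data(agg, sig, reports):
    # The costly alternative from slide 5: ship every signed raw value,
    # verify each one, then recompute the aggregate and compare.
    if not verify(agg["aggregator"], agg, sig):
        return False
    if not all(verify(p["node"], p, s) for p, s in reports):
        return False
    values = [p["value"] for p, _ in reports]
    return agg["count"] == len(values) and agg["mean"] == mean(values)

def demo():
    reports = [leaf_report(n, v) for n, v in [("q", 6.1), ("r", 9.0), ("s", 6.0), ("t", 6.0)]]
    honest, hsig = aggregate("p", reports)
    distorted, dsig = aggregate("p", reports, ignore={"r"})
    return {"honest_mean": honest["mean"], "distorted_mean": distorted["mean"],
            "sig_only_accepts_distorted": check_signature_only(distorted, dsig),
            "raw_check_accepts_distorted": check_with_raw_data(distorted, dsig, reports),
            "raw_check_accepts_honest": check_with_raw_data(honest, hsig, reports)}
```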

  6. … leading to
  • Concept of a Sybil attack
  • Broadly:
    • Attacker has finite resources
    • Uses a technical trick to amplify them into a huge (virtual) army of zombies
    • These join the P2P system and then subvert it

  7. Who was Sybil?
  • Actual woman with a psychiatric problem
    • Termed "multiple personality disorder"
    • Unclear how real this is
  • Sybil Attack: using small number of machines to mimic much larger set

  8. Relevance to us?
  • Early IPTPS paper suggested that P2P and gossip systems are particularly fragile in face of Sybil attacks
  • Researchers found that if one machine mimics many (successfully), the attackers can isolate healthy ones
    • Particularly serious if a machine has a way to pick its own hashed ID (as occurs in systems where one node inserts itself multiple times into a DHT)
  • Having isolated healthy nodes, can create a "virtual" environment in which we manipulate outcome of queries and other actions

  9. Real world scenarios
  • Recording Industry of America (RIA) rumored to have used Sybil attacks to disrupt illegal file sharing
  • So-called "Internet Honeypots" lure virus, worms, other malware (like insects to a pot of honey)
  • Organizations like the NSA might use Sybil approach to evade onion-routing and other information hiding methods

  10. Elements of a Sybil attack
  • In a traditional attack, the intruder takes over some machines, perhaps by gaining root privileges
  • Once on board, intruder can access files and other data managed by the P2P system, maybe even modify them
  • Hence the node runs correct protocol but is controlled by the attacker
  • In a Sybil attack, the intruder has similar goals, but seeks a numerical advantage.

  11. Chord scenario
  [figure: Chord ring with nodes N5, N10, N20, N32, N60, N80, N99 and N110; Lookup(K19) is forwarded around the ring toward the node responsible for K19]
  Once search reaches a compromised node, attacker can "hijack" it

  12. Challenge is numerical…
  • In most P2P settings, there are LOTS of healthy clients
  • Attack won't work unless the attacker has a huge number of machines at his disposal
  • Even a rich attacker is unlikely to have so much money
  • Solution?
  • Attacker amplifies his finite number of attack nodes by clever use of a kind of VMM

  13. VMM technology
  • Virtual machine technology dates to IBM in 1970's
  • Idea then was to host a clone of an outmoded machine or operating system on a more modern one
  • Very popular… reduced costs of migration
  • Died back but then resurfaced during the OS wars between Unix-variants (Linux, FreeBSD, Mac-OS…) and the Windows platforms
    • Goal was to make Linux the obvious choice
    • Want Windows? Just run it in a VMM partition

  14. Example: IBM VM/370
  [figure: the control program CP runs on the real System/370 hardware and presents several virtual System/370 machines; each hosts a guest OS (MVS, DOS/VS, CMS, or a nested virtual CP that in turn hosts CMS guests), with user processes above the guest OSes]
  Adapted from Deitel, pp. 606–607

  15. VMM technology took off
  • Today VMWare is a huge company
  • Ironically, the actual VMM in widest use is Xen, from XenSource in Cambridge
    • Uses paravirtualization
  • Main application areas?
    • Some "Windows on Linux"
    • But migration of VMM images has been very popular
    • Leads big corporations to think of thin clients that talk to VMs hosted on cloud computing platforms
    • Term is "consolidation"

  16. Paravirtualization vs. Full Virtualization
  [figure: two x86 privilege-ring stacks. Full virtualization: user applications in Ring 3, guest OS in Ring 1, VMM with binary translation in Ring 0. Paravirtualization: Dom0 control plane and user apps in Ring 3, guest OS in Ring 1, Xen in Ring 0]

  17. VMMs and Sybil
  • If one machine can host multiple VM images… then we have an ideal technology for Sybil attacks
    • Use one powerful machine, or a rack of them
    • Amplify them to look like thousands or hundreds of thousands of machines
    • Each of those machines offers to join, say, eMule
  • Similar for honeypots
    • Our system tries to look like thousands of tempting, not very protected Internet nodes

  18. Research issues
  • If we plan to run huge numbers of instances of some OS on our VM, there will be a great deal of replication of pages
    • All are running identical code, configurations (or nearly identical)
  • Hence want VMM to have a smart memory manager that has just one copy of any given page
  • Research on this has yielded some reasonable solutions
    • Copy-on-write quite successful as a quick hack and by itself gives a dramatic level of scalability

  19. Other kinds of challenges
  • One issue relates to IP addresses
    • Traditionally, most organizations have just one or two primary IP domain addresses
    • For example, Cornell has two "homes" that function as NAT boxes. All our machines have the same IP prefix
  • This is an issue for the Sybil attacker
    • Systems like eMule have black lists
    • If they realize that one machine is compromised, it would be trivial to exclude others with the same prefix
  • But there may be a solution….

  20. Attacker is the "good guy"
  • In our examples, the attacker is doing something legal
  • And has a lot of money
  • Hence helping him is a legitimate line of business for ISPs
  • So ISPs might offer the attacker a way to purchase lots and lots of seemingly random IP addresses
    • They just tunnel the traffic to the attack site

  21. A very multi-homed Sybil attacker

  22. Implications?
  • Without "too much" expense, attacker is able to
    • Create a potentially huge number of attack points
    • Situate them all over the network (with a little help from AT&T or Verizon or some other widely diversified ISP)
    • Run whatever he would like on the nodes rather efficiently, gaining a 50x or even 100's x scale-up factor!
  • And this really works…
    • See, for example, the Honeypot work at UCSD
    • U. Michigan (Brian Ford, Peter Chen) another example
