
Mechanism Design and Computer Security John Mitchell Vanessa Teague Stanford University.


Presentation transcript:

1 Mechanism Design and Computer Security
John Mitchell, Vanessa Teague (Stanford University)

2 The Internet
Three kinds of behavior: blind obedience, rational self-interest, malicious disruption

3 Outline for this workshop talk
- Some network problems: congestion control, interdomain routing
- Algorithmic mechanism design: pricing function provides incentives
- Distributed mechanisms and security
  - Distributed implementation by rational agents
  - Prevent malicious acts by rational agents
  - Open problem: irrational malicious agents
- Warning: bait and switch

4 TCP/IP Transmission
- TCP guarantees packet delivery
  - Source packets have sequence numbers
  - Destination acknowledges
  - If a packet is lost, the source resends
(Figure: Source sending to Destination)

5 TCP Congestion Control
- If packets are lost, assume congestion
  - Reduce transmission rate by half, repeat
  - If loss stops, increase rate very slowly
- Design assumes routers blindly obey this policy
(Figure: Source sending to Destination)

6 Competition
- Amiable Alice yields to boisterous Bob
  - Alice and Bob both experience packet loss
  - Alice backs off
  - Bob disobeys the protocol, gets better results
(Figure: Source A and Source B sharing a path to one Destination)

7 What's the point?
- TCP/IP assumes honesty: if everyone follows the protocol, transmission rates adapt to load
- Incentive for dishonesty: dishonest TCP works better, as long as others follow standard TCP backoff
- Security risks: vulnerable to denial of service, IP spoofing, etc.

8 Goal: More robust networking
- Introduce economic incentives: routers administered autonomously
- Reward good behavior: prevent tragedy of the commons
- Include security measures
  - Economics => adaptive behavior
    - Better load balancing to increase welfare
  - Accounting => increased instrumentation
    - Detect, quarantine malicious behavior

9 Interdomain Routing
- Autonomous System (aka domain): connected group of one or more Internet Protocol prefixes under a single routing policy
(Figure labels: Interior Gateway Protocol, Exterior Gateway Protocol, Autonomous System)

10 Transit and Peering
- Transit: ISP sells access
- Peering: reciprocal connectivity
- BGP protocol: routing announcements for both
(Figure: peering and transit links between providers)

11 BGP overview
- Iterative path announcement
  - Path announcements grow from destination to source
  - Subject to policy (transit, peering)
  - Packets flow in the reverse direction
- Protocol specification
  - Announcements can be shortest path
  - Nodes allowed to use other policies
    - E.g., "cold-potato routing" by smaller peer
  - Not obligated to use the path you announce

12 BGP example [D. Wetherall]
- Transit: 2 provides transit for 7; 7 reaches and is reached via 2
- Peering: 4 and 5 peer, exchange customer traffic
(Figure: topology of ASes 1 through 8 with the AS paths each node announces)

13 Issues
- BGP convergence problems
  - Protocol allows policy flexibility
  - Some legal policies prevent convergence
  - Even shortest-path policy converges slowly
- Incentive for dishonesty: ISP pays for some routes, others are free
- Security problems: potential for disruptive attacks

14 Evidence: Asymmetric Routes
- Alice, Bob use cheapest routes to each other
- These are not always shortest paths
- Asymmetric routes are prevalent
  - AS asymmetry in 30% of measured routes
  - Finer-grained asymmetry far more prevalent
(Figure: Alice and Bob)

15 Mechanism Design
- Charge for goods
  - Assume agents have rational self-interest
  - Provide incentives via pricing function
- Traditional use
  - Maximize social welfare
  - Make honesty the best policy (revelation principle)
- Network applications
  - Maximize throughput, resilience to attack
  - Fake money as good as real money

16 Grand Plan
(Figure: grid of applications against stages. Applications: multicast distribution, inter-domain routing, congestion control. Stages: pricing function, distributed mechanism, rational agents, irrational agents, goal.)

17 Multicast cost sharing
- Distribute some good
- Each node has some utility for the good
- Each link has some cost
- Which nodes get the transmission?
(Figure: tree of nodes joined by links)

18 Multicast solutions
- Centralized scheme [FPS]: pricing algorithm that elicits true utility
- Controlled distributed scheme [FPS]
  - Works for tamper-resistant nodes
  - Problems if nodes are dishonest
- Autonomous distributed scheme
  - Use signatures to verify data
  - Verifying node must not share incentive to cheat

19 Traditional Goals
- Efficient
  - Maximize overall welfare
  - Welfare = total utility of agents that get the good minus total network costs for links used
- Strategyproof
  - Agent cannot gain by lying about its utility
- May not maximize profit for sender

20 FPS Network Assumptions
- Nodes and agents
  - Each node has a trusted router
  - Router connected to untrusted agents
- Transmission costs
  - Link cost known to the two nodes at each end
- Simplification: will assume one agent per node

21 Centralized Scheme
- Data collection: agent reports utility to central authority
- Computation: compute welfare of each subtree
- Routing decision: transmit good to subtree if welfare >= 0

22 Welfare of Subtree
- Welfare of a subtree T_i with cost c_i:
  W_i = u_i - c_i                                      if node i is a leaf
  W_i = u_i - c_i + Σ_{k child of i} max(W_k, 0)       otherwise
- Welfare is aggregate benefit minus cost

23 Example: Maximum welfare
(Figure: tree with root utility 3, cost 2; children with utility 2, cost 4 and utility 1, cost 3; the latter has a child with utility 7, cost 1.)
- Welfare 2 - 4 = -2
- Welfare 7 - 1 = 6
- Welfare 1 - 3 + 6 = 4
- Welfare 3 - 2 + 0 + 4 = 5
- If welfare is secret, how do we determine the outcome?

24 How much should a node pay?
- Announced utility? Agent may gain by lying
  - A leaf with utility 5 and cost 2 will announce utility 2, since this is enough to get the good
  - Similar incentive for internal nodes

25 FPS Pricing Mechanism
- If agent does not receive the good: agent pays nothing
- If agent receives the good: agent pays the minimum bid needed to get the transmission, given the other players' bids
- This is a VCG mechanism

26 Example: price calculations
(Figure: same tree as slide 23.)
- Welfare 2 - 4 = -2
- Welfare 7 - 1 = 6
- Welfare 1 - 3 + 6 = 4
- Welfare 3 - 2 + 0 + 4 = 5
- Root agent pays 0; the utility-7 agent pays 3

27 Strategyproof and Efficient
- Efficient (max welfare) by construction
  - Add omitted subtree -> decrease welfare
  - Remove routed subtree -> decrease welfare
  - This argument assumes agents tell the truth
- Agent can bid true utility
  - Payment is independent of bid, given outcome
  - Bid more than utility: doesn't help, or pay too much
  - Bid less than utility: doesn't help, or don't get the transmission

28 Tell truth if you buy the good
(Figure: bid axis marked with the true utility u and the minimum bid needed to get the transmission; below the minimum you don't get a good you want ("Don't get transmission"), at or above it you do ("Get transmission").)

29 Tell truth if you don't buy the good
(Figure: bid axis marked with the true utility u and the minimum bid needed to get the transmission; bidding above the minimum moves you into "Get transmission" and you pay more than u.)

30 Profit for content distributor?
- What's the worst-case return?
  - Marginal-cost pricing does not guarantee profit
  - May lose money, fail to capture utility
(Figure: root with utility 0 behind a link of cost 100; two children, each with utility 100 and link cost 0.)
- Welfare 100 - 0 = 100 (each child)
- Welfare 0 - 100 + 100 + 100 = 100 (root)
- Every agent pays 0

31 Distributed implementation
(Figure: same tree as slide 23. Subtree welfares: 3 - 2 + 4 = 5 (root), 2 - 4 = -2, 1 - 3 + 6 = 4, 7 - 1 = 6. W_min values passed down: 5 at the root, 4 below it; the welfare -2 subtree gets "No transmission".)
1) Send welfare up the tree
2) Send min welfare W_min down the tree
3) Compute payment = utility - W_min
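The three steps of slides 21 to 31 in running form, as an added Python example rather than the authors' code: welfare goes up the tree, W_min comes down, and each served agent pays utility minus W_min, clipped at zero because a bid is never negative. The node names and helper functions are assumptions of this example; the two trees are the ones on slides 23 and 30.

```python
from dataclasses import dataclass, field
from typing import Dict, List

# Added example: FPS marginal-cost pricing over the slide-23 and slide-30 trees.
@dataclass
class Node:
    name: str
    utility: int                 # u_i: the agent's reported utility for the good
    cost: int                    # c_i: cost of the link into node i
    children: List["Node"] = field(default_factory=list)
    welfare: int = 0             # W_i, filled in by welfare_up

def welfare_up(node: Node) -> int:
    """Step 1 (slide 22): W_i = u_i - c_i + sum over children k of max(W_k, 0)."""
    node.welfare = node.utility - node.cost
    for child in node.children:
        node.welfare += max(welfare_up(child), 0)
    return node.welfare

def wmin_down(node: Node, parent_wmin: int, payments: Dict[str, int]) -> None:
    """Steps 2 and 3: a subtree with W < 0 gets no transmission and pays nothing;
    otherwise W_min is the smallest W on the path from the root and the agent
    pays u_i - W_min, clipped at zero (the minimum bid that still wins the good)."""
    if node.welfare < 0:
        return
    wmin = min(parent_wmin, node.welfare)
    payments[node.name] = max(0, node.utility - wmin)
    for child in node.children:
        wmin_down(child, wmin, payments)

def fps_prices(root: Node) -> Dict[str, int]:
    """Return {agent: payment} for every agent that receives the good."""
    welfare_up(root)
    payments: Dict[str, int] = {}
    wmin_down(root, root.welfare, payments)
    return payments

def served_link_cost(root: Node) -> int:
    """Total cost of the links actually used; compare with the sum of payments."""
    welfare_up(root)
    def used(n: Node) -> int:
        return 0 if n.welfare < 0 else n.cost + sum(used(c) for c in n.children)
    return used(root)

def slide_23_tree(d_bid: int = 7) -> Node:
    """Slide 23 tree; d_bid lets the utility-7 leaf misreport its utility."""
    return Node("root", 3, 2, [Node("b", 2, 4), Node("c", 1, 3, [Node("d", d_bid, 1)])])

def slide_30_tree() -> Node:
    """Slide 30: root utility 0 behind a cost-100 link, two children with utility 100."""
    return Node("dist", 0, 100, [Node("a", 100, 0), Node("b", 100, 0)])
```

Bidding 4 instead of 7 at leaf d leaves its payment at 3, and bidding 2 prunes its subtree, which is the strategyproofness argument of slide 27 made concrete.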

32 Autonomous distributed model
- Agents control nodes
  - They can use different utilities for different messages
  - An agent with children can lie about the children's utilities
  - There is nothing to force an agent to pay the correct amount

33 Node can cheat its children
(Figure: source -> parent (utility 2, cost 3) -> child (utility 7, cost 5), shown once truthfully and once with the cheat.)
- The truth: child welfare 7 - 5 = 2; parent welfare 2 - 3 + 2 = 1; W_min = 1. Parent pays 1, child pays 6
- The cheat: parent passes W_min = 0 down instead of 1. Parent pays 0, child pays 7. Child can't see that parent doesn't pay

34 More ways to cheat
- Second example: node can cheat but all messages look consistent
- Conclusion: need to use payment and messages to detect cheating

35 Second Example: truthful computation
(Figure: source -> node 1 (utility 2, cost 2) -> nodes 2 and 3 (each utility 1, cost 1).)
- Welfare of node 2 and of node 3: 1 - 1 = 0; W_min = 0
- Welfare of node 1: 2 - 2 + 0 + 0 = 0; W_min = 0
- Pay: node 1 pays 2, nodes 2 and 3 pay 1 each

36 Example 2: deception
(Figure: same tree as slide 35, shown twice: what actually happens, and what agent 3 thinks.)
- Deception: agent 1 behaves as if utility = 4 until time to pay, then utility = 2
  - Agent 1 reports welfare 2 upward (as if 4 - 2 + 0 + 0 = 2), so W_min = 2 at every node
  - Pay: agent 1 pays 0, agents 2 and 3 pay 1 each
- What agent 3 thinks: agent 2 has utility 3, so its welfare is 3 - 1 = 2 and agent 1's welfare 2 - 2 + 0 + 2 = 2 is consistent with utility 2
  - Each child thinks the other has utility 3

37 Prevent cheating
- Assume public-key infrastructure: each node has a verifiable signature
- Augment messages
  - Sign data from FPS algorithm
  - Parent returns signed W to child
- Nodes send payment + proof: proof is signed data showing payment is calculated correctly
- Two improvements yet to come

38 Node j sends payment and proof
(Figure: node j with parent p and children d1, d2. d1 sends Sign(d1, W_d1) and d2 sends Sign(d2, W_d2) up to j; j sends Sign(j, W_j) up to p; p returns Sign(p, W_min) and Sign(p, W_j); j sends Sign(j, W_min) down to d1 and d2. New data, used in j's proof, is marked.)
- Agent j pays P_j = U_j - min(W_min, W_j), where U_j = c_j + W_j - (W_d1 + W_d2)
- Calculation of P_j is verifiable from messages signed by p, d1, d2

39 Node j sends payment and proof
- Lemma: if parent p and children d1, ..., dk are honest, then node j cannot improve its own welfare by not sending correct values
- Proof idea
  - If node does not send a correct proof, we punish j => node sends correct W_j
  - Node j cannot gain by sending incorrect data down the tree, since these do not change P_j

40 Shortcomings
- Proof checked by central authority
- Node can be mischievous
  - Node cannot increase own welfare by sending bad values down the tree
  - But node can make life worse for others
    - W_min too low => nodes below pay too much
    - W_min too high => they pay too little, distributor loses

41 Randomized checking
- Nodes pay and save proof
- Randomly select node to audit
  - If node has correct proof, OK
  - If node cannot show proof, punish
    - Fine node, or prohibit from further transmission (route around bad node)
  - Make punishment high enough so expected benefit of cheating is negative
- Reduce traffic, same outcome
- Bombay bus fine...

42 Prevent Mischief
- Receive signed confirmation from child: Sign(d1, W_min)
- Confirmation is required as part of proof
(Figure: j sends Sign(j, W_min) to d1; d1 returns Sign(d1, W_min).)
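The payment-and-proof check of slides 38 to 42, as an added Python example rather than code from the talk: an auditor recomputes P_j from the signed W_min, W_j and child welfares, and requires each child's signed confirmation of the W_min it was handed. Signatures are modelled as HMACs under per-node keys held by the auditor, a stand-in for the PKI of slide 37; the keys, message layout and function names are constructed for this example, and the tree is the one from slide 33, where the truthful parent pays 1 and the cheat either claims 0 or tells the child W_min = 0.

```python
import hashlib
import hmac
from typing import Dict, List, Tuple

# Signatures are modelled as HMACs under per-node keys held by the auditor, a
# stand-in for the PKI assumed on slide 37. Keys and messages are constructed.
KEYS: Dict[str, bytes] = {"p": b"key-p", "j": b"key-j", "d1": b"key-d1"}
Signed = Tuple[str, str, int, str]  # (signer, label, value, tag)

def sign(signer: str, label: str, value: int) -> Signed:
    tag = hmac.new(KEYS[signer], f"{label}={value}".encode(), hashlib.sha256).hexdigest()
    return (signer, label, value, tag)

def verify(msg: Signed, signer: str, label: str) -> int:
    """Return the signed value; raise if signer, label or tag does not check out."""
    who, lab, value, tag = msg
    good = hmac.new(KEYS.get(who, b""), f"{lab}={value}".encode(), hashlib.sha256).hexdigest()
    if (who, lab) != (signer, label) or not hmac.compare_digest(tag, good):
        raise ValueError(f"bad or misattributed signature on {lab} from {who}")
    return value

def expected_payment(c_j: int, w_j: int, w_min: int, child_ws: List[int]) -> int:
    """Slide 38: U_j = c_j + W_j - sum of the children's W (a pruned child, W < 0,
    contributed 0 to W_j), then P_j = U_j - min(W_min, W_j), clipped at zero."""
    u_j = c_j + w_j - sum(max(w, 0) for w in child_ws)
    return max(0, u_j - min(w_min, w_j))

def audit(c_j: int, proof: dict, claimed: int) -> bool:
    """Auditor's check (slides 38, 41, 42): recompute j's payment from the signed
    messages and require each child's confirmation of the W_min j passed down."""
    w_min = verify(proof["wmin"], "p", "Wmin")          # Sign(p, W_min)
    w_j = verify(proof["wj_ack"], "p", "Wj")            # Sign(p, W_j): p's ack of j's W_j
    child_ws = [verify(s, d, "W") for d, s in proof["child_w"].items()]
    forwarded = [verify(s, d, "Wmin") for d, s in proof["child_confirm"].items()]
    if any(f != min(w_min, w_j) for f in forwarded):
        return False                                     # mischief: wrong W_min sent down
    return expected_payment(c_j, w_j, w_min, child_ws) == claimed

def slide_33_proof(wmin_sent_to_child: int) -> dict:
    """Slide 33 tree: j (utility 2, cost 3) under the source p, with child d1 (utility 7,
    cost 5, subtree welfare 2), so W_j = 2 - 3 + 2 = 1 and W_min = 1 at j."""
    return {"wmin": sign("p", "Wmin", 1), "wj_ack": sign("p", "Wj", 1),
            "child_w": {"d1": sign("d1", "W", 2)},
            "child_confirm": {"d1": sign("d1", "Wmin", wmin_sent_to_child)}}
```

A proof that fails this check is what triggers the punishment of slide 41; with real signatures the auditor would hold only public keys, which the HMAC stand-in cannot express.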

43 Status of Multicast Cost Sharing
- Pricing function provides incentive
- Distributed algorithm computes price
- Techniques to encourage compliance
  - Nodes save signed confirmation of messages
  - Randomized auditing incents compliance
    - Alternative: neighbors rewarded for turning in cheaters
  - Route around nodes that cause trouble

44 Grand Plan
(Figure: grid of applications against stages. Applications: multicast distribution, inter-domain routing, congestion control. Stages: pricing function, distributed mechanism, rational agents, irrational agents, goal.)

