Accountable Coordination and Control
Jeff Chase
Duke University Computer Science
Grand Challenges?
Distributed, adaptive infrastructure control
–Control systems for the electrical grid, traffic, etc.
Enterprise information systems / workflow
–Medicine [Wallach], e-science [Welsh]
–Commerce and finance: supply chain, brokering/trading
–Government
Control of systems we understand and “own”
–Internet control plane
–Network utilities / Grid
Still a Challenge…
Use IT and distributed systems technology to manage real-world systems better…or greener [Carla].
–Shared
–Federated
–Local autonomy: local sensors and local control; decentralized/delegated power and authority
–Global coordination
–It really matters when things go wrong: failure of the enterprise; sanctions and liability (legal, financial, political)
Some Worthy Challenges
Pervasive instrumentation / sensors
Dynamic, decentralized control/adaptation
Reliable and secure service from unreliable and insecure components
Autonomic, self-diagnosing, self-healing…
This talk: accountability is a fundamental requirement with a fundamental impact on the structure of these systems.
Incentives are Paramount
P2P: massive scale, anonymous participants, randomized dispersion of functions and roles. What have we learned?
–Complex systems are federated.
–Any federated system is a game: self-interested actors; local choices, emergent global behavior.
–Primacy of incentive/mechanism
–Recognize and reward faithfulness; punish disruptive, faulty, or anti-social behavior.
The Social Contract
Participants obtain benefits from membership in a collective or community.
–Well-structured communities are self-sustaining.
–Bottom-up growth and evolution / interconnection
Membership entails rights and obligations.
Negotiated roles rather than random assignment
Control networks and enterprises are at modest scale.
–Low churn
–Strong identity is possible.
Vulnerabilities and Defenses
Security: trust establishment, integrity of communications
–Extend the secure perimeter…if you have one.
–Authorization: useful for rights, but not obligations (it can grant what an actor may do, not enforce what it must do)
BFT: all actors are vulnerable to attack and subversion, which may manifest as a fault or as disruptive behavior.
–But BFT is not enough: tyranny of the majority; must deal with strategic/rational behavior [Alvisi, Dahlin]
Accountability issues: compliance with the contract, faithfulness to assigned roles, self-consistent behavior, correctness and effectiveness of action within the community.
Accountability
“What did he know and when did he know it.”
“There were failures at all levels of government.”
We must know who did what to whom, and when.
–Maintain a secure history of states and actions [Shrira]: non-repudiability of history.
–Prevent actors from misrepresenting the claims or actions of themselves or of other actors.
–Assign responsibility for failures, and prove it.
Auditing: “Trust but verify.”
Some Challenges
Transitive integrity in communication protocols
Recording and maintaining tamper-evident history
–How to prove the absence of actions?
Reasoning about action history and causality
Supplement protocols to permit peers to verify self-consistent behavior and faithfulness.
–Auditing or consistency checking by other actors against previous actions or states.
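The tamper-evident, non-repudiable history called for on the last two slides, as an added worked example (illustrative code written for this transcript, not code from the talk or from any system it cites). It assumes one actor keeps a hash-chained log in which every entry is signed with the actor's Ed25519 key, and periodically hands auditors a signed “head” committing to the current end of the log; the Entry and Head layouts and the sample valve records are all constructed for the example. An auditor can then detect a modified, reordered or deleted entry from the broken chain, prove that actions were withheld by comparing the log against the committed head (which is how this design answers “how to prove the absence of actions”), and, if the actor ever signs two different heads for the same sequence number, hold non-repudiable proof of self-inconsistent behavior.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
)

// Entry is one record of an actor's history (assumed layout for this example):
// it commits to its predecessor's hash and is signed by the actor, so the chain
// is tamper-evident and each record is non-repudiable.
type Entry struct {
	Seq     uint64
	Prev    [32]byte // hash of the previous entry (all zero for the first)
	Payload string   // the state or action being recorded
	Hash    [32]byte // sha256(seq || prev || payload)
	Sig     []byte   // Ed25519 signature over Hash by the actor
}

// Head is a signed commitment to the current end of the history, handed to
// auditors. It is what later lets an auditor prove that actions were withheld.
type Head struct {
	Seq  uint64
	Hash [32]byte
	Sig  []byte
}

type Actor struct {
	priv ed25519.PrivateKey
	Pub  ed25519.PublicKey
	Log  []Entry
}

func seqBytes(seq uint64) []byte {
	var b [8]byte
	binary.BigEndian.PutUint64(b[:], seq)
	return b[:]
}

func entryHash(seq uint64, prev [32]byte, payload string) [32]byte {
	h := sha256.New()
	h.Write(seqBytes(seq))
	h.Write(prev[:])
	h.Write([]byte(payload))
	var out [32]byte
	copy(out[:], h.Sum(nil))
	return out
}

func headMsg(seq uint64, h [32]byte) []byte { return append(seqBytes(seq), h[:]...) }

func NewActor() *Actor {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return &Actor{priv: priv, Pub: pub}
}

// Append records an action, linking it to the previous entry and signing it.
func (a *Actor) Append(payload string) {
	var prev [32]byte
	if n := len(a.Log); n > 0 {
		prev = a.Log[n-1].Hash
	}
	seq := uint64(len(a.Log))
	h := entryHash(seq, prev, payload)
	a.Log = append(a.Log, Entry{Seq: seq, Prev: prev, Payload: payload, Hash: h, Sig: ed25519.Sign(a.priv, h[:])})
}

// CommitHead signs the current end of the log for release to auditors.
func (a *Actor) CommitHead() Head {
	e := a.Log[len(a.Log)-1]
	return Head{Seq: e.Seq, Hash: e.Hash, Sig: ed25519.Sign(a.priv, headMsg(e.Seq, e.Hash))}
}

// Verify checks that log is a contiguous, correctly linked history signed by pub
// and that it ends exactly at the committed head. A modified, reordered or
// deleted entry breaks the chain; a log that stops short of the head is proof
// that the actor withheld actions from the auditor.
func Verify(pub ed25519.PublicKey, log []Entry, head Head) error {
	if !ed25519.Verify(pub, headMsg(head.Seq, head.Hash), head.Sig) {
		return errors.New("head signature invalid")
	}
	var prev [32]byte
	for i, e := range log {
		if e.Seq != uint64(i) || e.Prev != prev {
			return fmt.Errorf("chain broken at seq %d", e.Seq)
		}
		if entryHash(e.Seq, e.Prev, e.Payload) != e.Hash || !ed25519.Verify(pub, e.Hash[:], e.Sig) {
			return fmt.Errorf("entry %d was modified or is not signed by the actor", e.Seq)
		}
		prev = e.Hash
	}
	if uint64(len(log)) != head.Seq+1 || prev != head.Hash {
		return fmt.Errorf("log has %d entries but the actor committed to seq %d", len(log), head.Seq)
	}
	return nil
}

// ForkDetected reports whether the actor signed two different heads for the
// same sequence number: non-repudiable proof of self-inconsistent behavior.
func ForkDetected(pub ed25519.PublicKey, a, b Head) bool {
	return a.Seq == b.Seq && a.Hash != b.Hash &&
		ed25519.Verify(pub, headMsg(a.Seq, a.Hash), a.Sig) &&
		ed25519.Verify(pub, headMsg(b.Seq, b.Hash), b.Sig)
}

func main() {
	actor := NewActor()
	actor.Append("sensor=valve7 reading=42") // constructed sample records
	actor.Append("directive=close valve7")
	head := actor.CommitHead()
	fmt.Println("honest log:", Verify(actor.Pub, actor.Log, head))
	tampered := append([]Entry(nil), actor.Log...)
	tampered[1].Payload = "directive=open valve7"
	fmt.Println("tampered entry:", Verify(actor.Pub, tampered, head))
	fmt.Println("withheld entry:", Verify(actor.Pub, actor.Log[:1], head))
}
```

The absence proof only works for auditors who hold a head at least as recent as the action in question: without a commitment to the end of the log, an actor can always truncate its history with nothing to contradict it. Heads therefore need to be published widely or gossiped among peers, which is the consistency checking by other actors that the slide asks for.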
Framing?
Negative security framing applies:
–Catch problems early and limit the damage.
–Learn from history; avoid repeating disasters.
Build distributed service infrastructures that promote safe cooperation/coordination.
–Overcome the fear that discourages coordination.
–Sustainable distributed systems
–Enable accountable institutions, e.g., assure data quality for distributed information sharing, such as the exchange of medical records or scientific data.
Problems/thoughts
Devise practical techniques that enable an actor to prove that a claim or action is justified by its certified inputs according to accepted rules.
–E.g., a router cannot advertise a path upstream unless it can show that the path is legitimate given the advertisements it received from its downstream neighbors.
Transitively unwind actions and beliefs resulting from claims and directives by an actor subsequently discovered to be faulty.
Are there common state representations and protocols that transfer to a wide range of services, i.e., toolkits to facilitate construction of accountable systems?
What is the role of non-repudiable messaging and accountability in systems that involve contractual arrangements?
What are the limits to services built without trust, relative to services that embody trust but whose behavior is audited to validate it against expected semantics?
How can we reconcile accountability with privacy?
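The router example on this slide, as an added worked example (illustrative code written for this transcript, not from the talk or from any routing protocol implementation). It assumes a simplified signed path-vector scheme, loosely in the spirit of secured BGP variants but not a real one: every AS on a path signs the prefix, the path as it stood when that AS forwarded the advertisement, and the neighbor it forwarded to, and a receiver accepts an advertisement only if every hop's signature checks against a directory of certified keys. The AS names, the prefix and the pubs key directory are constructed for the example. Forward refuses to extend a path the AS cannot justify from what it received, and the two failing cases show why: shortening a path by dropping a hop, or replaying an advertisement addressed to someone else, leaves a hop whose signature does not cover the claimed path and next hop.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"errors"
	"fmt"
	"strings"
)

// Advert is a path advertisement for Prefix. Path lists ASes from the origin
// to the most recent forwarder; Sigs[i] is Path[i]'s signature over the prefix,
// the path through Path[i], and the neighbor Path[i] sent it to.
// Assumed format for this example, not a real routing protocol.
type Advert struct {
	Prefix string
	Path   []string
	Sigs   [][]byte
}

type AS struct {
	Name string
	priv ed25519.PrivateKey
}

// pubs stands in for a directory of certified AS keys (constructed here).
var pubs = map[string]ed25519.PublicKey{}

func NewAS(name string) *AS {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	pubs[name] = pub
	return &AS{Name: name, priv: priv}
}

// hopMsg is what a hop attests to: prefix, path through itself, next hop.
func hopMsg(prefix string, path []string, next string) []byte {
	return []byte(prefix + "|" + strings.Join(path, ",") + "|" + next)
}

// Originate announces the AS's own prefix to neighbor next.
func (a *AS) Originate(prefix, next string) Advert {
	path := []string{a.Name}
	return Advert{Prefix: prefix, Path: path,
		Sigs: [][]byte{ed25519.Sign(a.priv, hopMsg(prefix, path, next))}}
}

// Forward extends an advertisement toward next, but only after checking that
// the incoming path is justified by its certified inputs: the AS will not sign
// a claim it cannot prove.
func (a *AS) Forward(in Advert, next string) (Advert, error) {
	if err := Verify(in, a.Name); err != nil {
		return Advert{}, fmt.Errorf("%s refuses to forward unjustified path: %w", a.Name, err)
	}
	path := append(append([]string(nil), in.Path...), a.Name)
	sigs := append(append([][]byte(nil), in.Sigs...), ed25519.Sign(a.priv, hopMsg(in.Prefix, path, next)))
	return Advert{Prefix: in.Prefix, Path: path, Sigs: sigs}, nil
}

// Verify checks, from receiver's point of view, that every hop signed the path
// as it stood at that hop and named the hop it was sent to. A failure names the
// exact AS whose claim is unsupported, so blame can be assigned and proved.
func Verify(adv Advert, receiver string) error {
	if len(adv.Path) == 0 || len(adv.Sigs) != len(adv.Path) {
		return errors.New("malformed advertisement")
	}
	for i, hop := range adv.Path {
		pub, ok := pubs[hop]
		if !ok {
			return fmt.Errorf("no certified key for AS %s", hop)
		}
		next := receiver
		if i+1 < len(adv.Path) {
			next = adv.Path[i+1]
		}
		if !ed25519.Verify(pub, hopMsg(adv.Prefix, adv.Path[:i+1], next), adv.Sigs[i]) {
			return fmt.Errorf("AS %s never authorized path %v toward %s", hop, adv.Path[:i+1], next)
		}
	}
	return nil
}

func main() {
	a, b, c := NewAS("A"), NewAS("B"), NewAS("C")
	NewAS("D")
	toB := a.Originate("10.0.0.0/8", "B") // constructed sample prefix
	toC, _ := b.Forward(toB, "C")
	toD, _ := c.Forward(toC, "D")
	fmt.Println("legitimate A,B,C at D:", Verify(toD, "D"))
	// C drops B to advertise a shorter path: A never signed [A] toward C.
	short := []string{"A", "C"}
	forged := Advert{Prefix: toB.Prefix, Path: short,
		Sigs: [][]byte{toB.Sigs[0], ed25519.Sign(c.priv, hopMsg(toB.Prefix, short, "D"))}}
	fmt.Println("forged A,C at D:", Verify(forged, "D"))
	// C replays B's advertisement (addressed to C) to D without adding itself.
	fmt.Println("replayed A,B at D:", Verify(toC, "D"))
}
```

Binding each signature to the next hop is what makes the proof transitive: an AS can show that its claim follows from certified inputs, and a receiver can unwind the chain to the exact hop that lied. It proves justification, not freshness or completeness: an AS can still withhold a better path it received, and withdrawn routes or revoked keys need the history and audit mechanisms of the earlier slides.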