1 TRUST Spring Conference, April 2-3, 2008. Write Markers for Probabilistic Quorum Systems. Michael Merideth, Carnegie Mellon University; Michael Reiter, University of North Carolina

2 4/3/08 Michael Merideth. Replication via Quorum Systems: Replicated data – Server becomes n replicas. (Figure: Server, Clients)

3 Replication via Quorum Systems: Replicated data – Server becomes n replicas. Clients issue read and write operations – Involve quorums (subsets) of replicas. High availability – Yet, no writes lost, forged, or corrupted. (Figure: Replicas, Clients)

4 Types of Servers (in Examples): bowling ball, ice cream, fish, any value; non-faulty, faulty

5 Types of Clients (in Examples): non-faulty, faulty

6 Write Operation: Client wants to write “ice cream” to system

7 Write Operation: Client submits write to write quorum

8 Write Operation Complete: Positive responses from quorum means write complete

9 Write Operation Complete

10 Read Operation: Client queries read quorum for values

11 Read Operation: Determines read value based on votes (responses) from entire quorum (Chooses “ice cream”)

12 Write Markers Concept: Write marker: additional data (written with value) that identifies write quorum – Verified by clients during read. Improves properties of probabilistic quorum systems – Tolerate more faults and use smaller quorums

13 Outline: Strict, Byzantine quorum systems; Probabilistic, Byzantine quorum systems; Benefits of write markers; Idea for implementation

14 Byzantine Quorum System [Malkhi & Reiter 98]: Byzantine (arbitrary) faults – Faulty nodes may lie – Faulty clients and servers may collude. b faulty servers – Identity of faulty nodes unknown by non-faulty nodes

15 Write Operation: Write quorum may contain faulty servers

16 Write Operation Complete

17 Read Operation: Faulty servers may fabricate value

18 Stale Values: Stale (logically older) values are detectable

19 Conflicting Values: Faulty servers may also fabricate conflicting (logically concurrent) values – E.g., same timestamp. Here “fish” conflicts with “ice cream” – But ice cream has more votes

20 More Conflicting Values: Non-faulty servers may also return conflicting values. For example, in single-round write protocols – Such protocols are desirable for efficiency – Client may (perhaps unknowingly) submit a write that is conflicting

21 Conflicting Write: Same as normal write

22 Conflicting Write Incomplete: Accepted by non-faulty servers that have not accepted (conflicting) value. Write does not complete

23 Which Value is Correct? “Ice cream” was complete – … therefore is correct. “Fish” was incomplete – … therefore should be ignored. But ice cream and fish get equal votes. Client uncertain

24 Conflicting Values: Problematic. Must outvote conflicting replicas. Thus, many potentially conflicting replicas implies ability to tolerate (relatively) few faults

25 Impact of Conflicting Replicas (columns: Quorum, Conflict, Faults, Protocols). Opaque: < n/5 (least), e.g., Q/U. Masking: < n/4, e.g., Fleet, PASIS. Dissemination: < n/3 (most), e.g., BFT, HQ

26 Choice of Quorums Important: Choices of read quorum and both write quorums led to problem – Other choices lead to correct answer

27 Choice of Quorums Important: Choices of read quorum and both write quorums led to problem – Other choices lead to correct answer

28 Idea: Select Quorums at Random. In fact, correct answer in expectation (in this example) – If quorums chosen uniformly at random (an access strategy)

29 Probabilistic Quorum Systems [Malkhi, Reiter, Wool, Wright 01]: Weakening intersection property to hold only with high probability – Provides better availability – Tolerates more faults. Bounds error probability – Probability that quorums chosen according to access strategy yield incorrect (or uncertain) result

30 Probabilistic Opaque Quorum Systems [Merideth & Reiter 07]: Generalize access strategy – Quorums chosen from access sets – Access sets are chosen according to access strategy. Tolerate Byzantine clients for all probabilistic quorum systems – Enforce access strategy

31 Probabilistic Quorum Systems: Reduce number of conflicting values in expectation – Therefore, tolerate more faults (with some bounded probability of error). Table (columns: Conflicting; Faults: Strict, Prob.). Opaque: strict < n/5 (fewest), prob. < n/3.15. Masking: strict < n/4, prob. < n/2.62. Dissemination: strict < n/3, prob. < n (most)

32 Reduce conflicting replicas further? Yes (for probabilistic masking and opaque quorum systems) – Write markers

33 Write Markers: Recall, – Write operations write values – Read operations poll replicas for values. Write marker – Additional data (written with value) that identifies the write quorum (or access set) that was used – Client accepts vote (during read) only if replica was part of write quorum (or access set)

34 Write Operations with Write Markers: Create write marker for quorum

35 Write Operation Complete

36 Conflicting Write with Write Markers: Same as normal write

37 Conflicting Write Incomplete: Accepted by non-faulty servers that have not accepted (conflicting) value

38 Which Value is Correct? “Ice cream” was complete – … therefore is correct. “Fish” was incomplete – … therefore should be ignored

39 Which Value is Correct? Faulty client can only vote for “triangle”. Faulty client cannot vote for “star”

40 Benefit of Write Markers: Faulty servers cannot vote for conflicting value unless they are part of write. Due to probabilistic access strategy, faulty server not always part of write. Thus, fewer conflicting servers to outvote in expectation

41 Benefits of Write Markers: Tolerate more faults. Table (columns: Conflicting; Faults: Strict, Prob., Write-markers). Opaque: strict < n/5 (fewest), prob. < n/3.15, write-markers < n/2.62. Masking: strict < n/4, prob. < n/2.62, write-markers < n/2. Dissemination: strict < n/3, prob. < n (most), write-markers < n (most)

42 Benefits of Write Markers: Tolerate more faults. Use smaller quorums – See paper

43 Example with Benign Clients: For writes: clients choose access sets uniformly at random – Then encode and, e.g., digitally sign their choices (i.e., create a write marker). For reads: clients verify write marker
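
The read-side check from slides 33 to 40 and the benign-client marker from slide 43, as an added example that is not part of the presentation or the authors' code. It assumes an HMAC tag in place of the digital signature; the replica ids, quorums and the function names make_marker, marker_ok and count_votes are constructed for illustration. It goes slightly beyond the slides by also showing a tampered marker being rejected.

```python
import hashlib
import hmac

# Assumption: one HMAC key stands in for the writer's digital signature key.
# A real deployment needs a public-key signature so servers cannot forge tags.
KEY = b"constructed-demo-key"

def _tag(value, ts, members):
    msg = repr((value, ts, members)).encode()
    return hmac.new(KEY, msg, hashlib.sha256).hexdigest()

def make_marker(value, ts, access_set):
    """Write marker: binds (value, timestamp) to the access set it was written to."""
    members = tuple(sorted(access_set))
    return {"value": value, "ts": ts, "set": members, "tag": _tag(value, ts, members)}

def marker_ok(marker, replica_id):
    """Reader check: tag verifies AND the voting replica is named in the marker."""
    expected = _tag(marker["value"], marker["ts"], tuple(marker["set"]))
    return hmac.compare_digest(expected, marker["tag"]) and replica_id in marker["set"]

def count_votes(responses, use_markers):
    """Tally votes per (timestamp, value), optionally dropping unverifiable votes."""
    votes = {}
    for replica_id, marker in responses:
        if use_markers and not marker_ok(marker, replica_id):
            continue
        key = (marker["ts"], marker["value"])
        votes[key] = votes.get(key, 0) + 1
    return votes

def demo():
    # Constructed scenario: replicas 0-9, of which 8 and 9 are faulty.
    ice = make_marker("ice cream", 1, {0, 1, 2, 3, 4})   # completed write
    fish = make_marker("fish", 1, {3, 4, 5, 6, 7})       # conflicting, incomplete
    # 3 and 4 already hold "ice cream" and reject "fish"; 5, 6 and 7 accept it.
    forged = dict(fish, set=fish["set"] + (9,))          # 9 adds itself, tag now stale
    responses = [(2, ice), (3, ice), (4, ice), (5, fish), (6, fish),
                 (8, fish),      # faulty 8 replays the genuine marker
                 (9, forged)]    # faulty 9 presents the tampered marker
    return count_votes(responses, False), count_votes(responses, True)

if __name__ == "__main__":
    print(demo())
```

Without the marker check the two faulty replicas push "fish" past "ice cream"; with it, only replicas named in each marker are counted and the completed write wins.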

44 Write Markers with Byzantine Clients: Faulty clients: – Cannot be trusted to follow access strategy – May intentionally choose quorums that maximize conflicting values. Constrain clients [Merideth & Reiter 07] – Even faulty clients follow access strategy – Avoids additional communication on critical path – Choice is verified by servers as (pseudo) random. Treat choice as write marker – Modify protocol so that clients also verify choice

45 Protocol Intuition: Servers provide pseudorandom sequence of access sets per client – Threshold signature from servers

46 Protocol Intuition: Servers provide pseudorandom sequence of access sets per client – Threshold signature from servers. For each operation, client locally chooses next access set in sequence; servers verify choice

47 Protocol Intuition: Servers provide pseudorandom sequence of access sets per client – Threshold signature from servers. For each operation, client locally chooses next access set in sequence; servers verify choice

48 Misuse by Faulty Client: What if faulty client: – Skips ahead to “better” access set? – Waits to perform operation until advantageous? In either case, access set no longer random

49 Defending Against Misuse: Exponential increase in cost to use later access sets – Client puzzle (requires solution). Correct value propagates in background [cf. Malkhi et al. 03]. Sequence becomes invalid as system progresses – Must obtain new sequence
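
A sketch of the idea on slides 45 to 49, added here as an example and not taken from the presentation or the paper's protocol: a per-client pseudorandom sequence of access sets that servers can re-derive and check, with a hash puzzle whose cost grows exponentially in the number of sets skipped. Assumptions: the string seed stands for the value the servers would issue under a threshold signature, the hash-based expansion, BITS_PER_SKIP and the rule that earlier indices are rejected are all hypothetical, and size must not exceed n.

```python
import hashlib

BITS_PER_SKIP = 4  # assumed puzzle growth: each skipped set costs 16x more work

def _h(*parts):
    data = "|".join(str(p) for p in parts).encode()
    return int.from_bytes(hashlib.sha256(data).digest(), "big")

def access_set(seed, client, index, n, size):
    """Expand (seed, client, index) into `size` distinct replica ids out of n."""
    chosen, counter = set(), 0
    while len(chosen) < size:
        chosen.add(_h(seed, client, index, counter) % n)
        counter += 1
    return tuple(sorted(chosen))

def puzzle_ok(seed, client, index, nonce, bits):
    """True if the hash has `bits` leading zero bits (0 bits always passes)."""
    return _h(seed, client, index, "puzzle", nonce) >> (256 - bits) == 0

def solve(seed, client, index, bits):
    """Brute-force the smallest nonce; expected work is 2**bits hashes."""
    nonce = 0
    while not puzzle_ok(seed, client, index, nonce, bits):
        nonce += 1
    return nonce

def server_verify(seed, client, next_index, claim, n, size):
    """Check a client's (index, members, nonce) claim before serving it."""
    index, members, nonce = claim
    skip = index - next_index
    if skip < 0:
        return False          # assumed rule: earlier sets are no longer valid
    if tuple(members) != access_set(seed, client, index, n, size):
        return False          # not the pseudorandom set for this index
    return puzzle_ok(seed, client, index, nonce, BITS_PER_SKIP * skip)

def make_claim(seed, client, next_index, index, n, size):
    """Client side: derive the set and pay the puzzle for any skipped indices."""
    bits = BITS_PER_SKIP * max(index - next_index, 0)
    return (index, access_set(seed, client, index, n, size),
            solve(seed, client, index, bits))
```

A client that takes the next set in sequence pays nothing, while one that skips three sets ahead must find a 12-bit solution first; the (access set, solution) pair is what slide 50 proposes returning to readers as the write marker.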

50 Write Markers Mechanism: Use client puzzle – Servers already verify solution. Have clients verify as well – Treat solution and access set as write marker – Return during read operations. Provides mechanism for write markers

51 Conclusion: Write markers provide benefits for probabilistic quorum systems – Reduce number of faulty servers that can vote for conflicting value in expectation – Increase number of faults that can be tolerated. Opaque: up to n/2.62 (probabilistic: n/3.15; strict: n/5). Masking: up to n/2 (probabilistic: n/2.62; strict: n/4) – Allow for smaller quorums in some cases. For more information: – Write Markers for Probabilistic Quorum Systems. Michael G. Merideth and Michael K. Reiter. CMU Technical Report: CMU-ISR-08-110

52 Questions?
