ABSTRACT: Celeste is a robust peer-to-peer object store built on top of a distributed hash table (DHT). Celeste is a working system, developed by Sun Microsystems Laboratories. During the development of Celeste, we faced the challenge of complete object deletion, and moreover, of deleting “files” composed of several different objects. This important problem is not solved by merely deleting meta-data, as there are scenarios in which all file contents must be deleted, e.g., due to a court order. Complete file deletion in a realistic peer-to-peer storage system has not been previously dealt with due to the intricacy of the problem — the system may experience high churn rates, nodes may crash or have intermittent connectivity, and the overlay network may become partitioned at times. We present an algorithm that eventually deletes all file contents, data and meta-data, in the aforementioned complex scenarios. The algorithm is fully functional and has been successfully integrated into Celeste.
Full-text · Article · Jul 2009 · Proceedings of the IEEE Symposium on Reliable Distributed Systems
ABSTRACT: A common challenge in fully distributed storage systems is the management of access rights to stored files. PACISSO is an efficient and scalable solution for distributed access control, applicable to systems consisting entirely of untrusted nodes. We give both theoretical bounds on the cost of basic operations, and also include end-to-end measurements based on an implementation within a complete P2P object store named Celeste. All measurements revealed an efficient behavior which scales to very large numbers of users and objects. In more detail, our access control scheme requires only minimal trust in single peers. Write access control is carried out by a set of Gatekeeper nodes which act on behalf of the file owner, and assert authorization of write operations by a Byzantine-fault-tolerant protocol and a shared-signature scheme. While the same Gatekeepers assure read access to the latest written version through a new protocol, we adapt previous research on group key management to achieve scalable read access control. Our approach allows for re-constitution of the Gatekeepers at runtime, in effect making them self-organizing for changing object ownership, for establishing messaging services, and also for allowing users to determine the groups and objects to which they have access.
ABSTRACT: The research project KTI Da CaPo++ is based on the project Da CaPo (Dynamic Configuration of Protocols) at the ETH. The extended system of Da CaPo++ provides a basis for an application framework for, e.g., banking environments and tele-seminars. It includes the support of prototypical multimedia applications to be used on top of high-speed networks including dynamically configurable security and multicast aspects. This report is structured in two separate, but interconnected parts. Part I, the Architectural Design, presents in the beginning the set of ideas and their architectural design for various aspects. It dates from February 1996 and determines this status of the project. Within the following 44 pages many important issues are discussed. Part II, the Detailed Design, presents the detailed design goals achieved for the Da CaPo++ project. Its content determines the project status in July 1996 in the next 84 pages. The structure of both parts is identical and shown by two separate tables of contents. However, part II discusses many refinements of initially stated design issues, while referring to the architectural design once in a while.
ABSTRACT: To be considered a viable storage solution, modern peer-to-peer (P2P) storage systems must exhibit high availability and data persistence characteristics. In an attempt to provide these, most systems assume a continuously connected and available underlying communication infrastructure. This however is not warranted in any real large-scale distributed system, and thus needs to be addressed. Continuous update systems that allow updating data by multiple writers have harder problems to overcome since the ordering of updates needs to be maintained independently of connectivity conditions. In this paper we propose a solution for maintaining a global view of the ordering even when severe connectivity disruptions take place, allowing the system to continue functioning while connectivity is disrupted and to recover from the disruption smoothly when connectivity is restored. To this end, we introduce and discuss three new concepts to the realm of P2P storage systems: 1) the maintenance of additional state information to detect and trace object updates during partitioning, 2) the usage of active decentralized object replication through shadow roots, and 3) the deployment of cryptographic technologies to allow for the recovery of private state information.
ABSTRACT: Collaborative intrusion detection systems (IDSs) have a great potential for addressing the challenges posed by the increasing aggressiveness of current Internet attacks. However, one of the major concerns with the proposed collaborative IDSs is their vulnerability to the insider threat. Malicious intruders, infiltrating such a system, could poison the collaborative detectors with false alarms, disrupting the intrusion detection functionality and placing at risk the whole system. In this paper, we propose a P2P-based overlay for intrusion detection (overlay IDS) that addresses the insider threat by means of a trust-aware engine for correlating alerts and an adaptive scheme for managing trust. We have implemented our system using the JXTA framework and we have evaluated its effectiveness for preventing the spread of a real Internet worm over an emulated network. The evaluation results show that our overlay IDS significantly increases the overall survival rate of the network.
ABSTRACT: One of the fundamental challenges for peer-to-peer (P2P) systems is the ability to manage risks involved in interacting and collaborating with previously unknown and potentially malicious parties. Reputation-based trust management can mitigate this risk by deriving the trustworthiness of a certain peer from that peer's behavior history. However, the existing reputation systems do not provide adequate reaction to quick changes in peers' behavior, raising serious concerns regarding their effectiveness in coping with dynamic malicious peers. In this paper we investigate the requirements on the dynamics of trust in P2P systems and propose a versatile trust metric which satisfies these requirements. In particular, our proposed metric is capable of detecting and penalizing both the sudden changes in peers' behavior and their potential oscillatory malicious behavior. Moreover, our metric is flexible enough to implement different types of trust dynamics. We evaluate our metric through simulation and show its unique features and advantages over the existing metrics.
ABSTRACT: The notion of procuring computer services from a utility, much the way we get water and electricity and phone service, is not new. The idea at the center of the public utility trend in computer services is to allow firms to focus less on administering and supporting their information technology and more on running their business. Supernets and their implementation as hardware devices (snHubs) are our approach to make networks part of the public utility computing (PUC) infrastructure. The infrastructure is a key to integrating and enabling such "remote access" constituencies as B2B, out-sourcing vendors, and workers who telecommute in a safe and scalable manner. We have designed, developed, and deployed a prototype whose viability is now being demonstrated by a small deployment throughout Sun Microsystems.
ABSTRACT: Corporate IT as well as individuals show increasing interest in reliable outsourcing of storage infrastructure. Decentralized solutions with their resilience against partial outages are among the most attractive approaches. Irrespective of the form of the relationship, be it based on a contract or on the more flexible cooperative model, the problem of verifying whether someone promising to store one's data actually does so remains to be solved, especially in the presence of multiple replicas. We introduce a lightweight mechanism that allows the data originator or a dedicated verification agent to build up trust in the replica holder by means of protocols that do not require prior trust or key establishment. We show how naive versions of the protocol do not prevent cheating, and then strengthen it by adding means that make it economically attractive to be honest. This provides a foundation for further work in providing trustworthy distributed storage.
ABSTRACT: With the advent of more and more small devices with networking capabilities, the interest in their secure self organisation has grown. These devices -- smartlets as we named them -- may have multiple transient ownerships and the resulting trust environment can become quite complex. Our paper takes a look at a fictitious next generation casino and some necessary hardware as an illustration, and examines what operations (such as cryptographically secure group management) could become relevant in solving the problems observed there.
ABSTRACT: Middleware supporting secure applications in a distributed environment faces several challenges. Scalable security in the context of multicasting or broadcasting is especially hard when privacy and authenticity are to be assured to highly dynamic groups where the application allows participants to join and leave at any time. Unicast security is well-known and has widely advanced into production state. But proposals for multicast security solutions that have been published so far are complex, often require trust in network components or are inefficient. In this paper, we propose a framework of new approaches for achieving scalable security in IP multicasting. Our solutions assure that newly joining members are not able to understand past group traffic, and that leaving members may not follow future communication. For versatility, our framework supports a range of closely related schemes for key management, ranging from tightly centralized to fully distributed and even allows switching between these schemes on-the-fly with low overhead. Operations have low complexity (O(log N) for joins or leaves), thus granting scalability even for very large groups. We also present a novel concurrency-enabling scheme, which was devised for fully distributed key management. In this paper we discuss the requirements for secure multicasting, present our flexible system, and evaluate its properties, based on the existing prototype implementation.
ABSTRACT: Proposals for multicast security that have been published so far are complex, often require trust in network components or are inefficient. In this paper we propose a series of novel approaches for achieving scalable security in IP multicast, providing privacy and authentication on a group-wide basis. They can be employed to efficiently secure multi-party applications where members of highly dynamic groups of arbitrary size may participate. Supporting dynamic groups implies that newly joining members must not be able to understand past group communications, and that leaving members may not follow future communications. Key changes are required for all group members when a leave or join occurs, which poses a problem if groups are large. The algorithms presented here require no trust in third parties, support either centralized or fully distributed management of keying material, and have low complexity ( -33612 or less). This grants scalability even for large groups. Keywords: Secure multicasting, tree-based key distribution, multicast key distribution schemes, distributed key management
ABSTRACT: As the variety of applications, especially distributed multimedia applications, explodes, their requirements on communication-relevant tasks increase. Besides a communication architecture for dealing with traditional communication protocol processing, multicast features and security requirements have to be considered in an integrated manner. Therefore, a multicast-capable and security-aware communication subsystem is developed to provide necessary functionality to support an integrated set of reusable application elements, e.g., audio/video-presentation, application sharing, picture phone, extended WWW browser, tele-banking, or tele-seminar. The main goal includes the provision of a real-world application framework, where different traditional and emerging applications can be managed modularly. Their needs and communication demands in terms of Quality-of-Service (QoS) attributes are specified by numerical values, e.g., bandwidth requirements, delay boundaries, reliability issues. Furthermore, functional features, such as multicast groups, encryption desires, or authentication requests can be selected. In turn, the developed communication subsystem allows for the preparation of flexibly adjusted communication protocols that provide requested functionality, e.g., error control schemes, multicast addressing, encryption, or authentication. Finally, a best suited service for these application requests is offered.
ABSTRACT: The research project KTI Da CaPo++ is based on the project Da CaPo (Dynamic Configuration of Protocols) at the ETH. The extended system of Da CaPo++ provides a basis for an application framework for banking environments and tele-seminars. It includes the support of prototypical multimedia applications to be used on top of high-speed networks including dynamically configurable security and multicast aspects. The main goal for this document is the description of the implemented design as stated elsewhere. It covers the application framework parts carried out at ETH and Da CaPo++ core system internal details concerning the security and relevant C-modules. These goals have been achieved and implemented under Solaris 2.5.1 on Sun workstations including multimedia equipment, such as cameras, microphones, and speakers. Finally, the implemented design of Da CaPo++ has remained independent of any specific transport infrastructure, as long as the considered network offers minimal features, e.g., bandwidth, delay, or bit error rates that are requested by an application. A heterogeneous infrastructure, including Ethernet and ATM (Asynchronous Transfer Mode), is supported, which has been demonstrated in the final project demonstration July 1, 1997.
ABSTRACT: Distributed multimedia applications require a variety of communication services. These services and different application demands have to be provided and supported within end-systems in an efficient and integrated manner, combining the precise specification of Quality-of-Service (QoS) requirements, application interfaces, multicast support, and security features. The Da CaPo++ system presented in this paper provides an efficient middleware and application framework for multimedia applications, capable of handling various types of applications in a modular fashion. Applications' needs and communication demands are specified by values in terms of QoS attributes and functional properties, such as multicast groups, encryption or authentication requirements. Da CaPo++ automatically generates suitable communication protocols, provides for an efficient run-time support and offers an easy-to-use, object-oriented application programming interface. Its applicability for real-life scenarios was shown by various prototype implementations. Extensive performance evaluations have been carried out and practical experiences have yielded numerical results and conclusions.
ABSTRACT: Performance evaluations of advanced communication subsystems and their applications are necessary methods to prove that a certain level of communication functionality demanded and a required minimal processing power of end-systems (workstations) and of intermediate systems (networks and routers) have been achieved. The communication middleware package Da CaPo++ provides a modern communication platform that supports flexible communication services, in particular for end-systems. Based on an implementation of Da CaPo++ on workstations (Sun SPARCStations and Sun UltraSPARCs) a performance evaluation has been carried out. Specifically, the performance for relevant communication tasks is identified and overhead required for providing various degrees of communication service flexibility is illustrated.
ABSTRACT: We present a vision of computing environments in which enterprise networks are built using untrusted public infrastructures. The vision allows for networks to dynamically change depending on the need of their users, rather than forcing the users to build organizations around networks. This vision is realized through a design abstraction called Virtual Enterprise Networking, or, for short, Supernetworking. A first prototype of such a Supernet has been implemented on Linux. Supernetworking introduces a new layer of abstraction in a layered model of computer networking. The Supernet layer sits directly above the network layer and includes its own addressing structure and security services which protect all data transmitted by the network layer. A key component of a Supernet is communications tunneling. Instead of the traditional two endpoints, our tunnels have as many endpoints as there are computers participating in a Supernet. While tunneling has been repeatedly used to implement infrastructure services such as multicasting, virtual private networks, and support for mobility, we distill these technologies into a single, simple abstraction. This new abstraction enables the ability to out-source network infrastructure services in a transparent and secure manner, mobility, and the creation and administration of secure ad-hoc virtual computer networks.