SPORC: Group Collaboration using Untrusted Cloud Resources

Post on 19-Dec-2015

SPORC: Group Collaboration using Untrusted Cloud Resources — OSDI 10/5/10 1

SPORC: Group Collaboration using Untrusted Cloud Resources

Ariel J. Feldman, William P. Zeller, Michael J. Freedman, Edward W. Felten

Cloud deployment: pro & con

Cloud deployment is attractive
• Scalable, highly available, globally accessible
• Real-time collaboration

For user-facing applications: (e.g. word processing, calendaring, e-mail, IM)

But, there’s a price…

Must trust the cloud provider for confidentiality and integrity

SPORC goals

Untrusted servers
• Can’t read user data
• Can’t tamper with user data without risking detection
• Clients can recover from tampering

Practical cloud apps
• Flexible framework
• Real-time collaboration
• Work offline

Making servers untrusted

[Diagram: Server holding encrypted state; Client 1 and Client 2, each with a copy of state and app logic]

SPORC server’s limited role:
• Storage
• Ordering msgs

Problem #1:

How do you keep clients’ local copies consistent? (esp. with offline access)

[Diagram: Server holding encrypted state; Client 1 and Client 2, each with a copy of state and app logic]

Problem #2:

How do you deal with a malicious server?

[Diagram: Server holding encrypted state; Client 1 and Client 2, each with a copy of state and app logic]

Keeping clients in sync

Operational transformation (OT) [EG89]
(Used in Google Docs, EtherPad, etc.)

[Diagram: Alice and Bob, connected through the server, both hold state ABCDE (ops: ins “ABC”, ins “DE”). One client applies del 2 locally (state ACDE), the other del 4 (state ABCE). Applying the remote op unchanged leaves them at ACD and ACE. With the transformation T, the ops applied are del 2 and del 3, and both clients end at ACE.]

OT can sync arbitrarily divergent clients
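The del 2 / del 4 exchange from this slide as an added example (not the SPORC code): a transformation function for single-character deletes and string inserts. It goes beyond the slide by also covering insert/insert and insert/delete pairs; the op tuple shapes and function names are assumptions.

```python
# Added example: ops are ("ins", pos, text) or ("del", pos); positions are
# 1-based, matching the slide (del 2 on ABCDE removes "B").

def apply(state, op):
    """Apply one op to a string; None is a no-op."""
    if op is None:
        return state
    i = op[1] - 1
    if op[0] == "ins":
        return state[:i] + op[2] + state[i:]
    return state[:i] + state[i + 1:]

def transform(op, against, op_wins_ties=True):
    """Rewrite `op` so it can be applied after the concurrent op `against`."""
    if op is None or against is None:
        return op
    kind, pos = op[0], op[1]
    a_kind, a_pos = against[0], against[1]
    if a_kind == "ins":
        width = len(against[2])
        if kind == "ins":
            # Concurrent inserts at the same position need a fixed tie-break.
            shift = a_pos < pos or (a_pos == pos and not op_wins_ties)
        else:
            shift = a_pos <= pos  # text landed at or before our target char
        new_pos = pos + width if shift else pos
    else:  # `against` deleted one character
        if kind == "del" and a_pos == pos:
            return None  # both sides deleted the same character
        new_pos = pos - 1 if a_pos < pos else pos
    return (kind, new_pos) + tuple(op[2:])

def converge(start, alice_op, bob_op):
    """Each client applies its own op first, then the other's transformed op."""
    alice = apply(apply(start, alice_op), transform(bob_op, alice_op, False))
    bob = apply(apply(start, bob_op), transform(alice_op, bob_op, True))
    return alice, bob

def naive(start, alice_op, bob_op):
    """The same exchange without transformation: the replicas diverge."""
    return (apply(apply(start, alice_op), bob_op),
            apply(apply(start, bob_op), alice_op))
```
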

Dealing with a malicious server

Digital signatures aren’t enough

Server can equivocate

[Diagram: two clients shown different histories by the server: A B C and A C]

fork* consistency [LM07]
• Honest server: linearizability
• Malicious server: Alice and Bob detect equivocation after exchanging 2 messages
• Embed history hash in every message

Server can still fork the clients, but can’t unfork
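An added sketch of the history-hash check on this slide (not code from the SPORC authors): each message carries the hash of the history its sender has seen, and the receiver compares it with its own chain. It assumes a SHA-256 hash chain over op strings and uses an HMAC under a constructed shared key as a stand-in for per-client digital signatures; all names are hypothetical.

```python
import hashlib
import hmac

GENESIS = b"\x00" * 32
GROUP_KEY = b"constructed-demo-key"  # stand-in for real per-client signatures

def extend(prev_hash, op):
    """History hash chain: h_i = SHA-256(h_{i-1} || op_i)."""
    return hashlib.sha256(prev_hash + op.encode()).digest()

def tag(sender, seen, hist, op):
    body = f"{sender}|{seen}|{hist.hex()}|{op}".encode()
    return hmac.new(GROUP_KEY, body, hashlib.sha256).digest()

class Client:
    def __init__(self, name):
        self.name = name
        self.hashes = [GENESIS]  # hashes[i] covers the first i committed ops

    def send(self, op):
        """Every message embeds the hash of the history its sender has seen."""
        seen, hist = len(self.hashes) - 1, self.hashes[-1]
        return (self.name, seen, hist, op, tag(self.name, seen, hist, op))

    def receive(self, msg):
        sender, seen, hist, op, mac = msg
        if not hmac.compare_digest(mac, tag(sender, seen, hist, op)):
            return "bad-signature"
        # The sender's view of the first `seen` ops must be a prefix of ours.
        if seen >= len(self.hashes) or self.hashes[seen] != hist:
            return "fork-detected"
        self.hashes.append(extend(self.hashes[-1], op))
        return "ok"

def equivocating_server():
    """Constructed run: the server forks Alice and Bob, then tries to unfork."""
    alice, bob = Client("alice"), Client("bob")
    m1 = alice.send("ins ABC")
    log = [alice.receive(m1), bob.receive(m1)]       # honest so far
    a2, b2 = alice.send("del 2"), bob.send("del 4")  # concurrent ops
    log += [alice.receive(a2), bob.receive(b2)]      # each sees only its own op
    a3 = alice.send("ins DE")
    log.append(bob.receive(a3))                      # attempted unfork
    return log
```

Every message in the run carries a valid tag, so authentication alone never flags the fork; only the history-hash comparison does.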

System design

[Diagram, built up over six slides. Labels: Client app; Local state; SPORC lib; Committed (fork* consistent) and Pending (causally consistent); Server with encrypted state; Encrypt & sign; second Client; Verify & decrypt; Compare history hashes; T]

Access control

Challenges
• Server can’t do it — it’s untrusted!
• Preserving causality
• Concurrency makes it harder

Solutions
• Ops encrypted with symmetric key shared by clients
• ACL changes are ops too
• Concurrent ACL changes handled with barriers

Adding a user

[Diagram: Alice, Bob and Charlie with the server and the list of group members. ModifyUserOp: Add “Charlie”, carrying E_Charlie_pk(k)]

Removing a user

[Diagram: Alice, Bob and Charlie with the server and the list of group members. ModifyUserOp: Rm “Charlie”, carrying E_alice_pk(k’), E_bob_pk(k’) and E_k’(k)]

Barriers: dealing with concurrency

[Diagram: Alice and Bob with the server and the list of group members. Two concurrent ModifyUserOps pass through the server: Rm “Charlie” carrying E_k1(k) and Rm “Eve” carrying E_k2(k). Two BARRIER labels mark the ops.]

Clients check on the server

Recovering from a fork

[Diagram: Alice’s history and Bob’s history, diverging at a point labelled “Fork!”]

Can use OT to resolve malicious forks too

Implementation

Client lib + generic server

App devs only need to define ops and provide a transformation function

Demo apps: key value store, browser-based collaborative text editor

Java CLI version + browser-based version (GWT)

Evaluation

Setup
• Tested Java CLI version
• 8-core 2.3 GHz AMD machines
    • 1 for server
    • 4 for clients (often >1 instance per machine)
• Gigabit LAN

Microbenchmarks
• Latency
• Server throughput
• Time-to-join (in paper)

Latency

[Two plots, text editor app: low load (1 client writer) and high load (all clients are writers)]

Server throughput

Conclusion

Practical cloud apps + untrusted servers

Operational transformation + fork* consistency

Dynamic access control and key distribution

Recovery from malicious forks

Thank you

Questions?

ajfeldma@cs.princeton.edu*

*http://www.snowpeak.com/tableware/cutlery/titanium-original-spork-sct-004.html

Comparison with Depot

Future work: SPORC + Depot? ;-)

                                        SPORC   Depot
Consistency with malicious servers        ✔       ✔
Consistency with malicious clients        –       ✔
Fork recovery                             ✔       ✔
Work offline                              ✔       ✔
Dynamic access control                    ✔       –
Confidentiality and key distribution      ✔       –

Depot exposes conflicts, but leaves it to the app to resolve them

Time-to-join