Title: Byzantine Faults in Wireless Networks
Slide 1: Byzantine Faults in Wireless Networks
- Nitin Vaidya
- University of Illinois at Urbana-Champaign
Slide 2: Acknowledgements
- Talk based on joint work with
- Vartika Bhandari, UIUC
- Guanfeng Liang, UIUC
- Rachit Agrawal, UIUC
- Pradeep Kyasanur, UIUC
- Chandrakanth Chereddi, UIUC
- Chiu-Yuen Koo, University of Maryland
- Jonathan Katz, University of Maryland
- Research funded in part by
- US National Science Foundation
- US Army Research Office
- Vodafone
Slide 3: Wireless Networks
- Wireless paradigms
- Single hop versus Multi-hop
- Multi-hop networks
- Mesh networks, ad hoc networks, sensor networks
Slide 4: Network Performance
Slide 5: What Makes Wireless Networks Interesting?
- Broadcast medium
- Path loss
Slide 6: What Makes Wireless Networks Interesting?
- Many forms of diversity
- Time
- Route
- Antenna
- Path
- Channel
Slide 7: What Makes Wireless Networks Interesting?
Slide 8: What Makes Wireless Networks Interesting?
[Figure: two four-node topologies (nodes A, B, C, D), one labelled "High interference", the other "Low interference"]
Slide 9: Improving Wireless Performance
- Exploit physical resources / diversity
- Requires appropriate cross-layer protocols
- Routing
- Scheduling
- Medium access control
Slide 10: Example
- Multi-channel wireless networks
[Figure: channels 1, 2, 3, 4, ..., c]
Slide 11: Practical Scenario
- A host can only use a subset of channels at any time
[Figure: m radios, c channels]
Slide 12: Need for New Protocols
- 4 channels, 2 radios per node
[Figure: node tuned to channels 1,2]
Slide 13: Net-X: Theory to Practice
[Figure: Net-X testbed node, a Linux box]
Slide 14: Performance & Security
Slide 15: Security & Performance
- How to ______ secure performance?
- Define
- Analyze
- Improve
- How to exploit wireless properties?
Slide 16: Byzantine Faults in Wireless Networks
Slide 17: Byzantine Fault Model
- Arbitrary behavior
Slide 18: Byzantine Faults
- Arbitrary behavior may be constrained
- Examples
- Transmit power (and range) constrained by physical design of a wireless device
- Misbehavior may be limited to the programmable components of a wireless device
Slide 19: Byzantine Agreement
- If source s sends a message, all non-faulty nodes must agree on a single value for that message
- If s is non-faulty, the agreed value must be the one sent by s
Slide 20: Byzantine Agreement
[Figure: http://en.wikipedia.org/wiki/File:Plum_tree_with_fruit.jpg]
Slide 21: Is Wireless Different?
- Broadcast medium hinders duplicity
[Figure: S sends x to A at time t and y to B at a later time u > t]
Slide 22: Is Wireless Different?
- Many forms of diversity
- Time
- Route
- Antenna
- Path
- Channel
- Diversity weakens broadcast capability
Slide 23: Is Wireless Different?
- Path loss limits range
- Not all nodes in the same broadcast domain
- → Misbehaving node cannot cause collisions everywhere
- → Multi-hop network
Slide 24: Is Wireless Different?
- f failures anywhere in the network
- → n > 3f, connectivity > 2f
- In multi-hop networks, connectivity small compared to n
- → f may not scale with n
- → Alternative fault distribution models may provide new insights
Slide 25: Some Results
Slide 26: Network Models
- Random deployment
- Grid network
Slide 27: Grid Network
- Degree: nodes within distance r in each direction are neighbors
- Connectivity bounded by number of neighbors
- L∞ distance metric
[Figure: (2r+1) × (2r+1) neighborhood around a node]
Slide 28: Grid Network
- Local fault model: at most f faults in each neighborhood
- Byzantine agreement iff f < ½ r(2r+1)
- Potentially, network-wide faults linear in n
- Traditional model: f faults network-wide
- Degree > 2f
- Number of faults in the entire network < degree / 2
- Local model: f < ½ r(2r+1) is roughly degree / 4 faults per neighborhood
Slide 29: Proof Outline
- Induction
- All neighbors of (a, b) can commit to the correct value → all neighbors of (a-1, b), (a+1, b), (a, b-1), (a, b+1) also can
- Base case
- All neighbors of the source hear the message directly and can commit to it
Slide 30: Grid Network
- Assumptions leading to improved fault-tolerance
- Locally bounded faults
- Reliable local broadcast
- No MAC layer cheating: collisions, address spoofing
Slide 31: Grid Network
- Probabilistic failure model: failure probability p < ½
- Reliable broadcast probability → 1 when n → ∞, iff node degree exceeds a critical threshold
- Expected number of faults linear in n
- Local fault model: at most f faults in each neighborhood
- Byzantine agreement iff f < ½ r(2r+1)
- Potentially, network-wide faults linear in n
Slide 32: Reliable Local Broadcast?
- In reality
- Unreliable wireless channel
- If MAC layer is compromised, nodes may cause collisions or spoof addresses
Slide 33: Relaxing the Assumptions
- Unreliable channel + non-faulty MAC
- Local broadcast with probabilistic guarantees
- Bounded number of collisions + reliable channel
- A transformation that converts an algorithm for the collision-free case into a bounded-collision-resilient algorithm
- Other related work: Gilbert, Pelc
Slide 34: Byzantine Agreement
- One shot analysis
- Connectivity requirements
- Number of messages
- Number of rounds
- Longer timescale analysis
- Throughput with fault-tolerance
Slide 35: Throughput Analysis
- Multicast: single source, multiple destinations
- Unicast: single source, single destination
- Requirement: deliver data correctly when source & destination are fault-free
- We will consider unicast
Slide 36: Related Work
- Significant related work
- Byzantine agreement: Pease-Shostak-Lamport
- Information dispersal: Rabin
- System level diagnosis: Preparata-Metze-Chien
- Network coding: Koetter, Medard
Slide 37: Fault-Tolerance Objective
- Tolerate failures
- Detect failures
- Let us focus on detection of a single failure
- Source & destination fault-free
Slide 38: Secure Capacity
- What is the maximum rate of reliable delivery in the network such that a single failure is detected?
Slide 39: Two Approaches
- Where is the failure (or attack) detected?
- At the destination
- At intermediate nodes
Slide 40: Detection at Destination
Slide 41: Unicast with Byzantine Failure
- Attack not detected
- → Detection requires connectivity ≥ 2
[Figure: single path S → A → D]
Slide 42: Unicast with Byzantine Failure
- Attack not detected
- → Detection requires connectivity ≥ 2
- Capacity 0
[Figure: S → A at rate R1, A → D at rate R2]
Slide 43: Unicast with Byzantine Failures
- Forward data through A and W
- Compare at D to detect single failure
- f must have an inverse; f(x) = x suffices
[Figure: S sends x to A and to W; A and W each forward f(x) to D]
Slide 44: Unicast with Byzantine Failures
- Forward data through A and W
- Compare at D to detect single failure
- Capacity = min(R1, R2, R3, R4)
[Figure: S → A at rate R1, A → D at rate R2, S → W at rate R3, W → D at rate R4]
Slide 45: Unicast with Byzantine Failures
- Forward data through A and W
- Compare at D to detect single failure
- What happens with broadcast links?
[Figure: the same two-path network with link rates R1, R2, R3, R4]
Slide 46: Unicast with Byzantine Failure
- S constrained to broadcast the same information to A and W
- Duplicate along two routes, and compare at D
- Capacity = min(R, R2, R4)
[Figure: S broadcasts x at rate R to both A and W; A → D at rate R2, W → D at rate R4]
Slide 47: Example 2
- Each faulty node can tamper 1 packet
- Capacity = min-cut − 1
- Network coding
- Things more interesting when each node's capability is different
[Figure: S sends packets a and b through nodes A, B, C to D over links of rate 1 and 2; one node forwards the combination a+b]
Slide 48: Example 3
[Figure: S sends packet pairs (a1,a2), (b1,b2), (c1,c2) over rate-2 links; intermediate nodes A, B, C, D, E forward pairs or the combinations c1+a1+b1, c2+a2+b2 over rate-4 links to the destination D]
Slide 49: Common Feature: Code-then-Replicate
- Source broadcasts packets to one-hop neighbors
- One-hop neighbors
- Either forward some of the packets unmodified
- Or forward linear combinations of the packets
- All other nodes
- Forward packets to neighbors, possibly replicating the packets
- No other coding
Slide 50: Link Failures versus Node Failures
- If an adversary can only attack f packets (independent of its output rate), a min-cut of f + c is adequate to support capacity c
- With node failures, the situation is more complex
- Characterized achievable rate for the code-then-replicate strategy with a node failure
Slide 51: Detection in the Network
Slide 52: Recall
- S constrained to broadcast the same information to A and W
- Duplicate along two routes, and compare at D
- Capacity = min(R, R2, R4)
[Figure: S broadcasts x at rate R to both A and W; A → D at rate R2, W → D at rate R4]
Slide 53: Unicast with Byzantine Failure
- What if A's transmission is a broadcast too?
- Can do much better
[Figure: S → A → D, with W in range of both S and A]
Slide 54: Watchdog Approach
- What if A's transmission is a broadcast too?
[Figure: S sends x to A; A forwards y to D; W overhears both and raises "Alarm!" when y differs from x]
Slide 55: Shared Wireless Channel
- If A → D and W → D share a channel, throughput with watchdog is almost the same as without watchdog
[Figure: with watchdog, S → A and A → D at rate R−1 and W → D carries a 1-bit binary value; without watchdog, S → A and A → D at rate R]
Slide 56: Shared Wireless Channel
- If A → D and W → D share a channel, throughput with watchdog is almost the same as without watchdog
- Much better than linear coding
[Figure: as above: S → A and A → D at rate R−1, W → D one binary value]
Slide 57: Watchdog Approach
- Watchdog function: non-linear
- Superior to linear coding strategies
- Can be generalized to multiple watchdogs
Slide 58: Limitations of Wireless Channel
- Unreliable transmissions
- Watchdog cannot watch every transmission
- Solution: Coding + Watchdog
[Figure: S → A → D with an unreliable link from A to watchdog W]
Slide 59: Detection at Destination
- Detection at destination, if not too many errors are introduced by the attacker
[Figure: S sends a, b, c, a+b+c; A forwards a, b, x, a+b+c; D checks a+b+x ≠ a+b+c]
Slide 60: Detection at Watchdog
- Suppose the watchdog can observe 75% of packets from attacker A
[Figure: S sends a, b, c, a+b+c; A forwards a, z, x, a+b+c; W, having overheard a, b, c, a+b+c from S, raises "Alarm!"]
Slide 61: Coding + Watchdog
- How much redundancy in transmission from S is enough?
- Assume an (n,k) maximum distance separable code with distance n−k+1
- Attack by A detected by D if A tampers ≤ n−k packets
- Attacker A must tamper at least n−k+1 packets to be undetected by D
- Attack by W detected trivially
Slide 62: Caveat
- Fault detection ≠ Fault identification
Slide 63: Coding + Watchdog
- Suppose the watchdog can detect packet tampering with probability q
- Probability of not being detected by W
Slide 64
- Construct (n,k) MDS code with
- Example
- can be made small
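The following Python block is an added example, not code from the talk or its authors. It instantiates the (n,k) MDS code of slides 59-61 as a Reed-Solomon code over the prime field GF(65537), with one field element per packet (an assumption made for the example), and shows the three claims as running code: the destination D catches any attack on at most n−k packets; an attacker who rewrites exactly n−k+1 packets can land on another codeword and evade D; and, for slides 63-64, such an attacker still faces a watchdog that sees each forwarded packet with probability q, so its probability of evading both is (1−q)^(n−k+1) when the watchdog's observations are independent (also an assumption of this example). The message values and code parameters are constructed.

```python
# Added example: Reed-Solomon (n,k) MDS code for tamper detection at D plus a watchdog.
P = 65537  # prime field GF(P); one packet = one field element (assumption for this example)


def poly_eval(coeffs, x):
    """Horner evaluation of sum(coeffs[i] * x**i) over GF(P)."""
    acc = 0
    for c in reversed(coeffs):
        acc = (acc * x + c) % P
    return acc


def rs_encode(msg, n):
    """(n, k) Reed-Solomon code, k = len(msg): evaluate the message polynomial at x = 1..n.
    Any k packets determine the polynomial, so the minimum distance is n - k + 1 (MDS, slide 61)."""
    assert 0 < len(msg) <= n < P
    return [poly_eval(msg, x) for x in range(1, n + 1)]


def lagrange_at(points, x):
    """Value at x of the unique polynomial of degree < len(points) through `points`, over GF(P)."""
    total = 0
    for i, (xi, yi) in enumerate(points):
        num = den = 1
        for j, (xj, _) in enumerate(points):
            if i != j:
                num = num * (x - xj) % P
                den = den * (xi - xj) % P
        total = (total + yi * num * pow(den, P - 2, P)) % P
    return total


def destination_accepts(received, k):
    """D's check: the n received packets form a codeword iff they all lie on one polynomial of
    degree < k. Interpolate from the first k packets and re-derive the rest; a mismatch means tampering."""
    n = len(received)
    base = [(x, received[x - 1]) for x in range(1, k + 1)]
    return all(lagrange_at(base, x) == received[x - 1] for x in range(k + 1, n + 1))


def tamper(codeword, positions, delta=1):
    """Attacker A rewrites the packets at `positions` (0-based) by adding a nonzero delta."""
    out = list(codeword)
    for p in positions:
        out[p] = (out[p] + delta) % P
    return out


def evading_tamper(codeword, k):
    """The best A can do with n-k+1 rewrites: move to another codeword. Adding q(x) = prod_{i=1}^{k-1}(x - i)
    (degree k-1, so still a valid message polynomial) leaves packets 1..k-1 unchanged and changes the other n-k+1."""
    def q(x):
        v = 1
        for xi in range(1, k):
            v = v * (x - xi) % P
        return v
    return [(c + q(x)) % P for x, c in enumerate(codeword, start=1)]


def hamming(a, b):
    """Number of packet positions in which two transmissions differ."""
    return sum(1 for u, v in zip(a, b) if u != v)


def watchdog_miss_probability(q, tampered):
    """Probability that a watchdog which catches each tampered forwarded packet independently with
    probability q sees none of `tampered` tampered packets (independence is an assumption of this example)."""
    return (1.0 - q) ** tampered


if __name__ == "__main__":
    n, msg = 6, [7, 42, 1000]          # constructed (n, k) = (6, 3): minimum distance 4
    k = len(msg)
    cw = rs_encode(msg, n)
    caught = tamper(cw, [0, 1, 2])     # n - k = 3 packets rewritten: caught at D
    evaded = evading_tamper(cw, k)     # n - k + 1 = 4 packets rewritten: another codeword, D accepts
    print("D accepts original:", destination_accepts(cw, k))
    print("D accepts 3-packet attack:", destination_accepts(caught, k))
    print("D accepts 4-packet attack:", destination_accepts(evaded, k), "differing packets:", hamming(cw, evaded))
    print("P(watchdog with q=0.75 misses the evading attack):", watchdog_miss_probability(0.75, hamming(cw, evaded)))
```

Choosing n−k = f redundant packets is the detection-side reading of slide 50: on a cut of c+f packets the destination still receives rate k = c and catches any attack on up to f of them. Note also slide 62: `destination_accepts` tells D that some packet was tampered, not which packet or which node did it.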
Slide 65: Trade-off Between Throughput & Fault-Tolerance
- A and B collide at W
- Greater throughput → lower observability at W
Slide 66: Locating Faulty Nodes
- Multiple watchdogs can also be used to identify a faulty node (the watchdog may itself be faulty)
Slide 67: On-Going Work
- Characterizing capacity with watchdogs
- Code-then-replicate strategy promising
Slide 68: Wrap-Up
Slide 69
[Figure: overlap of three areas]
- Distributed Algorithms
- Wireless Networking
- Fault Diagnosis / Tolerance
Slide 70: Thanks!
Slide 74: Grid Network
- Probabilistic failure model: failure probability p < ½
- Critical node degree for reliable broadcast probability → 1 when n → ∞
- Expected number of faults linear in n
Slide 75: Necessary Condition: Proof Outline
- If some fault-free nodes have > half faulty neighbors, reliable broadcast may fail
- Show that if node degree is below the critical degree, broadcast failure probability → 1 as n → ∞
Slide 76: Sufficiency Condition: Constructive Proof
- Algorithm: majority vote of a quarter neighborhood
- Claim: if all fault-free nodes in a neighborhood have committed to the correct value, so can all nodes in the periphery of this region
- Inductive proof: each peripheral node has at least d/4 neighbors in the above region. Less than half of these are faulty w.h.p. as n → ∞. Thus majority over these d/4 neighbors suffices!
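The following Python simulation is an added example, not code from the talk or its authors. It models the setting of slides 27-30 and 74-76: an n × n grid with L∞ neighborhoods of radius r, a non-faulty source, reliable local broadcast (every listener hears the same value from a transmitter), and a locally bounded set of Byzantine nodes. Nodes commit wave by wave, in order of distance from the source, to the majority value among their already-committed neighbors that lie strictly closer to the source, which is the "majority over a region that has already committed" step of the inductive argument. This simplified rule is not the exact protocol behind the f < ½ r(2r+1) bound and tolerates fewer faults; the grid size, radius, fault placements and bit values are constructed for the example, and `local_fault_bound_holds` is the check a practitioner would run before trusting the result.

```python
# Added example: wave-by-wave majority commit on a grid with locally bounded Byzantine nodes.
from collections import Counter


def linf(p, q):
    """L-infinity (Chebyshev) distance on the grid, the metric of slide 27."""
    return max(abs(p[0] - q[0]), abs(p[1] - q[1]))


def neighborhood(node, n, r):
    """The (2r+1) x (2r+1) block around `node`, clipped to the n x n grid, including `node` itself."""
    a, b = node
    return [(x, y)
            for x in range(max(0, a - r), min(n, a + r + 1))
            for y in range(max(0, b - r), min(n, b + r + 1))]


def local_fault_bound_holds(n, r, f, faulty):
    """Locally bounded fault assumption (slide 28): no neighborhood contains more than f faulty nodes."""
    return all(sum(1 for v in neighborhood((a, b), n, r) if v in faulty) <= f
               for a in range(n) for b in range(n))


def grid_broadcast(n, r, source, value, faulty, wrong_value):
    """Simulate the commit process. Returns {node: committed value}; None marks a node that saw no strict majority.
    Faulty nodes broadcast `wrong_value`; reliable local broadcast means every listener hears that same lie."""
    committed = {source: value}
    order = sorted(((a, b) for a in range(n) for b in range(n) if (a, b) != source),
                   key=lambda p: linf(p, source))
    for node in order:
        if node in faulty:
            committed[node] = wrong_value
            continue
        d = linf(node, source)
        if d <= r:
            committed[node] = value  # base case (slide 29): hears the source directly
            continue
        # inductive step: majority over neighbors strictly closer to the source, all already committed
        votes = Counter(committed[v] for v in neighborhood(node, n, r)
                        if v != node and linf(v, source) < d)
        total = sum(votes.values())
        top, cnt = votes.most_common(1)[0] if votes else (None, 0)
        committed[node] = top if 2 * cnt > total else None
    return committed


def honest_agreement(result, faulty, value):
    """Byzantine agreement with a non-faulty source (slide 19): every non-faulty node holds the source's value."""
    return all(v == value for p, v in result.items() if p not in faulty)


if __name__ == "__main__":
    n, r, f, source = 9, 2, 1, (4, 4)
    spread = {(1, 7), (7, 1)}           # constructed: at most one faulty node in any 5x5 neighborhood
    res = grid_broadcast(n, r, source, 1, spread, 0)
    print("bound holds:", local_fault_bound_holds(n, r, f, spread),
          "agreement:", honest_agreement(res, spread, 1))
    clustered = {(1, 1), (1, 2), (2, 1)}  # constructed: three faults crowd one corner, violating the bound
    res2 = grid_broadcast(n, r, source, 1, clustered, 0)
    print("bound holds:", local_fault_bound_holds(n, r, f, clustered),
          "corner (0,0) committed to:", res2[(0, 0)])
```

With r = 2 every node beyond the source's range has at least four strictly closer neighbors, so a single faulty node per neighborhood is outvoted; the clustered placement shows the same rule failing as soon as the local bound is violated, which is why the bound is checked explicitly rather than assumed.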