Byzantine Faults in Wireless Networks

1
Byzantine Faults in Wireless Networks

• Nitin Vaidya
• University of Illinois at Urbana-Champaign

2
Acknowledgements

• Talk based on joint work with
• Vartika Bhandari, UIUC
• Guanfeng Liang, UIUC
• Rachit Agrawal, UIUC
• Pradeep Kyasanur, UIUC
• Chandrakanth Chereddi, UIUC
• Chiu-Yuen Koo, University of Maryland
• Jonathan Katz, University of Maryland

• Research funded in part by
• US National Science Foundation
• US Army Research Office
• Vodafone

3
Wireless Networks

• Wireless paradigms
• Single hop versus Multi-hop
• Multi-hop networks
• Mesh networks, ad hoc networks, sensor networks

4
Network Performance
5
What Makes Wireless Networks Interesting?

• Broadcast medium path loss

6
What Makes Wireless Networks Interesting?

• Many forms of diversity
• Time
• Route
• Antenna
• Path
• Channel

7
What Makes Wireless Networks Interesting?

• Time diversity

8
What Makes Wireless Networks Interesting?

• Channel diversity

High interference
D
B
C
A
D
B
C
A
Low interference
9
Improving Wireless Performance

• Exploit physical resources diversity
• Requires appropriate cross-layer protocols
• Routing
• Scheduling
• Medium access control

10
Example

• Multi-channel wireless networks

2
3
4

c
1
11
Practical Scenario

• A host can only be on use a subset of channels at
  any time

1
m
c
12
Need for New Protocols
4 Channels 2 Radios per node
1,2
13
Net-XTheory to Practice
Linux box
14
Performance Security
15
Security Performance

• How to ______ secure performance ?
• Define
• Analyze
• Improve

• How to exploit wireless properties ?

16
Byzantine Faults in Wireless Networks
17
Byzantine Fault Model
Arbitrary behavior
18
Byzantine Faults

• Arbitrary behavior may be constrained
• Examples
• Transmit power (and range) constrained by
  physical design of a wireless device
• Misbehavior may be limited to the programmable
  components of a wireless device

19
Byzantine Agreement
If source s sends a message All non-faulty
nodes must agree on a single value for that
message If s is non-faulty, the agreed value
must be the one sent by s
s
20
Byzantine Agreement
http//en.wikipedia.org/wiki/FilePlum_tree_with_f
ruit.jpg
21
Is Wireless Different?

• Broadcast medium hinders duplicity

Time u gt t
Time t
y
B
B
S
S
x
A
A
22
Is Wireless Different

• Many forms of diversity
• Time
• Route
• Antenna
• Path
• Channel

Diversity weakensbroadcast capability
23
Is Wireless Different?

• Path loss limits range
• Not all nodes in the same broadcast domain
• ? Misbehaving node cannot cause collision
  everywhere
• ? Multi-hop network

24
Is Wireless Different?

• f failures anywhere in the network
• ? n gt 3f connectivity gt
  2f
• In multi-hop networks,
• connectivity small compared to n
• ? f may not scale with n
• ? Alternative fault distribution models may
  provide new insights

25
Some Results
26
Network Models
Random deployment
Grid network
27
Grid Network

• Degree nodes at distance r in each direction
• Connectivity bounded by number of neighbors

2r1
L8 distance metric
28
Grid Network

• Local fault model at most f faults in each
  neighborhood
• Byzantine agreement iff
• f lt ½ r(2r1)
• Potentially, network-wide faults linear in n

• Traditional model f faults network-wide
• Degree gt 2f
• Number of faults in the entire network

lt degree / 2
degree / 4
29
Proof Outline

• Induction
• All neighbors of (a, b) can commit to correct
  value
• ? all neighbors of (a-1, b),(a1, b), (a, b-1),
  (a, b1) also can
• Base case
• All neighbors of source hear message directly
  and can commit to it

(a, b)
30
Grid Network

• Assumptions leading to improved fault-tolerance
• Locally bounded faults
• Reliable local broadcast
• No MAC layer cheating collisions
• address spoofing

31
Grid Network

• Probabilistic failure model failure
  probability p lt ½
• Reliable broadcast probability ? 1 whenn ? 8 ,
  iff node degree
• Expected number of faults linear in n

• Local fault model at most f faults in each
  neighborhood
• Byzantine agreement iff
• f lt ½ r(2r1)
• Potentially, network-wide faults linear in n

32
Reliable Local Broadcast ?

• In reality
• Unreliable wireless channel
• If MAC layer is compromised, nodes maycause
  collisions or spoof addresses

33
Relaxing the Assumptions

• Unreliable channel non-faulty MAC
• Local broadcast with probabilistic guarantees
• Bounded number of collisions reliable channel
• A transformation that converts algorithm for
  collision-free case to bounded-collision-resilient
  algorithm
• Other related work Gilbert Pelc

34
Byzantine Agreement

• One shot analysis
• Connectivity requirements
• Number of messages
• Number of rounds
• Longer timescale analysis
• Throughput with fault-tolerance

35
Throughput Analysis

• Multicast Single source, multiple destinations
• Unicast Single source , single destination
  Requirement deliver data correctly
  when source destination fault-free
• We will consider unicast

36
Related Work

• Significant related work
• Byzantine agreement Pease-Shostak-Lamport
• Information dispersal Rabin
• System level diagnosis Preparata-Metze-Chien
• Network coding Koetter,Medard

37
Fault-Tolerance Objective

• Tolerate failures
• Detect failures
• Let us focus on detection of single failure
• Source destination fault-free

38
Secure Capacity

• What is the maximum rate of reliable delivery
• in such that
• a single failure is detected ?

39
Two Approaches

• Where is the failure (or attack) detected ?
• At the destination
• At intermediate nodes

40
Detection at Destination
41
Unicast with Byzantine Failure

• Attack not detected
• ? Detection requires connectivity 2

A
S
D
42
Unicast with Byzantine Failure

• Attack not detected
• ? Detection requires connectivity 2
• Capacity 0

R2
A
R1
S
D
43
Unicast with Byzantine Failures

• Forward data through A and W
• Compare at D to detect single failure
• f must have inverse f(x) x suffices

x
x
A
S
D
f(x)
f(x)
W
44
Unicast with Byzantine Failures

• Forward data through A and W
• Compare at D to detect single failure
• Capacity min (R1, R2, R3, R4)

R2
A
R1
S
D
R3
R4
W
45
Unicast with Byzantine Failures

• Forward data through A and W
• Compare at D to detect single failure
• What happens with broadcast links ?

R2
A
R1
S
D
R3
R4
W
46
Unicast with Byzantine Failure

• S constrained to broadcast same informationto A
  and W
• Duplicate along two routes, and compare at D
• Capacity min (R, R2, R4)

R2
A
S
D
y
x
x
R
R4
W
47
Example 2

• Capacity 2

1
A
a, b
a

• Each faulty node can
• Tamper 1 packet
• Capacity min-cut 1
• Network-coding
• Things more interesting,when each nodes
• capability different

b
S
D
B
1
1
2
C
ab
48
Example 3

• Capacity 4

2
A
a1,a2
a1,a2
D
4
a1,a2 b1,b2
b1,b2
C
b1,b2
S
D
2
a1,a2 c1,c2
E
4
c1,c2
4
B
2
c1a1b1 c2a2b2
49
Common Feature Code-then-Replicate

• Source broadcasts packets to one-hop neighbors
• One-hop neighbors
• Either forward some of the packets unmodified
• Or forward linear combination of the packets
• All other nodes
• Forward packets to neighbor, possibly replicating
  the packets
• No other coding

50
Link Failures versus Node Failures

• If an adversary can only attack only f packets
  (independent of its output rate)min-cut of
  fc adequate to support capacity c
• With node failures, situation more complex
• Characterized achievable rate forcode-then-replic
  ate strategy with a node failure

51
Detection in the Network
52
Recall

• S constrained to broadcast same informationto A
  and W
• Duplicate along two routes, and compare at D
• Capacity min (R, R2, R4)

R2
A
S
D
y
x
x
R
R4
W
53
Unicast with Byzantine Failure

• What if As transmission is a broadcast too ?
• Can do much better

A
S
D
W
54
Watchdog Approach

• What if As transmission is a broadcast too ?

A
S
D
x
y
Alarm!
W
55
Shared Wireless Channel

• If AD WD share a channel, throughput with
  watchdog almost same as without watchdog

A
S
D
R-1
R-1
1
Binary value
W
R
A
R
S
D
56
Shared Wireless Channel

• If AD WD share a channel, throughput with
  watchdog almost same as without watchdog

A
S
D
R-1
R-1
1
Binary value
W
Much better than linear coding
57
Watchdog Approach

• Watchdog function Non-linear
• Superior to linear coding strategies
• Can be generalized to multiple watchdogs

58
Limitations of Wireless Channel

• Unreliable transmissions
• Watchdog cannot watch every transmission
• Solution Coding Watchdog

A
S
D
unreliable
W
59
Detection at Destination

• Detection at destination,if not too many errors
  introduced by attacker

a,b,x,abc
a,b,c,abc
A
S
D
?
abx abc
W
60
Detection at Watchdog

• Suppose the watchdog can observe 75 packets from
  attacker A

a,z,x,abc
a,b,c,abc
A
S
D
Alarm!
W
a,b,c,abc
61
Coding Watchdog

• How much redundancy in transmission from S
  enough?
• Assume (n,k) maximum distance separable code
  with distance n-k1
• Attack by A detected by D if A tampers n-k
  packets
• Attacker A must tamper at least n-k1 packets to
  be undetected by D
• Attack by W detected trivially

62
Caveat

• Fault detection Fault identification

?
63
Coding Watchdog

• Suppose watchdog can detect packet tampering with
  probability q
• Probability of not being detected by W

64

• Construct (n,k) MDS code with
• ?
• Example

can be made small
65
Trade-off Between Throughput Fault-Tolerance

• A and B collide at W
• Greater throughput ? Lower observability at W

66
Locating Faulty Nodes

• Multiple watchdogs can also be used to identify a
  faulty node (the watchdog may itself be faulty)

67
On-Going Work

• Characterizing capacity with watchdogs
• Code-then-replicate strategy promising

68
Wrap-Up
69
Distributed Algorithms
Wireless Networking
Fault Diagnosis / Tolerance
70
Thanks !
71
Thanks !
72
Thanks !
73
Thanks !
74
Grid Network

• Probabilistic failure model failure
  probability p lt ½
• Critical node degree for reliable broadcast
  probability ? 1 when n ? 8
• Expected number of faults linear in n

75
Necessary Condition Proof Outline
If some fault-free nodes havegt half faulty
neighbors,reliable broadcast may fail
Show that if node degree
lt
broadcast failureprobability ? 1 as n ? 8
76
Sufficiency Condition Constructive Proof
Algorithm Majority vote of a quarter
neighborhood
Claim If all fault-free nodes in a
neighborhood have committed to the correct
value, so can all nodes in the periphery of
this region
d/4
Inductive proof Each peripheral node has at
least d/4 neighbors in above region. Less than
half of these are faulty w.h.p. as n ?8 Thus
majority over these d/4 neighbors suffices!