University at Buffalo
CSE Department
SPIDER Lab
Shambhu Upadhyaya
14 September 2001
SECURE AND FAULT
TOLERANT VOTING IN
DISTRIBUTED INFORMATION
SYSTEMS
•
•
– Distributed monitoring and voter isolation
Techniques Used
Buffalo)
– Replication and voting for fault tolerance
– Secure voting is essential (AFRL/IF & University at
Problem Addressed
Overview
2
the Bush”?
“stop beating around
Just get an answer and
“Al Gore” - ithm?
Execute an
What About Voting?
3
Eliminating single point of failure in the voting
complex
Correctness and completion of the new voting
algorithm -- a formal methodology
Implementation and application
•
•
•
Requirements of Secure Voting
4
Voters exchange their votes and determine a majority
result; an arbitrary voter then commits that result to
the user
Fault-Tolerance: what if the committing voter
experiences a failure during committal?
Security: what if the committing voter is
compromised?
•
•
•
2-phase Commit Protocols
5
LAUNCH
User is sent
majority result -
majority result
User waits for
faulty
majority fault-free
6
• Phase 2: processor in the
majority commits result to the
user
• Phase 1: processors
distribute their results and
vote on them such that each
processor determines the
majority
2-Phase Commit Protocol
f(t)
time (t)
Time duration of committal
Safe Operation
7
SELF-DESTRUCT
User is sent
malicious result -
majority result
User waits for
majority trustworthy
8
• Phase 2: processor in the
majority commits result to the
user
• Phase 1: processors
distribute their results and
vote on them such that each
processor determines the
majority
Danger of
2-Phase Commit Protocol
and buffer released
Integrity restored
Suspect results
buffered
untrustworthy
trustworthy
– Prevents disastrous
commit phase - unlikely
for classical fault
tolerance but not
9
information attack
– Instead of voting then
committing - commits
first (to buffer) then votes
(period of dissension)
• Reverses 2-phase commit
protocol
• Buffer until “silence is
consent”
• Addresses “last mile” of
distributed voting
(Ref: Hardekopf, Kwiat, Upadhyaya, IEEE Aero 2001)
Timed-Buffer Distributed Voting
Used TLA+ to write a formal specification of the
algorithm
Used the specification and TLA to prove both partial
correctness and termination
•
•
(Ref: Hardekopf, Kwiat, Upadhyaya, SPECTS 2001)
Correctness
10
•
Stack for the Software Radio Development System
(SoRDS)
– Instantiation of TB-DVA in Configurable Protocol
Being transferred to Assured Communications
Research Center
Implementation and Application
11
GATEWAY
WIRELESS
CLIENT
SECURE WIRELESS LINK
• Apply fault tolerance techniques to protect, detect,
and react to attacks and enable service restoration
(when translated from IP standards to wireless and vice-a-versa)
SECURE DATA IS EXPOSED
SECURE WIRED LINK
SECURE SERVER
ACRC Application of TB-DVA
12
WIRELESS
CLIENT
Timed-buffer
distributed voting
algorithm assures
integrity, availability,
and helps curtail
confidentiality leaks
SECURE WIRELESS LINK
GATEWAY
SECURE WIRED LINK
SECURE SERVER
Multiple Wireless Hubs
13
•
•
distributed monitoring and voter isolation
– Guaranteeing owner’s intended result by
Techniques Used
– Security enhancement in distributed voting
Problems Addressed
Conclusion
14