University at Buffalo CSE Department SPIDER Lab Shambhu Upadhyaya 14 September 2001 SECURE AND FAULT TOLERANT VOTING IN DISTRIBUTED INFORMATION SYSTEMS • • – Distributed monitoring and voter isolation Techniques Used Buffalo) – Replication and voting for fault tolerance – Secure voting is essential (AFRL/IF & University at Problem Addressed Overview 2 the Bush”? “stop beating around Just get an answer and “Al Gore” - ithm? Execute an What About Voting? 3 Eliminating single point of failure in the voting complex Correctness and completion of the new voting algorithm -- a formal methodology Implementation and application • • • Requirements of Secure Voting 4 Voters exchange their votes and determine a majority result; an arbitrary voter then commits that result to the user Fault-Tolerance: what if the committing voter experiences a failure during committal? Security: what if the committing voter is compromised? • • • 2-phase Commit Protocols 5 LAUNCH User is sent majority result - majority result User waits for faulty majority fault-free 6 • Phase 2: processor in the majority commits result to the user • Phase 1: processors distribute their results and vote on them such that each processor determines the majority 2-Phase Commit Protocol f(t) time (t) Time duration of committal Safe Operation 7 SELF-DESTRUCT User is sent malicious result - majority result User waits for majority trustworthy 8 • Phase 2: processor in the majority commits result to the user • Phase 1: processors distribute their results and vote on them such that each processor determines the majority Danger of 2-Phase Commit Protocol and buffer released Integrity restored Suspect results buffered untrustworthy trustworthy – Prevents disastrous commit phase - unlikely for classical fault tolerance but not 9 information attack – Instead of voting then committing - commits first (to buffer) then votes (period of dissension) • Reverses 2-phase commit protocol • Buffer until “silence is consent” • Addresses “last mile” of distributed voting (Ref: Hardekopf, Kwiat, Upadhyaya, IEEE Aero 2001) Timed-Buffer Distributed Voting Used TLA+ to write a formal specification of the algorithm Used the specification and TLA to prove both partial correctness and termination • • (Ref: Hardekopf, Kwiat, Upadhyaya, SPECTS 2001) Correctness 10 • Stack for the Software Radio Development System (SoRDS) – Instantiation of TB-DVA in Configurable Protocol Being transferred to Assured Communications Research Center Implementation and Application 11 GATEWAY WIRELESS CLIENT SECURE WIRELESS LINK • Apply fault tolerance techniques to protect, detect, and react to attacks and enable service restoration (when translated from IP standards to wireless and vice-a-versa) SECURE DATA IS EXPOSED SECURE WIRED LINK SECURE SERVER ACRC Application of TB-DVA 12 WIRELESS CLIENT Timed-buffer distributed voting algorithm assures integrity, availability, and helps curtail confidentiality leaks SECURE WIRELESS LINK GATEWAY SECURE WIRED LINK SECURE SERVER Multiple Wireless Hubs 13 • • distributed monitoring and voter isolation – Guaranteeing owner’s intended result by Techniques Used – Security enhancement in distributed voting Problems Addressed Conclusion 14