Self-stabilizing Byzantine Resilient Topology Discovery and Message Delivery [chapter]

Shlomi Dolev, Omri Liba, Elad M. Schiller
2013 Lecture Notes in Computer Science  
Traditional Byzantine resilient algorithms use 2f + 1 vertex disjoint paths to ensure message delivery in the presence of up to f Byzantine nodes. The question of how these paths are identified is related to the fundamental problem of topology discovery. Distributed algorithms for topology discovery cope with a never-ending task, dealing with frequent changes in the network topology and unpredictable transient faults. Therefore, algorithms for topology discovery should be self-stabilizing to ensure convergence of the topology information following any such unpredictable sequence of events. We present the first such algorithm that can cope with Byzantine nodes. Starting in an arbitrary global state, and in the presence of f Byzantine nodes, each node is eventually aware of all the other non-Byzantine nodes and their connecting communication links. Using the topology information, nodes can, for example, route messages across the network and deliver messages from one end user to another. We present the first deterministic, cryptographic-assumptions-free, self-stabilizing, Byzantine-resilient algorithms for network topology discovery and end-to-end message delivery. We also consider the task of r-neighborhood discovery for the case in which r and the degree of nodes are bounded by constants. The use of r-neighborhood discovery facilitates polynomial time, communication and space solutions for the above tasks. The obtained algorithms can be used to authenticate parties, in particular during the establishment of private secrets, thus forming public key schemes that are resistant to man-in-the-middle attacks of the compromised Byzantine nodes. A polynomial and efficient end-to-end algorithm that is based on the established private secrets can be employed in between periodical re-establishments of the secrets.

to cyber-attacks. Self-stabilizing Byzantine resilient algorithms naturally cope with mobile attacks [e.g., 16]. Whenever the set of compromised components is fixed (or dynamic, but small) during a period that suffices for convergence of the algorithm, the system starts demonstrating useful behavior following the convergence. For example, consider the case in which nodes of the smart grid are constantly compromised by an adversary while local recovery techniques, such as local node reset and/or refresh, ensure the recovery of a compromised node after a bounded time.
Once the current compromised set does not imply a partition of the communication graph, the distributed control of the smart grid automatically recovers. Self-stabilizing Byzantine resilient algorithms for topology discovery and message delivery are important for systems that have to cope with unanticipated transient violations of the assumptions that the algorithms are based upon, such as an unanticipated violation of the upper bound on the number of compromised nodes and unanticipated transmission interference that is beyond the capabilities of the error correction code. The dynamic and difficult-to-predict nature of electrical smart-grid and intelligent transportation systems gives rise to many fault-tolerance issues and requires efficient solutions. Such networks are subject to transient faults due to temporal hardware/software malfunctions or short-lived violations of the assumed settings for the location and state of their nodes. Fault-tolerant systems that are self-stabilizing [5] can recover after the occurrence of transient faults, which can drive the system to an arbitrary system state. The system designers consider all configurations as possible configurations from which the system is started. The self-stabilization design criteria liberate the system designer from dealing with specific fault scenarios, risking neglecting some scenarios, and having to address each fault scenario separately. We also consider Byzantine faults, which address the possibility of a node being compromised by an adversary and/or running a corrupted program, rather than merely assuming that nodes start in an arbitrary local state. Byzantine components may behave arbitrarily (selfishly, or even maliciously) as message senders and/or as relaying nodes. For example, Byzantine nodes may block messages, selectively omit messages, redirect the route of messages, play back messages, or modify messages. Any system behavior is possible when all (or one third or more of) the nodes are Byzantine nodes.
Thus, the number of Byzantine nodes, f, is usually restricted to be less than one third of the nodes [5, 13]. The task of r-neighborhood network discovery allows each node to know the set of nodes that are at most r hops away from it in the communication network. Moreover, the task provides information about the communication links attached to these nodes. The task of topology discovery considers knowledge regarding the node's entire connected component. The r-neighborhood network discovery and network topology discovery tasks are identical when r is the diameter of the communication graph. This work presents the first deterministic self-stabilizing algorithms for r-neighborhood discovery in the presence of Byzantine nodes. We assume that no r-neighborhood can be partitioned by the Byzantine nodes. In particular, we assume the existence of at least 2f + 1 vertex disjoint paths in the r-neighborhood between any two non-Byzantine nodes, where at most f Byzantine nodes are present in the r-neighborhood, rather than in the entire network.¹ Note that by the self-stabilizing nature of our algorithms, recovery is guaranteed after a temporal violation of the above assumption. When r is defined to be the diameter of the communication graph, our assumptions are equivalent to the standard assumption for Byzantine agreement in general (rather than only complete) communication graphs. In particular, the standard assumption is that 2f + 1 vertex disjoint paths exist and are known (see e.g., [13]), while we present distributed algorithms to find these paths starting in an arbitrary state.

Related work. Self-stabilizing algorithms for finding vertex disjoint paths for at most two paths between any pair of nodes, and for all vertex disjoint paths in anonymous mesh networks, appear in [1] and in [11], respectively. We propose self-stabilizing Byzantine resilient procedures for finding f + 1 vertex disjoint paths in (2f + 1)-connected graphs. In [9], the authors study the problem of spanning tree construction in the presence of Byzantine nodes. Nesterenko and Tixeuil [15] presented a deterministic non-stabilizing algorithm for topology discovery in the presence of Byzantine nodes. The authors do not consider the automatic recovery implied by the self-stabilization property. Awerbuch and Sipser [3] consider algorithms that were designed for synchronous static networks and give topology update as an example. They show how to use such algorithms in asynchronous dynamic networks. Unfortunately, their scheme starts from a consistent state and cannot cope with transient faults or Byzantine nodes. Byzantine gossip [2, 4, 6, 10, 12, 14] and Byzantine broadcast [8, 17] consider the dissemination of information in the presence of Byzantine nodes rather than self-stabilizing topology discovery. Non-self-stabilizing Byzantine resilient gossip in the presence of one selfish node is considered in [2, 12]. In [6], the authors study oblivious deterministic gossip algorithms for multi-channel radio networks with a malicious adversary. They assume that the adversary can disrupt one channel per round, preventing communication on that channel. In [4], the authors consider probabilistic gossip mechanisms for reducing the redundant transmissions of flooding algorithms. They present several protocols that exploit local connectivity to adaptively correct propagation failures and protect against Byzantine attacks.

¹ Section 4 considers cases in which r and the node degree, ∆, are constants. For these cases, we have O(n) disjoint r-neighborhoods. Each of these (disjoint) r-neighborhoods may have up to f Byzantine nodes, and yet the above assumption, about at least 2f + 1 vertex disjoint paths in the r-neighborhood, holds.
Probabilistic gossip mechanisms in the context of recommendations and social networks are considered in [10]. In [14], the authors consider rules for avoiding a combinatorial explosion in (non-self-stabilizing) gossip protocols. Note that deterministic and self-stabilizing solutions are not presented in [2, 4, 6, 10, 12, 14]. Drabkin et al. [8] consider non-self-stabilizing broadcast protocols that overcome Byzantine failures by using digital signatures, message signature gossiping, and failure detectors. Our deterministic self-stabilizing algorithm merely uses the topological properties of the communication graph to ensure that messages dropped or modified by Byzantine nodes will be detected and retransmitted in a way that guarantees correct delivery to the application layer. A non-self-stabilizing broadcasting algorithm is considered in [17]. The authors assume the restricted case in which links and nodes of a communication network are subject to Byzantine failures, and that faults are distributed randomly and independently.

Our contribution. We present two cryptographic-assumptions-free yet secure algorithms that are deterministic, self-stabilizing and Byzantine resilient. We start by showing the existence of deterministic, self-stabilizing, Byzantine resilient algorithms for network topology discovery and end-to-end message delivery. The algorithms' convergence time is in O(n). They take into account every possible path, requiring bounded (yet exponential) memory and bounded (yet exponential) communication costs. Therefore, we also consider the task of r-neighborhood discovery, where r is a constant. We assume that if the r-neighborhood of a node has f Byzantine nodes, there are 2f + 1 vertex independent paths between the node and any non-Byzantine node in its r-neighborhood. The obtained r-neighborhood discovery requires polynomial memory and communication costs and supports a deterministic, self-stabilizing, Byzantine resilient algorithm for end-to-end message delivery across the network. Unlike topology update, the proposed end-to-end message delivery algorithm establishes message exchange synchronization between end-users that is based on message reception acknowledgments.

Document structure. Settings and requirements appear in Section 2. The self-stabilizing Byzantine resilient distributed algorithm for topology discovery is presented in Section 3. The end-to-end communication
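The following is an added illustration, not code from the paper, of why the text relies on 2f + 1 vertex disjoint paths with at most f Byzantine nodes: a receiver that accepts a value only when f + 1 copies agree always gets the honest message, because at most f paths can carry a forgery or a drop. The network (nodes s, a, b, c, t), the `PATHS` list, and the `deliver`, `relay` and `vertex_disjoint` functions are constructed for this example.

```python
from collections import Counter

# Constructed network: source "s", destination "t", and three relays a, b, c,
# giving 2f + 1 = 3 vertex disjoint s-t paths for f = 1 Byzantine node.
PATHS = [["s", "a", "t"], ["s", "b", "t"], ["s", "c", "t"]]


def vertex_disjoint(paths):
    """True if no intermediate node (endpoints excluded) lies on two paths."""
    seen = set()
    for path in paths:
        inner = set(path[1:-1])
        if seen & inner:
            return False
        seen |= inner
    return True


def relay(path, msg, byzantine, forged):
    """Carry msg along path; a Byzantine relay replaces it with forged (None = drop).

    This models the worst case in which every Byzantine relay forges the same value.
    """
    for node in path[1:-1]:
        if node in byzantine:
            return forged
    return msg


def deliver(paths, msg, byzantine, f, forged="FORGED"):
    """Send msg over every path; accept only a value backed by at least f + 1 copies.

    With 2f + 1 vertex disjoint paths and at most f Byzantine relays, f + 1 honest
    copies of msg always arrive while at most f copies can be forged, so the accepted
    value is msg. Returns None when no value reaches the threshold (e.g. all dropped).
    """
    if not vertex_disjoint(paths) or len(paths) < 2 * f + 1:
        raise ValueError("need at least 2f + 1 vertex disjoint paths")
    copies = [relay(p, msg, byzantine, forged) for p in paths]
    counts = Counter(c for c in copies if c is not None)
    for value, n in counts.most_common():
        if n >= f + 1:
            return value
    return None


if __name__ == "__main__":
    print(deliver(PATHS, "link(s,t)", {"a"}, 1))       # honest copies outnumber the forgery
    print(deliver(PATHS, "link(s,t)", {"a", "b"}, 1))  # f exceeded: forgery reaches f + 1 copies
```

The second call shows the failure mode the paper's assumption rules out: once more than f relays in the neighborhood are Byzantine, a consistent forgery can reach the f + 1 threshold.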
doi:10.1007/978-3-319-03089-0_27