Brief Announcement: Twins - BFT Systems Made Robust

S. Bano, A. Sonnino, A. Chursin, D. Perelman, Zekun Li, A. Ching, D. Malkhi
DOI: 10.4230/LIPIcs.DISC.2021.46 (https://doi.org/10.4230/LIPIcs.DISC.2021.46)
Venue (as recorded): Proceedings of the ... International Symposium on High Performance Distributed Computing, volume 21 1, pages 46:1-46:4
Publication date: 2021-01-01
Citation count: 0

Abstract

Twins is an effective strategy for generating test scenarios with Byzantine [10] nodes in order to find flaws in Byzantine Fault Tolerant (BFT) systems. Twins finds flaws in the design or implementation of BFT protocols that may cause correctness issues. The main idea of Twins is the following: running twin instances of a node that use correct, unmodified code and share the same network identity and credentials allows emulating most interesting Byzantine behaviors. Because a twin executes normal, unmodified node code, building Twins only requires a thin wrapper over an existing distributed system designed for Byzantine tolerance. To emulate material, interesting scenarios with Byzantine nodes, it instantiates one or more twin copies of the node, giving the twins the same identities and network credentials as the original node. To the rest of the system, the node and all its twins appear indistinguishable from a single node behaving in a “questionable” manner. This approach generates many interesting Byzantine behaviors, including equivocation, double voting, and losing internal state, while forgoing uninteresting behavior scenarios that can be filtered at the transport layer, such as producing semantically invalid messages. Building on configurations with twin nodes, Twins systematically generates scenarios with Byzantine nodes via enumeration over protocol rounds and communication patterns among nodes. Despite this being inherently exponential, one new flaw and several known flaws were materialized by Twins in the arena of BFT consensus protocols. In all cases, protocols break within fewer than a dozen protocol rounds, hence it is realistic for the Twins approach to expose the problems. In two of these cases, it took the community more than a decade to discover protocol flaws that Twins would have surfaced within minutes. Additionally, Twins has been incorporated into the continuous release testing process of a production setting (DiemBFT
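The following Python model is an added illustration of the mechanism the abstract describes; it is not code from the paper or from any Twins implementation. It runs unmodified honest node logic, gives a twin instance its original's identity, drives one voting round under an assumed network split, and then applies two checks a test harness would want: an equivocation detector (the twin makes identity n0 vote for two values without any instance misbehaving) and a quorum-intersection safety check that stays clean with one twin but is violated once more identities are twinned than the protocol tolerates. Node names n0..n3, the partition layouts and the quorum size 3 are assumptions of this toy.

```python
from collections import namedtuple
from dataclasses import dataclass, field
Vote = namedtuple("Vote", "rnd value sender")  # sender = network identity; a twin reuses its original's

@dataclass
class Node:
    """Honest, unmodified node logic: vote once per round, for the first proposal seen."""
    ident: str
    voted: dict = field(default_factory=dict)  # local state, never shared with a twin

    def on_proposal(self, rnd, value):
        if rnd in self.voted:
            return None  # already voted this round: stay silent
        self.voted[rnd] = value
        return Vote(rnd, value, self.ident)

def run_round(net, rnd, partitions):
    """partitions: list of (instance names, value proposed to them); votes stay in-partition."""
    return [v for members, value in partitions for name in members
            if (v := net[name].on_proposal(rnd, value)) is not None]

def find_equivocations(votes):
    """Identities that voted for two different values in the same round (provable misbehaviour)."""
    first, conflicts = {}, set()
    for v in votes:
        if first.setdefault((v.rnd, v.sender), v.value) != v.value:
            conflicts.add(v.sender)
    return conflicts

def quorum_values(votes, quorum):
    """Round -> values backed by >= quorum distinct identities; two values in a round = safety broken."""
    backers, out = {}, {}
    for v in votes:
        backers.setdefault((v.rnd, v.value), set()).add(v.sender)
    for (rnd, value), ids in backers.items():
        if len(ids) >= quorum:
            out.setdefault(rnd, set()).add(value)
    return out

def scenario(twinned, partitions):
    """One round of a 4-node network (f = 1, quorum 3); 'X_twin' runs the same code as identity 'X'."""
    net = {f"n{i}": Node(f"n{i}") for i in range(4)}
    net.update({f"{t}_twin": Node(t) for t in twinned})
    votes = run_round(net, 0, partitions)
    return find_equivocations(votes), quorum_values(votes, quorum=3)

# One twin (within f): identity n0 equivocates, but only "A" reaches a quorum -> still safe.
ONE_TWIN = (["n0"], [({"n0", "n1", "n2"}, "A"), ({"n0_twin", "n3"}, "B")])
# Two twins (beyond f): both "A" and "B" reach a quorum in round 0 -> safety violated.
TWO_TWINS = (["n0", "n1"], [({"n0", "n1", "n2"}, "A"), ({"n0_twin", "n1_twin", "n3"}, "B")])
```

Calling `scenario(*ONE_TWIN)` returns `({'n0'}, {0: {'A'}})`, while `scenario(*TWO_TWINS)` returns two quorum values in the same round, which is the kind of safety violation a Twins-style harness is built to surface.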