Discussion Questions
- What parts of the papers were not clear to you?
- What was the trust model of BOINC & OceanStore?
- Do we currently use systems that are like BOINC & OceanStore? Why or why not?
Notes
Lecture 5
---------
Please report
- questions, views on trust, other key points
G1
- OceanStore: what trust model are they using? Is there even one?
- what do we mean by trust?
G2
- BOINC: not trusting individual participants, redundancy for trust
- OceanStore: infrastructure is untrusted, but aggregate is trusted
- what's going on with the encryption?
- crypto being used as a silver bullet, bad idea
- not a great security model
G3
- OceanStore was confusing
- lack of prior trust with OceanStore nodes could cause a problem
- BOINC: homogeneous redundancy, but how are edge cases dealt with?
- BOINC - participants are untrusted
- OceanStore - servers can be malicious or can fail, but works if enough servers work/are trustworthy
- blockchain, cloud storage are clearly related
- "most are good" leading to security is there in blockchain, could be used for elections
G4
- how do you permanently delete data in OceanStore?
- how are keys managed in OceanStore?
- OceanStore: no one server is trusted, but most should be trustworthy
- BOINC: what about trojan malware? How can you trust the code?
- OceanStore got replaced by free cloud storage it seems
- BOINC - volunteer computing projects still exist!
G5
- not clear about the experimental setup, what did the tests show?
- would lab setting translate to real usage?
- not clear about trust models
- no TPM?
- BOINC still exists
Why did I assign these papers, and pair them together?
- relatively low trust systems
- trust is in aggregate, but not on individuals
BOINC
- started in a world of screensavers
- to prevent burn-in
- so we got flying toasters
- volunteer computing came from wanting to take advantage of these spare cycles
People who used to run BOINC or similar systems, what do they do now?
- blockchains!
- (chance of getting) money > status
BOINC and blockchain have some similarities
- distributed computing
- low-volume data transmission, lots of computation
https://asteroidsathome.net/boinc/team_display.php?teamid=2218
How do you break a blockchain system?
- break the cryptography
- break the software
- control a majority of the network
Want to mess up BOINC? Just have lots of separate accounts that do bad work
- if it is just a little each, many won't be noticed
Trust is compromised through group collusion or failure of infrastructure (code, algorithms)
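Added example (not BOINC's code or anything from the paper) showing what the aggregate-trust model looks like from the scheduler's side: each work unit goes to several workers, a result is accepted only when a quorum agree, and the worst-case chance of a wrong result slipping through is computed from an assumed dishonest fraction of the pool. It also shows the per-worker disagreement rate a project would track, which is the check that makes "a little bad work each" visible over time. All worker ids, digests and probabilities are constructed for illustration.

```python
"""Redundancy-based validation of results from untrusted workers.

Added example, not code from BOINC or the paper: it models the
"don't trust individuals, trust the aggregate" rule by replicating
each work unit to several workers and accepting a result only when
a quorum of them agree. Workers, digests and rates are constructed.
"""
from collections import Counter, defaultdict
from math import comb
from typing import Dict, List, Optional, Tuple


def validate(results: List[str], quorum: int) -> Optional[str]:
    """Return the result digest that reached the quorum, else None.

    None means the work unit has to be re-issued: disagreement among
    replicas is the only signal the scheduler gets, and it says nothing
    about which individual worker was wrong.
    """
    if not results:
        return None
    answer, votes = Counter(results).most_common(1)[0]
    return answer if votes >= quorum else None


def accepted_wrong_probability(p_bad: float, replicas: int, quorum: int) -> float:
    """Worst-case probability that a wrong result is accepted.

    Assumes a fraction p_bad of the pool is dishonest, that every
    dishonest worker returns the same wrong result (colluding accounts),
    and that replicas are drawn independently. This is the binomial
    tail P[at least `quorum` of `replicas` draws are dishonest].
    """
    return sum(
        comb(replicas, k) * p_bad ** k * (1 - p_bad) ** (replicas - k)
        for k in range(quorum, replicas + 1)
    )


def min_replicas(p_bad: float, max_risk: float, limit: int = 51) -> int:
    """Smallest odd replication factor, with a strict-majority quorum,
    that keeps the worst-case acceptance of a wrong result <= max_risk."""
    for n in range(3, limit + 1, 2):
        if accepted_wrong_probability(p_bad, n, n // 2 + 1) <= max_risk:
            return n
    raise ValueError(f"no replication factor up to {limit} meets {max_risk}")


def worker_disagreement_rates(
    history: List[Tuple[str, str, str]], accepted: Dict[str, str]
) -> Dict[str, float]:
    """Per-worker fraction of results that disagreed with the accepted
    result of their work unit. Units with no accepted result are skipped
    because there is nothing to compare against. One disagreement is
    noise; a persistently elevated rate is a worker to stop trusting.
    """
    seen: Dict[str, int] = defaultdict(int)
    wrong: Dict[str, int] = defaultdict(int)
    for worker, unit, digest in history:
        if unit not in accepted:
            continue
        seen[worker] += 1
        if digest != accepted[unit]:
            wrong[worker] += 1
    return {w: wrong[w] / seen[w] for w in seen}


# Constructed sample: (worker id, work unit id, digest of returned result).
CONSTRUCTED_HISTORY = [
    ("w1", "wu-1", "h1"), ("w2", "wu-1", "h1"), ("w9", "wu-1", "h1"),
    ("w1", "wu-2", "h2"), ("w3", "wu-2", "h2"), ("w9", "wu-2", "bad"),
    ("w2", "wu-3", "h3"), ("w3", "wu-3", "h3"), ("w9", "wu-3", "h3"),
    ("w1", "wu-4", "h4"), ("w2", "wu-4", "h5"), ("w3", "wu-4", "h6"),
]


def run_demo(quorum: int = 2):
    """Validate every work unit in the sample, then score the workers."""
    by_unit: Dict[str, List[str]] = defaultdict(list)
    for _worker, unit, digest in CONSTRUCTED_HISTORY:
        by_unit[unit].append(digest)
    accepted: Dict[str, str] = {}
    reissue: List[str] = []
    for unit, digests in by_unit.items():
        result = validate(digests, quorum)
        if result is None:
            reissue.append(unit)
        else:
            accepted[unit] = result
    return accepted, reissue, worker_disagreement_rates(CONSTRUCTED_HISTORY, accepted)


if __name__ == "__main__":
    accepted, reissue, rates = run_demo()
    print("accepted:", accepted)
    print("re-issue (no quorum):", reissue)
    print("disagreement rates:", rates)
    for p in (0.01, 0.1, 0.3):
        print(f"p_bad={p}: 3-of-5 risk={accepted_wrong_probability(p, 5, 3):.5f}, "
              f"replicas for <=1% risk={min_replicas(p, 0.01)}")
```

The two numbers worth noticing: with 10% of the pool colluding, 2-of-3 redundancy accepts a wrong result about 2.8% of the time and 3-of-5 about 0.86%, so the replication factor is the knob that buys aggregate trust, at a direct cost in wasted computation. Work unit `wu-4` has three different answers and no quorum; the scheduler learns only that it must re-issue, not who lied, which is why the per-worker rate is tracked separately.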
What is the trust model of OceanStore?
- don't trust the servers, but trust them in aggregate
- trust the software & cryptography
- looks kind of like a blockchain system, doesn't it?
Why don't we do distributed storage like OceanStore?
- cloud storage is very different
- high trust servers vs low trust servers
- isn't high trust in cloud infrastructure a bad idea?
OceanStore isn't actually trustworthy in practice
- crypto failure is too dangerous, but that isn't the issue
OceanStore is just distributed, cached, immutable blocks of data
- with a layer on top to define "files"
The overlay layer is a bit of a mess, what if clients lose keys?
How do you guarantee persistence? Or erasure?
- all about cache access patterns
There is no erasing data in OceanStore: you just throw away your keys and hope that 1) nobody can decrypt it and 2) it won't be accessed
"Throw away keys" is the modern solution to deletion
- mostly okay, if you trust the crypto algorithms & implementations
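Added example (not OceanStore's code) of "deletion by throwing away the keys" over a store that never erases anything; it also covers the lost-keys question above, since losing a key and destroying it have the same effect. The block store is content-addressed and append-only with no delete at all, the key ring is the only erasable state, and the cipher is a stand-in built from HMAC-SHA256 in counter mode with an HMAC tag, used only so the example runs on the standard library (a real system would use an AEAD such as AES-GCM). `ImmutableBlockStore`, `KeyRing`, `shred_demo` and the sample data are constructed for illustration.

```python
"""Deletion by key destruction over an immutable, cached block store.

Added example, not OceanStore code. The store below never erases a
block; the only "delete" is destroying the key that decrypts it, so
the ciphertext stays cached and the guarantee rests entirely on the
cipher and on the key really being gone. The cipher is a stand-in
(HMAC-SHA256 counter-mode keystream plus an HMAC tag) so the example
runs with the standard library only.
"""
import hashlib
import hmac
import secrets
from typing import Dict, Tuple

NONCE_LEN = 16
TAG_LEN = 32


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """PRF in counter mode: HMAC(key, nonce || counter) blocks, truncated."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(8, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def encrypt(key: bytes, plaintext: bytes) -> bytes:
    """Returns nonce || ciphertext || tag; the tag covers nonce and ciphertext."""
    nonce = secrets.token_bytes(NONCE_LEN)
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, b"tag" + nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def decrypt(key: bytes, blob: bytes) -> bytes:
    """Verify the tag first: a wrong key fails here rather than yielding garbage."""
    nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(key, b"tag" + nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("authentication failed: wrong key or corrupted block")
    return bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct))))


def can_decrypt(key: bytes, blob: bytes) -> bool:
    """True if `key` authenticates `blob` (used to show a wrong key gets nothing)."""
    try:
        decrypt(key, blob)
        return True
    except ValueError:
        return False


class ImmutableBlockStore:
    """Content-addressed and append-only: put() never overwrites and there
    is deliberately no delete(), as in a replicated cache where any node
    may still hold a copy."""

    def __init__(self) -> None:
        self._blocks: Dict[str, bytes] = {}

    def put(self, blob: bytes) -> str:
        block_id = hashlib.sha256(blob).hexdigest()
        self._blocks.setdefault(block_id, blob)
        return block_id

    def get(self, block_id: str) -> bytes:
        return self._blocks[block_id]

    def __len__(self) -> int:
        return len(self._blocks)


class KeyRing:
    """Client-side keys: the only mutable, erasable state in the design."""

    def __init__(self) -> None:
        self._keys: Dict[str, bytes] = {}

    def new_key(self, file_id: str) -> bytes:
        self._keys[file_id] = secrets.token_bytes(32)
        return self._keys[file_id]

    def get(self, file_id: str) -> bytes:
        return self._keys[file_id]  # KeyError: lost or destroyed, the file is gone

    def destroy(self, file_id: str) -> None:
        del self._keys[file_id]


def store_file(store: ImmutableBlockStore, keys: KeyRing, file_id: str, data: bytes) -> str:
    return store.put(encrypt(keys.new_key(file_id), data))


def read_file(store: ImmutableBlockStore, keys: KeyRing, file_id: str, block_id: str) -> bytes:
    return decrypt(keys.get(file_id), store.get(block_id))


def shred_demo(data: bytes = b"constructed secret report") -> Tuple[bool, int, bool]:
    """Returns (readable before, blocks still cached after, readable after)."""
    store, keys = ImmutableBlockStore(), KeyRing()
    block_id = store_file(store, keys, "report", data)
    before = read_file(store, keys, "report", block_id) == data
    keys.destroy("report")  # this is the whole "delete" operation
    try:
        read_file(store, keys, "report", block_id)
        after = True
    except KeyError:
        after = False
    return before, len(store), after


if __name__ == "__main__":
    print("readable before, blocks cached after, readable after:", shred_demo())
```

`shred_demo()` returns `(True, 1, False)`: the block is still in the store after the "delete", only the client's ability to read it is gone. That is exactly the two hopes listed above made concrete: hope 1 is the `ValueError` path (nobody without the key can decrypt), hope 2 is the unchanged `len(store)` (the ciphertext is still sitting in every cache that fetched it).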
OceanStore trust model is very similar to that of blockchain systems
- most servers are legit
- software is legit
- crypto works
Definitions of trust
- computer security: trusted component means that if it fails, security guarantees go out the window
- everywhere else: trust is conferred based on past and current behavior,
will systems do what is expected (conform to model, aligned interests)
- computer security trust is the same thing, except the model is implicit
and is never directly checked
With OceanStore & BOINC
- trust failures can be noticed in certain contexts (individual servers/nodes)
- but the failures that can be detected are for things that aren't actually trusted
- models are applied to untrusted components, never trusted ones
- in computer security, the things you trust are what you don't check
Question for Thursday:
- do you think trust is the central problem in computer security?
- if not, what do you think is a problem of similar or greater importance?
Please answer in your reading response in addition to discussing the readings