
Asphalion: trustworthy shielding against Byzantine faults

Published: 10 October 2019

Abstract

Byzantine fault-tolerant state-machine replication (BFT-SMR) is a technique for hardening systems to tolerate arbitrary faults. Although robust, BFT-SMR protocols are very costly in terms of the number of required replicas (3f+1 to tolerate f faults) and of exchanged messages. However, with "hybrid" architectures, where "normal" components trust some "special" components to provide properties in a trustworthy manner, the cost of using BFT can be dramatically reduced. Unfortunately, even though such hybridization techniques decrease the message/time/space complexity of BFT protocols, they also increase their structural complexity.

Therefore, we introduce Asphalion, the first theorem prover-based framework for verifying implementations of hybrid systems and protocols. It relies on three novel languages: (1) HyLoE: a Hybrid Logic of Events to reason about hybrid fault models; (2) MoC: a Monadic Component language to implement systems as collections of interacting hybrid components; and (3) LoCK: a sound Logic of events-based Calculus of Knowledge to reason about both homogeneous and hybrid systems at a high level of abstraction (thereby allowing proofs to be reused, and capturing the high-level logic of distributed systems). In addition, Asphalion supports compositional reasoning, e.g., through mechanisms to lift properties about trusted-trustworthy components to the level of the distributed systems they are integrated in. As a case study, we have verified crucial safety properties (e.g., agreement) of several implementations of hybrid protocols.
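To make the abstract's "normal components trust special components" idea concrete, here is an added illustration (not code from the Asphalion paper or its Coq development): a trusted monotonic counter as the special component, the check a normal receiving component performs on its certificates, and the replica counts this buys. The HMAC-based counter design, the `TrustedCounter`/`Receiver` names and the 2f+1 replica bound for such hybrid protocols are assumptions drawn from MinBFT-style designs and are not stated on this page.

```python
import hashlib
import hmac

# Constructed key for the demo; in a real hybrid replica it lives only
# inside the trusted component and the untrusted part never sees it.
DEMO_KEY = b"demo-only-key-shared-with-verifiers"


def _digest(key: bytes, counter: int, msg: bytes) -> bytes:
    """HMAC over (counter, H(msg)); binds one counter value to one message."""
    payload = counter.to_bytes(8, "big") + hashlib.sha256(msg).digest()
    return hmac.new(key, payload, "sha256").digest()


class TrustedCounter:
    """The 'special' component (assumed design). Its only job is to hand out
    strictly increasing counter values and certify one message per value."""

    def __init__(self, key: bytes) -> None:
        self._key = key
        self._counter = 0

    def certify(self, msg: bytes) -> tuple[int, bytes]:
        self._counter += 1                 # monotonic: a value is never reused
        return self._counter, _digest(self._key, self._counter, msg)


class Receiver:
    """The 'normal' component on the receiving side. It accepts a sender's
    certificates only in contiguous counter order, so a gap or a repeat
    (the two ways a sender could try to equivocate) is rejected."""

    def __init__(self, key: bytes) -> None:
        self._key = key
        self._last = 0

    def accept(self, msg: bytes, counter: int, tag: bytes) -> bool:
        if counter != self._last + 1:
            return False                   # skipped or replayed counter value
        if not hmac.compare_digest(tag, _digest(self._key, counter, msg)):
            return False                   # tag was not issued for this message
        self._last = counter
        return True


def equivocation_detected(key: bytes) -> dict:
    """Simulates a faulty 'normal' part that tries to tell two receivers
    different values for the same slot; returns what each receiver accepted."""
    usig = TrustedCounter(key)
    r1, r2 = Receiver(key), Receiver(key)
    msg_a, msg_b = b"PREPARE slot=1 value=A", b"PREPARE slot=1 value=B"
    c, tag_a = usig.certify(msg_a)
    ok_r1 = r1.accept(msg_a, c, tag_a)
    # Attempt 1: reuse counter c and its tag for a different message to r2.
    replay = r2.accept(msg_b, c, tag_a)
    # Attempt 2: obtain a fresh certificate for B; the counter moves to c+1.
    c2, tag_b = usig.certify(msg_b)
    # r2 has not seen counter c, so c+1 is a gap and is rejected.
    gap = r2.accept(msg_b, c2, tag_b)
    # r2 only proceeds once it receives the counter-c message, which is the
    # same A certificate r1 holds: both receivers end up consistent.
    catch_up = r2.accept(msg_a, c, tag_a)
    return {"r1_accepts_A": ok_r1, "replayed_tag": replay,
            "counter_gap": gap, "r2_catches_up_with_A": catch_up}


def replicas_needed(f: int, hybrid: bool) -> int:
    """3f+1 for classic BFT-SMR (from the abstract); 2f+1 when every replica
    has a trusted non-equivocation component (assumed MinBFT-style bound)."""
    return 2 * f + 1 if hybrid else 3 * f + 1


def quorum_overlap(f: int, hybrid: bool) -> int:
    """Minimum number of replicas shared by any two quorums. Classic BFT needs
    f+1 so the overlap contains a correct replica; the hybrid setting needs
    only 1, because even a faulty replica cannot have certified two values."""
    n = replicas_needed(f, hybrid)
    q = (f + 1) if hybrid else (2 * f + 1)
    return 2 * q - n
```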

Supplemental Material

Presentation at OOPSLA '19

