SPORC: Group Collaboration using Untrusted Cloud Resources — OSDI 10/5/10 1

SPORCGroup Collaboration using Untrusted Cloud Resources

Ariel J. Feldman, William P. Zeller,Michael J. Freedman, Edward W. Felten

SPORC: Group Collaboration using Untrusted Cloud Resources — OSDI 10/5/10 2

Cloud deployment: pro & con

Cloud deployment is attractive• Scalable, highly available, globally accessible• Real-time collaboration

For user-facing applications:(e.g. word processing, calendaring, e-mail, IM)

But, there’s a price…

Must trust the cloud provider for confidentiality and integrity

…

SPORC: Group Collaboration using Untrusted Cloud Resources — OSDI 10/5/10 3

SPORC goals

Untrusted servers• Can’t read user data• Can’t tamper with user data without

risking detection• Clients can recover from tampering

Practical cloud apps• Flexible framework• Real-time collaboration• Work offline

4

Server

Making servers untrusted

SPORC: Group Collaboration using Untrusted Cloud Resources — OSDI 10/5/10

Encryptedstate

App logic

SPORC Server’s limited role:• Storage• Ordering msgs

State

Client 1

Copy of state

App logic

Client 2

Copy of state

App logic

ClientApp logic App logic

Server

5

Problem #1:

SPORC: Group Collaboration using Untrusted Cloud Resources — OSDI 10/5/10

Client 1

Copy of state

App logic

Client 2

Copy of state

App logic

Client

How do you keep clients’ local copies consistent?

(esp. with offline access)Server

Encryptedstate

6

Problem #2:

SPORC: Group Collaboration using Untrusted Cloud Resources — OSDI 10/5/10

Client 1

Copy of state

App logic

Client 2

Copy of state

App logic

Client

How do you deal with a malicious server?

Encryptedstate

SPORC: Group Collaboration using Untrusted Cloud Resources — OSDI 10/5/10 7

Keeping clients in syncOperational transformation (OT) [EG89]

(Used in Google Docs, EtherPad, etc.)

Alice Bob

Server

ins “ABC”

ins “DE”

del 4del 2 ins “ABC”

ins “DE”

Ops:

State:ABCDE ABCDEACDE ABCE

del 4del 2

del 2del 4

del 2del 4

ACD ACE

del 2del 3

T T

ACE ACE

OT can sync arbitrarily divergent clients

Ops:

State:

SPORC: Group Collaboration using Untrusted Cloud Resources — OSDI 10/5/10 8

Dealing with a malicious serverDigital signatures aren’t enough

Server can equivocate

A B C ACfork* consistency [LM07]

• Honest server: linearizability• Malicious server: Alice and Bob

detect equivocation after exchanging 2 messages

• Embed history hash in every message

Server can still fork the clients, but can’t unfork

Client Client

SPORC: Group Collaboration using Untrusted Cloud Resources — OSDI 10/5/10 9

System designClient app

Local state

SPORC lib

SPORC: Group Collaboration using Untrusted Cloud Resources — OSDI 10/5/10 10

System designClient app

Local state

SPORC lib

Committed Pending

fork*consistent

causallyconsistent

SPORC: Group Collaboration using Untrusted Cloud Resources — OSDI 10/5/10 11

System designClient app

Local state

SPORC lib

Committed Pending

ServerEncrypted state

Encrypt & sign

SPORC: Group Collaboration using Untrusted Cloud Resources — OSDI 10/5/10 12

System designClient app

Local state

SPORC lib

Committed Pending

ServerEncrypted state

Client

Verify & decrypt

Compare history hashes

SPORC: Group Collaboration using Untrusted Cloud Resources — OSDI 10/5/10 13

System designClient app

Local state

SPORC lib

Committed Pending

ServerEncrypted state

Client

Decrypt & verify

T

SPORC: Group Collaboration using Untrusted Cloud Resources — OSDI 10/5/10 14

System designClient app

Local state

SPORC lib

Committed Pending

ServerEncrypted state

Client

T

SPORC: Group Collaboration using Untrusted Cloud Resources — OSDI 10/5/10 15

Access control

Challenges• Server can’t do it — it’s untrusted!• Preserving causality• Concurrency makes it harder

Solutions• Ops encrypted with symmetric key shared by clients • ACL changes are ops too• Concurrent ACL changes handled with barriers

Encryptedstate

SPORC: Group Collaboration using Untrusted Cloud Resources — OSDI 10/5/10 16

Adding a user

Alice Bob

Server

CharlieGroup members:

ModifyUserOp

Add “Charlie”

ECharlie_pk(k)

SPORC: Group Collaboration using Untrusted Cloud Resources — OSDI 10/5/10 17

Removing a user

Alice Bob

Server

CharlieGroup members:

ModifyUserOp

Rm “Charlie”

Ealice_pk(k’)

Ebob_pk(k’)

Ek’(k)

SPORC: Group Collaboration using Untrusted Cloud Resources — OSDI 10/5/10 18

BARRIER BARRIER

Barriers: dealing with concurrency

Alice Bob

Server

Group members:

ModifyUserOp

Rm “Charlie”

Ek1(k)

ModifyUserOp

Rm “Eve”

Ek2(k)

ModifyUserOp

Rm “Eve”

Ek2(k)

10

ModifyUserOp

Rm “Charlie”

Ek1(k)

98

…

Clients check on the server

SPORC: Group Collaboration using Untrusted Cloud Resources — OSDI 10/5/10 19

Recovering from a fork

Alice’s history:

Bob’s history:

Can use OT to resolve malicious forks too

Fork!

SPORC: Group Collaboration using Untrusted Cloud Resources — OSDI 10/5/10 20

ImplementationClient lib + generic server

App devs only need to define ops and provide a transformation function

Demo apps: key value store, browser-based collaborative text editor

Java CLI version + browser-based version (GWT)

SPORC: Group Collaboration using Untrusted Cloud Resources — OSDI 10/5/10 21

EvaluationSetup• Tested Java CLI version• 8-core 2.3 GHz AMD machines

• 1 for server• 4 for clients (often >1 instance per machine)

• Gigabit LAN

Microbenchmarks• Latency• Server throughput• Time-to-join (in paper)

SPORC: Group Collaboration using Untrusted Cloud Resources — OSDI 10/5/10 22

Latency

Low load(1 client writer)

High load(all clients are writers)

(Text editor app)

SPORC: Group Collaboration using Untrusted Cloud Resources — OSDI 10/5/10 23

Latency

Low load(1 client writer)

High load(all clients are writers)

(Text editor app)

SPORC: Group Collaboration using Untrusted Cloud Resources — OSDI 10/5/10 24

Server throughput

SPORC: Group Collaboration using Untrusted Cloud Resources — OSDI 10/5/10 25

Conclusion

Practical cloud apps + untrusted servers

Operational transformation + fork* consistency

Dynamic access control and key distribution

Recovery from malicious forks

SPORC: Group Collaboration using Untrusted Cloud Resources — OSDI 10/5/10 26

Thank youQuestions?

ajfeldma@cs.princeton.edu*

*http://www.snowpeak.com/tableware/cutlery/titanium-original-spork-sct-004.html

SPORC: Group Collaboration using Untrusted Cloud Resources — OSDI 10/5/10 27

Comparison with Depot

Future work: SPORC + Depot? ;-)

SPORC Depot

Consistency with malicious servers ✔ ✔

Consistency with malicious clients ✔

Fork recovery ✔ ✔

Work offline ✔ ✔

Dynamic access control ✔

Confidentiality and key distribution ✔

Depot exposes conflicts, but leaves it to the app to resolve them

SPORC: Group Collaboration using Untrusted Cloud Resources — OSDI 10/5/10 28

Time-to-join