synchronous/korg-paper
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

more

Browse Source
This commit is contained in:
JakeGinesin
2024-11-29 08:17:00 -05:00
parent 1846062f93
commit 3434cb3a97
10 changed files with 1010 additions and 1055 deletions
Download Patch File Download Diff File Expand all files Collapse all files

37
sections/case_studies.tex
View File

@@ -1,10 +1,11 @@
%!TEX root = ../main.tex
In this section we describe two case study, TCP transport protocol and RAFT state machine replication protocol.
In this section we describe two case studies: the Transmission Control Protocol, a data transfer protocol, and Raft, a state machine replication protocol.
\subsection{TCP}%
\label{sub:TCP}
TCP (Transmission Control Protocol) is a transport-layer protocol designed to establish reliable, ordered communications between two peers. TCP is ubiquitous in today's internet, and therefore has seen ample formal verification efforts \cite{Cluzel_Georgiou_Moy_Zeller_2021, Smith_1997, Pacheco2022}, including using \promela and \spin \cite{Pacheco2022}.
Transmission Control Protocol (TCP) is a transport-layer protocol designed to establish reliable, ordered communications between two peers. TCP is ubiquitous in today's internet, and therefore has seen ample formal verification efforts \cite{Cluzel_Georgiou_Moy_Zeller_2021, Smith_1997, Pacheco2022}, including using \promela and \spin \cite{Pacheco2022}.
%A previous version of \korg has been applied TCP in \cite{Pacheco2022, Hippel2022};
%in particular, we study our \korg extensions using the hand-written TCP \promela model from \cite{Pacheco2022}.
We construct a TCP \promela model referencing the set of TCP RFCs.
@@ -39,7 +40,9 @@ $\phi_4$ & & &\\
\end{scriptsize}
\label{res:tcp-table}
\caption{Automatically discovered attacks against the hand-written TCP model from Pacheco et al. and our own, for $\phi_1$ through $\phi_4$. "x" indicates an attack was discovered, and no "x" indicates \korg proved the absence of an attack via an exhaustive search. Full attack traces are available in the artifact.}
\caption{Automatically discovered attacks against
%the hand-written TCP model from Pacheco et al. and our own,
our TCP model for $\phi_1$ through $\phi_4$. "x" indicates an attack was discovered, and no "x" indicates \korg proved the absence of an attack via an exhaustive search. These experiments were ran on a laptop with an eighth generation i7 and 16gb of memory. Full attack traces are available in the artifact.}
\end{figure}
\begin{comment}
@@ -81,6 +84,32 @@ Referencing the original Raft thesis \cite{Ongaro} and other raft models \cite{W
\phi_5 &= \text{\parbox[t]{20em}{If any two servers commit the same log entry, the log entry at the previous index must be equivalent}}
\end{aligned}
\]
We construct our Raft model such that we can model-check an arbitrary number of peers. We also designed our model such that each peer maintains separate channels for receiving AppendEntry requests, AppendEntry responses, RequestVote requests, and RequestVote responses. This gives \korg ample handle to reason about Raft. In particular, we study Raft in the presence of drop and replay attackers on all four aforementioned channel types, attacking both a minority and majority of peers. A breakdown of our findings is shown in Figure \ref{}.
We construct our Raft model such that we can model-check an arbitrary number of peers. We also designed our model such that each peer maintains separate channels for receiving AppendEntry requests, AppendEntry responses, RequestVote requests, and RequestVote responses. This gives \korg ample handle to reason about Raft. In particular, we study Raft in the presence of drop and replay attackers on all four aforementioned channel types, attacking both a minority and majority of peers. A breakdown of our findings is shown in Figure \ref{res:raft-table}.
\begin{figure}[h!]
\centering
\begin{scriptsize}
\label{res:raft-table}
\begin{tabular}{|c|c|}
\hline
Scenario & Attack found? \\
\hline
Dropping AppendEntries messages & no \\
Dropping RequestVote messages & no \\
Replaying RequestVote messages & yes ($\phi_1, \phi_4$ violated) \\
Replaying AppendEntry messages & no \\
Dropping RequestVoteResponse messages & no \\
Dropping AppendEntryResponse messages & no \\
\hline
\end{tabular}
\end{scriptsize}
\caption{Breakdown of the attacker scenarios assessed with \korg against our Raft \promela model. In all experiments, Raft was set to five peers and the drop/replay limits of the gadgets \korg synthesized were set to two. We conducted our experiments on a research computing cluster, allocating 250GB of memory to each verification run. The full models and attacker traces are included in the artifact.}
%\caption{Automatically discovered attacks against
%the hand-written TCP model from Pacheco et al. and our own,
%our TCP model for $\phi_1$ through $\phi_4$. "x" indicates an attack was discovered, and no "x" indicates \korg proved the absence of an attack via an exhaustive search. These experiments were ran on a laptop with an eighth generation i7 and 16gb of memory. Full attack traces are available in the artifact.}
\end{figure}
In our experiments, we found just one attack on our Raft \promela model, violating election safety in particular. In this scenario, peer A and peer B are candidates for election. Peer A receives three votes, one from itself and two from other peers, and Peer B receives two votes, one from itself and one from another peer. The replay attacker simply replays the vote sent to peer B. Then, both Peer A and Peer B are convinced they won the election and change their state to leader. Following this, leader completeness is also naturally violated.
To be clear, this is not an attack on the general Raft protocol, but rather an attack on our specific Raft implementation: in this case, the bug \korg exploits involves our Raft model not ensuring votes received are from unique peers\footnote{Naturally, this requires cryptography and therefore is challenging to express in the semantics of \promela.}. In general, the complete Raft protocol has been proven to resist drop and replay attackers \cite{Woos_Wilcox_Anton_Tatlock_Ernst_Anderson_2016}. In this scenario, \korg demonstrates its ability to discover subtle bugs in protocol logic ; our Raft model satisfies $\phi_1$-$\phi_5$ assuming perfect channels, and \korg allowed us to reason precisely about the effect of imperfect, vulnerable channels.
% We note our analysis is in no

2
sections/design.tex
View File

@@ -11,7 +11,7 @@ A high-level overview of the \korg pipeline is given in the Figure \ref{fig:korg
\begin{figure}[h]
\centering
\includegraphics[width=0.5\textwidth]{assets/diagram3.png}
\includegraphics[width=0.5\textwidth]{assets/diagram-anon.png}
\caption{A high-level overview of the \korg workflow}
\label{fig:korg_workflow}
\end{figure}