    Petros Maniatis,Intel Research Berkeleywith Mary Baker (HP), TJ Giuli (Stanford),David S. H. Rosenthal (Stanford Libraries),Mema Roussopoulos (Harvard)11/15/2004 Duke University    • Academic publishing is moving from paper to electronic media– Instead of purchasing paper copies, libraries rent access to on-line digital materials11/15/2004 Duke University    • Librarians are scared with good reason– Access depends on the fate of the publisher– Time is unkind to bits after decades– Plenty of enemies (ideologies, governments, corporations)• Goal: Preserve access for a very long time11/15/2004 Duke University     • Librarians are scared with good reason– Access depends on the fate of the publisher– Time is unkind to bits after decades– Plenty of enemies (ideologies, governments, corporations)• Goal: Preserve access for a very long time11/15/2004 Duke University!    • Librarians are scared with good reason– Access depends on the fate of the publisher– Time is unkind to bits after decades– Plenty of enemies (ideologies, governments, corporations)• Goal: Preserve access for a very long time11/15/2004 Duke University" #$%   $ • Preserve access to replicas of an “Archival Unit” (AU)– AU may be a year-long run of a journal• Requirements– Very low-cost hardware, operation and administration– No central control– Acceptable to publishers (e.g., no disruption or changes)– Respect for access controls– Independent of publisher’s fate– A long-term horizon• Must anticipate and degrade gracefully with– Undetected storage failures (bit rot, human error,…)– Sustained attacks11/15/2004 Duke University& • Assume conventional platform/social attacks• Mitigate further damage through protocol• Top adversary goals:– Stealth Modification• Modify replicas to contain adversary’s version• Hard to reinstate original content after large fraction of replicas are modified– Attrition• Waste peers’ resources (network, application, human)• Storage failures overwhelm and damage the system• Other adversary goals– Content theft, free-riding, unreliability, etc.11/15/2004 Duke University'$   • Long-term horizon– A patient adversary can take 30 years to change history• Use of crypto with long-term secrets over decades is tricky– Signing/encryption keys would have to be protected from disclosure– Verification/decryption keys would have to be preserved• recursive instance of the same problem– Content must be re-encrypted/re-signed• when keys expire, when hash functions break, when quantum computing takes off, etc.– All of the above require publisher modifications• No affordable storage medium is perfectly reliable– Even if one existed, we’d still have catastrophes, human error, bit rot• Short-term guarantees of maximum malice are difficult to maintain– Majority of population can be taken over for a short while (e.g., worm)• The Internet is (still) wide-open– DDoS is almost a turn-key application, at least for short-term attacks11/15/2004 Duke University($ ))* • Digital preservation must prevent change, not precipitate it– Operate no faster than necessary, not as fast as possible• Efficiency is not a goal; feasibility is– Inflate cost of operations to improve attack economics within budget• We get massive redundancy “for free”– Peers (libraries) demand whole local replicas of content– Cannot fiddle with erasure coding, etc.• Population is relatively stable– Peers expected to have repeat interactions, have social network• Preservation need not include end-users (readers) in the loop– Traffic/operation patterns can be relatively stationary– Can model “ostensibly legitimate” workloads for anomaly detection11/15/2004 Duke University+, *• Peer-to-peer auditing and repair system– For replicated archival units– No file sharing• A peer periodically audits its AU replica– It calls an opinion poll among those with same AU• When a peer suspects an attack, it raises an alarm for a human operator– Correlated failures– IP address spoofing– System slowdown• New iteration of a deployed system11/15/2004 Duke University++) )• Each peer holds for every preserved AU– reference list of peers it has discovered– friends list of peers its operator knows externally– history of interactions with others (balance of contributions)• Periodically (faster than rate of storage failures)– Poller takes a sample of the peers in its reference list– Invites them to vote: send a hash of their replica• Compares votes with its local copy– Overwhelming agreement (>70%) F Sleep blissfully– Overwhelming disagreement (<30%) F Repair– Too close to call F Raise an alarm• To repair, the peer gets the copy of somebody who disagreed and then reevaluates the same votes11/15/2004 Duke University+ -) • Reference List– Take out voters, so that the next poll is based on different group– Replenish with some “strangers” and some “friends”• Strangers: Accepted nominees proposed by voters who agree with poll outcome• Friends: From the friends list• The measure of favoring friends is called friend bias• History– Poller owes its voters a vote (for their future polls)– Detected misbehavior penalized in victim’s historyAsk for details   11/15/2004 Duke University+   • Limit the rate of operation• Effort balancing• Bimodal