Ch 9 Goals

(1)

- Introduce Byzantine Faults - Define pulse synchronization

- Show equivalence between solving clock synchronization and pulse synchronization

- Present a fault tolerant pulse synchronization algorithm

- Show basic lower bounds on the fraction of Byzantine faults that can be tolarated.

Ch 9 Goals

(2)

A Byzantine faulty node is a node that may behave arbitrarily.

That is, such a node does not need to follow any algorithm prescribed by the system designer.

An algorithm is resilient to f Byzantine faults if its

performance guarantees hold for any execution in which there are at most f Byzantine faulty nodes.

In the following, for a network G=(V,E) and a set F of faulty nodes, we denote by V _g the set of correct nodes.

Byzantine Faults

(3)

Coverage

- no need to worry about a specific fault model Testing

- saves the need to test whether the assumed fault model holds in practice

Scalability

- increasing system size and clock speed violates previously assumed fault models

Reusability

- moving from one system version to another does not require adapting it to fault variants that may pop up.

Why Byzantine Faults

(4)

• Faults may crash systems

• A domino effect caused major power failures accross USA

• Running a distributed system on a multi core computer does not increase reliability

• Need to identify independent elements, units , or regions, such that a single fault doesn’t

propogate beyond that

• Need to continuesly obey the asssumed ratio of correct to faulty and handle dynamic changes to the system

Fault Containment Regions

(5)

- arbitrary deterministic computations

- computations and message delivery satisfy (known) bounds - hardware clock runs at rates between 1 and ϑ:

t – t' ≤ H _v (t) – H _v (t') ≤ ϑ(t – t’)

Clock Synchronization: compute logical clocks s.t. for every v,w ϵ V _g

H _v (t) – H _v (t') ≤ L _v (t) – L _v (t') ≤ (1 + μ)(H _v (t) – H _v (t’)) (skew bound) max _{v,w ϵ} _V _g {L _v (t)-L _w (t)} ≤ 𝓖

We define H _v (t) – H _v (t') ≤ L _v (t) – L _v (t') ≤ 𝛃 (t – t’)

Clock Synchronization – correct nodes

(6)

For each i ∈ 𝓝 , v ∈ V _g generate pulse i exactly once, (p _v,i is the time when v generates pulse i),

such that there exists S, P _min , P _max , satisfying:

1) sup i ∈ 𝓝, v,w ϵ Vg {|p _v,i -p _w,i |} = S (skew)

2) inf _{i ∈ 𝓝} {min _v,ϵVg {p _v,i+1 }-max _v,ϵVg { p _v,i } } ≥ P _min 3) sup _{i ∈ 𝓝} {max _v,ϵVg {p _v,i+1 }-min _v,ϵVg { p _v,i } } ≤ P _max

Thus, pulses are well aligned and well separated

Pulse synchronization goals:

(7)

Any pulse synchronization algorithm must satisfy:

1) P _max - P _min ≥ S 2) P _max ≥ ϑ P _min

The first claim can be proved by a simple algebraic manipulation.

The proof of the second claim requires better understanding of the model and the

uncertainties within it.

Basic Observation

(8)

The Timed Message Passing model (TMP)

- Each network node has a local hardware clock

- Nodes actions are deterministic, i.e, actions are a function of the inputs, messages received and the local harware clock

- There is a bound d on end-to-end message transmission and processing time

- Unknow elements: actual hardware clock drift, actual message transmission time,

which nodes are faulty and their behavior

(9)

A State Machine in TSM

Inputs / messages

messages outputs

state

The sequence of messages and outputs depends solely on 1. the initial state and initial input

2. the sequence of messages and inputs it receives 3. hardware clock readings

H

(10)

10

w v

t

¹

t

³

t

²

Due to drift and message transmission time uncertainties,

nodes can’t know when a non-local event takes place.

(11)

11

w v

t

¹

t

³

t

²

t

²

t

²

The hardware clock time difference H(t

³

) – H(t

¹

)

is bounded by 2d and clock drift, i.e., 2d ϑ

(12)

12

On the left all delays are d and clock rates are 1

On the right all delays are d /ϑ and clock rates are ϑ H(t

¹

), H(t

³

) at v are the same in both scenarios

and H(t

²

) at w as well w

v

t

¹

t

³

t

²

d d

2d

Scenario rate = 1 Scenario rate = ϑ

w

v d /ϑ d /ϑ

2d /ϑ

t ₁ /ϑ

t ₂ /ϑ

t ₃ /ϑ

(13)

13

H(t

¹

), H(t

³

) and H(t

²

) are the same --

Therefore –identical messages are being exchanged.

By induction, assuming no faults, throughout the whole algorithm all nodes exchange the same messages

in both scenarios.

w v

t

¹

t

³

t

²

d d

2d

Scenario rate = 1 Scenario rate = ϑ

w

v d /ϑ d /ϑ

2d /ϑ

t ₁ /ϑ

t ₂ /ϑ

t ₃ /ϑ

(14)

14

To prove: P _max ≥ ϑ P _min

Observe that the values are external time values.

Any pulse difference time in the left scenario is divided by ϑ on the other scenario.

Therefore, the value of P _max / ϑ needs also be ≥ P _min w

v

t

¹

t

³

t

²

d d

2d

Scenario rate = 1 Scenario rate = ϑ

w

v d /ϑ d /ϑ

2d /ϑ

t ₁ /ϑ

t ₂ /ϑ

t ₃ /ϑ

(15)

Clock Synchronization to Pulse Synchronization - Assume we have a fault tolerant clock synch alg

with parameters 𝓖 and 𝛃

- We show how to construct pulse syncronization with parameters

- S = 𝓖 (skew)

- P _min = (T- 𝓖 ) / 𝛃 (min period)

- P _max = T + 𝓖 (max period)

for any choice of T satisfying T > 𝓖

(16)

Pulse algorithm

Assume – L ^v (0) ∈ [0, 𝓖 ] for all v ∈ V _g 1. i := 0 (performed only on wakeup)

2. While true do

3. wait until getL() = iT

4. generate the i-th pulse 5. i := i +1

6. end while

v generates its i-th pulse at a unique time p _v,i satisfying L ^{v (p}

v,i

) = iT.

Notice that faults do not affect the algorithm

(17)

17

(18)

The Skew

Assume – L ^v (0) ∈ [0, 𝓖 ] for all v ∈ V _g 1. i := 0 (performed only on wakeup)

2. While true do

3. wait until getL() = iT 4. general i-th pulse 5. i := i +1

6. end while

i-th pulse: v at Lv (p _v,i ) = iT and w at Lw (p _w,i ) = iT

S = 𝓖 , because 𝓖 bounds the logical clocks difference

(19)

The Min – Max Periods

We prove just one of them, since both are a simple

derivation

(20)

Pulse Synchronization to Clock Synchronization - We now assume we have a fault tolerant pulse

synch alg with parameters S, P _min and P _max

- We show how to construct clock synchronization with parameters

- 𝛃 = ϑ ² P _max / P _min

- 𝓖 = (ϑ – 1) P _max + 𝛃 S

(21)

21

(22)

22

(23)

The Drift Bound

- We have a fault tolerant pulse synch alg with parameters S, P _min and P _max

- The rate of the logical clock we produce is

bounded from above by the drift of the hardware clocks (ϑ ) multiplied by the drift caused by the amortization of the extra P _max we add at each pulse.

- We amortize it over P _min time, which implies a factor of ϑ P _max / P _min.

- So the resulting bound is 𝛃 = ϑ ² P _max / P _min

(24)

Ch 9 Goals

- Introduce Byzantine Faults - Define pulse synchronization

- Show equivalence between solving clock synchronization and pulse synchronization

- Present a fault tolerant pulse synchronization algorithm

- Show basic lower bounds on the fraction of Byzantine faults that can be tolarated.

Ch 9 Goals

A Byzantine faulty node is a node that may behave arbitrarily.

That is, such a node does not need to follow any algorithm prescribed by the system designer.

An algorithm is resilient to f Byzantine faults if its

performance guarantees hold for any execution in which there are at most f Byzantine faulty nodes.

In the following, for a network G=(V,E) and a set F of faulty nodes, we denote by V g the set of correct nodes.

Byzantine Faults

Coverage

- no need to worry about a specific fault model Testing

- saves the need to test whether the assumed fault model holds in practice

Scalability

- increasing system size and clock speed violates previously assumed fault models

Reusability

- moving from one system version to another does not require adapting it to fault variants that may pop up.

Why Byzantine Faults

• Faults may crash systems

• A domino effect caused major power failures accross USA

• Running a distributed system on a multi core computer does not increase reliability

• Need to identify independent elements, units , or regions, such that a single fault doesn’t

propogate beyond that

• Need to continuesly obey the asssumed ratio of correct to faulty and handle dynamic changes to the system

Fault Containment Regions

- arbitrary deterministic computations

- computations and message delivery satisfy (known) bounds - hardware clock runs at rates between 1 and ϑ:

t – t' ≤ H v (t) – H v (t') ≤ ϑ(t – t’)

Clock Synchronization: compute logical clocks s.t. for every v,w ϵ V g

H v (t) – H v (t') ≤ L v (t) – L v (t') ≤ (1 + μ)(H v (t) – H v (t’)) (skew bound) max v,w ϵ V g {L v (t)-L w (t)} ≤ 𝓖

We define H v (t) – H v (t') ≤ L v (t) – L v (t') ≤ 𝛃 (t – t’)

Clock Synchronization – correct nodes

For each i ∈ 𝓝 , v ∈ V g generate pulse i exactly once, (p v,i is the time when v generates pulse i),

such that there exists S, P min , P max , satisfying:

1) sup i ∈ 𝓝, v,w ϵ Vg {|p v,i -p w,i |} = S (skew)

2) inf i ∈ 𝓝 {min v,ϵVg {p v,i+1 }-max v,ϵVg { p v,i } } ≥ P min 3) sup i ∈ 𝓝 {max v,ϵVg {p v,i+1 }-min v,ϵVg { p v,i } } ≤ P max

Thus, pulses are well aligned and well separated

Pulse synchronization goals:

Any pulse synchronization algorithm must satisfy:

1) P max - P min ≥ S 2) P max ≥ ϑ P min

The first claim can be proved by a simple algebraic manipulation.

The proof of the second claim requires better understanding of the model and the

uncertainties within it.

Basic Observation

The Timed Message Passing model (TMP)

- Each network node has a local hardware clock

- Nodes actions are deterministic, i.e, actions are a function of the inputs, messages received and the local harware clock

- There is a bound d on end-to-end message transmission and processing time

- Unknow elements: actual hardware clock drift, actual message transmission time,

which nodes are faulty and their behavior

A State Machine in TSM

Inputs / messages

messages outputs

state

The sequence of messages and outputs depends solely on 1. the initial state and initial input

2. the sequence of messages and inputs it receives 3. hardware clock readings

H

w v

t

t

t

Due to drift and message transmission time uncertainties,

nodes can’t know when a non-local event takes place.

w v

t

t

t

t

t

The hardware clock time difference H(t

) – H(t

)

is bounded by 2d and clock drift, i.e., 2d ϑ

On the left all delays are d and clock rates are 1

On the right all delays are d /ϑ and clock rates are ϑ H(t

), H(t

) at v are the same in both scenarios

and H(t

In the following, for a network G=(V,E) and a set F of faulty nodes, we denote by V _g the set of correct nodes.

t – t' ≤ H _v (t) – H _v (t') ≤ ϑ(t – t’)

Clock Synchronization: compute logical clocks s.t. for every v,w ϵ V _g

H _v (t) – H _v (t') ≤ L _v (t) – L _v (t') ≤ (1 + μ)(H _v (t) – H _v (t’)) (skew bound) max _{v,w ϵ} _V _g {L _v (t)-L _w (t)} ≤ 𝓖

We define H _v (t) – H _v (t') ≤ L _v (t) – L _v (t') ≤ 𝛃 (t – t’)

For each i ∈ 𝓝 , v ∈ V _g generate pulse i exactly once, (p _v,i is the time when v generates pulse i),

such that there exists S, P _min , P _max , satisfying:

1) sup i ∈ 𝓝, v,w ϵ Vg {|p _v,i -p _w,i |} = S (skew)

2) inf _{i ∈ 𝓝} {min _v,ϵVg {p _v,i+1 }-max _v,ϵVg { p _v,i } } ≥ P _min 3) sup _{i ∈ 𝓝} {max _v,ϵVg {p _v,i+1 }-min _v,ϵVg { p _v,i } } ≤ P _max

1) P _max - P _min ≥ S 2) P _max ≥ ϑ P _min

t ₁ /ϑ

t ₂ /ϑ

t ₃ /ϑ

t ₁ /ϑ

t ₂ /ϑ

t ₃ /ϑ

To prove: P _max ≥ ϑ P _min

Therefore, the value of P _max / ϑ needs also be ≥ P _min w

t ₁ /ϑ

t ₂ /ϑ

t ₃ /ϑ

- P _min = (T- 𝓖 ) / 𝛃 (min period)

- P _max = T + 𝓖 (max period)

Assume – L ^v (0) ∈ [0, 𝓖 ] for all v ∈ V _g 1. i := 0 (performed only on wakeup)

v generates its i-th pulse at a unique time p _v,i satisfying L ^{v (p}

Assume – L ^v (0) ∈ [0, 𝓖 ] for all v ∈ V _g 1. i := 0 (performed only on wakeup)