The traditional approach to address security threats in distributed computations is based on the Byzantine faults model. From an economic viewpoint the idea that the adversary will be bounded to break into k machines is questionable. Indeed today the cost to break into k+1 machines running the same operating system is clearly less than breaking into k machines using very different platforms. The cost of the attack and the budget of the adversary define a dual access structure: i.e., a family of subsets of machines the adversary can attack with the given budget. (As is classical in economics costs and budgets do need to be expressed in monetary values. E.g. a student hacker's budget could better be expressed in available free time for hacking.)
A hacker may just penetrate a system to demonstrate the feasibility of the attack. A more sophisticated adversary, given the choice to distribute the communications about a students party or shut down computers used in a critical infrastructure, will choose the latter. In fact the adversary may want to optimize the attack. We discuss how to attach an economic impact factor to distributed systems to study the vulnerability of systems and how to defend against those.
We also consider security models based on the artificial intelligence concept of AND/OR graphs. We argue that AND/OR graphs are more suited to model realistic secure distributed computations than graphs. We study how these two models can be combined and used to study a wide variety of secure distributed systems issues.
Based on joint works with M. Burmester and Y. Wang.
Gates 4B (opposite 490), Tuesday 5/14/02, 4:30 PM