Byzantine Fault Tolerance in Long-Lived Systems

Authors

  • Rodrigo Rodrigues
  • Barbara Liskov
Abstract

Byzantine fault tolerance comprises a set of techniques for building fault-tolerant systems where no assumptions are made about the behavior of faulty nodes. This makes Byzantine-fault-tolerant systems particularly attractive as a defense against malicious attacks that may cause faulty nodes to exhibit arbitrary behavior. A service that tolerates Byzantine failures (e.g., [1, 8]) must store the service state at a set of replicas. The replicas carry out a protocol that tolerates failures of a subset of them. Usually the system contains 3f + 1 replicas, and the protocols guarantee correct behavior provided no more than f of them are faulty at the same moment. These systems do well as long as the assumption about the number of simultaneous failures holds. But if more than f replicas fail, the system fails and no guarantees can be made about its behavior.

The question we address in this paper is: what can be done to increase the probability that no more than f replicas are faulty simultaneously? We address this question using the following simple model. For any attack that could be mounted, there is an attack window, A: the length of time needed to compromise more than f replicas using that attack. Different attacks have different attack windows. Some attacks require a very small A. For example, if the code on the replicas has a deterministic software bug that allows an attacker to exploit a buffer overrun, the attacker can send the triggering requests (which are legal at the protocol level) to all replicas simultaneously and bring the system down in a very short time. Other attacks require more time; for example, an attack that relies on a non-deterministic error might take quite a while. A system has a window of vulnerability, W, during which it allows an adversary to mount an attack. We would like to have W < A, since then the system cannot be compromised by that attack.

This condition is unlikely to be satisfied in a long-lived system with no defenses against the accumulation of faulty nodes; in this case W is infinite (or at least equal to the system lifetime), and therefore we can expect that ultimately an attack will succeed. This paper proposes counter-measures that can be deployed as part of a replicated system to reduce the size of W, and thus reduce the class of attacks to which the system
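The following is an added worked instance of the attack-window model sketched in the abstract; it is not code from the paper. It makes three assumptions beyond what the abstract states: compromise times are constructed sample data measured from the start of the attack; the counter-measure is modelled only by its effect, namely that a compromised replica is faulty for at most W time units before it is restored to a correct state (W = inf models a long-lived system with no such defence); and A is taken as the shortest span in which the attack compromises f + 1 replicas, which is the reading under which W < A is sufficient. The sweep-line check at the end shows the condition at work: the deterministic bug has A = 0 and no finite W saves the service, while the slow attack is defeated as soon as W is brought below its A.

```python
"""Worked instance of the attack-window / vulnerability-window model.

Added example, not code from the Rodrigues/Liskov paper. Assumptions:
- compromise times are constructed sample data, measured from attack start;
- the defence is modelled only by its effect: a compromised replica is
  faulty for at most W time units, then restored (W = inf: no defence);
- A is the shortest span in which the attack compromises f + 1 replicas.
"""
import math
from typing import Sequence


def attack_window(compromise_times: Sequence[float], f: int) -> float:
    """A: shortest time in which this attack compromises more than f replicas.

    With times sorted, that is min over i of t[i + f] - t[i]. An attack that
    never reaches f + 1 replicas has an infinite window.
    """
    ts = sorted(compromise_times)
    if len(ts) <= f:
        return math.inf
    return min(ts[i + f] - ts[i] for i in range(len(ts) - f))


def max_simultaneously_faulty(compromise_times: Sequence[float], W: float) -> int:
    """Largest number of replicas faulty at any single instant.

    A replica compromised at t is faulty on the half-open interval [t, t + W):
    it is restored at t + W, so a restoration and a fresh compromise at the
    same instant do not overlap (departures sort before arrivals).
    """
    events = []
    for t in compromise_times:
        events.append((t, +1))
        if math.isfinite(W):
            events.append((t + W, -1))
    events.sort()  # (time, delta): -1 sorts before +1 at equal times
    current = peak = 0
    for _, delta in events:
        current += delta
        peak = max(peak, current)
    return peak


def system_survives(compromise_times: Sequence[float], f: int, W: float) -> bool:
    """True iff at no instant more than f replicas are faulty, i.e. the
    3f + 1 replica protocol's fault assumption is never violated."""
    return max_simultaneously_faulty(compromise_times, W) <= f


# Constructed sample attacks against n = 3f + 1 = 4 replicas (f = 1).
F = 1
# A deterministic bug: one crafted request fells every replica at once (A = 0).
DETERMINISTIC_BUG = [0.0, 0.0, 0.0, 0.0]
# A non-deterministic bug: replicas fall one at a time, 10-15 units apart.
NONDETERMINISTIC_BUG = [0.0, 10.0, 25.0, 40.0]

if __name__ == "__main__":
    samples = [("deterministic", DETERMINISTIC_BUG),
               ("non-deterministic", NONDETERMINISTIC_BUG)]
    for name, times in samples:
        A = attack_window(times, F)
        for W in (math.inf, 12.0, 8.0):
            print(f"{name:17s} A={A:5.1f} W={W:5.1f} "
                  f"peak faulty={max_simultaneously_faulty(times, F and W)} "
                  f"survives={system_survives(times, F, W)}")
```

Because the faulty intervals are half-open, the sweep reports failure exactly when some f + 1 compromises fall within a span shorter than W, i.e. exactly when A < W; so for any compromise timeline `system_survives(times, f, W)` agrees with `W <= attack_window(times, f)`, which is a useful self-check when the model is extended.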


Similar resources

Consensus When All Processes May Be Byzantine for Some Time

Among all classes of faults, Byzantine faults form the most general modeling of value faults. Traditionally, in the Byzantine fault model, faults are statically attributed to a set of up to t processes. This, however, implies that in this model a process at which a value fault occurs is forever “stigmatized” as being Byzantine, an assumption that might not be acceptable for long-lived systems, ...


Rosebud: A Scalable Byzantine-Fault-Tolerant Storage Architecture

This paper presents Rosebud, a new Byzantine-fault-tolerant storage architecture designed to be highly scalable and deployable in the wide area. To support massive amounts of data, we need to partition the data among the nodes. To support long-lived operation, we need to allow the set of nodes in the system to change. To our knowledge, we are the first to present a complete design and a running ...


Abstracting out Byzantine Behavior

Peter Druschel, Andreas Haeberlen, Petr Kouznetsov. Max Planck Institute for Software Systems (MPI-SWS), Stuhlsatzenhausweg 85, 66123 Saarbrücken, Germany. {druschel,ahae,pkouznet}@mpi-sws.mpg.de. Abstract: Many distributed systems are designed to tolerate the presence of Byzantine failures: an individual process may arbitrarily deviate ...


Byzantine Fault Tolerance Can Be Fast

Byzantine fault tolerance is important because it can be used to implement highly available systems that tolerate arbitrary behavior from faulty components. This paper presents a detailed performance evaluation of BFT, a state-machine replication algorithm that tolerates Byzantine faults in asynchronous systems. Our results contradict the common belief that Byzantine fault tolerance is too slow ...


Recent Results on Fault-Tolerance Consensus in Message-Passing Networks

This paper surveys recent results on fault-tolerant consensus in message-passing networks. We focus on two categories of work: (i) new problem formulations (including input domain, fault model, network model, etc.), and (ii) practical applications. For the second part, we focus on Crash Fault-Tolerant (CFT) systems that use Paxos or Raft, and Byzantine Fault-Tolerant (BFT) systems. We also br...



Publication date: 2004