Section: New Results

Accidental and Malicious Faults in Distributed Systems

Induced Churn to Face Malicious Behaviors :

In reputation mechanisms, ensuring durable access to feedback is a first barrier against simple attacks. To bias the reputation mechanism, an adversary can create and use several distinct identities. In that case, if the reputation mechanism is solely based on statistical measurements, its trustworthiness can be violated. Our contribution is centered on the study of robust mechanisms that can resist such attacks.

Toward this goal, we have first investigated the problem of uniform sampling in large-scale open systems in the presence of adversarial nodes. Uniform sampling ensures that any individual in a population has the same probability of being selected as a sample. Uniform sampling finds its roots in many problems such as data collection, dissemination, load balancing, and data caching.

By relying on the topological properties of structured peer-to-peer systems, it has been shown that it is possible to guarantee with high probability that any node is equally likely to appear in the local view of each other honest node within a number of rounds polynomial in the size of the system. This is achieved by forcing nodes to frequently leave their position and move to another random position in the system. Indeed, in [15], we have shown that an adversary can very quickly subvert overlays based on distributed hash tables by simply never triggering leave operations. We have also demonstrated that when all nodes (honest and malicious ones) are subject to a limited lifetime, the system eventually reaches a stationary regime where the ratio of polluted clusters is bounded, independently of the initial amount of corruption in the system.
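The following simulation is an added illustration of the two results above and is not code from [15] or from the team: it contrasts an adversary whose nodes never leave against a system that imposes a limited lifetime on every node. The cluster count, the pollution threshold (more than a third of a cluster) and the honest churn rate are assumed values.

```python
import random

# Assumed model (not the paper's): a cluster is "polluted" once malicious
# nodes hold more than a third of its positions.
POLLUTION_THRESHOLD = 1 / 3

def polluted_ratio(clusters):
    """Fraction of clusters whose malicious share exceeds POLLUTION_THRESHOLD."""
    polluted = sum(1 for m in clusters if m and sum(m) / len(m) > POLLUTION_THRESHOLD)
    return polluted / len(clusters)

def simulate(n_clusters, honest, malicious, corrupted_clusters, rounds,
             lifetime=None, seed=1):
    """Return the polluted ratio after `rounds` rounds of a cluster-based overlay.

    The adversary starts with its nodes packed into `corrupted_clusters`
    clusters (it chose its identifiers). Honest nodes occasionally leave and
    rejoin at a random position. With lifetime=None malicious nodes never
    leave; with a finite lifetime every node, honest or not, is expelled after
    `lifetime` rounds and rejoins at a system-chosen random position.
    """
    rng = random.Random(seed)
    # Each node: [is_malicious, cluster index, rounds since last join]
    nodes = [[True, i % corrupted_clusters, 0] for i in range(malicious)]
    nodes += [[False, rng.randrange(n_clusters), 0] for _ in range(honest)]
    for _ in range(rounds):
        for node in nodes:
            node[2] += 1
            expired = lifetime is not None and node[2] >= lifetime
            voluntary = not node[0] and rng.random() < 0.02  # assumed honest churn
            if expired or voluntary:
                node[1] = rng.randrange(n_clusters)  # unpredictable new position
                node[2] = 0
    clusters = [[] for _ in range(n_clusters)]
    for is_mal, cluster, _ in nodes:
        clusters[cluster].append(1 if is_mal else 0)
    return polluted_ratio(clusters)

if __name__ == "__main__":
    # Constructed scenario: 50 clusters, 1000 honest and 100 malicious nodes.
    for corrupted in (2, 5):
        print(corrupted, simulate(50, 1000, 100, corrupted, rounds=200),
              simulate(50, 1000, 100, corrupted, rounds=200, lifetime=20))
```

Without a lifetime the polluted ratio stays at whatever the adversary chose initially (2 or 5 clusters out of 50); with a lifetime of 20 rounds both runs end with the malicious nodes dispersed and essentially no polluted cluster, whatever the starting corruption.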

In unstructured peer-to-peer systems, nodes cannot rely on the topological nature of structured graphs to detect undesirable behaviors. The sampling has to be uniform and ergodic. Informally, this second property guarantees that each node id received infinitely often has a non-null probability of locally appearing as a sample. In [21], we determine necessary and sufficient conditions under which uniform and ergodic sampling is achievable in unstructured peer-to-peer systems potentially populated with a large proportion of Byzantine nodes. These conditions impose strict restrictions on the number of messages gossiped by malicious nodes during a given period of time and require each honest node to be provided with a very large memory (in the size of the system).

In [38], we consider the problem of targeted attacks in large-scale peer-to-peer overlays. These attacks aim at exhausting key resources of targeted hosts to diminish their capacity to provide or receive services. To defend the system against such attacks, we rely on clustering and implement induced churn to preserve the randomness of node identifiers so that adversarial predictions are impossible. We propose robust join, leave, merge and split operations to discourage brute-force denial-of-service and pollution attacks.

Sequence of Consensus Instances :

To coordinate the activities of replicas efficiently, a significant body of work on replication techniques, group communication services and agreement problems has been done. The consensus service has been recognized as a fundamental building block for fault-tolerant distributed systems. Many different protocols to implement such a service have been proposed; however, little effort has been placed in evaluating their performance. During her PhD thesis [14], Izabela Moise has presented a protocol designed to solve several consecutive consensus instances in an asynchronous distributed system prone to crash failures and message omissions. The protocol [31] follows the Paxos approach [49], [47] and integrates two different optimizations to reduce the latency of learning a decision value. As one optimization is risky [48], dynamic triggering criteria are defined to check at runtime whether the context seems favorable or not. The proposed protocol [34] is adaptive as it tries to obtain the best performance gain depending on the current context. Moreover, it guarantees the persistence of all decision values. Our experimental results [36] focus on the impact of the prediction of collisions (i.e., the cases where the use of the risky optimization is counterproductive).
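As an added example, not the protocol of [31] or [34], the model below runs a sequence of consensus instances and decides per instance whether to attempt the risky optimization. The latency figures and the triggering criterion (a break-even test on the collision rate observed over a sliding window) are assumptions made for the illustration.

```python
from collections import deque

# Assumed latencies (in message delays) of one consensus instance: the risky
# optimization decides in one step when a single value is proposed but wastes
# a step and falls back to the classic path when proposals collide.
FAST_OK, FAST_COLLISION, CLASSIC = 1, 3, 2

def fast_path_favorable(history):
    """Assumed triggering criterion: try the risky optimization only while the
    collision rate p observed over the recent window keeps its expected
    latency below the classic path: p*FAST_COLLISION + (1-p)*FAST_OK < CLASSIC."""
    if not history:
        return True
    p = sum(history) / len(history)
    return p * FAST_COLLISION + (1 - p) * FAST_OK < CLASSIC

def run_sequence(workload, policy="adaptive", window=10):
    """Run consecutive consensus instances. `workload` lists, per instance, the
    values proposed concurrently. Returns (persisted decision log, total latency)."""
    history = deque(maxlen=window)   # 1 = a collision was seen in that instance
    log, latency = [], 0
    for proposals in workload:
        collision = len(set(proposals)) > 1
        if policy == "fast" or (policy == "adaptive" and fast_path_favorable(history)):
            latency += FAST_COLLISION if collision else FAST_OK
        else:
            latency += CLASSIC
        history.append(1 if collision else 0)
        log.append(min(proposals))  # deterministic choice stands in for the leader's pick
    return log, latency

# Constructed workload: a calm phase, a contended phase, then calm again.
WORKLOAD = [["a"]] * 30 + [["a", "b"]] * 30 + [["c"]] * 30

if __name__ == "__main__":
    for policy in ("fast", "classic", "adaptive"):
        print(policy, run_sequence(WORKLOAD, policy)[1])
```

On this workload always using the optimization costs 150 steps and never using it 180, while the adaptive policy costs 131: it pays for a few collisions before the window reflects the contended phase, and for a few classic rounds before it detects that the calm phase is back.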

Transactional Mobile Agent :

Mobile devices are now equipped with multiple sensors and networking capabilities. They can gather information about their surrounding environment and interact both with nearby nodes, using a dynamic and self-configurable ad-hoc network, and with distant nodes via the Internet. While the concept of a mobile agent is appropriate for exploring the ad-hoc network and autonomously discovering service providers, it is not suitable for implementing strong distributed synchronization mechanisms. Moreover, the termination of a task assigned to an agent may be compromised if the persistence of the agent itself is not ensured. In the case of a transactional mobile agent, we identify two services, Availability of the Sources and Atomic Commit, that can be supplied by more powerful entities located in a cloud. In [33], we propose a solution where these two services are provided in a reliable and homogeneous way. To guarantee reliability, the proposed solution relies on a single agreement protocol that continuously orders all new actions, whatever the related transaction and service.