Mechanism Design and Computer Security

1
Mechanism Design and Computer Security

• John Mitchell Vanessa Teague
• Stanford University

2
The Internet
Three kinds of behavior Blind
obedience, rational self-interest, malicious
disruption
3
Outline for this workshop talk

• Some network problems
• Congestion control, Interdomain routing
• Algorithmic mechanism design
• Pricing function provides incentives
• Distributed mechanisms and security
• Distributed impl by rational agents
• Prevent malicious acts by rational agents
• Open problem irrational malicious agents

Warning bait and switch
4
TCP/IP Transmission
Source
Destination

• TCP guarantees packet delivery
• Source packets have sequence number
• Destination acknowledges
• If packet lost, source resends

5
TCP Congestion Control
Source
Destination

• If packets are lost, assume congestion
• Reduce transmission rate by half, repeat
• If loss stops, increase rate very slowly
• Design assumes routers blindly obey this policy

6
Competition
Source A
Destination
Source B
Destination

• Amiable Alice yields to boisterous Bob
• Alice and Bob both experience packet loss
• Alice backs off
• Bob disobeys protocol, gets better results

7
Whats the point?

• TCP/IP assumes honesty
• If everyone follows protocol, transmission rates
  adapt to load
• Incentive for dishonesty
• Dishonest TCP works better, as long as others
  follow standard TCP backoff
• Security risks
• Vulnerable to denial of service, IP-spoofing, etc.

8
Goal More robust networking

• Introduce economic incentives
• Routers administered autonomously
• Reward good behavior
• Prevent tragedy of the commons
• Include security measures
• Economics gt adaptive behavior
• Better load balancing to increase welfare
• Accounting gt increased instrumentation
• Detect, quarantine malicious behavior

9
Interdomain Routing
earthlink.net
Stanford.edu
Exterior Gateway Protocol
Autonomous System
Interior Gateway Protocol
connected group of one or more Internet Protocol
prefixes under a single routing policy (aka
domain)
10
Transit and Peering
Peering
Peering
Transit

• Transit ISP sells access
• Peering reciprocal connectivity
• BGP protocol routing announcements for both

11
BGP overview

• Iterative path announcement
• Path announcements grow from destination to
  source
• Subject to policy (transit, peering)
• Packets flow in reverse direction
• Protocol specification
• Announcements can be shortest path
• Nodes allowed to use other policies
• E.g., cold-potato routing by smaller peer
• Not obligated to use path you announce

12
BGP example D. Wetherall
3
4
1
8
2
5
6
7

• Transit 2 provides transit for 7
• 7 reaches and is reached via 2
• Peering 4 and 5 peer
• exchange customer traffic

13
Issues

• BGP convergence problems
• Protocol allows policy flexibility
• Some legal policies prevent convergence
• Even shortest-path policy converges slowly
• Incentive for dishonesty
• ISP pays for some routes, others free
• Security problems
• Potential for disruptive attacks

14
Evidence Asymmetric Routes
Alice
Bob

• Alice, Bob use cheapest routes to each other
• These are not always shortest paths
• Asymmetic routes are prevalent
• AS asymmetry in 30 of measured routes
• Finer-grained asymmetry far more prevalent

15
Mechanism Design

• Charge for goods
• Assume agents have rational self-interest
• Provide incentives via pricing function
• Traditional use
• Maximize social welfare
• Make honesty the best policy (revelation
  principle)
• Network applications
• Maximize throughput, resilience to attack
• Fake money as good as real money

16
Grand Plan
Goal
17
Multicast cost sharing
Node
link
Node

• Distribute some good
• Each node has some utility for the good
• Each link has some cost
• Which nodes get the transmission?

link
link
Node
Node
18
Multicast solutions

• Centralized scheme FPS
• Pricing algorithm that elicits true utility
• Controlled distributed scheme FPS
• Works for tamper-resistant nodes
• Problems if nodes are dishonest
• Autonomous distributed scheme
• Use signatures to verify data
• Verifying node must not share incentive to cheat

19
Traditional Goals

• Efficient
• Maximize overall welfare
• Welfare total utility of agents that get good
  
• ? total network costs for links
  used
• Strategyproof
• Agent cannot gain by lying about its utility
• May not maximize profit for sender

20
FPS Network Assumptions

• Nodes and agents
• Each node has trusted router
• Router connected to untrusted agents
• Transmission costs
• Link cost known to the two nodes at each end

Simplification will assume one agent per node
21
Centralized Scheme

• Data collection
• Agent reports utility to central authority
• Computation
• Compute welfare of each subtree
• Routing decision
• Transmit good to subtree if welfare ? 0

22
Welfare of Subtree

• Welfare of a subtree T i with cost ci
• W i u i ci if node i
  is leaf
• W i ui ci ? max(Wk, 0) otherwise
• Welfare is aggregate benefit minus cost

k child of i
23
Example Maximum welfare
cost 2
utility 3
cost 3
cost 4
utility 2
utility 1
cost 1
utility 7
If welfare is secret, how do we determine outcome?
24
How much should a node pay?

• Announced utility?
• Agent may gain by lying

Leaf will announce utility 2 since this is enough
to get the good
cost 2
utility 5

• Similar incentive for internal nodes

25
FPS Pricing Mechanism

• If agent does not receive the good
• Agent pays nothing
• If agent receives the good
• Agent pays
• the minimum bid needed to get the transmission,
  given the other players bids
• This is a VCG mechanism

26
Example price calculations
cost 2
utility 3
Welfare 1-3 6 4
cost 3
cost 4
Agent pays 0
utility 2
utility 1
Welfare 7-1 6
cost 1
Agent pays 3
utility 7
27
Strategyproof and Efficient

• Efficient (max welfare) by construction
• Add omitted subtree -gt decrease welfare
• Remove routed subtree -gt decrease welfare
• This argument assumes agents tell truth
• Agent can bid true utility
• Payment is independent of bid, given outcome
• Bid more than utility ?
• doesnt help, or pay too much
• Bid less than utility ?
• doesnt help, or dont get the transmission

28
Tell truth if you buy the good
Dont get transmission
min bid to get transmission
Get transmission
utility bid
true u
Dont get good you want
29
Tell truth if you dont buy good
Pay more than u
Dont get transmission
min bid to get transmission
Get transmission
utility bid
true u
30
Profit for content distributor?

• Whats the worst-case return?
• Marginal-cost pricing does not guarantee profit
• May lose money, fail to capture utility

cost 100
utility 0
cost 0
cost 0
utility 100
Agent pays 0
utility 100
31
Distributed implementation
cost 2
utility 3
cost 3
cost 4
utility 1
utility 2
cost 1
1) Send welfare up tree
2) Send min welfare Wmin down tree
utility 7
3) Compute payment utility -Wmin
32
Autonomous distributed model

• Agents control nodes
• They can use different utilities for different
  messages
• An agent with children can lie about the
  childrens utilities
• There is nothing to force an agent to pay the
  correct amount

33
Node can cheat its children
The truth
The cheat
source
source
cost 3
cost 3
utility 2

utility 2

cost 5
cost 5
utility 7
utility 7

Parent pays 0 Child pays 7
Parent pays 1 Child pays 6
Child cant see that parent doesnt pay
34
More ways to cheat

• Second example
• Node can cheat but all messages look consistent
• Conclusion
• Need to use payment and messages to detect
  cheating

35
Second Example
Truthful computation
source
cost 2
utility 2
1
cost 1
cost 1
utility 1
3
utility 1
2
36
Example 2
Agent 1 behaves as if utility4 until time to
pay, then utility2 Each child thinks other has
utility 3
What agent 3 thinks
Deception
source
source
cost 2
cost 2
utility 4?
utilty 2
1
1
cost 1
cost 1
cost 1
cost 1
3
3
2
2
utility 1
utility 1
utility 3
utility 1
37
Prevent cheating

• Assume public-key infrastructure
• Each node has verifiable signature
• Augment messages
• Sign data from FPS algorithm
• Parent returns signed W to child
• Nodes send payment proof
• Proof is signed data showing payment is
  calculated correctly
• Two improvements yet to come

38
Node J sends payment and proof
New data used in js proof
p
Sign(p, Wmin), Sign(p, W j )
Sign(j, W j)
j
Sign(d2, W d2 )
Sign (d1, W d1 )
Sign(j, Wmin)
Sign(j, Wmin)
utility Wd2
d2
utility Wd1
d1
Agent j pays Pj Uj min(Wmin, Wj)
where Uj cj Wj (Wd1 Wd2)
Calculation of Pj is verifiable from messages
signed by p, d1, d2.
39
Node J sends payment and proof

• Lemma
• If parent p and children d1, , dk are honest,
  then node j cannot improve own welfare by not
  sending correct values
• Proof idea
• If node does not send correct proof, we punish j
  ? node sends correct W j
• Node j cannot gain by sending incorrect data down
  tree, since these do not change P j

40
Shortcomings

• Proof checked by central authority
• Node can be mischievous
• Node cannot increase own welfare by sending bad
  values down tree
• But node can make life worse for others
• Wmin too low gt nodes below pay too much
• Wmin too high gt pay too little, distributor loses

41
Randomized checking

• Nodes pay and save proof
• Randomly select node to audit
• If node has correct proof, OK
• If node cannot show proof, punish
• Fine node, or prohibit from further transmission
  (route around bad node)
• Make punishment high enough so expected benefit
  of cheating is negative
• Reduce traffic, same outcome
• Bombay bus fine

42
Prevent Mischief
p
j
Sign(j, Wmin)
Sign(d1, Wmin)
d2
d1

• Receive signed confirmation from child
• Confirmation is required as part of proof

43
Status of Multicast Cost Sharing

• Pricing function provides incentive
• Distributed algorithm computes price
• Techniques to encourage compliance
• Nodes save signed confirmation of msgs
• Randomized auditing incents compliance
• Alternative neighbors rewarded for turning in
  cheaters
• Route around nodes that cause trouble

44
Grand Plan
Goal
45
(No Transcript)