
Number of slides: 45
Mechanism Design and Computer Security. John Mitchell, Vanessa Teague, Stanford University
The Internet. Three kinds of behavior: blind obedience, rational self-interest, malicious disruption
Outline for this workshop talk ◆ Some network problems • Congestion control, interdomain routing ◆ Algorithmic mechanism design • Pricing function provides incentives ◆ Distributed mechanisms and security • Distributed implementation by rational agents • Prevent malicious acts by rational agents • Open problem: irrational malicious agents. Warning: bait and switch
TCP/IP Transmission (Source → Destination) ◆ TCP provides reliable delivery • Source packets carry sequence numbers • Destination acknowledges • If a packet is lost, the source resends
TCP Congestion Control (Source → Destination) ◆ If packets are lost, assume congestion • Reduce transmission rate by half, repeat • If loss stops, increase rate very slowly (additive increase). Design assumes sending hosts blindly obey this policy; nothing in the network enforces it
Competition (Source A, Source B → Destination) ◆ Amiable Alice yields to boisterous Bob • Alice and Bob both experience packet loss • Alice backs off • Bob disobeys the protocol and gets better results
What’s the point? ◆ TCP/IP assumes honesty • If everyone follows the protocol, transmission rates adapt to load ◆ Incentive for dishonesty • Dishonest TCP works better, as long as others follow the standard TCP backoff ◆ Security risks • Vulnerable to denial of service, IP spoofing, etc.
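The Alice-and-Bob competition of the previous slides, as an added simulation that is not part of the original talk. Two sources share one bottleneck; both add one unit of rate per round, and whenever the offered load exceeds the link capacity every flow sees loss. Alice always halves her rate on loss; Bob either halves it too or ignores the loss. The fixed capacity, the additive step, and the assumption that a congested link shares its capacity in proportion to offered rate are this example's own simplifications.

```python
def simulate(rounds=400, capacity=100.0, step=1.0, bob_backs_off=True):
    """Return cumulative goodput (alice, bob) over `rounds` rounds.

    Additive increase: both rates grow by `step` each round.
    Multiplicative decrease: an honest source halves its rate after a round
    in which offered load exceeded capacity; a cheater does not.
    """
    alice = bob = step           # initial sending rates (constructed)
    got_alice = got_bob = 0.0
    for _ in range(rounds):
        offered = alice + bob
        # Under congestion each flow is served in proportion to its rate
        # (assumption: a drop-tail link with no per-flow fairness).
        share = min(1.0, capacity / offered)
        got_alice += alice * share
        got_bob += bob * share
        if offered > capacity:   # both flows observe loss this round
            alice /= 2           # Alice follows the protocol
            if bob_backs_off:
                bob /= 2         # honest Bob
        alice += step            # additive increase for both
        bob += step
    return got_alice, got_bob


def advantage_of_cheating(**kw):
    """Bob's goodput when he follows TCP backoff vs. when he ignores loss,
    plus what Alice gets in each case."""
    alice_h, bob_h = simulate(bob_backs_off=True, **kw)
    alice_c, bob_c = simulate(bob_backs_off=False, **kw)
    return {"alice_vs_honest": alice_h, "bob_honest": bob_h,
            "alice_vs_cheat": alice_c, "bob_cheat": bob_c}


if __name__ == "__main__":
    for k, v in advantage_of_cheating().items():
        print(f"{k:>16}: {v:10.0f}")
```

With identical honest flows the two totals are exactly equal; once Bob stops backing off, Alice keeps halving while Bob keeps growing, so Bob ends up with almost the whole link and Alice with almost nothing. That asymmetry, not any bug in TCP, is the incentive the slides are pointing at.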
Goal: more robust networking ◆ Introduce economic incentives • Routers administered autonomously ◆ Reward good behavior • Prevent tragedy of the commons ◆ Include security measures • Economics => adaptive behavior – Better load balancing to increase welfare • Accounting => increased instrumentation – Detect, quarantine malicious behavior
Interdomain Routing (figure: earthlink.net and stanford.edu; Exterior Gateway Protocol between them, Interior Gateway Protocol within each) ◆ Autonomous System: connected group of one or more Internet Protocol prefixes under a single routing policy (aka domain)
Transit and Peering ◆ Transit: ISP sells access ◆ Peering: reciprocal connectivity ◆ BGP protocol: routing announcements for both
BGP overview ◆ Iterative path announcement • Path announcements grow from destination to source • Subject to policy (transit, peering) • Packets flow in the reverse direction ◆ Protocol specification • Announcements can be shortest path • Nodes allowed to use other policies – E.g., “cold-potato routing” by smaller peer • Not obligated to use the path you announce
BGP example [D. Wetherall] (figure: seven ASes numbered 1–7 with AS-path announcements such as 234, 7265, 3265, 6234) ◆ Transit: 2 provides transit for 7 • 7 reaches and is reached via 2 ◆ Peering: 4 and 5 peer • exchange customer traffic
Issues ◆ BGP convergence problems • Protocol allows policy flexibility • Some legal policies prevent convergence • Even shortest-path policy converges slowly ◆ Incentive for dishonesty • ISP pays for some routes, others are free ◆ Security problems • Potential for disruptive attacks
Evidence: Asymmetric Routes (figure: Alice and Bob) ◆ Alice and Bob use the cheapest routes to each other ◆ These are not always shortest paths ◆ Asymmetric routes are prevalent • AS-level asymmetry in 30% of measured routes • Finer-grained asymmetry far more prevalent
Mechanism Design ◆ Charge for goods • Assume agents have rational self-interest • Provide incentives via a pricing function ◆ Traditional use • Maximize social welfare • Make honesty the best policy (revelation principle) ◆ Network applications • Maximize throughput, resilience to attack • Fake money as good as real money
Grand Plan (matrix). Columns: Multicast distribution, Interdomain routing, Congestion control. Rows: Pricing function, Distributed mechanism, Rational agents, Irrational agents (goal)
Multicast cost sharing (figure: tree of nodes joined by links) • Distribute some good • Each node has some utility for the good • Each link has some cost • Which nodes get the transmission?
Multicast solutions ◆ Centralized scheme [FPS] • Pricing algorithm that elicits true utility ◆ Controlled distributed scheme [FPS] • Works for tamper-resistant nodes • Problems if nodes are dishonest ◆ Autonomous distributed scheme • Use signatures to verify data • Verifying node must not share the incentive to cheat
Traditional Goals • Efficient – Maximize overall welfare – Welfare = total utility of agents that get the good minus total network cost of the links used • Strategyproof – Agent cannot gain by lying about its utility. May not maximize profit for the sender
FPS Network Assumptions ◆ Nodes and agents • Each node has a trusted router • Router connected to untrusted agents ◆ Transmission costs • Link cost known to the two nodes at each end. Simplification: assume one agent per node
Centralized Scheme ◆ Data collection • Agent reports utility to central authority ◆ Computation • Compute welfare of each subtree ◆ Routing decision • Transmit good to subtree if welfare ≥ 0
Welfare of Subtree ◆ Welfare of a subtree T_i rooted at node i, with cost c_i on the link into i • W_i = u_i – c_i if node i is a leaf • W_i = u_i – c_i + Σ_{k child of i} max(W_k, 0) otherwise. Welfare is aggregate benefit minus cost
Example: maximum welfare. Root (utility 3, cost 2) has two children: a node (utility 2, cost 4) with welfare 2 – 4 = –2, and a node (utility 1, cost 3) whose only child is a leaf (utility 7, cost 1) with welfare 7 – 1 = 6. The second node's welfare is 1 – 3 + 6 = 4, and the root's is 3 – 2 + 0 + 4 = 5 (the negative subtree contributes 0). If welfare is secret, how do we determine the outcome?
How much should a node pay? ◆ Announced utility? • Agent may gain by lying: a leaf with cost 2 and utility 5 will announce utility 2, since this is enough to get the good • Similar incentive for internal nodes
FPS Pricing Mechanism ◆ If agent does not receive the good • Agent pays nothing ◆ If agent receives the good • Agent pays the minimum bid needed to get the transmission, given the other players’ bids. This is a VCG mechanism
Example price calculations, on the tree above. Root (utility 3, cost 2): welfare 3 – 2 + 0 + 4 = 5, pays 0. Node (utility 2, cost 4): welfare 2 – 4 = –2, not transmitted, pays 0. Node (utility 1, cost 3): welfare 1 – 3 + 6 = 4, pays 0. Leaf (utility 7, cost 1): welfare 7 – 1 = 6, agent pays 3 (a bid of 3 is the least that keeps every subtree on its path to the root at welfare ≥ 0)
Strategyproof and Efficient ◆ Efficient (max welfare) by construction • Add an omitted subtree -> decrease welfare • Remove a routed subtree -> decrease welfare. This argument assumes agents tell the truth ◆ Agent can bid true utility • Payment is independent of bid, given the outcome • Bid more than utility – doesn’t help, or pay too much • Bid less than utility – doesn’t help, or don’t get the transmission
Figure: outcome as a function of the utility bid (x-axis), with the true utility u marked and a vertical line at the minimum bid needed to get the transmission. Tell the truth if you would buy the good: any bid below the minimum means “don’t get transmission” for a good you want, any bid at or above it means “get transmission” at the same price
Figure: same axes, with the true utility u below the minimum bid. Tell the truth if you would not buy the good: bidding at or above the minimum gets the transmission but pays more than u
Profit for content distributor? ◆ What’s the worst-case return? • Marginal-cost pricing does not guarantee profit • May lose money, fail to capture utility. Example: a chain of three nodes, top (utility 100, cost 0) → middle (utility 0, cost 100) → leaf (utility 100, cost 0). Welfare: leaf 100 – 0 = 100, middle 0 – 100 + 100 = 0, top 100 – 0 + 0 = 100. Every agent pays 0, while the distributor bears link cost 100
Distributed implementation: 1) Send welfare up the tree 2) Send the minimum welfare Wmin down the tree 3) Compute payment = utility – Wmin. On the example tree: root welfare 3 – 2 + 4 = 5, Wmin = 5; node (utility 2, cost 4) welfare 2 – 4 = –2, “No transmission”; node (utility 1, cost 3) welfare 1 – 3 + 6 = 4, Wmin = 4; leaf (utility 7, cost 1) welfare 7 – 1 = 6, Wmin = 4
Autonomous distributed model ◆ Agents control nodes • They can use different utilities for different messages • An agent with children can lie about the children’s utilities • There is nothing to force an agent to pay the correct amount
Node can cheat its children. The truth: source → parent (utility 2, cost 3) → child (utility 7, cost 5). Child welfare 7 – 5 = 2; parent welfare 2 – 3 + 2 = 1; Wmin = 1 for both; parent pays 1, child pays 6. The cheat: the parent tells the child Wmin = 0; the child pays 7 and the parent pays 0. The child can’t see that the parent doesn’t pay
More ways to cheat • Second example – Node can cheat while all messages look consistent • Conclusion – Need to use both payments and messages to detect cheating
Second example, truthful computation: source → node 1 (utility 2, cost 2) with children node 2 (utility 1, cost 1) and node 3 (utility 1, cost 1). Welfare: node 2: 1 – 1 = 0; node 3: 1 – 1 = 0; node 1: 2 – 2 + 0 + 0 = 0. Wmin = 0 everywhere. Pay: node 1 pays 2, node 2 pays 1, node 3 pays 1
Example 2, deception: agent 1 behaves as if its utility were 4 until it is time to pay, then reports utility 2; each child is told the other child has utility 3 (welfare 2). What agent 3 thinks: node 1 welfare 2 – 2 + 0 + 2 = 2, so Wmin = 2 for node 1, node 2 and node 3 (welfare 1 – 1 = 0 each); agent 3 pays 0. Agent 2 sees the mirror image and pays 0, and agent 1 pays 0. Every message each child sees is consistent
Prevent cheating ◆ Assume a public-key infrastructure • Each node has a verifiable signature ◆ Augment messages • Sign the data from the FPS algorithm • Parent returns signed W to child ◆ Nodes send payment + proof • Proof is signed data showing the payment is calculated correctly. Two improvements yet to come
Node j sends payment and proof. New data used in j’s proof: from parent p, Sign(p, Wmin) and Sign(p, W_j); from j up to p, Sign(j, W_j); from children d1, d2 up to j, Sign(d1, W_d1) and Sign(d2, W_d2); from j down to each child, Sign(j, Wmin). Agent j pays P_j = U_j – min(Wmin, W_j), where U_j = c_j + W_j – (W_d1 + W_d2). The calculation of P_j is verifiable from messages signed by p, d1, d2
Node j sends payment and proof ◆ Lemma • If parent p and children d1, …, dk are honest, then node j cannot improve its own welfare by not sending correct values ◆ Proof idea • If node j does not send a correct proof, we punish it, so j sends the correct W_j • Node j cannot gain by sending incorrect data down the tree, since these do not change P_j
Shortcomings ◆ Proof checked by central authority ◆ Node can be mischievous • Node cannot increase its own welfare by sending bad values down the tree • But node can make life worse for others – Wmin too low => nodes below pay too much – Wmin too high => nodes below pay too little, distributor loses
Randomized checking ◆ Nodes pay and save their proof ◆ Randomly select a node to audit • If the node has a correct proof, OK • If the node cannot show a proof, punish – Fine the node, or prohibit it from further transmission (route around the bad node) • Make the punishment high enough that the expected benefit of cheating is negative ◆ Reduce traffic, same outcome. Bombay bus fine…
Prevent Mischief (figure: j sends Sign(j, Wmin) to children d1, d2; each child returns Sign(d1, Wmin)) • Receive signed confirmation from child • Confirmation is required as part of the proof
Status of Multicast Cost Sharing ◆ Pricing function provides incentive ◆ Distributed algorithm computes price ◆ Techniques to encourage compliance • Nodes save signed confirmations of messages • Randomized auditing incents compliance – Alternative: neighbors rewarded for turning in cheaters • Route around nodes that cause trouble
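The distributed scheme with signed messages, as an added example that is not code from the talk: the parent-cheats-child scenario (source → parent with utility 2, cost 3 → child with utility 7, cost 5), the proof a node keeps (parent's signed Wmin and echo of its W, children's signed W values, children's signed confirmations of the Wmin it forwarded), and an audit that recomputes P_j = U_j – min(Wmin, W_j) with U_j = c_j + W_j – Σ max(W_d, 0) and checks the forwarded Wmin. Assumptions: HMAC-SHA256 with per-node keys held by the auditor stands in for the per-node public-key signatures the slides assume; the source is modelled as a node with utility 0 and cost 0; the `lie_wmin` and `claim` knobs that make a node cheat are this example's constructions.

```python
import hashlib
import hmac
import json

# Constructed per-node keys; the auditor holds them all (stand-in for a PKI).
KEYS = {n: f"demo-key-{n}".encode() for n in ("src", "p", "d")}


def sign(signer, *fields):
    """(signer, fields, tag): tag is HMAC-SHA256 over a canonical encoding."""
    payload = json.dumps([signer, list(fields)]).encode()
    return (signer, tuple(fields), hmac.new(KEYS[signer], payload, hashlib.sha256).hexdigest())


def verify(msg):
    signer, fields, tag = msg
    payload = json.dumps([signer, list(fields)]).encode()
    return hmac.compare_digest(tag, hmac.new(KEYS[signer], payload, hashlib.sha256).hexdigest())


class Node:
    def __init__(self, name, utility, cost, children=(), lie_wmin=None, claim=None):
        self.name, self.utility, self.cost, self.children = name, utility, cost, list(children)
        self.lie_wmin = lie_wmin    # cheat: Wmin announced to children instead of the true one
        self.claim = claim          # cheat: payment declared instead of the computed one
        self.W = self.Wmin = self.payment = None
        self.proof = {"from_parent": None, "from_children": [], "confirmations": []}

    def send_up(self):
        """Step 1: collect each child's signed W_k, compute and sign own W."""
        self.proof["from_children"] = [c.send_up() for c in self.children]
        self.W = self.utility - self.cost + sum(max(m[1][0], 0) for m in self.proof["from_children"])
        return sign(self.name, self.W)

    def send_down(self, from_parent):
        """Step 2: parent's signed (Wmin_p, echo of my W) gives Wmin = min(Wmin_p, W);
        forward Wmin to the children and keep their signed confirmations.
        Step 3: pay utility - Wmin (nothing if not transmitted).
        Returns this node's signed confirmation of the Wmin it was told."""
        self.proof["from_parent"] = from_parent
        wmin_parent = from_parent[1][0] if from_parent else self.W    # root: Wmin = W
        self.Wmin = min(wmin_parent, self.W)
        announced = self.Wmin if self.lie_wmin is None else self.lie_wmin
        self.proof["confirmations"] = [c.send_down(sign(self.name, announced, c.W))
                                       for c in self.children]
        computed = max(0, self.utility - self.Wmin) if self.Wmin >= 0 else 0
        self.payment = computed if self.claim is None else self.claim
        return sign(self.name, wmin_parent)


def audit(j):
    """Recompute j's payment from the messages its parent and children signed;
    return a list of findings (empty means the proof checks out)."""
    if j.proof["from_parent"] is None:
        return []                   # the distributor itself is the auditor here
    msgs = [j.proof["from_parent"], *j.proof["from_children"], *j.proof["confirmations"]]
    if not all(verify(m) for m in msgs):
        return ["bad signature"]
    wmin_parent, w_j = j.proof["from_parent"][1]
    w_children = [m[1][0] for m in j.proof["from_children"]]
    u_j = j.cost + w_j - sum(max(w, 0) for w in w_children)     # U_j from signed data only
    wmin_j = min(wmin_parent, w_j)
    expected = max(0, u_j - wmin_j) if wmin_j >= 0 else 0         # P_j = U_j - min(Wmin, W_j)
    findings = []
    if j.payment != expected:
        findings.append(f"{j.name} paid {j.payment}, proof implies {expected}")
    for m in j.proof["confirmations"]:                            # mischief check
        if m[1][0] != wmin_j:
            findings.append(f"{m[0]} confirms Wmin={m[1][0]} but {j.name}'s Wmin is {wmin_j}")
    return findings


def run(lie_wmin=None, claim=None):
    """source -> p (utility 2, cost 3) -> d (utility 7, cost 5); p may cheat."""
    d = Node("d", 7, 5)
    p = Node("p", 2, 3, [d], lie_wmin=lie_wmin, claim=claim)
    src = Node("src", 0, 0, [p])
    src.send_up()
    src.send_down(None)
    return {n.name: n for n in (src, p, d)}


if __name__ == "__main__":
    for label, nodes in (("truth", run()), ("cheat", run(lie_wmin=0, claim=0))):
        print(label, {n: (x.payment, audit(x)) for n, x in nodes.items() if n != "src"})
```

Honestly run, p pays 1 and d pays 6 and both proofs are clean. When p tells d that Wmin is 0 and declares a payment of 0, d pays 7 and d's own proof is still internally consistent, which is the "child can't see" point; auditing p, however, yields two findings, the payment mismatch from the parent-signed Wmin and the child's signed confirmation of a Wmin that p's proof does not support. Altering any signed field fails signature verification before the arithmetic is even checked.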
Grand Plan (recap of the matrix). Columns: Multicast distribution, Interdomain routing, Congestion control. Rows: Pricing function, Distributed mechanism, Rational agents, Irrational agents (goal)