How to Securely Replicate Services
- 1 June 1992
- report
- Published by Defense Technical Information Center (DTIC)
Abstract
Distributed systems are often structured in terms of clients and services. A service exports a set of commands, which clients invoke by issuing requests to the service. After executing a command, the service may return an appropriate response to the client that invoked the command. In the simplest case, the service is implemented by only one server. If this server is not sufficiently immune to failure, however, then the service must be replicated. In hostile environments, replication introduces other problems. For instance, it is often more difficult, or at least requires more resources, to protect many servers from corruption by an intruder than it is to protect only a single server. A replicated service should thus be designed to remain available and correct despite several servers being corrupted by an intruder (in addition to others failing benignly). One way to do this employs the state machine approach to replicating the service, so that each server individually computes the response and sends it to the client. If the client authenticates the response from each server and accepts the response, if any, sent by a majority of servers, then it obtains the correct response if a majority of servers are correct. Such schemes, however, require that the client be able to identify and authenticate the servers that comprise the service.
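The client-side acceptance rule described in the abstract, as an added example that is not code from the report. It assumes the client shares an HMAC-SHA256 key with each server (one possible way to authenticate responses) and that each request carries an identifier; `tag`, `accept`, `KEYS` and all sample values are hypothetical and constructed.

```python
import hashlib
import hmac
from collections import Counter

# Constructed sample keys: one secret shared between the client and each server.
KEYS = {f"s{i}": hashlib.sha256(b"constructed-key-%d" % i).digest() for i in range(5)}


def tag(key: bytes, server_id: str, request_id: bytes, response: bytes) -> bytes:
    """MAC binding a response to the server that sent it and to one request."""
    h = hmac.new(key, digestmod=hashlib.sha256)
    for part in (server_id.encode(), request_id, response):
        # Length-prefix every field so field boundaries cannot be shifted.
        h.update(len(part).to_bytes(4, "big") + part)
    return h.digest()


def accept(keys: dict, request_id: bytes, replies: list):
    """Return the response sent by a majority of ALL servers, else None.

    keys    -- server_id -> key shared with that server (the service membership)
    replies -- (server_id, response, mac) tuples as read from the network
    """
    votes = {}
    for server_id, response, mac in replies:
        key = keys.get(server_id)
        if key is None:
            continue  # sender is not one of the servers that make up the service
        expected = tag(key, server_id, request_id, response)
        if not hmac.compare_digest(mac, expected):
            continue  # forged, corrupted in transit, or replayed from another request
        # One vote per server: a corrupted server cannot vote twice.
        votes.setdefault(server_id, response)
    if not votes:
        return None
    response, count = Counter(votes.values()).most_common(1)[0]
    # The majority is taken over the full membership, not over replies received,
    # so silent (benignly failed) servers never lower the threshold.
    return response if count > len(keys) // 2 else None


if __name__ == "__main__":
    rid = b"req-1"
    ok = [(s, b"balance=100", tag(KEYS[s], s, rid, b"balance=100")) for s in ("s0", "s1", "s2")]
    bad = [(s, b"balance=999", tag(KEYS[s], s, rid, b"balance=999")) for s in ("s3", "s4")]
    print(accept(KEYS, rid, ok + bad))      # three correct servers out of five
    print(accept(KEYS, rid, ok[:2] + bad))  # no majority, nothing is accepted
```

The key table is exactly the requirement the abstract ends on: the client must already know which servers make up the service and hold the means to authenticate each of them.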