Worm-IT – A wormhole-based intrusion-tolerant group communication system

Miguel Correia a,*, Nuno Ferreira Neves a, Lau Cheuk Lung b, Paulo Veríssimo a

a Faculdade de Ciências da Universidade de Lisboa, Departamento de Informática, Campo Grande, Bloco C6, Piso 3, 1749-016 Lisboa, Portugal
b Programa de Pós-Graduação em Informática Aplicada, Pontifícia Universidade Católica do Paraná, Rua Imaculada Conceição, 1155, 80.215-901, Brazil

Received 26 October 2005; received in revised form 28 March 2006; accepted 30 March 2006

Abstract

This paper presents Worm-IT, a new intrusion-tolerant group communication system with a membership service and a view-synchronous atomic multicast primitive. The system is intrusion-tolerant in the sense that it behaves correctly even if some nodes are corrupted and become malicious. It is based on a novel approach that enhances the environment with a special secure distributed component, used by the protocols to securely execute a few crucial operations. Using this approach, we bring together two important features: Worm-IT tolerates the maximum number of malicious members possible, and it does not have to detect the failure of primary members, a problem in previous intrusion-tolerant group communication systems.

© 2006 Elsevier Inc. All rights reserved.

Keywords: Byzantine fault tolerance; Intrusion tolerance; Group communication; View synchrony; Asynchronous distributed algorithms

1. Introduction

Group communication is a well-known paradigm for the construction of distributed applications. This paradigm has been successfully used to support a large range of fault-tolerant applications, from databases to web servers. Some examples of current applications are the Internet Seismic Processing System (INSP) 1, the Zope Replication Service 2 and PostgreSQL-R 3. These applications use group communication to support replication, thus increasing fault tolerance.

The two main components of a group communication system are the membership and the communication services. The membership service is the component in charge of keeping an updated list of the group members, processing joins and leaves of the group, and assessing the failure of members. The communication service provides primitives for data transmission in the group, e.g., reliable, causal order or total order multicasts.

This paper presents the design and evaluation of the Wormhole-based Intrusion-Tolerant Group Communication System (Worm-IT). This system appears in the context of recent work in intrusion tolerance, i.e., on the application of fault tolerance concepts and techniques to the security field (Fraga and Powell, 1985; Adelsbach et al., 2002; Veríssimo et al., 2003). A system is intrusion-tolerant if it tolerates arbitrary faults, including both accidental and malicious faults, such as attacks and intrusions (also called Byzantine faults in the literature, after Lamport et al., 1982). In other words, the system should continue to provide correct services and follow its specification despite a number of intrusions in the processors and attacks on the network (e.g., delay, modification, or replay of messages), so that it can be used to implement secure distributed applications. For instance, take the example applications above that use

* Corresponding author. Tel.: +351 217500125; fax: +351 217500084.
E-mail addresses: mpc@di.fc.ul.pt (M. Correia), nuno@di.fc.ul.pt (N.F. Neves), lau@ppgia.pucpr.br (L.C. Lung), pjv@di.fc.ul.pt (P. Veríssimo).
1 http://www.3dgeo.com/products/insp.html.
2 http://www.zope.com/products/zope_replication_services.html.
3 http://gborg.postgresql.org/project/pgreplication/

doi:10.1016/j.jss.2006.03.034
The Journal of Systems and Software xxx (2006) xxx–xxx (article in press)
www.elsevier.com/locate/jss