Re: [Ppm] Seeking input on DAP PR #297
Simon Friedberger <simon@mozilla.com> Wed, 17 August 2022 13:17 UTC
Return-Path: <sfriedberger@mozilla.com>
X-Original-To: ppm@ietfa.amsl.com
Delivered-To: ppm@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 7A60FC1527AD for <ppm@ietfa.amsl.com>; Wed, 17 Aug 2022 06:17:16 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.108
X-Spam-Level:
X-Spam-Status: No, score=-2.108 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_BLOCKED=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=mozilla.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id UeF17Vdvj6oo for <ppm@ietfa.amsl.com>; Wed, 17 Aug 2022 06:17:15 -0700 (PDT)
Received: from mail-ej1-x630.google.com (mail-ej1-x630.google.com [IPv6:2a00:1450:4864:20::630]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 71366C1527A9 for <ppm@ietf.org>; Wed, 17 Aug 2022 06:17:15 -0700 (PDT)
Received: by mail-ej1-x630.google.com with SMTP id qn6so24426824ejc.11 for <ppm@ietf.org>; Wed, 17 Aug 2022 06:17:15 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=mozilla.com; s=google; h=to:subject:message-id:date:from:in-reply-to:references:mime-version :from:to:cc; bh=2vx6vQ5hrPFB4/6RqDn/kxdR++jSzJWkP561R56HFZA=; b=XzxlkWttxatIY0KpNabHzhmRfcC2YjqnRHLdLVgqC//zp5vUqP3we5VkhfZclUHUvV Pms4RBrYFV89eKsDiOpqABBHAhcTrn1U2Vh243pWnq8v+rIqMxz+U1kIztyklWGLbsRX AT/6MQfGQTBUNIsxCiY/cYJXmgLUHgFBc0z0E=
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=to:subject:message-id:date:from:in-reply-to:references:mime-version :x-gm-message-state:from:to:cc; bh=2vx6vQ5hrPFB4/6RqDn/kxdR++jSzJWkP561R56HFZA=; b=rUUe3hXTylq8w36BDkvDYgNEqzvrwDNkdCAsDB1ulqCriFcPT2RzVNe/qaGyuD5uai qikiZv/A9swQJCLZ9NLgNFpPyTnGxIKtGrcbnsoQrfLhpqIFfVeCS9kn3yHhNoMdvWXn GJ56IbSZgk+ppEPkjV6be++S/pOw3PV/8B8j8+YT7hjNPwioZJYLDUTcph/Hk6E+/i5i tjk4Y6JLSnFZHCpYJghOOtX90pbyAwqHqwRQwz/pirPV5C4XW9SpW6QMXevghPD7TSC7 g63+H4gFaw6jtvq9S9t/GdoIDwDlIAZO6qkFT5al1EMNhl6XzABlOCtouVbIzqfu1XVT fE+Q==
X-Gm-Message-State: ACgBeo3vUWLM0WT5FiFFQU5TJrY1bXrVNpwHOJMvV/sHj283yBgMN3Yl P5RlTLwrUsjGIUs+KQKjg2Gh+34vZGLUqCLNoTg4gNxgYAUc2A==
X-Google-Smtp-Source: AA6agR7rVLqxeNocyEs9dq+MYGEuAacvZbuIr60NxOJsX1DS+OikKg/4fSVww3Ny4/qVeynw107685XHS9z6qZA8pYc=
X-Received: by 2002:a17:907:9694:b0:731:8022:94f6 with SMTP id hd20-20020a170907969400b00731802294f6mr16625678ejc.398.1660742232859; Wed, 17 Aug 2022 06:17:12 -0700 (PDT)
MIME-Version: 1.0
References: <CAG2Zi22BUdB+PhjWVneBSDb-c8-MnrpiYk5zV8PF4-mo6k7hqA@mail.gmail.com> <2aa207b5-7db5-cff5-aa41-eb00c8dc147b@mozilla.com> <CAG2Zi232UE3-TCy93dRM1u-jnS_1yuzbdmfxB3+4=+bnHyp5pA@mail.gmail.com>
In-Reply-To: <CAG2Zi232UE3-TCy93dRM1u-jnS_1yuzbdmfxB3+4=+bnHyp5pA@mail.gmail.com>
From: Simon Friedberger <simon@mozilla.com>
Date: Wed, 17 Aug 2022 15:17:02 +0200
Message-ID: <CAGkoAS3UaH4Gn-=R--siY8zG_FXg=a01mvXE55CAv1qmMsoNzA@mail.gmail.com>
To: ppm <ppm@ietf.org>
Content-Type: multipart/alternative; boundary="000000000000da967f05e66fae85"
Archived-At: <https://mailarchive.ietf.org/arch/msg/ppm/toGJnlszhjt2ezOMEojiYx62q3M>
Subject: Re: [Ppm] Seeking input on DAP PR #297
X-BeenThere: ppm@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: Privacy Preserving Measurement technologies <ppm.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ppm>, <mailto:ppm-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ppm/>
List-Post: <mailto:ppm@ietf.org>
List-Help: <mailto:ppm-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ppm>, <mailto:ppm-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 17 Aug 2022 13:17:16 -0000
The leader can select the batches which will get aggregated which allows a powerful Sybil attack. I think there was an implicit assumption that the leader is somewhat restricted here due to `min_batch_duration` and the requirement for batches not to overlap. Now, with fixed size tasks we lose the restriction on `min_batch_duration` and with something like location-based batches as described in #183 we lose the non-overlapping property. Ideas for fixes: 1. We could have the collector sign the request and the helper authenticate it. However, that would require non-collusion between leader and collector to be useful. And then the collector might still be able to inject fake reports fairly easily and do a similar attack. 2. A non-colluding OHTTP proxy might help because it can prevent the leader from identifying individual reports. On Mon, Aug 15, 2022 at 5:17 PM Christopher Patton <cpatton@cloudflare.com> wrote: > > > >> First, the statement "the Client knows exactly which batch its report is >> included" is dubious. While the client technically knows that its report >> is in a batch that covers its timestamp, this does not constrain when >> that batch starts or ends, how many other reports there are in it, which >> reports from the same time window have been dropped, etc. So what kind >> of useful assurances can the client derive from this? >> > > That's the question here :) > > Only one thing comes to mind for me. Without (3.), it seems easy for a > malicious Leader to do a Sybil attack "on the side". In DAP-01, the Leader > can aggregate a batch of one honest report with min_batch_size -1 bogus > reports and, colluding with the Collector, learn the aggregate result. > However this attack has a cost: because the batch corresponds to an > interval of time which MUST NOT overlap with any previous or future batch > interval, the Leader has to throw away all other honestly generated reports > in the target interval. Without (3.) -- suppose we decide in DAP-02 not to > send the batch interval in the AggregateShareReq -- the Leader can run this > bogus aggregation on the side, without impacting throughput of real reports. > > Now, the fact that (3.) imposes this cost does not immediately benefit the > Client, but perhaps there is a way to audit the Leader to make sure it's > ingesting reports properly. (This is a bit contrived, but follow along with > me for a second.) In particular, after the batch interval elapses in which > its report would have been included, the Client could ask the Leader and > Helper to see if its report was ingested. > > Of course, this attack falls into a bucket of other Sybil attacks that we > currently don't have defenses for. We're not likely to find a > one-size-fits-all solution for this problem, but it seems like there is a > lot we can do to at least mitigate Sybil attacks or make them harder. > Property (3.) seems to me like it would help. > > That said, I view this as a "nice to have", but not a requirement for all > query types. I would like to spell the protocol in a way that enables it. > > > >> Second, there are technical issues. It is not clear that property (1.) >> holds because it clashes with >> https://github.com/ietf-wg-ppm/draft-ietf-ppm-dap/issues/183. We just >> have it because we haven't sorted out >> https://github.com/ietf-wg-ppm/draft-ietf-ppm-dap/issues/195 yet. >> > > We have (1.) because we prevent batches from overlapping, i.e., we have > (2.). You're right that, if/when we relax (2.), we'll definitely have to do > something else. > > Chris P. > >
- [Ppm] Seeking input on DAP PR #297 Christopher Patton
- Re: [Ppm] Seeking input on DAP PR #297 Simon Friedberger
- Re: [Ppm] Seeking input on DAP PR #297 Christopher Patton
- Re: [Ppm] Seeking input on DAP PR #297 Simon Friedberger