Abstract
You put a program on a concurrent server, but you don't trust the server,
later, you get a trace of the actual requests that the server received from its
clients and the responses that it delivered. You separately get logs from the
server, these are untrusted. How can you use the logs to efficiently verify
that the responses were derived from running the program on the requests? This
is the Efficient Server Audit Problem, and it abstracts real-world scenarios,
including running a web application on an untrusted provider. We present a
solution based on several new techniques, including SIMD-on-demand replay of
requests that share the same control flow, and simulate-and-check, in which the
verifier re-executes read operations from logs, and validates the logs
opportunistically. We build a system that implements the solution for PHP-based
web applications. For several applications, our implemented verifier achieves
5.6--10.9x speedup versus simply re-executing, at the cost of less than 10
percent overhead on the server's execution.
Description
The Efficient Server Audit Problem, Deduplicated Re-execution, and the
Web
Links and resources
Tags
community