You put a program on a concurrent server, but you don't trust the server; later, you get a trace of the actual requests that the server received from its clients and the responses that it delivered. You separately get logs from the server; these are untrusted. How can you use the logs to efficiently _verify_ that the responses were derived from running the program on the requests? This is the _Efficient Server Audit Problem_, and it abstracts real-world scenarios, including running a web application on an untrusted provider. We give a solution based on several new techniques, including simultaneous replay and efficient verification of concurrent executions. We implement the solution for PHP web applications. For several applications, our verifier achieves 5.6--10.9x speedup versus simply re-executing, with less than 10 percent overhead for the server.
@article{arxiv.1709.08501,
title = {The Efficient Server Audit Problem, Deduplicated Re-execution, and the Web},
author = {Cheng Tan and Lingfan Yu and Joshua B. Leners and Michael Walfish},
journal= {arXiv preprint arXiv:1709.08501},
year = {2018}
}
Comments
Extended version of a publication at SOSP 2017. v2 updates the extended version to be consistent with the published SOSP version, and corrects some additional typos