The Efficient Server Audit Problem, Deduplicated Re-execution, and the Web

TL;DR

This paper addresses verifying server responses using untrusted logs by introducing efficient techniques for concurrent re-execution and verification, with a practical implementation for PHP web apps that significantly speeds up verification.

Contribution

It presents a novel approach to efficiently verify server responses from untrusted logs, including techniques for concurrent replay and verification, with a practical implementation for PHP applications.

Findings

Verifier achieves 5.6--10.9x speedup over re-execution

Less than 10% overhead for server performance

Applicable to real-world PHP web applications

Abstract

You put a program on a concurrent server, but you don't trust the server; later, you get a trace of the actual requests that the server received from its clients and the responses that it delivered. You separately get logs from the server; these are untrusted. How can you use the logs to efficiently _verify_ that the responses were derived from running the program on the requests? This is the _Efficient Server Audit Problem_, and it abstracts real-world scenarios, including running a web application on an untrusted provider. We give a solution based on several new techniques, including simultaneous replay and efficient verification of concurrent executions. We implement the solution for PHP web applications. For several applications, our verifier achieves 5.6--10.9x speedup versus simply re-executing, with less than 10 percent overhead for the server.