\section{Attacks on the Trust System}
\label{sec:attacks-trust}

There are a variety of attacks which are possible on the Free Haven
system.\footnote{This section was written by Brian Sniffen.}  Many of
these attacks are far outside the scope of the Trust Module: social
attacks on system security and servnet node operators, political
attacks to discourage servnet use, government and legal attacks to
shut down nodes or arrest operators, denial of service attacks on the
anonymous communications channel, and attacks on the infrastructure
of the server network.

Some of these attacks, such as temporary denials of service, have
negative repercussions on the trust of a node.  These repercussions
might be qualified as ``unfair,'' but are best considered in the
following light: if a node is vulnerable to these attacks, it is not
capable of meeting the specifications of the Free Haven protocol.
Such a node is not worthy of trust to meet those specifications.  The
trust system does not judge intent, merely actions.

\subsection{Simple Betrayal}
The simplest attack is this: Become part of the Servnet, earn trust,
then betray it by deleting files before their expiration dates.  The
trust economy is designed to make this as unprofitable as possible.
The size-time currency means that a corrupt node has to donate at
least as much to the Free Haven as it removes.  This 50\% useful work
ratio is a rather loose lower bound --- it requires duping a great
number of high-metatrust nodes into recommending you.  

A node which engages in this behavior should be caught by the buddy
system when it deletes each share.  

\subsection{Buddy Coopting}
It is possible for a corrupt node to gain control of both a share and
its buddy; at this point it can delete one of them without
repercussions.  This means that corrupt nodes can defeat the buddy
system by capturing both buddies, then deleting them.

A possible work-around to this attack involves separating the contact
addresses for trading and for buddy checking, preventing corrupt nodes
from acquiring the buddies of the shares they already have.  Such an
approach adds a great deal of complexity, and opens other attack
avenues.
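The two sections above describe what the buddy system is meant to catch and where it goes blind. The following toy simulation, added here as an illustration rather than taken from the Free Haven code, models shares paired with buddies, a directory of who last held each share, a size-time ledger per node, and a buddy check run by honest holders. It then plays both scenarios: a corrupt node deleting a share whose buddy sits elsewhere (detected, trust penalised) and the same node deleting a share whose buddy it also holds (no honest node ever checks, so nothing is detected). All node names, sizes, expiry steps and the one-point trust penalty are constructed for the example; the size-time accounting is a simplified stand-in for the currency described in the text.

```python
"""Toy model of the Free Haven buddy check with size-time accounting.
Added example, not Free Haven code; node names, sizes and time steps are constructed."""
from dataclasses import dataclass, field


@dataclass
class Share:
    share_id: str
    buddy_id: str
    size: int      # bytes
    expires: int   # time step after which dropping the share is legitimate


@dataclass
class Node:
    name: str
    honest: bool = True
    shares: dict = field(default_factory=dict)      # share_id -> Share
    held_since: dict = field(default_factory=dict)  # share_id -> time step stored
    donated: int = 0   # size-time actually served (bytes * steps)
    removed: int = 0   # size-time destroyed by deleting before expiry


class Servnet:
    """Network state: nodes, a directory of who last held each share, trust scores, alerts."""

    def __init__(self, nodes):
        self.nodes = {n.name: n for n in nodes}
        self.directory = {}                         # share_id -> holder name
        self.trust = {n.name: 0 for n in nodes}     # simplified trust: penalty count
        self.alerts = []                            # (time, reporter, blamed, missing share)

    def store(self, name, share, now):
        node = self.nodes[name]
        node.shares[share.share_id] = share
        node.held_since[share.share_id] = now
        self.directory[share.share_id] = name

    def delete(self, name, share_id, now):
        """Drop a share: credit the time it was served, debit the size-time lost if early."""
        node = self.nodes[name]
        share = node.shares.pop(share_id)
        node.donated += share.size * (now - node.held_since.pop(share_id))
        if now < share.expires:
            node.removed += share.size * (share.expires - now)

    def buddy_check(self, name, share_id, now):
        """Holder of share_id asks the recorded holder of its buddy whether it still exists.
        A buddy missing before expiry costs its last holder a trust point."""
        share = self.nodes[name].shares[share_id]
        buddy_holder = self.directory[share.buddy_id]
        if share.buddy_id in self.nodes[buddy_holder].shares:
            return True
        if now < share.expires:
            self.trust[buddy_holder] -= 1
            self.alerts.append((now, name, buddy_holder, share.buddy_id))
        return False

    def run_checks(self, now):
        """Honest nodes check the buddy of every share they hold; a corrupt node reports nothing."""
        for node in self.nodes.values():
            if node.honest:
                for share_id in list(node.shares):
                    self.buddy_check(node.name, share_id, now)


def useful_work_ratio(node):
    """Share of the size-time a node touched that it actually served (1.0 if nothing touched)."""
    total = node.donated + node.removed
    return node.donated / total if total else 1.0


def scenario_betrayal():
    """Simple betrayal: the corrupt node deletes a share whose buddy sits on an honest node."""
    net = Servnet([Node("alice"), Node("mallory", honest=False)])
    net.store("alice", Share("doc1-s1", "doc1-s2", size=1000, expires=100), now=0)
    net.store("mallory", Share("doc1-s2", "doc1-s1", size=1000, expires=100), now=0)
    net.delete("mallory", "doc1-s2", now=40)
    net.run_checks(now=50)
    return net


def scenario_coopting():
    """Buddy coopting: the same deletion, but the corrupt node holds both buddies."""
    net = Servnet([Node("alice"), Node("mallory", honest=False)])
    net.store("mallory", Share("doc2-s1", "doc2-s2", size=1000, expires=100), now=0)
    net.store("mallory", Share("doc2-s2", "doc2-s1", size=1000, expires=100), now=0)
    net.delete("mallory", "doc2-s2", now=40)
    net.run_checks(now=50)
    return net


if __name__ == "__main__":
    for scenario in (scenario_betrayal, scenario_coopting):
        net = scenario()
        print(scenario.__name__, "trust:", net.trust["mallory"], "alerts:", net.alerts,
              "useful work ratio: %.2f" % useful_work_ratio(net.nodes["mallory"]))
```

In the first scenario the honest holder of the surviving share raises an alert and the ledger shows the deleting node served 40\% of the size-time it touched; in the second the ledger records the same destruction, but because the only node positioned to run the buddy check is the one that deleted the share, no alert is raised and its trust is untouched. That gap is exactly what the contact-address separation discussed above tries to close.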

\subsection{Trading Receipt Games}
The receipts used in trading are a complicated mechanism, and we have
no formal system for talking about how they interact.  While we
believe that the signed timestamp makes it clear who did what and
when, it is possible that some attacks exist, likely involving
multi-node adversaries engaging in coordinated bait-and-switch games
with target nodes.

\subsection{Pollution}
An adversary can join the server network, then trade away garbage for
valuable data.  A sufficiently wealthy adversary could even purchase a
series of very large drives, then trade away enough garbage to have
the majority of the data in the server network on his drives, subject
to deletion.

We have no defense against this attack.  However, any adversary capable
of perpetrating the above attack against a widely-used Free Haven is
equally capable of many cheaper, easier, non-technical attacks.

\subsection{False Referrals}
An adversary can broadcast false referrals, or direct them to specific
hosts.  The metaconfidence system combined with the single-reporting
policy provides some guard against this.  Based on field tests of Free
Haven, we may need to switch to a policy of ignoring referrals which
do not have receipts.
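To make the three defenses named here concrete, the following referral-intake routine is added as an illustration; it is not Free Haven code, and it fixes one reading of the policies: each referral is weighted by the receiver's metaconfidence in the referrer, single-reporting is taken to mean that at most one referral per (referrer, subject) pair is counted so that repeating a claim cannot amplify it, and a strict mode drops any referral that does not carry a verifiable receipt. The receipt is authenticated with an HMAC under a constructed per-node key purely as a stand-in for the signed, timestamped receipts of the real protocol, which would use a public-key signature; node names, keys, weights and the referral stream are all constructed.

```python
"""Referral intake for a Free Haven-style trust module.
Added example, not Free Haven code. Assumed reading of the policies: referrers are
weighted by metaconfidence, at most one referral per (referrer, subject) pair counts,
and receipts may be required. Keys, node names and referrals are constructed."""
import hashlib
import hmac
import json

# Constructed per-node keys. Assumption: an HMAC stands in for the signed, timestamped
# receipt of the real protocol, which would use a public-key signature instead.
KEY_OF = {"bob": b"bob-secret-key", "carol": b"carol-secret-key"}


def _body(fields):
    return json.dumps(fields, sort_keys=True).encode()


def make_receipt(counterparty_key, fields):
    """Receipt for a trade, authenticated by the counterparty named in fields['from']."""
    mac = hmac.new(counterparty_key, _body(fields), hashlib.sha256).hexdigest()
    return {"fields": fields, "mac": mac}


def receipt_valid(receipt, key_of):
    """True only if the MAC verifies under the key of the node the receipt names as 'from'."""
    if not receipt:
        return False
    fields = receipt.get("fields", {})
    key = key_of.get(fields.get("from"))
    if key is None:
        return False
    expected = hmac.new(key, _body(fields), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, receipt.get("mac", ""))


class ReferralIntake:
    def __init__(self, metaconfidence, key_of, require_receipts=False):
        self.metaconfidence = metaconfidence   # referrer -> weight in [0, 1]
        self.key_of = key_of
        self.require_receipts = require_receipts
        self.kept = {}      # (referrer, subject) -> value in [-1, 1]
        self.dropped = []   # (referrer, subject, reason)

    def _drop(self, referrer, subject, reason):
        self.dropped.append((referrer, subject, reason))
        return False

    def ingest(self, referrer, subject, value, receipt=None):
        """Apply the three rules; return True if the referral is counted."""
        if self.metaconfidence.get(referrer, 0.0) <= 0.0:
            return self._drop(referrer, subject, "no metaconfidence in referrer")
        if receipt is None:
            if self.require_receipts:
                return self._drop(referrer, subject, "no receipt")
        elif not receipt_valid(receipt, self.key_of) or receipt["fields"].get("from") != subject:
            return self._drop(referrer, subject, "receipt does not verify as issued by subject")
        if (referrer, subject) in self.kept:
            return self._drop(referrer, subject, "single-reporting: referrer already counted")
        self.kept[(referrer, subject)] = value
        return True

    def score(self, subject):
        """Metaconfidence-weighted mean of counted referrals about subject; None if none."""
        num = den = 0.0
        for (referrer, subj), value in self.kept.items():
            if subj == subject:
                weight = self.metaconfidence[referrer]
                num += weight * value
                den += weight
        return num / den if den else None


def demo(require_receipts):
    """Feed one constructed referral stream through the lenient or the strict policy."""
    meta = {"alice": 0.9, "carol": 0.5, "eve": 0.0}
    intake = ReferralIntake(meta, KEY_OF, require_receipts)
    good = make_receipt(KEY_OF["bob"], {"from": "bob", "to": "alice", "share": "doc1-s3", "ts": 1700000000})
    intake.ingest("alice", "bob", 1.0, good)     # receipted first-hand report: counted
    intake.ingest("alice", "bob", -1.0, good)    # same referrer again: single-reporting drop
    intake.ingest("eve", "bob", -1.0)            # zero metaconfidence: ignored
    forged = dict(good, mac="00" * 32)           # tampered MAC: receipt fails to verify
    intake.ingest("carol", "bob", -1.0, forged)
    intake.ingest("carol", "bob", -1.0)          # receiptless: counted only in lenient mode
    return intake


if __name__ == "__main__":
    for strict in (False, True):
        intake = demo(strict)
        print("strict" if strict else "lenient", "score for bob:", intake.score("bob"),
              "dropped:", intake.dropped)
```

Under the lenient policy the receiptless negative referral from a moderately trusted node pulls the weighted score for the subject down to about 0.29; under the receipt-required policy it is dropped and the score stays at 1.0, which is the trade-off the last sentence above describes: fewer inputs, but none that an adversary could fabricate without a verifiable receipt.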

\subsection{Entrapment}
There are several ways in which an adversary can appear to violate the
protocols.  When someone points this out, the adversary can present
receipts which show the accuser wrong, and then accuse the accuser of
the false-referral attack above.

There is no defense in the present implementation against this attack;
a more thorough system of attestations and protests is necessary.

