Rob Jansen

Users get routed: traffic correlation on tor by realistic adversaries

We present the first analysis of the popular Tor anonymity network that indicates the security of typical users against reasonably realistic adversaries in the Tor network or in the underlying Internet. Our results show that Tor users are far more susceptible to compromise than indicated by prior work. Specific contributions of the paper include(1)a model of various typical kinds of users,(2)an adversary model that includes Tor network relays, autonomous systems(ASes), Internet exchange points (IXPs), and groups of IXPs drawn from empirical study,(3) metrics that indicate how secure users are over a period of time,(4) the most accurate topological model to date of ASes and IXPs as they relate to Tor usage and network configuration,(5) a novel realistic Tor path simulator (TorPS), and(6)analyses of security making use of all the above. To show that our approach is useful to explore alternatives and not just Tor as currently deployed, we also analyze a published alternative path selection algorithm, Congestion-Aware Tor. We create an empirical model of Tor congestion, identify novel attack vectors, and show that it too is more vulnerable than previously indicated.

Membership-concealing overlay networks

We introduce the concept of membership-concealing overlay networks (MCONs), which hide the real-world identities of participants. We argue that while membership concealment is orthogonal to anonymity and censorship resistance, pseudonymous communication and censorship resistance become much easier if done over a membership-concealing network. We formalize the concept of membership concealment, discuss a number of attacks against existing systems and present real-world attack results. We then propose three proof-of-concept MCON designs that resist those attacks: one that is more efficient, another that is more robust to membership churn, and a third that balances efficiency and robustness. We show theoretical and simulation results demonstrating the feasibility and performance of our schemes.

Recruiting new tor relays with BRAIDS

Tor, a distributed Internet anonymizing system, relies on volunteers who run dedicated relays. Other than altruism, these volunteers have no incentive to run relays, causing a large disparity between the number of users and available relays. We introduce BRAIDS, a set of practical mechanisms that encourages users to run Tor relays, allowing them to earn credits redeemable for improved performance of both interactive and non-interactive Tor traffic. These performance incentives will allow Tor to support increasing resource demands with almost no loss in anonymity: BRAIDS is robust to well-known attacks. Using a simulation of 20,300 Tor nodes, we show that BRAIDS allows relays to achieve 75% lower latency than non-relays for interactive traffic, and 90% higher bandwidth utilization for non-interactive traffic.

Safely Measuring Tor

Tor is a popular network for anonymous communication. The usage and operation of Tor is not well-understood, however, because its privacy goals make common measurement approaches ineffective or risky. We present PrivCount, a system for measuring the Tor network designed with user privacy as a primary goal. PrivCount securely aggregates measurements across Tor relays and over time to produce differentially private outputs. PrivCount improves on prior approaches by enabling flexible exploration of many diverse kinds of Tor measurements while maintaining accuracy and privacy for each. We use PrivCount to perform a measurement study of Tor of sufficient breadth and depth to inform accurate models of Tor users and traffic. Our results indicate that Tor has 710,000 users connected but only 550,000 active at a given time, that Web traffic now constitutes 91% of data bytes on Tor, and that the strictness of relays connection policies significantly affects the type of application data they forward.

How Low Can You Go: Balancing Performance with Anonymity in Tor

Tor is one of the most popular anonymity systems in use today, in part because of its design goal of providing high performance. This has motivated research into performance enhancing modifications to Tor’s circuit scheduling, congestion control, and bandwidth allocation mechanisms. This paper investigates the effects of these proposed modifications on attacks that rely on network measurements as a side channel. We introduce a new class of induced throttling attacks in this space that exploit performance enhancing mechanisms to artificially throttle a circuit. We show that these attacks can drastically reduce the set of probable entry guards on a circuit, in many cases uniquely identifying the entry guard. Comparing to existing attacks, we find that although most of the performance enhancing modifications improve the accuracy of network measurements, the effectiveness of the attacks is reduced in some cases by making the Tor network more homogeneous. We conclude with an analysis of the total reduction in anonymity that clients face due to each proposed mechanism.

IMUX: Managing Tor Connections from Two to Infinity, and Beyond

We consider proposals to improve the performance of the Tor overlay network by increasing the number of connections between re- lays, such as Torchestra and PCTCP. We introduce a new class of attacks that can apply to these designs, socket exhaustion, and show that these attacks are effective against PCTCP. We also describe IMUX, a design that generalizes the principles behind these designs while still mitigating against socket exhaustion attacks. We demonstrate empirically that IMUX resists socket exhaustion while finding that web clients can realize up to 25% increase in performance compared to Torchestra. Finally, we empirically evaluate the interaction between these designs and the recently proposed KIST design, which aims to improve performance by intelligently scheduling kernel socket writes.

Onions for Sale: Putting Privacy on the Market

We propose that Tor supports the purchase of its services. Problem Overview. Onion routing, and in particular the Tor network, is tech- nically well-designed to provide communications privacy. However, the resource constraints of a volunteer network result in unacceptable performance for many users. As a consequence, many users turn to paid services, but even when avail- able they arent ideal solutions. For example, Virtual Private Networks (VPNs) are often used for anonymous communication and censorship avoidance. How- ever, VPNs are not designed to work against an active or state-level adversary and present a fragile single source of trust, as well as suffering from more subtle flaws (1). As another example, users hide peer-to-peer file sharing via seedboxes that run the P2P protocol at a paid host. However, accessing such services is recognizable, and these solutions again present a single source of trust. Proposed Solution. We propose that Tor supports the optional purchase of its services to simultaneously provide communications privacy to a new population while improving privacy for the old. In this approach, the existing Tor network infrastructure will be used to provide both paid and unpaid service, but paid ser- vice will be prioritized to deliver acceptable performance. Users migrating their activity from existing services will improve their communication anonymity and privacy while at the same time providing additional cover traffic and additional resources for Tors existing user base. Technical Approach. There are several technical components needed to incorpo- rate payments into Tors main services. To provide incentive to pay for service, traffic from users who pay is prioritized over traffic from those who dont using a new circuit scheduling architecture (2). Communication between hidden service providers who pay and their clients is similarly prioritized. To enhance censor- ship evasion, users paying for this service are provided with access to a special reserved pool of bridges. To allow anonymous payments, we can take advantage of Bitcoin, although there are other possibilities. Similarly, there are multiple options for investing those payments into Tor network improvement without centralizing control or liability, such as using trusted third-parties that take di- rect payment. We feel that the challenges in this approach are surmountable and that the benefits outweigh the associated risks.

PeerFlow: Secure Load Balancing in Tor

Abstract We present PeerFlow, a system to securely load balance client traffic in Tor. Security in Tor requires that no adversary handle too much traffic. However, Tor relays are run by volunteers who cannot be trusted to report the relay bandwidths, which Tor clients use for load balancing. We show that existing methods to determine the bandwidths of Tor relays allow an adversary with little bandwidth to attack large amounts of client traffic. These methods include Tor’s current bandwidth-scanning system, TorFlow, and the peer-measurement system EigenSpeed. We present an improved design called PeerFlow that uses a peer-measurement process both to limit an adversary’s ability to increase his measured bandwidth and to improve accuracy. We show our system to be secure, fast, and efficient. We implement PeerFlow in Tor and demonstrate its speed and accuracy in large-scale network simulations.

Privacy-preserving Dynamic Learning of Tor Network Traffic

Experimentation tools facilitate exploration of Tor performance and security research problems and allow researchers to safely and privately conduct Tor experiments without risking harm to real Tor users. However, researchers using these tools configure them to generate network traffic based on simplifying assumptions and outdated measurements and without understanding the efficacy of their configuration choices. In this work, we design a novel technique for dynamically learning Tor network traffic models using hidden Markov modeling and privacy-preserving measurement techniques. We conduct a safe but detailed measurement study of Tor using 17 relays (~2% of Tor bandwidth) over the course of 6 months, measuring general statistics and models that can be used to generate a sequence of streams and packets. We show how our measurement results and traffic models can be used to generate traffic flows in private Tor networks and how our models are more realistic than standard and alternative network traffic generation~methods.

WPES 2015: The 14th Workshop on Privacy in the Electronic Society

We present a brief summary of The 14th Workshop on Privacy in the Electronic Society, held on October 12th, 2015, in conjunction with the 22nd ACM Conference on Computer and Communications Security in Denver, Colorado, USA. The goal of this workshop is to discuss the problems of privacy in the global interconnected societies and possible solutions to them. The workshop program includes 11 full papers and 3 short papers out of 32 total submissions. Specific areas that are covered in the program include, but are not limited to: web and social network privacy, mobile and location privacy, communications privacy, and privacy-preserving data analysis.