Publication


Featured research published by Zhen Ling.


computer and communications security | 2009

A new cell counter based attack against Tor

Zhen Ling; Junzhou Luo; Wei Yu; Xinwen Fu; Dong Xuan; Weijia Jia

Various low-latency anonymous communication systems such as Tor and Anonymizer have been designed to provide anonymity service for users. In order to hide the communication of users, many anonymity systems pack the application data into equal-sized cells (e.g., 512 bytes for Tor, a known real-world, circuit-based low-latency anonymous communication network). In this paper, we investigate a new cell counter based attack against Tor, which allows the attacker to confirm anonymous communication relationship among users very quickly. In this attack, by marginally varying the counter of cells in the target traffic at the malicious exit onion router, the attacker can embed a secret signal into the variation of cell counter of the target traffic. The embedded signal will be carried along with the target traffic and arrive at the malicious entry onion router. Then an accomplice of the attacker at the malicious entry onion router will detect the embedded signal based on the received cells and confirm the communication relationship among users. We have implemented this attack against Tor and our experimental data validate its feasibility and effectiveness. There are several unique features of this attack. First, this attack is highly efficient and can confirm very short communication sessions with only tens of cells. Second, this attack is effective and its detection rate approaches 100% with a very low false positive rate. Third, it is possible to implement the attack in a way that appears to be very difficult for honest participants to detect (e.g., using our hopping-based signal embedding).


security and privacy in smartphones and mobile devices | 2012

Fingerprint attack against touch-enabled devices

Yang Zhang; Peng Xia; Junzhou Luo; Zhen Ling; Benyuan Liu; Xinwen Fu

Oily residues left by tapping fingers on a touch screen may breach user privacy. In this paper, we introduce the fingerprint attack against touch-enabled devices. We dust the touch screen surface to reveal fingerprints, and use an iPhone camera to carefully photograph fingerprints while striving to remove the virtual image of the phone from the fingerprint image. We then sharpen the fingerprints in an image via various image processing techniques and design effective algorithms to automatically map fingerprints to a keypad in order to infer tapped passwords. Extensive experiments were conducted on iPad, iPhone and Android phone and the results show that the fingerprint attack is effective and efficient in inferring passwords from fingerprint images. To the best of our knowledge, we are the first using fingerprint powder on touch screen and inferring passwords from fingerprints. Video at http://www.youtube.com/watch?v=vRUbJIcV9vg shows the dusting process on iPhone and video at http://www.youtube.com/watch?v=6jS6KroER3Y shows the dusting process on iPad. After dusting, password characters for login are clearly disclosed.


international conference on computer communications | 2012

Extensive analysis and large-scale empirical evaluation of Tor bridge discovery

Zhen Ling; Junzhou Luo; Wei Yu; Ming Yang; Xinwen Fu

Tor is a well-known low-latency anonymous communication system that is able to bypass Internet censorship. However, publicly announced Tor routers are being blocked by various parties. To counter the censorship blocking, Tor introduced nonpublic bridges as the first-hop relay into its core network. In this paper, we analyzed the effectiveness of two categories of bridge-discovery approaches: (i) enumerating bridges from bridge https and email servers, and (ii) inferring bridges by malicious Tor middle routers. Large-scale experiments were conducted and validated our theoretic findings. We discovered 2365 Tor bridges through the two enumeration approaches and 2369 bridges by only one Tor middle router in 14 days. Our study shows that the bridge discovery based on malicious middle routers is simple, efficient and effective to discover bridges with little overhead. We also discussed the mechanisms to counter the malicious bridge discovery.


IEEE ACM Transactions on Networking | 2012

A new cell-counting-based attack against Tor

Zhen Ling; Junzhou Luo; Wei Yu; Xinwen Fu; Dong Xuan; Weijia Jia

Various low-latency anonymous communication systems such as Tor and Anonymizer have been designed to provide anonymity service for users. In order to hide the communication of users, most of the anonymity systems pack the application data into equal-sized cells (e.g., 512 B for Tor, a known real-world, circuit-based, low-latency anonymous communication network). Via extensive experiments on Tor, we found that the size of IP packets in the Tor network can be very dynamic because a cell is an application concept and the IP layer may repack cells. Based on this finding, we investigate a new cell-counting-based attack against Tor, which allows the attacker to confirm anonymous communication relationship among users very quickly. In this attack, by marginally varying the number of cells in the target traffic at the malicious exit onion router, the attacker can embed a secret signal into the variation of cell counter of the target traffic. The embedded signal will be carried along with the target traffic and arrive at the malicious entry onion router. Then, an accomplice of the attacker at the malicious entry onion router will detect the embedded signal based on the received cells and confirm the communication relationship among users. We have implemented this attack against Tor, and our experimental data validate its feasibility and effectiveness. There are several unique features of this attack. First, this attack is highly efficient and can confirm very short communication sessions with only tens of cells. Second, this attack is effective, and its detection rate approaches 100% with a very low false positive rate. Third, it is possible to implement the attack in a way that appears to be very difficult for honest participants to detect (e.g., using our hopping-based signal embedding).


computer and communications security | 2014

Blind Recognition of Touched Keys on Mobile Devices

Qinggang Yue; Zhen Ling; Xinwen Fu; Benyuan Liu; Kui Ren; Wei Zhao

In this paper, we introduce a novel computer vision based attack that automatically discloses inputs on a touch-enabled device while the attacker cannot see any text or popup in a video of the victim tapping on the touch screen. We carefully analyze the shadow formation around the fingertip, apply the optical flow, deformable part-based model (DPM), k-means clustering and other computer vision techniques to automatically locate the touched points. Planar homography is then applied to map the estimated touched points to a reference image of software keyboard keys. Recognition of passwords is extremely challenging given that no language model can be applied to correct estimated touched keys. Our threat model is that a webcam, smartphone or Google Glass is used for stealthy attack in scenarios such as conferences and similar gathering places. We address both cases of tapping with one finger and tapping with multiple fingers and two hands. Extensive experiments were performed to demonstrate the impact of this attack. The per-character (or per-digit) success rate is over 97% while the success rate of recognizing 4-character passcodes is more than 90%. Our work is the first to automatically and blindly recognize random passwords (or passcodes) typed on the touch screen of mobile devices with a very high success rate.


international conference on computer communications | 2014

TorWard: Discovery of malicious traffic over Tor

Zhen Ling; Junzhou Luo; Kui Wu; Wei Yu; Xinwen Fu

Tor is a popular low-latency anonymous communication system. However, it is currently abused in various ways. Tor exit routers are frequently troubled by administrative and legal complaints. To gain an insight into such abuse, we design and implement a novel system, TorWard, for the discovery and systematic study of malicious traffic over Tor. The system can avoid legal and administrative complaints and allows the investigation to be performed in a sensitive environment such as a university campus. An IDS (Intrusion Detection System) is used to discover and classify malicious traffic. We performed comprehensive analysis and extensive real-world experiments to validate the feasibility and effectiveness of TorWard. Our data shows that around 10% Tor traffic can trigger IDS alerts. Malicious traffic includes P2P traffic, malware traffic (e.g., botnet traffic), DoS (Denial-of-Service) attack traffic, spam, and others. Around 200 known malware have been identified. To the best of our knowledge, we are the first to perform malicious traffic categorization over Tor.


international conference on computer communications | 2009

Blind Detection of Spread Spectrum Flow Watermarks

Weijia Jia; Fung Po Tso; Zhen Ling; Xinwen Fu; Dong Xuan; Wei Yu

Recently, the direct sequence spread-spectrum (DSSS)-based technique has been proposed to trace anonymous network flows. In this technique, homogeneous pseudo-noise (PN) codes are used to modulate multiple-bit signals that are embedded into the target flow as watermarks. This technique could be maliciously used to degrade an anonymous communication network. In this paper, we propose a simple single flow-based scheme to detect the existence of these watermarks. Our investigation shows that even if we have no knowledge of the applied PN code, we are still able to detect malicious DSSS watermarks via mean-square autocorrelation (MSAC) of a single modulated flow's traffic rate time series. MSAC shows periodic peaks due to self-similarity in the modulated traffic caused by homogeneous PN codes that are used in modulating multiple-bit signals. Our scheme has low complexity and does not require any PN-code synchronization. We evaluate this detection scheme's effectiveness via simulations and real-world experiments on Tor. Our results demonstrate a high detection rate with a low false positive rate. Our scheme is more flexible and accurate than an existing multi-flow-based approach in DSSS watermark detection.


international conference on computer communications | 2013

Protocol-level hidden server discovery

Zhen Ling; Junzhou Luo; Kui Wu; Xinwen Fu

Tor hidden services are commonly used to provide a TCP based service to users without exposing the hidden server's IP address in order to achieve anonymity and anti-censorship. However, hidden services are currently abused in various ways. Illegal content such as child pornography has been discovered on various Tor hidden servers. In this paper, we propose a protocol-level hidden server discovery approach to locate the Tor hidden server that hosts the illegal website. We investigate the Tor hidden server protocol and develop a hidden server discovery system, which consists of a Tor client, a Tor rendezvous point, and several Tor entry onion routers. We manipulate Tor cells, the basic transmission unit over Tor, at the Tor rendezvous point to generate a protocol-level feature at the entry onion routers. Once our controlled entry onion routers detect such a feature, we can confirm the IP address of the hidden server. We conduct extensive analysis and experiments to demonstrate the feasibility and effectiveness of our approach.


IEEE Transactions on Computers | 2013

Novel Packet Size-Based Covert Channel Attacks against Anonymizer

Zhen Ling; Xinwen Fu; Weijia Jia; Wei Yu; Dong Xuan; Junzhou Luo

In this paper, we present a study on the anonymity of Anonymizer, a well-known commercial anonymous communication system. We discovered the architecture of Anonymizer and found that the size of web packets in the Anonymizer network can be very dynamic at the client. Motivated by this finding, we investigated a class of novel packet size-based covert channel attacks against Anonymizer. The attacker between a website and the Anonymizer server can manipulate the web packet size and embed secret signal symbols into the target traffic. An accomplice at the user side can sniff the traffic and recognize the secret signal. In this way, the anonymity provided by Anonymizer is compromised. We developed intelligent and robust algorithms to cope with the packet size distortion incurred by Anonymizer and Internet. We developed techniques to make the attack harder to detect: 1) We pick up right packets of web objects to manipulate to preserve the regularity of the TCP packet size dynamics, which can be measured by the Hurst parameter; 2) We adopt the Monte Carlo sampling technique to preserve the distribution of the web packet size despite manipulation. We have implemented the attack over Anonymizer and conducted extensive analytical and experimental evaluations. It is observed that the attack is highly efficient and requires only tens of packets to compromise the anonymous web surfing via Anonymizer. The experimental results are consistent with our theoretical analysis.


Computer Networks | 2013

Protocol-level attacks against Tor

Zhen Ling; Junzhou Luo; Wei Yu; Xinwen Fu; Weijia Jia; Wei Zhao

Tor is a real-world, circuit-based low-latency anonymous communication network, supporting TCP applications over the Internet. In this paper, we present an extensive study of protocol-level attacks against Tor. Different from existing attacks, the attacks investigated in this paper can confirm anonymous communication relationships quickly and accurately by manipulating one single cell and pose a serious threat against Tor. In these attacks, a malicious entry onion router may duplicate, modify, insert, or delete cells of a TCP stream from a sender, which can cause cell recognition errors at the exit onion router. If an accomplice of the attacker at the entry onion router also controls the exit onion router and recognizes such cell recognition errors, the communication relationship between the sender and receiver will be confirmed. These attacks can also be used for launching the denial-of-service (DoS) attack to disrupt the operation of Tor. We systematically analyze the impact of these attacks and our data indicate that these attacks may drastically degrade the anonymity service that Tor provides, if the attacker is able to control a small number of Tor routers. We have implemented these attacks on Tor and our experiments validate their feasibility and effectiveness. We also present guidelines for defending against protocol-level attacks.

Collaboration


Top Co-Authors

Xinwen Fu

University of Massachusetts Lowell

Weijia Jia

Shanghai Jiao Tong University

Dong Xuan

Ohio State University

Kai Dong

Southeast University

Kui Wu

University of Victoria