Onion-Location makes it easy for websites offering onion service access to support automatic discovery in Tor Browser of the random-looking onion address associated with their domain. We provide the first measurement study of how many websites are currently using Onion-Location. We also describe the open-source tools we created to conduct the study. Onion-Location has been criticized elsewhere for its lack of transparency and vulnerability to blocking. Perhaps even more troubling, we show that Onion-Location is vulnerable to very accurate fingerprinting. We present recommended changes to and alternatives to Onion-Location as well as steps towards even more secure onion discovery and association.
@article{onionloc-popets2025,
  title={Onion-Location Measurements and Fingerprinting},
  author={Syverson, Paul and Dahlberg, Rasmus and Pulls, Tobias and Jansen, Rob},
  journal={Proceedings on Privacy Enhancing Technologies},
  volume={2025},
  number={2},
  year={2025},
  doi={10.56553/popets-2025-0074},
}
Website fingerprinting (WF) is a potentially devastating attack against Tor because it can break anonymity by linking a Tor user to their purportedly unlinkable internet destinations. Previous work proposes that an adversary trains WF classifiers either on synthetic traces that are programmatically generated using automated tools, or on real-world traces collected from one or more Tor exit relays. However, no existing work accurately represents a real-world threat model in which a WF adversary’s classifiers must be tested against real-world entry traces that are naturally created by real Tor users. In this paper we present Retracer, a novel method for producing labeled entry traces of genuine Tor traffic patterns. Retracer uses high-fidelity network simulation to accurately transform real-world exit traces into entry traces prior to training and testing WF classifiers. After first demonstrating that Retracer accurately transforms exit traces into entry traces, we then apply it to the recently released GTT23 dataset in a WF evaluation in which more than 3500 classifiers are tested against, for the first time, labeled entry traces of real Tor traffic patterns. Our evaluation yields the best available estimate of the performance an adversary can achieve when directing WF attacks at real Tor users.
@inproceedings{retracer-wpes2024,
  title={Repositioning Real-World Website Fingerprinting on Tor},
  author={Jansen, Rob and Wails, Ryan and Johnson, Aaron},
  booktitle={Workshop on Privacy in the Electronic Society},
  year={2024},
  doi={10.1145/3689943.3695047},
}
Anna Harbluk Lorimer, Rob Jansen, and Nick Feamster:
As censors continue to develop more advanced technologies to police access to the Internet, new techniques are also needed to promote Internet freedom. Traffic splitting is one technique that has been shown to defend against various privacy attacks and to improve network performance, but it has not been evaluated in the context of censorship-resistant systems. In this extended abstract we outline a design for traffic splitting for pluggable transports that uses what we call a "shim" pluggable transport and modified Tor Bridges as proxies. We describe our hypotheses and how we plan to evaluate our implementation to determine the extent to which pluggable transports that employ traffic splitting can improve performance, protect against website fingerprinting attacks, and improve resistance to detection and blocking by a censor.
@misc{ptsplit-foci2024,
  title={Traffic Splitting for Pluggable Transports},
  author={Lorimer, Anna Harbluk and Jansen, Rob and Feamster, Nick},
  howpublished={Workshop on Free and Open Communication on the Internet},
  year={2024},
  note={Extended abstract},
}
Website fingerprinting (WF) is a dangerous attack on web privacy because it enables an adversary to predict the website a user is visiting, despite the use of encryption, VPNs, or anonymizing networks such as Tor. Previous WF work almost exclusively uses synthetic datasets to evaluate the performance and estimate the feasibility of WF attacks despite evidence that synthetic data misrepresents the real world. In this paper we present GTT23, the first WF dataset of genuine Tor traces, which we obtain through a large-scale measurement of the Tor network. GTT23 represents real Tor user behavior better than any existing WF dataset, is larger than any existing WF dataset by at least an order of magnitude, and will help ground the future study of realistic WF attacks and defenses. In a detailed evaluation, we survey 25 WF datasets published over the last 15 years and compare their characteristics to those of GTT23. We discover common deficiencies of synthetic datasets that make them inferior to GTT23 for drawing meaningful conclusions about the effectiveness of WF attacks directed at real Tor users. We have made GTT23 available to promote reproducible research and to help inspire new directions for future work.
@techreport{gtt23-arxiv2024,
  title={A Measurement of Genuine Tor Traces for Realistic Website Fingerprinting},
  author={Jansen, Rob and Wails, Ryan and Johnson, Aaron},
  booktitle={arXiv:2404.07892 [cs.CR]},
  year={2024},
  doi={10.48550/arXiv.2404.07892},
}
The understanding of realistic censorship threats enables the development of more resilient censorship circumvention systems, which are vitally important for advancing human rights and fundamental freedoms. We argue that current state-of-the-art methods for detecting circumventing flows in Tor are unrealistic: they are overwhelmed with false positives (> 94%), even when considering conservatively high base rates (10^-3). In this paper, we present a new methodology for detecting censorship circumvention in which a deep-learning flow-based classifier is combined with a host-based detection strategy that incorporates information from multiple flows over time. Using over 60,000,000 real-world network flows to over 600,000 destinations, we demonstrate how our detection methods become more precise as they temporally accumulate information, allowing us to detect circumvention servers with perfect recall and no false positives. Our evaluation considers a range of circumventing flow base rates spanning six orders of magnitude and real-world protocol distributions. Our findings suggest that future circumvention system designs need to more carefully consider host-based detection strategies, and we offer suggestions for designs that are more resistant to these attacks.
@inproceedings{precisedetect-ndss2024,
  title={On Precisely Detecting Censorship Circumvention in Real-World Networks},
  author={Wails, Ryan and Sullivan, George Arnold and Sherr, Micah and Jansen, Rob},
  booktitle={Network and Distributed System Security Symposium},
  year={2024},
  doi={10.14722/ndss.2024.23394},
}
We present the Proteus system for censorship circumvention. Proteus provides a programmable protocol environment in which new communication protocols can be expressed as concise and comprehensible specification files. This design allows clients and proxies to quickly respond to new censorship strategies just by installing new specification files. Proteus improves on prior programmable designs by improving host safety from malicious specifications, providing a specification language that is complete and comprehensible to non-specialists, and supporting multiple simultaneous protocols at a proxy for versioning and localization. This paper represents work in progress and provides an overview of the Proteus design, as well as examples showing that it can express existing encrypted protocols.
@inproceedings{proteus-foci2023,
  title={Proteus: Programmable Protocols for Censorship Circumvention},
  author={Wails, Ryan and Jansen, Rob and Johnson, Aaron and Sherr, Micah},
  booktitle={Workshop on Free and Open Communication on the Internet},
  year={2023},
}
Website fingerprinting (WF) attacks allow an adversary to associate a website with the encrypted traffic patterns produced when accessing it, thus threatening to destroy the client-server unlinkability promised by anonymous communication networks. Explainable WF is an open problem in which we need to improve our understanding of (1) the machine learning models used to conduct WF attacks; and (2) the WF datasets used as inputs to those models. This paper focuses on explainable datasets; that is, we develop an alternative to the standard practice of gathering low-quality WF datasets using synthetic browsers in large networks without controlling for natural network variability. In particular, we demonstrate how network simulation can be used to produce explainable WF datasets by leveraging the simulator’s high degree of control over network operation. Through a detailed investigation of the effect of network variability on WF performance, we find that: (1) training and testing WF attacks in networks with distinct levels of congestion increases the false-positive rate by as much as 200%; (2) augmenting the WF attacks by training them across several networks with varying degrees of congestion decreases the false-positive rate by as much as 83%; and (3) WF classifiers trained on completely simulated data can achieve greater than 80% accuracy when applied to the real world.
@article{explainwf-popets2023,
  title={Data-Explainable Website Fingerprinting with Network Simulation},
  author={Jansen, Rob and Wails, Ryan},
  journal={Proceedings on Privacy Enhancing Technologies},
  volume={2023},
  number={4},
  year={2023},
  doi={10.56553/popets-2023-0125},
}
Website fingerprinting (WF) attacks on Tor allow an adversary who can observe the traffic patterns between a victim and the Tor network to predict the website visited by the victim. Existing WF attacks yield extremely high accuracy. However, the conditions under which these attacks are evaluated raise questions about their effectiveness in the real world. We conduct the first evaluation of website fingerprinting using genuine Tor traffic as ground truth and evaluated under a true open world. We achieve this by adapting the state-of-the-art Triplet Fingerprinting attack to an online setting and training the WF models on data safely collected on a Tor exit relay, a setup an adversary can easily deploy in practice. By studying WF under realistic conditions, we demonstrate that an adversary can achieve a WF classification accuracy of above 95% when monitoring a small set of 5 popular websites, but that accuracy quickly degrades to less than 80% when monitoring as few as 25 websites. We conclude that, although WF attacks may be possible, it is likely infeasible to carry them out in the real world while monitoring more than a small set of websites.
@inproceedings{realworldwf-sec2022,
  title={Online Website Fingerprinting: Evaluating Website Fingerprinting Attacks on Tor in the Real World},
  author={Cherubin, Giovanni and Jansen, Rob and Troncoso, Carmela},
  booktitle={USENIX Security Symposium},
  year={2022},
}
Network experimentation tools are vitally important to the process of developing, evaluating, and testing distributed systems. The state-of-the-art simulation tools are either prohibitively inefficient at large scales or are limited by nontrivial architectural challenges, inhibiting their widespread adoption. In this paper, we present the design and implementation of Phantom, a novel tool for conducting distributed system experiments. In Phantom, a discrete-event network simulator directly executes unmodified applications as Linux processes and innovatively synthesizes efficient process control, system call interposition, and data transfer methods to co-opt the processes into the simulation environment. Our evaluation demonstrates that Phantom is up to 2.2× faster than Shadow, up to 3.4× faster than NS-3, and up to 43× faster than gRaIL in large P2P benchmarks while offering performance comparable to Shadow in large Tor network simulations.
@inproceedings{phantom-atc2022,
  title={Co-opting Linux Processes for High-Performance Network Simulation},
  author={Jansen, Rob and Newsome, Jim and Wails, Ryan},
  booktitle={USENIX Annual Technical Conference},
  year={2022},
}
Censorship-resistant communication systems generally use real-world cover protocols to establish a covert channel through which uncensored communication can occur. Unfortunately, many previously proposed systems use cover protocols inconsistently with the way humans normally use those protocols, leading to anomalous network traffic patterns that have been shown to be discoverable by real-world censors. In this paper, we argue that censorship-resistant communication systems should follow two behavior-based design properties: (i) behavioral independence: systems should isolate the operation of their covert channels from the operation of their cover protocols, and (ii) behavioral realism: systems should either opportunistically use existing genuine cover protocol instances or run new protocol instances that are modeled after genuine ones. These properties ensure that the behavior of a system’s users will not degrade its security. We demonstrate how to achieve these properties through the design and evaluation of Raven, a censorship-resistant messaging system that uses email cover protocols identically to the way humans use email. Raven uses a generative adversarial network that is trained on genuine email data to control the timing and sizes of the email messages it sends and receives, and these messages are transferred independently of user actions. Our evaluation shows that, compared to the state-of-the-art email-based Mailet system, Raven raises the false-positive rate from 3% to 50% when detecting covert channel usage with 100% recall.
@article{raven-popets2022,
  title={Learning to Behave: Improving Covert Channel Security with Behavior-Based Designs},
  author={Wails, Ryan and Stange, Andrew and Troper, Eliana and Caliskan, Aylin and Dingledine, Roger and Jansen, Rob and Sherr, Micah},
  journal={Proceedings on Privacy Enhancing Technologies},
  volume={2022},
  number={3},
  year={2022},
  doi={10.56553/popets-2022-0068},
}
Tor is a popular low-latency anonymous communication system that focuses on usability and performance: a faster network will attract more users, which in turn will improve the anonymity of everyone using the system. The standard practice for previous research attempting to enhance Tor performance is to draw conclusions from the observed results of a single simulation for standard Tor and for each research variant. But because the simulations are run in sampled Tor networks, it is possible that sampling error alone could cause the observed effects. Therefore, we call into question the practical meaning of any conclusions that are drawn without considering the statistical significance of the reported results.
In this paper, we build foundations upon which we improve the Tor experimental method. First, we present a new Tor network modeling methodology that produces more representative Tor networks as well as new and improved experimentation tools that run Tor simulations faster and at a larger scale than was previously possible. We showcase these contributions by running simulations with 6,489 relays and 792k simultaneously active users, the largest known Tor network simulations and the first at a network scale of 100%. Second, we present new statistical methodologies through which we: (i) show that running multiple simulations in independently sampled networks is necessary in order to produce informative results; and (ii) show how to use the results from multiple simulations to conduct sound statistical inference. We present a case study using 420 simulations to demonstrate how to apply our methodologies to a concrete set of Tor experiments and how to analyze the results.
@inproceedings{neverenough-sec2021,
  title={Once is Never Enough: Foundations for Sound Statistical Inference in Tor Network Experimentation},
  author={Jansen, Rob and Tracey, Justin and Goldberg, Ian},
  booktitle={USENIX Security Symposium},
  year={2021},
}
The Tor network uses a measurement system called TorFlow to estimate its relays’ forwarding capacity and to balance traffic among them. This system has been shown to be vulnerable to adversarial manipulation, and inaccuracies even in benign circumstances have long been observed. To solve the issues with security and accuracy, we present FlashFlow, a system to measure the capacity of Tor relays. Our analysis shows that FlashFlow limits a malicious relay to obtaining a capacity estimate at most 1.33 times its true capacity. Through realistic Internet experiments, we find that FlashFlow measures relay capacity with ≥89% accuracy 95% of the time. Through simulation, we find that FlashFlow can measure the entire Tor network in less than 5 hours using 3 measurers with 1 Gbit/s of bandwidth each. Performance simulations using FlashFlow for load balancing show that, compared to TorFlow, network weight error decreases by 86%, while the median of 50 KiB, 1 MiB, and 5 MiB transfer times decreases by 15%, 29%, and 37%, respectively. Moreover, FlashFlow yields more consistent client performance: the median rate of transfer timeouts decreases by 100%, while the standard deviation of 50 KiB, 1 MiB, and 5 MiB transfer times decreases by 55%, 61%, and 41%, respectively. We also find that the performance improvements increase relative to TorFlow as the total client-traffic load increases, demonstrating that FlashFlow is better suited to supporting network growth.
@inproceedings{flashflow-icdcs2021,
  title={FlashFlow: A Secure Speed Test for Tor},
  author={Traudt, Matthew and Jansen, Rob and Johnson, Aaron},
  booktitle={International Conference on Distributed Computing Systems},
  year={2021},
  doi={10.1109/ICDCS51616.2021.00044},
}
The Tor network estimates its relays’ bandwidths using relay self-measurements of client traffic speeds. These estimates largely determine how existing traffic load is balanced across relays, and they are used to evaluate the network’s capacity to handle future traffic load increases. Thus, their accuracy is important to optimize Tor’s performance and strategize for growth. However, their accuracy has never been measured. We investigate the accuracy of Tor’s capacity estimation with an analysis of public network data and an active experiment run over the entire live network. Our results suggest that the bandwidth estimates underestimate the total network capacity by at least 50% and that the errors are larger for high-bandwidth and low-uptime relays. Our work suggests that improving Tor’s bandwidth measurement system could improve the network’s performance and better inform plans to handle future growth.
@inproceedings{torbwest-pam2021,
  title={On the Accuracy of Tor Bandwidth Estimation},
  author={Jansen, Rob and Johnson, Aaron},
  booktitle={Passive and Active Measurement Conference},
  year={2021},
  doi={10.1007/978-3-030-72582-2_28},
}
The combination of TCP auto-tuning and asynchronous I/O event notifications (e.g., epoll) allows the Linux kernel to generally sustain high-volume TCP connections—even for connections with high bandwidth-delay products (high link bandwidth and/or high path latency). However, bufferbloat can quickly become an issue when multiple such connections are in use. In particular, high outbound kernel queuing delays have been observed in the Tor anonymity network, a large distributed system whose relays often manage thousands of sockets—many of which are simultaneously-active, high-volume TCP connections.
In this work, we propose a new notification event that triggers when TCP is ready to send data on a socket while seeking to better understand how it can help applications to better manage network I/O and improve performance. The new event supplements and extends the current write event that triggers when a socket buffer has free space, and the difference in semantics allows more precise control over queuing to the application. We describe the problem, detail a proposal for extending epoll to support the new semantics (including a code patch), and show the effect that such a change could have on performance through a small scale simulation.
@inproceedings{epollcwnd-netdev2020,
  title={Reducing Kernel Queuing Delays with TCP Window Space Events},
  author={Goulet, David and Jansen, Rob},
  booktitle={Technical Conference on Linux Networking},
  year={2020},
}
On Monday, August 12th, 2019, 55 attendees joined us for the 12th USENIX Workshop on Cybersecurity Experimentation and Test (CSET ‘19) in Santa Clara, California. CSET, one of the USENIX Security Symposium’s co-located workshops, welcomes work in the broad categories of “cyber security evaluation, experimentation, measurement, metrics, data, simulations, and testbeds”—that is, research about research tools, data, and methods. The purpose of this article is to share our experience chairing CSET ‘19, and to highlight this year’s papers.
@misc{login-cset2019,
  title={12th USENIX Workshop on Cyber Security Experimentation and Test (CSET'19)},
  author={Peterson, Peter A. H. and Jansen, Rob},
  howpublished={USENIX ;login: Winter 2019, Vol. 44, No. 4},
  year={2019},
  note={Editorship},
}
As the Tor network has grown in popularity and importance as a tool for privacy-preserving online communication, it has increasingly become a target for disruption, censorship, and attack. A large body of existing work examines Tor’s susceptibility to attacks that attempt to block Tor users’ access to information (e.g., via traffic filtering), identify Tor users’ communication content (e.g., via traffic fingerprinting), and de-anonymize Tor users (e.g., via traffic correlation). This paper focuses on the relatively understudied threat of denial-of-service (DoS) attacks against Tor, and specifically, DoS attacks that intelligently utilize bandwidth as a means to significantly degrade Tor network performance and reliability.
We demonstrate the feasibility of several bandwidth DoS attacks through live-network experimentation and high-fidelity simulation while quantifying the cost of each attack and its effect on Tor performance. First, we explore an attack against Tor’s most commonly used default bridges (for censorship circumvention) and estimate that flooding those that are operational would cost $17K/mo. and could reduce client throughput by 44% while more than doubling bridge maintenance costs. Second, we explore attacks against the TorFlow bandwidth measurement system and estimate that a constant attack against all TorFlow scanners would cost $2.8K/mo. and reduce the median client download rate by 80%. Third, we explore how an adversary could use Tor to congest itself and estimate that such a congestion attack against all Tor relays would cost $1.6K/mo. and increase the median client download time by 47%. Finally, we analyze the effects of Sybil DoS and deanonymization attacks that have costs comparable to those of our attacks.
@inproceedings{pointbreak-sec2019,
  title={Point Break: A Study of Bandwidth Denial-of-Service Attacks against Tor},
  author={Jansen, Rob and Vaidya, Tavish and Sherr, Micah},
  booktitle={USENIX Security Symposium},
  year={2019},
}
KIST: Kernel-Informed Socket Transport for Tor. Transactions on Privacy and Security, vol. 22, no. 1, 2018. See associated conference paper and case study report.
Tor’s growing popularity and user diversity has resulted in network performance problems that are not well understood, though performance is understood to be a significant factor in Tor’s security. A large body of work has attempted to solve performance problems without a complete understanding of where congestion occurs in Tor. In this article, we first study congestion in Tor at individual relays as well as along the entire end-to-end Tor path and find that congestion occurs almost exclusively in egress kernel socket buffers. We then analyze Tor’s socket interactions and discover two major contributors to Tor’s congestion: Tor writes sockets sequentially, and Tor writes as much as possible to each socket. To improve Tor’s performance, we design, implement, and test KIST: a new socket management algorithm that uses real-time kernel information to dynamically compute the amount to write to each socket while considering all circuits of all writable sockets when scheduling cells. We find that, in the medians, KIST reduces circuit congestion by more than 30%, reduces network latency by 18%, and increases network throughput by nearly 10%. We also find that client and relay performance with KIST improves as more relays deploy it and as network load and packet loss rates increase. We analyze the security of KIST and find an acceptable performance and security tradeoff, as it does not significantly affect the outcome of well-known latency, throughput, and traffic correlation attacks. KIST has been merged and configured as the default socket scheduling algorithm in Tor version 0.3.2.1-alpha (released September 18, 2017) and became stable in Tor version 0.3.2.9 (released January 9, 2018). While our focus is Tor, our techniques and observations should help analyze and improve overlay and application performance, both for security applications and in general.
@article{kist-tops2018,
  title={KIST: Kernel-Informed Socket Transport for Tor},
  author={Jansen, Rob and Traudt, Matthew and Geddes, John and Wacek, Chris and Sherr, Micah and Syverson, Paul},
  journal={Transactions on Privacy and Security},
  volume={22},
  number={1},
  article={3},
  year={2018},
  doi={10.1145/3278121},
}
The Tor anonymity network is difficult to measure because, if not done carefully, measurements could risk the privacy (and potentially the safety) of the network’s users. Recent work has proposed the use of differential privacy and secure aggregation techniques to safely measure Tor, and preliminary proof-of-concept prototype tools have been developed in order to demonstrate the utility of these techniques. In this work, we significantly enhance two such tools—PrivCount and Private Set-Union Cardinality—in order to support the safe exploration of new types of Tor usage behavior that have never before been measured. Using the enhanced tools, we conduct a detailed measurement study of Tor covering three major aspects of Tor usage: how many users connect to Tor and from where do they connect, with which destinations do users most frequently communicate, and how many onion services exist and how are they used. Our findings include that Tor has ∼8 million daily users, a factor of four more than previously believed. We also find that ∼40% of the sites accessed over Tor have a torproject.org domain name, ∼10% of the sites have an amazon.com domain name, and ∼80% of the sites have a domain name that is included in the Alexa top 1 million sites list. Finally, we find that ∼90% of lookups for onion addresses are invalid, and more than 90% of attempted connections to onion services fail.
@inproceedings{torusage-imc2018,
  title={Understanding Tor Usage with Privacy-Preserving Measurement},
  author={Mani, Akshaya and Wilson-Brown, T and Jansen, Rob and Johnson, Aaron and Sherr, Micah},
  booktitle={Internet Measurement Conference},
  year={2018},
  doi={10.1145/3278532.3278549},
}
Experimentation tools facilitate exploration of Tor performance and security research problems and allow researchers to safely and privately conduct Tor experiments without risking harm to real Tor users. However, researchers using these tools configure them to generate network traffic based on simplifying assumptions and outdated measurements and without understanding the efficacy of their configuration choices. In this work, we design a novel technique for dynamically learning Tor network traffic models using hidden Markov modeling and privacy-preserving measurement techniques. We conduct a safe but detailed measurement study of Tor using 17 relays (∼2% of Tor bandwidth) over the course of 6 months, measuring general statistics and models that can be used to generate a sequence of streams and packets. We show how our measurement results and traffic models can be used to generate traffic flows in private Tor networks and how our models are more realistic than standard and alternative network traffic generation methods.
@inproceedings{tmodel-ccs2018,
  title={Privacy-Preserving Dynamic Learning of Tor Network Traffic},
  author={Jansen, Rob and Traudt, Matthew and Hopper, Nicholas},
  booktitle={Conference on Computer and Communication Security},
  year={2018},
  doi={10.1145/3243734.3243815},
}
The Tor anonymous communication network and Bitcoin financial transaction network are examples of security applications with significant risk to user privacy if they fail to perform as expected. Experimentation on private instances of these networks is therefore a popular means to design, develop, and test improvements before deploying them to real users. In particular, the Shadow discrete-event network simulator is one of the most popular tools for conducting safe and ethical Tor research. In this paper, we analyze Shadow’s design and find significant performance bottlenecks in its logging and work scheduling systems stemming from its representation of simulated processes and its use of a globally shared process namespace. We design, implement, and empirically evaluate new algorithms that replace each of these components. We find that our improvements reduce Shadow run time by as much as 31% in synthetic benchmarks over a variety of conditions, and by as much as 73% over small and large experimental Tor networks. Our improvements have been merged into Shadow release v1.12.0 to the benefit of the security and privacy communities.
@inproceedings{shadowelf-cset2018,
  title={High Performance Tor Experimentation from the Magic of Dynamic ELFs},
  author={Tracey, Justin and Jansen, Rob and Goldberg, Ian},
  booktitle={Workshop on Cyber Security Experimentation and Test},
  year={2018},
}
In this paper, we explore traffic analysis attacks on Tor that are conducted solely with middle relays rather than with relays from the entry or exit positions. We create a methodology to apply novel Tor circuit and website fingerprinting from middle relays to detect onion service usage; that is, we are able to identify websites with hidden network addresses by their traffic patterns. We also carry out the first privacy-preserving popularity measurement of a single social networking website hosted as an onion service by deploying our novel circuit and website fingerprinting techniques in the wild. Our results show: (i) that the middle position enables wide-scale monitoring and measurement not possible from a comparable resource deployment in other relay positions, (ii) that traffic fingerprinting techniques are as effective from the middle relay position as prior works show from a guard relay, and (iii) that an adversary can use our fingerprinting methodology to discover the popularity of onion services, or as a filter to target specific nodes in the network, such as particular guard relays.
@inproceedings{insidejob-ndss2018,
  title={Inside Job: Applying Traffic Analysis to Measure Tor from Within},
  author={Jansen, Rob and Juarez, Marc and Galvez, Rafael and Elahi, Tariq and Diaz, Claudia},
  booktitle={Network and Distributed System Security Symposium},
  year={2018},
  doi={10.14722/ndss.2018.23261},
}
Informal: Tor’s Been KIST: A Case Study of Transitioning Tor Research to Practice. Technical Report, 2017. See associated journal and conference papers.
Most computer science research is aimed at solving difficult problems with a goal of sharing the developed solutions with the greater research community. For many researchers, a project ends when the paper is published even though a much broader impact could be achieved by spending additional effort to transition that research to real world usage. In this paper, we examine the opportunities and challenges in transitioning Tor research through a case study of deploying a previously proposed application layer socket scheduling policy called KIST into the Tor network. We implement KIST, simulate it in a 2,000-relay private Tor network using Shadow, deploy it on a Tor relay running in the public Tor network, and measure its performance impact. Confirming the results reported in prior research, we find that KIST reduces kernel outbound queuing times for relays and download times for low-volume or bursty clients. We also find that client and relay performance with KIST increases as network load and packet loss rates increase, although the effects of packet loss on KIST were overlooked in past work. Our implementation will be released as open-source software for inclusion in a future Tor release.
@techreport{kistdeploy-arxiv2017,title={Tor's Been KIST: A Case Study of Transitioning Tor Research to Practice},author={Jansen, Rob and Traudt, Matthew},booktitle={arXiv:1709.01044 [cs.CR]},year={2017},doi={10.48550/arXiv.1709.01044},}
In this talk, we will describe a plan for the development of a wide-area testbed for the Tor anonymity system. Our proposed testbed would have the ability to directly run real-world software for anonymous communication, including support for clients, relays, and other critical components of Tor, such as directory services and bandwidth authorities. Researchers could select the experimental parameters, including user models, upload modified versions of Tor and associated scripts, and run an instance for a period of time. In the rest of this talk abstract, we lay out the motivations for having a testbed, the characteristics and use cases we anticipate, and the goals for the HotPETs talk.
@misc{tortestbed-hotpets2017,title={A Wide-Area Testbed for Tor},author={Dingledine, Roger and Goulet, David and Mittal, Prateek and Feamster, Nick and Jansen, Rob and Wright, Matthew},howpublished={Workshop on Hot Topics in Privacy Enhancing Technologies},year={2017},note={Presentation abstract},}
Kwon et al. recently showed that circuit fingerprinting attacks could be used to identify hidden service circuits, which is a key step towards linking Tor users and their activity online. In this paper, we explore an improvement to their attack that uses random forests, which achieves similar accuracy while being more robust to simple countermeasures against it. Additionally, we perform our attack from a middle node, for which an attacker needs fewer resources and can leverage guard fingerprinting to deanonymize users. Our evaluation shows the attack can be effectively deployed at the middle with 99.98% accuracy.
@misc{middlefp-s&p2017,title={Fingerprinting Hidden Service Circuits from a Tor Middle Relay},author={Juarez, Marc and Jansen, Rob and Galvez, Rafael and Elahi, Tariq and Diaz, Claudia and Wright, Matthew},howpublished={Symposium on Security and Privacy},year={2017},note={Poster abstract},}
We present PeerFlow, a system to securely load balance client traffic in Tor. Security in Tor requires that no adversary handle too much traffic. However, Tor relays are run by volunteers who cannot be trusted to report the relay bandwidths, which Tor clients use for load balancing. We show that existing methods to determine the bandwidths of Tor relays allow an adversary with little bandwidth to attack large amounts of client traffic. These methods include Tor’s current bandwidth-scanning system, TorFlow, and the peer-measurement system EigenSpeed. We present an improved design called PeerFlow that uses a peer-measurement process both to limit an adversary’s ability to increase his measured bandwidth and to improve accuracy. We show our system to be secure, fast, and efficient. We implement PeerFlow in Tor and demonstrate its speed and accuracy in large-scale network simulations.
@article{peerflow-popets2017,title={PeerFlow: Secure Load Balancing in Tor},author={Johnson, Aaron and Jansen, Rob and Hopper, Nicholas and Segal, Aaron and Syverson, Paul},journal={Proceedings on Privacy Enhancing Technologies},volume={2017},number={2},year={2017},doi={10.1515/popets-2017-0017},}
Tor users are vulnerable to deanonymization by an adversary that can observe some Tor relays or some parts of the network. We demonstrate that previous network-aware path-selection algorithms that propose to solve this problem are vulnerable to attacks across multiple Tor connections. We suggest that users use trust to choose the paths through Tor that are less likely to be observed, where trust is flexibly modeled as a probability distribution on the location of the user’s adversaries, and we present the Trust-Aware Path Selection algorithm for Tor that helps users avoid traffic-analysis attacks while still choosing paths that could have been selected by many other users. We evaluate this algorithm in two settings using a high-level map of Internet routing: (i) users try to avoid a single global adversary that has an independent chance to control each Autonomous System organization, Internet Exchange Point organization, and Tor relay family, and (ii) users try to avoid deanonymization by any single country. We also examine the performance of Trust-Aware Path Selection using the Shadow network simulator.
@inproceedings{taps-ndss2017,title={Avoiding The Man on the Wire: Improving Tor’s Security with Trust-Aware Path Selection},author={Johnson, Aaron and Jansen, Rob and Jaggard, Aaron D. and Feigenbaum, Joan and Syverson, Paul},booktitle={Network and Distributed System Security Symposium},year={2017},doi={10.14722/ndss.2017.23307},}
Tor is a popular network for anonymous communication. The usage and operation of Tor is not well-understood, however, because its privacy goals make common measurement approaches ineffective or risky. We present PrivCount, a system for measuring the Tor network designed with user privacy as a primary goal. PrivCount securely aggregates measurements across Tor relays and over time to produce differentially private outputs. PrivCount improves on prior approaches by enabling flexible exploration of many diverse kinds of Tor measurements while maintaining accuracy and privacy for each. We use PrivCount to perform a measurement study of Tor of sufficient breadth and depth to inform accurate models of Tor users and traffic. Our results indicate that Tor has 710,000 users connected but only 550,000 active at a given time, that Web traffic now constitutes 91% of data bytes on Tor, and that the strictness of relays’ connection policies significantly affects the type of application data they forward.
@inproceedings{privcount-ccs2016,title={Safely Measuring Tor},author={Jansen, Rob and Johnson, Aaron},booktitle={Conference on Computer and Communications Security},year={2016},doi={10.1145/2976749.2978310},}
We present a brief summary of The 14th Workshop on Privacy in the Electronic Society, held on October 12th, 2015, in conjunction with the 22nd ACM Conference on Computer and Communications Security in Denver, Colorado, USA. The goal of this workshop is to discuss the problems of privacy in the global interconnected societies and possible solutions to them. The workshop program includes 11 full papers and 3 short papers out of 32 total submissions. Specific areas that are covered in the program include, but are not limited to: web and social network privacy, mobile and location privacy, communications privacy, and privacy-preserving data analysis.
@misc{chairsummary-wpes2015,title={WPES 2015: The 14th Workshop on Privacy in the Electronic Society},author={Hopper, Nicholas and Jansen, Rob},howpublished={Workshop on Privacy in the Electronic Society},year={2015},note={Editorship},doi={10.1145/2810103.2812628},}
We describe a new methodology that enables the direct execution of multi-threaded applications inside of Shadow, an existing parallel discrete-event network simulation framework. Our methodology utilizes function interposition and an application-layer thread library to emulate the ordinary thread interface to the application. Using this methodology, we implement a new Shadow plug-in that directly executes the Bitcoin reference client software. To demonstrate the usefulness of this tool, we present novel denial-of-service attacks against the Bitcoin software that exploit low-level implementation artifacts in the Bitcoin reference client; our deterministic simulator was helpful in developing and demonstrating these attacks. We describe optimizations that enable scalable execution of thousands of Bitcoin nodes on a single machine, and discuss how to model the Bitcoin network for experimental purposes.
@inproceedings{shadowbitcoin-cset2015,title={Shadow-Bitcoin: Scalable Simulation via Direct Execution of Multi-threaded Applications},author={Miller, Andrew and Jansen, Rob},booktitle={Workshop on Cyber Security Experimentation and Test},year={2015},}
We consider proposals to improve the performance of the Tor overlay network by increasing the number of connections between relays, such as Torchestra and PCTCP. We introduce a new class of attacks that can apply to these designs, socket exhaustion, and show that these attacks are effective against PCTCP. We also describe IMUX, a design that generalizes the principles behind these designs while still mitigating against socket exhaustion attacks. We demonstrate empirically that IMUX resists socket exhaustion while finding that web clients can realize up to 25% increase in performance compared to Torchestra. Finally, we empirically evaluate the interaction between these designs and the recently proposed KIST design, which aims to improve performance by intelligently scheduling kernel socket writes.
@inproceedings{imux-wpes2014,title={IMUX: Managing Tor Connections from Two to Infinity, and Beyond},author={Geddes, John and Jansen, Rob and Hopper, Nicholas},booktitle={Workshop on Privacy in the Electronic Society},year={2014},doi={10.1145/2665943.2665948},}
Tor’s growing popularity and user diversity has resulted in network performance problems that are not well understood. A large body of work has attempted to solve these problems without a complete understanding of where congestion occurs in Tor. In this paper, we first study congestion in Tor at individual relays as well as along the entire end-to-end Tor path and find that congestion occurs almost exclusively in egress kernel socket buffers. We then analyze Tor’s socket interactions and discover two major issues affecting congestion: Tor writes sockets sequentially, and Tor writes as much as possible to each socket. We thus design, implement, and test KIST: a new socket management algorithm that uses real-time kernel information to dynamically compute the amount to write to each socket while considering all writable circuits when scheduling new cells. We find that, in the medians, KIST reduces circuit congestion by over 30 percent, reduces network latency by 18 percent, and increases network throughput by nearly 10 percent. We analyze the security of KIST and find an acceptable performance and security trade-off, as it does not significantly affect the outcome of well-known latency and throughput attacks. While our focus is Tor, our techniques and observations should help analyze and improve overlay and application performance, both for security applications and in general.
@inproceedings{kist-sec2014,title={Never Been KIST: Tor's Congestion Management Blossoms with Kernel-Informed Socket Transport},author={Jansen, Rob and Geddes, John and Wacek, Chris and Sherr, Micah and Syverson, Paul},booktitle={USENIX Security Symposium},year={2014},}
Mainak Ghosh, Miles Richardson, Bryan Ford, and Rob Jansen:
The Tor network relies on volunteer relay operators for relay bandwidth, which may limit its growth and scaling potential. We propose an incentive scheme for Tor relying on two novel concepts. We introduce TorCoin, an “altcoin” that uses the Bitcoin protocol to reward relays for contributing bandwidth. Relays “mine” TorCoins, then sell them for cash on any existing altcoin exchange. To verify that a given TorCoin represents actual bandwidth transferred, we introduce TorPath, a decentralized protocol for forming Tor circuits such that each circuit is privately-addressable but publicly verifiable. Each circuit’s participants may then collectively mine a limited number of TorCoins, in proportion to the end-to-end transmission goodput they measure on that circuit.
@inproceedings{torpath-hotpets2014,title={A TorPath to TorCoin: Proof-of-Bandwidth Altcoins for Compensating Relays},author={Ghosh, Mainak and Richardson, Miles and Ford, Bryan and Jansen, Rob},booktitle={Workshop on Hot Topics in Privacy Enhancing Technologies},year={2014},}
The Tor anonymity network depends on volunteers to operate relays, and might offer higher bandwidth with lower response latencies if more users could be incentivized to contribute relay bandwidth. We introduce TEARS, a system rewarding useful service with traffic priority. TEARS audits relays and rewards them with anonymous coins called Shallots, proportionally to bandwidth contributed. Shallots may be redeemed anonymously for PriorityPasses, which in turn may be presented to relays to request traffic priority. The PriorityPass construction enables relays to prevent double spending locally without leaking information. Unlike previous incentive proposals, TEARS incorporates transparent and distributed banking using protocols from distributed digital cryptocurrency systems like Bitcoin. Shallots are publicly-verifiable, minimizing reliance on and trust in banking authorities, making them auditable while naturally distributing bank functionality and associated overhead. Further, these distributed banking protocols resist denial-of-service attacks and can recover from catastrophic failures. TEARS may either be deployed in the existing Tor network or operate alongside it.
@inproceedings{tears-hotpets2014,title={From Onions to Shallots: Rewarding Tor Relays with TEARS},author={Jansen, Rob and Miller, Andrew and Syverson, Paul and Ford, Bryan},booktitle={Workshop on Hot Topics in Privacy Enhancing Technologies},year={2014},}
This document provides appendices to accompany the publication entitled “Never Been KIST: Tor’s Congestion Management Blossoms with Kernel-Informed Socket Transport” to appear in the Proceedings of the 23rd USENIX Security Symposium, 2014.
@techreport{kist-umntr14-012,title={Appendices to Accompany "Never Been KIST: Tor’s Congestion Management Blossoms with Kernel-Informed Socket Transport"},author={Jansen, Rob and Geddes, John and Wacek, Chris and Sherr, Micah and Syverson, Paul},booktitle={Computer Science \& Engineering (CS\&E) Technical Reports},institution={University of Minnesota},year={2014},number={14-012},}
Tor is a distributed onion-routing network used for achieving anonymity and resisting censorship online. Because of Tor’s growing popularity, it is attracting increasingly larger threats against which it was not securely designed. In this paper, we present the Sniper Attack, an extremely low cost but highly destructive denial of service attack against Tor that an adversary may use to anonymously disable arbitrary Tor relays. The attack utilizes valid protocol messages to boundlessly consume memory by exploiting Tor’s end-to-end reliable data transport. We design and evaluate a prototype of the attack to show its feasibility and efficiency: our experiments show that an adversary may consume a victim relay’s memory by as much as 2187 KiB/s while using at most only 92 KiB/s of upstream bandwidth. We extend our experimental results to estimate the threat against the live Tor network and find that a strategic adversary could disable all of the top 20 exit relays in only 29 minutes, thereby reducing Tor’s bandwidth capacity by 35 percent. We also show how the attack enables the deanonymization of hidden services through selective denial of service by forcing them to choose guard nodes in control of the adversary. Finally, we discuss defenses against the Sniper Attack that provably render the attack ineffective, and suggest defenses against deanonymization by denial-of-service attacks in general that significantly mitigate the threat.
@inproceedings{sniper-ndss2014,title={The Sniper Attack: Anonymously Deanonymizing and Disabling the {Tor} Network},author={Jansen, Rob and Tschorsch, Florian and Johnson, Aaron and Scheuermann, Björn},booktitle={Network and Distributed System Security Symposium},year={2014},doi={10.14722/ndss.2014.23288},}
We present the first analysis of the popular Tor anonymity network that indicates the security of typical users against reasonably realistic adversaries in the Tor network or in the underlying Internet. Our results show that Tor users are far more susceptible to compromise than indicated by prior work. Specific contributions of the paper include (1) a model of various typical kinds of users, (2) an adversary model that includes Tor network relays, autonomous systems (ASes), Internet exchange points (IXPs), and groups of IXPs drawn from empirical study, (3) metrics that indicate how secure users are over a period of time, (4) the most accurate topological model to date of ASes and IXPs as they relate to Tor usage and network configuration, (5) a novel realistic Tor path simulator (TorPS), and (6) analyses of security making use of all the above. To show that our approach is useful to explore alternatives and not just Tor as currently deployed, we also analyze a published alternative path selection algorithm, Congestion-Aware Tor. We create an empirical model of Tor congestion, identify novel attack vectors, and show that it too is more vulnerable than previously indicated.
@inproceedings{usersrouted-ccs2013,title={Users Get Routed: Traffic Correlation on Tor by Realistic Adversaries},author={Johnson, Aaron and Wacek, Chris and Jansen, Rob and Sherr, Micah and Syverson, Paul},booktitle={Conference on Computer and Communications Security},year={2013},doi={10.1145/2508859.2516651},}
Tor is one of the most popular anonymity systems in use today, in part because of its design goal of providing high performance. This has motivated research into performance enhancing modifications to Tor’s circuit scheduling, congestion control, and bandwidth allocation mechanisms. This paper investigates the effects of these proposed modifications on attacks that rely on network measurements as a side channel. We introduce a new class of induced throttling attacks in this space that exploit performance enhancing mechanisms to artificially throttle a circuit. We show that these attacks can drastically reduce the set of probable entry guards on a circuit, in many cases uniquely identifying the entry guard. Comparing to existing attacks, we find that although most of the performance enhancing modifications improve the accuracy of network measurements, the effectiveness of the attacks is reduced in some cases by making the Tor network more homogeneous. We conclude with an analysis of the total reduction in anonymity that clients face due to each proposed mechanism.
@inproceedings{howlow-pets2013,title={How Low Can You Go: Balancing Performance with Anonymity in Tor},author={Geddes, John and Jansen, Rob and Hopper, Nicholas},booktitle={Privacy Enhancing Technologies Symposium},year={2013},}
We propose that Tor supports the purchase of its services.
@misc{onionsforsale-fc2013,title={Onions for Sale: Putting Privacy on the Market},author={Johnson, Aaron and Jansen, Rob and Syverson, Paul},howpublished={Conference on Financial Cryptography and Data Security},year={2013},note={Poster abstract},}
Tor, the most popular deployed distributed onion routing network, suffers from performance and scalability problems stemming from a lack of incentives for volunteers to contribute. Insufficient capacity limits scalability and harms the anonymity of its users. We introduce LIRA, a lightweight scheme that creates performance incentives for users to contribute bandwidth resources to the Tor network. LIRA uses a novel cryptographic lottery: winners may be guessed with tunable probability by any user or bought in exchange for resource contributions. The traffic of those winning the lottery is prioritized through Tor. The uncertainty of whether a buyer or a guesser is getting priority improves the anonymity of those purchasing winners, while the performance incentives encourage contribution. LIRA is more lightweight than prior reward schemes that pay for service and provides better anonymity than schemes that simply give priority to traffic originating from fast relays. We analyze LIRA’s efficiency, anonymity, and incentives, present a prototype implementation, and describe experiments that show it indeed improves performance for those servicing the network.
@inproceedings{lira-ndss2013,title={LIRA: Lightweight Incentivized Routing for Anonymity},author={Jansen, Rob and Johnson, Aaron and Syverson, Paul},booktitle={Network and Distributed System Security Symposium},year={2013},}
An anonymous communication system hides the fact that two parties are communicating, and as a result, drastically improves the online privacy of those using it. Tor is the most popular anonymous communication system deployed, but its popularity has illuminated problems with its design that have made it unbearably slow for many users who would otherwise benefit from its protections. These performance problems have been recognized, but there has been little work on designing and properly evaluating practical solutions that improve performance while also preserving privacy. We initiate an exploration into Tor’s system design and the quality of the communication it provides. First, we design and develop a simulation tool, called Shadow, that allows us to experiment with the Tor software in a safe but realistic and controllable manner. We then give a precise model of the Tor network, the backbone networks upon which it operates, and the user agents operating within it. We show that by combining our model with Shadow, our experimentation environment is capable of producing network interactions and performance qualities indicative of real systems. We then investigate performance enhancements in three major areas of Tor’s design. We explore Tor’s utilization of resources by evaluating both existing and new circuit scheduling techniques, and show the extent to which scheduling can be used to prioritize traffic in order to improve desirable quality metrics. We then design and evaluate algorithms focused on reducing network load by throttling agents that consume an unfair share of network resources. Finally, in an effort to supplement Tor’s volunteered resources, we design and analyze two schemes that increase network capacity by providing incentives to those contributing resources to the system.
@phdthesis{jansen-phd-dissertation,author={Jansen, Rob},school={University of Minnesota},booktitle={Dissertations},title={Privacy preserving performance enhancements for anonymous communication networks},year={2012},}
Live Tor network experiments are difficult due to Tor’s distributed nature and the privacy requirements of its client base. Alternative experimentation approaches, such as simulation and emulation, must make choices about how to model various aspects of the Internet and Tor that are not possible or not desirable to duplicate or implement directly. This paper methodically models the Tor network by exploring and justifying every modeling choice required to produce accurate Tor experimentation environments. We validate our model using two state-of-the-art Tor experimentation tools and measurements from the live Tor network. We find that our model enables experiments that characterize Tor’s load and performance with reasonable accuracy.
@inproceedings{tormodel-cset2012,title={Methodically Modeling the Tor Network},author={Jansen, Rob and Bauer, Kevin and Hopper, Nicholas and Dingledine, Roger},booktitle={Workshop on Cyber Security Experimentation and Test},year={2012},}
@inproceedings{throttling-sec2012,title={Throttling Tor Bandwidth Parasites},author={Jansen, Rob and Syverson, Paul and Hopper, Nicholas},booktitle={USENIX Security Symposium},year={2012},}
Tor’s network congestion and performance problems stem from a small percentage of users that consume a large fraction of available network capacity. We present the design of three new algorithms that throttle clients to reduce network congestion and increase web client performance.
@misc{throttling-ndss2012-invitedabstract,title={Throttling Tor Bandwidth Parasites},author={Jansen, Rob and Syverson, Paul and Hopper, Nicholas},howpublished={Symposium on Network and Distributed System Security},year={2012},note={Invited abstract},}
Tor is a large and popular overlay network providing both anonymity to its users and a platform for anonymous communication research. New design proposals and attacks on the system are challenging to test in the live network because of deployment issues and the risk of invading users’ privacy, while alternative Tor experimentation techniques are limited in scale, are inaccurate, or create results that are difficult to reproduce or verify. We present the design and implementation of Shadow, an architecture for efficiently running accurate Tor experiments on a single machine. We validate Shadow’s accuracy with a private Tor deployment on PlanetLab and a comparison to live network performance statistics. To demonstrate Shadow’s powerful capabilities, we investigate circuit scheduling and find that the EWMA circuit scheduler reduces aggregate client performance under certain loads when deployed to the entire Tor network. Our software runs without root privileges, is open source, and is publicly available for download.
@inproceedings{shadow-ndss2012,title={Shadow: Running Tor in a Box for Accurate and Efficient Experimentation},author={Jansen, Rob and Hopper, Nicholas},booktitle={Network and Distributed System Security Symposium},year={2012},}
Tor is a large and popular overlay network providing both anonymity to its users and a platform for anonymous communication research. New design proposals and attacks on the system are challenging to test in the live network because of deployment issues and the risk of invading users’ privacy, while alternative Tor experimentation techniques are limited in scale, are inaccurate, or create results that are difficult to reproduce or verify. We present the design and implementation of Shadow, an architecture for efficiently running accurate Tor experiments on a single machine. We validate Shadow’s accuracy with a private Tor deployment on PlanetLab and a comparison to live network performance statistics. To demonstrate Shadow’s powerful capabilities, we investigate circuit scheduling and find that the EWMA circuit scheduler reduces aggregate client performance under certain loads when deployed to the entire Tor network. Our software is open source and available for download.
@techreport{shadow-umntr11-020,title={Shadow: Running Tor in a Box for Accurate and Efficient Experimentation},author={Jansen, Rob and Hopper, Nicholas J.},booktitle={Computer Science \& Engineering (CS\&E) Technical Reports},institution={University of Minnesota},year={2011},number={11-020},}
Tor’s network congestion and performance problems stem from a small percentage of users that consume a large fraction of available relay bandwidth. These users continuously drain relays of excess bandwidth, creating new network bottlenecks and exacerbating the effects of existing ones. Attacking the problem at its source, we present the design of three new algorithms that throttle clients to reduce network congestion and increase interactive client performance. Unlike existing techniques, our algorithms adaptively adjust throttling parameters given only information local to a relay. We implement our algorithms in Tor and compare significant client performance benefits using network-wide deployments of our algorithms under a variety of network loads. We also analyze the effects of throttling on anonymity and compare the security of our algorithms under adversarial attack. Software patches for our algorithms will be submitted to Tor.
@techreport{throttling-umntr11-019,title={Throttling Tor Bandwidth Parasites},author={Jansen, Rob and Syverson, Paul and Hopper, Nicholas},booktitle={Computer Science \& Engineering (CS\&E) Technical Reports},institution={University of Minnesota},year={2011},number={11-019},}
Delay Tolerant Networks (DTNs) remove traditional assumptions of end-to-end connectivity, extending network communication to intermittently connected mobile, ad-hoc, and vehicular environments. This work considers anonymity as a vital security primitive for viable military and civilian DTNs. DTNs present new and unique anonymity challenges since we must protect physical location information as mobile nodes with limited topology knowledge naturally mix. We develop a novel Threshold Pivot Scheme (TPS) for DTNs to address these challenges and provide resistance to traffic analysis, source anonymity, and sender-receiver unlinkability. Reply techniques adapted from mix-nets allow for anonymous DTN communication, while secret sharing provides a configurable level of anonymity that enables a balance between security and efficiency. We evaluate TPS via simulation on real-world DTN scenarios to understand its feasibility, performance, and overhead while comparing the provided anonymity against an analytically optimal model.
@inproceedings{tps-milcom2010,title={Toward Anonymity in Delay Tolerant Networks: Threshold Pivot Scheme},author={Jansen, Rob and Beverly, Robert},booktitle={Military Communications Conference},year={2010},doi={10.1109/MILCOM.2010.5680442},}
Tor, a distributed Internet anonymizing system, relies on volunteers who run dedicated relays. Other than altruism, these volunteers have no incentive to run relays, causing a large disparity between the number of users and available relays. We introduce BRAIDS, a set of practical mechanisms that encourages users to run Tor relays, allowing them to earn credits redeemable for improved performance of both interactive and non-interactive Tor traffic. These performance incentives will allow Tor to support increasing resource demands with almost no loss in anonymity: BRAIDS is robust to well-known attacks. Using a simulation of 20,300 Tor nodes, we show that BRAIDS allows relays to achieve 75% lower latency than non-relays for interactive traffic, and 90% higher bandwidth utilization for non-interactive traffic.
@inproceedings{braids-ccs2010,title={Recruiting New {Tor} Relays with {BRAIDS}},author={Jansen, Rob and Hopper, Nicholas and Kim, Yongdae},booktitle={Conference on Computer and Communications Security},year={2010},doi={10.1145/1866307.1866344},}
We introduce the concept of membership-concealing overlay networks (MCONs), which hide the real-world identities of participants. We argue that while membership concealment is orthogonal to anonymity and censorship resistance, pseudonymous communication and censorship resistance become much easier if done over a membership-concealing network. We formalize the concept of membership concealment, discuss a number of attacks against existing systems and present real-world attack results. We then propose three proof-of-concept MCON designs that resist those attacks: one that is more efficient, another that is more robust to membership churn, and a third that balances efficiency and robustness. We show theoretical and simulation results demonstrating the feasibility and performance of our schemes.
@inproceedings{mcon-ccs2009,title={Membership-Concealing Overlay Networks},author={Vasserman, Eugene and Jansen, Rob and Tyra, James and Hopper, Nicholas and Kim, Yongdae},booktitle={Conference on Computer and Communications Security},year={2009},doi={10.1145/1653662.1653709},}
Research on Delay and Disruption Tolerant Networks (DTNs) challenges the traditional assumption of end-to-end connectivity, extending networked communication to, e.g., intermittently connected devices, ad-hoc mobile environments, first-responder disaster scenarios, etc. In such environments, ensuring the security and privacy of content, networks, and participants is often vital. In this work, we consider DTN anonymity and privacy. The disconnected nature of DTNs presents a unique difficulty for traditional anonymity approaches, namely limited knowledge of other nodes and paths in the dynamic, mobile network. We develop a particular solution, the Threshold Pivot Scheme (TPS), to provide source anonymity and sender-receiver unlinkability in DTNs. Our scheme, based on secret sharing primitives, permits a user-selectable level of anonymity, an important feature for DTN environments that must balance security and usability. Through simulation and analytical analysis, we evaluate the performance and overhead of TPS and find that it addresses the constraints of DTNs while providing a suitably high level of anonymity.
@techreport{tps-bbntr8513,title={Toward Delay Tolerant Network Anonymity: Threshold Pivot Scheme},author={Jansen, Rob and Beverly, Robert},institution={BBN Technologies},year={2009},number={8513},}
Chris Arnold, Rob Jansen, Zi Lin, and James Parker:
Informal: On PAR for Attack.
Unpublished report, 2009.
In The Onion Router (TOR) system, anonymity is provided by router services run by TOR users who volunteer their computational resources. Scalability concerns stem from the TOR design because volunteers lack an incentive to participate. A payment scheme has previously been introduced that aims to provide economic incentives for volunteers, in hopes of increasing both the reliability of and participation in TOR. We show that this payment scheme breaks sender-receiver anonymity through a traffic analysis intersection attack and is also vulnerable to traffic injection attacks, enabling TOR exit nodes to unnoticeably cause an increase in traffic, and therefore payments, from the client. We simulate our intersection attack on the payment scheme and discuss directions for an improved design.
@misc{par-csci5471,title={On {PAR} for Attack},author={Arnold, Chris and Jansen, Rob and Lin, Zi and Parker, James},year={2009},howpublished={Unpublished report},note={Informal},}
2008
Rob Jansen, Ted Kaminski, Fedor Korsakov, Alexander Saint Croix, and Daniel Selifonov:
Informal: A Priori Trust Vulnerabilities in EigenTrust.
Unpublished report, 2008.
We review the motivations underlying the design of the EigenTrust algorithm for trust management in P2P file sharing networks, then illustrate through a simulated P2P network how EigenTrust’s reliance on pre-trusted peers undermines its other security requirements and can lead to severely compromised networks. We then explore a potential alternative to the use of pre-trusted peers, and demonstrate that EigenTrust can work without these vulnerable authorities.
@misc{fet-csci5271,title={A Priori Trust Vulnerabilities in EigenTrust},author={Jansen, Rob and Kaminski, Ted and Korsakov, Fedor and Croix, Alexander Saint and Selifonov, Daniel},year={2008},howpublished={Unpublished report},note={Informal},}
