The Tor network depends mainly on resources, which are owned and managed by volunteers, to cater daily for millions of internet users seeking to maintain high levels of anonymity and privacy. As such, these resources have to be efficiently managed, by the Tor network, while also dealing with challenges facing its utility and robustness. A large percentage of the challenges facing Tor emerge from insufficient trust in three main entities:
- Operators of relay nodes whose function is to manages the flow of Tor network traffic through the relay nodes.
- Autonomous Systems (ASes) which own the various networks across which the relay nodes operate.
- Internet users who access the world wide web via means of the Tor network.
ASes can precisely de-anonymize Tor users as well as the servers they access. On the other hand, adversaries at the network level, such as ASes representing restrictive governments, can markedly decrease network utility via identification and blockage of Tor related traffic. Moreover, some Tor users can sometimes abuse the anonymity offered to them via the network.
A recently published research study addressed each of the aforementioned threats. Particularly, the study presented:
- Strategies to modify network traffic flows to countermeasure the threats imposed by eavesdropping and relay-level adversaries.
- Relay selection techniques which utilize internet measurement approaches to counteract deanonymization threats imposed by adversaries at network level.
- A covert channel construction scheme that mitigates the threat of blockage by adversaries at the network level via means of reversal of imbalance of resources throughout the arms race between censoring on one side, and circumvention tool developers on the other.
- Measurements that estimate the magnitude of server-side discrimination facing honest Tor users secondary to the dishonest behavior of malicious users across the network.
Interestingly, this research study presented theoretically derived ideas for maximizing the robustness of any form of network. The suggested approaches for flow modification illustrate how secure means of traffic correlation defense measures can be efficient even in the presence of low bandwidth resources. The relay selection strategies presented via the study demonstrate how to minimize various forms of traffic correlation attacks via utilization of network measurement analysis to bypass adversaries without having to modify the infrastructure of the network. The proposed covert channel scheme demonstrates how wise protocol selection approaches can render communication blockage extremely expensive for censors.
Let’s take a look at some of the defenses proposed via this study:
Website Fingerprinting Defenses:
The study presented three forms of defenses against website fingerprinting:
Congestion sensitive BuFlo:
The study proposed the Congestion Sensitive Buffered Fixed Length Obfuscator (CS-BuFLO) which maximizes the security and performance of known defense technique, the BuFLO. The CS-BuFLO represents a new strategy in fingerprinting defenses. Most of the previously known fingerprinting defenses were formulated to counteract known attacks, and hence adopt black listing to address information leaks; in other words, they act to conceal certain features from attackers including packet sizes. Oppositely, CS-BuFLO adopts a whitelisting defensive approach. The design is based on concealment of traffic flow characteristics and iterative refinement of the design to uncover certain features of traffic flow.
The Highly secure Glove website fingerprinting defense:
Glove shows that secure and effective website fingerprinting can be securely achieved. The main idea underlying “Glove” is relatively simple; even though webpages usually widely vary in size and structure, protecting a large number of webpages from fingerprinting is possible via categorization of similar webpages into clusters. Consequently, to countermeasure website fingerprinting, one only has to add a small magnitude of cover traffic to categorize all webpages in a cluster that will all seem to be the same webpage to the attacker. Whenever a user loads a webpage while utilizing this defense technique, the attacker will be able to determine the cluster to which that webpage belongs, yet he/she won’t be able to gain any additional information regarding which specific page within that cluster the user is actually browsing.
Network Level Correlation Defenses:
The research study made contribution, regarding network level defenses, in two dimensions. Firstly, via means of a series of simulated and real world experiments, the study quantified the threat imposed by adversaries via Tor traffic correlation at network level. Secondly, the study developed a method for relay selection to counteract such attacks by adversaries at the network level.