
Provably Avoiding Geographic Regions for Tor’s Onion Services

  • Conference paper
Financial Cryptography and Data Security (FC 2023)

Abstract

Tor, a peer-to-peer anonymous communication system, is one of the most effective tools in providing free and open communication online. Many of the attacks on Tor’s anonymity occur when an adversary can intercept a user’s traffic; it is thus useful to limit how much of a user’s traffic can enter potentially adversarial networks. Recent work has demonstrated that careful circuit creation can allow users to provably avoid geographic regions that a user expects to be adversarial. These prior systems leverage the fact that a user has complete control over the circuits they create. Unfortunately, that work does not apply to onion services (formerly known as “hidden services”), in which no one entity knows the full circuit between user and hidden service. In this work, we present the design, implementation, and evaluation of DeTor\(_{OS}\), the first provable geographic avoidance system for onion services. We demonstrate how recent work to build and deploy programmable middleboxes onto the Tor network allows us to take existing techniques like these and deploy them in scenarios that were not possible before. DeTor\(_{OS}\) is immediately deployable as it is built using programmable middleboxes, meaning it does not require either the Tor protocol or its source code to be modified. This work also raises a number of interesting questions about extensions of provable geographical routing to other scenarios and threat models, as well as reinforces how the notion of programmable middleboxes can allow for the deployment of both existing and new techniques in novel ways in anonymity networks.


Notes

  1. We note that, as discussed in [22], the Bento architecture is not bound to SGX and can work with any TEE that supports similar functionality [2].

  2. Assuming Bob’s OS supports the DeTor\(_{OS}\) protocol. In our current honest-but-curious model, we can provide no guarantees if the OS refuses to participate.

  3. That has been provisioned with a TLS certificate as part of the Bento setup.

  4. Since there are 50 possible Tor relays in the dataset and we choose 6 without replacement, this gives us over 36 billion circuits, which was infeasible to evaluate for never-once.

  5. Given this, we do not repeat similar experiments here and instead refer the interested reader to [7, 22] for more information.

  6. https://bento.cs.umd.edu.

References

  1. Anati, I., Gueron, S., Johnson, S., Scarlata, V.: Innovative technology for CPU based attestation and sealing. In: International Workshop on Hardware and Architectural Support for Security and Privacy (HASP) (2013)


  2. ARM security technology: building a secure system using TrustZone technology. http://infocenter.arm.com/help/topic/com.arm.doc.prd29-genc-009492c/PRD29-GENC-009492C_trustzone_security_whitepaper.pdf

  3. Arp, D., Yamaguchi, F., Rieck, K.: Torben: a practical side-channel attack for deanonymizing tor communication. In: Proceedings of the 10th ACM Symposium on Information, Computer and Communications Security, pp. 597–602 (2015)


  4. Cangialosi, F., Levin, D., Spring, N.: Ting: measuring and exploiting latencies between all tor nodes. In: Proceedings of the 2015 Internet Measurement Conference, pp. 289–302 (2015)


  5. Dingledine, R., Mathewson, N., Syverson, P.: Tor: the second-generation onion router. Technical report (2004)


  6. Garman, C., Green, M., Miers, I.: Decentralized anonymous credentials. Cryptology ePrint Archive (2013)


  7. Herwig, S., Garman, C., Levin, D.: Achieving keyless CDNs with conclaves. In: USENIX Security Symposium (2020)


  8. Intel: L1 Terminal Fault (2018). http://software.intel.com/content/www/us/en/develop/articles/software-security-guidance/advisory-guidance/l1-terminal-fault.html

  9. Jansen, R., Tschorsch, F., Johnson, A., Scheuermann, B.: The sniper attack: anonymously deanonymizing and disabling the tor network. Technical report, Office of Naval Research Arlington VA (2014)


  10. Johnson, A., Wacek, C., Jansen, R., Sherr, M., Syverson, P.: Users get routed: traffic correlation on tor by realistic adversaries. In: Proceedings of the 2013 ACM SIGSAC Conference on Computer and Communications Security, pp. 337–348 (2013)


  11. Johnson, S., Scarlata, V., Rozas, C., Brickell, E., Mckeen, F.: Intel Software Guard Extensions: EPID Provisioning and Attestation Services (2016)


  12. Karunanayake, I., Ahmed, N., Malaney, R., Islam, R., Jha, S.: Anonymity with tor: a survey on tor attacks. arXiv preprint arXiv:2009.13018 (2020)

  13. Kohls, K., Jansen, K., Rupprecht, D., Holz, T., Pöpper, C.: On the challenges of geographical avoidance for tor. In: Network and Distributed System Security Symposium (NDSS) (2019)


  14. Kwon, A., AlSabah, M., Lazar, D., Dacier, M., Devadas, S.: Circuit fingerprinting attacks: passive deanonymization of tor hidden services. In: USENIX Security Symposium (2015)


  15. Levin, D., et al.: Alibi routing. ACM SIGCOMM Comput. Commun. Rev. (2015)


  16. Levis, P.: The collateral damage of internet censorship by DNS injection. ACM SIGCOMM CCR 42(3), 10–1145 (2012)


  17. Li, Z., Herwig, S., Levin, D.: Detor: Provably avoiding geographic regions in tor. In: USENIX Security Symposium (2017)


  18. Nasr, M., Bahramali, A., Houmansadr, A.: DeepCorr: strong flow correlation attacks on tor using deep learning. In: Proceedings of the 2018 ACM SIGSAC Conference on Computer and Communications Security, pp. 1962–1976 (2018)


  19. Nebuchadnezzar, H.: The collateral damage of internet censorship by DNS injection. ACM SIGCOMM CCR 42(3), 10–1145 (2012)


  20. Overlier, L., Syverson, P.: Locating hidden servers. In: IEEE Symposium on Security and Privacy (2006)


  21. Project, T.T.: Tor Manual (2022). http://2019.www.torproject.org/docs/tor-manual.html.en

  22. Reininger, M., et al.: Bento: safely bringing network function virtualization to tor. In: ACM SIGCOMM (2021)


  23. Rochet, F., Bonaventure, O., Pereira, O.: Flexible anonymous network. arXiv preprint arXiv:1906.11520 (2019)

  24. Rosenberg, M., White, J., Garman, C., Miers, I.: zk-creds: Flexible anonymous credentials from zksnarks and existing identity infrastructure. Cryptology ePrint Archive (2022)


  25. Ryan, M.J., Chowdhury, M., Jiang, F., Doss, R.: Avoiding geographic regions in tor. In: 2020 IEEE 19th International Conference on Trust, Security and Privacy in Computing and Communications (TrustCom) (2020)


  26. Schuchard, M., Geddes, J., Thompson, C., Hopper, N.: Routing around decoys. In: Proceedings of the 2012 ACM Conference on Computer and Communications Security, pp. 85–96 (2012)


  27. Wang, T., Cai, X., Nithyanand, R., Johnson, R., Goldberg, I.: Effective attacks and provable defenses for website fingerprinting. In: USENIX Security Symposium (2014)



Acknowledgments

We thank the anonymous reviewers for their helpful comments. Arushi Arora and Christina Garman’s work was partially supported by NSF grant CNS-1816422. Dave Levin’s work was partially supported by NSF grant CNS-1943240.


Corresponding author

Correspondence to Arushi Arora.


Copyright information

© 2024 International Financial Cryptography Association

About this paper


Cite this paper

Arora, A., Karra, R., Levin, D., Garman, C. (2024). Provably Avoiding Geographic Regions for Tor’s Onion Services. In: Baldimtsi, F., Cachin, C. (eds) Financial Cryptography and Data Security. FC 2023. Lecture Notes in Computer Science, vol 13950. Springer, Cham. https://doi.org/10.1007/978-3-031-47754-6_17


  • DOI: https://doi.org/10.1007/978-3-031-47754-6_17


  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-031-47753-9

  • Online ISBN: 978-3-031-47754-6

  • eBook Packages: Computer Science, Computer Science (R0)
