Abstract
Tor, a peer-to-peer anonymous communication system, is one of the most effective tools in providing free and open communication online. Many of the attacks on Tor’s anonymity occur when an adversary can intercept a user’s traffic; it is thus useful to limit how much of a user’s traffic can enter potentially adversarial networks. Recent work has demonstrated that careful circuit creation can allow users to provably avoid geographic regions that a user expects to be adversarial. These prior systems leverage the fact that a user has complete control over the circuits they create. Unfortunately, that work does not apply to onion services (formerly known as “hidden services”), in which no one entity knows the full circuit between user and hidden service. In this work, we present the design, implementation, and evaluation of DeTor\(_{OS}\), the first provable geographic avoidance system for onion services. We demonstrate how recent work to build and deploy programmable middleboxes onto the Tor network allows us to take existing techniques like these and deploy them in scenarios that were not possible before. DeTor\(_{OS}\) is immediately deployable as it is built using programmable middleboxes, meaning it does not require either the Tor protocol or its source code to be modified. This work also raises a number of interesting questions about extensions of provable geographical routing to other scenarios and threat models, and reinforces how the notion of programmable middleboxes can allow for the deployment of both existing and new techniques in novel ways in anonymity networks.
Notes
- 1.
- 2. Assuming Bob’s OS supports the DeTor\(_{OS}\) protocol. In our current honest-but-curious model, we can provide no guarantees if the OS refuses to participate.
- 3. That has been provisioned with a TLS certificate as part of the Bento setup.
- 4. Since there are 50 possible Tor relays in the dataset and we choose 6 without replacement, this gives us over 36 billion circuits, which was infeasible to evaluate for never-once.
- 5.
- 6.
Acknowledgments
We thank the anonymous reviewers for their helpful comments. Arushi Arora and Christina Garman’s work was partially supported by NSF grant CNS-1816422. Dave Levin’s work was partially supported by NSF grant CNS-1943240.
© 2024 International Financial Cryptography Association
About this paper
Cite this paper
Arora, A., Karra, R., Levin, D., Garman, C. (2024). Provably Avoiding Geographic Regions for Tor’s Onion Services. In: Baldimtsi, F., Cachin, C. (eds) Financial Cryptography and Data Security. FC 2023. Lecture Notes in Computer Science, vol 13950. Springer, Cham. https://doi.org/10.1007/978-3-031-47754-6_17
DOI: https://doi.org/10.1007/978-3-031-47754-6_17
Publisher Name: Springer, Cham
Print ISBN: 978-3-031-47753-9
Online ISBN: 978-3-031-47754-6
eBook Packages: Computer Science (R0)