Professional Documents
Culture Documents
Aaron Johnson1 Chris Wacek2 Rob Jansen1 Micah Sherr2 Paul Syverson1
1 U.S.
10
11
13
1. Empirical analysis of traffic correlation threat 2. Develop adversary framework and security metrics 3. Develop analysis methodology and tools
14
Overview
Summary Tor Background Tor Security Analysis
o Adversary Framework o Security Metrics o Evaluation Methodology o Node Adversary Analysis o Link Adversary Analysis
Future Work
15
Overview
Summary Tor Background Tor Security Analysis
o Adversary Framework o Security Metrics o Evaluation Methodology o Node Adversary Analysis o Link Adversary Analysis
Future Work
16
Users
Onion Routers
Destinations
17
Users
Onion Routers
Destinations
18
Users
Onion Routers
Destinations
19
Users
Onion Routers
Destinations
20
Users
Onion Routers
Destinations
21
22
23
1. Clients begin all circuits with a selected guard. 2. Relays define individual exit policies.
24
1. Clients begin all circuits with a selected guard. 2. Relays define individual exit policies. 3. Clients multiplex streams over a circuit.
25
1. 2. 3. 4.
Clients begin all circuits with a selected guard. Relays define individual exit policies. Clients multiplex streams over a circuit. New circuits replace existing ones periodically.
26
Overview
Summary Tor Background Tor Security Analysis
o Adversary Framework o Security Metrics o Evaluation Methodology o Node Adversary Analysis o Link Adversary Analysis
Future Work
27
Adversary Framework
28
Adversary Framework
29
Adversary Framework
30
Adversary Framework
31
Adversary Framework
Resource Types Relays Bandwidth Autonomous Systems (ASes) Internet Exchange Points (IXPs) Money
32
Adversary Framework
Resource Types Relays Bandwidth Autonomous Systems (ASes) Internet Exchange Points (IXPs) Money
Resource Endowment Destination host 5% Tor bandwidth Source AS Equinix IXPs
33
Adversary Framework
Resource Types Relays Bandwidth Autonomous Systems (ASes) Internet Exchange Points (IXPs) Money
Resource Endowment Destination host 5% Tor bandwidth Source AS Equinix IXPs Goal Target a given users communication Compromise as much traffic as possible Learn who uses Tor Learn what Tor is used for
34
Overview
Summary Tor Background Tor Security Analysis
o Adversary Framework o Security Metrics o Evaluation Methodology o Node Adversary Analysis o Link Adversary Analysis
Future Work
35
Security Metrics
Prior metrics
Security Metrics
Security Metrics
2. Probability some AS/IXP exists on both entry and exit paths (i.e. path independence)
Security Metrics
2. Probability some AS/IXP exists on both entry and exit paths (i.e. path independence) 3. gt : Probability of choosing malicious guard within time t
Security Metrics
Principles 1. Probability distribution 2. Measure on human timescales 3. Based on adversaries
40
Security Metrics
Principles 1. Probability distribution 2. Measure on human timescales 3. Based on adversaries
Metrics 1. Probability distribution of time until first path compromise 2. Probability distribution of number of path compromises for a given user over given time period
41
Overview
Background Onion Routing Security Analysis
o Problem: Traffic correlation o Adversary Model o Security Metrics o Evaluation Methodology o Node Adversary Analysis o Link Adversary Analysis
Future Work
42
User Model
User Model
20-minute traces
45
Typical
Facebook Web search IRC BitTorrent
20-minute traces
46
Session schedule One session at 9:00, 12:00, 15:00, and 18:00 Su-Sa
Typical
Facebook Web search IRC BitTorrent
20-minute traces
Session schedule One session at 9:00, 12:00, 15:00, and 18:00 Su-Sa
20-minute traces
50
User Model
metrics.torproject.org
Hourly consensuses Monthly server descriptors archive
52
User Model
Reimplemented path selection in Python Based on current Tor stable version (0.2.3.25) Major path selection features include
Bandwidth weighting Exit policies Guards and guard rotation Hibernation /16 and family conflicts
54
Overview
Background Onion Routing Security Analysis
o Problem: Traffic correlation o Adversary Model o Security Metrics o Evaluation Methodology o Node Adversary Analysis o Link Adversary Analysis
Future Work
55
Node Adversary
Rank 1 2 3 4 5
Bandwidth Family (MiB/s) 260.5 115.7 107.8 95.3 80.5 torservers.net Chaos Computer Club DFRI Team Cymru Paint
56
Node Adversary
Probability to compromise at least one stream and rate of compromise, 10/12 3/13.
57
Node Adversary
58
59
61
Overview
Background Onion Routing Security Analysis
o Problem: Traffic correlation o Adversary Model o Security Metrics o Evaluation Methodology o Node Adversary Analysis o Link Adversary Analysis
Future Work
63
Link Adversary
64
Link Adversary
AS 6
AS1 AS2
AS8
AS 6
AS3 AS4
AS 7
AS5
65
Link Adversary
AS 6
AS1 AS2
AS8
AS 6
AS3 AS4
AS 7
AS5
66
Link Adversary
AS 6
AS1 AS2
AS8
AS 6
AS3 AS4
AS 7
AS5
1. Autonomous Systems (ASes) 2. Internet Exchange Points (IXPs) 3. Adversary has fixed location
67
Link Adversary
AS 6
AS1 AS2
AS8
AS 6
AS3 AS4
AS 7
AS5
1. Autonomous Systems (ASes) 2. Internet Exchange Points (IXPs) 3. Adversary has fixed location
68
Link Adversary
AS 6
AS1 AS2
AS8
AS 6
AS3 AS4
AS 7
AS5
1. 2. 3. 4.
Autonomous Systems (ASes) Internet Exchange Points (IXPs) Adversary has fixed location Adversary may control multiple entities
a. Top ASes b. IXP organizations
69
Link Adversary
Client locations Top 5 non-Chinese source ASes in Tor (Edman&Syverson 09)
AS# 3320 3209 3269 Description Deutsche Telekom AG Arcor Telecom Italia Country Germany Germany Italy Germany
Telefonica Deutschland Germany ID 3356 1299 6939 286 DE-CIX Description Level 3 Communications TeliaNet Global Hurricane Electric DE-CIX Frankfurt DE-CIX
AS/IXP Locations Ranked for client location by frequency on entry or exit paths Exclude src/dst ASes Top k ASes /top IXP organization
70
Link Adversary
IXP organizations obtained by manual clustering based on PeerDB and PCH.
# 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19
IXP Organization Equinix PTTMetro PIPE NIXI XChangePoint MAE/VERIZON Netnod Any2 PIX JPNAP DE-CIX AEPROVI Vietnam NorthWestIX Terremark Telx NorrNod ECIX JPIX
Size Country 26 8 6 6 5 5 5 4 4 3 2 2 2 2 2 2 2 2 2 global Brazil Australia India global global Sweden US Canada Japan Germany Equador Vietnam Montana, US global US Sweden Germany Japan
71
Link Adversary
Adversary controls one AS, Time to first compromised stream, 1/13 3/13 Best: most secure client AS Worst: least secure client AS
Adversary controls one AS, Fraction compromised streams, 1/13 3/13 Best: most secure client AS Worst: least secure client AS
72
Link Adversary
Adversary controls IXP organization, Time to first compromised stream, 1/13 3/13, Best: most secure client AS Worst: least secure client AS
Adversary controls top ASes, Time to first compromised stream, 1/13 3/13, Only best client AS
73
Overview
Background Onion Routing Security Analysis
o Problem: Traffic correlation o Adversary Model o Security Metrics o Evaluation Methodology o Node Adversary Analysis o Link Adversary Analysis
Future Work
74
Future Work
1. Extending analysis 2. Improving guard selection 3. Using trust-based path selection to protect against traffic correlation 4. Dealing with incomplete and inaccurate AS and IXP maps 5. Include Tors performance-based pathselection features in TorPS
75