
Measuring and Mitigating AS-level Adversaries Against Tor



  1. Measuring and Mitigating AS-level Adversaries Against Tor
     Oleksii Starov, Adva Zair, Phillipa Gill, Michael Schapira, Rishab Nithyanand

  2. Network-level Traffic Correlation Attacks
     Internet routing is asymmetric. Source -> Entry != Entry -> Source
     [Diagram labels: Source, Entry, Exit, Destination, AS, Router]
     RAPTOR (USENIX Security 2015): Any AS on (Source -> Entry OR Entry -> Source) AND (Exit -> Dest OR Dest -> Exit) is in a position to launch a traffic correlation attack

  3. Measuring Network-level Adversaries
     [Diagram: Source, Entry, Exit, Destination, with paths labelled A, B, C, D]
     Goal: Quantify the threat from network-level adversaries
     Approach: Identify ASes on A, B, C, and D
     • $\mathrm{ADV} = (A \cup B) \cap (C \cup D)$
     Challenge: Traceroutes only let us obtain A

  4. Measuring Network-level Adversaries
     Our Approach: Spherical cows!
     • Make assumptions about Internet routing.
     • Obtain approximate AS-level paths.
     Approximating ASes on a path (offline):
     • AS Topology: 36K ASes + 126K relationships
     • Use inter-AS relationships (customer, peer, provider) to decide whether an AS will route via another
     • Routing through customers > peers > providers, then prefer shortest paths
     • If there are multiple options, we consider all of them
     • (see paper for validation)

  5. Measuring Network-level Adversaries
     10 Countries: BR, CN, DE, ES, FR, GB, IR, IT, RU, US
     200 websites/country: Local Alexa T-100 + 100 Citizen Lab sensitive pages
     Adversaries: Network-level, colluding network-level (see paper), and state-level

  6. Measuring Network-level Adversaries
     How vulnerable is vanilla Tor?
     Main Circuit: Circuit carrying first “GET” request is vulnerable
     Any Circuit: Circuit carrying any request is vulnerable
     [Figure: Fraction of websites with vulnerable circuits (0 to 100), main circuit vs. any circuit, for BR, CN, DE, ES, FR, GB, IR, IT, RU, US and All; one panel for the network-level adversary, one for the state-level adversary]

  7. Measuring Network-level Adversaries
     Can AS-aware relay selection help? YES!
     • > 20000 (source, destination) AS pairs in each country
     • Consider 1000 * 1000 available (entry, exit) pairs
     • What fraction of the 20000 (source, destination) pairs have at most x% of their 1 million (entry, exit) pairs safe from network-level threats?
     [Figure annotations: BAD, GOOD]

  8. Astoria: This AS-aware Tor client is alright
     [Diagram labels: Measurement Toolkit, OFFLINE, IP-ASN Database]
     1. Convert (source, destination) IPs to ASNs
     2. Compute “safe-options” from all |entry-guard| * |legal-exits| options
     3. Select one of the “safe-options”
     4. Construct and use circuit
     What if there are no safe options? Astoria uses an LP to minimize number of circuits that are vulnerable to any single adversary. (see paper)

  9. Astoria: Security Evaluation
     Network-level Adversary: any: 53% -> 8%, main: 37% -> 3%
     State-level Adversary: any: 88% -> 34%, main: 82% -> 27%

  10. Astoria: Performance Evaluation
     Page-load times: Tor: 5.9 sec, Astoria: 8.3 sec, Uniform: 15.6 sec
     [Figure: Cumulative probability vs. page load time (sec) for Astoria, Vanilla Tor and Uniform Tor]
     Load balancing: Similar to Tor*
     [Figure: Cumulative probability vs. relay bandwidth (MB/s); labels: Available relays, Perfect load balancing client, Astoria, Vanilla Tor, Uniform Tor]

  11. Conclusions
     • Offline path-prediction toolkit to measure Tor vulnerability
     • Significantly better security against network-level adversaries
     • Cuts number of vulnerable websites to less than 1/4th
     • Effectively deals with worst-case situations
     • Load balancing: Similar to Tor
     • Page-load times: Better than uniform, worse than Tor
     • Main problem: Cannot pre-build circuits like Tor
     • Arguably weaker against relay-level adversaries (see paper)
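
The path approximation from slide 4 and the adversary set from slide 3, combined in an added example (not code from the presentation or from Astoria). The link format, the AS names and the mapping of A, B, C, D to the four directed paths (source to entry, entry to source, exit to destination, destination to exit) are assumptions, and the topology is constructed.

```python
import heapq
from collections import defaultdict

CUST, PEER, PROV = 0, 1, 2  # class of the neighbour a route was learned from, best first

def ases_on_paths(links, dst):
    """Map each AS that has a route to dst to the set of ASes on any of its best paths."""
    nbrs = defaultdict(set)  # nbrs[u, cls]: ASes that would learn u's route as class cls
    for a, b, rel in links:  # "p2c": a is b's provider; anything else: a and b peer
        if rel == "p2c":
            nbrs[b, CUST].add(a)
            nbrs[a, PROV].add(b)
        else:
            nbrs[a, PEER].add(b)
            nbrs[b, PEER].add(a)
    best, hops = {dst: (CUST, 0)}, {dst: set()}  # (class, AS-hop count), tied next hops
    def offer(asn, cls, via):  # via announces its best route to asn
        cand = (cls, best[via][1] + 1)
        if asn not in best or cand < best[asn]:
            best[asn], hops[asn] = cand, {via}
            return True
        if cand == best[asn]:
            hops[asn].add(via)  # tie: keep every option
        return False
    def spread(cls):  # flood current routes to cls-neighbours, shortest first
        heap = sorted((length, a) for a, (_, length) in best.items())
        while heap:
            _, u = heapq.heappop(heap)
            for n in sorted(nbrs[u, cls]):
                if offer(n, cls, u):
                    heapq.heappush(heap, (best[n][1], n))
    spread(CUST)  # 1) customer-learned routes climb to providers
    for u in sorted(best):  # 2) then cross exactly one peering link
        for q in sorted(nbrs[u, PEER]):
            offer(q, PEER, u)
    spread(PROV)  # 3) every route descends to customers
    on = {}
    for a in sorted(best, key=lambda x: best[x][1]):  # next hops are one hop shorter
        on[a] = {a}.union(*(on[h] for h in hops[a]))
    return on

def adversaries(links, src, entry, exit_, dest):
    """ADV = (A | B) & (C | D); A..D are assumed to be the four directed paths."""
    path = lambda s, d: ases_on_paths(links, d).get(s, set())
    return (path(src, entry) | path(entry, src)) & (path(exit_, dest) | path(dest, exit_))

# Constructed toy topology: X is provider of S, E, R, D; M is provider of E and peers with S.
LINKS = [("X", "S", "p2c"), ("X", "E", "p2c"), ("M", "E", "p2c"),
         ("S", "M", "p2p"), ("X", "R", "p2c"), ("X", "D", "p2c")]
```

In the sample, `adversaries(LINKS, "S", "E", "R", "D")` flags X even though X is not on the predicted S -> E path: it appears only on the E -> S direction, which is the asymmetry slide 2 describes.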
