26 research outputs found
PTPerf: On the performance evaluation of Tor Pluggable Transports
Tor, one of the most popular censorship circumvention systems, faces regular
blocking attempts by censors. Thus, to facilitate access, it relies on
"pluggable transports" (PTs) that disguise Tor's traffic and make it hard for
the adversary to block Tor. However, these are not yet well studied and
compared for the performance they provide to the users. Thus, we conduct a
first comparative performance evaluation of a total of 12 PTs -- the ones
currently supported by the Tor project and those that can be integrated in the
future.
Our results reveal multiple facets of the PT ecosystem. (1) PTs' download
time significantly varies even under similar network conditions. (2) All PTs
are not equally reliable. Thus, clients who regularly suffer censorship may
falsely believe that such PTs are blocked. (3) PT performance depends on the
underlying communication primitive. (4) PTs performance significantly depends
on the website access method (browser or command-line). Surprisingly, for some
PTs, website access time was even less than vanilla Tor.
Based on our findings from more than 1.25M measurements, we provide
recommendations about selecting PTs and believe that our study can facilitate
access for users who face censorship.Comment: 25 pages, 12 figure
DeTorrent: An Adversarial Padding-only Traffic Analysis Defense
While anonymity networks like Tor aim to protect the privacy of their users,
they are vulnerable to traffic analysis attacks such as Website Fingerprinting
(WF) and Flow Correlation (FC). Recent implementations of WF and FC attacks,
such as Tik-Tok and DeepCoFFEA, have shown that the attacks can be effectively
carried out, threatening user privacy. Consequently, there is a need for
effective traffic analysis defense.
There are a variety of existing defenses, but most are either ineffective,
incur high latency and bandwidth overhead, or require additional
infrastructure. As a result, we aim to design a traffic analysis defense that
is efficient and highly resistant to both WF and FC attacks. We propose
DeTorrent, which uses competing neural networks to generate and evaluate
traffic analysis defenses that insert 'dummy' traffic into real traffic flows.
DeTorrent operates with moderate overhead and without delaying traffic. In a
closed-world WF setting, it reduces an attacker's accuracy by 61.5%, a
reduction 10.5% better than the next-best padding-only defense. Against the
state-of-the-art FC attacker, DeTorrent reduces the true positive rate for a
false positive rate to about .12, which is less than half that of the
next-best defense. We also demonstrate DeTorrent's practicality by deploying it
alongside the Tor network and find that it maintains its performance when
applied to live traffic.Comment: Accepted to the 24th Privacy Enhancing Technologies Symposium (PETS
2024
Recommended from our members
TOWARDS RELIABLE CIRCUMVENTION OF INTERNET CENSORSHIP
The Internet plays a crucial role in today\u27s social and political movements by facilitating the free circulation of speech, information, and ideas; democracy and human rights throughout the world critically depend on preserving and bolstering the Internet\u27s openness. Consequently, repressive regimes, totalitarian governments, and corrupt corporations regulate, monitor, and restrict the access to the Internet, which is broadly known as Internet \emph{censorship}. Most countries are improving the internet infrastructures, as a result they can implement more advanced censoring techniques. Also with the advancements in the application of machine learning techniques for network traffic analysis have enabled the more sophisticated Internet censorship. In this thesis, We take a close look at the main pillars of internet censorship, we will introduce new defense and attacks in the internet censorship literature.
Internet censorship techniques investigate users’ communications and they can decide to interrupt a connection to prevent a user from communicating with a specific entity. Traffic analysis is one of the main techniques used to infer information from internet communications. One of the major challenges to traffic analysis mechanisms is scaling the techniques to today\u27s exploding volumes of network traffic, i.e., they impose high storage, communications, and computation overheads. We aim at addressing this scalability issue by introducing a new direction for traffic analysis, which we call \emph{compressive traffic analysis}. Moreover, we show that, unfortunately, traffic analysis attacks can be conducted on Anonymity systems with drastically higher accuracies than before by leveraging emerging learning mechanisms. We particularly design a system, called \deepcorr, that outperforms the state-of-the-art by significant margins in correlating network connections. \deepcorr leverages an advanced deep learning architecture to \emph{learn} a flow correlation function tailored to complex networks. Also to be able to analyze the weakness of such approaches we show that an adversary can defeat deep neural network based traffic analysis techniques by applying statistically undetectable \emph{adversarial perturbations} on the patterns of live network traffic.
We also design techniques to circumvent internet censorship. Decoy routing is an emerging approach for censorship circumvention in which circumvention is implemented with help from a number of volunteer Internet autonomous systems, called decoy ASes. We propose a new architecture for decoy routing that, by design, is significantly stronger to rerouting attacks compared to \emph{all} previous designs. Unlike previous designs, our new architecture operates decoy routers only on the downstream traffic of the censored users; therefore we call it \emph{downstream-only} decoy routing. As we demonstrate through Internet-scale BGP simulations, downstream-only decoy routing offers significantly stronger resistance to rerouting attacks, which is intuitively because a (censoring) ISP has much less control on the downstream BGP routes of its traffic. Then, we propose to use game theoretic approaches to model the arms races between the censors and the censorship circumvention tools. This will allow us to analyze the effect of different parameters or censoring behaviors on the performance of censorship circumvention tools. We apply our methods on two fundamental problems in internet censorship.
Finally, to bring our ideas to practice, we designed a new censorship circumvention tool called \name. \name aims at increasing the collateral damage of censorship by employing a ``mass\u27\u27 of normal Internet users, from both censored and uncensored areas, to serve as circumvention proxies
SoK: Making Sense of Censorship Resistance Systems
An increasing number of countries implement Internet censorship at different scales and for a variety of reasons. Several censorship resistance systems (CRSs) have emerged to help bypass such blocks. The diversity of the censor’s attack landscape has led to an arms race, leading to a dramatic speed of evolution of CRSs. The inherent complexity of CRSs and the breadth of work in this area makes it hard to contextualize the censor’s capabilities and censorship resistance strategies. To address these challenges, we conducted a comprehensive survey of CRSs-deployed tools as well as those discussed in academic literature-to systematize censorship resistance systems by their threat model and corresponding defenses. To this end, we first sketch a comprehensive attack model to set out the censor’s capabilities, coupled with discussion on the scope of censorship, and the dynamics that influence the censor’s decision. Next, we present an evaluation framework to systematize censorship resistance systems by their security, privacy, performance and deployability properties, and show how these systems map to the attack model. We do this for each of the functional phases that we identify for censorship resistance systems: communication establishment, which involves distribution and retrieval of information necessary for a client to join the censorship resistance system; and conversation, where actual exchange of information takes place. Our evaluation leads us to identify gaps in the literature, question the assumptions at play, and explore possible mitigations
Recommended from our members
Design and Implementation of Algorithms for Traffic Classification
Traffic analysis is the practice of using inherent characteristics of a network flow such as timings, sizes, and orderings of the packets to derive sensitive information about it. Traffic analysis techniques are used because of the extensive adoption of encryption and content-obfuscation mechanisms, making it impossible to infer any information about the flows by analyzing their content. In this thesis, we use traffic analysis to infer sensitive information for different objectives and different applications. Specifically, we investigate various applications: p2p cryptocurrencies, flow correlation, and messaging applications. Our goal is to tailor specific traffic analysis algorithms that best capture network traffic’s intrinsic characteristics in those applications for each of these applications. Also, the objective of traffic analysis is different for each of these applications. Specifically, in Bitcoin, our goal is to evaluate Bitcoin traffic’s resilience to blocking by powerful entities such as governments and ISPs. Bitcoin and similar cryptocurrencies play an important role in electronic commerce and other trust-based distributed systems because of their significant advantage over traditional currencies, including open access to global e-commerce. Therefore, it is essential to
the consumers and the industry to have reliable access to their Bitcoin assets. We also examine stepping stone attacks for flow correlation. A stepping stone is a host that an attacker uses to relay her traffic to hide her identity. We introduce two fingerprinting systems, TagIt and FINN. TagIt embeds a secret fingerprint into the flows by moving the packets to specific time intervals. However, FINN utilizes DNNs to embed the fingerprint by changing the inter-packet delays (IPDs) in the flow. In messaging applications, we analyze the WhatsApp messaging service to determine if traffic leaks any sensitive information such as members’ identity in a particular conversation to the adversaries who watch their encrypted traffic. These messaging applications’ privacy is essential because these services provide an environment to dis- cuss politically sensitive subjects, making them a target to government surveillance and censorship in totalitarian countries. We take two technical approaches to design our traffic analysis techniques. The increasing use of DNN-based classifiers inspires our first direction: we train DNN classifiers to perform some specific traffic analysis task. Our second approach is to inspect and model the shape of traffic in the target application and design a statistical classifier for the expected shape of traffic. DNN- based methods are useful when the network is complex, and the traffic’s underlying noise is not linear. Also, these models do not need a meticulous analysis to extract the features. However, deep learning techniques need a vast amount of training data to work well. Therefore, they are not beneficial when there is insufficient data avail- able to train a generalized model. On the other hand, statistical methods have the advantage that they do not have training overhead
Systematizing Decentralization and Privacy: Lessons from 15 Years of Research and Deployments
Decentralized systems are a subset of distributed systems where multiple
authorities control different components and no authority is fully trusted by
all. This implies that any component in a decentralized system is potentially
adversarial. We revise fifteen years of research on decentralization and
privacy, and provide an overview of key systems, as well as key insights for
designers of future systems. We show that decentralized designs can enhance
privacy, integrity, and availability but also require careful trade-offs in
terms of system complexity, properties provided, and degree of
decentralization. These trade-offs need to be understood and navigated by
designers. We argue that a combination of insights from cryptography,
distributed systems, and mechanism design, aligned with the development of
adequate incentives, are necessary to build scalable and successful
privacy-preserving decentralized systems
ToR K-Anonymity against deep learning watermarking attacks
It is known that totalitarian regimes often perform surveillance and censorship of their
communication networks. The Tor anonymity network allows users to browse the Internet
anonymously to circumvent censorship filters and possible prosecution. This has made
Tor an enticing target for state-level actors and cooperative state-level adversaries, with
privileged access to network traffic captured at the level of Autonomous Systems(ASs) or
Internet Exchange Points(IXPs).
This thesis studied the attack typologies involved, with a particular focus on traffic
correlation techniques for de-anonymization of Tor endpoints. Our goal was to design a
test-bench environment and tool, based on recently researched deep learning techniques
for traffic analysis, to evaluate the effectiveness of countermeasures provided by recent ap-
proaches that try to strengthen Tor’s anonymity protection. The targeted solution is based
on K-anonymity input covert channels organized as a pre-staged multipath network.
The research challenge was to design a test-bench environment and tool, to launch
active correlation attacks leveraging traffic flow correlation through the detection of in-
duced watermarks in Tor traffic. To de-anonymize Tor connection endpoints, our tool
analyses intrinsic time patterns of Tor synthetic egress traffic to detect flows with previ-
ously injected time-based watermarks.
With the obtained results and conclusions, we contributed to the evaluation of the
security guarantees that the targeted K-anonymity solution provides as a countermeasure
against de-anonymization attacks.Já foi extensamente observado que em vários paÃses governados por regimes totalitários
existe monitorização, e consequente censura, nos vários meios de comunicação utilizados.
O Tor permite aos seus utilizadores navegar pela internet com garantias de privacidade e
anonimato, de forma a evitar bloqueios, censura e processos legais impostos pela entidade
que governa. Estas propriedades tornaram a rede Tor um alvo de ataque para vários
governos e ações conjuntas de várias entidades, com acesso privilegiado a extensas zonas
da rede e vários pontos de acesso à mesma.
Esta tese realiza o estudo de tipologias de ataques que quebram o anonimato da rede
Tor, com especial foco em técnicas de correlação de tráfegos. O nosso objetivo é realizar
um ambiente de estudo e ferramenta, baseada em técnicas recentes de aprendizagem pro-
funda e injeção de marcas de água, para avaliar a eficácia de contramedidas recentemente
investigadas, que tentam fortalecer o anonimato da rede Tor. A contramedida que pre-
tendemos avaliar é baseada na criação de multi-circuitos encobertos, recorrendo a túneis
TLS de entrada, de forma a acoplar o tráfego de um grupo anonimo de K utilizadores. A
solução a ser desenvolvida deve lançar um ataque de correlação de tráfegos recorrendo a
técnicas ativas de indução de marcas de água. Esta ferramenta deve ser capaz de correla-
cionar tráfego sintético de saÃda de circuitos Tor, realizando a injeção de marcas de água Ã
entrada com o propósito de serem detetadas num segundo ponto de observação. Aplicada
a um cenário real, o propósito da ferramenta está enquadrado na quebra do anonimato
de serviços secretos fornecidos pela rede Tor, assim como os utilizadores dos mesmos.
Os resultados esperados irão contribuir para a avaliação da solução de anonimato de
K utilizadores mencionada, que é vista como contramedida para ataques de desanonimi-
zação
Practical Traffic Analysis Attacks on Secure Messaging Applications
Instant Messaging (IM) applications like Telegram, Signal, and WhatsApp have
become extremely popular in recent years. Unfortunately, such IM services have
been targets of continuous governmental surveillance and censorship, as these
services are home to public and private communication channels on socially and
politically sensitive topics. To protect their clients, popular IM services
deploy state-of-the-art encryption mechanisms. In this paper, we show that
despite the use of advanced encryption, popular IM applications leak sensitive
information about their clients to adversaries who merely monitor their
encrypted IM traffic, with no need for leveraging any software vulnerabilities
of IM applications. Specifically, we devise traffic analysis attacks that
enable an adversary to identify administrators as well as members of target IM
channels (e.g., forums) with high accuracies. We believe that our study
demonstrates a significant, real-world threat to the users of such services
given the increasing attempts by oppressive governments at cracking down
controversial IM channels.
We demonstrate the practicality of our traffic analysis attacks through
extensive experiments on real-world IM communications. We show that standard
countermeasure techniques such as adding cover traffic can degrade the
effectiveness of the attacks we introduce in this paper. We hope that our study
will encourage IM providers to integrate effective traffic obfuscation
countermeasures into their software. In the meantime, we have designed and
deployed an open-source, publicly available countermeasure system, called
IMProxy, that can be used by IM clients with no need for any support from IM
providers. We have demonstrated the effectiveness of IMProxy through
experiments
SoK: Making Sense of Censorship Resistance Systems
An increasing number of countries implement Internet censorship at different scales and for a variety of reasons. Several censorship resistance systems (CRSs) have emerged to help bypass such blocks. The diversity of the censor’s attack landscape has led to an arms race, leading to a dramatic speed of evolution of CRSs. The inherent complexity of CRSs and the breadth of work in this area makes it hard to contextualize the censor’s capabilities and censorship resistance strategies. To address these challenges, we conducted a comprehensive survey of CRSs-deployed tools as well as those discussed in academic literature-to systematize censorship resistance systems by their threat model and corresponding defenses. To this end, we first sketch a comprehensive attack model to set out the censor’s capabilities, coupled with discussion on the scope of censorship, and the dynamics that influence the censor’s decision. Next, we present an evaluation framework to systematize censorship resistance systems by their security, privacy, performance and deployability properties, and show how these systems map to the attack model. We do this for each of the functional phases that we identify for censorship resistance systems: communication establishment, which involves distribution and retrieval of information necessary for a client to join the censorship resistance system; and conversation, where actual exchange of information takes place. Our evaluation leads us to identify gaps in the literature, question the assumptions at play, and explore possible mitigations
Hardening Tor Hidden Services
Tor is an overlay anonymization network that provides anonymity for clients surfing the web but also allows hosting anonymous services called hidden services. These enable whistleblowers and political activists to express their opinion and resist censorship. Administrating a hidden service is not trivial and requires extensive knowledge because Tor uses a comprehensive protocol and relies on volunteers. Meanwhile, attackers can spend significant resources to decloak them. This thesis aims to improve the security of hidden services by providing practical guidelines and a theoretical architecture. First, vulnerabilities specific to hidden services are analyzed by conducting an academic literature review. To model realistic real-world attackers, court documents are analyzed to determine their procedures. Both literature reviews classify the identified vulnerabilities into general categories.
Afterward, a risk assessment process is introduced, and existing risks for hidden services and their operators are determined. The main contributions of this thesis are practical guidelines for hidden service operators and a theoretical architecture. The former provides operators with a good overview of practices to mitigate attacks. The latter is a comprehensive infrastructure that significantly increases the security of hidden services and alleviates problems in the Tor protocol. Afterward, limitations and the transfer into practice are analyzed. Finally, future research possibilities are determined