How Unique is Your .onion? An Analysis of the Fingerprintability of Tor Onion Services

Recent studies have shown that Tor onion (hidden) service websites are particularly vulnerable to website fingerprinting attacks due to their limited number and sensitive nature. In this work we present a multi-level feature analysis of onion site fingerprintability, considering three state-of-the-art website fingerprinting methods and 482 Tor onion services, making this the largest analysis of this kind completed on onion services to date. Prior studies typically report average performance results for a given website fingerprinting method or countermeasure. We investigate which sites are more or less vulnerable to fingerprinting and which features make them so. We find that there is a high variability in the rate at which sites are classified (and misclassified) by these attacks, implying that average performance figures may not be informative of the risks that website fingerprinting attacks pose to particular sites. We analyze the features exploited by the different website fingerprinting methods and discuss what makes onion service sites more or less easily identifiable, both in terms of their traffic traces as well as their webpage design. We study misclassifications to understand how onion service sites can be redesigned to be less vulnerable to website fingerprinting attacks. Our results also inform the design of website fingerprinting countermeasures and their evaluation considering disparate impact across sites.Comment: Accepted by ACM CCS 201

Defense Implementation for Website Fingerprinting Attacks on Nginx Web Server

Η επίθεση Website Fingerprinting δίνει σε κάποιον παθητικό επιτιθέμενο την δυνατότητα να ξέρει ποιους ιστοτόπους επισκέπτεται κάποιος πελάτης, ακόμα και όταν τα πακέτα που ανταλλάσσονται μεταξύ του πελάτη και του ιστοτόπου είναι κρυπτογραφημένα. Αυτό είναι δυνατό μέσω της ανάλυσης της διαδικτυακής κίνησης μεταξύ αυτών των δύο, και της εξαγωγής μοτίβων δικτύου που είναι μοναδικά για κάθε ιστότοπο. Για αυτό το είδος επίθεσης, υλοποιούμε μια άμυνα επιπέδου εφαρμογής που ονομάζεται ALPaCA (Application Layer Padding Concerns Adversaries), όπως προτάθηκε από τους Giovanni Cherubin, Jamie Hayes, και Marc Juarez. Υλοποιούμε το ALPaCA σαν βιβλιοθήκη της Rust και αναπτύσσουμε ένα module του web server Nginx το οποίο χρησιμοποιεί το ALPaCA για να προστατεύσει τους ιστοτόπους για τους οποίους είναι ενεργοποιημένο. Στην πτυχιακή αυτή, υλοποιούμε την πρώτη άμυνα για Website Fingerprinting επιθέσεις που μπορεί να χρησιμοποιηθεί σε web server. Ο σκοπός της άμυνας είναι να μειώσει την ακρίβεια πρόβλεψης του επιτιθέμενου όσο αφορά τον ιστότοπο που επισκέπτεται ο πελάτης, τροποποιώντας την διαδικτυακή κίνηση, και συγκεκριμένα τα πακέτα από τον server του ιστότοπου προς τον πελάτη. Ο κώδικας της πτυχιακής βρίσκεται στους ακόλουθους συνδέσμους: https://github.com/PanosKokk/ngx_http_alpaca_module https://github.com/PanosKokk/libalpacaWebsite Fingerprinting attack gives a passive adversary the ability to know which sites a client visits, even when the packages that are being exchanged between the client and the site are encrypted. This is possible by analyzing the network traffic between those two, and extracting network patterns that are unique to each site. For this kind of attacks, we implement an application-level defense called ALPaCA (Application Layer Padding Concerns Adversaries), as proposed by Giovanni Cherubin, Jamie Hayes, and Marc Juarez. We implement ALPaCA as a Rust library, and develop an Nginx module which uses ALPaCA to protect the sites for which it is enabled. In this thesis, we implement the first Website fingerprinting defense which can be used on a web server. The defense’s purpose is to lower the adversary’s predictive accuracy as of which site the client visits, by altering the network traffic, and specifically the packages from the site’s server towards the client. The code of this thesis can be found at the following links: https://github.com/PanosKokk/ngx_http_alpaca_module https://github.com/PanosKokk/libalpac

Modelización del protocolo Tor y extracción de características de servicios ocultos

Tor (The Onion Router) garantiza el anonimato y la privacidad de sus usuarios durante la navegación por Internet, mediante el establecimiento de circuitos virtuales entre los diferentes nodos integrantes de la red Tor. Además, Tor permite que los usuarios publiquen páginas web que son únicamente alcanzables a través de la propia red Tor,quedando entonces no accesibles desde la red de Internet convencional. Estos sitios se conocen como servicios ocultos de la red Tor, o sitios de la dark web. Su peculiaridad radica en que no funcionan a través de un sistema de resolución de nombres clásico como los servicios de Internet (a través de DNS), por lo que la dirección IP del servidor que los aloja es desconocida. El trabajo realizado en este proyecto se dividen en dos partes. En primer lugar, se ha realizado la modelización y formalización del funcionamiento de la red Tor, así como los protocolos que utiliza (o protocolo Tor, por simplificar). Mediante diagramas de secuencia y actividad UML, se describen qué participantes existen en la red Tor, cómo es la comunicación y cómo es el comportamiento de cada uno de los participantes. Estos modelos servirán para entender desde un punto de vista más abstracto el funcionamiento del protocolo y además ayudarán a una futura verificación formal del protocolo de la red Tor. La segunda parte trata sobre la extracción de características de los servicios ocultos. Para ello se ha desarrollado una herramienta para la obtención de direcciones de servicios ocultos y la extracción de información de los mismos a través de estas direcciones. Esta herramienta pretende ser de utilidad para las Fuerzas y Cuerpos de Seguridad del Estado. La información recopilada de estos servicios ocultos se ha estudiado con el objetivo de encontrar características que lleven a la desanonimización del servicio oculto (es decir, que ayuden a localizar la dirección IP). Para ello, se han utilizado concretamente los metadatos suministrados por las cabeceras HTTP y los certificados digitales obtenidos a través del establecimiento de una conexión HTTPS. Estos metadatos se han contrastado con un motor de búsqueda de servicios en Internet, que contiene información de cualquier dirección IPv4 alcanzable en Internet. Los resultados obtenidos muestran que en un número importante de casos se han acotado los dispositivos que pueden estar relacionados con cada servicio oculto, llegando incluso a su desanonimización directa. Sobre la categorización de servicios ocultos, se han encontrado algunos relacionados con actividades ilegítimas

Information Leakage Measurement and Prevention in Anonymous Traffic

University of Minnesota Ph.D. dissertation. June 2019. Major: Computer Science. Advisor: Nick Hopper. 1 computer file (PDF); viii, 76 pages.The pervasive Internet surveillance and the wide-deployment of Internet censors lead to the need for making traffic anonymous. However, recent studies demonstrate the information leakage in anonymous traffic that can be used to de-anonymize Internet users. This thesis focuses on how to measure and prevent such information leakage in anonymous traffic. Choosing Tor anonymous networks as the target, the first part of this thesis conducts the first large-scale information leakage measurement in anonymous traffic and discovers that the popular practice of validating WF defenses by accuracy alone is flawed. We make this measurement possible by designing and implementing our website fingerprint density estimation (WeFDE) framework. The second part of this thesis focuses on preventing such information leakage. Specifically, we design two anti-censorship systems which are able to survive traffic analysis and provide unblocked online video watching and social networking

Towards More Effective Traffic Analysis in the Tor Network.

University of Minnesota Ph.D. dissertation. February 2021. Major: Computer Science. Advisor: Nicholas Hopper. 1 computer file (PDF); xiii, 161 pages.Tor is perhaps the most well-known anonymous network, used by millions of daily users to hide their sensitive internet activities from servers, ISPs, and potentially, nation-state adversaries. Tor provides low-latency anonymity by routing traffic through a series of relays using layered encryption to prevent any single entity from learning the source and destination of a connection through the content alone. Nevertheless, in low-latency anonymity networks, the timing and volume of traffic sent between the network and end systems (clients and servers) can be used for traffic analysis. For example, recent work applying traffic analysis to Tor has focused on website fingerprinting, which can allow an attacker to identify which website a client has downloaded based on the traffic between the client and the entry relay. Along with website fingerprinting, end-to-end flow correlation attacks have been recognized as the core traffic analysis in Tor. This attack assumes that an adversary observes traffic flows entering the network (Tor flow) and leaving the network (exit flow) and attempts to correlate these flows by pairing each user with a likely destination. The research in this thesis explores the extent to which the traffic analysis technique can be applied to more sophisticated fingerprinting scenarios using state-of-the-art machine-learning algorithms and deep learning techniques. The thesis breaks down four research problems. First, the applicability of machine-learning-based website fingerprinting is examined to a search query keyword fingerprinting and improve the applicability by discovering new features. Second, a variety of fingerprinting applications are introduced using deep-learning-based website fingerprinting. Third, the work presents data-limited fingerprinting by leveraging a generative deep-learning technique called a generative adversarial network that can be optimized in scenarios with limited amounts of training data. Lastly, a novel deep-learning architecture and training strategy are proposed to extract features of highly correlated Tor and exit flow pairs, which will reduce the number of false positives between pairs of flows