Privacy and Performance Trade-offs in Anonymous Communication Networks A DISSERTATION SUBMITTED TO THE FACULTY OF THE GRADUATE SCHOOL OF THE UNIVERSITY OF MINNESOTA BY John D. Geddes IN PARTIAL FULFILLMENT OF THE REQUIREMENTS FOR THE DEGREE OF Doctor of Philosophy Nicholas J. Hopper February, 2017 c John D. Geddes 2017 ALL RIGHTS RESERVED Acknowledgements There are a great many people who I owe a debt of gratitude for their support during this dissertation. First and foremost is my advisor Nick Hopper, who not only helped contribute and shape this work, but provided endless guidance and encouragement from start to finish. I would like to thank all my collaborators and co-authors { Rob Jansen, Max Schuchard, and Mike Schliep. Your input and contributions have been paramount to getting me here, and this work is undeniabley better off because of it. Additionally I want to thank everyone I have had the great pleasure to work with during my tenure in graduate school { Shuai Li, Zi Lin, Yongdae Kim, Denis Foo Kune, Aziz Mohaisen, Se Eun Oh, Micah Sherr, Paul Syverson, Chris Thompson, and Chris Wacek. I would like to thank my other committee members { Stephen McCamant, Andrew Odlyzko, and Jon Weissman { for their comments and time volunteered during this process. I would especially like to thank my parents and brother who have been there since the beginning. Never in a million years could I have accomplished this without your continous support and encouragement. And last but certainly not least, I thank my best friend and wife, Dominique. This work would not exist without you and your never ending support. No matter the chal- lenges or difficulties faced, you stood by me and helped me through it all. i Dedication To Dominique, who has always been there for me, even through the never ending \just one more year of grad school". ii Abstract Anonymous communication systems attempt to prevent adversarial eavesdroppers from learning the identities of any two parties communicating with each other. In or- der to protect from global adversaries, such as nation states and large internet service providers, systems need to induce large amounts of latency in order to sufficiently pro- tect users identities. Other systems sacrifice protection against global adversaries in order to provide low latency service to their clients. This makes the system usable for latency sensitive applications like web browsing. In turn, more users participate in the low latency system, increasing the anonymity set for everybody. These trade-offs on performance and anonymity provided are inherent in anonymous communication systems. In this dissertation we examine these types of trade-offs in Tor, the most popular low latency anonymous communication system in use today. First we look at how user anonymity is affected by mechanisms built into Tor for the purpose of increasing client performance. To this end we introduce an induced throttling attack against flow control and traffic admission control algorithms which allow an adversarial relay to reduce the anonymity set of a client using the adversary as an exit. Second we examine how connections are managed for inter-relay communication and look at some recent proposals for more efficient relay communication. We show how some of these can be abused to anonymously launch a low resource denial of service attack against target relays. With this we then explore two potential solutions which provide more efficient relay communication along with preventing certain denial of service attacks. Finally, we introduce a circuit selection algorithm that can be used by a centralized authority to dramatically increase network utilization. This algorithm is then adapted to work in a decentralized manner allowing clients to make smarter decisions locally, increasing performance while having a small impact on client anonymity. iii Contents Acknowledgementsi Dedication ii Abstract iii List of Tables viii List of Figures ix 1 Introduction1 1.1 Thesis Statement...............................3 1.2 Outline....................................4 2 Background6 2.1 The Tor Anonymous Communication Network..............7 2.2 Circuits....................................7 2.3 Streams....................................8 2.4 Relay Architecture..............................9 2.5 Inter-Relay Communication......................... 10 2.6 Flow Control................................. 10 3 Related Work 11 3.1 Increasing Performance........................... 12 3.1.1 Scheduling.............................. 12 3.1.2 Selection............................... 13 iv 3.1.3 Transport............................... 14 3.1.4 Incentives............................... 15 3.2 Security and Privacy............................. 15 3.2.1 Path Selection and Routing Attacks................ 15 3.2.2 Side Channel and Congestion Attacks............... 16 3.3 Experimentation............................... 17 4 Experimental Setup 19 4.1 Shadow and Network Topologies...................... 20 4.2 Performance Metrics............................. 21 4.3 Adversarial Model.............................. 22 5 How Low Can You Go: Balancing Performance with Anonymity in Tor 25 5.1 Introduction.................................. 26 5.2 Background.................................. 27 5.2.1 Circuit Scheduling.......................... 27 5.2.2 Flow Control............................. 27 5.2.3 Traffic Admission Control...................... 28 5.2.4 Circuit Clogging........................... 29 5.2.5 Fingerprinting............................ 29 5.3 Methodology................................. 30 5.3.1 Algorithmic-Specific Information Leakage............. 30 5.3.2 Experimental Setup and Model................... 32 5.4 Algorithmic Effects on Known Attacks................... 32 5.4.1 Throughput as a Signal....................... 32 5.4.2 Latency as a Signal.......................... 36 5.5 Induced Throttling via Flow Control.................... 37 5.5.1 Artificial Congestion......................... 37 5.5.2 Small Scale Experiment....................... 40 5.5.3 Smoothing Throughput....................... 41 5.5.4 Scoring Algorithm.......................... 42 5.5.5 Large Scale Experiments....................... 43 v 5.6 Induced Throttling via Traffic Admission Control............. 45 5.6.1 Connection Sybils.......................... 45 5.6.2 Large Scale Experiments....................... 49 5.6.3 Search Extensions.......................... 49 5.7 Analysis.................................... 51 5.8 Conclusion.................................. 54 6 Managing Tor Connections for Inter-Relay Communication 57 6.1 Introduction.................................. 58 6.2 Background.................................. 60 6.3 Socket Exhaustion Attacks......................... 61 6.3.1 Sockets in Tor............................ 61 6.3.2 Attack Strategies........................... 62 6.3.3 Effects of Socket Exhaustion.................... 64 6.4 IMUX..................................... 68 6.4.1 Connection Management...................... 68 6.4.2 Connection Scheduler........................ 71 6.4.3 KIST: Kernel-Informed Socket Transport............. 73 6.5 Evaluation................................... 74 6.5.1 Experimental Setup......................... 74 6.5.2 Implementations........................... 75 6.5.3 Connection Management...................... 76 6.5.4 Performance............................. 78 6.6 Replacing TCP................................ 82 6.6.1 Micro Transport Protocol...................... 82 6.6.2 xTCP................................. 84 6.6.3 Experimental Setup......................... 86 6.6.4 Performance............................. 86 6.7 Discussion................................... 87 6.8 Conclusion.................................. 89 7 Anarchy in Tor: Performance Cost of Decentralization 91 7.1 Introduction.................................. 92 vi 7.2 Background.................................. 92 7.3 Maximizing Network Usage......................... 93 7.3.1 Central Authority.......................... 93 7.3.2 Offline Algorithm........................... 97 7.3.3 Circuit Sets.............................. 98 7.4 ABRA for Circuit Selection......................... 100 7.5 Experimental Setup............................. 102 7.5.1 Shadow................................ 102 7.5.2 Implementations........................... 103 7.5.3 Consistency.............................. 105 7.6 Performance.................................. 105 7.6.1 Competitive Analysis........................ 105 7.6.2 ABRA Parameters.......................... 106 7.6.3 ABRA Performance......................... 108 7.7 Privacy Analysis............................... 110 7.7.1 Information Leakage......................... 110 7.7.2 Colluding Relays Lying....................... 112 7.7.3 Denial of Service........................... 114 7.8 Conclusion.................................. 116 8 Future Work and Final Remarks 118 8.1 Future Work................................. 119 8.1.1 Tor Transports............................ 119 8.1.2 Simulation Accuracy......................... 120 8.2 Final Remarks................................ 120 References 122 vii List of Tables 6.1 Functions that xTCP needs to intercept and how xTCP must handle them. 85 7.1 The bottleneck clustering methods mean square error across varying bandwidth granularity and window parameters, with red values indicat- ing scores less than weighted random estimator............... 106 viii List of Figures 2.1 Tor client encrypting a cell, sending it on the circuit, and
Details
-
File Typepdf
-
Upload Time-
-
Content LanguagesEnglish
-
Upload UserAnonymous/Not logged-in
-
File Pages146 Page
-
File Size-