X-Vine: Secure and Pseudonymous Routing Using Social Networks

Prateek Mittal (Dept. of ECE, University of Illinois)
Matthew Caesar (Dept. of CS, University of Illinois)
Nikita Borisov (Dept. of ECE, University of Illinois)

arXiv:1109.0971v1 [cs.CR] 5 Sep 2011

ABSTRACT

Distributed hash tables suffer from several security and privacy vulnerabilities, including the problem of Sybil attacks. Existing social network-based solutions to mitigate the Sybil attacks in DHT routing have a high state requirement and do not provide an adequate level of privacy. For instance, such techniques require a user to reveal their social network contacts. We design X-Vine, a protection mechanism for distributed hash tables that operates entirely by communicating over social network links. As with traditional peer-to-peer systems, X-Vine provides robustness, scalability, and a platform for innovation. The use of social network links for communication helps protect participant privacy and adds a new dimension of trust absent from previous designs. X-Vine is resilient to denial of service via Sybil attacks, and in fact is the first Sybil defense that requires only a logarithmic amount of state per node, making it suitable for large-scale and dynamic settings. X-Vine also helps protect the privacy of users' social network contacts and keeps their IP addresses hidden from those outside of their social circle, providing a basis for pseudonymous communication. We first evaluate our design with analysis and simulations, using several real world large-scale social networking topologies. We show that the constraints of X-Vine allow the insertion of only a logarithmic number of Sybil identities per attack edge; we show this mitigates the impact of malicious attacks while not affecting the performance of honest nodes. Moreover, our algorithms are efficient, maintain low stretch, and avoid hot spots in the network. We validate our design with a PlanetLab implementation and a Facebook plugin.

1. INTRODUCTION

Peer-to-peer (P2P) networks have, in a short time, revolutionized communication on the Internet. One key feature of P2P networks is their ability to scale to millions of users without requiring any centralized infrastructure support. The best scalability and performance is offered by multi-hop distributed hash tables (DHTs), which offer a structured approach to organizing peers [33,48,52,55]. Multi-hop DHTs are the subject of much research and are also used in several mainstream systems [2,7,23].

Securing DHTs has always been a challenging task [14,53,59], especially in the face of a Sybil attack [20], where one node can pretend to have multiple identities and thus interfere with routing operations. Traditional solutions to this attack require participants to obtain certificates [14], prove possession of a unique IP address [39,42], or perform some computation [11]. This creates a barrier to participation, limiting the growth of the P2P user base, and at the same time does not fully address the problem of Sybil attacks.

To address this, recent research proposes to use social network trust relationships to mitigate Sybil attacks [19,64,65]. However, these systems share some key shortcomings:

High control overhead: These systems rely on flooding or large numbers of repeated lookups to maintain state. For example, Whanau [30] is the state-of-the-art design that secures routing in DHTs, but it is built upon a one-hop DHT routing mechanism, and has high overheads: state and control overhead increases with O(√n log n), where n is the number of participants in the social network. As networked systems become increasingly deployed at scale (e.g., in the wide area, across service providers), in high-churn environments (e.g., in developing regions, wireless, mobile social networks [36]), and for applications with stronger demands on correctness and availability (e.g., online storage, content voting, reputation systems) the problem of high overhead in existing works stands to become increasingly serious; multi-hop DHT routing mechanisms are going to be necessary.

Lack of privacy: These systems require a user to reveal social contact information (friend lists). Some of these schemes require global distribution of this contact information. This is unfortunate, as social contacts are considered to be private information: leading real-world systems like Facebook [3] and LiveJournal [4] provide users with a functionality to limit access to this information. Forcing users to reveal this private information could greatly hinder the adoption of these technologies.

A second privacy concern, common to both traditional DHTs and ones that use social networking information, is that users must communicate directly with random peers, revealing their IP addresses. This provides an opportunity for the attacker to perform traffic analysis and compromise user privacy [9,31]. Prior work [38,61] has demonstrated that a colluding adversary can associate a DHT lookup with its lookup initiator, and thus infer the activities of a user. A pseudonymous routing mechanism can defend against such attacks, and would be especially beneficial for privacy sensitive DHT applications [17,39].

To address these shortcomings, we propose X-Vine, a protection mechanism for large-scale distributed systems that leverages social network trust relationships. X-Vine has several unique properties. X-Vine protects privacy of social relationships, by ensuring that a user's relationship information is revealed only to the user's immediate friends. At the same time, X-Vine also protects correctness of DHT routing, by mitigating Sybil attacks while requiring only logarithmic state and control overhead. To the best of our knowledge, X-Vine is the first system to provide both properties, which may serve to make it a useful building block in constructing the next generation of social network based distributed systems. Finally, X-Vine also provides a basis for pseudonymous communication; a user's IP address is revealed only to his/her trusted social network contacts.

X-Vine achieves these properties by incorporating social network trust relationships in the DHT design. Unlike traditional DHTs, which route directly between overlay participants (e.g., [30]), X-Vine embeds the DHT directly into the social fabric, allowing communication through the DHT to leverage trust relationships implied by social network links. This is done by using mechanisms similar to network layer DHTs like VRR [12]. We leverage this structure for two purposes. First, communication in X-Vine is carried out entirely across social-network links. The use of social network links enables pseudonymous communication; while the recipient may know the opaque identifier (pseudonym) for the source, the IP address of the source is revealed only to his/her friends. Second, recent work has shown that social networks can be used to detect Sybil attacks by identifying a bottleneck cut that connects the Sybil identities to the rest of the network [19,64,65]. X-Vine enables comparable Sybil resilience by bounding the number of DHT relationships that can traverse a particular edge. With this multi-hop approach, we can limit the number of Sybil identities per attack edge (attack edges illustrated in Figure 1) to logarithmic in the size of the network with logarithmic control and routing state, a dramatic reduction from previous Sybil defense approaches. This allows X-Vine to scale to large user bases and high-churn environments.

We evaluate X-Vine both analytically and experimentally using large scale real-world social network topologies. Since recent work [58,62] has advocated the use of interaction networks as a more secure realization of social trust, we also demonstrate the performance of X-Vine on interaction graphs. From our evaluation, we find that X-Vine is able to route using 10–15 hops (comparable to other DHTs) in topologies with 100 000 nodes while using only O(log n) routing state. In particular, we show that the overhead of X-Vine is two orders of magnitude smaller than Whanau. With respect to Sybil resistance, we found that honest nodes are

these networks.

  • Applications like Coral [23], Adeona [50], and Vanish [25] are built on top of DHTs. The security properties of these applications can often be compromised by exploiting vulnerabilities in the DHT. As an example, the security of Vanish was recently compromised by a low-cost Sybil attack on the Vuze network [63]. Our proposed techniques protect these applications by bounding the number of Sybil identities in the DHT.
  • Decentralized P2P anonymous communication systems like Tarzan [24], Salsa [42] and ShadowWalker [39] assume an external Sybil defense mechanism. X-Vine is particularly suitable for designing Sybil-resilient P2P anonymous communication systems, since it provides secure as well as pseudonymous routing.
  • Freenet [17] is a widely used censorship resistant overlay network, but its routing algorithm has been shown to be extremely vulnerable in presence of even a few malicious nodes [21]. X-Vine can enable peers to resist censorship by securely and pseudonymously retrieving data objects from the Freenet network.
  • Membership concealing overlay networks (MCONs) [57] hide the identities of the peers participating in a network (different from pseudonymity). Our proposed techniques can provide a substrate for designing fully decentralized membership concealing networks.

Roadmap: The rest of the paper describes and evaluates X-Vine. We start by giving a high-level overview of the problem we address and our approach (Section 2), followed by a detailed description of our routing algorithm (Section 3) and its security mechanisms (Section 4). We then describe our experimental results (Section 5). Finally, we summarize related work (Section 6), discuss X-Vine's limitations (Section 7), and conclude (Section 8).

2. X-VINE OVERVIEW

2.1 Design Goals

We start by defining the goals for our design.
