Dropping on the Edge: Flexibility and Dropping on the Edge: - - PowerPoint PPT Presentation

dropping on the edge flexibility and dropping on the edge
SMART_READER_LITE
LIVE PREVIEW

Dropping on the Edge: Flexibility and Dropping on the Edge: - - PowerPoint PPT Presentation

Dec 03, 2023 350 likes •576 views

7/25/2019 PoPET s18 Dropping on the Edge: Flexibility and Dropping on the Edge: Flexibility and Trac Conrmation in Onion Routing Trac Conrmation in Onion Routing Protocols Protocols Florentin Rochet and Olivier Pereira

slide-1
SLIDE 1

7/25/2019 PoPET s18 file:///export/home/frochet/Documents/T

  • r/pets18-slides/index.html?print-pdf

1/21

Dropping on the Edge: Flexibility and Dropping on the Edge: Flexibility and Trac Conrmation in Onion Routing Trac Conrmation in Onion Routing Protocols Protocols

Florentin Rochet and Olivier Pereira Florentin Rochet and Olivier Pereira

UCLouvain Crypto Group, Belgium

1

Florentin R. - Dropping on the Edge: Flexibility and Trac Conrmation in Onion Routing Protocols - 25th Jul 2019

slide-2
SLIDE 2

7/25/2019 PoPET s18 file:///export/home/frochet/Documents/T

  • r/pets18-slides/index.html?print-pdf

2/21

Overview Overview

2

Florentin R. - Dropping on the Edge: Flexibility and Trac Conrmation in Onion Routing Protocols - 25th Jul 2019

slide-3
SLIDE 3

7/25/2019 PoPET s18 file:///export/home/frochet/Documents/T

  • r/pets18-slides/index.html?print-pdf

3/21

Overview Overview

3

Florentin R. - Dropping on the Edge: Flexibility and Trac Conrmation in Onion Routing Protocols - 25th Jul 2019

slide-4
SLIDE 4

7/25/2019 PoPET s18 file:///export/home/frochet/Documents/T

  • r/pets18-slides/index.html?print-pdf

4/21

Overview Overview

4

Florentin R. - Dropping on the Edge: Flexibility and Trac Conrmation in Onion Routing Protocols - 25th Jul 2019

slide-5
SLIDE 5

7/25/2019 PoPET s18 file:///export/home/frochet/Documents/T

  • r/pets18-slides/index.html?print-pdf

5/21

Architectural Principle of the Internet Architectural Principle of the Internet

Robustness principle (among others): Can lead to strong attacks in deployed anonymity systems Be conservative in what you do, be liberal in what you accept from others. , , [RFC761] [RFC1122] [RFC1958]

5

Florentin R. - Dropping on the Edge: Flexibility and Trac Conrmation in Onion Routing Protocols - 25th Jul 2019

slide-6
SLIDE 6

7/25/2019 PoPET s18 file:///export/home/frochet/Documents/T

  • r/pets18-slides/index.html?print-pdf

6/21

Allows compliance to future version of the protocol.

Forward compatibility Forward compatibility

static int connection_edge_process_relay_cell(cell_t *cell, ...) { ... switch(rh.command) { case RELAY_COMMAND_DROP: return 0; // do nothing. ... case RELAY_COMMAND_DATA: //process data ... return 0; ... } log_fn(LOG_PROTOCOL_WARN, LD_PROTOCOL, "Unrecognized command %d", rh.command); return 0; /* for forward compatibility, don't kill the circuit */ }

6

Florentin R. - Dropping on the Edge: Flexibility and Trac Conrmation in Onion Routing Protocols - 25th Jul 2019

slide-7
SLIDE 7

7/25/2019 PoPET s18 file:///export/home/frochet/Documents/T

  • r/pets18-slides/index.html?print-pdf

7/21

  • 1. Guard Discovery Attack

Uses forward compatibility, a path selection trick and a side-channel

  • 2. Dropmark attack

An active trafc conrmation attack with interesting properties

Outline Outline

7

Florentin R. - Dropping on the Edge: Flexibility and Trac Conrmation in Onion Routing Protocols - 25th Jul 2019

slide-8
SLIDE 8

7/25/2019 PoPET s18 file:///export/home/frochet/Documents/T

  • r/pets18-slides/index.html?print-pdf

8/21

Guard discovery Guard discovery

Combines a path selection trick, forward compatibility and a side-channel.

8

Florentin R. - Dropping on the Edge: Flexibility and Trac Conrmation in Onion Routing Protocols - 25th Jul 2019

slide-9
SLIDE 9

7/25/2019 PoPET s18 file:///export/home/frochet/Documents/T

  • r/pets18-slides/index.html?print-pdf

9/21

Guard discovery Guard discovery

The public report of bandwidth consumption acts as a side-channel What is the probability of success in the wild?

9

Florentin R. - Dropping on the Edge: Flexibility and Trac Conrmation in Onion Routing Protocols - 25th Jul 2019

slide-10
SLIDE 10

7/25/2019 PoPET s18 file:///export/home/frochet/Documents/T

  • r/pets18-slides/index.html?print-pdf

10/21

Consumed bandwidth of the targeted guard is always higher during the attack Silently dropped trafc strengthens this assumption Less variance in public measurements during the attack Graceful behaviour of the relay Graceful behaviour of the relay operator Given those assumptions, we can use the history of the network to evaluate the attack

Assumptions Assumptions

10

Florentin R. - Dropping on the Edge: Flexibility and Trac Conrmation in Onion Routing Protocols - 25th Jul 2019

slide-11
SLIDE 11

7/25/2019 PoPET s18 file:///export/home/frochet/Documents/T

  • r/pets18-slides/index.html?print-pdf

11/21

Onion Service's BW << Guard's BW

Let's investigate dierent situations Let's investigate dierent situations

11

Florentin R. - Dropping on the Edge: Flexibility and Trac Conrmation in Onion Routing Protocols - 25th Jul 2019

slide-12
SLIDE 12

7/25/2019 PoPET s18 file:///export/home/frochet/Documents/T

  • r/pets18-slides/index.html?print-pdf

12/21

One day guard discovery attack with a bug exploit We ll the memory of the guard relay Can trigger easily the OOM algorithm which generates a counter bug (public information)

Figure: Chutney experiment triggering the OOM killer algorithm of the onion service's guard

Triggering the OOM killer algorithm Triggering the OOM killer algorithm

12

Florentin R. - Dropping on the Edge: Flexibility and Trac Conrmation in Onion Routing Protocols - 25th Jul 2019

slide-13
SLIDE 13

7/25/2019 PoPET s18 file:///export/home/frochet/Documents/T

  • r/pets18-slides/index.html?print-pdf

13/21

Onion Service's BW >> Guard's BW

Let's investigate dierent situations Let's investigate dierent situations

13

Florentin R. - Dropping on the Edge: Flexibility and Trac Conrmation in Onion Routing Protocols - 25th Jul 2019

slide-14
SLIDE 14

7/25/2019 PoPET s18 file:///export/home/frochet/Documents/T

  • r/pets18-slides/index.html?print-pdf

14/21

Evaluation Evaluation

14

Florentin R. - Dropping on the Edge: Flexibility and Trac Conrmation in Onion Routing Protocols - 25th Jul 2019

slide-15
SLIDE 15

7/25/2019 PoPET s18 file:///export/home/frochet/Documents/T

  • r/pets18-slides/index.html?print-pdf

15/21

Evaluation Evaluation

Evaluating spare resources of guards The attack would be innecient if the Onion service guard is already overloaded

15

Florentin R. - Dropping on the Edge: Flexibility and Trac Conrmation in Onion Routing Protocols - 25th Jul 2019

slide-16
SLIDE 16

7/25/2019 PoPET s18 file:///export/home/frochet/Documents/T

  • r/pets18-slides/index.html?print-pdf

16/21

With the assumption that the counter exploit is xed success rate to retrieve only one (correct) guard in a few days, against a few MB/s

  • nion service

This attack cost less than a sandwich

Evaluation Evaluation

≈ 96%

16

Florentin R. - Dropping on the Edge: Flexibility and Trac Conrmation in Onion Routing Protocols - 25th Jul 2019

slide-17
SLIDE 17

7/25/2019 PoPET s18 file:///export/home/frochet/Documents/T

  • r/pets18-slides/index.html?print-pdf

17/21

Countermeasures Countermeasures

Multiple suggestions to counter the guard discovery The Tor Project chose to perform a volume analysis, and to increase the bandwidth reporting interval Onion service operators: decreasing the available bandwidth reduces the risk (once the counter exploit is solved) See for mitigations @mikeperry-tor/vanguards on GitHub

17

Florentin R. - Dropping on the Edge: Flexibility and Trac Conrmation in Onion Routing Protocols - 25th Jul 2019

slide-18
SLIDE 18

7/25/2019 PoPET s18 file:///export/home/frochet/Documents/T

  • r/pets18-slides/index.html?print-pdf

18/21

  • 1. Guard Discovery Attack

Uses forward compatibility, a path selection trick and a side-channel

  • 2. Dropmark attack

An active trafc conrmation attack with interesting properties

Outline Outline

18

Florentin R. - Dropping on the Edge: Flexibility and Trac Conrmation in Onion Routing Protocols - 25th Jul 2019

slide-19
SLIDE 19

7/25/2019 PoPET s18 file:///export/home/frochet/Documents/T

  • r/pets18-slides/index.html?print-pdf

19/21

Dropmark attack Dropmark attack

Active end-to-end correlation attack with interesting properties Does not need the victim to transfer any packet to succeed The application level trafc does not inuence the success rate Uses forward compatibility and a side-channel Assumes colluding exit and guard (or network observer on client-guard) Implemented and tested in Shadow with TPR and FPR Can be applied in many different scenarios

≈ 99.86% ≈ 0.03%

19

Florentin R. - Dropping on the Edge: Flexibility and Trac Conrmation in Onion Routing Protocols - 25th Jul 2019

slide-20
SLIDE 20

7/25/2019 PoPET s18 file:///export/home/frochet/Documents/T

  • r/pets18-slides/index.html?print-pdf

20/21

Dropmark attack Dropmark attack

20

Florentin R. - Dropping on the Edge: Flexibility and Trac Conrmation in Onion Routing Protocols - 25th Jul 2019

slide-21
SLIDE 21

7/25/2019 PoPET s18 file:///export/home/frochet/Documents/T

  • r/pets18-slides/index.html?print-pdf

21/21

Contributions/Conclusion Contributions/Conclusion

Contributions: Identication of potential weaknesses resulting from Tor's forward compatibility New guard discovery attack New trafc conrmation attack with intriguing properties Many more attacks out there to hunt ... Implementations and tutorial to reproduce our results available on GitHub Discussion Removing forward compatibility? Complicates the integration on novel ideas May reduce the Tor network diversity or slow down deployment of new versions Increases code complexity May not solve the problem ...

21

Florentin R. - Dropping on the Edge: Flexibility and Trac Conrmation in Onion Routing Protocols - 25th Jul 2019