Measuring and Mitigating AS-level Adversaries Against Tor Oleksii - - PowerPoint PPT Presentation

▶

Feb 21, 2024 472 likes •592 views

Measuring and Mitigating AS-level Adversaries Against Tor Oleksii Adva Phillipa Michael Starov Zair Gill Schapira Rishab Nithyanand Network-level Traffic Correlation Attacks Internet rou,ng is asymmetric. Source -> Entry != Entry

SLIDE 1

Measuring and Mitigating AS-level Adversaries Against Tor

Rishab Nithyanand Oleksii Starov Phillipa Gill Michael Schapira Adva Zair

SLIDE 2

Network-level Traffic Correlation Attacks

Source Entry Exit

AS Router

Des0na0on Internet rou,ng is asymmetric. Source -> Entry != Entry -> Source RAPTOR (USENIX Security 2015): Any AS on (Source à Entry OR Entry à Source) AND (Exit à Dest OR Dest à Exit) is in a posi,on to launch a traffic correla,on aMack

SLIDE 3

Measuring Network-level Adversaries

Goal: Quan,fy the threat from network-level adversaries Approach: Iden,fy ASes on A, B, C, and D

ADV ={(𝐵 ∪𝐶) ∩(𝐷 ∪𝐸)}

Challenge: Traceroutes only let us obtain A

Source Des0na0on Entry Exit

A C B D

SLIDE 4

Measuring Network-level Adversaries

Our Approach: Spherical cows!

Make assump,ons about Internet rou,ng.
Obtain approximate AS-level paths.

Approxima0ng ASes on a path (offline):

AS Topology: 36K ASes + 126K rela,onships
Use inter-AS rela,onships (customer, peer,

provider) to decide whether an AS will route via another

Rou,ng through customers > peers > providers, then

prefer shortest paths

If there are mul,ple op,ons, we consider all of them
(see paper for valida,on)

SLIDE 5

Measuring Network-level Adversaries

10 Countries: BR, CN, DE, ES, FR, GB, IR, IT, RU, US 200 websites/country: Local Alexa T-100 + 100 Ci,zen Lab sensi,ve pages Adversaries: Network-level, colluding network-level (see paper), and state-level

SLIDE 6

Measuring Network-level Adversaries

20 40 60 80 100 BR CN DE ES FR GB IR IT RU US All Main circuit Any circuit

Frac0on of websites with vulnerable circuits

How vulnerable is vanilla Tor?

Main Circuit: Circuit carrying first “GET” request is vulnerable Any Circuit: Circuit carrying any request is vulnerable Network-level Adversary

Frac0on of websites with vulnerable circuits

State-level Adversary

20 40 60 80 100 BR CN DE ES FR GB IR IT RU US All

SLIDE 7

Measuring Network-level Adversaries

Can AS-aware relay selec0on help?

> 20000 (source, des,na,on) AS pairs in each country
Consider 1000 * 1000 available (entry, exit) pairs
What frac0on of the 20000 (source, des0na0on) pairs have at

most x% of their 1 million (entry, exit) pairs safe from network- level threats?

BAD GOOD

YES!

SLIDE 8

Astoria: This AS-aware Tor client is alright

1. Convert (source, des,na,on) IPs to ASNs
2. Compute “safe-op,ons” from all

|entry-guard| * |legal-exits| op,ons

3. Select one of the “safe-op,ons”
4. Construct and use circuit

Measurement Toolkit IP-ASN Database

OFFLINE

What if there are no safe op0ons?

Astoria uses an LP to minimize number of circuits that are vulnerable to any single adversary. (see paper)

SLIDE 9

Astoria: Security Evaluation

Network-level Adversary

any: 53% -> 8% main: 37% -> 3%

State-level Adversary

any: 88% -> 34% main: 82% -> 27%

SLIDE 10

Astoria: Performance Evaluation

Page-load 0mes

Tor: 5.9 sec Astoria: 8.3 sec Uniform: 15.6 sec

Load balancing

Similar to Tor*

0.2 0.4 0.6 0.8 1 5 10 15 20 25 30 Cumulative Probability Page Load Time (sec) Astoria Vanilla Tor Uniform Tor 0.2 0.4 0.6 0.8 1 2 4 6 8 10 12 14 Cumulative Probability Relay Bandwidth (MB/s) Available relays Perfect load balancing client Astoria Vanilla Tor Uniform Tor

SLIDE 11

Conclusions

Offline path-predic,on toolkit to measure Tor vulnerability
Significantly beMer security against network-level adversaries
Cuts number of vulnerable websites to less than 1/4th
Effec,vely deals with worst-case situa,ons
Load balancing: Similar to Tor
Page-load ,mes: BeMer than uniform, worse than Tor
Main problem: Cannot pre-build circuits like Tor
Arguably weaker against relay-level adversaries (see paper)