Home Explore Help
Sign In
JeremyRand
/
torspec
Watch 1
Star 0
Fork 0
Files Issues 0 Pull Requests 0 Wiki
Branch: stream-event-isolation
Branches Tags
torspec
/
proposals
/
302-padding-machines-for-onion-clients.txt

302-padding-machines-for-onion-clients.txt 14 KB
Permalink History Raw

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302 
  1. Filename: 302-padding-machines-for-onion-clients.txt
    2. 

  2. Title: Hiding onion service clients using padding
    3. 

  3. Author: George Kadianakis, Mike Perry
    4. 

  4. Created: Thursday 16 May 2019
    5. 

  5. Status: Closed
    6. 

  6. Implemented-In: 0.4.1.1-alpha
    7. 

  7. 

  8. NOTE: Please look at section 3 of padding-spec.txt now, not this document.
    9. 

  9. 

  10. 0. Overview
    11. 

  11. 

  12.    Tor clients use "circuits" to do anonymous communications. There are various
    13. 

  13.    types of circuits. Some of them are for navigating the normal Internet,
    14. 

  14.    others are for fetching Tor directory information, others are for connecting
    15. 

  15.    to onion services, while others are simply for measurements and testing.
    16. 

  16. 

  17.    It's currently possible for MITM type of adversaries (like tor-network-level
    18. 

  18.    and local-area-network adversaries) to distinguish Tor circuit types from
    19. 

  19.    each other using a wide array of metadata and distinguishers.
    20. 

  20. 

  21.    In this proposal, we study various techniques that can be used to
    22. 

  22.    distinguish client-side onion service circuits and provide WTF-PAD circuit
    23. 

  23.    padding machines (using prop#254) to hide them against certain adversaries.
    24. 

  24. 

  25. 1. Motivation
    26. 

  26. 

  27.    We are writing this proposal for various reasons:
    28. 

  28. 

  29.    1) We believe that in an ideal setting MITM adversaries should not be able
    30. 

  30.       to distinguish circuit types by inspecting traffic. Tor traffic should
    31. 

  31.       look amorphous to an outside observer to maximize uncertainty and
    32. 

  32.       anonymity properties.
    33. 

  33. 

  34.       Client-side onion service circuits are an easy target for this proposal,
    35. 

  35.       because we believe we can improve their privacy with low bandwidth
    36. 

  36.       overhead.
    37. 

  37. 

  38.    2) We want to start experimenting with the WTF-PAD subsystem of Tor, and
    39. 

  39.       this use-case provides us with a good testbed.
    40. 

  40. 

  41.    3) We hope that by actually starting to use the WTF-PAD subsystem of Tor, we
    42. 

  42.       will encourage more researchers to start experimenting with it.
    43. 

  43. 

  44. 2. Scope of the proposal [SCOPE]
    45. 

  45. 

  46.    Given the above, this proposal sets forth to use the WTF-PAD system to hide
    47. 

  47.    client-side onion service circuits against the classifiers of paper by Kwon
    48. 

  48.    et al. above.
    49. 

  49. 

  50.    By client-side onion service circuits we refer to these two types of circuits:
    51. 

  51.       - Client-side introduction circuits: Circuit from client to the introduction point
    52. 

  52.       - Client-side rendezvous circuits: Circuit from client to the rendezvous point
    53. 

  53. 

  54.    Service-side onion service circuits are not in scope for this proposal, and
    55. 

  55.    this is because hiding those would require more bandwidth and also more
    56. 

  56.    advanced WTF-PAD features.
    57. 

  57. 

  58.    Furthermore, this proposal only aims to cloak the naive distinguishing
    59. 

  59.    features mentioned in the [KNOWN_DISTINGUISHERS] section, and can by no
    60. 

  60.    means guarantee that client-side onion service circuits are totally
    61. 

  61.    indistinguishable by other means.
    62. 

  62. 

  63.    The machines specified in this proposal are meant to be lightweight and
    64. 

  64.    created for a specific purpose. This means that they can be easily extended
    65. 

  65.    with additional states to do more advanced hiding.
    66. 

  66. 

  67. 3. Known distinguishers against onion service circuits [KNOWN_DISTINGUISHERS]
    68. 

  68. 

  69.    Over the past years it's been assumed that motivated adversaries can
    70. 

  70.    distinguish onion-service traffic from normal Tor traffic given their
    71. 

  71.    special characteristics.
    72. 

  72. 

  73.    As far as we know, there has been relatively little research-level work done
    74. 

  74.    to this direction. The main article published in this area is the USENIX
    75. 

  75.    paper "Circuit Fingerprinting Attacks: Passive Deanonymization of Tor Hidden
    76. 

  76.    Services" by Kwon et al. [0]
    77. 

  77. 

  78.    The above paper deals with onion service circuits in sections 3.2 and 5.1.
    79. 

  79.    It uses the following three "naive" circuit features to distinguish circuits:
    80. 

  80.       1) Circuit construction sequence
    81. 

  81.       2) Number of incoming and outgoing cells
    82. 

  82.       3) Duration of Activity ("DoA")
    83. 

  83. 

  84.     All onion service circuits have particularly loud signatures to the above
    85. 

  85.     characteristics, but WTF-PAD (prop#254) gives us tools to effectively
    86. 

  86.     silence those signatures to the point where the paper's classifiers won't
    87. 

  87.     work.
    88. 

  88. 

  89. 4. Hiding circuit features using WTF-PAD
    90. 

  90. 

  91.    According to section [KNOWN_DISTINGUISHERS] there are three circuit features
    92. 

  92.    we are attempting to hide. Here is how we plan to do this using the WTF-PAD
    93. 

  93.    system:
    94. 

  94. 

  95.    1) Circuit construction sequence
    96. 

  96. 

  97.       The USENIX paper uses the directions of the first 10 cells sent in a
    98. 

  98.       circuit to fingerprint them. Client-side onion service circuits have
    99. 

  99.       unique circuit construction sequences and hence they can be fingeprinted
    100. 

  100.       using just the first 10 cells.
    101. 

  101. 

  102.       We use WTF-PAD to destroy this feature of onion service circuits by
    103. 

  103.       carefully sending padding cells (relay DROP cells) during circuit
    104. 

  104.       construction and making them look exactly like most general tor circuits
    105. 

  105.       up till the end of the circuit construction sequence.
    106. 

  106. 

  107.    2) Number of incoming and outgoing cells
    108. 

  108. 

  109.       The USENIX paper uses the amount of incoming and outgoing cells to
    110. 

  110.       distinguish circuit types. For example, client-side introduction circuits
    111. 

  111.       have the same amount of incoming and outgoing cells, whereas client-side
    112. 

  112.       rendezvous circuits have more incoming than outgoing cells.
    113. 

  113. 

  114.       We use WTF-PAD to destroy this feature by changing the number of cells
    115. 

  115.       sent in introduction circuits. We leave rendezvous circuits as is, since
    116. 

  116.       the actual rendezvous traffic flow usually resembles well normal Tor
    117. 

  117.       circuits.
    118. 

  118. 

  119.     3) Duration of Activity ("DoA")
    120. 

  120. 

  121.       The USENIX paper uses the period of time during which circuits send and
    122. 

  122.       receive cells to distinguish circuit types. For example, client-side
    123. 

  123.       introduction circuits are really short lived, wheras service-side
    124. 

  124.       introduction circuits are very long lived. OTOH, rendezvous circuits have
    125. 

  125.       the same median lifetime as general Tor circuits which is 10 minutes.
    126. 

  126. 

  127.       We use WTF-PAD to destroy this feature of client-side introduction
    128. 

  128.       circuits by setting a special WTF-PAD option, which keeps the circuits
    129. 

  129.       open for 10 minutes completely mimicking the DoA of general Tor circuits.
    130. 

  130. 

  131. 4.1. A dive into general circuit construction sequences [CIRCCONSTRUCTION]
    132. 

  132. 

  133.    In this section we give an overview of how circuit construction looks like
    134. 

  134.    to a network or guard-level adversary. We use this knowledge to make the
    135. 

  135.    right padding machines that can make intro and rend circuits look like these
    136. 

  136.    general circuits.
    137. 

  137. 

  138.    In particular, most general Tor circuits used to surf the web or download
    139. 

  139.    directory information, start with the following 6-cell relay cell sequence (cells
    140. 

  140.    surrounded in [brackets] are outgoing, the others are incoming):
    141. 

  141. 

  142.      [EXTEND2] -> EXTENDED2 -> [EXTEND2] -> EXTENDED2 -> [BEGIN] -> CONNECTED
    143. 

  143. 

  144.    When this is done, the client has established a 3-hop circuit and also
    145. 

  145.    opened a stream to the other end. Usually after this comes a series of DATA
    146. 

  146.    cell that either fetches pages, establishes an SSL connection or fetches
    147. 

  147.    directory information:
    148. 

  148. 

  149.      [DATA] -> [DATA] -> DATA -> DATA
    150. 

  150. 

  151.    The above stream of 10 relay cells defines the grand majority of general
    152. 

  152.    circuits that come out of Tor browser during our testing, and it's what we
    153. 

  153.    are gonna use to make introduction and rednezvous circuits blend in.
    154. 

  154. 

  155.    Please note that in this section we only investigate relay cells and not
    156. 

  156.    connection-level cells like CREATE/CREATED or AUTHENTICATE/etc. that are
    157. 

  157.    used during the link-layer handshake. The rationale is that connection-level
    158. 

  158.    cells depend on the type of guard used and are not an effective fingerprint
    159. 

  159.    for a network/guard-level adversary.
    160. 

  160. 

  161. 5. WTF-PAD machines
    162. 

  162. 

  163.    For the purposes of this proposal we will make use of four WTF-PAD machines
    164. 

  164.    as follows:
    165. 

  165. 

  166.       - Client-side introduction circuit hiding machine (origin-side)
    167. 

  167.       - Client-side introduction circuit hiding machine (relay-side)
    168. 

  168. 

  169.       - Client-side rendezvous circuit hiding machine (origin-side)
    170. 

  170.       - Client-side rendezvous circuit hiding machine (relay-side)
    171. 

  171. 

  172.    In the following sections we will analyze these machines.
    173. 

  173. 

  174. 5.1. Client-side introduction circuit hiding machines [INTRO_CIRC_HIDING]
    175. 

  175. 

  176.    These two machines are meant to hide client-side introduction circuits. The
    177. 

  177.    origin-side machine sits on the client and sends padding towards the
    178. 

  178.    introduction circuit, whereas the relay-side machine sits on the middle-hop
    179. 

  179.    (second hop of the circuit) and sends padding towards the client. The
    180. 

  180.    padding from the origin-side machine terminates at the middle-hop and does
    181. 

  181.    not get forwarded to the actual introduction point.
    182. 

  182. 

  183.    Both of these machines only get activated for introduction circuits, and
    184. 

  184.    only after an INTRODUCE1 cell has been sent out.
    185. 

  185. 

  186.    This means that before the machine gets activated our cell flow looks like this:
    187. 

  187. 

  188.     [EXTEND2] -> EXTENDED2 -> [EXTEND2] -> EXTENDED2 -> [EXTEND2] -> EXTENDED2 -> [INTRODUCE1]
    189. 

  189. 

  190.    Comparing the above with section [CIRCCONSTRUCTION], we see that the above
    191. 

  191.    cell sequence matches the one from general circuits up to the first 7 cells.
    192. 

  192. 

  193.    However, in normal introduction circuits this is followed by an
    194. 

  194.    INTRODUCE_ACK and then the circuit gets teared down, which does not match
    195. 

  195.    the sequence from [CIRCCONSTRUCTION].
    196. 

  196. 

  197.    Hence when our machine is used, after sending an [INTRODUCE1] cell, we also
    198. 

  198.    send a [PADDING_NEGOTIATE] cell, which gets answered by a PADDING_NEGOTIATED
    199. 

  199.    cell and an INTRODUCE_ACKED cell. This makes us match the [CIRCCONSTRUCTION]
    200. 

  200.    sequence up to the first 10 cells.
    201. 

  201. 

  202.    After that, we continue sending padding from the relay-side machine so as to
    203. 

  203.    fake a directory download, or an SSL connection setup. We also want to
    204. 

  204.    continue sending padding so that the connection stays up longer to destroy
    205. 

  205.    the "Duration of Activity" fingerprint.
    206. 

  206. 

  207.    To calculate the padding overhead, we see that the origin-side machine just
    208. 

  208.    sends a single [PADDING_NEGOATIATE] cell, wheras the origin-side machine
    209. 

  209.    sends a PADDING_NEGOTIATED cell and between 7 to 10 DROP cells. This means
    210. 

  210.    that the average overhead of this machine is 11 padding cells.
    211. 

  211. 

  212.    In terms of WTF-PAD terminology, these machines have three states (START,
    213. 

  213.    OBF, END). They move from the START to OBF state when the first
    214. 

  214.    non-padding cell is received on the circuit, and they stay in the OBF
    215. 

  215.    state until all the padding gets depleted. The OBF state is controlled by
    216. 

  216.    a histogram which specifies the parameters described in the paragraphs
    217. 

  217.    above. After all the padding finishes, it moves to END state.
    218. 

  218. 

  219.    We also set a special WTF-PAD flag which keeps the circuit open even after
    220. 

  220.    the introduction is performed. In particular, with this feature the circuit
    221. 

  221.    will stay alive for the same durations as normal web circuits before they
    222. 

  222.    expire (usually 10 minutes).
    223. 

  223. 

  224. 5.2. Client-side rendezvous circuit hiding machines
    225. 

  225. 

  226.    The rendezvous circuit machines apply on client-side rendezvous circuits and
    227. 

  227.    only after the rendezvous point has been established (REND_ESTABLISHED has
    228. 

  228.    been received). Up to that point, the following cell sequence has been
    229. 

  229.    observed on the circuit:
    230. 

  230. 

  231.     [EXTEND2] -> EXTENDED2 -> [EXTEND2] -> EXTENDED2 -> [ESTABLISH_REND] -> REND_ESTABLISHED
    232. 

  232. 

  233.    which matches the general circuit construction sequence [CIRCCONSTRUCTION]
    234. 

  234.    up to the first 6 cells. However after that, normal rendezvous circuits
    235. 

  235.    receive a RENDEZVOUS2 cell followed by a [BEGIN] and a CONNECTED, which does
    236. 

  236.    not fit the circuit construction sequence we are trying to imitate.
    237. 

  237. 

  238.    Hence our machine gets activated right after REND_ESTABLISHED is received,
    239. 

  239.    and continues by sending a [PADDING_NEGOTIATE] and a [DROP] cell, before
    240. 

  240.    receiving a PADDING_NEGOTIATED and a DROP cell, effectively blending into
    241. 

  241.    the general circuit construction sequence on the first 10 cells.
    242. 

  242. 

  243.    After that our machine gets deactivated, and we let the actual rendezvous
    244. 

  244.    circuit shape the traffic flow. Since rendezvous circuits usually immitate
    245. 

  245.    general circuits (their purpose is to surf the web), we can expect that they
    246. 

  246.    will look alike.
    247. 

  247. 

  248.    In terms of overhead, this machine is quite light. Both sides send 2 padding
    249. 

  249.    cells, for a total of 4 padding cells.
    250. 

  250. 

  251. 6. Overhead analysis
    252. 

  252. 

  253.    Given the parameters above, intro circuit machines have an overhead of 11
    254. 

  254.    padding cells, and rendezvous circuit machines have an overhead of 4
    255. 

  255.    cpadding ells.  . This means that for every intro and rendezvous circuit
    256. 

  256.    there will be an overhead of 15 padding cells in average, which is about
    257. 

  257.    7.5kb.
    258. 

  258. 

  259.    In the PrivCount paper [1] we learn that the Tor network sees about 12
    260. 

  260.    million successful descriptor fetches per day. We can use this figure to
    261. 

  261.    assume that the Tor network also sees about 12 million intro and rendezvous
    262. 

  262.    circuits per day. Given the 7.5kb overhead of each of these circuits, we get
    263. 

  263.    that our padding machines infer an additional 94GB overhead per day on the
    264. 

  264.    network, which is about 3.9GB per hour.
    265. 

  265. 

  266.    XXX Isn't this kinda intense????? Using the graphs from metrics we see that
    267. 

  267.        the Tor network has total capacity of 300 Gbit/s which is about 135000GB per
    268. 

  268.        hour, so 3.9GB per hour is not that much, but still...
    269. 

  269. 

  270. 7. Discussion
    271. 

  271. 

  272. 7.1. Alternative approaches
    273. 

  273. 

  274.    These machines try to hide onion service client-side circuits by obfuscating
    275. 

  275.    their looks. This is a reasonable approach, but if the resulting circuits
    276. 

  276.    look unlike any other Tor circuits, they would still be fingerprintable just
    277. 

  277.    by that fact.
    278. 

  278. 

  279.    Another approach we could take is make normal client circuits look like
    280. 

  280.    onion service circuits, or just make normal clients establish fake onion
    281. 

  281.    service circuits periodically. The hope here is that the adversary won't be
    282. 

  282.    able to distinguish fake onion service circuits from real ones. This
    283. 

  283.    approach has not been taken yet, mainly because it requires additional
    284. 

  284.    WTF-PAD features and poses greater overhead risks.
    285. 

  285. 

  286. 7.2. Future work
    287. 

  287. 

  288.    As discussed in [SCOPE], this proposal only aims to hide some very specific
    289. 

  289.    features of client-side onion service circuits. There is lots of work to be
    290. 

  290.    done here to see what other features can be used to distinguish such
    291. 

  291.    circuits, and also what other classifiers can be built using deep learning
    292. 

  292.    and whatnot.
    293. 

  293. 

  294. ---
    295. 

  295. 

  296.    [0]: https://www.usenix.org/node/190967
    297. 

  297.         https://blog.torproject.org/technical-summary-usenix-fingerprinting-paper
    298. 

  298. 

  299.    [1]: "Understanding Tor Usage with Privacy-Preserving Measurement"
    300. 

  300.         by Akshaya Mani, T Wilson-Brown, Rob Jansen, Aaron Johnson, and Micah Sherr
    301. 

  301.         In Proceedings of the Internet Measurement Conference 2018 (IMC 2018).
    302. 

  302.