Bento: safely bringing network function virtualization to Tor

Tor is a powerful and important tool for providing anonymity and censorship resistance to users around the world. Yet it is surprisingly difficult to deploy new services in Tor—it is largely relegated to proxies and hidden services—or to nimbly react to new forms of attack. Conversely, “non-anonymous” Internet services are thriving like never before because of recent advances in programmable networks, such as Network Function Virtualization (NFV) which provides programmable in-network middleboxes. This paper seeks to close this gap by introducing programmable middleboxes into the Tor network. In this architecture, users can install and run sophisticated “functions” on willing Tor routers. We demonstrate a wide range of functions that improve anonymity, resilience to attack, performance of hidden services, and more. We present the design and implementation of an architecture, Bento, that protects middlebox nodes from the functions they run—and protects the functions from the middleboxes they run on. We evaluate Bento by running it on the live Tor network. We show that, with just a few lines of Python, we can significantly extend the capabilities of Tor to meet users' anonymity needs and nimbly react to new threats. We will be making our code and data publicly available.

[1]  Mohsen Imani,et al.  Deep Fingerprinting: Undermining Website Fingerprinting Defenses with Deep Learning , 2018, CCS.

[2]  Tao Wang,et al.  Improved website fingerprinting on Tor , 2013, WPES.

[3]  Lei Yang,et al.  mTor: A multipath Tor routing beyond bandwidth throttling , 2015, 2015 IEEE Conference on Communications and Network Security (CNS).

[4]  Sylvia Ratnasamy,et al.  SafeBricks: Shielding Network Functions in the Cloud , 2018, NSDI.

[5]  Nicholas Hopper,et al.  Routing around decoys , 2012, CCS.

[6]  Dave Levin,et al.  DeTor: Provably Avoiding Geographic Regions in Tor , 2017, USENIX Security Symposium.

[7]  Ion Stoica,et al.  Modeling middleboxes , 2008, IEEE Network.

[8]  Nick Mathewson,et al.  Tor: The Second-Generation Onion Router , 2004, USENIX Security Symposium.

[9]  Micah Sherr,et al.  Users get routed: traffic correlation on tor by realistic adversaries , 2013, CCS.

[10]  Tao Wang,et al.  A Systematic Approach to Developing and Evaluating Website Fingerprinting Defenses , 2014, CCS.

[11]  Mabry Tyson,et al.  FRESCO: Modular Composable Security Services for Software-Defined Networks , 2013, NDSS.

[12]  Andriy Panchenko,et al.  Path Selection Metrics for Performance-Improved Onion Routing , 2009, 2009 Ninth Annual International Symposium on Applications and the Internet.

[13]  Alex Biryukov,et al.  TorScan: Tracing Long-Lived Connections and Differential Scanning Attacks , 2012, ESORICS.

[14]  Russell J. Clark,et al.  Kinetic: Verifiable Dynamic Network Control , 2015, NSDI.

[15]  Donald E. Eastlake,et al.  Transport Layer Security (TLS) Extensions: Extension Definitions , 2011, RFC.

[16]  Ivan Damgård,et al.  Unclonable Group Identification , 2006, IACR Cryptol. ePrint Arch..

[17]  Nick Feamster,et al.  Programming slick network functions , 2015, SOSR.

[18]  Brian E. Carpenter,et al.  Middleboxes: Taxonomy and Issues , 2002, RFC.

[19]  Donald Eastlake rd,et al.  Transport Layer Security (TLS) Extensions: Extension Definitions , 2011 .

[20]  Olivier Bonaventure,et al.  Flexible Anonymous Network , 2019, ArXiv.

[21]  Mike Perry,et al.  Toward an Efficient Website Fingerprinting Defense , 2015, ESORICS.

[22]  Steven J. Murdoch,et al.  Sampled Traffic Analysis by Internet-Exchange-Level Adversaries , 2007, Privacy Enhancing Technologies.

[23]  Amir Herzberg,et al.  Spying in the Dark: TCP and Tor Traffic Analysis , 2012, Privacy Enhancing Technologies.

[24]  Kyungtae Kim,et al.  OBLIVIATE: A Data Oblivious Filesystem for Intel SGX , 2018, NDSS.

[25]  Sylvia Ratnasamy,et al.  BlindBox: Deep Packet Inspection over Encrypted Traffic , 2015, SIGCOMM.

[26]  Angelos D. Keromytis,et al.  Traffic Analysis against Low-Latency Anonymity Networks Using Available Bandwidth Estimation , 2010, ESORICS.

[27]  Dave Levin,et al.  Ting: Measuring and Exploiting Latencies Between All Tor Nodes , 2015, Internet Measurement Conference.

[28]  Juan del Cuvillo,et al.  Using innovative instructions to create trustworthy software solutions , 2013, HASP '13.

[29]  Eric Wustrow,et al.  Trusted Click: Overcoming Security issues of NFV in the Cloud , 2017, SDN-NFV@CODASPY.

[30]  Brijesh Joshi,et al.  Touching from a distance: website fingerprinting attacks and defenses , 2012, CCS.

[31]  Stefan Lindskog,et al.  How the Great Firewall of China is Blocking Tor , 2012, FOCI.

[32]  J. Hellerstein,et al.  A Wakeup Call for Internet Monitoring Systems : The Case for Distributed Triggers , 2004 .

[33]  Dongsu Han,et al.  Enhancing Security and Privacy of Tor's Ecosystem by Using Trusted Execution Environments , 2017, NSDI.

[34]  Vern Paxson,et al.  Towards Illuminating a Censorship Monitor's Model to Facilitate Evasion , 2013, FOCI.

[35]  Paul F. Syverson,et al.  Valet Services: Improving Hidden Servers with a Personal Touch , 2006, Privacy Enhancing Technologies.

[36]  Prateek Mittal,et al.  RAPTOR: Routing Attacks on Privacy in Tor , 2015, USENIX Security Symposium.

[37]  Aniket Kate,et al.  Anonymity Trilemma: Strong Anonymity, Low Bandwidth Overhead, Low Latency - Choose Two , 2017, 2018 IEEE Symposium on Security and Privacy (SP).

[38]  Ittai Anati,et al.  Innovative Technology for CPU Based Attestation and Sealing , 2013 .

[39]  Fernando Pedone,et al.  Merlin: A Language for Provisioning Network Resources , 2014, CoNEXT.

[40]  Thorsten Holz,et al.  On the Challenges of Geographical Avoidance for Tor , 2019, NDSS.

[41]  Marc Dacier,et al.  Circuit Fingerprinting Attacks: Passive Deanonymization of Tor Hidden Services , 2015, USENIX Security Symposium.

[42]  Donald E. Porter,et al.  Graphene-SGX: A Practical Library OS for Unmodified Applications on SGX , 2017, USENIX Annual Technical Conference.

[43]  Ian Goldberg,et al.  The Path Less Travelled: Overcoming Tor's Bottlenecks with Traffic Splitting , 2013, Privacy Enhancing Technologies.

[44]  Nicholas Hopper,et al.  PeerFlow: Secure Load Balancing in Tor , 2017, Proc. Priv. Enhancing Technol..

[45]  Harsha V. Madhyastha,et al.  LASTor: A Low-Latency AS-Aware Tor Client , 2012, IEEE/ACM Transactions on Networking.

[46]  양희영 2005 , 2005, Los 25 años de la OMC: Una retrospectiva fotográfica.

[47]  Pablo Rodriguez,et al.  Multi-Context TLS (mcTLS): Enabling Secure In-Network Functionality in TLS , 2015, Comput. Commun. Rev..

[48]  Ming Zhang,et al.  An untold story of middleboxes in cellular networks , 2011, SIGCOMM.

[49]  Tao Wang,et al.  Walkie-Talkie: An Efficient Defense Against Passive Website Fingerprinting Attacks , 2017, USENIX Security Symposium.

[50]  Nicholas Hopper,et al.  How much anonymity does network latency leak? , 2007, TSEC.

[51]  Matthew Green,et al.  Decentralized Anonymous Credentials , 2014, NDSS.

[52]  Roger Dingledine,et al.  A Practical Congestion Attack on Tor Using Long Paths , 2009, USENIX Security Symposium.

[53]  Joong Bum Rhim,et al.  Fountain Codes , 2010 .

[54]  Amin Vahdat,et al.  xOMB: Extensible Open MiddleBoxes with commodity servers , 2012, 2012 ACM/IEEE Symposium on Architectures for Networking and Communications Systems (ANCS).

[55]  David Chaum,et al.  The dining cryptographers problem: Unconditional sender and recipient untraceability , 1988, Journal of Cryptology.

[56]  Tao Wang,et al.  Effective Attacks and Provable Defenses for Website Fingerprinting , 2014, USENIX Security Symposium.

[57]  David Chaum,et al.  Security without identification: transaction systems to make big brother obsolete , 1985, CACM.

[58]  Thomas F. Wenisch,et al.  Foreshadow: Extracting the Keys to the Intel SGX Kingdom with Transient Out-of-Order Execution , 2018, USENIX Security Symposium.

[59]  Michael Luby,et al.  A digital fountain approach to reliable distribution of bulk data , 1998, SIGCOMM '98.

[60]  George Danezis,et al.  Low-cost traffic analysis of Tor , 2005, 2005 IEEE Symposium on Security and Privacy (S&P'05).

[61]  Moni Naor,et al.  Pricing via Processing or Combatting Junk Mail , 1992, CRYPTO.

[62]  Aditya Akella,et al.  Toward software-defined middlebox networking , 2012, HotNets-XI.

[63]  Micah Sherr,et al.  Scalable Link-Based Relay Selection for Anonymous Routing , 2009, Privacy Enhancing Technologies.

[64]  Vyas Sekar,et al.  Making middleboxes someone else's problem: network processing as a cloud service , 2012, SIGCOMM '12.

[65]  Carlos V. Rozas,et al.  Innovative instructions and software model for isolated execution , 2013, HASP '13.

[66]  Christof Fetzer,et al.  ShieldBox: Secure Middleboxes using Shielded Execution , 2018, SOSR.

[67]  Jan Camenisch,et al.  How to win the clonewars: efficient periodic n-times anonymous authentication , 2006, CCS '06.

[68]  Ion Stoica,et al.  A policy-aware switching layer for data centers , 2008, SIGCOMM '08.

[69]  Xin Jin,et al.  SoftCell: scalable and flexible cellular core network architecture , 2013, CoNEXT.

[70]  Dave Levin,et al.  Achieving Keyless CDNs with Conclaves , 2020, USENIX Security Symposium.

[71]  Paul F. Syverson,et al.  As-awareness in Tor path selection , 2009, CCS.