ExperimenTor: A Testbed for Safe and Realistic Tor Experimentation Kevin Bauer 1 Micah Sherr 2 Damon McCoy 3 Dirk Grunwald 4 1 University of Waterloo 2.

Slides:

Advertisements

Similar presentations

Inktomi Confidential and Proprietary The Inktomi Climate Lab: An Integrated Environment for Analyzing and Simulating Customer Network Traffic Stephane.

Advertisements

The Effects of Wide-Area Conditions on WWW Server Performance Erich Nahum, Marcel Rosu, Srini Seshan, Jussara Almeida IBM T.J. Watson Research Center,

LASTor: A Low-Latency AS-Aware Tor Client

PIR-Tor: Scalable Anonymous Communication Using Private Information Retrieval Prateek Mittal University of Illinois Urbana-Champaign Joint work with: Femi.

Estinet open flow network simulator and emulator. IEEE Communications Magazine 51.9 (2013): Wang, Shie-Yuan, Chih-Liang Chou, and Chun-Ming Yang.

Barath Raghavan, Kashi Vishwanath, Sriram Ramabhadran, Kenneth Yocum, Alex C. Snoeren Defense: Rejaie Johnson, Xian Yi Teng.

The Sniper Attack: Anonymously Deanonymizing and Disabling the Tor Network Rob Jansen et. al NDSS 2014 Presenter: Yue Li Part of slides adapted from R.

Predicting Tor Path Compromise by Exit Port IEEE WIDA 2009December 16, 2009 Kevin Bauer, Dirk Grunwald, and Douglas Sicker University of Colorado Client.

The Challenges of Repeatable Experiment Archiving – Lessons from DETER Stephen Schwab SPARTA, Inc. d.b.a. Cobham Analytic Solutions May 25, 2010.

Design Deployment and Use of the DETER Testbed Terry Benzel, Robert Braden, Dongho Kim, Clifford Informatino Sciences Institute

How Much Anonymity does Network Latency Leak? Paper by: Nicholas Hopper, Eugene Vasserman, Eric Chan-Tin Presented by: Dan Czerniewski October 3, 2011.

The road to reliable, autonomous distributed systems

SDN and Openflow.

On Traffic Analysis in Tor Guest Lecture, ELE 574 Communications Security and Privacy Princeton University April 3 rd, 2014 Dr. Rob Jansen U.S. Naval Research.

A Security Pattern for a Virtual Private Network Ajoy Kumar and Eduardo B. Fernandez Dept. of Computer Science and Eng. Florida Atlantic University Boca.

1 In VINI Veritas: Realistic and Controlled Network Experimentation Jennifer Rexford with Andy Bavier, Nick Feamster, Mark Huang, and Larry Peterson

Criticisms of I3 Zhichun Li. General Issues Functionality Security Performance Practicality If not significant better than existing schemes, why bother?

1 GENI: Global Environment for Network Innovations Jennifer Rexford Princeton University

ToR. Tor: anonymity online Tor is a toolset for a wide range of organizations and people that want to improve their safety and security on the Internet.

An Overlay Data Plane for PlanetLab Andy Bavier, Mark Huang, and Larry Peterson Princeton University.

Wresting Control from BGP: Scalable Fine-grained Route Control UCSD / AT&T Research Usenix —June 22, 2007 Dan Pei, Tom Scholl, Aman Shaikh, Alex C. Snoeren,

Scalability and Accuracy in a Large- Scale Network Emulator Amin Vahdat, Ken Yocum, Kevin Walsh, Priya Mahadevan, Dejan Kostic, Jeff Chase, and David Becker.

1 Sonia Fahmy Ness Shroff Students: Roman Chertov Rupak Sanjel Center for Education and Research in Information Assurance and Security (CERIAS) Purdue.

1 GENI: Global Environment for Network Innovations Jennifer Rexford Princeton University See for.

Building a Strong Foundation for a Future Internet Jennifer Rexford ’91 Computer Science Department (and Electrical Engineering and the Center for IT Policy)

Firewalls and VPNS Team 9 Keith Elliot David Snyder Matthew While.

Anonymity on the Web: A Brief Overview By: Nipun Arora uni-na2271.

Toward Understanding Congestion in Tor DC-area Anonymity, Privacy, and Security Seminar January 24 th, 2014 Rob Jansen U.S. Naval Research Laboratory *Joint.

© Copyright 2012 STI INNSBRUCK Tor project: Anonymity online.

1 Enabling Large Scale Network Simulation with 100 Million Nodes using Grid Infrastructure Hiroyuki Ohsaki Graduate School of Information Sci. & Tech.

LiNK: An Operating System Architecture for Network Processors Steve Muir, Jonathan Smith Princeton University, University of Pennsylvania

1 Configurable Security for Scavenged Storage Systems NetSysLab The University of British Columbia Abdullah Gharaibeh with: Samer Al-Kiswany, Matei Ripeanu.

Never Been KIST: Tor’s Congestion Management Blossoms with Kernel- Informed Socket Transport 23 rd USENIX Security Symposium August 20 th 2014 Rob JansenUS.

Zhen Ling Southeast University Extensive Analysis and Large-Scale Empirical Evaluation of Tor Bridge Discovery In collaboration with Junzhou Luo, Southeast.

Crowds: Anonymity for Web Transactions Michael K. Reiter Aviel D. Rubin Jan 31, 2006Presented by – Munawar Hafiz.

Introduction of CRON Lin Xue Feb What is CRON “cron.cct.lsu.edu” testbed project is based on the Emulab system in the University of Utah. Emulab:

VL2: A Scalable and Flexible Data Center Network Albert Greenberg, James R. Hamilton, Navendu Jain, Srikanth Kandula, Changhoon Kim, Parantap Lahiri, David.

Large-scale Virtualization in the Emulab Network Testbed Mike Hibler, Robert Ricci, Leigh Stoller Jonathon Duerig Shashi Guruprasad, Tim Stack, Kirk Webb,

SDN Management Layer DESIGN REQUIREMENTS AND FUTURE DIRECTION NO OF SLIDES : 26 1.

1 Wide Area Network Emulation on the Millennium Bhaskaran Raman Yan Chen Weidong Cui Randy Katz {bhaskar, yanchen, wdc, Millennium.

Data Communications and Networks Chapter 9 – Distributed Systems ICT-BVF8.1- Data Communications and Network Trainer: Dr. Abbes Sebihi.

SHADOWSTREAM: PERFORMANCE EVALUATION AS A CAPABILITY IN PRODUCTION INTERNET LIVE STREAM NETWORK ACM SIGCOMM CING-YU CHU.

Victor Farbman and Maxim Trosman Under guidance of Amichai Shulman.

Mix networks with restricted routes PET 2003 Mix Networks with Restricted Routes George Danezis University of Cambridge Computer Laboratory Privacy Enhancing.

Traffic Correlation in Tor Source and Destination Prediction PETER BYERLEY RINDAL SULTAN ALANAZI HAFED ALGHAMDI.

PrimoGENI Miguel Erazo, Nathanael Van Vorst, Jason Liu (PI) Co-PIs: Julio Ibarra, Heidi Alvarez.

INFSO-RI Enabling Grids for E-sciencE File Transfer Software and Service SC3 Gavin McCance – JRA1 Data Management Cluster Service.

HOW TO BUILD A BETTER TESTBED Fabien Hermenier Robert Ricci LESSONS FROM A DECADE OF NETWORK EXPERIMENTS ON EMULAB TridentCom ’

MicroGrid Update & A Synthetic Grid Resource Generator Xin Liu, Yang-suk Kee, Andrew Chien Department of Computer Science and Engineering Center for Networked.

1 Scalability and Accuracy in a Large-Scale Network Emulator Nov. 12, 2003 Byung-Gon Chun.

Aaron Johnson Rob Jansen Aaron D. Jaggard Joan Feigenbaum

Confluent vs. Splittable Flows

Ahmed Saeed†, Mohamed Ibrahim†, Khaled A. Harras‡, Moustafa Youssef†

PeerFlow: Secure Load Balancing in Tor Aaron Johnson1 Rob Jansen1 Aaron Segal2 Nicholas Hopper3 Paul Syverson1 1U.S. Naval Research Laboratory 2Yale.

Architecture and Algorithms for an IEEE 802

Diskpool and cloud storage benchmarks used in IT-DSS

Shadow: Real Applications, Simulated Networks

Large Distributed Systems

Mohammad Malli Chadi Barakat, Walid Dabbous Alcatel meeting

Privacy Through Anonymous Connection and Browsing

Monkey See, Monkey Do A Tool for TCP Tracing and Replaying

Software Defined Networking (SDN)

Anupam Das , Nikita Borisov

Shadow: Scalable and Deterministic Network Experimentation

Anupam Das , Nikita Borisov

ModelNet: A Large-Scale Network Emulator for Wireless Networks Priya Mahadevan, Ken Yocum, and Amin Vahdat Duke University, Goal:

Privacy-Preserving Dynamic Learning of Tor Network Traffic

Shielding applications from an untrusted cloud with Haven

Rob Jansen, U.S. Naval Research Laboratory

Presentation transcript:

ExperimenTor: A Testbed for Safe and Realistic Tor Experimentation Kevin Bauer 1 Micah Sherr 2 Damon McCoy 3 Dirk Grunwald 4 1 University of Waterloo 2 Georgetown University 3 UCSD 4 University of Colorado 4th Workshop on Cyber Security Experimentation and Test (CSET ’11)

What is Tor and why is it important? 1 Tor is a low-latency overlay network and a software package that allows you to use TCP-based applications anonymously Tor has an estimated 350,000 daily users world-wide and its network consists of over 2,500 volunteer-operated Tor routers Ordinary Citizens - Protect web browsing habits - Research sensitive or taboo topics - Circumvent censorship Corporations - Research the competition - Safeguard trade secrets Activists & Whistleblowers - Expose human rights violations - Promote democracy - Protest election results Law Enforcement - Online surveillance - Sting operations

Get router list Directory Server Tor uses layered encryption to hide your online behaviors Tor provides anonymity for TCP applications by tunneling traffic through a virtual circuit of three Tor routers using layered encryption Client Destination Circuit The Tor Network Entry Guard Middle Router Exit Router Communicating parties are unlinkable as long as the entry and exit routers do not collude Tor Router 2

Tor is still an evolving research network Past and current research aims to improve Tor’s: – Security and anonymity [CCS ‘07, NDSS ’08, USENIX Security ‘10] – Quality of service [USENIX Security ‘09, CCS ’10, PETS ’11] Problem: There is no standard methodology for conducting Tor research in a realistic and safe manner; prior methods include: 3 Network simulators Small-scale network emulation Abstract modeling Live Tor network Distributed research networks Realism Safety

ExperimenTor: A whole-network Tor emulation testbed Goal: Propose a standard experimental methodology 4 -Replicates all components of the Tor network in isolation -Reproduces plausible network conditions through scalable network emulation -Fuels experiments with empirically derived models Network simulators Small-scale network emulation Abstract modeling Live Tor network Distributed research networks Realism Safety Allows investigators to study global, whole-network effects ExperimenTor

Talk outline Motivating case studies from prior Tor research Challenges of building a Tor network testbed Design and implementation of ExperimenTor Early experiences and lessons learned Conclusions and future work 5

Case study: Whole-network PlanetLab experiments Uniform router selection: Probability of attack’s success is (c/n) 2, c malicious routers in a network of n total routers It is assumed that an attacker who controls an entry/exit pair can trivially link the communicating parties: traffic confirmation attack 6 Tor Client Destination Entry Guard Middle Router Exit Router Tor routers are selected in proportion to their perceived bandwidth capacities for load balancing, but malicious routers can lie [Bauer et al., WPES ‘07]

7 Experiment: Evaluated the attack on two small Planetlab deployments with 40 and 60 honest Tor routers Details: Sample the bandwidth distribution of the real Tor network Limitations: 1. Reduced scale 2. Need to run many measurements to find suitable PlanetLab nodes 3. Repeatability? [Bauer et al., WPES ‘07] Case study: Whole-network PlanetLab experiments (2)

Case study: Small-scale experiments with the live Tor network Tunable Tor was proposed to help users manage their risk of the previous attack 8 High anonymity High performance User-tunable router selection Skewed to high bandwidth nodesUniform selection [Snader and Borisov, NDSS ’08] Mean time to fetch 1 MB Experiment : Deployed one “Tunable Tor” client on the live Tor network Details: Measured download times at different “selection levels” Limitations: What happens when many Tor clients use Tunable Tor? Global effects?

A case for whole-network Tor emulation Goal: Capture all salient dynamics of the live Tor network and reproduce in isolation  Realistic and safe experiments Desired features: 1. Allow investigators to deploy small-scale, large-scale, or global changes to any part of Tor’s design 2. Should eliminate any risk to the live Tor network 3. Experimental results should be meaningful to the live Tor network 9 Our argument: All can be realized with whole-network Tor emulation

Design challenges Modeling the live Tor network is difficult – Tor routers: Bandwidths, guard statuses, exit policies? – Tor clients: How many? Applications? Behaviors? Large-scale network emulation – Emulab and DETER have limited and shared resources Need to run unmodified Tor and application code – Avoids re-implementation errors; promotes realism 10

Meeting the design challenges Modeling Tor routers: - Publicly-available router metadata from Tor’s directories - Historical router data aggregated by the Tor Metrics Portal 11 Replicate live Tor’s router state, or scale things up or down

Meeting the design challenges (2) Modeling Tor clients: Leverage existing empirical data on Tor clients and their behaviors 12 Instant Messaging [McCoy et al., PETS ’08] Also leverage existing empirical studies of HTTP traffic to emulate realistic workloads [e.g., Hernándes-Campos et al., MASCOTS ’03; Google web metrics 2010]

Meeting the design challenges (3) Modeling Tor clients: Leverage existing empirical data on Tor clients and their behaviors 13 [McCoy et al., PETS ’08] Instant Messaging Model the distribution of client traffic by connection and volume (GB)

Meeting the design challenges (4) Modeling Tor clients: Can also leverage publicly-available data about Tor clients from the Tor Metrics Project 14 Replicate live Tor’s client state, or scale things up or down

Meeting the design challenges (5) Large-scale network emulation with ModelNet [Vahdat et al., OSDI ‘02] – Emulates a specified network topology – Runs native code without modification – Commodity hardware and OSes; can be deployed at local institution High-level system architecture – “Emulator” machine: Emulates a network topology in a kernel module – “Virtual node” machine: Runs applications within the virtual topology Physical network (e.g., 1 Gbps) Linux FreeBSD “Emulator” Applications run on “virtual node” machines 16

Putting it all together 16 Prototype: FreeBSD 6.3 Linux Accompanying toolkit: - Topology generation - Configure Tor clients, routers, & directories - Run experiments & perform analyses Testbed and toolkit are publicly available

Early experiences ExperimenTor prototypes are deployed at four research institutions (single emulator) Used to support two ongoing research projects: – Evaluate the effects of link-based router selection – Re-design Tor’s congestion control and flow control Both projects require global design changes to Tor 17

Limitations and future work Scalability – Scaling experiments to Tor’s estimated 350K users is likely not possible; necessary to “down sample” Improve client and traffic models – Data on Tor usage are limited – Is it possible to emulate diverse versions and configurations of Tor users? 18

Summary and conclusion ExperimenTor is a whole-network emulation-based testbed and toolkit for safe and realistic Tor experiments Enables large-scale Tor experiments that: – Use real Tor router bandwidths to inform topology – Emulate Tor clients and their traffic – Enable experiments with global changes to Tor’s design – Can be deployed cheaply on commodity systems 19 For more information: