Building Sophisticated Services with Programmable Anonymity Networks

Research Areas: Network Security

Principal Investigator: Christina Garman

Overview: Anonymity systems are critical in achieving free, open communication on today’s Internet. In particular, Tor, a popular peer-to-peer anonymous system, has become a staple in resisting online censorship by rogue nations and allowing journalists to safely communicate with sources worldwide.
    However, there is a surprisingly narrow set of services that Tor is able to support in a robust fashion. Today, the use of Tor is largely relegated to web proxies and hidden services, and, unfortunately, neither of these applications has the ability to scale to handle dynamic workloads or attacks by automated bots.
    Conversely, services on the standard, “non-anonymous” Internet are thriving like never before. Impressive innovations in software-defined networking (SDN), network function virtualization (NFV), content delivery networks (CDNs), and network capabilities have resulted in more robust, scalable, and resilient network services. The present and future Internet is composed of programmable networks, but the basic primitives needed to achieve such features do not exist in anonymous networks.

Intellectual Merit: Given these trends, the PIs propose an ambitious research agenda towards developing programmable anonymity networks (extensions of Tor that allow users to install and run small snippets of code on Tor routers) and using them to build more sophisticated, more secure anonymous services. The proposed research has four main thrusts:
    Programmable Tor middleboxes: Programmable middleboxes are becoming the linchpin in many complex networked systems on the Internet today, as they allow services like load balancers, firewalls, and traffic shapers to be dynamically deployed and migrated. The PIs propose to develop new middlebox-like primitives based on secure enclaves (e.g., SGX) that allow Tor routers to run small snippets of code on behalf of a third party. If successful, this research will provide a powerful building block that can be used to build a wide range of systems, which we explore in the remaining thrusts.
    Censorship-resistant hidden services: One of the fundamental threats to Tor is censorship and deanonymization attacks by routing-capable adversaries. Recent work has made Tor more resilient to censorship, but requires full knowledge of the end-to-end circuit, which is impossible with hidden services. The PIs propose to apply their programmable Tor middleboxes to develop censorship-resistance schemes for hidden services.
    Hidden-services-based CDN: Content delivery networks (CDNs) host content on a set of globally replicated servers and protect their customers from large denial of service attacks by stopping attack traffic far from the target’s servers. The PIs propose to apply programmable Tor middleboxes to build a CDN from hidden service hosts, demonstrating the capabilities of anonymous middleboxes for dynamic scaling, load balancing, and filtering attack traffic.
    Decentralized anonymous credentials: The CDN we propose to build will face the same threats that today’s (non-anonymous) CDNs face: that of automated bots. Inherently, anonymity systems cannot tie a connection to a particular user, obviating user or IP-based reputation schemes. The PIs propose to develop anonymous credential schemes that allow users to prove their humanity once and obtain a set of anonymous credentials that can be redeemed at CDNs and our middleboxes for access to resources.

Broader Impact: Anonymous communication is a key ingredient in combatting online censorship and suppression of thought and information. Unfortunately, anonymity networks lack the necessary primitives to build sophisticated anonymous systems that are secure against powerful nation-state adversaries. If successful, our proposed research can help improve these trends by: (1) developing and releasing new tools (and resulting datasets) that help protect existing anonymity networks against powerful attackers and enable new, more sophisticated anonymous systems, and (2) presenting our findings not only to other researchers, but also to administrators at venues such as NANOG and CISO meetings. Beyond these intellectual impacts, if successful, there will be educational impact as well; the PIs are dedicated to encouraging women and underrepresented minorities to pursue research, and we anticipate that the goals of this research (free and open communication, protecting journalists, and so on) will entice students to study security who may not have considered it otherwise.


Other PIs: Dave Levin (UMD)

Students: Arushi Arora

Representative Publications

  • Michael Reininger, Arushi Arora, Stephen Herwig, Nicholas Francino, Christina Garman, Dave Levin. "Bento: Bringing Network Function Virtualization to Tor". In ACM CCS Poster Session, 2020.

  • Michael Reininger, Arushi Arora, Stephen Herwig, Nicholas Francino, Jayson Hurst, Christina Garman, Dave Levin. "Bento: Safely Bringing Network Function Virtualization to Tor". In SIGCOMM 2021.

  • Arushi Arora and Raj Karra (Purdue University), Dave Levin (University of Maryland), Christina Garman (Purdue University). "Provably Avoiding Geographic Regions for Tor's Onion Services". In Financial Cryptography and Data Security 2023.