Version 9 (modified by mikeperry, 2 years ago) (diff)



October 2015 - September 2018 (...)


Joint project with Georgetown and NRL focusing on research about resilience to attacks that reduce anonymity or that deny service.

The grant also includes a "transition to practice" component, which means we should not only help with the research side, but also build and deploy the more promising solutions.


  • Produce research papers
  • Release software (e.g. Tor) that includes fixes based on the research papers
  • Work with Micah Sherr and Rob Jansen

Tentative Roadmap

We currently believe that guard discovery attacks are the most serious threat to anonymity and availability of the Tor network. We are collecting tickets for the these vectors under the keyword guard-discovery.

This roadmap is a living document. We still do not understand the full scope of attacks and fixes for guard discovery attacks, and other attacks that are also in scope of this sponsor may appear at any time. No plan survives contact with the enemy.

Short Term

Our short term plan is to go after low hanging fruit. Several of the guard discovery attack vectors are very easy to mitigate, but very hard to solve entirely. We must not let perfect be the enemy of good during this phase.

To start, a few relatively simple changes can be completed on the 0.3.2/0.3.3 timescale that should address vectors relating to our statistics reporting and gathering:

Ticket Resolution Summary Owner Reporter
No tickets found

Ticket Resolution Summary Owner Reporter
No tickets found

Separate from the above, Proposal 247 is our proposal for changing Tor's path selection for hidden services to deal with trawling-style middle-node based attacks. Unfortunately, Proposal 247 requires quite a bit of performance tuning before we can do a final implementation. The final implementation will also require extensive modifications to Tor's path selection code.

The good news is that we can provide significantly improved security before we complete this implementation by providing torrc options and an add-on a Tor Controller that implements our intended algorithm. This same add-on Tor controller will also be used for performance evaluation. The target release for this initial work is Tor 0.3.3, which freezes mid-January 2018. The set of development work for this is:

Ticket Resolution Summary Owner Reporter
#13837 implemented Mitigate guard discovery by pinning middle node mikeperry asn
#23100 fixed Circuit Build Timeout needs to count hidden service circuits mikeperry mikeperry
#23101 implemented Predict and build specific HS purpose circuits (rather than GENERAL) mikeperry mikeperry
#23114 implemented Circuit Build Timeout should apply at circuit completion mikeperry mikeperry
#24487 Reverse path selection (choose outer hops first) mikeperry

Long Term

After 0.3.3, we plan to simulate the performance properties of Prop247 using the add-on controller. Separately, we will also simulate the time-until-compromise estimates of various parameter choices. We will use the results of these experiments to finalize parameter choices for the native Tor implementation of Proposal 247.

XXX: These two experiments should have tickets.

Proposal 247 by itself is insufficient to deal with all forms of guard discovery. In particular, circuit lifetime attacks like #22728 suggest that we need some way of re-establishing cirucits to an IP/RP over a new path. the conflux technique may be one way to do this. Note that for #22728 we do not need the flow control and load balancing pieces of conflux. we only need the ability to migrate an RP/IP from one path to another.

Here are other tickets we do not have a solid plan for yet:

Ticket Resolution Summary Owner Reporter
#22728 Long-lived onion service circuits can enable guard discovery mikeperry
#22729 Revisit relay read/write history resolution (for onion services) mikeperry
#23980 Provide torrc option to kill hidden service circuits after $TIMEOUT, $NUM_BYTES, or guard changes. mikeperry
#25574 Eliminate "silent-drop" side channels in Tor protocol mikeperry

Research Topics

As we address passive versions of #22728, we should also determine if the flow control mechanisms of conflux (or some other multipath routing) can provide any benefit against congestion attacks and other forms of denial of service attack against guard nodes.

XXX: I'm sure there are other things we need researched also.