Aaron D. Jaggard

Aaron D. Jaggard, Paul Syverson

We introduce and investigate *targeting adversaries* who selectively attack users of Tor or other secure-communication networks. We argue that attacks by such adversaries are more realistic and more significant threats to those most relying on Tor's protection than are attacks in prior analyses of Tor security. Previous research and Tor design decisions have focused on protecting against adversaries who are equally interested in any user of the network. Our adversaries selectively target users---e.g., those who visit a particular website or chat on a particular private channel---and essentially disregard Tor users other than these. We present a model of such adversaries and investigate three example cases where particular users might be targeted: a cabal conducting meetings using MTor, a published Tor multicast protocol; a cabal meeting on a private IRC channel; and users visiting a particular .onion website. In general for our adversaries, compromise is much faster and provides more feedback and possibilities for adaptation than do attacks examined in prior work. We also discuss selection of websites for targeting of their users based on the distribution across users of site activity. We describe adversaries both attempting to learn the size of a cabal meeting online or of a set of sufficiently active visitors to a targeted site and attempting to identify guards of each targeted user. We compare the threat of targeting adversaries versus previously considered adversaries, and we briefly sketch possible countermeasures for resisting targeting adversaries.

Aaron Johnson, Rob Jansen, Aaron D. Jaggard et al.

Tor users are vulnerable to deanonymization by an adversary that can observe some Tor relays or some parts of the network. We demonstrate that previous network-aware path-selection algorithms that propose to solve this problem are vulnerable to attacks across multiple Tor connections. We suggest that users use trust to choose the paths through Tor that are less likely to be observed, where trust is flexibly modeled as a probability distribution on the location of the user's adversaries, and we present the Trust-Aware Path Selection algorithm for Tor that helps users avoid traffic-analysis attacks while still choosing paths that could have been selected by many other users. We evaluate this algorithm in two settings using a high-level map of Internet routing: (i) users try to avoid a single global adversary that has an independent chance to control each Autonomous System organization, Internet Exchange Point organization, and Tor relay family, and (ii) users try to avoid deanonymization by any single country. We also examine the performance of Trust-Aware Path selection using the Shadow network simulator.

Aaron D. Jaggard, Aaron Johnson, Paul Syverson et al.

Motivated by the effectiveness of correlation attacks against Tor, the censorship arms race, and observations of malicious relays in Tor, we propose that Tor users capture their trust in network elements using probability distributions over the sets of elements observed by network adversaries. We present a modular system that allows users to efficiently and conveniently create such distributions and use them to improve their security. The major components of this system are (i) an ontology of network-element types that represents the main threats to and vulnerabilities of anonymous communication over Tor, (ii) a formal language that allows users to naturally express trust beliefs about network elements, and (iii) a conversion procedure that takes the ontology, public information about the network, and user beliefs written in the trust language and produce a Bayesian Belief Network that represents the probability distribution in a way that is concise and easily sampleable. We also present preliminary experimental results that show the distribution produced by our system can improve security when employed by users; further improvement is seen when the system is employed by both users and services.