Holding all the ASes: Identifying and Circumventing the Pitfalls of AS-aware Tor Client Design
This work addresses the threat of de-anonymization for Tor users by network-level adversaries, but it is incremental as it builds on existing AS-aware client designs.
The paper tackled the problem of AS-level traffic correlation attacks on Tor by analyzing their evolution over five years and identifying design pitfalls in AS-aware clients, resulting in the proposal of Cipollino, which achieves better security against network-level adversaries while maintaining other security and performance aspects.
Traffic correlation attacks to de-anonymize Tor users are possible when an adversary is in a position to observe traffic entering and exiting the Tor network. Recent work has brought attention to the threat of these attacks by network-level adversaries (e.g., Autonomous Systems). We perform a historical analysis to understand how the threat from AS-level traffic correlation attacks has evolved over the past five years. We find that despite a large number of new relays added to the Tor network, the threat has grown. This points to the importance of increasing AS-level diversity in addition to the capacity of the Tor network. We identify and elaborate on common pitfalls of AS-aware Tor client design and construction. We find that succumbing to these pitfalls can negatively impact three major aspects of an AS-aware Tor client -- (1) security against AS-level adversaries, (2) security against relay-level adversaries, and (3) performance. Finally, we propose and evaluate a Tor client -- Cipollino -- which avoids these pitfalls using the state of the art in network measurement. Our evaluation shows that Cipollino is able to achieve better security against network-level adversaries while maintaining security against relay-level adversaries and
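The abstract's point that adding relays does not reduce AS-level exposure unless AS diversity also grows can be seen on a toy topology. The following is an added example, not code from the paper or from Cipollino; the relay names, AS paths (documentation-range AS numbers) and the uniform relay selection are constructed assumptions.

```python
from itertools import product

# Constructed AS-level paths; AS numbers are from the documentation range (RFC 5398).
# Entry paths run client -> guard relay, exit paths run exit relay -> destination.
BASE_ENTRY = {"G1": [64496, 64500, 64501], "G2": [64496, 64502]}
BASE_EXIT = {"E1": [64503, 64500, 64510], "E2": [64504, 64510]}


def observers(entry_path, exit_path):
    """ASes that sit on both ends of a circuit and could correlate its traffic."""
    return set(entry_path) & set(exit_path)


def safe_pairs(entry, exit_):
    """(guard, exit) pairs for which no single AS sees both ends."""
    return [(g, e) for g, e in product(entry, exit_)
            if not observers(entry[g], exit_[e])]


def vulnerable_fraction(entry, exit_):
    """Share of (guard, exit) pairs exposed to some AS, assuming uniform selection."""
    total = len(entry) * len(exit_)
    return (total - len(safe_pairs(entry, exit_))) / total


# Scenario 1: more capacity, but reached through the same transit AS (64500).
SAME_AS_ENTRY = {**BASE_ENTRY, "G3": [64496, 64500, 64501]}
SAME_AS_EXIT = {**BASE_EXIT, "E3": [64503, 64500, 64510]}

# Scenario 2: the same number of new relays, reached through previously unused ASes.
DIVERSE_ENTRY = {**BASE_ENTRY, "G4": [64496, 64505]}
DIVERSE_EXIT = {**BASE_EXIT, "E4": [64506, 64510]}

if __name__ == "__main__":
    scenarios = [
        ("baseline", BASE_ENTRY, BASE_EXIT),
        ("more relays, same ASes", SAME_AS_ENTRY, SAME_AS_EXIT),
        ("more relays, new ASes", DIVERSE_ENTRY, DIVERSE_EXIT),
    ]
    for name, entry, exit_ in scenarios:
        print(f"{name}: {vulnerable_fraction(entry, exit_):.3f} of pairs exposed")
```

An AS-aware client would draw circuits only from `safe_pairs`; how it obtains accurate AS paths is the measurement problem the paper addresses and is outside this sketch.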