Guard Sets in Tor using AS Relationships

Authors: Mohsen Imani (The University of Texas at Arlington), Armon Barton (The University of Texas at Arlington), Matthew Wright (Rochester Institute of Technology)

Volume: 2018
Issue: 1
Pages: 145–165
DOI: https://doi.org/10.1515/popets-2018-0008

Download PDF

Abstract: The mechanism for picking guards in Tor suffers from security problems like guard fingerprinting and from performance issues. To address these issues, Hayes and Danezis proposed the use of guard sets, in which the Tor system groups all guards into sets, and each client picks one of these sets and uses its guards. Unfortunately, guard sets frequently need nodes added or they are broken up due to fluctuations in network bandwidth. In this paper, we first show that these breakups create opportunities for malicious guards to join many guard sets by merely tuning the bandwidth they make available to Tor, and this greatly increases the number of clients exposed to malicious guards. To address this problem, we propose a new method for forming guard sets based on Internet location. We construct a hierarchy that keeps clients and guards together more reliably and prevents guards from easily joining arbitrary guard sets. This approach also has the advantage of confining an attacker with access to limited locations on the Internet to a small number of guard sets. We simulate this guard set design using historical Tor data in the presence of both relay-level adversaries and networklevel adversaries, and we find that our approach is good at confining the adversary into few guard sets, thus limiting the impact of attacks.

Keywords: Tor network, guard set

Copyright in PoPETs articles are held by their authors. This article is published under a Creative Commons Attribution-NonCommercial-NoDerivs license.