Guard Placement Attacks on Path Selection Algorithms for Tor

Abstract

The popularity of Tor has made it an attractive target for a variety of deanonymization and fingerprinting attacks. Location-based path selection algorithms have been proposed as a countermeasure to defend against such attacks. However, adversaries can exploit the location-awareness of these algorithms by strategically placing relays in locations that increase their chances of being selected as a client's guard. Being chosen as a guard facilitates website fingerprinting and traffic correlation attacks over extended time periods. In this thesis, we rigorously define and analyze the guard placement attack. We present novel guard placement attacks and show that three state-of-the-art Tor path selection algorithms---Counter-RAPTOR, DeNASA, and LASTor---are vulnerable to these attacks. We overcome defenses considered by all three systems. Our findings indicate that existing location-based path-selection algorithms allow guards to achieve disproportionately high selection probabilities relative to the cost required to run the guard. Lastly, we propose and evaluate a generic defense mechanism that provably defends any guard selection algorithm against guard placement attacks. We run the defense mechanism on each of the three algorithms we attacked, and find that our defense significantly enhances the security of these algorithms against guard placement attacks with only minimal impact to their original security or performance goals.