Tor
0.4.7.0-alpha-dev
|
Circuit padding state machines. More...
#include "core/or/or.h"
#include "feature/nodelist/networkstatus.h"
#include "lib/crypt_ops/crypto_rand.h"
#include "core/or/circuitlist.h"
#include "core/or/circuitpadding_machines.h"
#include "core/or/circuitpadding.h"
Go to the source code of this file.
Functions | |
void | circpad_machine_client_hide_intro_circuits (smartlist_t *machines_sl) |
void | circpad_machine_relay_hide_intro_circuits (smartlist_t *machines_sl) |
void | circpad_machine_client_hide_rend_circuits (smartlist_t *machines_sl) |
void | circpad_machine_relay_hide_rend_circuits (smartlist_t *machines_sl) |
Circuit padding state machines.
Introduce circuit padding machines that will be used by Tor circuits, as specified by proposal 302 "Hiding onion service clients using padding".
Right now this file introduces two machines that aim to hide the client-side of onion service circuits against naive classifiers like the ones from the "Circuit Fingerprinting Attacks: Passive Deanonymization of Tor Hidden Services" paper from USENIX. By naive classifiers we mean classifiers that use basic features like "circuit construction circuits" and "incoming and outgoing cell counts" and "duration of activity".
In particular, these machines aim to be lightweight and protect against these basic classifiers. They don't aim to protect against more advanced attacks that use deep learning or even correlate various circuit construction events together. Machines that fool such advanced classifiers are also possible, but they can't be so lightweight and might require more WTF-PAD features. So for now we opt for the following two machines:
Client-side introduction circuit hiding machine:
This machine hides client-side introduction circuits by making their circuit construction sequence look like normal general circuits that download directory information. Furthermore, the circuits are kept open until all the padding has been sent, since intro circuits are usually very short lived and this act as a distinguisher. For more info see circpad_machine_client_hide_intro_circuits() and the sec.
Client-side rendezvous circuit hiding machine:
This machine hides client-side rendezvous circuits by making their circuit construction sequence look like normal general circuits. For more details see circpad_machine_client_hide_rend_circuits() and the spec.
TODO: These are simple machines that carefully manipulate the cells of the initial circuit setup procedure to make them look like general circuits. In the future, more states can be baked into their state machine to do more advanced obfuscation.
Definition in file circuitpadding_machines.c.
void circpad_machine_client_hide_intro_circuits | ( | smartlist_t * | machines_sl | ) |
Create a client-side padding machine that aims to hide IP circuits. In particular, it keeps intro circuits alive until a bunch of fake traffic has been pushed through.
Definition at line 63 of file circuitpadding_machines.c.
void circpad_machine_client_hide_rend_circuits | ( | smartlist_t * | machines_sl | ) |
Create a client-side padding machine that aims to hide rendezvous circuits.
Definition at line 267 of file circuitpadding_machines.c.
void circpad_machine_relay_hide_intro_circuits | ( | smartlist_t * | machines_sl | ) |
Create a relay-side padding machine that aims to hide IP circuits. See comments on the function above for more details on the workings of the machine.
Definition at line 157 of file circuitpadding_machines.c.
void circpad_machine_relay_hide_rend_circuits | ( | smartlist_t * | machines_sl | ) |
Create a relay-side padding machine that aims to hide IP circuits.
This is meant to follow the client-side machine.
Definition at line 386 of file circuitpadding_machines.c.