Poverty and Hunger Data Analysis 2020
P
e
e
r
F
l
o
w
:
S
e
c
u
r
e
L
o
a
d
B
a
l
a
n
c
i
n
g
i
n
T
o
r
A
a
r
o
n
J
o
h
n
s
o
n
1
R
o
b
J
a
n
s
e
n
1
A
a
r
o
n
S
e
g
a
l
2
N
i
c
h
o
l
a
s
H
o
p
p
e
r
3
P
a
u
l
S
y
v
e
r
s
o
n
1
1
U
.
S
.
N
a
v
a
l
R
e
s
e
a
r
c
h
L
a
b
o
r
a
t
o
r
y
2
Y
a
l
e
U
n
i
v
e
r
s
i
t
y
3
U
n
i
v
e
r
s
i
t
y
o
f
M
i
n
n
e
s
o
t
a
J
u
l
y
1
8
t
h
,
2
0
1
7
Privacy Enhancing Technologies Symposiu
2
O
v
e
r
v
i
e
w
•
Problem:
Secure load-balancing in Tor
•
Existing Solutions
•
TorFlow
•
EigenSpeed
•
New Solution: PeerFlow
•
Prove security against bandwidth-limited adversary
•
Experiments show similar performance to TorFlow
Demonstrate attacks
3
O
v
e
r
v
i
e
w
•
Problem:
Secure load-balancing in Tor
•
Existing Solutions
•
TorFlow
•
EigenSpeed
•
New Solution: PeerFlow
•
Prove security against bandwidth-limited adversary
•
Experiments show similar performance to TorFlow
Demonstrate attacks
4
P
r
o
b
l
e
m
Clients
Relays
Destinations
Guards
Exits
5
P
r
o
b
l
e
m
Clients
Relays
Destinations
Guards
Exits
•
Tor relays have varying unknown
capacities
6
P
r
o
b
l
e
m
Clients
Relays
Destinations
Guards
Exits
•
Tor relays have varying unknown
capacities
•
Clients must balance load
7
P
r
o
b
l
e
m
Clients
Relays
Destinations
Guards
Exits
•
Tor relays have varying unknown
capacities
•
Clients must balance load
•
Insecure load balancing allows adversary to attack more
client traffic
8
P
r
o
b
l
e
m
Clients
Relays
Destinations
Guards
Exits
•
Tor relays have varying unknown
capacities
•
Clients must balance load
•
Insecure load balancing allows adversary to attack more
client traffic
9
P
r
o
b
l
e
m
Clients
Relays
Destinations
Guards
Exits
•
Tor relays have varying unknown
capacities
•
Clients must balance load
•
Insecure load balancing allows adversary to attack more
client traffic
10
P
r
o
b
l
e
m
Clients
Relays
Destinations
Guards
Exits
•
Tor relays have varying unknown
capacities
•
Clients must balance load
•
Insecure load balancing allows adversary to attack more
client traffic
11
11
U.S. Naval Research Laboratory
P
r
o
b
l
e
m
The threat is real: relay falsely advertise bandwidth.
12
O
v
e
r
v
i
e
w
•
Problem:
Secure load-balancing in Tor
•
Existing Solutions
•
TorFlow
•
EigenSpeed
•
New Solution: PeerFlow
•
Prove security against bandwidth-limited adversary
•
Experiments show similar performance to TorFlow
Demonstrate attacks
13
O
v
e
r
v
i
e
w
•
Problem:
Secure load-balancing in Tor
•
Existing Solutions
•
TorFlow
•
EigenSpeed
•
New Solution: PeerFlow
•
Prove security against bandwidth-limited adversary
•
Experiments show similar performance to TorFlow
Demonstrate attacks
14
T
o
r
F
l
o
w
D
e
s
i
g
n
1.
Relays are divided into 50-relay
slices by estimated capacity.
2.
Bandwidth Authorities (BWAuths)
time fetching test files through
pairs of relay in each slice.
3.
Relays given capacities by
multiplying self-reported bandwidth
by test speed divided by average
speed.
15
T
o
r
F
l
o
w
D
e
s
i
g
n
1.
Relays are divided into 50-relay
slices by estimated capacity.
2.
Bandwidth Authorities (BWAuths)
time fetching test files through
pairs of relay in each slice.
3.
Relays given capacities by
multiplying self-reported bandwidth
by test speed divided by average
speed.
A
t
t
a
c
k
s
1.
Self-reported bandwidth can be set
arbitrarily high.
2.
Relays can recognize test
downloads and relay data only in
those cases
3.
Malicious pairs need not actually
download the file (no validation).
16
T
o
r
F
l
o
w
D
e
s
i
g
n
1.
Relays are divided into 50-relay
slices by estimated capacity.
2.
Bandwidth Authorities (BWAuths)
time fetching test files through
pairs of relay in each slice.
3.
Relays given capacities by
multiplying self-reported bandwidth
by test speed divided by average
speed.
A
t
t
a
c
k
s
1.
Self-reported bandwidth can be set
arbitrarily high.
2.
Relays can recognize test
downloads and relay data only in
those cases
3.
Malicious pairs need not actually
download the file (no validation).
Shadow experiments w/ #1:
- Goodput: 22.5
0.2
- Weight: 7
11
17
E
i
g
e
n
S
p
e
e
d
D
e
s
i
g
n
1.
Relays periodically send max speed
of other relays to a BWAuth.
2.
Aggregator calculates capacities as
eigenvector of largest connected
component with
trusted
relays.
3.
Exclude as “liars” relays w/ reports
1.
Changing too quickly during
computation, or
2.
Too different from eigenvector
(Snader and Borisov, IPTPS 2009)
T=
Normalize T: T’
Output v
*
: v
*
T’=λT’, λ≥1
18
E
i
g
e
n
S
p
e
e
d
D
e
s
i
g
n
1.
Relays periodically send max speed
of other relays to a BWAuth.
2.
Aggregator calculates capacities as
eigenvector of largest connected
component with
trusted
relays.
3.
Exclude as “liars” relays w/ reports
1.
Changing too quickly during
computation, or
2.
Too different from eigenvector
(Snader and Borisov, IPTPS 2009)
F
a
t
-
p
i
p
e
a
t
t
a
c
k
:
L
a
r
g
e
f
a
l
s
e
s
p
e
e
d
s
a
m
o
n
g
m
a
l
i
c
i
o
u
s
r
e
l
a
y
s
,
s
m
a
l
l
e
l
s
e
w
h
e
r
e
.
E
i
g
e
n
S
p
e
e
d
’
s
l
i
a
r
d
e
t
e
c
t
i
o
n
i
s
d
e
s
i
g
n
e
d
t
o
p
r
e
v
e
n
t
t
h
i
s
.
19
E
i
g
e
n
S
p
e
e
d
D
e
s
i
g
n
1.
Relays periodically send max speed
of other relays to a BWAuth.
2.
Aggregator calculates capacities as
eigenvector of largest connected
component with
trusted
relays.
3.
Exclude as “liars” relays w/ reports
1.
Changing too quickly during
computation, or
2.
Too different from eigenvector
A
t
t
a
c
k
1.
“Frame” some honest non-trusted
relays under liar metric #1 with avg
speeds with all but framed relays.
(Snader and Borisov, IPTPS 2009)
F
r
a
m
i
n
g
a
t
t
a
c
k
:
W
i
t
h
1
1
1
8
t
r
u
s
t
e
d
r
e
l
a
y
s
a
n
d
2
.
8
3
%
m
a
l
i
c
i
o
u
s
B
W
,
a
n
d
5
5
8
m
a
l
i
c
i
o
u
s
r
e
l
a
y
s
,
5
5
9
o
f
5
0
0
0
h
o
n
e
s
t
r
e
l
a
y
s
a
r
e
f
r
a
m
e
d
.
20
O
v
e
r
v
i
e
w
•
Problem: Secure load-balancing in Tor
•
Existing Solutions
•
TorFlow
•
EigenSpeed
•
New Solution: PeerFlow
•
Prove security against bandwidth-limited adversary
•
Experiments show similar performance to TorFlow
Demonstrate attacks
21
P
e
e
r
F
l
o
w
:
D
e
s
i
g
n
22
22
U.S. Naval Research Laboratory
P
e
e
r
F
l
o
w
:
D
e
s
i
g
n
1.
Measuring relays
(largest by
capacity)
record total bytes
transferred with all other relays.
ρ
1
ρ
2
ρ
3
23
23
U.S. Naval Research Laboratory
P
e
e
r
F
l
o
w
:
D
e
s
i
g
n
1.
Measuring relays
(largest by
capacity)
record total bytes
transferred with all other relays
2.
Measurements added to random
noise and divided by position
probabilities. Result (
ρ
i
) submitted
to BW Authorities (BWAuths).
ρ
1
ρ
2
ρ
3
24
24
U.S. Naval Research Laboratory
P
e
e
r
F
l
o
w
:
D
e
s
i
g
n
1.
Measuring relays
(largest by
capacity)
record total bytes
transferred with all other relays
2.
Measurements added to random
noise and divided by position
probabilities. Result (
ρ
i
) submitted
to BW Authorities (BWAuths).
3.
BWAuths estimate the total bytes
relayed
ρ’
as the windowed,
trimmed mean, trimming fractions
by current capacity and windowing
from trusted measurements.
0
1
Measuring relay weights
0.258
0.742
Measured
capacities
ρ
1
ρ
2
ρ
3
25
25
U.S. Naval Research Laboratory
P
e
e
r
F
l
o
w
:
D
e
s
i
g
n
1.
Measuring relays
(largest by
capacity)
record total bytes
transferred with all other relays
2.
Measurements added to random
noise and divided by position
probabilities. Result (
ρ
i
) submitted
to BW Authorities (BWAuths).
3.
BWAuths estimate the total bytes
relayed
ρ’
as the windowed,
trimmed mean, trimming fractions
by current capacity and windowing
from trusted measurements.
0
1
Measuring relay weights
0.258
0.742
Measured
capacities
ρ’
ρ
1
ρ
2
ρ
3
26
26
U.S. Naval Research Laboratory
P
e
e
r
F
l
o
w
:
D
e
s
i
g
n
1.
Measuring relays
(largest by
capacity)
record total bytes
transferred with all other relays
2.
Measurements added to random
noise and divided by position
probabilities. Result (
ρ
i
) submitted
to BW Authorities (BWAuths).
3.
BWAuths estimate the total bytes
relayed
ρ’
as the windowed,
trimmed mean, trimming fractions
by current capacity and windowing
from trusted measurements.
4.
If
ρ’
is comparable to that of peers,
capacity updated using
ρ’
, else
relay enters probation.
0
1
Measuring relay weights
0.258
0.742
Measured
capacities
ρ’
ρ
1
ρ
2
ρ
3
27
27
U.S. Naval Research Laboratory
P
e
e
r
F
l
o
w
:
D
e
s
i
g
n
1.
Measuring relays
(largest by
capacity)
record total bytes
transferred with all other relays
2.
Measurements added to random
noise and divided by position
probabilities. Result (
ρ
i
) submitted
to BW Authorities (BWAuths).
3.
BWAuths estimate the total bytes
relayed
ρ’
as the windowed,
trimmed mean, trimming fractions
by current capacity and windowing
from trusted measurements.
4.
If
ρ’
is comparable to that of peers,
capacity updated using
ρ’
, else
relay enters probation.
5.
New relays only selected for
middle position
0
1
Measuring relay weights
0.258
0.742
Measured
capacities
ρ
1
ρ
2
ρ
3
ρ’
28
28
U.S. Naval Research Laboratory
P
e
e
r
F
l
o
w
:
S
e
c
u
r
i
t
y
Single-round capacity inflation
Multiple-round capacity inflation
P
r
e
s
e
n
t
a
t
i
o
n
T
i
t
l
e
|
29
29
U.S. Naval Research Laboratory
P
e
e
r
F
l
o
w
:
P
e
r
f
o
r
m
a
n
c
e
Shadow experiments comparing PeerFlow, TorFlow, and Ideal
•
4 Tor directory authorities
•
498 Tor relays
•
7,500 Tor clients
•
1,000 servers
Aggregate relay goodput per second
Time to last byte of 320KiB file
30
C
o
n
c
l
u
s
i
o
n
1.
Tor needs secure load balancing
2.
Demonstrated attacks on existing solutions
•
TorFlow
•
EigenSpeed
3.
Presented PeerFlow
•
Demonstrated secure against bandwidth-limited
adversary
•
Experimentally showed performance is similar to
current Tor performance
31
B
a
c
k
u
p
s
l
i
d
e
s
32
P
r
o
b
l
e
m
How can a small malicious relay attack many clients
?
33
P
r
o
b
l
e
m
How can a small malicious relay attack many clients
?
34
P
r
o
b
l
e
m
How can a small malicious relay attack many clients
?
35
P
r
o
b
l
e
m
How can a small malicious relay attack many clients
?
•
Each client need be attacked only once.
•
Attack traffic speed can be sent at the adversary’s desired speed.
•
TCP congestion windows can slow incoming traffic.
36
36
U.S. Naval Research Laboratory
P
r
o
b
l
e
m
The threat is real: attacks have failed due to low weight.
37
E
i
g
e
n
S
p
e
e
d
D
e
s
i
g
n
1.
Relays periodically send max speed
of other relays to a BWAuth.
2.
Aggregator calculates capacities as
eigenvector of largest connected
component with
trusted
relays.
3.
Exclude as “liars” relays w/ reports
1.
Changing too quickly during
computation, or
2.
Too different from eigenvector
A
t
t
a
c
k
s
1.
“Frame” some honest non-trusted
relays under liar metric #1 with avg
speeds with all but framed relays.
2.
Inflate capacity with normal speeds
with trusted and lies with malicious.
(Snader and Borisov, IPTPS 2009)
T
a
r
g
e
t
e
d
l
i
e
a
t
t
a
c
k
:
W
i
t
h
1
1
1
8
t
r
u
s
t
e
d
r
e
l
a
y
s
,
3
.
7
0
%
m
a
l
i
c
i
o
u
s
B
W
,
a
n
d
1
1
1
7
m
a
l
i
c
i
o
u
s
r
e
l
a
y
s
,
a
d
v
e
r
s
a
r
y
a
c
h
i
e
v
e
s
7
9
.
5
%
o
f
c
a
p
a
c
i
t
y
.
Updated data analysis for poverty and hunger in 2020, including statistics on domestic US poverty, income thresholds, official poverty rates, poverty by race, and food security. Explore key findings and trends from reputable sources.
Download Presentation
Please find below an Image/Link to download the presentation.
The content on the website is provided AS IS for your information and personal use only. It may not be sold, licensed, or shared on other websites without obtaining consent from the author.If you encounter any issues during the download, it is possible that the publisher has removed the file from their server.
You are allowed to download the files provided on this website for personal or commercial use, subject to the condition that they are used lawfully. All files are the property of their respective owners.
The content on the website is provided AS IS for your information and personal use only. It may not be sold, licensed, or shared on other websites without obtaining consent from the author.
E N D
Presentation Transcript
PeerFlow: Secure Load Balancing in Tor Aaron Johnson1Rob Jansen1Aaron Segal2 Nicholas Hopper3Paul Syverson1 1U.S. Naval Research Laboratory 2Yale University 3University of Minnesota July 18th, 2017 Privacy Enhancing Technologies Symposiu
Overview Problem:Secure load-balancing in Tor Existing Solutions TorFlow EigenSpeed New Solution: PeerFlow Prove security against bandwidth-limited adversary Experiments show similar performance to TorFlow Demonstrate attacks 2
Overview Problem:Secure load-balancing in Tor Existing Solutions TorFlow EigenSpeed New Solution: PeerFlow Prove security against bandwidth-limited adversary Experiments show similar performance to TorFlow Demonstrate attacks 3
Problem Exits Guards Clients Relays Destinations 4
Problem Exits Guards Clients Relays Destinations Tor relays have varying unknown capacities 5
Problem Exits Guards Clients Relays Destinations Tor relays have varying unknown capacities Clients must balance load 6
Problem Exits Guards Clients Relays Destinations Tor relays have varying unknown capacities Clients must balance load Insecure load balancing allows adversary to attack more client traffic 7
Problem Exits Guards Clients Relays Destinations Tor relays have varying unknown capacities Clients must balance load Insecure load balancing allows adversary to attack more client traffic 8
Problem Exits Guards Clients Relays Destinations Tor relays have varying unknown capacities Clients must balance load Insecure load balancing allows adversary to attack more client traffic 9
Problem Exits Guards Clients Relays Destinations Tor relays have varying unknown capacities Clients must balance load Insecure load balancing allows adversary to attack more client traffic 10
Problem The threat is real: relay falsely advertise bandwidth. U.S. Naval Research Laboratory 11
Overview Problem:Secure load-balancing in Tor Existing Solutions TorFlow EigenSpeed New Solution: PeerFlow Prove security against bandwidth-limited adversary Experiments show similar performance to TorFlow Demonstrate attacks 12
Overview Problem:Secure load-balancing in Tor Existing Solutions TorFlow EigenSpeed New Solution: PeerFlow Prove security against bandwidth-limited adversary Experiments show similar performance to TorFlow Demonstrate attacks 13
TorFlow Design 1. Relays are divided into 50-relay slices by estimated capacity. 2. Bandwidth Authorities (BWAuths) time fetching test files through pairs of relay in each slice. 3. Relays given capacities by multiplying self-reported bandwidth by test speed divided by average speed. 14
TorFlow Design 1. Relays are divided into 50-relay slices by estimated capacity. 2. Bandwidth Authorities (BWAuths) time fetching test files through pairs of relay in each slice. 3. Relays given capacities by multiplying self-reported bandwidth by test speed divided by average speed. Attacks 1. Self-reported bandwidth can be set arbitrarily high. 2. Relays can recognize test downloads and relay data only in those cases 3. Malicious pairs need not actually download the file (no validation). 15
TorFlow Design 1. Relays are divided into 50-relay slices by estimated capacity. 2. Bandwidth Authorities (BWAuths) time fetching test files through pairs of relay in each slice. 3. Relays given capacities by multiplying self-reported bandwidth by test speed divided by average speed. Attacks 1. Self-reported bandwidth can be set arbitrarily high. 2. Relays can recognize test downloads and relay data only in those cases 3. Malicious pairs need not actually download the file (no validation). Shadow experiments w/ #1: - Goodput: 22.5 0.2 - Weight: 7 11 16
EigenSpeed (Snader and Borisov, IPTPS 2009) Design 1. Relays periodically send max speed of other relays to a BWAuth. 2. Aggregator calculates capacities as eigenvector of largest connected component with trusted relays. 3. Exclude as liars relays w/ reports 1. Changing too quickly during computation, or 2. Too different from eigenvector 0 s12 s13 s14 s21 0 s23 s24 T= s31 s32 0 s34 s41 s42 s43 0 Normalize T: T Output v*: v*T = T , 1 17
EigenSpeed (Snader and Borisov, IPTPS 2009) Design 1. Relays periodically send max speed of other relays to a BWAuth. 2. Aggregator calculates capacities as eigenvector of largest connected component with trusted relays. 3. Exclude as liars relays w/ reports 1. Changing too quickly during computation, or 2. Too different from eigenvector Fat-pipe attack: Large false speeds among malicious relays, small elsewhere. EigenSpeed s liar detection is designed to prevent this. 18
EigenSpeed (Snader and Borisov, IPTPS 2009) Design 1. Relays periodically send max speed of other relays to a BWAuth. 2. Aggregator calculates capacities as eigenvector of largest connected component with trusted relays. 3. Exclude as liars relays w/ reports 1. Changing too quickly during computation, or 2. Too different from eigenvector Attack 1. Frame some honest non-trusted relays under liar metric #1 with avg speeds with all but framed relays. Framing attack: With 1118 trusted relays and 2.83% malicious BW, and 558 malicious relays, 559 of 5000 honest relays are framed. 19
Overview Problem: Secure load-balancing in Tor Existing Solutions TorFlow EigenSpeed New Solution: PeerFlow Prove security against bandwidth-limited adversary Experiments show similar performance to TorFlow Demonstrate attacks 20
PeerFlow: Design 1. Measuring relays (largest by capacity)record total bytes transferred with all other relays. 2 1 3 U.S. Naval Research Laboratory 22
PeerFlow: Design 1. Measuring relays (largest by capacity)record total bytes transferred with all other relays 2. Measurements added to random noise and divided by position probabilities. Result ( i) submitted to BW Authorities (BWAuths). 2 1 3 U.S. Naval Research Laboratory 23
PeerFlow: Design 1. Measuring relays (largest by capacity)record total bytes transferred with all other relays 2. Measurements added to random noise and divided by position probabilities. Result ( i) submitted to BW Authorities (BWAuths). 3. BWAuths estimate the total bytes relayed as the windowed, trimmed mean, trimming fractions by current capacity and windowing from trusted measurements. 2 1 3 Measured capacities 0 1 0.258 0.742 U.S. Naval Research Laboratory 24 Measuring relay weights
PeerFlow: Design 1. Measuring relays (largest by capacity)record total bytes transferred with all other relays 2. Measurements added to random noise and divided by position probabilities. Result ( i) submitted to BW Authorities (BWAuths). 3. BWAuths estimate the total bytes relayed as the windowed, trimmed mean, trimming fractions by current capacity and windowing from trusted measurements. 2 1 3 Measured capacities 0 1 0.258 0.742 U.S. Naval Research Laboratory 25 Measuring relay weights
PeerFlow: Design 1. Measuring relays (largest by capacity)record total bytes transferred with all other relays 2. Measurements added to random noise and divided by position probabilities. Result ( i) submitted to BW Authorities (BWAuths). 3. BWAuths estimate the total bytes relayed as the windowed, trimmed mean, trimming fractions by current capacity and windowing from trusted measurements. 4. If is comparable to that of peers, capacity updated using , else relay enters probation. 2 1 3 Measured capacities 0 1 0.258 0.742 U.S. Naval Research Laboratory 26 Measuring relay weights
PeerFlow: Design 1. Measuring relays (largest by capacity)record total bytes transferred with all other relays 2. Measurements added to random noise and divided by position probabilities. Result ( i) submitted to BW Authorities (BWAuths). 3. BWAuths estimate the total bytes relayed as the windowed, trimmed mean, trimming fractions by current capacity and windowing from trusted measurements. 4. If is comparable to that of peers, capacity updated using , else relay enters probation. 5. New relays only selected for 2 1 3 Measured capacities 0 1 0.258 0.742 U.S. Naval Research Laboratory middle position 27 Measuring relay weights
PeerFlow: Security Attack Only carry traffic in one direction Only exchange traffic with measuring relays Do not exchange traffic with the lower trimmed fraction of relays Weight multiple 2 1.33 1.34 Single-round capacity inflation Multiple-round capacity inflation U.S. Naval Research Laboratory 28
PeerFlow: Performance Shadow experiments comparing PeerFlow, TorFlow, and Ideal 4 Tor directory authorities 498 Tor relays 7,500 Tor clients 1,000 servers Time to last byte of 320KiB file Aggregate relay goodput per second U.S. Naval Research Laboratory Presentation Title | 29
Conclusion 1. Tor needs secure load balancing 2. Demonstrated attacks on existing solutions TorFlow EigenSpeed 3. Presented PeerFlow Demonstrated secure against bandwidth-limited adversary Experimentally showed performance is similar to current Tor performance 30
Problem How can a small malicious relay attack many clients? 32
Problem How can a small malicious relay attack many clients? 33
Problem How can a small malicious relay attack many clients? 34
Problem How can a small malicious relay attack many clients? Each client need be attacked only once. Attack traffic speed can be sent at the adversary s desired speed. TCP congestion windows can slow incoming traffic. 35
Problem The threat is real: attacks have failed due to low weight. U.S. Naval Research Laboratory 36
EigenSpeed (Snader and Borisov, IPTPS 2009) Design 1. Relays periodically send max speed of other relays to a BWAuth. 2. Aggregator calculates capacities as eigenvector of largest connected component with trusted relays. 3. Exclude as liars relays w/ reports 1. Changing too quickly during computation, or 2. Too different from eigenvector Attacks 1. Frame some honest non-trusted relays under liar metric #1 with avg speeds with all but framed relays. 2. Inflate capacity with normal speeds with trusted and lies with malicious. Targeted lie attack: With 1118 trusted relays, 3.70% malicious BW, and 1117 malicious relays, adversary achieves 79.5% of capacity. 37
