first cut of the new, shiny...
Andrew Lewman authored 13 years ago
|
76) If one or more of these ideas looks promising to you, please <a
77) href="<page about/contact>">contact us</a> to discuss your plans rather than
78) sending blind applications. You may also want to propose your own project
79) idea — which often results in the best applications.
80) </p>
81)
82) <ol>
83)
84) <li>
85) <b>Tor Browser Bundle for Mac OS X</b>
86) <br />
87) Priority: <i>High</i>
88) <br />
89) Effort Level: <i>High</i>
90) <br />
91) Skill Level: <i>Medium</i>
92) <br />
93) Likely Mentors: <i>Steven, Erinn, Jacob, Andrew</i>
94) <br />
95) The Tor Browser Bundle incorporates Tor, Firefox, Polipo, and the Vidalia
96) user interface (and optionally the <a href="http://pidgin.im/">Pidgin</a>
97) Instant Messaging client). Components are pre-configured to operate in a
98) secure way, and it has very few dependencies on the installed operating
99) system. It has therefore become one of the most easy to use, and popular,
100) ways to use Tor on Windows.
101) <br />
102) However, there is currently no released package for Mac OS X, so this project
103) would be to implement Tor Browser Bundle for OS X. This will involve
104) modifications to Vidalia (C++), possibly Firefox (C) then creating and testing
105) the launcher on a range of operating system versions and configurations to
106) verify portability. Some work on this was completed as part of the Google
107) Summer of Code 2009. Another part of this project is to identify all of the
108) traces left behind by using a Tor Browser Bundle on Mac OS X or Linux.
109) Developing ways to stop, counter, or remove these traces is a final step.
110) <br />
111) Students should be familiar with application development on one or
112) preferably both of Linux and Mac OS X, and be comfortable with C/C++
113) and shell scripting.
114) <br />
115) Part of this project could be usability testing of Tor Browser Bundle,
116) ideally amongst our target demographic. That would help a lot in knowing
117) what needs to be done in terms of bug fixes or new features. We get this
118) informally at the moment, but a more structured process would be better.
119) <br />
120) A beta version of the Tor Browser Bundle has been released for GNU/Linux, but
121) work is still required for the Tor IM Browser bundle. Work is currently being
122) done on the Mac OS X version as well. If you would like to help extend or do
123) security auditing for either (or both) of these, please contact Erinn.
124) </li>
125)
126) <li>
127) <b>Help track the overall Tor Network status</b>
128) <br />
129) Priority: <i>Medium to High</i>
130) <br />
131) Effort Level: <i>Medium</i>
132) <br />
133) Skill Level: <i>Medium</i>
134) <br />
135) Likely Mentors: <i>Karsten, Roger</i>
136) <br />
137) It would be great to set up an automated system for tracking network
138) health over time, graphing it, etc. Part of this project would involve
139) inventing better metrics for assessing network health and growth. Is the
140) average uptime of the network increasing? How many relays are qualifying
141) for Guard status this month compared to last month? What's the turnover
142) in terms of new relays showing up and relays shutting off? Periodically
143) people collect brief snapshots, but where it gets really interesting is
144) when we start tracking data points over time.
145) <br />
146) Data could be collected from the Tor Network Scanners in <a
147) href="https://svn.torproject.org/svn/torflow/trunk/README">TorFlow</a>, from
148) the server descriptors that each relay publishes, and from other
149) sources. Results over time could be integrated into one of the <a
150) href="https://torstatus.blutmagie.de/">Tor Status</a> web pages, or be
151) kept separate. Speaking of the Tor Status pages, take a look at Roger's
152) <a href="http://archives.seul.org/or/talk/Jan-2008/msg00300.html">Tor
153) Status wish list</a>.
154) </li>
155)
156) <li>
157) <b>Rewrite TorDNSEL, this time with a spec!</b>
158) <br />
159) Priority: <i>High</i>
160) <br />
161) Effort Level: <i>Medium</i>
162) <br />
163) Skill Level: <i>Medium</i>
164) <br />
165) Likely Mentors: <i>Mike, Roger, Sebastian, Damian</i>
166) <br />
167) The <a href="<page projects/tordnsel>">Tor DNS Exit List</a> is an
168) unmaintained Haskell
169) program that serves three purposes. First, it provides an rbl-style DNS
170) interface for people to look up whether a given IP address is (or has
171) recently been) a Tor exit relay. Second, it actively builds circuits over
172) the Tor network and connects back to itself, to learn the actual exit
173) IP address of each relay — some Tor relays exit from a different
174) address than they advertise in their descriptor. Third, it exports a <a
175) href="http://exitlist.torproject.org/exitAddresses">set of conclusions</a>
176) so that <a href="https://check.torproject.org/">check.torproject.org</a>
177) can guess for you whether your browser is configured to point to Tor.
178) <br />
179) This project would make use of <a
180) href="https://svn.torproject.org/svn/torflow/trunk/README">TorFlow</a>,
181) a set of Python scripts to interact with Tor,
182) to figure out how our Tor Exit Checker should actually work, and then
183) build it — probably in Python since Torflow is in Python. The main
184) goal is to reduce false positives as much as possible, by making sure
185) that it learns about new relays as soon as possible, making sure that
186) the testing phase concludes quickly, and making sure the answers get
187) passed to the Check script quickly. As a bonus, we should standardize
188) (specify) the format of the exitAddresses file, and rewrite the <a
189) href="https://svn.torproject.org/svn/check/trunk/cgi-bin/TorBulkExitList.py">Tor
190) Bulk Exit List</a> script to use that file rather than its current <a
191) href="https://bugs.torproject.org/flyspray/index.php?do=details&id=1019">horrible
192) DNS hacks</a>. As an extra bonus, we should work with Freenode, OFTC,
193) and/or other IRC networks to make sure that the scripts we offer are
194) actually the scripts they want, in terms of accurately identifying which
195) of their users are coming from the Tor network.
196) <br />
197) You can fetch the <a href="git://git.torproject.org/git/tordnsel">latest
198) tordnsel</a> via git.
199) </li>
200)
201) <li>
202) <b>Improving Tor's ability to resist censorship</b>
203) <br />
204) Priority: <i>Medium to High</i>
205) <br />
206) Effort Level: <i>Medium to High</i>
207) <br />
208) Skill Level: <i>High</i>
209) <br />
210) Likely Mentors: <i>Roger, Nick, Steven</i>
211) <br />
212) The Tor 0.2.1.x series makes <a
213) href="<svnprojects>design-paper/blocking.html">significant
214) improvements</a> in resisting national and organizational censorship.
215) But Tor still needs better mechanisms for some parts of its
216) anti-censorship design.
217) <br />
218) One huge category of work is adding features to our <a
219) href="http://gitweb.torproject.org//bridgedb.git?a=tree">bridgedb</a>
220) service (Python). Tor aims to give out <a href="<page docs/bridges>">bridge
221) relay addresses</a> to users that can't reach the Tor network
222) directly, but there's an arms race between algorithms for distributing
223) addresses and algorithms for gathering and blocking them. See <a
|
|
first cut of the new, shiny...
Andrew Lewman authored 13 years ago
|
225) blog post on the topic</a> as an overview, and then look at <a
226) href="http://archives.seul.org/or/dev/Dec-2009/msg00000.html">Roger's
227) or-dev post</a> from December for more recent thoughts — lots of
228) design work remains.
229) <br />
230) If you want to get more into the guts of Tor itself (C), a more minor problem
231) we should address is that current Tors can only listen on a single
232) address/port combination at a time. There's
233) <a href="<gitblob>doc/spec/proposals/118-multiple-orports.txt">a
234) proposal to address this limitation</a> and allow clients to connect
235) to any given Tor on multiple addresses and ports, but it needs more
236) work.
237) <br />
238) This project could involve a lot of research and design. One of the big
239) challenges will be identifying and crafting approaches that can still
240) resist an adversary even after the adversary knows the design, and
241) then trading off censorship resistance with usability and robustness.
242) </li>
243)
244) <!--<li>
245) <b>Tuneup Tor!</b>
246) <br />
247) Priority: <i>Medium to High</i>
248) <br />
249) Effort Level: <i>Medium to High</i>
250) <br />
251) Skill Level: <i>High</i>
252) <br />
253) Likely Mentors: <i>Nick, Roger, Mike, Karsten</i>
254) <br />
255) Right now, Tor relays measure and report their own bandwidth, and Tor
256) clients choose which relays to use in part based on that bandwidth.
257) This approach is vulnerable to
258) <a href="http://freehaven.net/anonbib/#bauer:wpes2007">attacks where
259) relays lie about their bandwidth</a>;
260) to address this, Tor currently caps the maximum bandwidth
261) it's willing to believe any relay provides. This is a limited fix, and
262) a waste of bandwidth capacity to boot. Instead,
263) Tor should possibly measure bandwidth in a more distributed way, perhaps
264) as described in the
265) <a href="http://freehaven.net/anonbib/author.html#snader08">"A Tune-up for
266) Tor"</a> paper
267) by Snader and Borisov. One could use current testing code to
268) double-check this paper's findings and verify the extent to which they
269) dovetail with Tor as deployed in the wild, and determine good ways to
270) incorporate them into their suggestions Tor network without adding too
271) much communications overhead between relays and directory
272) authorities.
273) </li>-->
274)
275) <li>
276) <b>Improving Polipo on Windows</b>
277) <br />
278) Priority: <i>Medium to High</i>
279) <br />
280) Effort Level: <i>Medium</i>
281) <br />
282) Skill Level: <i>Medium</i>
283) <br />
284) Likely Mentors: <i>Chris</i>
285) <br />
286) Help port <a
287) href="http://www.pps.jussieu.fr/~jch/software/polipo/">Polipo</a> to
288) Windows. Example topics to tackle include:
289) <ol><li> the ability to asynchronously query name servers, find the
290) system nameservers, and manage netbios and dns queries.</li>
291) <li> manage events and buffers natively (i.e. in Unix-like OSes,
292) Polipo defaults to 25% of ram, in Windows it's whatever the config
293) specifies).</li>
294) <li> some sort of GUI config and reporting tool, bonus if it has a
295) systray icon with right clickable menu options. Double bonus if it's
296) cross-platform compatible.</li>
297) <li> allow the software to use the Windows Registry and handle proper
298) Windows directory locations, such as "C:\Program Files\Polipo"</li>
299) </ol>
300) </li>
301)
302) <li>
303) <b>Tor Controller Status Event Interface for Vidalia</b>
304) <br />
305) Priority: <i>Medium</i>
306) <br />
307) Effort Level: <i>Medium</i>
308) <br />
309) Skill Level: <i>Low to Medium</i>
310) <br />
311) Likely Mentors: <i>Matt</i>
312) <br />
313) There are a number of status changes inside Tor of which the user may need
314) to be informed. For example, if the user is trying to set up his Tor as a
315) relay and Tor decides that its ports are not reachable from outside
316) the user's network, we should alert the user. Currently, all the user
317) gets is a couple log messages in Vidalia's 'message log' window, which they
318) likely never see since they don't receive a notification that something
319) has gone wrong. Even if the user does actually look at the message log,
320) most of the messages make little sense to the novice user.
321) <br />
322) Tor has the ability to inform Vidalia of many such status changes, and
323) we recently implemented support for a couple of these events. Still,
324) there are many more status events the user should be informed of and we
325) need a better UI for actually displaying them to the user.
326) <br />
327) The goal of this project then is to design and implement a UI for
328) displaying Tor status events to the user. For example, we might put a
329) little badge on Vidalia's tray icon that alerts the user to new status
330) events they should look at. Double-clicking the icon could bring up a
331) dialog that summarizes recent status events in simple terms and maybe
332) suggests a remedy for any negative events if they can be corrected by
333) the user. Of course, this is just an example and one is free to
334) suggest another approach.
335) <br />
336) A person undertaking this project should have good UI design and layout
337) and some C++ development experience. Previous experience with Qt and
338) Qt's Designer will be very helpful, but are not required. Some
339) English writing ability will also be useful, since this project will
340) likely involve writing small amounts of help documentation that should
341) be understandable by non-technical users. Bonus points for some graphic
342) design/Photoshop fu, since we might want/need some shiny new icons too.
343) </li>
344)
345) <li>
346) <b>Improve our unit testing process</b>
347) <br />
348) Priority: <i>Medium</i>
349) <br />
350) Effort Level: <i>Medium</i>
351) <br />
352) Skill Level: <i>Medium</i>
353) <br />
354) Likely Mentors: <i>Nick, Erinn</i>
355) <br />
356) Tor needs to be far more tested. This is a multi-part effort. To start
357) with, our unit test coverage should rise substantially, especially in
358) the areas outside the utility functions. This will require significant
359) refactoring of some parts of Tor, in order to dissociate as much logic
360) as possible from globals.
361) <br />
362) Additionally, we need to automate our performance testing. We've got
363) buildbot to automate our regular integration and compile testing already
364) (though we need somebody to set it up on Windows),
365) but we need to get our network simulation tests (as built in <a
366) href="https://svn.torproject.org/svn/torflow/trunk/README">TorFlow</a>)
367) updated for more recent versions of Tor, and designed to launch a test
368) network either on a single machine, or across several, so we can test
369) changes in performance on machines in different roles automatically.
370) </li>
371)
372) <li>
373) <b>Help with independent Tor client implementations</b>
374) <br />
375) Priority: <i>Medium</i>
376) <br />
377) Effort Level: <i>High</i>
378) <br />
379) Skill Level: <i>Medium to High</i>
380) <br />
381) Likely Mentors: <i>Bruce, Nathan</i>
382) <br />
383) Others are currently working on Tor clients for Java, Android, and Maemo
384) environments. The first step is to get a handle on the current state of
385) the project in which you are interested in helping; <a
386) href="http://github.com/brl/JTor">Tor for Java</a>,
387) <a href="https://svn.torproject.org/svn/projects/android/trunk/">Android/Orbot</a>
388) , or <a href="<page docs/N900>">Tor for Maemo</a>. Check out the
389) repository and familiarize yourself
390) with the source code. Further, support for requesting or even providing
391) Tor hidden services would be neat, but not required.
392) <br />
393) A prospective developer should be able to understand and write new Java
394) code, including a Java cryptography API. Being able to read C code would be helpful,
395) too. One should be willing to read the existing documentation,
396) implement code based on it, and refine the documentation
397) when things are underdocumented. This project is mostly about coding and
398) to a small degree about design.
399) </li>
400) <li>
401) <b>More on Orbot & Android OS-specific development</b>
402) <br/>
403) <br />
404) Priority: <i>Medium</i>
405) <br />
406) Effort Level: <i>High</i>
407) <br />
408) Skill Level: <i>Medium to High</i>
409) <br />
410) Likely Mentors: <i>Nathan</i>
411) <br />
412)
413) <b>Android Java UI work:</b> Improved home screen to show better statistics about data transferred (up/down), number of circuits connected, quality of connection and so on. The "Tether Wifi" Android application is a good model to follow in how it shows a realtime count of bytes transferred as well as notifications when wifi client connect. In addition, better display/handling of Tor system/error messages would also be very helpful. Finally, the addition of a wizard or tutorial walkthrough for novice users to explain to them exactly what or what is not anonymized or protected would greatly improve the likelihood they will use Orbot correctly.
414) <br/><br/>
415)
416) <b>Android Java OS/Core app work:</b> Better system-wide indicator either via the notification bar, "Toast" pop-up dialogs or some other indicator that an application's traffic is indeed moving through Orbot/Tor. For instance, right now you need to first go to a torcheck web service to ensure your browser is routing via Tor. Orbot should be able to notify you that circuits are being opened, used, etc. The aforementioned data transfer tracker might provide this type of awareness as well.
417)
418) <br/><br/>
419) <b>Android Java Library/Community Outreach work:</b> We need to package a simple library for use with third-party application to easily enable them to support "Torification" on non-root devices (aka w/o transparent proxying). This library should include a wrapper for the Apache HTTPClient library, a utility class for detecting the state of Orbot connectivity, and other relevant/useful things an Android app might need to anonymize itself. This work would include the creation of the library, documentation, and sample code. Outreach or effort to implement the library within other open-source apps would follow.
420)
421) <br/><br/>
422) <b>Android OS/C/Linux work:</b> The port of Tor to Android is basically a straight cross-compile to Linux ARM. There has been no work done in looking the optimization of Tor within a mobile hardware environment, on the ARM processor or other Android hardware, or on mobile networks. It should be noted, that even without optimization, Tor is handling the mobile network environment very well, automatically detecting change in IP addresses, reconnecting circuits, etc across switching from 2G to 3G to Wifi, and so forth.
423) </li>
424)
425) <!--<li>
426) <b>New Torbutton Features</b>
427) <br />
428) Priority: <i>Medium</i>
429) <br />
430) Effort Level: <i>High</i>
431) <br />
432) Skill Level: <i>High</i>
433) <br />
434) Likely Mentors: <i>Mike</i>
435) <br/>
436) There are several <a
437) href="https://bugs.torproject.org/flyspray/index.php?tasks=all&project=5&type=2">good
438) feature requests</a> on the Torbutton Flyspray section. In particular, <a
439) href="https://bugs.torproject.org/flyspray/index.php?do=details&id=523">Integrating
440) 'New Identity' with Vidalia</a>,
441) <a href="https://bugs.torproject.org/flyspray/index.php?do=details&id=940">ways of
442) managing multiple cookie jars/identities</a>, <a
443) href="https://bugs.torproject.org/flyspray/index.php?do=details&id=637">preserving
444) specific cookies</a> when cookies are cleared,
445) <a
446) href="https://bugs.torproject.org/flyspray/index.php?do=details&id=524">better
447) referrer spoofing</a>, <a
448) href="https://bugs.torproject.org/flyspray/index.php?do=details&id=564">correct
449) Tor status reporting</a>, and <a
450) href="https://bugs.torproject.org/flyspray/index.php?do=details&id=462">"tor://"
451) and "tors://" urls</a> are all interesting
452) features that could be added.
453) <br />
454) This work would be independent coding in Javascript and the fun world of <a
455) href="http://www.mozilla.org/keymaster/gatekeeper/there.is.only.xul">XUL</a>,
456) with not too much involvement in the Tor internals.
457) </li>-->
458)
459) <!-- <li>
460) <b>New Thandy Features</b>
461) <br />
462) Priority: <i>Medium</i>
463) <br />
464) Effort Level: <i>Medium</i>
465) <br />
466) Skill Level: <i>Medium to High</i>
467) <br />
468) Likely Mentors: <i>Martin</i>
469) <br />
470) Additional capabilities are needed for assisted updates of all the Tor
471) related software for Windows and other operating systems. Some of the
472) features to consider include:
473) <ol>
474) <li> Integration of the <a
475) href="http://chandlerproject.org/Projects/MeTooCrypto">MeTooCrypto
476) Python library</a>
477) for authenticated HTTPS downloads.</li>
478) <li> Adding a level of indirection
479) between the timestamp signatures and the package files included in an
480) update. See the "Thandy attacks / suggestions" thread on or-dev.</li>
481) <li> Support locale specific installation and configuration of assisted
482) updates based on preference, host, or user account language settings.
483) Familiarity with Windows codepages, unicode, and other character sets
484) is helpful in addition to general win32 and posix API experience and
485) Python proficiency.</li>
486) </ol>
487) </li> -->
488)
489) <li>
490) <b>Simulator for slow Internet connections</b>
491) <br />
492) Priority: <i>Medium</i>
493) <br />
494) Effort Level: <i>Medium</i>
495) <br />
496) Skill Level: <i>Medium</i>
497) <br />
498) Likely Mentors: <i>Steven</i>
499) <br />
500) Many users of Tor have poor-quality Internet connections, giving low
501) bandwidth, high latency, and high packet loss/re-ordering. User
502) experience is that Tor reacts badly to these conditions, but it is
503) difficult to improve the situation without being able to repeat the
504) problems in the lab.
505) <br />
506) This project would be to build a simulation environment which
507) replicates the poor connectivity so that the effect on Tor performance
508) can be measured. Other components would be a testing utility to
509) establish what are the properties of connections available, and to
510) measure the effect of performance-improving modifications to Tor.
511) <br />
512) The tools used would be up to the student, but dummynet (for FreeBSD)
513) and nistnet (for Linux) are two potential components on which this
514) project could be built. Students should be experienced with network
515) programming/debugging and TCP/IP, and preferably familiar with C and a
516) scripting language.
517) </li>
518)
519) <li>
520) <b>An Improved and More Usable Network Map in Vidalia</b>
521) <br />
522) Priority: <i>Low to Medium</i>
523) <br />
524) Effort Level: <i>Medium</i>
525) <br />
526) Skill Level: <i>Medium</i>
527) <br />
528) Likely Mentors: <i>Matt</i>
529) <br />
530) One of Vidalia's existing features is a network map that shows the user
531) the approximate geographic location of relays in the Tor network and
532) plots the paths the user's traffic takes as it is tunneled through the
533) Tor network. The map is currently not very interactive and has rather
534) poor graphics. Instead, we implemented KDE's Marble widget such
535) that it gives us a better quality map and enables improved interactivity,
536) such as allowing the user to click on individual relays or circuits to
537) display additional information. We want to add the ability
538) for users to click on a particular relay or a country containing one or
539) more Tor exit relays and say, "I want my connections to exit
540) from here."
541) <br />
542) This project will first involve getting familiar with Vidalia
543) and the Marble widget's API. One will then integrate the widget
544) into Vidalia and customize Marble to be better suited for our application,
545) such as making circuits clickable, storing cached map data in Vidalia's
546) own data directory, and customizing some of the widget's dialogs.
547) <br />
548) A person undertaking this project should have good C++ development
549) experience. Previous experience with Qt and CMake is helpful, but not
550) required.
551) </li>
552)
553) <li>
554) <b>Torbutton equivalent for Thunderbird</b>
555) <br />
556) Priority: <i>Medium</i>
557) <br />
558) Effort Level: <i>High</i>
559) <br />
560) Skill Level: <i>High</i>
561) <br />
562) Likely Mentors: <i>Mike</i>
563) <br />
564) We're hearing from an increasing number of users that they want to use
565) Thunderbird with Tor. However, there are plenty of application-level
566) concerns, for example, by default Thunderbird will put your hostname in
567) the outgoing mail that it sends. At some point we should start a new
568) push to build a Thunderbird extension similar to Torbutton.
569) </li>
570)
571) <!--<li>
572) <b>Intermediate Level Network Device Driver</b>
573) <br />
574) Priority: <i>Low</i>
575) <br />
576) Effort Level: <i>High</i>
577) <br />
578) Skill Level: <i>High</i>
579) <br />
580) Likely Mentors: <i>Martin</i>
581) <br />
582) The WinPCAP device driver used by Tor VM for bridged networking does
583) not support a number of wireless and non-Ethernet network adapters.
584) Implementation of a intermediate level network device driver for win32
585) and 64bit would provide a way to intercept and route traffic over such
586) networks. This project will require knowledge of and experience with
587) Windows kernel device driver development and testing. Familiarity with
588) Winsock and Qemu would also be helpful.
589) </li>-->
590)
591) <li>
592) <b>Improve Tor Weather</b>
593) <br />
594) Priority: <i>Medium</i>
595) <br />
596) Effort Level: <i>Medium</i>
597) <br />
598) Skill Level: <i>Medium</i>
599) <br />
600) Likely Mentors: <i>Christian, Roger, Damian</i>
601) <br />
602) <a href="https://weather.torproject.org/">Tor weather</a> is a tool
603) that allows signing up to receive notifications via email when the
604) tracked Tor relay is down. Currently, it isn't really useful for
605) people who use the hibernation feature of Tor, or for those who
606) have to shut down their relay regularly. During the project, Tor
607) weather could be extended to allow more flexible configurations.
608) Other enhancements are also possible: Weather could send out warnings
609) when your relay runs an out-of-date version of Tor, or when its
610) observed bandwith drops below a certain value. It might also be a
611) nice tool that allows for checking whether your relay has earned
612) you a <a href="<page getinvolved/tshirt>">T-Shirt</a>, or sending reminders to
613) directory authorities that
614) their keys are about to expire. Be creative, and consider how the
615) above project to track overall network status can help you get your job
616) done more quickly! See also its
617) <a href="https://svn.torproject.org/svn/weather/trunk/README">README</a>
618) and <a href="https://svn.torproject.org/svn/weather/trunk/TODO">TODO</a>.
619) </li>
620)
621) <li>
622) <b>Improvements for Tor+Vidalia interaction on Linux/Unix platforms</b>
623) <br />
624) Priority: <i>Medium</i>
625) <br />
626) Effort Level: <i>Medium</i>
627) <br />
628) Skill Level: <i>Medium</i>
629) <br />
630) Likely Mentors: <i>Erinn, Peter</i>
631) <br />
632) Vidalia currently doesn't play nicely with Tor on Linux and Unix platforms.
633) Currently, on Debian and Ubuntu, there is a configuration mechanism which
634) allows Vidalia to override Tor's ability to start on boot (by sourcing
635) <code>/etc/default/tor.vidalia</code> which sets <code>RUN_DAEMON=no</code> at the user's
636) request), but full implementation of <a href="<gitblob>doc/spec/control-spec.txt">ControlPort</a>
637) communication is still required.
638) <br />
639) A better solution on Linux and Unix platforms would be to use Tor's
640) ControlSocket, which allows Vidalia to talk to Tor via a Unix domain socket,
641) and could possibly be enabled by default in Tor's distribution packages.
642) Vidalia can then authenticate to Tor using filesystem-based (cookie)
643) authentication if the user running Vidalia is also in the distribution-specific
644) tor group.
645) <br />
646) This project will first involve adding support for Tor's ControlSocket to
647) Vidalia. The student will then develop and test this support on various
648) distributions to make sure it behaves in a predictable and consistent manner on
649) all of them.
650) <br />
651) The next challenge would be to find an intuitive and usable way for Vidalia to be
652) able to change Tor's configuration (torrc) even though it is located in
653) <code>/etc/tor/torrc</code> and thus immutable. In Debian and Ubuntu we handle
654) this with the aforementioned <code>/etc/default/tor.vidalia</code> but this
655) functionality could (or should) be less distribution-specific.
656) <br />
657) The best idea we've come up with so far is to feed Tor a new configuration via
658) the ControlSocket when Vidalia starts, but that's bad because if the user is not
659) using the latest Debian/Ubuntu packages, they may not have disabled Tor's
660) ability to run on boot and will end up with a configuration that is different
661) from what they want. The second best idea we've come up with is for Vidalia to
662) write out a temporary torrc file and ask the user to manually move it to
663) <code>/etc/tor/torrc</code>, but that's bad because users shouldn't have to
664) mess with files directly.
665) <br />
666) A person undertaking this project should have prior knowledge of various Linux
667) distributions and their packaging mechanisms as well as some C++ development
668) experience. Previous experience with Qt is helpful, but not required.
669) </li>
670)
671) <!--<li>
672) <b>Tor/Polipo/Vidalia Auto-Update Framework</b>
673) <br />
674) We're in need of a good authenticated-update framework.
675) Vidalia already has the ability to notice when the user is running an
676) outdated or unrecommended version of Tor, using signed statements inside
677) the Tor directory information. Currently, Vidalia simply pops
678) up a little message box that lets the user know they should manually
679) upgrade. The goal of this project would be to extend Vidalia with the
680) ability to also fetch and install the updated Tor software for the
681) user. We should do the fetches via Tor when possible, but also fall back
682) to direct fetches in a smart way. Time permitting, we would also like
683) to be able to update other
684) applications included in the bundled installers, such as Polipo and
685) Vidalia itself.
686) <br />
687) To complete this project, the student will first need to first investigate
688) the existing auto-update frameworks (e.g., Sparkle on OS X) to evaluate
689) their strengths, weaknesses, security properties, and ability to be
690) integrated into Vidalia. If none are found to be suitable, the student
691) will design their own auto-update framework, document the design, and
692) then discuss the design with other developers to assess any security
693) issues. The student will then implement their framework (or integrate
694) an existing one) and test it.
695) <br />
696) A person undertaking this project should have good C++ development
697) experience. Previous experience with Qt is helpful, but not required. One
698) should also have a good understanding of common security
699) practices, such as package signature verification. Good writing ability
700) is also important for this project, since a vital step of the project
701) will be producing a design document to review and discuss
702) with others prior to implementation.
703) </li>-->
704)
705) <li>
706) <b>Improving the Tor QA process: Continuous Integration for builds</b>
707) <br />
708) Priority: <i>Medium</i>
709) <br />
710) Effort Level: <i>Medium</i>
711) <br />
712) Skill Level: <i>Medium</i>
713) <br />
714) Likely Mentors: <i>Erinn</i>
715) <br />
716) It would be useful to have automated build processes for Windows and
717) probably other platforms. The purpose of having a continuous integration
718) build environment is to ensure that Windows isn't left behind for any of
719) the software projects used in the Tor project or its accompanying.<br />
720) Buildbot may be a good choice for this as it appears to support all of
721) the platforms Tor does. See the
722) <a href="http://en.wikipedia.org/wiki/BuildBot">wikipedia entry for
723) buildbot</a>.<br />
724) There may be better options and the person undertaking this task should
725) evaluate other options. Any person working on this automatic build
726) process should have experience or be willing to learn how to build all
727) of the respective Tor related code bases from scratch. Furthermore, the
728) person should have some experience building software in Windows
729) environments as this is the target audience we want to ensure we do not
730) leave behind. It would require close work with the Tor source code but
731) probably only in the form of building, not authoring.<br />
732) Additionally, we need to automate our performance testing for all platforms.
733) We've got buildbot (except on Windows — as noted above) to automate
734) our regular integration and compile testing already,
735) but we need to get our network simulation tests (as built in torflow)
736) updated for more recent versions of Tor, and designed to launch a test
737) network either on a single machine, or across several, so we can test
738) changes in performance on machines in different roles automatically.
739) </li>
740)
741) <!--<li>
742) <b>Usability testing of Tor</b>
743) <br />
744) Priority: <i>Medium</i>
745) <br />
746) Effort Level: <i>Medium</i>
747) <br />
748) Skill Level: <i>Low to Medium</i>
749) <br />
750) Likely Mentors: <i>Andrew</i>
751) <br />
752) Especially the browser bundle, ideally amongst our target demographic.
753) That would help a lot in knowing what needs to be done in terms of bug
754) fixes or new features. We get this informally at the moment, but a more
755) structured process would be better.
756) </li>-->
757)
758) <li>
759) <b>An authenticating IRC proxy</b>
760) <br />
761) Priority: <i>Low</i>
762) <br />
763) Effort Level: <i>Medium to High</i>
764) <br />
765) Skill Level: <i>Medium to High</i>
766) <br />
767) Likely Mentors: <i>Sebastian, Weasel, Roger</i>
768) <br />
769) The world needs an authenticating irc proxy. As we're periodically
770) reminded from the Penny Arcade web comic, "Internet user + anonymity =
771) jerk". With respect to websites we're actually doing ok, since websites
772) can make their users log in and use other application-level authentication
773) approaches. But IRC servers are much worse off, because most IRC server
774) code is poorly written: hard to maintain, and harder to modify. Many
775) IRC networks now block connections from Tor, and we're basically down to
776) two holdouts (OFTC and Freenode). This state of affairs means that a lot
777) of people around the world are thinking "I told you so" about anonymity
778) online, when in fact the problem is simply lack of technology to make the
779) problem manageable. We need some way to let the IRC networks distinguish
780) which users have developed a reputation as not being jerks, so they can
781) treat the two groups separately. There are some really cool research
782) designs like <a href="http://www.cs.dartmouth.edu/~nymble/">Nymble</a>,
783) which aim to let websites blacklist users without needing to learn who
784) they are. But Nymble is designed around web interactions. We need to
785) build the glue around the IRC protocol that would let us plug in a project
786) like Nymble (or a simpler one to start, as a proof-of-concept). One way
787) to do that would be to build an IRC proxy that knows how to hear from
788) IRC clients, knows how to talk to IRC servers, and has an additional
789) layer that requires the users to authenticate. Some work on this has
790) begun by other volunteers, see their progress at <a
791) href="http://github.com/anonirc/orc">http://github.com/anonirc/orc</a>.
792) </li>
793)
794) <li>
795) <b>Make torsocks/dsocks work on OS X</b>
796) <br />
797) Priority: <i>Medium</i>
798) <br />
799) Effort Level: <i>Medium</i>
800) <br />
801) Skill Level: <i>Medium</i>
802) <br />
803) Likely Mentors: <i>?</i>
804) <br />
805) <a href="http://code.google.com/p/torsocks/">Torsocks</a> and <a
806) href="http://code.google.com/p/dsocks/">dsocks</a> are wrappers that will
807) run applications, intercept their outgoing network connections, and push
808) those connections through Tor. The goal is to handle applications that
809) don't support proxies (or don't supporting them well). To get it right,
810) they need to intercept many system calls. The syscalls you need to
811) intercept on Linux differ dramatically from those on BSD. So Torsocks
812) works fine on Linux, dsocks works ok on BSD (though it may be less
813) maintained and thus might miss more syscalls), and nothing works well
814) on both. First, we should patch dsocks to use Tor's <i>mapaddress</i>
815) commands from the controller interface, so we don't waste a whole
816) round-trip inside Tor doing the resolve before connecting. Second,
817) we should make our <i>torify</i> script detect which of torsocks or
818) dsocks is installed, and call them appropriately. This probably means
819) unifying their interfaces, and might involve sharing code between them
820) or discarding one entirely.
821) </li>
822)
823) <li>
824) <b>Bring up new ideas!</b>
825) <br />
826) Don't like any of these? Look at the <a
827) href="<gitblob>doc/roadmaps/2008-12-19-roadmap-full.pdf">Tor development
828) roadmap</a> for more ideas, or just try out Tor, Vidalia, and Torbutton,
829) and find out what you think needs fixing.
830) Some of the <a href="<gittree>doc/spec/proposals">current proposals</a>
831) might also be short on developers.
832) </li>
833)
834) </ol>
835)
836) <a id="OtherCoding"></a>
837) <h2><a class="anchor" href="#OtherCoding">Other Coding and Design related ideas</a></h2>
838) <ol>
839) <li>Tor relays don't work well on Windows XP. On
840) Windows, Tor uses the standard <tt>select()</tt> system
841) call, which uses space in the non-page pool. This means
842) that a medium sized Tor relay will empty the non-page pool, <a
843) href="https://trac.torproject.org/projects/tor/wiki/TheOnionRouter/WindowsBufferProblems">causing
844) havoc and system crashes</a>. We should probably be using overlapped IO
845) instead. One solution would be to teach <a
846) href="http://www.monkey.org/~provos/libevent/">libevent</a> how to use
847) overlapped IO rather than select() on Windows, and then adapt Tor to
848) the new libevent interface. Christian King made a
849) <a href="https://svn.torproject.org/svn/libevent-urz/trunk/">good
850) start</a> on this in the summer of 2007.</li>
851)
852) <li>We need to actually start building our <a href="<page
853) docs/documentation>#DesignDoc">blocking-resistance design</a>. This involves
854) fleshing out the design, modifying many different pieces of Tor, adapting
855) <a href="<page projects/vidalia>">Vidalia</a> so it supports the
856) new features, and planning for deployment.</li>
857)
858) <li>We need a flexible simulator framework for studying end-to-end
859) traffic confirmation attacks. Many researchers have whipped up ad hoc
860) simulators to support their intuition either that the attacks work
861) really well or that some defense works great. Can we build a simulator
862) that's clearly documented and open enough that everybody knows it's
863) giving a reasonable answer? This will spur a lot of new research.
864) See the entry <a href="#Research">below</a> on confirmation attacks for
865) details on the research side of this task — who knows, when it's
866) done maybe you can help write a paper or three also.</li>
867)
868) <li>Tor 0.1.1.x and later include support for hardware crypto accelerators
869) via OpenSSL. It has been lightly tested and is possibly very buggy. We're looking for more rigorous testing, performance analysis, and optimally, code fixes to openssl and Tor if needed.</li>
870)
871) <li>Perform a security analysis of Tor with <a
872) href="http://en.wikipedia.org/wiki/Fuzz_testing">"fuzz"</a>. Determine
873) if there are good fuzzing libraries out there for what we want. Win fame by
874) getting credit when we put out a new release because of you!</li>
875)
876) <li>Tor uses TCP for transport and TLS for link
877) encryption. This is nice and simple, but it means all cells
878) on a link are delayed when a single packet gets dropped, and
879) it means we can only reasonably support TCP streams. We have a <a
880) href="https://trac.torproject.org/projects/tor/wiki/TheOnionRouter/TorFAQ#YoushouldtransportallIPpacketsnotjustTCPpackets.">list
881) of reasons why we haven't shifted to UDP transport</a>, but it would
882) be great to see that list get shorter. We also have a proposed <a
883) href="<gitblob>doc/spec/proposals/100-tor-spec-udp.txt">specification
884) for Tor and
885) UDP</a> — please let us know what's wrong with it.</li>
886)
887) <li>We're not that far from having IPv6 support for destination addresses
888) (at exit nodes). If you care strongly about IPv6, that's probably the
889) first place to start.</li>
890)
891) <li>We need a way to generate the website diagrams (for example, the "How
892) Tor Works" pictures on the <a href="<page about/overview>">overview page</a>
893) from source, so we can translate them as UTF-8 text rather than edit
894) them by hand with Gimp. We might want to
895) integrate this as an wml file so translations are easy and images are
896) generated in multiple languages whenever we build the website.</li>
897)
898) <li>How can we make the various LiveCD/USB systems easier
899) to maintain, improve, and document? One example is <a
900) href="https://amnesia.boum.org/">The (Amnesic) Incognito Live
901) System</a>.
902) </li>
903)
904) <li>
905) Another anti-censorship project is to try to make Tor
906) more scanning-resistant. Right now, an adversary can identify <a
907) href="<gitblob>doc/spec/proposals/125-bridges.txt">Tor bridges</a>
908) just by trying to connect to them, following the Tor protocol,
909) and seeing if they respond. To solve this, bridges could <a
910) href="<svnprojects>design-paper/blocking.html#tth_sEc9.3">act like
911) webservers</a> (HTTP or HTTPS) when contacted by port-scanning tools,
912) and not act like bridges until the user provides a bridge-specific key.
913) To start, check out Shane Pope's <a
914) href="http://dl.dropbox.com/u/37735/index.html">thesis and prototype</a>.
915) </li>
916)
917) </ol>
918)
919) <a id="Research"></a>
920) <h2><a class="anchor" href="#Research">Research</a></h2>
921) <ol>
922) <li>The "end-to-end traffic confirmation attack":
923) by watching traffic at Alice and at Bob, we can <a
924) href="http://freehaven.net/anonbib/#danezis:pet2004">compare
925) traffic signatures and become convinced that we're watching the same
926) stream</a>. So far Tor accepts this as a fact of life and assumes this
927) attack is trivial in all cases. First of all, is that actually true? How
928) much traffic of what sort of distribution is needed before the adversary
929) is confident he has won? Are there scenarios (e.g. not transmitting much)
930) that slow down the attack? Do some traffic padding or traffic shaping
931) schemes work better than others?</li>
932) <li>A related question is: Does running a relay/bridge provide additional
933) protection against these timing attacks? Can an external adversary that can't
934) see inside TLS links still recognize individual streams reliably?
935) Does the amount of traffic carried degrade this ability any? What if the
936) client-relay deliberately delayed upstream relayed traffic to create a queue
937) that could be used to mimic timings of client downstream traffic to make it
938) look like it was also relayed? This same queue could also be used for masking
939) timings in client upstream traffic with the techniques from <a
940) href="http://www.freehaven.net/anonbib/#ShWa-Timing06">adaptive padding</a>,
941) but without the need for additional traffic. Would such an interleaving of
942) client upstream traffic obscure timings for external adversaries? Would the
943) strategies need to be adjusted for asymmetric links? For example, on
944) asymmetric links, is it actually possible to differentiate client traffic from
945) natural bursts due to their asymmetric capacity? Or is it easier than
946) symmetric links for some other reason?</li>
947) <li>Repeat Murdoch and Danezis's <a
948) href="http://www.cl.cam.ac.uk/~sjm217/projects/anon/#torta">attack from
949) Oakland 05</a> on the current Tor network. See if you can learn why it
950) works well on some nodes and not well on others. (My theory is that the
951) fast nodes with spare capacity resist the attack better.) If that's true,
952) then experiment with the RelayBandwidthRate and RelayBandwidthBurst
953) options to run a relay that is used as a client while relaying the
954) attacker's traffic: as we crank down the RelayBandwidthRate, does the
955) attack get harder? What's the right ratio of RelayBandwidthRate to
956) actually capacity? Or is it a ratio at all? While we're at it, does a
957) much larger set of candidate relays increase the false positive rate
958) or other complexity for the attack? (The Tor network is now almost two
959) orders of magnitude larger than it was when they wrote their paper.) Be
960) sure to read <a href="http://freehaven.net/anonbib/#clog-the-queue">Don't
961) Clog the Queue</a> too.</li>
962) <li>The "routing zones attack": most of the literature thinks of
963) the network path between Alice and her entry node (and between the
964) exit node and Bob) as a single link on some graph. In practice,
965) though, the path traverses many autonomous systems (ASes), and <a
966) href="http://freehaven.net/anonbib/#feamster:wpes2004">it's not uncommon
967) that the same AS appears on both the entry path and the exit path</a>.
968) Unfortunately, to accurately predict whether a given Alice, entry,
969) exit, Bob quad will be dangerous, we need to download an entire Internet
970) routing zone and perform expensive operations on it. Are there practical
971) approximations, such as avoiding IP addresses in the same /8 network?</li>
972) <li>Other research questions regarding geographic diversity consider
973) the tradeoff between choosing an efficient circuit and choosing a random
974) circuit. Look at Stephen Rollyson's <a
975) href="http://swiki.cc.gatech.edu:8080/ugResearch/uploads/7/ImprovingTor.pdf">position
976) paper</a> on how to discard particularly slow choices without hurting
977) anonymity "too much". This line of reasoning needs more work and more
978) thinking, but it looks very promising.</li>
979) <li>Tor doesn't work very well when relays have asymmetric bandwidth
980) (e.g. cable or DSL). Because Tor has separate TCP connections between
981) each hop, if the incoming bytes are arriving just fine and the outgoing
982) bytes are all getting dropped on the floor, the TCP push-back mechanisms
983) don't really transmit this information back to the incoming streams.
984) Perhaps Tor should detect when it's dropping a lot of outgoing packets,
985) and rate-limit incoming streams to regulate this itself? I can imagine
986) a build-up and drop-off scheme where we pick a conservative rate-limit,
987) slowly increase it until we get lost packets, back off, repeat. We
988) need somebody who's good with networks to simulate this and help design
989) solutions; and/or we need to understand the extent of the performance
990) degradation, and use this as motivation to reconsider UDP transport.</li>
991) <li>A related topic is congestion control. Is our
992) current design sufficient once we have heavy use? Maybe
993) we should experiment with variable-sized windows rather
994) than fixed-size windows? That seemed to go well in an <a
995) href="http://www.psc.edu/networking/projects/hpn-ssh/theory.php">ssh
996) throughput experiment</a>. We'll need to measure and tweak, and maybe
997) overhaul if the results are good.</li>
998) <li>Our censorship-resistance goals include preventing
999) an attacker who's looking at Tor traffic on the wire from <a
1000) href="<svnprojects>design-paper/blocking.html#sec:network-fingerprint">distinguishing
1001) it from normal SSL traffic</a>. Obviously we can't achieve perfect
1002) steganography and still remain usable, but for a first step we'd like to
1003) block any attacks that can win by observing only a few packets. One of
1004) the remaining attacks we haven't examined much is that Tor cells are 512
1005) bytes, so the traffic on the wire may well be a multiple of 512 bytes.
1006) How much does the batching and overhead in TLS records blur this on the
1007) wire? Do different buffer flushing strategies in Tor affect this? Could
1008) a bit of padding help a lot, or is this an attack we must accept?</li>
1009) <li>Tor circuits are built one hop at a time, so in theory we have the
1010) ability to make some streams exit from the second hop, some from the
1011) third, and so on. This seems nice because it breaks up the set of exiting
1012) streams that a given relay can see. But if we want each stream to be safe,
1013) the "shortest" path should be at least 3 hops long by our current logic, so
1014) the rest will be even longer. We need to examine this performance / security
1015) tradeoff.</li>
1016) <li>It's not that hard to DoS Tor relays or directory authorities. Are client
1017) puzzles the right answer? What other practical approaches are there? Bonus
1018) if they're backward-compatible with the current Tor protocol.</li>
1019) <li>Programs like <a
|
first cut of the new, shiny...
fix another 404 from the fr...