Damian Johnson commited on 2016-03-17 16:26:19
Zeige 1 geänderte Dateien mit 0 Einfügungen und 210 Löschungen.
This is an antique, horribly unreadable wad of text as denser than a legal footer. We should invest effort in making project ideas readable or not have them at all. Actually, this section predates me (meaning it's over six years old) and never been maintained in that time. Guess it's so dense even we ignored it. :P If we want to resurrect any of these then it should be done so as tickets.
... | ... |
@@ -1556,216 +1556,6 @@ implementation. |
1556 | 1556 |
</li> |
1557 | 1557 |
|
1558 | 1558 |
</ol> |
1559 |
- |
|
1560 |
- <a id="OtherCoding"></a> |
|
1561 |
- <h2><a class="anchor" href="#OtherCoding">Other Coding and Design related ideas</a></h2> |
|
1562 |
- <ol> |
|
1563 |
- <li>Tor relays don't work well on Windows XP. On |
|
1564 |
- Windows, Tor uses the standard <tt>select()</tt> system |
|
1565 |
- call, which uses space in the non-page pool. This means |
|
1566 |
- that a medium sized Tor relay will empty the non-page pool, <a |
|
1567 |
- href="<wiki>doc/WindowsBufferProblems">causing |
|
1568 |
- havoc and system crashes</a>. We should probably be using overlapped IO |
|
1569 |
- instead. One solution would be to teach <a |
|
1570 |
- href="http://www.monkey.org/~provos/libevent/">libevent</a> how to use |
|
1571 |
- overlapped IO rather than select() on Windows, and then adapt Tor to |
|
1572 |
- the new libevent interface. Christian King made a |
|
1573 |
- <a href="https://svn.torproject.org/svn/libevent-urz/trunk/">good |
|
1574 |
- start</a> on this in the summer of 2007.</li> |
|
1575 |
- |
|
1576 |
- <li>We need a flexible simulator framework for studying end-to-end |
|
1577 |
- traffic confirmation attacks. Many researchers have whipped up ad hoc |
|
1578 |
- simulators to support their intuition either that the attacks work |
|
1579 |
- really well or that some defense works great. Can we build a simulator |
|
1580 |
- that's clearly documented and open enough that everybody knows it's |
|
1581 |
- giving a reasonable answer? This will spur a lot of new research. |
|
1582 |
- See the entry <a href="#Research">below</a> on confirmation attacks for |
|
1583 |
- details on the research side of this task — who knows, when it's |
|
1584 |
- done maybe you can help write a paper or three also.</li> |
|
1585 |
- |
|
1586 |
- <li>Tor 0.1.1.x and later include support for hardware crypto |
|
1587 |
- accelerators via OpenSSL. It has been lightly tested and is |
|
1588 |
- possibly very buggy. We're looking for more rigorous testing, |
|
1589 |
- performance analysis, and optimally, code fixes to OpenSSL and |
|
1590 |
- Tor if needed.</li> |
|
1591 |
- |
|
1592 |
- <li>Write a <a |
|
1593 |
- href="https://secure.wikimedia.org/wikipedia/en/wiki/Fuzz_testing">fuzzer</a> |
|
1594 |
- for Tor to discover security vulnerabilities. Determine if there |
|
1595 |
- are good fuzzing frameworks out there for what we want. Win fame by |
|
1596 |
- getting credit when we put out a new release because of you!</li> |
|
1597 |
- |
|
1598 |
- <li>Tor uses TCP for transport and TLS for link |
|
1599 |
- encryption. This is nice and simple, but it means all cells |
|
1600 |
- on a link are delayed when a single packet gets dropped, and |
|
1601 |
- it means we can only reasonably support TCP streams. We have a <a |
|
1602 |
- href="<page docs/faq>#TransportIPnotTCP">list |
|
1603 |
- of reasons why we haven't shifted to UDP transport</a>, but it would |
|
1604 |
- be great to see that list get shorter. We also have a proposed <a |
|
1605 |
- href="<specblob>proposals/100-tor-spec-udp.txt">specification |
|
1606 |
- for Tor and |
|
1607 |
- UDP</a> — please let us know what's wrong with it.</li> |
|
1608 |
- |
|
1609 |
- <li>We're not that far from having IPv6 support for destination addresses |
|
1610 |
- (at exit nodes). If you care strongly about IPv6, that's probably the |
|
1611 |
- first place to start.</li> |
|
1612 |
- |
|
1613 |
- <li>We need a way to generate the website diagrams (for example, the "How |
|
1614 |
- Tor Works" pictures on the <a href="<page about/overview>">overview page</a> |
|
1615 |
- from source, so we can translate them as UTF-8 text rather than edit |
|
1616 |
- them by hand with Gimp. We might want to |
|
1617 |
- integrate this as an wml file so translations are easy and images are |
|
1618 |
- generated in multiple languages whenever we build the website.</li> |
|
1619 |
- |
|
1620 |
- <li>How can we make the various LiveCD/USB systems easier |
|
1621 |
- to maintain, improve, and document? One example is <a |
|
1622 |
- href="https://tails.boum.org/">The Amnesic Incognito Live |
|
1623 |
- System</a>. |
|
1624 |
- </li> |
|
1625 |
- |
|
1626 |
- <li> |
|
1627 |
- Another anti-censorship project is to try to make Tor |
|
1628 |
- more scanning-resistant. Right now, an adversary can identify <a |
|
1629 |
- href="<specblob>proposals/125-bridges.txt">Tor bridges</a> |
|
1630 |
- just by trying to connect to them, following the Tor protocol, |
|
1631 |
- and seeing if they respond. To solve this, bridges could <a |
|
1632 |
- href="<svnprojects>design-paper/blocking.html#tth_sEc9.3">act like |
|
1633 |
- webservers</a> (HTTP or HTTPS) when contacted by port-scanning tools, |
|
1634 |
- and not act like bridges until the user provides a bridge-specific key. |
|
1635 |
- To start, check out Shane Pope's <a |
|
1636 |
- href="http://dl.dropbox.com/u/37735/index.html">thesis and prototype</a>. |
|
1637 |
- </li> |
|
1638 |
- |
|
1639 |
- </ol> |
|
1640 |
- |
|
1641 |
- <a id="Research"></a> |
|
1642 |
- <h2><a class="anchor" href="#Research">Research</a></h2> |
|
1643 |
- <ol> |
|
1644 |
- <li>The "end-to-end traffic confirmation attack": |
|
1645 |
- by watching traffic at Alice and at Bob, we can <a |
|
1646 |
- href="http://freehaven.net/anonbib/#danezis:pet2004">compare |
|
1647 |
- traffic signatures and become convinced that we're watching the same |
|
1648 |
- stream</a>. So far Tor accepts this as a fact of life and assumes this |
|
1649 |
- attack is trivial in all cases. First of all, is that actually true? How |
|
1650 |
- much traffic of what sort of distribution is needed before the adversary |
|
1651 |
- is confident he has won? Are there scenarios (e.g. not transmitting much) |
|
1652 |
- that slow down the attack? Do some traffic padding or traffic shaping |
|
1653 |
- schemes work better than others?</li> |
|
1654 |
- <li>A related question is: Does running a relay/bridge provide additional |
|
1655 |
- protection against these timing attacks? Can an external adversary that can't |
|
1656 |
- see inside TLS links still recognize individual streams reliably? |
|
1657 |
- Does the amount of traffic carried degrade this ability any? What if the |
|
1658 |
- client-relay deliberately delayed upstream relayed traffic to create a queue |
|
1659 |
- that could be used to mimic timings of client downstream traffic to make it |
|
1660 |
- look like it was also relayed? This same queue could also be used for masking |
|
1661 |
- timings in client upstream traffic with the techniques from <a |
|
1662 |
- href="http://www.freehaven.net/anonbib/#ShWa-Timing06">adaptive padding</a>, |
|
1663 |
- but without the need for additional traffic. Would such an interleaving of |
|
1664 |
- client upstream traffic obscure timings for external adversaries? Would the |
|
1665 |
- strategies need to be adjusted for asymmetric links? For example, on |
|
1666 |
- asymmetric links, is it actually possible to differentiate client traffic from |
|
1667 |
- natural bursts due to their asymmetric capacity? Or is it easier than |
|
1668 |
- symmetric links for some other reason?</li> |
|
1669 |
- <li>Repeat Murdoch and Danezis's <a |
|
1670 |
- href="http://www.cl.cam.ac.uk/~sjm217/projects/anon/#torta">attack from |
|
1671 |
- Oakland 05</a> on the current Tor network. See if you can learn why it |
|
1672 |
- works well on some nodes and not well on others. (My theory is that the |
|
1673 |
- fast nodes with spare capacity resist the attack better.) If that's true, |
|
1674 |
- then experiment with the RelayBandwidthRate and RelayBandwidthBurst |
|
1675 |
- options to run a relay that is used as a client while relaying the |
|
1676 |
- attacker's traffic: as we crank down the RelayBandwidthRate, does the |
|
1677 |
- attack get harder? What's the right ratio of RelayBandwidthRate to |
|
1678 |
- actually capacity? Or is it a ratio at all? While we're at it, does a |
|
1679 |
- much larger set of candidate relays increase the false positive rate |
|
1680 |
- or other complexity for the attack? (The Tor network is now almost two |
|
1681 |
- orders of magnitude larger than it was when they wrote their paper.) Be |
|
1682 |
- sure to read <a href="http://freehaven.net/anonbib/#clog-the-queue">Don't |
|
1683 |
- Clog the Queue</a> too.</li> |
|
1684 |
- <li>The "routing zones attack": most of the literature thinks of |
|
1685 |
- the network path between Alice and her entry node (and between the |
|
1686 |
- exit node and Bob) as a single link on some graph. In practice, |
|
1687 |
- though, the path traverses many autonomous systems (ASes), and <a |
|
1688 |
- href="http://freehaven.net/anonbib/#feamster:wpes2004">it's not uncommon |
|
1689 |
- that the same AS appears on both the entry path and the exit path</a>. |
|
1690 |
- Unfortunately, to accurately predict whether a given Alice, entry, |
|
1691 |
- exit, Bob quad will be dangerous, we need to download an entire Internet |
|
1692 |
- routing zone and perform expensive operations on it. Are there practical |
|
1693 |
- approximations, such as avoiding IP addresses in the same /8 network?</li> |
|
1694 |
- <li>Other research questions regarding geographic diversity consider |
|
1695 |
- the tradeoff between choosing an efficient circuit and choosing a random |
|
1696 |
- circuit. Look at Stephen Rollyson's <a |
|
1697 |
- href="http://swiki.cc.gatech.edu:8080/ugResearch/uploads/7/ImprovingTor.pdf">position |
|
1698 |
- paper</a> on how to discard particularly slow choices without hurting |
|
1699 |
- anonymity "too much". This line of reasoning needs more work and more |
|
1700 |
- thinking, but it looks very promising.</li> |
|
1701 |
- <li>Tor doesn't work very well when relays have asymmetric bandwidth |
|
1702 |
- (e.g. cable or DSL). Because Tor has separate TCP connections between |
|
1703 |
- each hop, if the incoming bytes are arriving just fine and the outgoing |
|
1704 |
- bytes are all getting dropped on the floor, the TCP push-back mechanisms |
|
1705 |
- don't really transmit this information back to the incoming streams. |
|
1706 |
- Perhaps Tor should detect when it's dropping a lot of outgoing packets, |
|
1707 |
- and rate-limit incoming streams to regulate this itself? I can imagine |
|
1708 |
- a build-up and drop-off scheme where we pick a conservative rate-limit, |
|
1709 |
- slowly increase it until we get lost packets, back off, repeat. We |
|
1710 |
- need somebody who's good with networks to simulate this and help design |
|
1711 |
- solutions; and/or we need to understand the extent of the performance |
|
1712 |
- degradation, and use this as motivation to reconsider UDP transport.</li> |
|
1713 |
- <li>A related topic is congestion control. Is our |
|
1714 |
- current design sufficient once we have heavy use? Maybe |
|
1715 |
- we should experiment with variable-sized windows rather |
|
1716 |
- than fixed-size windows? That seemed to go well in an <a |
|
1717 |
- href="http://www.psc.edu/index.php/hpn-ssh/638">ssh |
|
1718 |
- throughput experiment</a>. We'll need to measure and tweak, and maybe |
|
1719 |
- overhaul if the results are good.</li> |
|
1720 |
- <li>Our censorship-resistance goals include preventing |
|
1721 |
- an attacker who's looking at Tor traffic on the wire from <a |
|
1722 |
- href="<svnprojects>design-paper/blocking.html#sec:network-fingerprint">distinguishing |
|
1723 |
- it from normal SSL traffic</a>. Obviously we can't achieve perfect |
|
1724 |
- steganography and still remain usable, but for a first step we'd like to |
|
1725 |
- block any attacks that can win by observing only a few packets. One of |
|
1726 |
- the remaining attacks we haven't examined much is that Tor cells are 512 |
|
1727 |
- bytes, so the traffic on the wire may well be a multiple of 512 bytes. |
|
1728 |
- How much does the batching and overhead in TLS records blur this on the |
|
1729 |
- wire? Do different buffer flushing strategies in Tor affect this? Could |
|
1730 |
- a bit of padding help a lot, or is this an attack we must accept?</li> |
|
1731 |
- <li>Tor circuits are built one hop at a time, so in theory we have the |
|
1732 |
- ability to make some streams exit from the second hop, some from the |
|
1733 |
- third, and so on. This seems nice because it breaks up the set of exiting |
|
1734 |
- streams that a given relay can see. But if we want each stream to be safe, |
|
1735 |
- the "shortest" path should be at least 3 hops long by our current logic, so |
|
1736 |
- the rest will be even longer. We need to examine this performance / security |
|
1737 |
- tradeoff.</li> |
|
1738 |
- <li>It's not that hard to DoS Tor relays or directory authorities. Are client |
|
1739 |
- puzzles the right answer? What other practical approaches are there? Bonus |
|
1740 |
- if they're backward-compatible with the current Tor protocol.</li> |
|
1741 |
- <li>Programs like <a |
|
1742 |
- href="<page docs/torbutton/index>">Torbutton</a> aim to hide |
|
1743 |
- your browser's UserAgent string by replacing it with a uniform answer for |
|
1744 |
- every Tor user. That way the attacker can't splinter Tor's anonymity set |
|
1745 |
- by looking at that header. It tries to pick a string that is commonly used |
|
1746 |
- by non-Tor users too, so it doesn't stand out. Question one: how badly |
|
1747 |
- do we hurt ourselves by periodically updating the version of Firefox |
|
1748 |
- that Torbutton claims to be? If we update it too often, we splinter the |
|
1749 |
- anonymity sets ourselves. If we don't update it often enough, then all the |
|
1750 |
- Tor users stand out because they claim to be running a quite old version |
|
1751 |
- of Firefox. The answer here probably depends on the Firefox versions seen |
|
1752 |
- in the wild. Question two: periodically people ask us to cycle through N |
|
1753 |
- UserAgent strings rather than stick with one. Does this approach help, |
|
1754 |
- hurt, or not matter? Consider: cookies and recognizing Torbutton users |
|
1755 |
- by their rotating UserAgents; malicious websites who only attack certain |
|
1756 |
- browsers; and whether the answers to question one impact this answer. |
|
1757 |
- </li> |
|
1758 |
- <li>How many bridge relays do you need to know to maintain |
|
1759 |
- reachability? We should measure the churn in our bridges. If there is |
|
1760 |
- lots of churn, are there ways to keep bridge users more likely to stay |
|
1761 |
- connected? |
|
1762 |
- </li> |
|
1763 |
- </ol> |
|
1764 |
- |
|
1765 |
- <p> |
|
1766 |
- <a href="<page about/contact>">Let us know</a> if you've made progress on any |
|
1767 |
- of these! |
|
1768 |
- </p> |
|
1769 | 1559 |
</div> |
1770 | 1560 |
<!-- END MAINCOL --> |
1771 | 1561 |
<div id = "sidecol"> |
1772 | 1562 |