Barriers to TOR Research at UC Berkeley

A talk given by Joseph Lorenzo Hall at the UCB TRUST Privacy workshop on 10/05/2006 that describes the tensions between institutional requirements and technical abilities of the TOR network, which severely limit TOR research on the UCB campus.


  1. Barriers to TOR Research at UC Berkeley
       Joseph Lorenzo Hall, Karl Chen, Matthew Rothenberg
       http://josephhall.org/papers/torpapr.pdf
  2. Introduction
       • Thesis: research opportunities with TOR at UC Berkeley are limited.
       • Tension exists between features of TOR and the institutional environment.
       • We had a neat experiment utilizing TOR ready to go, but were never able to turn it on.
       • We used the experience as an opportunity to make recommendations to Berkeley (and TOR).
  3. Outline
       • What is TOR?
       • Our planned experiment
       • Legal and institutional barriers
       • Options available to TOR researchers
  4. What is TOR?
       • An internet anonymization tool.
  5. What is TOR?
       • Technical description of TOR/onion routing.
           • Can specify exit policy to control IPs/ports of exit traffic.
           • Must specify IP addresses, not domains.
           • Clients can specify preferred exit node.
       • History and motivation of similar tools.
       • Recent research / improvements / attacks in onion routing.
  6. The Planned Experiment
       • What were our planned research goals?
           • To profile TOR traffic. What are people doing / where are they going?
           • Is TOR something that our institution should support?
           • Are there uses of the network that should be disincentivized?
       • A high-level description of the planned experiment.
       • Technical infrastructure.
           • Using a virtual interface for TOR traffic.
           • What we would log and why.
           • How it would be logged efficiently.
           • Storage needs for the logs.
           • This was all doable and in place.
  7. Legal Hurdles
       • Content
           • Federal Wiretapping Law (18 USC §§ 2510-2522)
               • Court order for govt. access, penalties and damages as well as a civil cause of action
           • State Law (California Penal Code §§ 629.50-629.98)
       • Network Attributes
           • Federal Pen-register Law (18 USC §§ 3121-3127)
               • Bar is lower, exceptions exist, no civil cause of action
  8. Institutional Hurdles
       • Departmental Approval
       • Unauthenticated proxies forbidden by Minimum Standards for Security of Berkeley Campus Networked Devices (MSSBCND)
       • Campus Information Security Committee approval for exception to MSSBCND
       • UCB Risk Management Attorneys
       • Library Services Licensing (for dealing with IP-based authentication)
  9. The Rub
       • Blocking exit traffic to services we subscribe to is difficult.
       • 3k+ entries in the proxy.pac file.
       • Uses domain names with wildcards (e.g., *.acm.org).
       • TOR doesn't handle large exit policies well (technically and socially).
  10. Options For TOR Research (1)
       • Operating in middleman mode (no exit traffic).
           • Pros: minimal exit policy, no worries with proxy.pac.
           • Cons: would not allow experiments that rely on exit traffic.
       • Successively adding entries to an allowed list in the exit policies.
           • Pros: very small exit policy, would not have to worry about proxy.pac.
           • Cons: very limited view of internets, would be biased to certain types of traffic (web, etc.), limited by the length of time that it takes for an exit policy change to propagate to other nodes.
  11. Options For TOR Research (2)
       • Blocking all IP addresses that correspond to proxy.pac regexes in DNS (using searchDNS).
           • Pros: Highly precise.
           • Cons: Results in an exit policy 3k-150k entries long, blocks legitimate traffic, doesn't block traffic to IP addresses that don't have DNS entries.
       • Blocking whole netblocks associated with second-level domains.
           • Pros: Smaller exit policy list.
           • Cons: Blocks much more legitimate traffic, exit policy is still 3k long.
  12. Possible Solutions
       • Have a trusted segment of our network.
       • Get rid of IP-based "authentication" with services with which we've contracted.
       • Modify TOR such that its directory protocol is more enterprise-user friendly.
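
Slides 9 to 11 describe turning proxy.pac's wildcard domains into an IP-based exit policy. The sketch below is an added example, not code from the talk: it builds the per-address and per-netblock policies from a constructed wildcard-to-address table and measures policy length and over-blocking for each. The documentation-range addresses, the /24 standing in for a domain's netblock, and the helper names are all assumptions.

```python
import ipaddress

# Constructed sample: proxy.pac wildcard -> addresses a DNS search returned.
# All addresses are documentation ranges, not real licensed services.
RESOLVED = {
    "*.acm.org": ["198.51.100.10", "198.51.100.11",
                  "198.51.100.12", "198.51.100.13"],
    "*.example-journal.org": ["203.0.113.5", "203.0.113.77"],
    "*.example-db.com": ["192.0.2.200"],
}

def all_addresses(resolved):
    return {ipaddress.ip_address(a) for ips in resolved.values() for a in ips}

def precise_rejects(resolved):
    """One entry per resolved address, merged only where CIDR-adjacent."""
    hosts = [ipaddress.ip_network(str(a)) for a in all_addresses(resolved)]
    return list(ipaddress.collapse_addresses(hosts))

def netblock_rejects(resolved, prefix=24):
    """Whole enclosing block per address; /24 is an assumed netblock size."""
    blocks = {ipaddress.ip_network(f"{a}/{prefix}", strict=False)
              for a in all_addresses(resolved)}
    return list(ipaddress.collapse_addresses(blocks))

def overblocked(nets, resolved):
    """Addresses rejected that no proxy.pac entry resolved to."""
    return sum(n.num_addresses for n in nets) - len(all_addresses(resolved))

def is_rejected(addr, nets):
    ip = ipaddress.ip_address(addr)
    return any(ip in n for n in nets)

def torrc(nets):
    """Tor exit policies take addresses/masks, never domain names."""
    return [f"ExitPolicy reject {n}:*" for n in nets] + ["ExitPolicy accept *:*"]

if __name__ == "__main__":
    for name, nets in (("per-address", precise_rejects(RESOLVED)),
                       ("per-netblock", netblock_rejects(RESOLVED))):
        print(f"# {name}: {len(nets)} reject lines, "
              f"{overblocked(nets, RESOLVED)} extra addresses blocked")
        print("\n".join(torrc(nets)))
        # A licensed host with no DNS entry (constructed address):
        print("# 198.51.100.50 rejected:", is_rejected("198.51.100.50", nets))
```

Middleman mode from slide 10 corresponds to the single line `ExitPolicy reject *:*`, which avoids the table entirely.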
