Forming Guard Sets using AS Relationships

TL;DR

This paper introduces a location-based guard set formation method for Tor that enhances security by limiting malicious guard influence and improves stability compared to bandwidth-based approaches.

Contribution

We propose a novel Internet location-based guard set formation method that improves security and stability over existing bandwidth-based guard sets.

Findings

Our approach confines adversaries to fewer guard sets.

Simulation shows improved security against relay and network adversaries.

Guard set stability is enhanced with location-based grouping.

Abstract

The mechanism for picking guards in Tor suffers from security problems like guard fingerprinting and from performance issues. To address these issues, Hayes and Danezis proposed the use of guard sets, in which the Tor system groups all guards into sets, and each client picks one of these sets and uses its guards. Unfortunately, guard sets frequently need nodes added or they are broken up due to fluctuations in network bandwidth. In this paper, we first show that these breakups create opportunities for malicious guards to join many guard sets by merely tuning the bandwidth they make available to Tor, and this greatly increases the number of clients exposed to malicious guards. To address this problem, we propose a new method for forming guard sets based on Internet location. We construct a hierarchy that keeps clients and guards together more reliably and prevents guards from easily joining arbitrary guard sets. This approach also has the advantage of confining an attacker with access to limited locations on the Internet to a small number of guard sets. We simulate this guard set design using historical Tor data in the presence of both relay-level adversaries and network-level adversaries, and we find that our approach is good at confining the adversary into few guard sets and thus limiting the impact of attacks.