ParTEETor: A System for Partial Deployments of TEEs within Tor

TL;DR

ParTEETor introduces a system that uses partial deployment of trusted execution environments in Tor relays, enhancing security against deanonymization attacks while maintaining performance and privacy.

Contribution

It proposes a novel partial TEE deployment approach in Tor, with two operational modes, to improve security without requiring full network TEE adoption.

Findings

10% TEE relay deployment achieves comparable performance to current Tor.

Partial TEE deployment effectively defends against multiple deanonymization attacks.

Security improvements are achieved with minimal impact on privacy and performance.

Abstract

The Tor anonymity network allows users such as political activists and those under repressive governments to protect their privacy when communicating over the internet. At the same time, Tor has been demonstrated to be vulnerable to several classes of deanonymizing attacks that expose user behavior and identities. Prior work has shown that these threats can be mitigated by leveraging trusted execution environments (TEEs). However, previous proposals assume that all relays in the network will be TEE-based-which as a practical matter is unrealistic. In this work, we introduce ParTEETor, a Tor-variant system, which leverages partial deployments of TEEs to thwart known attacks. We study two modes of operation: non-policy and policy. Non-policy mode uses the existing Tor relay selection algorithm to provide users incident security. Policy mode extends the relay selection algorithm to address the classes of attacks by enforcing a specific TEE circuit configuration. We evaluate ParTEETor for security, performance, and privacy. Our evaluation demonstrates that at even a small TEE penetration (e.g., 10% of relays are TEE-based), users can reach performance of Tor today while enforcing a security policy to guarantee protection from at least two classes of attacks. Overall, we find that partial deployments of TEEs can substantially improve the security of Tor, without a significant impact on performance or privacy.