Enemy At the Gateways: Censorship-Resilient Proxy Distribution Using Game Theory

Proceedings 2019 Network and Distributed System Security Symposium Pub Date : 2019-01-01 DOI:10.14722/ndss.2019.23496

Milad Nasr, Sadegh Farhang, A. Houmansadr, Jens Grossklags

{"title":"Enemy At the Gateways: Censorship-Resilient Proxy Distribution Using Game Theory","authors":"Milad Nasr, Sadegh Farhang, A. Houmansadr, Jens Grossklags","doi":"10.14722/ndss.2019.23496","DOIUrl":null,"url":null,"abstract":"A core technique used by popular proxy-based circumvention systems like Tor is to privately and selectively distribute the IP addresses of circumvention proxies among censored clients to keep them unknown to the censors. In Tor, for instance, such privately shared proxies are known as bridges. A key challenge to this mechanism is the insider attack problem: censoring agents can impersonate benign censored clients in order to learn (and then block) the privately shared circumvention proxies. To minimize the risks of the insider attack threat, in-thewild circumvention systems like Tor use various proxy assignment mechanisms in order to minimize the risk of proxy enumeration by the censors, while providing access to a large fraction of censored clients. Unfortunately, existing proxy assignment mechanisms (like the one used by Tor) are based on ad hoc heuristics that offer no theoretical guarantees and are easily evaded in practice. In this paper, we take a systematic approach to the problem of proxy distribution in circumvention systems by establishing a gametheoretic framework. We model the proxy assignment problem as a game between circumvention system operators and the censors, and use game theory to derive the optimal strategies of each of the parties. Using our framework, we derive the best (optimal) proxy assignment mechanism of a circumvention system like Tor in the presence of the strongest censorship adversary who takes her best censorship actions. We perform extensive simulations to evaluate our optimal proxy assignment algorithm under various adversarial and network settings. We show that the algorithm has superior performance compared to the state of the art, i.e., provides stronger resistance to censorship even against the strongest censorship adversary. Our study establishes a generic framework for optimal proxy assignment that can be applied to various types of circumvention systems and under various threat models. We conclude with lessons and recommendations for the design of proxy-based circumvention systems.","PeriodicalId":20444,"journal":{"name":"Proceedings 2019 Network and Distributed System Security Symposium","volume":null,"pages":null},"PeriodicalIF":0.0000,"publicationDate":"2019-01-01","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":"9","resultStr":null,"platform":"Semanticscholar","paperid":null,"PeriodicalName":"Proceedings 2019 Network and Distributed System Security Symposium","FirstCategoryId":"1085","ListUrlMain":"https://doi.org/10.14722/ndss.2019.23496","RegionNum":0,"RegionCategory":null,"ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":null,"EPubDate":"","PubModel":"","JCR":"","JCRName":"","Score":null,"Total":0}

引用次数: 9

Abstract

A core technique used by popular proxy-based circumvention systems like Tor is to privately and selectively distribute the IP addresses of circumvention proxies among censored clients to keep them unknown to the censors. In Tor, for instance, such privately shared proxies are known as bridges. A key challenge to this mechanism is the insider attack problem: censoring agents can impersonate benign censored clients in order to learn (and then block) the privately shared circumvention proxies. To minimize the risks of the insider attack threat, in-thewild circumvention systems like Tor use various proxy assignment mechanisms in order to minimize the risk of proxy enumeration by the censors, while providing access to a large fraction of censored clients. Unfortunately, existing proxy assignment mechanisms (like the one used by Tor) are based on ad hoc heuristics that offer no theoretical guarantees and are easily evaded in practice. In this paper, we take a systematic approach to the problem of proxy distribution in circumvention systems by establishing a gametheoretic framework. We model the proxy assignment problem as a game between circumvention system operators and the censors, and use game theory to derive the optimal strategies of each of the parties. Using our framework, we derive the best (optimal) proxy assignment mechanism of a circumvention system like Tor in the presence of the strongest censorship adversary who takes her best censorship actions. We perform extensive simulations to evaluate our optimal proxy assignment algorithm under various adversarial and network settings. We show that the algorithm has superior performance compared to the state of the art, i.e., provides stronger resistance to censorship even against the strongest censorship adversary. Our study establishes a generic framework for optimal proxy assignment that can be applied to various types of circumvention systems and under various threat models. We conclude with lessons and recommendations for the design of proxy-based circumvention systems.

查看原文本刊更多论文

网关上的敌人:使用博弈论的审查弹性代理分配

流行的基于代理的翻墙系统(如Tor)使用的核心技术是在被审查的客户端之间私下和有选择地分发翻墙代理的IP地址，以使审查者不知道它们。例如，在Tor中，这种私人共享的代理被称为桥接。这种机制面临的一个关键挑战是内部攻击问题:审查代理可以冒充被审查的良性客户端，以便学习(然后阻止)私有共享的规避代理。为了最大限度地降低内部攻击威胁的风险，像Tor这样的野外规避系统使用各种代理分配机制，以最大限度地降低审查者代理枚举的风险，同时提供对大部分审查客户端的访问。不幸的是，现有的代理分配机制(如Tor所使用的)是基于临时启发式的，无法提供理论上的保证，并且在实践中很容易被规避。本文通过建立一个博弈论框架，系统地研究了规避系统中的代理分配问题。本文将代理分配问题建模为规避系统操作者与审查者之间的博弈，并利用博弈论推导出双方的最优策略。使用我们的框架，我们推导了在最强审查对手存在的情况下，像Tor这样的规避系统的最佳(最优)代理分配机制，该对手采取了最好的审查行动。我们进行了大量的模拟来评估我们在各种对抗和网络设置下的最佳代理分配算法。我们表明，与目前的技术水平相比，该算法具有优越的性能，即即使面对最强的审查对手，也能提供更强的审查阻力。我们的研究建立了一个通用的最优代理分配框架，可以应用于各种类型的规避系统和各种威胁模型。最后，我们对基于代理的规避系统的设计提出了经验教训和建议。

本文章由计算机程序翻译，如有差异，请以英文原文为准。

求助全文

约1分钟内获得全文求助全文

来源期刊

Proceedings 2019 Network and Distributed System Security Symposium

自引率

0.00%

发文量