Leaving timing-channel fingerprints in hidden service log files

Bilal Shebaro, Fernando Perez-Gonzalez, Jedidiah R. Crandall

Research output: Contribution to journalArticlepeer-review

10 Scopus citations

Abstract

Hidden services are anonymously hosted services that can be accessed over an anonymity network, such as Tor. While most hidden services are legitimate, some host illegal content. There has been a fair amount of research on locating hidden services, but an open problem is to develop a general method to prove that a physical machine, once confiscated, was in fact the machine that had been hosting the illegal content. In this paper we assume that the hidden service logs requests with some timestamp, and give experimental results for leaving an identifiable fingerprint in this log file as a timing channel that can be recovered from the timestamps. In 60 min, we are able to leave a 36-bit fingerprint that can be reliably recovered. The main challenges are the packet delays caused by the anonymity network that requests are sent over and the existing traffic in the log from the actual clients accessing the service. We give data to characterize these noise sources and then describe an implementation of timing-channel fingerprinting for an Apache web server based hidden service on the Tor network, where the fingerprint is an additive channel that is superencoded with a Reed-Solomon code for reliable recovery. Finally, we discuss the inherent tradeoffs and possible approaches to making the fingerprint more stealthy.

Original languageEnglish (US)
Pages (from-to)S104-S113
JournalDigital Investigation
Volume7
Issue numberSUPPL.
DOIs
StatePublished - Aug 2010
Externally publishedYes

Keywords

  • Fingerprints
  • Hidden services
  • Timestamps
  • Timing channel
  • Tor network

ASJC Scopus subject areas

  • Pathology and Forensic Medicine
  • Information Systems
  • Computer Science Applications
  • Medical Laboratory Technology
  • Law

Fingerprint

Dive into the research topics of 'Leaving timing-channel fingerprints in hidden service log files'. Together they form a unique fingerprint.

Cite this