TY - JOUR
T1 - Leaving timing-channel fingerprints in hidden service log files
AU - Shebaro, Bilal
AU - Perez-Gonzalez, Fernando
AU - Crandall, Jedidiah R.
N1 - Funding Information:
This material is based upon work supported by the National Science Foundation under Grant No. 0905177, by Xunta de Galicia under Projects 07TIC012322 PR (FACTICA), 2006/150 (“Consolidation of Research Units”), and by the Spanish Ministry of Science and Innovation under projects COMONSENS (ref. CSD2008-00010) of the CONSOLIDER-INGENIO 2010 Program. We would also like to thank the DFRWS anonymous reviewers and others who gave valuable input, and George Kelbley and Jeff Bowles for providing web server data.
PY - 2010/8
Y1 - 2010/8
AB - Hidden services are anonymously hosted services that can be accessed over an anonymity network, such as Tor. While most hidden services are legitimate, some host illegal content. There has been a fair amount of research on locating hidden services, but an open problem is to develop a general method to prove that a physical machine, once confiscated, was in fact the machine that had been hosting the illegal content. In this paper we assume that the hidden service logs requests with some timestamp, and give experimental results for leaving an identifiable fingerprint in this log file as a timing channel that can be recovered from the timestamps. In 60 min, we are able to leave a 36-bit fingerprint that can be reliably recovered. The main challenges are the packet delays caused by the anonymity network that requests are sent over and the existing traffic in the log from the actual clients accessing the service. We give data to characterize these noise sources and then describe an implementation of timing-channel fingerprinting for an Apache web server based hidden service on the Tor network, where the fingerprint is an additive channel that is superencoded with a Reed-Solomon code for reliable recovery. Finally, we discuss the inherent tradeoffs and possible approaches to making the fingerprint more stealthy.
KW - Fingerprints
KW - Hidden services
KW - Timestamps
KW - Timing channel
KW - Tor network
UR - http://www.scopus.com/inward/record.url?scp=77955395852&partnerID=8YFLogxK
UR - http://www.scopus.com/inward/citedby.url?scp=77955395852&partnerID=8YFLogxK
U2 - 10.1016/j.diin.2010.05.013
DO - 10.1016/j.diin.2010.05.013
M3 - Article
AN - SCOPUS:77955395852
SN - 1742-2876
VL - 7
SP - S104-S113
JO - Digital Investigation
JF - Digital Investigation
IS - SUPPL.
ER -