Using Dust Clouds toEnhance Anonymous Communication

Richard Mortier

, Anil Madhavapeddy

, Theodore Hong

, and Derek Murray

Horizon Digital Economy ResearchSir Colin Campbell Building, Triumph RoadNottingham NG7 2TU, UK

richard.mortier@nottingham.ac.uk

University of Cambridge15 JJ Thomson AvenueCambridge CB3 0FD, UK

firstname.lastname@cl.cam.ac.uk

1 Introduction

Cloud computing platforms, such as Amazon EC2 [1], enable customers to leaseseveral

virtual machines

(VMs) on a per-hour basis. The customer can nowobtain a dynamic and diverse collection of machines spread across the world.In this paper we consider how this aspect of cloud computing can facilitateanonymous communications over untrusted networks such as the Internet, anddiscuss some of the challenges that arise as a result.Most anonymous networks act as a

mix network

, creating hard-to-trace com-munications by using chains of proxy servers. For example, Mixmaster

is ananonymous remailer based on the mix-net protocol [2], MorphMix [10] is a peer-to-peer circuit-based mix network, and the popular Tor [4] network is onionrouted.Tor faces a major challenge: the pool of nodes available to route other people’straffic is limited. Individuals often desire anonymity for their communications,but they may be unwilling to route other (potentially illegal) traffic throughtheir personal machines, and expose themselves to legal action in doing so. Inaddition, user-provided nodes are often short-lived and unreliable because theyrun on home machines or laptops, which can only route traffic when they arepowered on and connected to the Internet.In this position paper, we introduce the concept of a

dust cloud

: a dynamicset of short-lived VMs that run on cloud computing platforms and act as Tornodes. Users can join a dust cloud when they require anonymous communication,and incur charges only while participating. We outline the core architectureand beneﬁts of dust clouds (

2), before considering some of the challenges forsuccessful adoption of dust clouds and suggesting avenues for development andresearch (

3).

http://mixmaster.sourceforge.net/

2 Dust Clouds

HostAA'A''B'XHostBXX

Fig.1.

Dynamic VM-based Tor nodes in the cloud. Host A spawns two VMs (



and



) and Host B spawns a single VM (



). All VMs are full Tor routers.

To use a dust cloud, we assume that users have access to public cloud com-puting facilities, e.g., Amazon EC2 or Rackspace. When a user wants to commu-nicate anonymously, they spawn one or more

dust motes

, cloud VMs that runTor and are configured to survive for fixed periods of time (possibly all different).These Tor nodes receive the user’s traffic as possible ingress points, as well asrouting for other nodes as normal. When the user finishes communicating viaa particular dust mote, they disconnect from it, leaving it to continue routingother traffic until its allotted time expires and it is destroyed.

How is this better than the existing model of the user’s host directly actingas a router?

Privilege Separation.

It is no longer the user’s host computer that routes othertraffic in the Tor network, but their dust motes instead. In case of, for example,complaints about abuse originating from the user’s Tor node [8], the user canterminate the dust mote and demonstrate from the code image (also hosted onthe cloud) that the offending traffic came from a participant in the mix network.This is considerably more difficult to do when Tor is installed directly on apersonal computer, which typically have multiple applications that can generatetraffic. Privilege separation also makes it more convenient for users to run exitrouters, an important benefit as the Tor network currently suffers from a lack of exit bandwidth.

A real-world analogue uses ionization trails of meteors during atmospheric entry toestablish short-lived communications paths [7].

Storage Separation.

A dust mote can run independent processing and has somestorage, enabling it to buffer traffic to improve mixing. Doing this efficientlyrequires protocol proxies inside the dust mote that understand the applicationtraffic to some extent. For example, an SMTP proxy could receive e-mail, andhold it for a random amount of time before passing it along to the next Tor node.Crucially, this delay does not require the user to be online and connected—thedust mote continues running for its allotted time without the original user beingconnected.

Processor Separation.

Running proxies alongside nodes enables other interestinguse models. Streaming large video files is currently impractical since the regulartraffic patterns and limited node bandwidth make anonymising the paths diffi-cult. Viewing a long video or, more generally, performing any long-lived transferover Tor makes it easier for an adversary to perform a timing correlation attack.If the user requests the content in advance, the dust mote can cache the con-tent from the origin server. The user then re-connects to Tor and retrieves thecontent for offline viewing anonymously, but without having to be online whileit is assembled. Similar methods work for PDF files (HTTP range requests) andpeer-to-peer networks, since the dust mote’s local storage can serve as a buffer.For the truly paranoid, the dust mote could even connect to Freenet [3] to storeits data.One extremely useful combination of streaming and clouds might be to pro-vide anonymous audio, and even video, conferences. Self-organising transcodingsystems have been proposed to let real-time audio scale with network capacityin multicast trees [6]. These can be adapted for scaling with

anonymity

in mind,by introducing jitter when routing audio to the participants so that everyonereceives a slightly diﬀerent signal. The CPU capacity for this would be providedby dust motes owned by those participating in the call.

Usage Accounting.

Each dust mote that the user creates is paid for, and helps togrow the network as well as anonymise that user’s traﬃc. Thus, a heavy user willnaturally pay more by spawning more dust motes, and since these dust motes

must

route other user’s traﬃc in order to preserve anonymity, it also helps togrow the network as a whole.

Ease of Use.

The provision of pre-conﬁgured VM templates makes it easy tocreate and destroy Tor nodes in the cloud. Ease of use is important for mixnetworks in order to grow the set of users, and hence the size of the anonymityset and the relay bandwidth available. Using pre-deﬁned templates which canclearly be shown to act

only

as Tor nodes and

not

to manipulate the data alsohelps to achieve plausible deniability.