Logo
ScienceStack
Table of Contents
Fetching ...
Sign In

ParTEETor: A System for Partial Deployments of TEEs within Tor

Rachel King, Quinn Burke, Yohan Beugin, Blaine Hoak, Kunyang Li, Eric Pauley, Ryan Sheatsley, Patrick McDaniel

TL;DR

ParTEETor tackles the realism gap in deploying trusted execution environments (TEEs) for Tor by enabling partial, incremental TEE deployments. It introduces non-policy and policy modes, an attack-to-TEE mapping, and an extended relay selection algorithm that can enforce security policies while preserving performance. Through a Python-based simulator over multiple deployment scenarios, the study shows that even with modest TEE penetration ($p$ around 10–20%), users gain protection against multiple attack classes with Tor-like throughput, and policy enforcement can maintain reasonable privacy despite reduced circuit availability. The work demonstrates that TEEs can meaningfully enhance Tor’s security and privacy in practice, motivating gradual adoption by relay operators and informing design trade-offs in deployment strategies.

Abstract

The Tor anonymity network allows users such as political activists and those under repressive governments to protect their privacy when communicating over the internet. At the same time, Tor has been demonstrated to be vulnerable to several classes of deanonymizing attacks that expose user behavior and identities. Prior work has shown that these threats can be mitigated by leveraging trusted execution environments (TEEs). However, previous proposals assume that all relays in the network will be TEE-based-which as a practical matter is unrealistic. In this work, we introduce ParTEETor, a Tor-variant system, which leverages partial deployments of TEEs to thwart known attacks. We study two modes of operation: non-policy and policy. Non-policy mode uses the existing Tor relay selection algorithm to provide users incident security. Policy mode extends the relay selection algorithm to address the classes of attacks by enforcing a specific TEE circuit configuration. We evaluate ParTEETor for security, performance, and privacy. Our evaluation demonstrates that at even a small TEE penetration (e.g., 10% of relays are TEE-based), users can reach performance of Tor today while enforcing a security policy to guarantee protection from at least two classes of attacks. Overall, we find that partial deployments of TEEs can substantially improve the security of Tor, without a significant impact on performance or privacy.

ParTEETor: A System for Partial Deployments of TEEs within Tor

TL;DR

ParTEETor tackles the realism gap in deploying trusted execution environments (TEEs) for Tor by enabling partial, incremental TEE deployments. It introduces non-policy and policy modes, an attack-to-TEE mapping, and an extended relay selection algorithm that can enforce security policies while preserving performance. Through a Python-based simulator over multiple deployment scenarios, the study shows that even with modest TEE penetration ( around 10–20%), users gain protection against multiple attack classes with Tor-like throughput, and policy enforcement can maintain reasonable privacy despite reduced circuit availability. The work demonstrates that TEEs can meaningfully enhance Tor’s security and privacy in practice, motivating gradual adoption by relay operators and informing design trade-offs in deployment strategies.

Abstract

The Tor anonymity network allows users such as political activists and those under repressive governments to protect their privacy when communicating over the internet. At the same time, Tor has been demonstrated to be vulnerable to several classes of deanonymizing attacks that expose user behavior and identities. Prior work has shown that these threats can be mitigated by leveraging trusted execution environments (TEEs). However, previous proposals assume that all relays in the network will be TEE-based-which as a practical matter is unrealistic. In this work, we introduce ParTEETor, a Tor-variant system, which leverages partial deployments of TEEs to thwart known attacks. We study two modes of operation: non-policy and policy. Non-policy mode uses the existing Tor relay selection algorithm to provide users incident security. Policy mode extends the relay selection algorithm to address the classes of attacks by enforcing a specific TEE circuit configuration. We evaluate ParTEETor for security, performance, and privacy. Our evaluation demonstrates that at even a small TEE penetration (e.g., 10% of relays are TEE-based), users can reach performance of Tor today while enforcing a security policy to guarantee protection from at least two classes of attacks. Overall, we find that partial deployments of TEEs can substantially improve the security of Tor, without a significant impact on performance or privacy.
Paper Structure (20 sections, 11 figures, 2 tables, 1 algorithm)

This paper contains 20 sections, 11 figures, 2 tables, 1 algorithm.

Table of Contents

  1. Introduction
  2. Background
  3. System Overview
  4. Mapping Attacks to Circuit Protection
  5. Replay Attack
  6. Onion Services Attack
  7. Fingerprinting Attack
  8. Bad Apple Attack
  9. Bandwidth Inflation Attack
  10. ParTEETor
  11. Circuit Security Policy
  12. Extended Relay Selection Algorithm
  13. Deployment Scenarios
  14. Evaluation
  15. Experiment Setup
  16. ...and 5 more sections

Figures (11)

  • Figure 1: ParTEETor, a partial deployment of TEE-based relays in the Tor network.
  • Figure 2: Replay Attack Scenario
  • Figure 3: Onion Services Attack Scenario
  • Figure 4: Fingerprinting Attack Scenario
  • Figure 5: Bad Apple Attack Scenario
  • ...and 6 more figures