VaulTor: Putting the TEE in Tor

Humza Ikram, Rumaisa Habib, Muaz Ali, Zartash Afzal Uzmi

TL;DR

VaulTor addresses the risk of deanonymizing Hidden Services on Tor by introducing a vault as a new trusted actor that hosts HS content inside a Trusted Execution Environment, thereby reducing the HS provider’s uptime requirements and exposure. The approach preserves client anonymity and maintains Tor’s latency characteristics while enabling dynamic content and backward compatibility, using a Vault Contact Hidden Service and a Host Program running within an enclave. The authors provide a detailed protocol for HP creation and bootstrapping, a rigorous threat model, and an evaluation showing only modest performance overhead ($\text{TTFB}$ up to $5.7\%$, $\text{TTLB}$ up to $2.9\%$) in real Tor scenarios. They also discuss deployment strategies, incentives, and privacy considerations, arguing that TEEs offer robust protection against a range of attacks and can adapt to future TEE technologies, making VaulTor a practical path toward stronger HS anonymity with minimal client impact.

Abstract

Online services that desire to operate anonymously routinely host themselves as 'Hidden Services' in the Tor network. However, these services are frequently threatened by deanonymization attacks, whereby their IP address and location may be inferred by the authorities. We present VaulTor, a novel architecture for the Tor network to ensure an extra layer of security for the Hidden Services against deanonymization attacks. In this new architecture, a volunteer (vault) is incentivized to host the web application content on behalf of the Hidden Service. The vault runs the hosted application in a Trusted Execution Environment (TEE) and becomes the point of contact for interested clients. This setup can substantially reduce the uptime requirement of the original Hidden Service provider and hence significantly decrease the chance of deanonymization attacks against them. We also show that the VaulTor architecture does not cause any noticeable performance degradation in accessing the hosted content (the performance degradation ranges from 2.6-5.5%).

Paper Structure

This paper contains 40 sections, 5 figures, 1 table, 1 algorithm.

Figures (5)

  • Figure 1: The current implementation of hidden services. Red paths represent information flow through Tor circuits with 6 nodes. Green paths represent information flow through Tor circuits with three nodes. Blue paths represent information flow through Tor circuits with only two nodes.
  • Figure 2: Our proposed implementation. Red paths represent information flow through Tor circuits with 6 nodes. The data inside the enclave is secure and information flow through the arrows is encrypted, i.e., the vault owner cannot interpret it.
  • Figure 3: Our proposed implementation. Red paths represent 6-node circuits and green paths represent 3-node circuits.
  • Figure 4: The steps taken in order for an HS provider to trust and upload to a vault.
  • Figure 5: Time to first byte (TTFB) and time to last byte (TTLB) for webpages with varying page sizes without and within a TEE. Error bars represent 99% confidence intervals.