CS294S Research Project in Computer Security

Lightweight and Modular Proxy

Yiannis



Contents

  1. Description
  2. How it Works
  3. How to Use It

Description

This project aims to provide a lightweight "bridge/proxy" to allow users in censored areas to access the Internet. In particular, we target commercially available Access Points to allow users to contribute to the Tor network using their always-on, low cost, home gateways. We show how such a bridge can be used to access the Tor network or specific websites.

How It Works

Background

A Tor relay (or bridge) can be either a dedicated server or a user's laptop/PC that acts as a relay while the user is on the Tor network. The former introduces a significant barrier to running a Tor relay, while the latter results in transient nodes with limited uptime and requires continuous configuration for NAT traversal, etc. Our goal is to make it easier for somebody to contribute to such networks. We note that most users own a network gateway at home (router/wireless AP) which, while limited in resources (~4/8 MB flash, 8/16 MB RAM), is always on. Torouter builds a Tor relay for such devices, but it is limited to a few high-end models, as a full Tor relay requires more resources than are typically found in these boxes.

Overview

We note that networks like Tor provide two main benefits to the end user: i) connectivity through firewalls in censored areas, and ii) anonymity, which prevents the user from being detected/tracked. Focusing on connectivity, we build a lightweight bridge that allows users in censored areas to reach the Tor network. The bridge doesn't do onion routing, only simple proxying between the user and the Tor network, with added capabilities for rate-limiting and admission control. It can also be easily extended to carry traffic other than Tor, for example direct access to blocked websites.

System Details

The user within the censored area asks the bridge to create a tunnel of type TOR to a selected Tor relay. The bridge holds the latest consensus from the Tor directories, which lists the valid relay nodes. It checks the Tor client's tunnel request against this list, grants or rejects the request, and creates the tunnel accordingly. Similarly, the user may ask for a tunnel of type WEB, which the bridge checks against a list of IP/domain-based rules.
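The admission check described above, as an added Python sketch that is not the project's own code. It assumes the request arrives as a SOCKS4 CONNECT, that the tunnel type is passed in by the caller (the page does not say how it is signalled), and that WEB rules are IP networks only; `load_relays`, `parse_socks4_connect` and `admit` are hypothetical names.

```python
import ipaddress
import struct

# Constructed consensus excerpt (documentation-range addresses, not real relays).
SAMPLE_CONSENSUS = """\
r relayA AAAAAAAAAAAAAAAAAAAAAAAAAAA BBBBBBBBBBBBBBBBBBBBBBBBBBB 2011-05-01 12:00:00 192.0.2.10 9001 9030
s Fast Running Valid
r relayB CCCCCCCCCCCCCCCCCCCCCCCCCCC DDDDDDDDDDDDDDDDDDDDDDDDDDD 2011-05-01 12:00:00 198.51.100.7 443 0
s Running Valid
"""

def load_relays(consensus_text):
    """Collect (IPv4 address, ORPort) pairs from the consensus 'r' lines."""
    relays = set()
    for line in consensus_text.splitlines():
        f = line.split()
        # r <nickname> <identity> <digest> <date> <time> <IP> <ORPort> <DirPort>
        if len(f) >= 9 and f[0] == "r":
            relays.add((ipaddress.IPv4Address(f[6]), int(f[7])))
    return relays

def parse_socks4_connect(req):
    """Return (ip, port) from a SOCKS4 CONNECT request, or raise ValueError."""
    if len(req) < 9 or req[-1] != 0:      # 8-byte header + NUL-terminated user id
        raise ValueError("truncated request")
    vn, cd, port, raw_ip = struct.unpack("!BBH4s", req[:8])
    if vn != 4 or cd != 1:                # version 4, command 1 = CONNECT
        raise ValueError("not a SOCKS4 CONNECT")
    return ipaddress.IPv4Address(raw_ip), port

def admit(tunnel_type, req, relays, web_rules=()):
    """Return the 8-byte SOCKS4 reply: code 90 = granted, 91 = rejected."""
    try:
        ip, port = parse_socks4_connect(req)
    except ValueError:
        return struct.pack("!BBH4s", 0, 91, 0, bytes(4))
    if tunnel_type == "TOR":              # destination must be a listed relay
        ok = (ip, port) in relays
    elif tunnel_type == "WEB":            # destination must match an IP rule
        ok = any(ip in net for net in web_rules)
    else:                                 # unknown tunnel types are denied
        ok = False
    return struct.pack("!BBH4s", 0, 90 if ok else 91, port, ip.packed)
```

Matching on both address and ORPort keeps a TOR tunnel from being used to reach other services on a relay's host, and anything that fails to parse is rejected rather than forwarded.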

How to Use It

The bridge is available as an OpenWrt application. OpenWrt is a Linux distribution for home gateways. Source code and links for pre-compiled package/firmware are available here.
To connect your Tor client or Web browser (tested with Firefox) to the bridge, set your proxy configuration to the bridge's IP:port address under the SOCKS4 option.