Recently there has been a new kind of attacks, browser-based attacks, against anonymous communication systems, such as Tor. This kind of attacks exploits JavaScript in the browser or the HTML meta refresh to generate some predefined signals to correlate users and their visited websites. A novel and efficient defense against such attacks is proposed in this paper. Our main observation is that the attacker must generate enough signals from the client site (the browser) to correlate the user and the website while we can detect the attack at the client site. More specifically, when a user is browsing a specific website and a browser-based attack is in progress, the number of outgoing flows and the total byte counts generated by the browser should be much larger compared with the normal browsing behavior. So we can set up fingerprints (number of outgoing flows and total byte counts) for normal browsing of web pages for a period of time and utilize these fingerprints to detect browser-based attacks. We have also found that some JavaScript codes must be executed many times if the attacker uses JavaScript to communicate. We have modified the Mozilla Firefox JavaScript engine to audit execution times of JavaScript code to defend these attacks, including browser-based attacks.
Towards an Analysis of Passive Attacks on Anonymous Communication Systems
