DOI: 10.1145/1180405.1180410

Hot or not: Revealing hidden services by their clock skew

Published: 30 October 2006

Abstract

Location-hidden services, as offered by anonymity systems such as Tor, allow servers to be operated under a pseudonym. As Tor is an overlay network, servers hosting hidden services are accessible both directly and over the anonymous channel. Traffic patterns through one channel have observable effects on the other, thus allowing a service's pseudonymous identity and IP address to be linked. One proposed solution to this vulnerability is for Tor nodes to provide fixed quality of service to each connection, regardless of other traffic, thus reducing capacity but resisting such interference attacks. However, even if each connection does not influence the others, total throughput would still affect the load on the CPU, and thus its heat output. Unfortunately for anonymity, the result of temperature on clock skew can be remotely detected through observing timestamps. This attack works because existing abstract models of anonymity-network nodes do not take into account the inevitable imperfections of the hardware they run on. Furthermore, we suggest the same technique could be exploited as a classical covert channel and can even provide geolocation.

Published In

CCS '06: Proceedings of the 13th ACM conference on Computer and communications security
October 2006
434 pages
ISBN:1595935185
DOI:10.1145/1180405

Publisher

Association for Computing Machinery

New York, NY, United States

Author Tags

  1. Tor
  2. anonymity
  3. clock skew
  4. covert channels
  5. fingerprinting
  6. mix networks
  7. temperature

Qualifiers

  • Article

Conference

CCS06
CCS06: 13th ACM Conference on Computer and Communications Security 2006
October 30 - November 3, 2006
Virginia, Alexandria, USA

Acceptance Rates

Overall Acceptance Rate 1,261 of 6,999 submissions, 18%
