Code to track success/failure rates of circuits built through different tor nodes, in an attempt to detect attacks where an attacker deliberately causes circuits to fail until the client choses a path they like. More...
#include "or.h"#include "channel.h"#include "circpathbias.h"#include "circuitbuild.h"#include "circuitlist.h"#include "circuituse.h"#include "circuitstats.h"#include "connection_edge.h"#include "config.h"#include "crypto_rand.h"#include "entrynodes.h"#include "networkstatus.h"#include "relay.h"
Functions | |
| double | pathbias_get_extreme_rate (const or_options_t *options) |
| int | pathbias_get_dropguards (const or_options_t *options) |
| double | pathbias_get_extreme_use_rate (const or_options_t *options) |
| const char * | pathbias_state_to_string (path_state_t state) |
| int | pathbias_count_build_attempt (origin_circuit_t *circ) |
| void | pathbias_count_build_success (origin_circuit_t *circ) |
| void | pathbias_count_use_attempt (origin_circuit_t *circ) |
| void | pathbias_mark_use_success (origin_circuit_t *circ) |
| void | pathbias_mark_use_rollback (origin_circuit_t *circ) |
| int | pathbias_check_probe_response (circuit_t *circ, const cell_t *cell) |
| int | pathbias_check_close (origin_circuit_t *ocirc, int reason) |
| void | pathbias_count_timeout (origin_circuit_t *circ) |
| double | pathbias_get_close_success_count (entry_guard_t *guard) |
| double | pathbias_get_use_success_count (entry_guard_t *guard) |
Detailed Description
Code to track success/failure rates of circuits built through different tor nodes, in an attempt to detect attacks where an attacker deliberately causes circuits to fail until the client choses a path they like.
This code is currently configured in a warning-only mode, though false positives appear to be rare in practice. There is also support for disabling really bad guards, but it's quite experimental and may have bad anonymity effects.
The information here is associated with the entry_guard_t object for each guard, and stored persistently in the state file.
Function Documentation
◆ pathbias_check_close()
| int pathbias_check_close | ( | origin_circuit_t * | ocirc, |
| int | reason | ||
| ) |
Check if a circuit was used and/or closed successfully.
If we attempted to use the circuit to carry a stream but failed for whatever reason, or if the circuit mysteriously died before we could attach any streams, record these two cases.
If we have successfully used the circuit, or it appears to have been closed by us locally, count it as a success.
Returns 0 if we're done making decisions with the circ, or -1 if we want to probe it first.
◆ pathbias_check_probe_response()
Check the response to a pathbias probe, to ensure the cell is recognized and the nonce and other probe characteristics are as expected.
If the response is valid, return 0. Otherwise return < 0.
◆ pathbias_count_build_attempt()
| int pathbias_count_build_attempt | ( | origin_circuit_t * | circ | ) |
Check our circuit state to see if this is a successful circuit attempt. If so, record it in the current guard's path bias circ_attempt count.
Also check for several potential error cases for bug #6475.
◆ pathbias_count_build_success()
| void pathbias_count_build_success | ( | origin_circuit_t * | circ | ) |
Check our circuit state to see if this is a successful circuit completion. If so, record it in the current guard's path bias success count.
Also check for several potential error cases for bug #6475.
◆ pathbias_count_timeout()
| void pathbias_count_timeout | ( | origin_circuit_t * | circ | ) |
Count timeouts for path bias log messages.
These counts are purely informational.
◆ pathbias_count_use_attempt()
| void pathbias_count_use_attempt | ( | origin_circuit_t * | circ | ) |
Record an attempt to use a circuit. Changes the circuit's path state and update its guard's usage counter.
Used for path bias usage accounting.
◆ pathbias_get_close_success_count()
| double pathbias_get_close_success_count | ( | entry_guard_t * | guard | ) |
Return the number of circuits counted as successfully closed for this guard.
Also add in the currently open circuits to give them the benefit of the doubt.
◆ pathbias_get_dropguards()
| int pathbias_get_dropguards | ( | const or_options_t * | options | ) |
If 1, we actually disable use of guards that fall below the extreme_pct.
◆ pathbias_get_extreme_rate()
| double pathbias_get_extreme_rate | ( | const or_options_t * | options | ) |
The extreme rate is the rate at which we would drop the guard, if pb_dropguard is also set. Otherwise we just warn.
◆ pathbias_get_extreme_use_rate()
| double pathbias_get_extreme_use_rate | ( | const or_options_t * | options | ) |
The extreme use rate is the rate at which we would drop the guard, if pb_dropguard is also set. Otherwise we just warn.
◆ pathbias_get_use_success_count()
| double pathbias_get_use_success_count | ( | entry_guard_t * | guard | ) |
Return the number of circuits counted as successfully used this guard.
Also add in the currently open circuits that we are attempting to use to give them the benefit of the doubt.
◆ pathbias_mark_use_rollback()
| void pathbias_mark_use_rollback | ( | origin_circuit_t * | circ | ) |
If a stream ever detatches from a circuit in a retriable way, we need to mark this circuit as still needing either another successful stream, or in need of a probe.
An adversary could let the first stream request succeed (ie the resolve), but then tag and timeout the remainder (via cell dropping), forcing them on new circuits.
Rolling back the state will cause us to probe such circuits, which should lead to probe failures in the event of such tagging due to either unrecognized cells coming in while we wait for the probe, or the cipher state getting out of sync in the case of dropped cells.
◆ pathbias_mark_use_success()
| void pathbias_mark_use_success | ( | origin_circuit_t * | circ | ) |
Check the circuit's path state is appropriate and mark it as successfully used. Used for path bias usage accounting.
We don't actually increment the guard's counters until pathbias_check_close(), because the circuit can still transition back to PATH_STATE_USE_ATTEMPTED if a stream fails later (this is done so we can probe the circuit for liveness at close).
◆ pathbias_state_to_string()
| const char* pathbias_state_to_string | ( | path_state_t | state | ) |
Convert a Guard's path state to string.
