| The Tor anonymity network relies heavily on volunteer-owned and operated resources to service millions of users each day. Consequently, it needs to manage these resources efficiently while addressing challenges to its robustness and utility. Many challenges faced by Tor arise from a deficit of trust in three entities---relay operators responsible for managing the relays through which Tor traffic flows, Autonomous Systems (ASes) that own the networks in which relays operate, and users interacting with the Internet via the Tor network. Specifically, relay operators may use traffic flow characteristics to identify the content accessed by a Tor user, ASes may place themselves in positions to exactly identify Tor users and the servers being accessed by them, network-level adversaries (e.g., ASes on behalf of restrictive governments) may reduce the utility of the network by identifying and blocking Tor traffic, and users may misuse the anonymity provided by the network.;In this dissertation, we address each of these threats. In particular, we present (1) traffic flow modification strategies to counter the threat from relay-level and eavesdropping adversaries, (2) relay selection strategies that utilize the state-of-the-art in Internet measurement to mitigate the threat of deanonymization by network-level adversaries, (3) an extensible covert-channel construc- tion framework that addresses the threat of blocking by network-level adversaries by reversing the resource imbalance in the arms race between censors and circumvention tool developers, and (4) measurements that quantify server-side discrimination faced by legitimate Tor users as a consequence of abusive behavior from malicious users of the network.;At a high-level, this dissertation presents theoretically and empirically derived ideas for in- creasing the robustness of any network. The proposed flow modification strategies demonstrate how provably secure traffic correlation defenses can be bootstrapped even with limited bandwidth resources. Our relay selection strategies show how to prevent traffic correlation attacks by utilizing network measurement research to route around adversaries and without requiring changes to the network infrastructure. Our covert-channel framework illustrates how appropriate protocol selec- tion can make blocking of communication more expensive for censors. Finally, our measurements of server-side discrimination show one of the costs of anonymous communication in a public network. |
