Open Monitoring research
  • Open Issue created by micah

    Need

    We need to develop a process to monitor and track papers relevant to Tor. This will help us discover important research that might otherwise fall through the cracks.

    To ensure we don't miss important research, we need to come up with a system or process for:

    • Tracking academic papers related to Tor.
    • Monitoring key conferences that publish relevant research in areas like security, anonymity, and privacy.
    • Identifying and operationalizing relevant papers so that there is a clear pipeline for the process.

    This could involve automating the process of discovering relevant papers by monitoring paper repositories (e.g., arXiv), identifying a person to bottom-line looking over relevant conference proceedings, and improving collaboration with conference organizers to improve communication with us about Tor-related research.

    Background

    There is a large number of academic researchers working in areas such as anonymity, security, privacy, and performance who occasionally produce research relevant to Tor. In some cases, critical security vulnerabilities are revealed through these papers.

    • Best case scenario: Researchers who identify security vulnerabilities follow responsible disclosure practices, contacting us in advance of publication. This gives us a chance to address the issue before it is revealed to the public (e.g. Issue #40969 which was initially reported to us through the HackerOne program).
    • Worst case scenario: We only learn about vulnerabilities after the paper has been published, sometimes months later (e.g. Issue #40996 which was published in March but only came to our attention in December).

    Historically, there was a role called "Research Director" (held by @mikeperry) that was responsible for tracking relevant papers. Mike would sift through papers to identify those worth paying attention to. However, this process had some challenges:

    • Around 90% of the papers were not relevant or actionable, although we have benefited immensely from research
    • There was a non-trivial amount of papers to work through
    • A significant amount of time was spent communicating with researchers who provided feedback, but often the researchers would not follow through or produce useful results
    • This was not his only role, and thus competed for time

    In addition to this, @arma and @nickm (along with others in our broader network) participate in paper selection for various relevant conferences, with @arma attending many conferences in person. Roger does talk to people about research papers at conferences he does attend, and when he learns about ones that people are talking about, he tries to figure out their relevance. For example, Nick Hopper had a paper at PETS this year with a new website fingerprinting defense; Roger talked to him about it, and Nick Hopper told him that it wasn't something we should build because there is already a new attack paper recently that invalidates most of the defenses, so this was not escalated into Tor.

    Roger did make a list of 2024 USENIX security papers that he thought people might find interesting; it was sent to comms@ and to tor-dev@, but it is nobody's role to act on that. It should be mentioned that he does not always attend USENIX Security (it often conflicts with Defcon).

    In some cases, we have solid connections to the research community, and those people have been good at communicating with us about their research, or other relevant research in the field they have come across.

    One example is the HSDirSniper paper, which:

    • Was not published on arXiv.
    • The researchers did not contact us in advance.
    • It appeared at a fairly obscure, third-tier conference (WWW), which is not even a security conference. This made discovering the paper non-trivial, as it’s difficult to monitor everything manually without automation.

    Roger, along with others, used to regularly maintain anonbib, which as a project is hosted here; however, anonbib has not been properly maintained since around 2018. It has papers since 2018, but there are many papers missing.

    Conferences to Monitor

    Below is a list of conferences that produce papers relevant to Tor, ranked by their importance and relevance:

    Tier 1

    • Usenix Security
    • PETS (Privacy Enhancing Technologies)
    • IEEE Security and Privacy

    Tier 2

    • ACM CCS (Conference on Computer and Communications Security)
    • ACM WPES (Workshop on Privacy in the Electronic Society)
    • ACSAC (Annual Computer Security Applications Conference)
    • Usenix NDSS (Network and Distributed System Security Symposium)
    • FOCI (International Workshop on Foundations of Computer Security)

    Tier 3

    • Internet Measurement Conference (IMC)
    • Financial Cryptography

    Next Steps

    We need to discuss and implement a solution to monitor the above conferences more effectively. It would be ideal if we had a clear pipeline inside the organization to identify relevant research, ingest it, analyze its impacts on our products, and potentially take action, as necessary.

    Edited by micah