GitHunt
FR

frochet/routesim

Behavioral simulator for security evaluation of continuous-time mixnets -- Published in ACM ACSAC'22

Context

Anonymous communication network designs exist in different flavors to defend
different threat models with various adversarial strengths. Tor is an example of
extremely performant design that probabilistically resists local
adversaries to some extent, but does not offer a security guarantee against a global
passive adversary (GPA). At the other end of this spectrum, academic proposals
such as Atom or XRD offer provable security against both a GPA and
local attackers, such as insiders (i.e., a fraction of the network controlled
by the adversary). However, those designs pay a significant performance penalty,
limiting their appeal. In between these two types of systems, we also find designs
based on continuous-time mixing, such as Loopix or Nym, which are not provably secure against a GPA but
may be stronger than Tor. Yet like Tor, they also probabilistically
resist local adversaries only to some extent, i.e., the probability to get
compromised in reality is not negligible.

routesim is a tool to analyze and evaluate continuous-time mixing designs (such as Loopix/Nym) and measures their ability to
resist the insider threat, i.e. an adversary running nodes in the network
and actively trying to deanonymize their users. With routesim, it is possible to test subtle design decisions and have a precise understanding
of how they impact users' anonymity. As a user of a given anonymity network, it
is also possible to use routesim to simulate their own behavior and evaluate its
impact. This could be useful, for example, for a whistleblower to verify and
adapt their behavior to minimize chances to get deanonymized while
communicating critical information.

Routesim -- Technical goal

This is a behavioural simulator for user activity in a continuous-time Mixnet. The objective of
this tool is to evaluate the probability of a deanonymization through time,
assuming some level of adversarial activity among the mixes. This probability
of deanonymization is determined by the user behaviour (i.e., how many messages
the user sends, and their sending volume distribution through time).

This program can take in input behavioural patterns; i.e., a probabilistic
model of the user activity through a period. The simulator can then play this
pattern upon a configured virtual time limit (in days). For example, the
simulator can play a user email pattern within the Mixnet during 100 days.

We read topologies configuration from files, in which each file matchs an epoch
(i.e., an epoch is a timeframe during which the network topology remains the
same). The simulator then output path information for each message sent by each
sampled user (i.e., we apply a Monte Carlo method). As a matter of example, the
"simple" model outputs the following kind of line:

1970-01-01 00:44:31 2538 570,260,1007, false

containing the date, the sample id, the path (mix ids) and whether the route is
fully compromised or not (i.e., whether the user selected PATH_LENGTH malicious mixes).

The timings and number of path sampled depends on the user model selected. E.g.,
for the "simple" user model, one path is sampled every 10 minutes on average
(uniformly random in 5, 15 minutes).

More complex user models and logging mechanisms are also implemented.
Fundamentally, we derive two classes of interactions with the mixnet:
Synchronous one. E.g., sending files to a dropbox, or sending a HTTP request to
a Web Server). And asynchronous ones that mainly capture potential interaction
between anonymous users (e.g., some user send a message to someone's else
mailbox; and the peer can then anonymously fetch the message asynchronously).

Installing Rust

curl --proto '=https' --tlsv1.3 -sSf https://sh.rustup.rs | sh

See Other Installation
Methods if
you're on Windows.

Add Cargo to your PATH.

export PATH="$HOME/.cargo/bin:$PATH"

Compiling and installing routesim

Clone the repository.

  git clone https://github.com/frochet/routesim.git

Compile && install.

cd routesim
cargo install --path .

You should now have routesim installed in ~/.cargo/bin and access to its
interface:

routesim -h

Examples

A dummy example

In your terminal, run the following:

routesim --in-dir testfiles/single_layout --epoch 86401 -u simple --users 2 --days 1 -c 1 -t

This instructs routesim to simulate two users during 1 day with the "simple"
user model, and outputs to stdout the route taken during the virtual day.

A complex usage case: evaluating the impact of your email sending pattern

If you wish to simulate your email-pattern behavior over the Mixnet,
there are a few steps ahead of the simulation itself. Your first need to
extract your data, and post-process them using the available script
located at scripts/process-mailbox.py.

Assuming you have a thunderbird client, install the addon
ImportExportTools NG, and then export your send folder as a .mbox file.
Then, use the script to produce two files containing some processed
information:

python3 scripts/process-mailbox.py path/to/mbox/file

You should then have two .json file in your current directory, named
time_data.json and size_data.json.

Preparing Bow-Tie topologies

mkdir -p topologies/bow-tie
cd topologies/bow-tie
../../scripts/split_csv_file.sh ../../testfiles/layout_data/bow_tie/dynamic_hybrid_steady_0.03_layout.csv

Running a Simulation

routesim --timestamps-h time_data.json --sizes-h size_data.json --in-dir topologies/bow-tie --epoch 3600 -u email --users 5000 --days 30 | sed 's/;/\n/g' > output_routesim_data

Parsing & Plotting Results

You'll find scripts to process and plots the simulation results in
the directory scripts/. process_sim.py processes the output of the
routesim command and stores relevant summaries serialized in a pickle
file.

$ python3 scripts/process_sim.py -h
usage: process_sim.py [-h] --in_file IN_FILE [--outname OUTNAME] [--format FORMAT] [--nbr_messages_until_compromise] --samples SAMPLES

Process results from routesim.py. Output serialized objects for plotting script, and output the answer to 'How many messages clients send before getting deanonymed, on average'

optional arguments:
  -h, --help            show this help message and exit
  --in_file IN_FILE     The output file produced by routesim.py
  --outname OUTNAME     filename for the pickle storage
  --format FORMAT       tell the parser the expected format
  --nbr_messages_until_compromise
                        Display the number of messages until compromise, on average
  --samples SAMPLES     Number of samples in file used in the simulation (--users in routesim)


python3 scripts/process_sim.py --in_file output_routesim_data --outname data_to_plot --format async --samples 5000

Now you should have a file named data_to_plot.pickle in your active
directory. You can use plot_processed_sim.py to get a visual.

$ python3 scripts/plot_processed_sim.py -h
usage: plot_processed_sim.py [-h] [--time] [--count] [--data DATA [DATA ...]] [--label LABEL [LABEL ...]]

Plot Time-to-first route compromised cdf of the routesim results

optional arguments:
  -h, --help            show this help message and exit
  --time
  --count
  --data DATA [DATA ...]
                        datapath to the pickle file
  --label LABEL [LABEL ...]
                        Line label in the same order than the data

You can give the script multiple --data and --label for all your
simulations. They will be plotted on the same figure.

python3 scripts/plot_processed_sim.py --time --data data_to_plot.json.pickle --label simulation_example

In this case, only one line is expected.

Languages

Rust74.6%Python20.2%Shell5.2%

Contributors

FRSUTARI
Created August 19, 2021
Updated March 20, 2025
frochet/routesim | GitHunt