It has an (unstable) API that you can use to embed it in other Rust programs, and give them support for connections over the Tor network. So what can Arti do? Right now, Arti can successfully bootstrap, run as a SOCKS proxy, and connect over the Tor network. It doesn't support Tor's anti-censorship features yet, and it can't connect to onion services yet. Finally, note that today's Arti is missing several key security features for privacy: you shouldn't use it for browsing if you have actual privacy needs at all. But with our Arti rewrite, we can take embedding into account from the start, to help support applications down the road.) What can Arti do today? What features are missing? First off: Don't use Arti for real privacy yet. Arti doesn't yet run as a relay at all. For example, the complicated structure of the C code has made it hard to adopt for embedding into other applications. (And while we're writing a new implementation, we can clean up design issues that have been hard to fix in C. With a rewrite, we figured that we can keep our existing C code stable and make only minimal changes to it, while building up a working base of Rust code to serve as a basis for future development. And untangling the code is risky, for all the same reasons that working in C is typically risky. That makes it hard for us to rewrite our code one module at a time, without first untangling it to be more modular. Our problem here is that the modules in our existing C code are not terribly well separated from one another: most modules are reachable from most other modules. Why a full rewrite? At one point, we had hoped to slowly replace Tor's C code with Rust, one piece at a time. Because of that, Arti's circuit cryptography has been multicore from day 1, at very little additional programming effort.
If one thread accesses a piece of state at the same time that another thread is changing it, then your whole program can exhibit some truly confusing and bizarre bugs. But in Rust, this kind of bug is easy to avoid: the same type system that keeps us from writing memory unsafety prevents us from writing dangerous concurrent access patterns. C's support for thread-safety is quite fragile, and it is very easy to write a program that looks safe to run across multiple threads, but which introduces subtle bugs or security holes. Here's a case where Rust's safety can really help us. For years now, we've wanted to split Tor's relay cryptography across multiple CPU cores, but we've run into trouble. Since 2016, we've been tracking all the security bugs that we've found in Tor, and it turns out that at least half of them were specifically due to mistakes that should be impossible in safe Rust code. That's a huge win for us in programming and debugging time, and a huge win for users in security and reliability. To a first approximation, if the code compiles, and it isn't explicitly marked as "unsafe", then large categories of bugs are supposed to be impossible. What's more, it's got some really innovative features that let the language enforce certain safety properties at compile-time. It's a high-level language, and significantly more expressive than C. Rust seems like the clearest way out of our bind. This slows us down seriously, and increases the cost of adding new features. Everything we write takes more code than we'd like it to, and we need to double-check even the safest-looking code to make sure it doesn't fall prey to any of C's list of enormous gotchas. Although C is venerable and ubiquitous, it's notoriously error-prone to use, and its lack of high-level features makes many programming tasks more complex than they'd be in a more modern language. For us, these problems mean that programming in C is a slow and painstaking process.
Today's Tor is written in the C programming language. Since then, Tor has grown to handle millions of users around the world. In 2006, we incorporated the Tor Project as a nonprofit charity. We started Tor back around 2002, based on earlier Onion Routing designs from the mid-1990s. Tor is also a program (in C) that provides client-side and server-side implementations of those protocols. Tor is a set of protocols to provide anonymity, privacy, and censorship resistance on the Internet. Thanks to funding from Zcash Open Major Grants (ZOMG), we can finally put the Arti project up in our priorities list, and devote more time to it. Below I'll talk about why we're doing this project, what it means for Tor users and operators, where it's going in the future, and how people can help. Over the past year or so, we've been working on "Arti", a project to rewrite Tor in Rust. Today I'm happy to announce a new era in Tor implementation.