Tor's built-in country-exclusion mechanism is unreliable: circuits configured to exclude US Tor nodes only actually bypassed the US 12% of the time, motivating provably-avoidant circuit construction.

DeTorOS enables provable geographic avoidance for Tor onion services by running a TEE-backed Bento function as a trusted middlebox: both the client and the onion service upload their respective 3-hop circuit halves to this enclave, which computes the never-once or never-twice avoidance proof without revealing either party's circuit to the other.

§3 defense

Computing a never-once avoidance proof for a 6-hop onion-service circuit takes an average of 64.85 seconds — incurred once at connection setup — because the system must collect round-trip timing measurements across all six relays before running the geographic proof; SGX execution overhead is nominal, and the paper notes that lower-RTT circuits (more likely to be DeTorOS-compliant) reduce subsequent data-transfer latency.

§5.3 evaluation

Never-twice provable avoidance succeeds for 72.4% of sampled source-destination pairs on 6-hop onion-service circuits, compared to approximately 98% on the original 3-hop DeTor circuits; the degradation arises because the additional hops increase round-trip time, making it harder to rule out forbidden-region traversal via speed-of-light bounds.

§5.2 evaluation

DeTorOS's security relies on the honest-but-curious model: if the onion service refuses to participate or lies about its circuit, the client receives no avoidance guarantee. The paper explicitly flags this as an open limitation and notes it cannot be closed without either requiring a TEE on the onion service side or fundamental protocol changes.

§6 defense

A three-stage detection pipeline exploiting the "dual-role" behavioral fingerprint of single-IP circumvention relays achieved 23.2% recall (96/414 ground-truth relays) with a 0.18% false-positive rate against 97,651 benign TLS servers, for an overall accuracy of 99.5%. The ground-truth set covered OpenVPN, WireGuard, and SOCKS relays identified in a 17 TB single-day backbone trace (WIDE Project, April 9, 2025).

2026-almutairi-server §3.4, Table 1 traffic-shapedpiflow-correlation

NATA (Non-invasive Active Traffic-correlation Analysis) injects low-frequency bandwidth waveforms (sinusoidal, square-wave, triangular) into Tor TCP connections at an upstream gateway without endpoint compromise, payload decryption, or Tor-browser modification. BM-Net, a selective state-space classifier trained on the exit-side observations, achieves a 99.65% binary detection F1 score distinguishing watermarked from natural traffic on a 20,000-trace real-world dataset.

2026-fan-activeflowmark-assessing-tor §IV, §VI.D, Table III flow-correlationtraffic-shapeml-classifier

BM-Net achieves a 99.65% binary detection F1 score for distinguishing bandwidth-watermarked Tor flows from natural traffic, outperforming all evaluated baselines (next best: TikTok at 75.96% F1). The accuracy gap stems from active perturbation imposing a deterministic low-frequency throughput constraint rather than relying on subtle natural metadata, making the detection task fundamentally easier than passive website fingerprinting.

2026-fan-activeflowmark-assessing-tor §VI-D, Table III–IV flow-correlationtraffic-shapeml-classifier

BM-Net achieves a 99.65% binary detection F1 score distinguishing watermarked from natural Tor flows, and a 97.5% macro-F1 score for fine-grained modulation classification across sinusoidal, square-wave, and triangular patterns. The fine-grained test set contains 201 held-out samples collected from ten clients across five geographic regions (Europe, North America, Australia, Southeast Asia, East Asia), with training traces including traffic collected under WTF-PAD and Walkie-Talkie defenses.

2026-fan-activeflowmark-assessing-tor §VI-D, Table III, Table V flow-correlationml-classifiertraffic-shape

Active bandwidth perturbation has an inherent detectability–stability trade-off: overly aggressive low-rate phases cause Tor SENDME-based flow control stalls, retransmissions, timeouts, or circuit replacement before sufficient correlation evidence is collected. The paper selects a 30-second modulation period and an empirically determined minimum shaping rate; the usable shaping range varies with relay load, path length, TCP congestion control behavior, and Tor multiplexing.

2026-fan-activeflowmark-assessing-tor §VII-A flow-correlationtraffic-shape

Using a 1%-scaled tornettools simulation with historical Tor consensus data, a single adversary-controlled exit relay at 148 Mbps yields an exit-observation probability of approximately 2.13%; deploying 5 adversary-controlled exit relays pushes observation probability above 10%. The aggregation effect is concave — repeated observations across T independent windows compound via 1 − (1 − Pcorr)^T.

2026-fan-activeflowmark-assessing-tor §VI-A flow-correlation