Bento: Bringing Network Function Virtualization to Tor

Tor is a powerful and important tool for providing anonymity and censorship resistance to users around the world. Yet it is surprisingly difficult to deploy new services in Tor---it is largely relegated to proxies and hidden services---or to nimbly react to new forms of attack. Conversely, "non-anonymous" Internet services are thriving like never before because of recent advances in programmable networks, such as Network Function Virtualization (NFV) which provides programmable in-network middleboxes. This work seeks to close this gap by introducing programmable middleboxes into the Tor network. In this architecture, users can install and run sophisticated "functions" on willing Tor routers,further improving anonymity, resilience to attack, performance of hidden services, and more. We present the design of an architecture, Bento, that protects middlebox nodes from the functions they run and protects the functions from the middleboxes they run on. Bento does not require modifications to Tor, and can run on the live Tor network. Additionally, we give an overview of how we can significantly extend the capabilities of Tor to meet users' anonymity needs and nimbly react to new threats.