Tor gets financial support for Arti development

There is a lot of buzz around the Rust programming language these days—which strikes some folks as irritating, ridiculous, or both. But the idea of a low-level language that can replace C, with fewer built-in security pitfalls, is attractive for any number of projects. Recently, the Tor Project announced the Arti project as a complete Rust rewrite of Tor's core protocols, which provide internet privacy and anonymity. In addition, Tor announced that Arti received a grant to support its development over the next year or so.

Tor

Tor came about in the early 2000s as a mechanism to route a user's packets through multiple relay nodes in its network using "onion routing". The idea is to obscure the connection between where a packet originates and its destination from outside observers. Onion routing was developed in the mid-1990s; it wraps a message in multiple layers of encryption that are peeled off and decrypted one-by-one at various relays in the network. Each relay can only decrypt its layer and does not know how many layers there are, nor where it is located in the chain of relays being used, though the "exit node" knows that it is the last in the chain as it needs to connect outside of the network to the actual destination for the packet. The name "Tor" is an acronym for "The Onion Router".

The core Tor application provides both client and server implementations of the protocols used in the network; it is largely written in C. There was a plan back in 2017 to slowly migrate pieces of the application to Rust. But, according to the blog post announcing Arti, "that hasn't worked out". The post went on to explain why the Tor developers decided on a full rewrite:

Our problem here is that the modules in our existing C code are not terribly well separated from one another: most modules are reachable from most other modules. That makes it hard for us to rewrite our code one module at a time, without first untangling it to be more modular. And untangling the code is risky, for all the same reasons that working in C is typically risky.

With a rewrite, we figured that we can keep our existing C code stable and make only minimal changes to it, while building up a working base of Rust code to serve as a basis for future development.

(And while we're writing a new implementation, we can clean up design issues that have been hard to fix in C. For example, the complicated structure of the C code has made it hard to adopt for embedding into other applications. But with our Arti rewrite, we can take embedding into account from the start, to help support applications down the road.)

Other projects that are looking at replacing pieces of their C code with Rust may well run into similar problems depending on the modularity of their code base.

Grant

Back in March, Tor co-founder Nick Mathewson posted about Arti (which stands for "A Rust Tor implementation") on the community forum for the Zcash cryptocurrency. It was, in effect, a pre-pitch to the community before making a grant proposal for Arti development to the Zcash Open Major Grants (ZOMG) program, which is part of the Zcash Foundation. Both the foundation and the grants program were funded by portions of the block reward for mining Zcash.

Mathewson had been encouraged to post by Holmes Wilson, who is on the ZOMG committee, because Wilson believes that Tor and Zcash fit well together. Zcash, which is implemented in Rust and C++, needs Tor or something like it in order to thwart de-anonymization efforts against its transactions by governments and others, he said. Zcash is aimed in part at providing more privacy for its users than other cryptocurrencies do. Past attempts to use Tor in Zcash have run aground on the difficulties of embedding the Tor code in other applications, at least in part.

Fast forward to July, and a nearly $700,000 grant has been awarded by ZOMG to Tor in order to get Arti to a production-ready 1.0 release—and a bit beyond—over the next year or so. That is meant to cover salaries for three developers and a part-time project manager. The Arti 1.1 milestone, which adds features that will help clients avoid network censorship measures, is also part of the work under the grant; it is scheduled for October 2022. The grant is focused on pieces that are directly usable by Zcash (and, of course, anyone else who wants to use Tor), but will not cover support for onion services, nor will it reach feature parity with the C code. Those pieces are left to milestones that are currently unfunded.

Why Rust?

There are various reasons that the Tor project is interested in a Rust implementation of its protocols. As a particularly security-sensitive project, Tor needs to be extremely careful about its code; using C is worrisome because "it's notoriously error-prone to use". That means extra scrutiny for even the simplest code, which slows the project down and makes new features more costly to implement. Rust can help fix many of those problems:

It's a high-level language, and significantly more expressive than C. What's more, it's got some really innovative features that let the language enforce certain safety properties at compile-time. To a first approximation, if the code compiles, and it isn't explicitly marked as "unsafe", then large categories of bugs are supposed to be impossible.

The Tor project has been tracking its security vulnerabilities since 2016. It turns out that "at least half of them were specifically due to mistakes that should be impossible in safe Rust code". The announcement explained that the project has long wanted to spread its cryptographic work to multiple cores, but that the prospect of doing so in C was daunting because of its fragility when accessing shared data within multi-threaded programs:

But in Rust, this kind of bug is easy to avoid: the same type system that keeps us from writing memory unsafety prevents us from writing dangerous concurrent access patterns. Because of that, Arti's circuit cryptography has been multicore from day 1, at very little additional programming effort.

Status

At this point, Arti is at the "eats babies" stage; it works, in a limited sense of that term, but does not provide any real privacy yet. It can run as a SOCKS proxy and connect via the Tor network, but it does not run as a Tor relay (i.e. server). It can be embedded in other Rust programs, allowing them to make connections to Tor as a client, but the API is not stable. Those who want to give Arti a test spin should consult the Contributing document, which describes hooking Arti up to Tor Browser—the project's version of Firefox specifically tweaked to better support users' privacy and to use the Tor network out of the box.

Arti is available under either version 2.0 of the Apache License or the MIT license (or both). Those looking to get involved can find some ideas for starting points in the Contributing document, including suggestions to review the code and the Architecture document (note that there is a module-organization diagram in the grant proposal). There is a list of issues that are tagged as "First Contribution", which might make for a good place to begin working on Arti. Regular reports on progress will be posted to the tor-dev mailing list; the first was posted at the same time as the announcement. In addition, meetings are being recorded and posted to the Tor project's YouTube channel in an Arti playlist.

The schedule seems fairly aggressive, especially since the team is also coming up to speed on Rust. The first phase is due in October, as Arti 0.0.1, providing basic anonymity services. Arti 0.1 is planned for release in March 2022; it will be ready for embedding into other applications, as well as improving the efficiency and user experience of the application. The production-ready Arti 1.0 release is scheduled for September 2022, with the 1.1 anti-censorship release coming shortly thereafter.

Over time, the C code is expected to wither away, but that will not happen for several years—at minimum. Even after Arti is production-ready for some use cases, there will still be more work needed to get to the point where Arti can do everything that the existing code can do. In particular, Tor relay support will need to be added, which is a substantial effort. But the Tor team will slowly be shifting its focus toward Rust and Arti, so the C code will slowly age out:

We expect that the pace of new features in C will slow, but we will continue fixing issues, shipping bugfixes, and solving important problems in our C code, until Rust is ready to replace it entirely. We will work to keep C Tor users secure, safe, and private, until it is finally ready to be replaced.

Arti will be an interesting project to watch. It should provide a nice experiment to try to show the benefits that Rust proponents have been touting. Arti is a fairly low-level networking application, and the internet provides plenty of "untrusted input" to surface the kinds of problems that have often tripped up similar C programs (including Tor itself, of course). The vulnerability tracking for Arti might well provide evidence for Rust's efficacy in avoiding attacks of that nature. Arti will also give other projects a look at what their future might hold, should they decide to make a similar switch.