Towards programmable anonymity networks

Anonymity systems are critical in achieving free, open communication on today's Internet. In particular, Tor, a popular peer-to-peer anonymous system, has become a staple in resisting online censorship by rogue nations and allowing journalists to safely communicate with sources world-wide.

However, it is surprisingly difficult to create a robust, efficient service that runs on top of a system like Tor. Today, the use of Tor is largely relegated to web proxies and hidden services, and unfortunately, neither of these applications has the ability to scale to handle dynamic workloads or attacks by automated bots.

Conversely, in the "non-anonymous" Internet, services are thriving like never before due to innovations in software-defined networking (SDN), network function virtualization (NFV), and content delivery networks (CDNs). The present and future Internet is comprised of programmable networks, but the basic primitives needed to achieve such features do not exist in anonymous networks.

We are developing programmable anonymity networks—extensions of Tor that allow users to install and run small snippets of code on Tor routers—and are using them to build more sophisticated, more secure anonymous services.

Our architecture, Bento, allows users to write functions and upload them to willing Tor relays. The architecture protects relays from the functions they are running on behalf of other users, and protects the users from the relays running their functions.

We are developing a myriad of functions that demonstrate that a programmable Tor can be a more secure, robust, and anonymous Tor. Stay tuned for more details!

Bento source code

Our artifact-evaluated Bento source code is available.


Related Projects

This work has spawned multiple sub-projects. More information, including links to code repositories, is available at these sites:

  • Phoenix is the first truly "keyless CDN". It allows websites to safely run their sites on untrusted third parties. To achieve this, we introduce conclaves: containers of secure enclaves, which can run unmodified legacy binaries in a secure enclave like Intel SGX.
  • Geneva (for Genetic Evasion) is a genetic algorithm that automatically learns how to modify packet streams to evade censorship. Geneva re-derived virtually all prior work in a matter of hours and has found dozens of ways to circumvent censorship in China, India, Iran, and Kazakhstan.


  • 04-29-21: Our paper on Bento, an architecture for a more programmable Tor, has been accepted to ACM SIGCOMM 2021. A huge congrats to Michael Reininger, Nick Francino, Stephen Herwig from UMD, and Arushi Arora and Christina Garman from Purdue!
  • 03-18-20: We have posted an article on a new form of Iranian censorship, the "protocol whitelister," and techniques on how to avoid it. Over at
  • 12-05-19: Michael Reininger presented initial results to DCAPS, in his talk Towards a Programmable Tor Network.
  • 09-23-19: Stephen Herwig's paper on secure conclaves (containers of enclaves) has been accepted to USENIX Security 2020. Congrats, Stephen!
  • 08-04-19: Dave Levin is presenting at The Cornell, Maryland, Max Planck Pre-doctoral Research School (CMMRS). He will be presenting work on securing the PKI and on securely running code on an untrusted CDN.