Bunker: A Privacy-Oriented Platform for Network Tracing

Andrew G. Miklas, Stefan Saroiu, Alec Wolman, and Angela Demke Brown

HTML (3.3 MBytes)
PDF (559 KBytes)


ISPs are increasingly reluctant to collect and store raw network traces because they can be used to compromise their customers' privacy. Anonymization techniques mitigate this concern by protecting sensitive information. Trace anonymization can be performed offline (at a later time) or online (at collection time). Offline anonymization suffers from privacy problems because raw traces must be stored on disk -- until the traces are deleted, there is the potential for accidental leaks or exposure by subpoenas. Online anonymization drastically reduces privacy risks but complicates software engineering efforts because trace processing and anonymization must be performed at line speed. This paper presents Bunker, a network tracing system that combines the software development benefits of offline anonymization with the privacy benefits of online anonymization. Bunker uses virtual machines, encryption, and restricted I/O interfaces to protect the raw network traces and the tracing software, exporting only an anonymized trace. We present the design and implementation of Bunker, evaluate its security properties, and demonstrate its ease of use for developing a complex network tracing application.

Proceedings of the 6th USENIX Symposium on Networked Systems Design and Implementation, Boston, MA, April 2009.