SymTCP: Eluding Stateful Deep Packet Inspection with Automated Discrepancy Discovery - PowerPoint PPT Presentation



SLIDE 1

SymTCP: Eluding Stateful Deep Packet Inspection with Automated Discrepancy Discovery

Zhongjie Wang, Shitong Zhu, Yue Cao, Zhiyun Qian, Chengyu Song, Srikanth Krishnamurthy, Kevin Chan, and Tracy Braun

SLIDE 2

What is DPI (Deep Packet Inspection)?

  • Censorship and Surveillance
  • ISP Traffic Differentiation
  • Modeling Users for Online Ads

SLIDE 3

How does DPI work?

[Diagram: IP, TCP, Application Protocol layers]

SLIDE 4

How does DPI work?

[Diagram: IP, TCP, Application Protocol layers, with RST packets]

SLIDE 5

How does DPI work?

[Diagram: IP, TCP, Application Protocol layers]

SLIDE 6

Implementation-level discrepancy

// Linux TCP timestamp validation
if ((signed int)(last_tsval - current_tsval) <= 1) {
    // succeed
} else {
    // fail
}

// Snort TCP timestamp validation
if ((signed int)((current_tsval - last_tsval) + 1) < 0) {
    // fail
} else {
    // succeed
}

Linux accepts:  last_tsval - 1 <= current_tsval <= last_tsval + 2^31
Snort accepts:  last_tsval - 1 <= current_tsval <= last_tsval + 2^31 - 2
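The two checks side by side, as an added example that is not from the talk or the SymTCP code, probed at the 2^31 boundary where the stated ranges differ; it goes a little beyond the slide by scanning a window of offsets. The sample last_tsval, the delta window and the int32_t cast (standing in for the slide's signed int) are assumptions.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* The Linux check from the slide: accept unless the new TSval is more than one
 * tick behind, judged by a signed 32-bit difference (int32_t cast assumes
 * two's-complement wraparound, as the kernel code does). */
static bool linux_tsval_ok(uint32_t last_tsval, uint32_t current_tsval)
{
    return (int32_t)(last_tsval - current_tsval) <= 1;
}

/* The Snort check from the slide: the "+ 1" puts its wrap point two ticks
 * lower than the Linux one. */
static bool snort_tsval_ok(uint32_t last_tsval, uint32_t current_tsval)
{
    return !((int32_t)((current_tsval - last_tsval) + 1) < 0);
}

/* Compare both validators on a segment whose TSval is last_tsval + delta
 * (mod 2^32). Returns 0 if they agree, 1 if Linux accepts but Snort rejects,
 * -1 for the reverse. */
static int compare_validators(uint32_t last_tsval, uint32_t delta)
{
    uint32_t current = last_tsval + delta;   /* unsigned wrap, like a real TSval */
    bool linux_ok = linux_tsval_ok(last_tsval, current);
    bool snort_ok = snort_tsval_ok(last_tsval, current);
    if (linux_ok == snort_ok) return 0;
    return linux_ok ? 1 : -1;
}

/* Number of deltas in [from, to] on which the two implementations disagree. */
static int count_discrepancies(uint32_t last_tsval, uint32_t from, uint32_t to)
{
    int n = 0;
    for (uint32_t d = from;; d++) {
        if (compare_validators(last_tsval, d) != 0) n++;
        if (d == to) break;               /* inclusive bound without overflow */
    }
    return n;
}

int main(void)
{
    uint32_t last = 123456789u;           /* constructed sample TSval */
    for (uint32_t d = 0x7ffffffdu; d <= 0x80000002u; d++)
        printf("delta=0x%08x linux=%d snort=%d\n", d,
               linux_tsval_ok(last, last + d), snort_tsval_ok(last, last + d));
    return 0;
}
```

Only the two offsets 2^31 - 1 and 2^31 separate the implementations: Linux accepts them, Snort rejects them, and everything else is judged the same way by both.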

SLIDE 7

Workflow of SymTCP

[Diagram: successful test cases; huge search space!!!]

SLIDE 8

Workflow of SymTCP

[Diagram: symbolic execution, highly effective test cases, successful test cases]

SLIDE 9

Problem with symbolic execution

[Diagram: all possible packets, all possible execution paths; path explosion!!!]

SLIDE 10

Pruning decisions

Labeling “drop” / “accept” points

In the program, we label where a packet gets dropped or accepted (i.e., where the TCP state changes). We try to cover these accept/drop points.

Bounding TCP options

We allow each TCP option to occur only once, and at most 5 different TCP options in a packet.

Pruning uninteresting TCP states

We terminate an execution path once it reaches any uninteresting TCP state (e.g., TIME_WAIT, CLOSED).

SLIDE 11

Differential testing

[Diagram: Server, DPI]

SLIDE 12

Complete packet sequence

[Diagram: test case P1 … Pn (packet triggering discrepancies); follow-up packets Pn+1 … Pn+r (packet triggering feedback); LISTEN state, ESTABLISHED state]

SLIDE 13

Symbolic execution performance

  • Linux kernel v4.9.3
  • 72 core Intel Xeon CPU and 256GB memory
  • 1/2/3 symbolic packets
  • 20/40/60 byte length packet

  • No TCP options
  • 56,787 test cases
  • Sampled 10,000 test cases

SLIDE 14

Zeek (formerly Bro)

  • 6082 successful test cases, 9 strategies, 2 novel strategies
SLIDE 15

Snort

  • 652 successful test cases, 11 strategies, 3 novel
SLIDE 16

Great Firewall of China (GFW)

  • 4587 successful test cases, 12 strategies, 9 novel
SLIDE 17

Case study

  • 1. Urgent Pointer (Snort)
  • 2. Underflow SEQ (Zeek & GFW)
SLIDE 18

Key contributions

  • A novel approach that combines whitebox and blackbox testing
    • Whitebox: Extract a reference model from the server with symbolic execution
    • Blackbox: Infer internal states of the DPI with follow-up packets
  • First to run symbolic execution on a full-fledged TCP implementation and send multiple symbolic packets
  • Highly efficient and effective automated tool to unearth discrepancies between different TCP implementations
    • Facilitate DPI elusion
    • Help developers fix implementation bugs

SLIDE 19

Conclusion

  • A novel approach that combines whitebox and blackbox testing to automatically discover TCP implementation-level discrepancies
  • Evaluated against 3 well-known DPI systems, Zeek (Bro), Snort, and the GFW, and found 14 novel strategies
  • A significant step in testing and eluding DPI systems

Email: zwang048@ucr.edu Homepage: https://zhongjie.me