
Your State is Not Mine: A Closer Look at Evading Stateful Internet Censorship - PowerPoint PPT Presentation



  1. Your State is Not Mine: A Closer Look at Evading Stateful Internet Censorship
  Zhongjie Wang, Yue Cao, Zhiyun Qian, Chengyu Song, Srikanth V Krishnamurthy
  University of California, Riverside

  2. Internet Censorship
  • Key technology: Deep Packet Inspection (DPI)
  • Reconstruct TCP data flow
  • Examine application protocol fields
  [Figure: a stateful DPI box on the path between Alice and a web server, spanning several ASes; its TCB holds IP connection state, the client SEQ num and the TCP payload data, and the inspected request is "GET /badword HTTP/1.1\r\nHost: …"]

  3. Internet Censorship
  • Similar to a Network Intrusion Detection System (NIDS), it is inherently vulnerable:
  • Network reasons (small TTL, middleboxes)
  • End-host reasons (different TCP implementations, local firewall)
  [Figure: the same setup, with RST packets injected into the connection once the DPI box matches "GET /badword HTTP/1.1\r\nHost: …"]

  4. Our Study
  • The Great Firewall of China (GFW)
  • a sophisticated censorship system performing stateful DPI
  • has a long history of keyword-based content filtering on HTTP/DNS/IMAP/Tor/etc.
  • sends forged TCP RST packets to terminate the connection upon detection of a sensitive keyword
  • Goal: Measure the effectiveness of TCP-layer censorship evasion techniques on the GFW in practical situations

  5. Prior Studies
  • NIDS
  • Insertion, Evasion, and Denial of Service: Eluding Network Intrusion Detection. Ptacek et al. 1998.
  • GFW
  • Ignoring the Great Firewall of China. Clayton et al. 2006.
  • Towards Illuminating a Censorship Monitor’s Model to Facilitate Evasion. Khattak et al. 2013.

  6. Our Contributions
  • First extensive measurement of TCP-layer evasion techniques on the GFW
  • Discovered new behaviors of the GFW
  • Our new evasion strategies achieve a >95% success rate, tested effective with HTTP/DNS/VPN/Tor traffic
  • INTANG, an open-source censorship evasion tool

  7. Agenda
  • Overview
  • Background
  • Evaluation of Existing Evasion Strategies
  • Evolved GFW Behaviors
  • Evaluation of New Evasion Strategies
  • Discussion and Conclusion

  8. Insertion/Evasion Packet
  • Insertion Packets: accepted by the GFW but dropped by the server
  • Evasion Packets: accepted by the server but dropped by the GFW
  • Basic Idea: De-synchronization
  • TCP states (LISTEN, ESTABLISHED)
  • Program states (SEQ num, win size)

  9. Existing Evasion Strategies
  [Figure: existing strategies grouped by what they target: TCB Creation (creating a false TCB, e.g. with a bad SEQ) and TCB Teardown]


  11. Measurement Setup
  • 11 vantage points: 9 cities, 3 ISPs (Alibaba Cloud, Tencent Cloud, China Unicom)
  • HTTP censorship
  • 77 Alexa top global sites
  • 50 times per test
  • Controlled experiments
  • Sensitive keyword: ultrasurf
  [Map of vantage point cities, including Beijing, Shanghai, Guangzhou and Shenzhen]

  12. Evaluation of Existing Strategies
  • Failure 1 - no resp. from server; Failure 2 - RST from GFW

  13. Why

  14. Failure Analysis
  [Table: interference on insertion packets, by where it happens (client-side middlebox, server-side middlebox, server running Windows/Linux/macOS) and how (Accept, Drop, Read, Inject, No Interference), mapped to the observed outcome: Failure 1 (no resp. from svr) or Failure 2 (RST from GFW)]

  15. However, a large portion of the failure cases is still left unresolved


  17. TCB Creation on SYN/ACK
  • TCB Creation
  [Figure, Prior vs New: a packet with SEQ:123, ACK:456 sent from 1.1.1.1:5555 to 2.2.2.2:6666. Prior (TCB created on SYN): TCB with Client: 1.1.1.1:5555, Server: 2.2.2.2:6666, Client SEQ: 123, … New (TCB created on SYN/ACK): TCB with Client: 2.2.2.2:6666, Server: 1.1.1.1:5555, Client SEQ: 456, …]

  18. Re-synchronization
  • GFW now becomes “smarter”
  • GFW enters “re-sync” state upon seeing
  • Multiple SYN or
  • Multiple SYN/ACK or
  • SYN/ACK with incorrect ACK num

  19. Re-synchronization
  • When in “re-sync” state, the GFW updates its client SEQ num using the next
  • SEQ num in a data packet from “client” to “server”
  • ACK num in a SYN/ACK packet from “server” to “client”
  [Figure: the two re-sync sources, labelled Data and SYN/ACK]
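The TCB-creation and re-sync rules of slides 17 through 19 as a small state-machine model, an added example built from the slide text (not INTANG's code or the GFW's): state is created on the SYN/ACK, a repeated SYN, repeated SYN/ACK or SYN/ACK with a mismatching ACK enters re-sync, and re-sync re-learns the client SEQ from the next client data segment or server SYN/ACK. The addresses and numbers are slide 17's; the packet trace is constructed.

```python
from dataclasses import dataclass

@dataclass
class Seg:
    src: str; dst: str; flags: str
    seq: int = 0; ack: int = 0; data: bytes = b""

@dataclass
class Tcb:
    client_seq: int          # next client SEQ the tracker expects
    resync: bool = False     # set when the tracker no longer trusts client_seq

class ResyncTracker:
    """Model built from the slide text (not the GFW's or INTANG's code): TCB created on
    SYN/ACK (its ACK number becomes the client SEQ); repeated SYN, repeated SYN/ACK or a
    SYN/ACK with a mismatching ACK enters re-sync; re-sync re-learns the client SEQ from
    the next client data SEQ or the next server SYN/ACK ACK."""
    def __init__(self):
        self.tcbs = {}       # (client, server) -> Tcb
    def observe(self, s):
        if s.flags == "SYN/ACK":                     # server -> client direction
            t = self.tcbs.get((s.dst, s.src))
            if t is None:
                self.tcbs[(s.dst, s.src)] = Tcb(client_seq=s.ack)
                return "tcb-created"
            if t.resync:
                t.client_seq, t.resync = s.ack, False
                return "resynced"
            t.resync = True                          # second SYN/ACK or wrong ACK
            return "resync-entered"
        t = self.tcbs.get((s.src, s.dst))            # client -> server direction
        if t is None:
            return "no-tcb"                          # a lone SYN no longer creates state
        if s.flags == "SYN":
            t.resync = True                          # repeated SYN
            return "resync-entered"
        if t.resync:
            t.client_seq, t.resync = s.seq, False    # re-learn from client data
        if s.seq != t.client_seq:
            return "out-of-sync"
        t.client_seq += len(s.data)
        return "in-sync"

def trace():
    """Constructed trace with slide 17's addresses: a second SYN/ACK carrying a wrong ACK
    triggers re-sync, and the next client data segment re-synchronises the tracker."""
    tr, c, s = ResyncTracker(), "2.2.2.2:6666", "1.1.1.1:5555"
    pkts = [Seg(c, s, "SYN", seq=122), Seg(s, c, "SYN/ACK", seq=455, ack=123),
            Seg(s, c, "SYN/ACK", seq=455, ack=999),
            Seg(c, s, "ACK", seq=123, data=b"GET / HTTP/1.1\r\n"),
            Seg(c, s, "ACK", seq=139, data=b"Host: x\r\n")]
    return [tr.observe(p) for p in pkts]
```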

  20. Combined strategy: TCB Creation + Resync/Desync

  21. Combined strategy: TCB Teardown + TCB Reversal

  22. New Insertion Packets: Expanding the arsenal

  23. How to Find More Insertion Packets?
  • “Ignore” path analysis in TCP receiving logic and differential testing with the GFW
  • “Ignore” path: a program execution path that doesn’t change any TCP-related state, i.e. the packet is ignored, e.g. wrong checksum
  • Test whether the GFW also ignores the packet; otherwise, it could be an insertion packet

  24. Analyzing Linux TCP Implementation
  • Analysis of Linux kernel version 4.4 found the following candidate insertion packets
  • New effective insertion packet: MD5 optional header
  • Future work: automated discovery of insertion packets
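The ignore-path idea of slides 8, 23 and 24 from the inspector's side, as an added example that is neither the page's nor INTANG's code: a toy stateful reassembler that either trusts every segment or, like the end host, discards segments whose TCP checksum is wrong. The addresses, ports, keyword and segments are constructed; run over a bad-checksum insertion segment followed by the real request, the trusting inspector misses the keyword while the one sharing the host's ignore path matches it.

```python
import struct

def tcp_checksum(src, dst, tcp_bytes):
    """RFC 793 checksum: one's-complement sum over the IPv4 pseudo-header plus segment."""
    data = src + dst + struct.pack("!BBH", 0, 6, len(tcp_bytes)) + tcp_bytes
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def build_segment(src, dst, sport, dport, seq, payload, corrupt=False):
    """Constructed PSH/ACK segment, 20-byte header, no options; corrupt=True flips one
    checksum bit to model an insertion segment that the end host will discard."""
    hdr = struct.pack("!HHIIBBHHH", sport, dport, seq, 0, 5 << 4, 0x18, 65535, 0, 0)
    csum = tcp_checksum(src, dst, hdr + payload) ^ (1 if corrupt else 0)
    return hdr[:16] + struct.pack("!H", csum) + hdr[18:] + payload

def checksum_ok(src, dst, segment):
    # With a valid stored checksum, the same computation over the whole segment gives 0.
    return tcp_checksum(src, dst, segment) == 0

class Inspector:
    """Toy stateful DPI reassembler (constructed; neither INTANG nor the GFW). With
    verify=False it trusts every segment, so a bad-checksum insertion segment advances its
    expected SEQ and the real request is then dismissed as already seen; with verify=True
    it shares the host's checksum 'ignore' path and stays in step with the host."""
    def __init__(self, keyword, verify):
        self.keyword, self.verify, self.next_seq, self.buf = keyword, verify, None, b""

    def feed(self, src, dst, segment):
        if self.verify and not checksum_ok(src, dst, segment):
            return "ignored"                        # the host drops it, so must the DPI
        seq, payload = struct.unpack("!I", segment[4:8])[0], segment[20:]
        if self.next_seq is not None and seq != self.next_seq:
            return "stale"                          # treated as a retransmission
        self.buf += payload
        self.next_seq = seq + len(payload)
        return "match" if self.keyword in self.buf else "ok"

def run_scenario(verify):
    """Constructed flow 10.0.0.1:5555 -> 10.0.0.2:80: insertion segment, then real request."""
    src, dst = bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2])
    insp = Inspector(b"GET /badword", verify)
    junk = build_segment(src, dst, 5555, 80, 1000, b"GET /xxxxxxx HTTP/1.1\r\n", corrupt=True)
    real = build_segment(src, dst, 5555, 80, 1000, b"GET /badword HTTP/1.1\r\n")
    return [insp.feed(src, dst, junk), insp.feed(src, dst, real)]
```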


  26. INTANG - Extensible Measurement Tool
  [Figure: INTANG and its components, including a UDP DNS <-> TCP DNS component]

  27. INTANG - Extensible Measurement Tool
  Callbacks for each strategy:
  • setup()
  • teardown()
  • process_syn()
  • process_synack()
  • process_request()
  [Figure: INTANG and its components]

  28. Evaluation
  • Evaluation in both directions (inbound & outbound China)
  [Charts: outbound and inbound results]
  • High success rate of >95% for outbound; low inbound success rate due to the close distance between server and GFW
  • INTANG performance: automatically chooses the best strategy based on historical results, success rate 98%

  29. Case Study - DNS/Tor/VPN
  • Public DNS resolvers outside China
  • Google DNS: IP-blocked
  • OpenDNS: not censored
  • Dyn DNS: censored, 98%+ success rate with INTANG
  • Private Tor relay: 100% success rate with INTANG
  • Private OpenVPN server: occasionally censored, can be bypassed with INTANG when censored


  31. Discussion & Limitation
  • GFW Countermeasures
  • Hard to be fully immune to insertion packets
  • May use the server’s ACK as feedback, but still vulnerable to data reassembly strategies
  • Limitation
  • Unable to fully understand some of the failure cases due to the blackbox nature of the GFW
  • Complexity and inconsistency of the GFW behaviors

  32. Conclusion
  • We conduct an extensive measurement of the effectiveness of existing TCP-layer evasion techniques against the GFW, and find most of them are no longer working
  • Middleboxes (including NATs and firewalls) significantly interfere with the insertion packets
  • We discover new behaviors of the GFW and propose new evasion strategies that can bypass these behaviors
  • We evaluate our new strategies and demonstrate a high success rate of 95%+

  33. Q&A
  • Zhongjie Wang <zwang048@ucr.edu>
  • Github: https://github.com/seclab-ucr/INTANG
