Your State is Not Mine: A Closer Look at Evading Stateful Internet Censorship - PowerPoint PPT Presentation


  1. Your State is Not Mine: A Closer Look at Evading Stateful Internet Censorship
     Zhongjie Wang, Yue Cao, Zhiyun Qian, Chengyu Song, Srikanth V Krishnamurthy
     University of California, Riverside

  2. Internet Censorship
     • Key technology: Deep Packet Inspection (DPI)
       • Reconstruct TCP data flow
       • Examine application protocol fields
     [Figure: Alice's connection to a web server crosses several ASes; the censor's TCB holds the IP connection state, the client SEQ num and the reassembled TCP payload, e.g. "GET /badword HTTP/1.1\r\nHost: …"]

  3. Internet Censorship
     • Similar to a Network Intrusion Detection System (NIDS), it is inherently vulnerable:
       • Network reasons (small TTL, middleboxes)
       • End-host reasons (different TCP impl., local firewall)
     [Figure: same setup as slide 2, with forged RST packets sent toward Alice and the web server]

  4. Our Study
     • The Great Firewall of China (GFW)
       • a sophisticated censorship system performing stateful DPI
       • has a long history of keyword-based content filtering on HTTP/DNS/IMAP/Tor/etc.
       • sends forged TCP RST packets to terminate the connection upon detection of a sensitive keyword
     • Goal: Measure the effectiveness of TCP-layer censorship evasion techniques on the GFW in practical situations

  5. Prior Studies
     • NIDS
       • Insertion, Evasion, and Denial of Service: Eluding Network Intrusion Detection. Ptacek et al. 1998.
     • GFW
       • Ignoring the Great Firewall of China. Clayton et al. 2006.
       • Towards Illuminating a Censorship Monitor's Model to Facilitate Evasion. Khattak et al. 2013.

  6. Our Contributions
     • First extensive measurement of TCP-layer evasion techniques on the GFW
     • Discovered new behaviors of the GFW
     • Our new evasion strategies achieve a >95% success rate, tested effective with HTTP/DNS/VPN/Tor traffic
     • INTANG, an open-source censorship evasion tool

  7. Agenda
     • Overview
     • Background
     • Evaluation of Existing Evasion Strategies
     • Evolved GFW Behaviors
     • Evaluation of New Evasion Strategies
     • Discussion and Conclusion

  8. Insertion/Evasion Packet
     • Insertion Packets: accepted by the GFW but dropped by the server
     • Evasion Packets: accepted by the server but dropped by the GFW
     • Basic Idea: De-synchronization
       • TCP states (LISTEN, ESTABLISHED)
       • Program states (SEQ num, win size)

  9. Existing Evasion Strategies
     [Figure: strategies evaluated, labelled Creating false TCB (bad SEQ), Creating false TCB, TCB Creation, TCB Teardown]

  10. Agenda
     • Overview
     • Background
     • Evaluation of Existing Evasion Strategies
     • Evolved GFW Behaviors
     • Evaluation of New Evasion Strategies
     • Discussion and Conclusion

  11. Measurement Setup
     • Vantage points: Alibaba Cloud, Tencent Cloud, China Unicom
       • 11 vantage points
       • 9 cities, 3 ISPs
     • HTTP censorship
       • 77 Alexa top global sites
       • 50 times per test
       • Controlled experiments
       • Sensitive keyword: ultrasurf
     [Map labels: Beijing, Shanghai, Guangzhou, Shenzhen]

  12. Evaluation of Existing Strategies
     • Failure 1 - no resp. from server; Failure 2 - RST from GFW

  13. Why?

  14. Failure Analysis
     Interference on insertion packets:

     Insertion packet is   Client-side middlebox          Server-side middlebox          Server
     Accepted              Failure 1 (No resp. from svr)  Failure 1 (No resp. from svr)  Failure 1 (No resp. from svr)
     Dropped               Failure 2 (RST from GFW)       No interference                No interference

     [Diagram labels: Read, Inject, Win, Linux, macOS]

  15. However, a large portion of the failure cases is still left unresolved

  16. Agenda
     • Overview
     • Background
     • Evaluation of Existing Evasion Strategies
     • Evolved GFW Behaviors
     • Evaluation of New Evasion Strategies
     • Discussion and Conclusion

  17. TCB Creation on SYN/ACK
     • TCB Creation
     [Figure, panels labelled Prior and New: a packet with SEQ:123, ACK:456 from 1.1.1.1:5555 to 2.2.2.2:6666, shown once as SYN/ACK and once as SYN; the resulting TCBs are (Client: 2.2.2.2:6666, Server: 1.1.1.1:5555, Client SEQ: 456, …) and (Client: 1.1.1.1:5555, Server: 2.2.2.2:6666, Client SEQ: 123, …)]

  18. Re-synchronization
     • GFW now becomes "smarter"
     • GFW enters "re-sync" state upon seeing
       • Multiple SYN, or
       • Multiple SYN/ACK, or
       • SYN/ACK with incorrect ACK num

  19. Re-synchronization
     • When in "re-sync" state, the GFW updates its client SEQ num using the next
       • SEQ num in a data packet from "client" to "server"
       • ACK num in a SYN/ACK packet from "server" to "client"
     [Figure: Data packet and SYN/ACK packet]

  20. Combined strategy: TCB Creation + Resync/Desync

  21. Combined strategy: TCB Teardown + TCB Reversal

  22. New Insertion Packets: Expanding the arsenal

  23. How to Find More Insertion Packets?
     • "Ignore" path analysis in TCP receiving logic and differential testing with the GFW
     • "Ignore" path: a program execution path that doesn't change any TCP-related state, i.e. the packet is ignored, e.g. wrong checksum
     • Test whether the GFW also ignores the packet; if not, it could be an insertion packet
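To make slides 8 and 23 concrete, here is an added simulation (my own, not INTANG or the paper's code) of a stateful DPI reassembling a client-to-server stream: an inspector that skips the end host's acceptance checks is desynchronised by a bad-checksum insertion packet and never sees the keyword, while an inspector that applies the same checksum check as the host (the defensive fix) does. Addresses, ports and the request are constructed sample values; nothing is sent on the wire.

```python
import struct

SRC, DST = bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2])  # constructed IPv4 addresses
KEYWORD = b"badword"

def checksum(src, dst, seg):
    """RFC 793 TCP checksum over the IPv4 pseudo-header plus the segment.
    Returns 0 when called on a segment whose checksum field is already valid."""
    data = src + dst + struct.pack("!BBH", 0, 6, len(seg)) + seg
    if len(data) % 2:
        data += b"\x00"
    s = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while s >> 16:
        s = (s & 0xFFFF) + (s >> 16)
    return ~s & 0xFFFF

def segment(seq, payload, good_csum=True):
    """Build a 20-byte TCP header (5555 -> 80, PSH|ACK) plus payload."""
    hdr = struct.pack("!HHIIBBHHH", 5555, 80, seq, 0, 5 << 4, 0x18, 65535, 0, 0)
    c = checksum(SRC, DST, hdr + payload)
    if not good_csum:
        c = (c + 1) & 0xFFFF  # corrupt it: an end host silently drops this segment
    return hdr[:16] + struct.pack("!H", c) + hdr[18:] + payload

def reassemble(packets, verify_checksum):
    """Simplified stateful reassembly of the client -> server byte stream."""
    expected, stream = None, b""
    for p in packets:
        if verify_checksum and checksum(SRC, DST, p) != 0:
            continue  # same 'ignore' path as the end host: TCB untouched
        seq, payload = struct.unpack("!I", p[4:8])[0], p[20:]
        if expected is None:
            expected = seq  # first segment seen fixes the tracked client SEQ
        if seq < expected:  # overlapping bytes: keep only what is new
            payload, seq = payload[expected - seq:], expected
        if seq == expected:
            stream += payload
            expected += len(payload)
    return stream

def scenario():
    """Insertion packet: 7 junk bytes with a bad checksum at the SEQ where the
    real request starts. Returns (naive DPI sees keyword, strict DPI sees it)."""
    request = b"GET /badword HTTP/1.1\r\nHost: example\r\n\r\n"
    packets = [segment(1000, b"X" * 7, good_csum=False), segment(1000, request)]
    return (KEYWORD in reassemble(packets, False),
            KEYWORD in reassemble(packets, True))
```

The naive inspector advances its expected SEQ past the junk and then trims the first seven bytes of the real request as "old" data, so the keyword is split and missed; checksum validation alone closes this one ignore path, which is why slide 31 notes the GFW still cannot be fully immune to insertion packets.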

  24. Analyzing Linux TCP Implementation
     • Analysis of Linux kernel version 4.4 found the following candidate insertion packets
     • New effective insertion packet: MD5 optional header
     • Future work: automated discovery of insertion packets

  25. Agenda
     • Overview
     • Background
     • Evaluation of Existing Evasion Strategies
     • Evolved GFW Behaviors
     • Evaluation of New Evasion Strategies
     • Discussion and Conclusion

  26. INTANG - Extensible Measurement Tool
     [Figure: INTANG and its components; label: UDP DNS <-> TCP DNS]

  27. INTANG - Extensible Measurement Tool
     • Callbacks for each strategy:
       • setup()
       • teardown()
       • process_syn()
       • process_synack()
       • process_request()
     [Figure: INTANG and its components]

  28. Evaluation
     • Evaluation in both directions (inbound & outbound China)
     [Figures: Outbound and Inbound results]
     • High success rate of >95% for outbound; low inbound success rate due to the close distance between server and GFW
     • INTANG performance: automatically chooses the best strategy based on historical results, success rate 98%

  29. Case Study - DNS/Tor/VPN
     • Public DNS resolvers outside China
       • Google DNS: IP-blocked
       • OpenDNS: not censored
       • Dyn DNS: censored, 98%+ success rate with INTANG
     • Private Tor relay: 100% success rate with INTANG
     • Private OpenVPN server: occasionally censored, can be bypassed with INTANG when censored

  30. Agenda
     • Overview
     • Background
     • Evaluation of Existing Evasion Strategies
     • Evolved GFW Behaviors
     • Evaluation of New Evasion Strategies
     • Discussion and Conclusion

  31. Discussion & Limitations
     • GFW Countermeasures
       • Hard to be fully immune to insertion packets
       • May use the server's ACK as feedback, but still vulnerable to data reassembly strategies
     • Limitations
       • Unable to fully understand some of the failure cases due to the blackbox nature of the GFW
       • Complexity and inconsistency of the GFW's behaviors

  32. Conclusion
     • We conduct an extensive measurement of the effectiveness of existing TCP-layer evasion techniques against the GFW, and find that most of them no longer work
     • Middleboxes (including NATs and firewalls) significantly interfere with insertion packets
     • We discover new behaviors of the GFW and propose new evasion strategies that bypass these behaviors
     • We evaluate our new strategies and demonstrate a high success rate of 95%+

  33. Q&A
     • Zhongjie Wang <zwang048@ucr.edu>
     • GitHub: https://github.com/seclab-ucr/INTANG
