DOCSLIB.ORG

Phd Thesis.Pdf

Total Page:16

File Type:pdf, Size:1020Kb

Download full-text PDF Read full-text
Phd Thesis.Pdf UNIVERSIDADE DE LISBOA INSTITUTO SUPERIOR TECNICO´ Unobservable Multimedia-based Covert Channels for Internet Censorship Circumvention Diogo Miguel Barrinha Barradas Supervisor: Doctor Lu´ısEduardo Teixeira Rodrigues Co-Supervisor: Doctor Nuno Miguel Carvalho dos Santos Thesis approved in public session to obtain the PhD Degree in Computer Science and Engineering Jury Final Classification: Pass with Distinction and Honour 2021 UNIVERSIDADE DE LISBOA INSTITUTO SUPERIOR TECNICO´ Unobservable Multimedia-based Covert Channels for Internet Censorship Circumvention Diogo Miguel Barrinha Barradas Supervisor: Doctor Lu´ısEduardo Teixeira Rodrigues Co-Supervisor: Doctor Nuno Miguel Carvalho dos Santos Thesis approved in public session to obtain the PhD Degree in Computer Science and Engineering Jury Final Classification: Pass with Distinction and Honour Jury Chairperson: Doctor Jos´eManuel da Costa Alves Marques, Instituto Superior T´ecnico, Universidade de Lisboa Members of the Committee: Doctor Lu´ıs Eduardo Teixeira Rodrigues, Instituto Superior T´ecnico, Universidade de Lisboa Doctor Henrique Jo~ao Lopes Domingos, Faculdade de Ci^encias e Tecnologia, Universidade Nova de Lisboa Doctor Mohammad Tariq Ehsan Elahi, School of Informatics, University of Edinburgh, UK Doctor Bruno Emanuel da Gra¸ca Martins, Instituto Superior T´ecnico, Universidade de Lisboa Funding Institutions Universidade de Lisboa Funda¸c~aopara a Ci^enciae Tecnologia 2021 Acknowledgements The work presented in this thesis was only made possible with the help of many people who crossed my path during the last few years. I am forever grateful to them. I start by expressing my kind thanks to my supervisor, Prof. Lu´ısRodrigues, who first incentivized me to pursue a Ph.D.. Apart from instilling the value of hard work, from all the helpful discussions, and from the countless insights he shared with me regarding numerous academic affairs, I mainly thank him for continuously challenging me to deliver high-quality work and for pushing me beyond my limits. In like manner, I warmly thank my co-supervisor, Prof. Nuno Santos, for his constant and energetic encouragement, absolutely critical brainstorming sessions, and for the many hours invested in methodologically training me to conduct research, to write clearly, and to present ideas neatly. I am deeply honored for the opportunity to work, study, and learn under their guidance. Their fierce dedication has inspired me to pursue an academic career and I hope our paths may cross again in the future. During my Ph.D., I had the opportunity to collaborate and learn from other talented researchers and faculty. I thank my co-authors Salvatore Signorello, Fernando Ramos, Zachary Weinberg, and Nicolas Christin. Working with them gave me the opportunity to broaden the spectrum of my research and helped me grow as a scientist. I would also like to thank the faculty of the Distributed Systems Group (GSD) at INESC-ID for their willingness to exchange ideas and for the many times their valuable advice helped me shape and improve my research. I would like to thank all my friends and colleagues at GSD for their companionship and support. I am grateful for all the great times we spent together, including the many meals, drinks, and coffee breaks shared over the last few years. In no particular order, I thank: Jo~aoLoff, Tiago Brito, Miguel Coimbra, Jo~aoSantos, Igor Zavalyshyn, Daniel Castro, Daniel Andrade, Paulo Silva, Pedro Joaquim, Manuel Bravo, Subhajit Sidhanta, Daharewa Gureya, Rodrigo Bruno, Richard Martinez, Paolo Laffranchini, Shady Issa, Cl´audioCorreia, Taras Lykhenko, Jo~aoNeto, Mennan Selimi, and Pedro Raminhas. A special thanks goes to Daniel Porto, the networking wizard who always found the time for discussing the details of my experimental setups with me. Most importantly, I would like to thank the unconditional support of all my long-time friends and family who were always there for me throughout this journey. I wholeheartedly thank Maria for her never-ending encouragement, for her patience to stay by my side despite the constant deadlines, and for shifting the weights on my work-life balance scale. Our evening strolls kept me sane during the long weeks where all experiments seemed to go nowhere. This work has been partially funded by the Universidade de Lisboa (via the BD2018 doctoral scholarship) and by Funda¸c~aopara a Ci^enciae Tecnologia (FCT) (via the SFRH/BD/136967/2018 grant, the project COSMOS with reference PTDC/EEI-COM/29271/2017, and the INESC-ID funding with reference UIDB/50021/2020). To a world where people can speak up their minds without fear, Abstract Totalitarian states are known to deploy large-scale surveillance and censorship mechanisms in order to deter citizens from accessing or publishing information on the Internet. Still, even the most oppressive regimes cannot afford to always block all channels with the outside world, and usually allow the operation of widely used services such as video-conferencing applications. This has given rise to the development of censorship-resistant communication tools that rely on the establishment of covert channels in the Internet by encoding covert data within popular multimedia protocols that use encrypted communication, e.g., Skype. A recent approach for the design of such tools, named multimedia protocol tunneling, modulates covert data into the audio and/or video feeds provided to multimedia applications. However, depending on the techniques used to embed covert data, and on the amount of information to embed, multimedia protocol tunneling tools may generate network flows that differ subtly from legitimate flows that do not carry covert channels. Notably, such differences can be uncovered using strictly passive methods (e.g., by observing the length or inter-arrival time of network packets). Incidentally, one of the major challenges faced by the above tools is that of achieving a proper balance between traffic analysis resistance and performance (e.g., achieve sufficient throughput for enabling web browsing activities). This thesis focuses on the study of the efficacy of multimedia protocol tunneling tools to evade the censorship apparatus deployed by network adversaries, while providing sufficient performance for enabling common Internet activities (e.g., web browsing). First, we show that the covert channels generated by existing tools are prone to detection. Specifically, we developed a new machine learning (ML)-based traffic analysis framework which has broken the security assumptions of recent multimedia protocol tunneling tools. Second, we show that network adversaries currently possess the means to perform sophisticated ML-based network flow classification tasks at line-speed. To this end, we worked towards the efficient deployment of multiple ML-based traffic analysis frameworks (including our own) in programmable switches. Third, we devised a new technique for creating traffic analysis resistant covert channels over multimedia streams. Our approach, based on the careful modification of the video encoding pipeline of the WebRTC framework, allows for the creation of high-speed covert channels over multimedia flows whose traffic patterns closely resemble those of legitimate flows. Organization of the document: The dissertation is divided in two parts. The first part provides the motivation and background for my work, identifies the main contributions of the thesis, offers an overview of the results achieved, and proposes directions for future work. The second part consists of a collection of the main papers that resulted from my work. This part reflects the content of the published papers, with minor formatting adjustments to fit the layout of the dissertation. Resumo Nos dias de hoje, v´ariosregimes repressivos empregam mecanismos de censura na Internet com o intuito de impedir o acesso ou publica¸c~aode conte´udoconsiderado sens´ıvel, por parte dos cidad~aos.Apesar disto, a maioria destes regimes permite a opera¸c~aode servi¸cos considerados essenciais, tais como aplica¸c~oes de videoconfer^encia.Este facto motivou o desenvolvimento de ferramentas de comunica¸c~aoresistentes `acensura, que dependem da oculta¸c~aode dados sens´ıveis em protocolos multim´edia,como o Skype, que usam canais de comunica¸c~aocifrados. Uma abordagem promissora, seguida na concep¸c~aodestas ferramentas, ´ebaseada na mod- ula¸c~aode dados ocultos nas tramas de v´ıdeofornecidas `asaplica¸c~oes multim´edia.No entanto, dependendo da fun¸c~aomoduladora e da quantidade de dados a codificar, a utiliza¸c~aodas ferra- mentas geradoras de t´uneisem protocolos multim´edia(FGTPM) pode originar fluxos de rede que diferem de fluxos leg´ıtimosque n~aotransportam dados ocultos. E´ de frisar que estas diferen¸cas podem ser identificadas atrav´esde m´etodos estritamente passivos (por exemplo, atrav´esda ob- serva¸c~aodo comprimento dos pacotes dos fluxos). Assim, um dos principais desafios enfrentados pelas FGTPM consiste em alcan¸carum equil´ıbrioentre o grau de resist^enciaa an´alisede tr´afego e o desempenho oferecido (e.g., atingir d´ebitosuficiente para permitir a navega¸c~aona Internet). Esta tese visa o estudo das possibilidades oferecidas pelas FGTPM no que diz respeito `a gera¸c~aode canais encobertos que oferecem simultaneamente alto d´ebitoe resist^enciaa an´alise de tr´afego.Em primeiro lugar, mostramos que as FGTPM existentes s~aofacilmente detect´aveis. Especificamente, desenvolvemos uma nova metodologia de an´alisede tr´afegobaseada em apren- dizagem autom´atica(AA) capaz de detectar as FGTPM recentes com elevada precis~ao. Em segundo lugar, mostramos que um censor contempor^aneopossui os meios para executar a classi- fica¸c~aode fluxos de rede, baseada em AA, em tempo real. Nomeadamente, estud´amosa utiliza¸c~ao de t´ecnicasde an´alisede tr´afegobaseadas em AA em comutadores program´aveis. Por ´ultimo, introduzimos uma nova t´ecnicapara gerar canais encobertos em fluxos multim´edia,resistentes `aan´alisede tr´afego.A nossa abordagem, baseada na instrumenta¸c~aoda codifica¸c~aode v´ıdeo da plataforma WebRTC, permite a cria¸c~aode canais encobertos com d´ebito elevado atrav´esde fluxos multim´edia cujos padr~oesde tr´afegose assemelham aos de fluxos leg´ıtimos.
Load more

Recommended publications
  • An ISP-Scale Deployment of Tapdance
    An ISP-Scale Deployment of TapDance Sergey Frolov Fred Douglas Will Scott Eric Wustrow Google Allison McDonald University of Colorado Boulder Benjamin VanderSloot University of Michigan Rod Hynes Michalis Kallitsis David G. Robinson Adam Kruger Merit Network Upturn Psiphon Steve Schultze Nikita Borisov J. Alex Halderman Georgetown University Law University of Illinois University of Michigan Center ABSTRACT network operators, who provide censorship circumvention In this talk, we will report initial results from the world’s functionality for any connection that passes through their net- first ISP-scale field trial of a refraction networking system. works. To accomplish this, clients make HTTPS connections Refraction networking is a next-generation censorship cir- to sites that they can reach, where such connections traverse cumvention approach that locates proxy functionality in the a participating network. The participating network operator middle of the network, at participating ISPs or other network recognizes a steganographic signal from the client and ap- operators. We built a high-performance implementation of pends the user’s requested data to the encrypted connection the TapDance refraction networking scheme and deployed it response. From the perspective of the censor, these connec- on four ISP uplinks with an aggregate bandwidth of 100 Gbps. tions are indistinguishable from normal TLS connections to Over one week of operation, our deployment served more sites the censor has not blocked. To block the refraction con- than 50,000 real users. The experience demonstrates that nections, the censor would need to block all connections that TapDance can be practically realized at ISP scale with good traverse a participating network.
    [Show full text]
  • Threat Modeling and Circumvention of Internet Censorship by David Fifield
    Threat modeling and circumvention of Internet censorship By David Fifield A dissertation submitted in partial satisfaction of the requirements for the degree of Doctor of Philosophy in Computer Science in the Graduate Division of the University of California, Berkeley Committee in charge: Professor J.D. Tygar, Chair Professor Deirdre Mulligan Professor Vern Paxson Fall 2017 1 Abstract Threat modeling and circumvention of Internet censorship by David Fifield Doctor of Philosophy in Computer Science University of California, Berkeley Professor J.D. Tygar, Chair Research on Internet censorship is hampered by poor models of censor behavior. Censor models guide the development of circumvention systems, so it is important to get them right. A censor model should be understood not just as a set of capabilities|such as the ability to monitor network traffic—but as a set of priorities constrained by resource limitations. My research addresses the twin themes of modeling and circumvention. With a grounding in empirical research, I build up an abstract model of the circumvention problem and examine how to adapt it to concrete censorship challenges. I describe the results of experiments on censors that probe their strengths and weaknesses; specifically, on the subject of active probing to discover proxy servers, and on delays in their reaction to changes in circumvention. I present two circumvention designs: domain fronting, which derives its resistance to blocking from the censor's reluctance to block other useful services; and Snowflake, based on quickly changing peer-to-peer proxy servers. I hope to change the perception that the circumvention problem is a cat-and-mouse game that affords only incremental and temporary advancements.
    [Show full text]
  • Enhancing System Transparency, Trust, and Privacy with Internet Measurement
    Enhancing System Transparency, Trust, and Privacy with Internet Measurement by Benjamin VanderSloot A dissertation submitted in partial fulfillment of the requirements for the degree of Doctor of Philosophy (Computer Science and Engineering) in the University of Michigan 2020 Doctoral Committee: Professor J. Alex Halderman, Chair Assistant Professor Roya Ensafi Research Professor Peter Honeyman Assistant Professor Baris Kasikci Professor Kentaro Toyama Benjamin VanderSloot [email protected] ORCID iD: 0000-0001-6528-3927 © Benjamin VanderSloot 2020 ACKNOWLEDGEMENTS First and foremost, I thank my wife-to-be, Alexandra. Without her unwavering love and support, this dissertation would have remained unfinished. Without her help, the ideas here would not be as strong. Without her, I would not be here. Thanks are also due to my advisor, J. Alex Halderman, for giving me the independence and support I needed to find myself. I also thank Peter Honeyman for sharing his experience freely, both with history lessons and mentorship. Thank you Roya Ensafi, for watching out for me since we met. Thank you Baris Kasikci and Kentaro Toyama, for helping me out the door, in spite of the ongoing pandemic. I owe a great debt to my parents, Craig and Teresa VanderSloot, for raising me so well. No doubt the lessons about perseverance and hard work were put to good use. Your pride has been fuel to my fire for a very long time now. I also owe so much to my sister, Christine Kirbitz, for being the best example a little brother could hope for. I always had a great path to follow and an ear to share my problems with.
    [Show full text]
  • Predictroute: a Network Path Prediction Toolkit
    PredictRoute: A Network Path Prediction Toolkit RACHEE SINGH, University of Massachusetts, Amherst, USA DAVID TENCH, University of Massachusetts, Amherst, USA PHILLIPA GILL, University of Massachusetts, Amherst, USA ANDREW MCGREGOR, University of Massachusetts, Amherst, USA Accurate prediction of network paths between arbitrary hosts on the Internet is of vital importance for network operators, cloud providers, and academic researchers. We present PredictRoute, a system that predicts network paths between hosts on the Internet using historical knowledge of the data and control plane. In addition to feeding on freely available traceroutes and BGP routing tables, PredictRoute optimally explores network paths towards chosen BGP prefixes. PredictRoute’s strategy for exploring network paths discovers 4X more autonomous system (AS) hops than other well-known strategies used in practice today. Using a corpus of traceroutes, PredictRoute trains probabilistic models of routing towards prefixes on the Internet to predict network paths and their likelihood. PredictRoute’s AS-path predictions differ from the measured path byat most 1 hop, 75% of the time. We expose PredictRoute’s path prediction capability via a REST API to facilitate its inclusion in other applications and studies. We additionally demonstrate the utility of PredictRoute in improving real-world applications for circumventing Internet censorship and preserving anonymity online. CCS Concepts: • Mathematics of computing ! Paths and connectivity problems; Markov networks; • Net- works ! Routing protocols; Wide area networks; Public Internet. Additional Key Words and Phrases: network measurement; Internet path prediction ACM Reference Format: Rachee Singh, David Tench, Phillipa Gill, and Andrew McGregor. 2021. PredictRoute: A Network Path Prediction Toolkit . Proc. ACM Meas. Anal. Comput. Syst.
    [Show full text]
  • The Use of TLS in Censorship Circumvention
    The use of TLS in Censorship Circumvention Sergey Frolov Eric Wustrow University of Colorado Boulder University of Colorado Boulder [email protected] [email protected] Abstract—TLS, the Transport Layer Security protocol, has TLS [54], and adoption continues to grow as more websites, quickly become the most popular protocol on the Internet, already services, and applications switch to TLS. used to load over 70% of web pages in Mozilla Firefox. Due to its ubiquity, TLS is also a popular protocol for censorship Given the prevalence of TLS, it is commonly used by circumvention tools, including Tor and Signal, among others. circumvention tools to evade Internet censorship. Because However, the wide range of features supported in TLS makes censors can easily identify and block custom protocols [30], it possible to distinguish implementations from one another by circumvention tools have turned to using existing protocols. what set of cipher suites, elliptic curves, signature algorithms, and TLS offers a convenient choice for these tools, providing other extensions they support. Already, censors have used deep plenty of legitimate cover traffic from web browsers and packet inspection (DPI) to identify and block popular circumven- other TLS user, protection of content from eavesdroppers, and tion tools based on the fingerprint of their TLS implementation. several libraries to choose from that support it. In response, many circumvention tools have attempted to mimic popular TLS implementations such as browsers, but this However, simply using TLS for a transport protocol is technique has several challenges. First, it is burdensome to keep not enough to evade censors. Since TLS handshakes are not up with the rapidly-changing browser TLS implementations, and encrypted, censors can identify a client’s purported support for know what fingerprints would be good candidates to mimic.
    [Show full text]
  • Conjure: Summoning Proxies from Unused Address Space
    Conjure: Summoning Proxies from Unused Address Space Sergey Frolov Jack Wampler Sze Chuen Tan University of Colorado Boulder University of Colorado Boulder UIUC J. Alex Halderman Nikita Borisov Eric Wustrow University of Michigan UIUC University of Colorado Boulder ABSTRACT Refraction Networking (formerly known as “Decoy Routing”) has emerged as a promising next-generation approach for circumvent- ing Internet censorship. Rather than trying to hide individual cir- cumvention proxy servers from censors, proxy functionality is implemented in the core of the network, at cooperating ISPs in friendly countries. Any connection that traverses these ISPs could be a conduit for the free flow of information, so censors cannot eas- ily block access without also blocking many legitimate sites. While one Refraction scheme, TapDance, has recently been deployed at ISP-scale, it suffers from several problems: a limited number of “decoy” sites in realistic deployments, high technical complexity, Figure 1: Conjure Overview — An ISP deploys a Conjure station, which and undesirable tradeoffs between performance and observability sees a passive tap of passing traffic. Following a steganographic registration by the censor. These challenges may impede broader deployment process, a client can connect to an unused IP address in the ISP’s AS, and and ultimately allow censors to block such techniques. the station will inject packets to communicate with the client as if there were a proxy server at that address. We present Conjure, an improved Refraction Networking ap- proach that overcomes these limitations by leveraging unused ad- dress space at deploying ISPs. Instead of using real websites as the decoy destinations for proxy connections, our scheme connects 1 INTRODUCTION to IP addresses where no web server exists leveraging proxy func- Over half of Internet users globally now live in countries that block tionality from the core of the network.
    [Show full text]
  • Protocol Proxy: an FTE-Based Covert Channel
    Computers & Security 92 (2020) 101777 Contents lists available at ScienceDirect Computers & Security journal homepage: www.elsevier.com/locate/cose Protocol Proxy: An FTE-based covert channel ∗ Jonathan Oakley , Lu Yu, Xingsi Zhong, Ganesh Kumar Venayagamoorthy, Richard Brooks Department of Electrical and Computer Engineering, Clemson University, Clemson, SC, USA a r t i c l e i n f o a b s t r a c t Article history: In a hostile network environment, users must communicate without being detected. This involves blend- Received 25 September 2019 ing in with the existing traffic. In some cases, a higher degree of secrecy is required. We present a proof- Revised 24 December 2019 of-concept format transforming encryption (FTE)-based covert channel for tunneling TCP traffic through Accepted 22 February 2020 protected static protocols. Protected static protocols are UDP-based protocols with variable fields that can- Available online 24 February 2020 not be blocked without collateral damage, such as power grid failures. We (1) convert TCP traffic to UDP Keywords: traffic, (2) introduce observation-based FTE, and (3) model interpacket timing with a deterministic Hid- Covert channel den Markov Model (HMM). The resulting Protocol Proxy has a very low probability of detection and is Format Transforming Encryption (FTE) an alternative to current covert channels. We tunnel a TCP session through a UDP protocol and guaran- Steganography tee delivery. Observation-based FTE ensures traffic cannot be detected by traditional rule-based analysis Traffic analysis or DPI. A deterministic HMM ensures the Protocol Proxy accurately models interpacket timing to avoid Deep Packet Inspection (DPI) detection by side-channel analysis.
    [Show full text]
  • Practical Countermeasures Against Network Censorship
    Practical Countermeasures against Network Censorship by Sergey Frolov B.S.I.T., Lobachevsky State University, 2015 M.S.C.S., University of Colorado, 2017 A thesis submitted to the Faculty of the Graduate School of the University of Colorado in partial fulfillment of the requirements for the degree of Doctor of Philosophy Department of Computer Science 2020 Committee Members: Eric Wustrow, Chair Prof. Sangtae Ha Prof. Nolen Scaife Prof. John Black Prof. Eric Keller Dr. David Fifield ii Frolov, Sergey (Ph.D., Computer Science) Practical Countermeasures against Network Censorship Thesis directed by Prof. Eric Wustrow Governments around the world threaten free communication on the Internet by building increasingly complex systems to carry out Network Censorship. Network Censorship undermines citizens’ ability to access websites and services of their preference, damages freedom of the press and self-expression, and threatens public safety, motivating the development of censorship circumvention tools. Inevitably, censors respond by detecting and blocking those tools, using a wide range of techniques including Enumeration Attacks, Deep Packet Inspection, Traffic Fingerprinting, and Active Probing. In this dissertation, I study some of the most common attacks, actually adopted by censors in practice, and propose novel attacks to assist in the development of defenses against them. I describe practical countermeasures against those attacks, which often rely on empiric measurements of real-world data to maximize their efficiency. This dissertation also reports how this work has been successfully deployed to several popular censorship circumvention tools to help censored Internet users break free of the repressive information control. iii Acknowledgements I am thankful to many engineers and researchers from various organizations I had a pleasure to work with, including Google, Tor Project, Psiphon, Lantern, and several universities.
    [Show full text]
  • Obfuscating Network Traffic to Circumvent Censorship
    Obfuscating Network Traffic to Circumvent Censorship Awn Umar MEng Mathematics and Computer Science University of Bristol May 21, 2021 Abstract This report explores some techniques used to censor information in transit on the Internet. The attack surface of the Internet is explained as well as how this affects the potential for abuse by powerful nation state adversaries. Previous research and existing traffic fingerprinting and obfuscation techniques are discussed. Rosen, a modular and flexible proxy tunnel, is introduced and evaluated against state-of-the- art DPI engines, as are some existing censorship circumvention tools. Rosen is also successfully tested from behind the Great Firewall in China. 1 Contents 1 Contextual Background 3 1.1 Information on the Internet.....................................3 1.2 Security of Internet Protocols....................................3 1.3 Exploitation of the Internet by Nation States...........................5 1.3.1 Mass Surveillance.......................................5 1.3.2 Censorship..........................................6 1.4 Ethic of Responsibility........................................7 2 Project Definition 7 2.1 Aim and Objectives.........................................7 2.2 Scope.................................................8 2.3 Vocabulary..............................................8 3 Adversarial Model 8 4 Traffic Identification Methods 11 4.1 Endpoint-Based Filtering...................................... 11 4.2 Traffic Fingerprinting........................................ 13 5 Network
    [Show full text]
  • To Date, Only Tapdance [59], One of Six Refraction Networking Future Censor Techniques with Greater Agility
    CCS ’19, November 11–15, 2019, London, United Kingdom Sergey Frolov, Jack Wampler, Sze Chuen Tan, J. Alex Halderman, Nikita Borisov, and Eric Wustrow To date, only TapDance [59], one of six Refraction Networking future censor techniques with greater agility. We believe that these proposals, has been deployed at ISP scale [20]. advantages will make Conjure a strong choice for future Refraction TapDance was designed for ease of deployment. Instead of in-line Networking deployments. network devices required by earlier schemes, it calls for only a pas- We have released the open source implementation of the Conjure sive tap. This łon-the-sidež approach, though much friendlier from client at https://github.com/refraction-networking/gotapdance/tree/ an ISP’s perspective, leads to major challenges when interposing dark-decoy. in an ongoing client-to-decoy connection: • Implementation is complex and error-prone, requiring kernel 2 BACKGROUND patches or a custom TCP stack. • To avoid detection, the system must carefully mimic subtle Refraction Networking operates by injecting covert communica- features of each decoy’s TCP and TLS behavior. tion inside a client’s HTTPS connection with a reachable site, also • The architecture cannot resist active probing attacks, where known as a decoy site. In a regular HTTPS session, a client es- the censor sends specially crafted packets to determine whether tablishes a TCP connection, performs a TLS handshake with a a suspected connection is using TapDance. destination site, sends an encrypted web request, and receives an • Interactions with the decoy’s network stack limit the length encrypted response. In Refraction Networking, at least one direc- and duration of each connection, forcing TapDance to multi- tion of this exchange is observed by a refraction station, deployed plex long-lived proxy connections over many shorter decoy at some Internet service provider (ISP).
    [Show full text]
  • Decentralized Control: a Case Study of Russia
    Decentralized Control: A Case Study of Russia Reethika Ramesh∗, Ram Sundara Raman∗, Matthew Bernhard∗, Victor Ongkowijaya∗, Leonid Evdokimov†, Anne Edmundson†, Steven Sprecher∗, Muhammad Ikram‡, Roya Ensafi∗ ∗University of Michigan, {reethika, ramaks, matber, victorwj, swsprec, ensafi}@umich.edu ‡ Macquarie University, †Independent, [email protected] Abstract—Until now, censorship research has largely focused decades, receiving significant global and academic attention as a on highly centralized networks that rely on government-run result. [4], [30], [44], [83]. As more citizens of the world begin technical choke-points, such as the Great Firewall of China. to use the Internet and social media, and political tensions begin Although it was previously thought to be prohibitively difficult, to run high, countries with less centralized networks have also large-scale censorship in decentralized networks are on the started to find tools to exert control over the Internet. Recent rise. Our in-depth investigation of the mechanisms underlying years have seen many unsophisticated attempts to wrestle with decentralized information control in Russia shows that such large-scale censorship can be achieved in decentralized networks decentralized networks, such as Internet shutdowns which, due through inexpensive commodity equipment. This new form of to their relative ease of execution, have become the de facto information control presents a host of problems for censorship censorship method of choice in some countries [14], [36], measurement, including difficulty identifying censored content, re- [82]. While some preliminary studies investigating information quiring measurements from diverse perspectives, and variegated control in decentralized networks have examined India [88], censorship mechanisms that require significant effort to identify Thailand [26], Portugal [60], [61], and other countries, there has in a robust manner.
    [Show full text]
  • Traffic Analysis Resistant Infrastructure
    Clemson University TigerPrints All Dissertations Dissertations August 2020 Traffic Analysis Resistant Infrastructure Jonathan Oakley Clemson University, [email protected] Follow this and additional works at: https://tigerprints.clemson.edu/all_dissertations Recommended Citation Oakley, Jonathan, "Traffic Analysis Resistant Infrastructure" (2020). All Dissertations. 2673. https://tigerprints.clemson.edu/all_dissertations/2673 This Dissertation is brought to you for free and open access by the Dissertations at TigerPrints. It has been accepted for inclusion in All Dissertations by an authorized administrator of TigerPrints. For more information, please contact [email protected]. Traffic Analysis Resistant Infrastructure A Dissertation Presented to the Graduate School of Clemson University In Partial Fulfillment of the Requirements for the Degree Doctor of Philosophy Computer Engineering by Jonathan Oakley August 2020 Accepted by: Dr. Richard Brooks, Committee Chair Dr. James Martin Dr. Harlan Russell Dr. Kuang-Ching Wang Abstract Network traffic analysis is using metadata to infer information from traffic flows. Network traffic flows are the tuple of source IP, source port, destination IP, and destination port. Additional information is derived from packet length, flow size, interpacket delay, Ja3 signature, and IP header options. Even connections using TLS leak site name and cipher suite to observers. This metadata can profile groups of users or individual behaviors. Statistical properties yield even more information. The hidden Markov model can track the state of protocols where each state transition results in an observation. Format Transforming Encryption (FTE) encodes data as the payload of another protocol. The emulated protocol is called the host protocol. Observation-based FTE is a particular case of FTE that uses real observations from the host protocol for the transformation.
    [Show full text]