The Parrot is Dead:Observing Unobservable Network Communications

CS898AB PRIVACY ENHANCING TECHNOLOGIES

DR. MURTUZA JADLIWALAPRESENTED BY

QASEM ALBASHA

Content1- Introduction2- Req. For Parrot Circumvention3- Parrot Circumvention Systems4- Adversary Models5- Parrot Circumvention Flows6- Conclusion

Unobservability By Imitation

*Unobservability: a censor can neither recognize the traffic generated by the circumvention system, nor identify the endpoints engaged in circumvention.

*Imitating an unpopular protocol is futile because the censor will simply block both the genuine protocol and its imitations.

Req. for Parrot Circumvention

A. Mimicking the protocol in its entirety

B. Mimicking reaction to errors and network conditions

C. Mimicking typical traffic

D. Mimicking implementation specific artifacts

A. Mimicking the protocol in its entirety

1-SideProtocols. e.g. VoIP session involves three protocols: SIP, RTP, and RTCP.

2- IntraDepend: e.g. VoIP session starts with SIP followed by RTP and RTCP connections. 3- InterDepend. e.g. an HTTP request often triggers multiple DNS queries.

B. Mimicking reaction to errors and network conditions

1- The parrot must produce at least some reaction to any possible error that might occur in the target protocol

2- Reactions to all possible errors must be consistent.

C. Mimicking typical traffic

1-Content: formats for headers and payloads.

2- Patterns: packet sizes, counts, inter-packet intervals, and flow rates.

D. Mimicking implementation specific artifacts

1- Soft: e.g. HTTP request headers include information about the browser 2- OS: can often be revealed by the recognizable characteristics of specific client and server software.

Parrot Circumvention Systems

1. Skype Morph: mimic Skype video calls2. CensorSpoofer: mimic SIP based

Voice-Over-IP3. StegoTorus: mimic Skype and/or HTTP

SkypeMorph

SkypeMorph Client

Local Network

Skype

SkypeMorph Bridge Tor Node

Firewall

StegoTorus

StegoTorus Client

Local Network

StegoTorus Bridge Tor Node

Firewall

HTTP

HTTP

Skype

Ventrilo

CensorSpoofer

Client

Local Network Blocked.com

CensorSpooferIndirect Server

Firewall

Dummy Server

The Parrot is Dead

“unobservability by imitation” is fundamentally flawed.

*To win, the censor needs only to find a few discrepancies, while the parrot must satisfy a daunting list of imitation requirements.

Adversary Capability Classification

1- Passive attacks: statistical and behavioral analysis, packet inspection

2- Active attacks: manipulation of network traffic

3-Proactive attacks: identify network entities

1- Local adversary (LO)

2- State-level oblivious adversary (OB)

3- State-level omniscient adversary (OM)

Adversary Knowledge Classification

Costs of censorship More resource-intensive

SlowerMore false positives

Cheap and fastDoable at line speed

Very accurate

Machine learning

Statistical analysis

Proactive probing

Active probing

Inspecting protocol signatures

Inspecting keywords

IP filtering

Hide

-with

in

Trad

ition

al sy

stem

s

Passive Attacks To Detect Skype Parrots

Detect Improved Skype Parrots

Distinguishing Censorspoofer From Genuine SIP Clients

Responses to Different httprecon Requests

Skype TCP activity with and without changes in bandwidth

Correlated behavior of StegoToru connections

Conclusion

1- Understanding of the adversaries is a must.2- Unobservability by imitation is a fundamentally flawed approach, To achieve unobservability, the parrot must mimic a concrete implementation and be compatible with every implementation-specific quirk and bug3- Partial imitation is worse than no imitation at all.

Not mimicing, but run the actual protocol FreeWave