TRANSCRIPT
Kevin Bock
Geneva: Evolving Censorship Evasion
In-network censorship by nation-states
Diagram: Client <-> Server, with the censor sitting in the network path
Spoofed tear-down packets: the censor injects a tear-down packet towards each side
The client terminated
The server terminated
Requires per-flow state
Censors necessarily take shortcuts
Evasion can take advantage of these shortcuts
Diagram: the client sends a tear-down packet with TTL=2; it reaches the censor at TTL=1 and expires (TTL=0) before reaching the server
Server: Still good
Censor's view: The client terminated
Censorship evasion research
Cycle: Measure → Hypothesize → Evade
1. Understand how censors operate
2. Apply insight to create evasion strategies
Largely manual efforts give censors the advantage
Our work gives evasion the advantage
AI-assisted censorship evasion research
Cycle: Measure → Hypothesize → Evade
1. Use AI to automatically learn new evasion strategies
2. Use the strategies the AI finds to understand how the censor works
Geneva: Genetic Evasion
Building Blocks, Composition, Mutation, Fitness
Geneva: Genetic Evasion - Building Blocks
Diagram: Client <-> Server, Geneva at the client
Geneva runs strictly at one side
Manipulates packets to and from the client
Four actions: Duplicate, Tamper, Fragment, Drop
Tamper: alter or corrupt any TCP/IP header field; no semantic understanding of what the fields mean
Fragment: fragment (IP) or segment (TCP)
Actions manipulate individual packets
Geneva: Genetic Evasion - Composition
Running a Strategy
Diagram: Client <-> Server; two packets leave the client, one with TTL=8 and one with TTL=2; the TTL=2 packet is shown expiring on the path before the server
Geneva: Genetic Evasion - Composition and Mutation
Building Blocks: Duplicate, Tamper, Fragment, Drop; actions manipulate individual packets
Composition: actions compose to form trees
Example tree, trigger out: tcp.flags=A
  Duplicate
    Tamper tcp.flags = R
      Tamper ip.ttl = 2
Mutation: randomly alter types, values, and trees
Geneva: Genetic Evasion - Fitness
Which individuals should survive to the next generation?
Successfully obtaining forbidden content
Not triggering on any packets
Breaking the TCP connection
Conciseness

Geneva: Genetic Evasion - Summary
Building Blocks: Duplicate, Tamper, Fragment, Drop; actions manipulate individual packets
Composition: actions compose to form trees (example: out: tcp.flags=A → Duplicate → Tamper tcp.flags = R → Tamper ip.ttl = 2)
Mutation: randomly alter types, values, and trees
Fitness: goal is the fewest actions needed to succeed; outcome labels on the fitness scale: No trigger, Break TCP, Successful, Concise
Geneva’s results – Real censor experiments
Protocols tested: HTTP, HTTPS, DNS, FTP, SMTP
China: injects TCP RSTs
India: injects a block page
Kazakhstan: injects & blackholes
Iran: injects & blackholes (*)
Diversity of censors, diversity of protocols
Geneva’s results – Real censor experiments
Censors: China, India, Kazakhstan, Iran
Species (the underlying bug): 6
Sub-species (how Geneva exploits it): 13
Variants (functionally distinct): 36
31 136 9
Turnaround species: trick the censor into thinking the client is the server
  Trigger out: tcp.flags=S → Duplicate → Tamper tcp.flags = SA

Segmentation species: segment the request, but not the keyword
  Trigger out: tcp.flags=PA → Fragment tcp:8:inorder → Fragment tcp:4:inorder
  GET /?search=ultrasurf is sent as three segments: "GET /?se" (first 8 bytes), "arch" (first 4 bytes of the remainder), "=ultrasurf" (rest of the remainder)
  Bounds shown on the slide: ≤ 8 and ≥ 12
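As an added worked example (not Geneva’s own code), a toy evaluator for the action trees shown on these slides: it runs the duplicate/tamper chain from the Composition slide and the 8-then-4 segmentation of GET /?search=ultrasurf from the Segmentation species on packets represented as plain dicts rather than real network traffic. The tuple encoding of actions, the field names tcp.flags, ip.ttl and payload, and the TTL value 64 are this example’s own assumptions.

```python
"""Toy evaluator for Geneva-style action trees (constructed example, not Geneva's code).
Packets are plain dicts (header fields plus a 'payload' string). Actions are tuples:
  ("tamper", field, value, child)     set a header field, continue with child
  ("duplicate", left, right)          two copies, one per branch
  ("fragment", offset, left, right)   TCP segmentation at a payload offset
  ("drop",)                           the packet is never sent
  None                                leaf: send the packet as it stands"""

def run(action, pkt):
    if action is None:
        return [pkt]
    kind = action[0]
    if kind == "drop":
        return []
    if kind == "tamper":
        _, field, value, child = action
        return run(child, {**pkt, field: value})
    if kind == "duplicate":
        _, left, right = action
        return run(left, dict(pkt)) + run(right, dict(pkt))
    if kind == "fragment":
        _, offset, left, right = action
        head = {**pkt, "payload": pkt["payload"][:offset]}
        tail = {**pkt, "payload": pkt["payload"][offset:]}
        return run(left, head) + run(right, tail)  # "inorder": head is sent first
    raise ValueError(f"unknown action {kind!r}")

def apply_strategy(trigger, action, pkt):
    """A strategy fires only on packets matching its trigger (e.g. out: tcp.flags=A)."""
    if all(pkt.get(k) == v for k, v in trigger.items()):
        return run(action, pkt)
    return [pkt]

# Composition slide: duplicate outbound ACKs; the first copy becomes an RST with
# ip.ttl=2 (expires in the network before the server), the second copy is untouched.
RST_TTL_STRATEGY = ({"tcp.flags": "A"},
                    ("duplicate",
                     ("tamper", "tcp.flags", "R", ("tamper", "ip.ttl", 2, None)),
                     None))

# Segmentation species: split the request at 8 bytes, then the remainder at 4.
SEGMENT_STRATEGY = ({"tcp.flags": "PA"},
                    ("fragment", 8, None, ("fragment", 4, None, None)))

def segments_of(payload):
    """Payload carried by each segment the segmentation strategy emits for one request."""
    pkt = {"tcp.flags": "PA", "ip.ttl": 64, "payload": payload}  # constructed packet
    return [p["payload"] for p in apply_strategy(*SEGMENT_STRATEGY, pkt)]

def keyword_intact(segments, keyword):
    """True when the keyword survives whole in exactly one segment, as the slide shows."""
    return sum(keyword in s for s in segments) == 1
```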
Server-side evasion
Diagram: clients sit inside the censoring regime; Geneva runs at the server, outside it
Potentially broadens reachability without any client-side deployment
Server-side evasion “shouldn’t” work
Handshake diagram (Client <-> Server): SYN → SYN/ACK → ACK → PSH/ACK (query, carrying the censored keyword) → ACK → PSH/ACK (response)
The SYN/ACK is all a server does before the client is censored
Fortunately, the AI doesn’t know it “shouldn’t” work
Server-side results
China: 8 strategies
Iran/India: 1 strategy
Kazakhstan: 3 strategies
None of these require any client-side deployment
Server-side evasion results: Double benign-GETs
Server sends uncensored GETs inside two SYN/ACKs: SYN/ACK (benign GET), SYN/ACK (benign GET)
Censor confuses connection direction
Server-side evasion results: Simultaneous-open-based desynchronization
Diagram (Client <-> Server) messages: SYN, SYN (corrupted), SYN, SYN/ACK, ACK, ACK, PSH/ACK (query), PSH/ACK (response)
TCP simultaneous open
Client sends a SYN/ACK
Censor de-synchronizes
Demo
New Model for Chinese Censorship
All of the server-side strategies operate strictly during the TCP 3-way handshake
So why are different applications affected differently in China?
New Model for Chinese Censorship
Sane model: one stack, IP → TCP → {DNS, HTTP, FTP}
Apparently what’s happening: separate stacks, IP → TCP → DNS, IP → TCP → HTTP, IP → TCP → FTP
They appear to be running multiple censoring middleboxes in parallel
How does the censor know which one to apply to a connection?
Not port number
They appear to apply protocol fingerprinting
Basic protocol confusion could be highly effective
Geneva defeats censorship-in-depth
February 2020: Iran launched a new system: a protocol filter
Censors connections that do not match protocol fingerprints
Those that do match are then subjected to standard censorship
Geneva discovered 3 strategies to evade Iran’s filter
Automating the arms race
AI has the potential to fast-forward the arms race for both sides
Bugs in implementation: easy for censors to fix the low-hanging fruit
Gaps in logic: harder for censors to fix systemic issues
What is the logical conclusion of the arms race?
Geneva Team
Kevin Bock, Louis-Henri Merino, Tania Arya, Daniel Liscinsky, Regina Pogosian, Yair Fax, George Hughey, Kyle Reese, Jasraj Singh, Kyle Hurley, Michael Harrity
Dave Levin, Xiao Qiang
Evolving censorship evasion
Geneva code and website: geneva.cs.umd.edu
Geneva: Genetic Evasion, client-side & server-side
Has found dozens of strategies
Quickly discovers new strategies
Gives the advantage to evaders