L17-PartII - UMass Amherst

CS590B/690B DETECTING
NETWORK INTERFERENCE
(FALL 2016)
LECTURE 17
PART II – ATTACKS ON COVERT CHANNELS
PHILLIPA GILL – UMASS -- AMHERST
WHERE WE ARE
Last time:
• Started on covert channels
• SkypeMorph
• FreeWave
Today
• Parrot is dead
• Cover your ACKs
REVIEW
• What properties do circumvention systems aim to have?
• What is the key difference between SkypeMorph and
FreeWave?
• What properties might we consider when evaluating
stealthiness of our covert channel?
• Can we make any guarantees?
• Why is this hard?
TODAY
Why imitating existing protocols doesn’t work.
-> Parrot is Dead
Idea: imitation doesn’t work
ACKs: http://dedis.cs.yale.edu/dissent/papers/parrot-slides.pptx
-> Cover your ACKS
Idea: even tunneling over another protocol isn’t enough
PART 1: PARROT IS DEAD
Goals of unobservable circumvention:
Censors should not be able to identify
circumvention traffic or end-hosts through
passive, active, or proactive techniques
Side note: Parrot is dead is a reference to this skit:
https://www.youtube.com/watch?v=4vuW6tQ0218
LET’S HIDE!
[Diagram labels: Censorship Region; The Internet]
PARROT SYSTEMS
Imitate a popular protocol
• SkypeMorph (CCS’12)
• StegoTorus (CCS’12)
• CensorSpoofer (CCS’12)
SKYPEMORPH
[Diagram labels: Censorship Region; The Internet; Traffic Shaping; SkypeMorph Client; SkypeMorph Bridge; A Tor node]
SOM HEADER
• The start of message (SoM) header field is MISSING!
• Single-packet identifier, instead of sophisticated statistical traffic
analysis
SKYPEMORPH
[Diagram labels: Censorship Region; The Internet; TCP control; SkypeMorph Client; SkypeMorph Bridge; A Tor node]
SKYPEMORPH+
Let’s imitate the missing!
Hard to mimic dynamic behavior
• Active/proactive tests
CHECKING FOR SUPER NODES
• Idea: see if the SkypeMorph node is a real Skype node or not.
• Step 1: If the node can receive Skype calls from NATed users
in the censor’s network then it must be a super node.
• OR: If the censor has the IP address of a suspected
SkypeMorph, check if it is behind a NAT or not.
• If a Skype node is not behind a NAT by definition it is a super
node.
• Step 2: Run a Skype client, flush the cache of SuperNodes and
force connection to suspected SkypeMorph relay
• If no response/call support -> this is a SkypeMorph node.
OTHER TESTS
Test | Skype | SkypeMorph+
Flush Supernode cache | Serves as a SN | Rejects all Skype messages
Drop UDP packets | Burst of packets in TCP control | No reaction
Close TCP channel | Ends the UDP stream | No reaction
Delay TCP packets | Reacts depending on the type of message | No reaction
Close TCP connection to a SN | Initiates UDP probes | No reaction
Block the default TCP port | Connects to TCP ports 80 and 443 | No reaction
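Added example (not from the lecture or the paper it covers): for someone building an imitating transport, the OTHER TESTS table doubles as a conformance checklist. The Python below reads a constructed test-bench log and reports which of the table's tests still separate a candidate from real Skype. The probe and reaction identifiers, the log format and the 5-second window are assumptions made for this example.

```python
# Reference reactions copied from the Skype column of the OTHER TESTS table.
# The identifiers are hypothetical labels for the table's cells.
SKYPE_REFERENCE = {
    "flush_supernode_cache": "serves_as_sn",
    "drop_udp_packets": "tcp_control_burst",
    "close_tcp_channel": "ends_udp_stream",
    "delay_tcp_packets": "message_dependent_reaction",
    "close_tcp_connection_to_sn": "initiates_udp_probes",
    "block_default_tcp_port": "connects_tcp_80_443",
}
WINDOW = 5.0  # seconds allowed for a reaction (assumed value)

# Constructed test-bench log, not a real capture: "<seconds> PROBE|EVENT <name>"
SAMPLE_LOG = """\
0.0 PROBE flush_supernode_cache
0.4 EVENT rejects_all_skype_messages
10.0 PROBE drop_udp_packets
20.0 PROBE close_tcp_channel
40.0 PROBE close_tcp_connection_to_sn
41.2 EVENT initiates_udp_probes
50.0 PROBE block_default_tcp_port
58.0 EVENT connects_tcp_80_443
"""

def observed_reactions(log_text, window=WINDOW):
    """Map each probe to the first event seen within `window` seconds of it."""
    reactions, pending = {}, None
    for ts, kind, name in (l.split() for l in log_text.splitlines() if l.strip()):
        if kind == "PROBE":
            pending = (name, float(ts))
            reactions[name] = "no_reaction"
        elif kind == "EVENT" and pending:
            probe, started = pending
            # A late or second event does not count as the reaction.
            if float(ts) - started <= window and reactions[probe] == "no_reaction":
                reactions[probe] = name
    return reactions

def conformance_report(log_text, reference=SKYPE_REFERENCE):
    """Sort the reference tests into matching, distinguishing and untested."""
    seen = observed_reactions(log_text)
    report = {"match": [], "distinguishing": [], "untested": []}
    for probe, expected in reference.items():
        if probe not in seen:
            report["untested"].append(probe)
        elif seen[probe] == expected:
            report["match"].append(probe)
        else:
            report["distinguishing"].append((probe, expected, seen[probe]))
    return report
```

An empty "distinguishing" list only says the candidate passed the tests in this table; "untested" entries are tests the log never exercised.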
STEGOTORUS
[Diagram labels: Censorship Region; The Internet; StegoTorus Client; StegoTorus Bridge; A Tor node; HTTP (x3); Skype; Ventrilo]
Who does this???
STEGOTORUS CHOPPER
Chops Tor connection across other protocols.
Creates dependencies between links
STEGOTORUS-HTTP
Does not look like a typical HTTP server!
Most HTTP methods not supported!
LESSON 1
Unobservability by imitation is
fundamentally flawed!
You basically have to implement the entire protocol…
Bugs and all!
LESSON 2
Partial imitation is worse than no imitation!
Before you looked like a Tor user…
… now you look like a SkypeMorph user
K anonymity anyone?
ALTERNATIVE
Do not imitate; run the target protocol
i.e., FreeWave
IP over Voice-over-IP [NDSS’13]