NISL实验室

Zhongjie Wang

Shitong Zhu

Yue Cao

Zhiyun Qian

Chengyu Song

Srikanth V. Krishnamurthy

Kevin S. Chan

Tracy D. Braun

NDSS

The Network and Distributed System Security (NDSS) Symposium fosters information exchange among researchers and practitioners of network and distributed system security.

Originally the Workshop on Network and Distributed System Security, the NDSS Symposium was first held in 1993 in San Diego, California. It was organized as a workshop of the Privacy and Security Research Group of the Internet Research Task Force (IRTF) and was hosted by the Internet Society and Lawrence Livermore National Laboratory.

The Internet Society has proudly hosted the NDSS Symposium ever since to foster the next generation of Internet security experts and to support open, accessible, and collaborative security to research to help strengthen the Internet.

The symposium is now a five-day hybrid event including three days of the main NDSS Symposium and two days of co-located workshops and symposia. Each event brings together hundreds of security educators, researchers and practitioners from all over the world. The event is designed to encourage and enable the Internet community to apply, deploy, and advance the state of practical security technologies.

A key characteristic of commonly deployed deep packet inspection (DPI) systems is that they implement a simpli- fied state machine of the network stack that often differs from that of the end hosts. The discrepancies between the two state machines have been exploited to bypass such DPI middleboxes. However, most prior approaches to do so rely on manually crafted adversarial packets, which not only is labor-intensive but may not work well across a plurality of DPI-based middleboxes. Our goal in this work is to develop an automated way to craft such candidate packets, targeting TCP implementations in particular. Our approach to achieve this goal hinges on the key insight that while the TCP state machines of DPI implementations are obscure, those of the end hosts are well established. Thus, in our system SYMTCP, using symbolic execution, we systematically explore the TCP implementation of an end host, identifying candidate packets that can reach critical points in the code (e.g., which causes the packets to be accepted or dropped/ignored); such automatically identified packets are then fed through the DPI middlebox to determine if a discrepancy is induced and the middlebox can be bypassed. We find that our approach is extremely effective. It can generate tens of thousands of candidate adversarial packets in less than an hour. When evaluating against multiple state-of-the-art DPI middleboxes such as Zeek and Snort, as well as a state-level censorship firewall, Great Firewall of China, we identify not only previously known evasion strategies, but also novel ones that were never previously reported (e.g., involving urgent pointer). The system can extend easily to test other combinations of operating systems and DPI middleboxes, and serve as a valuable testing tool of future DPIs’ robustness against evasion attempts.

SymTCP: Eluding Stateful Deep Packet Inspection with Automated Discrepancy Discovery

今天分享的论文是一篇针对网络审查的研究。该论文根据深度包检测系统（Deep Packet Inspection，DPI）与用户终端网络协议实现之间的差异，利用符号执行技术在TCP层自动化生成插入包（被DPI接受但被服务端忽略）与逃避包（被DPI忽略但被服务端接受）。

【论文分享】SymTCP：基于状态差异的自动化深度包检测逃逸技术

【论文分享】SymTCP：基于状态差异的自动化深度包检测逃逸技术

SymTCP: Eluding Stateful Deep Packet Inspection with Automated Discrepancy Discovery查看来源