DPIFuzz: A Differential Fuzzing Framework to Detect DPI Elusion Strategies for QUIC

QUIC is an emerging transport protocol that has the potential to replace TCP in the near future. As such, QUIC will become an important target for Deep Packet Inspection (DPI). Reliable DPI is essential, e.g., in corporate environments, to monitor traffic entering and leaving the network. However, elusion strategies threaten the validity of DPI systems, as they allow attackers to carefully craft traffic that fools, and thus evades, on-path DPI systems. While such elusion strategies for TCP are well documented, it is unclear whether attackers will be able to elude QUIC-based DPI systems. In this paper, we systematically explore elusion methodologies for QUIC. To this end, we present DPIFuzz: a differential fuzzing framework which can automatically detect strategies to elude stateful DPI systems for QUIC. We use DPIFuzz to generate and mutate QUIC streams in order to compare (and find differences in) the server-side interpretations of five popular open-source QUIC implementations. We show that DPIFuzz successfully reveals DPI elusion strategies, such as using packets with duplicate packet numbers or exploiting the diverging handling of overlapping stream offsets by QUIC implementations. DPIFuzz additionally finds four security-critical vulnerabilities in these QUIC implementations.
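As an added illustration (not DPIFuzz's own code, and not code from any of the five implementations the paper tested), the following Python model shows the differential check behind the two strategies named above: overlapping STREAM-frame offsets and duplicate packet numbers. Several receiver policies are run over the same constructed packets, and any disagreement between a "DPI-side" view and a "server-side" view is a candidate elusion strategy. The `Packet` type, the policy names and the request bytes are assumptions made for the example; real QUIC packets carry encrypted, variable-length-encoded frames, not these records.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    """Simplified model of one QUIC packet carrying one STREAM frame (assumption)."""
    pn: int        # packet number (one packet-number space assumed)
    offset: int    # STREAM frame offset
    data: bytes    # STREAM frame payload


def reassemble(packets, overlap="first", dedup_pn=True):
    """Reassemble the contiguous stream prefix from offset 0 under one policy.

    overlap:  "first"  - bytes already buffered win; later overlap is ignored
              "last"   - later frames overwrite already-buffered bytes
              "reject" - conflicting bytes at the same offset abort reassembly
                         (RFC 9000 allows treating this as PROTOCOL_VIOLATION)
    dedup_pn: drop any packet whose number was already processed
              (RFC 9000 requires receivers to discard duplicate packet numbers)
    Returns the reassembled bytes, or None if the "reject" policy fired.
    """
    seen_pn = set()
    buf = {}  # absolute stream offset -> byte value
    for p in packets:
        if dedup_pn:
            if p.pn in seen_pn:
                continue
            seen_pn.add(p.pn)
        for i, b in enumerate(p.data):
            pos = p.offset + i
            if pos in buf:
                if overlap == "first":
                    continue
                if overlap == "reject" and buf[pos] != b:
                    return None
            buf[pos] = b
    out = bytearray()
    pos = 0
    while pos in buf:          # stop at the first gap
        out.append(buf[pos])
        pos += 1
    return bytes(out)


# Hypothetical policies: one "DPI" view and three "server" behaviours.
POLICIES = {
    "dpi_first_wins":  dict(overlap="first", dedup_pn=True),
    "srv_last_wins":   dict(overlap="last", dedup_pn=True),
    "srv_strict":      dict(overlap="reject", dedup_pn=True),
    "srv_no_pn_dedup": dict(overlap="last", dedup_pn=False),
}


def differential(packets, policies=POLICIES):
    """Run every policy over the same packets.

    Returns (views, discrepancy); a discrepancy means at least two policies
    reconstruct different stream contents, i.e. a candidate elusion strategy.
    """
    views = {name: reassemble(packets, **kw) for name, kw in policies.items()}
    return views, len(set(views.values())) > 1


# Constructed test streams (not captured traffic).
# Overlap case: the second frame rewrites the path under "last wins" only.
OVERLAP_CASE = [
    Packet(pn=1, offset=0, data=b"GET /benign.html"),
    Packet(pn=2, offset=5, data=b"secret.html"),
]
# Duplicate packet number: only a receiver that fails to de-duplicate sees it.
DUP_PN_CASE = [
    Packet(pn=1, offset=0, data=b"GET /benign.html"),
    Packet(pn=1, offset=5, data=b"secret.html"),
]

if __name__ == "__main__":
    for name, case in (("overlap", OVERLAP_CASE), ("dup_pn", DUP_PN_CASE)):
        views, diff = differential(case)
        print(name, "discrepancy:", diff)
        for policy, view in views.items():
            print("  ", policy, view)
```

In the overlap case the DPI-side view reads `GET /benign.html` while a last-wins server reads `GET /secret.html`, and a strict server aborts; in the duplicate-packet-number case only the receiver without packet-number de-duplication is affected. Whether an on-path inspector can apply such reassembly at all depends on what it can decrypt: QUIC stream payloads are protected by TLS 1.3 keys, so this applies to an interception proxy that holds the keys, or to the CRYPTO frames of Initial packets (protected only with keys derived from the Destination Connection ID), which carry offsets and can overlap in the same way.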
