SymTCP: Eluding Stateful Deep Packet Inspection with Automated Discrepancy Discovery

A key characteristic of commonly deployed deep packet inspection (DPI) systems is that they implement a simplified state machine of the network stack that often differs from that of end hosts. The discrepancies between the two state machines have been exploited to bypass such DPI-based middleboxes. However, most prior approaches rely on manually crafted adversarial packets, which are not only labor-intensive to produce but may not work well across a plurality of DPI-based middleboxes. Our goal in this work is to develop an automated way to craft candidate adversarial packets, targeting TCP implementations in particular. Our approach hinges on the key insight that while the TCP state machines of DPI implementations are obscure, those of the end hosts are well established. Thus, in our system SymTCP, using symbolic execution, we systematically explore the TCP implementation of an end host, identifying candidate packets that can reach critical points in the code (e.g., points at which packets are accepted or dropped/ignored); such automatically identified packets are then fed through the DPI middlebox to determine whether a discrepancy is induced and the middlebox can be eluded. We find that our approach is extremely effective: it can generate tens of thousands of candidate adversarial packets in less than an hour. When evaluating against multiple state-of-the-art DPI systems such as Zeek and Snort, as well as a state-level censorship system, viz. the Great Firewall of China, we identify not only previously known evasion strategies but also novel ones that were never previously reported (e.g., involving the urgent pointer). The system can be extended easily towards other combinations of operating systems and DPI middleboxes, and serves as a valuable tool for testing future DPIs' robustness against evasion attempts.
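To make the discrepancy check at the heart of the abstract concrete, here is an added toy illustration (not SymTCP's code, which does not appear on this page): a constructed end-host receiver model that enforces the advertised receive window, a constructed simplified DPI model that omits that check, and an oracle that reports every candidate packet on which the two verdicts differ. The hard-coded candidate list stands in for the packets symbolic execution would generate; all class and function names are assumed.

```python
# Constructed toy models for testing a DPI's TCP model against an end host's.
# Not SymTCP's code; names and window logic are simplified assumptions.
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    seq: int        # sequence number of the first payload byte
    payload: bytes


class EndhostReceiver:
    """End-host model: accepts data only if some of it lies in the receive window."""
    def __init__(self, rcv_nxt: int, rcv_wnd: int):
        self.rcv_nxt, self.rcv_wnd = rcv_nxt, rcv_wnd

    def verdict(self, p: Packet) -> str:
        start, end = p.seq, p.seq + len(p.payload) - 1
        if end < self.rcv_nxt or start >= self.rcv_nxt + self.rcv_wnd:
            return "drop"   # entirely old, or entirely beyond the window
        return "accept"


class SimplifiedDpi:
    """DPI model that tracks rcv_nxt but forgot the window: anything not old is accepted."""
    def __init__(self, rcv_nxt: int):
        self.rcv_nxt = rcv_nxt

    def verdict(self, p: Packet) -> str:
        return "drop" if p.seq + len(p.payload) <= self.rcv_nxt else "accept"


def find_discrepancies(endhost, dpi, candidates):
    """The oracle: return (packet, endhost_verdict, dpi_verdict) for each disagreement.
    A packet the DPI accepts but the end host drops is data the DPI reassembles
    that the real receiver never sees, i.e. a flaw in the DPI's TCP model."""
    findings = []
    for p in candidates:
        e, d = endhost.verdict(p), dpi.verdict(p)
        if e != d:
            findings.append((p, e, d))
    return findings


def demo():
    endhost = EndhostReceiver(rcv_nxt=1000, rcv_wnd=100)
    dpi = SimplifiedDpi(rcv_nxt=1000)
    candidates = [Packet(1000, b"hello"),   # in window: both accept
                  Packet(900, b"old"),      # already acknowledged: both drop
                  Packet(5000, b"ghost")]   # beyond the window: only the DPI accepts
    return find_discrepancies(endhost, dpi, candidates)
```

`demo()` returns a single finding, the out-of-window packet, which is exactly the kind of result a DPI maintainer would use to tighten the middlebox's state machine.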
