Conjure (slide deck transcript; page dated 2020. 2. 25.)
-
Conjure: Summoning Proxies from Unused Address Space
Sergey Frolov (1), Jack Wampler (1), Sze Chuen Tan (3), Nikita Borisov (3), J. Alex Halderman (2), Eric Wustrow (1)
(1) University of Colorado Boulder, (2) University of Michigan, (3) University of Illinois Urbana-Champaign
-
2
Internet Censorship
Censorship is a global problem
[World map of censorship measurements; source: censoredplanet.org]
-
3
Proxies
[Diagram: client reaching blocked covert hosts through a proxy]
-
4
Blocking Proxies
Censors try to discover proxies by connecting to them as clients
[Diagram: censor connecting to the proxy as a client]
-
5
Blocking Proxies
Censors try to discover proxies by inspecting traffic
[Diagram: censor inspecting client-to-proxy traffic]
-
6
Refraction Networking
[Diagram: blocked covert hosts, a not-blocked decoy host, and the proxy; slides 7 and 8 build on the same diagram]
-
9
Refraction Networking
● Station listens at a network router at an ISP
-
10
TapDance
Inline Blocking
● Drops connections to decoy sites
● Redirects traffic to covert destination
-
11
Refraction Networking (formerly decoy routing)
● Telex: Anticensorship in the Network Infrastructure. Eric Wustrow, Scott Wolchok, Ian Goldberg, J. Alex Halderman [USENIX 2011]
● Decoy Routing: Toward Unblockable Internet Communication. Josh Karlin, Daniel Ellard, Alden W. Jackson, Christine E. Jones, Greg Lauer, David P. Mankins, W. Timothy Strayer [FOCI 2011]
● Cirripede: Circumvention Infrastructure using Router Redirection with Plausible Deniability. Amir Houmansadr, Giang T. K. Nguyen, Matthew Caesar, Nikita Borisov [CCS 2011]
● TapDance: End-to-Middle Anticensorship without Flow Blocking. Eric Wustrow, Colleen M. Swanson, J. Alex Halderman [USENIX 2014]
● Rebound: Decoy Routing on Asymmetric Routes Via Error Messages. Daniel Ellard, Alden Jackson, Christine Jones, Victoria Manfredi, W. Timothy Strayer, Bishal Thapa, Megan Van Welie [IEEE LCM 2015]
● Slitheen: Perfectly Imitated Decoy Routing through Traffic Replacement. Cecylia Bocovich, Ian Goldberg [CCS 2016]
● The Waterfall of Liberty: Decoy Routing Circumvention that Resists Routing Attacks. Milad Nasr, Hadi Zolfaghari, Amir Houmansadr [ACM 2017]
● MultiFlow: Cross-Connection Decoy Routing using TLS 1.3 Session Resumption. Victoria Manfredi and Pi Songkuntham [FOCI 2018]
-
13
TapDance
● Station listens on passive tap at an ISP
● Client connects to the decoy
● Client sends something to silence the decoy
● Station pretends to be the decoy while the connection stays open
[Diagram, built up over slides 13-16: passive tap at the ISP; the decoy is silenced (x) and the station sends spoofed responses]
-
17
TapDance Issues
● Performance:
  – Connection upload limit
  – Connection duration limit
● Observability:
  – Station must mimic the decoy to avoid blocking (timing, packet size, etc.)
Issues are a result of its deployability-first design
-
18
Conjure
-
19
Conjure
● Improve performance
  – Minimize reliance on TLS and live decoy hosts
● Reduce observability
  – Reinforce protection from censorship
  – Create proxies from unused address space
● Maintain deployability
  – Build off of the passive tap architecture
-
23
Conjure Protocol
1. Register
  – Select a phantom IP from a set of unused addresses that route past the station
  – Share selection with the station out of band
-
25
Liveness Testing
● Avoid connection interference
● Prevent unnecessary load on endpoints
-
26
Conjure Protocol
✓ Register
  – Select a phantom IP from a set of unused addresses that route past the station
  – Share selection with the station out of band
2. Connect
  – Connect to the phantom IP address
  – The station will pick up the connection and proxy traffic
-
29
Connection Process
Now that we are connected, what protocol will we use?
-
32
Transports
-
33
Station Protocol
Conjure transport protocols should be:
● Difficult for the censor to block
  – Passive analysis
  – Active probing
● Performant
Protocols to do this already exist
-
35
Transports
● Obfs4: a look-like-nothing obfuscation protocol that requires clients to demonstrate knowledge of a secret shared out of band.
-
36
Transports
● Randomizing:
  – Obfs4
  – Obfuscated SSH
● Popular:
  – Peer-to-Peer, e.g. WebRTC
  – TLS
-
37
TLS Proxy
1. What TLS certificate should be provided?
2. How do we resist active probing?
3. Does the domain map to the IP?
-
38
Mask Site
1. What TLS certificate should be provided?
✗ Invalid
✗ Self-signed
✓ CA-signed: choose a "Mask Site" to mimic and specify it to the station in the registration
-
40
Mask Site
2. How do we resist active probing? Censors can use TLS as well.
● Clients must show knowledge of secrets
  – If not, traffic is routed to the mask site
  – Otherwise, traffic is routed to the covert site
-
42
Mask Site
3. Does the domain map to the IP?
● Nearby (in IP space)
● Popular sites
● Passively collect at the tap and advise the client
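The mask-site rule on the slides above (a connection to a phantom address is proxied to the covert site only when the client proves knowledge of the shared secret; otherwise it is handed to the mask site, so an active prober sees nothing but the mimicked site) can be written down as a station-side decision function. The Go below is an added example for this page, not the Conjure station's own code: the registration table, the HMAC-based proof, the destination names and the use of the slide's IPv6 address as a phantom are constructed stand-ins for the deployed transport handshake.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"fmt"
	"net"
)

// Added example (not the Conjure project's code): how a station on a passive
// tap decides what to do with a new connection, given the registrations that
// clients shared out of band.

// Verdict is the station's decision for one new connection.
type Verdict int

const (
	Benign     Verdict = iota // destination is not a registered phantom: ignore
	ToMaskSite                // registered phantom, but no valid proof: mask site answers
	ToCovert                  // registered phantom and valid proof: proxy to covert site
)

func (v Verdict) String() string {
	return [...]string{"benign", "mask-site", "covert"}[v]
}

// Registration is what the client shared when registering: the seed, the mask
// site it wants to mimic, and the covert destination it wants reached.
type Registration struct {
	Seed     []byte
	MaskSite string
	Covert   string
}

// Station keeps registrations keyed by phantom address.
type Station struct {
	regs map[string]Registration
}

func NewStation() *Station { return &Station{regs: make(map[string]Registration)} }

// Register records a registration for the given phantom address.
func (s *Station) Register(phantom net.IP, r Registration) {
	s.regs[phantom.String()] = r
}

// clientProof is the secret-knowledge check the transport enforces: only a
// party that knows the seed can compute it. Deriving it as an HMAC over a fixed
// label is an assumption for this example, not the deployed handshake.
func clientProof(seed []byte) []byte {
	mac := hmac.New(sha256.New, seed)
	mac.Write([]byte("conjure-client-proof"))
	return mac.Sum(nil)
}

// Classify decides how to treat a new connection to dst that presents proof.
// The constant-time compare matters: a timing difference would itself be a
// signal that distinguishes a phantom from a real host.
func (s *Station) Classify(dst net.IP, proof []byte) (Verdict, string) {
	reg, ok := s.regs[dst.String()]
	if !ok {
		return Benign, ""
	}
	if !hmac.Equal(proof, clientProof(reg.Seed)) {
		return ToMaskSite, reg.MaskSite
	}
	return ToCovert, reg.Covert
}

func main() {
	st := NewStation()
	phantom := net.ParseIP("2001:48a8:59e7:d7f0:4762:3a75:8f51:2b13") // address shown on the slides
	seed := []byte("constructed-example-seed")
	st.Register(phantom, Registration{Seed: seed, MaskSite: "mask.example", Covert: "covert.example"})

	for _, c := range []struct {
		who   string
		proof []byte
	}{
		{"registered client", clientProof(seed)},
		{"active prober (no seed)", clientProof([]byte("guess"))},
	} {
		v, dest := st.Classify(phantom, c.proof)
		fmt.Printf("%-25s -> %s %s\n", c.who, v, dest)
	}
}
```

A connection to an address nobody registered is simply ordinary tap traffic and the station stays out of it; only a registered phantom ever answers, and it answers as the mask site unless the secret check passes.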
-
43
Implementation
-
44
Preparation
1. Generate a seed
2. Select the phantom IP address
● Avoid live hosts
● Choose realistic addresses
[Diagram: client holding key K and the seed; example phantom addresses 192.122.190.120 and 2001:48a8:59e7:d7f0:4762:3a75:8f51:2b13, the latter drawn from 2001:48a8::/32; slides 45 and 46 repeat this diagram]
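The preparation step (generate a seed, then derive a phantom address from it while avoiding live hosts, as the liveness-testing slide asks) can be illustrated in Go. This is an added example written for this page, not code from the Conjure or gotapdance project: the HMAC label, the attempt counter, the constructed seed and the injected liveness oracle are assumptions standing in for the project's own derivation and its liveness test; only the 2001:48a8::/32 prefix and the 192.122.190.x range come from the slides.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
	"net"
)

// Added example (not the Conjure project's code). Client and station both
// know the seed, so both can derive the same phantom address; the
// registration then only has to carry the seed, not the address itself.

// phantomFromSeed maps a seed and an attempt counter to one address inside
// prefix. Network bits come from the prefix; host bits come from an HMAC of
// the seed, so the choice is deterministic for both parties yet unpredictable
// to anyone who does not know the seed. The HMAC label is an assumption.
func phantomFromSeed(seed []byte, prefix *net.IPNet, attempt uint32) net.IP {
	mac := hmac.New(sha256.New, []byte("phantom-select"))
	mac.Write(seed)
	var ctr [4]byte
	binary.BigEndian.PutUint32(ctr[:], attempt)
	mac.Write(ctr[:])
	digest := mac.Sum(nil) // 32 bytes, more than enough for 16 address bytes

	// net.ParseCIDR yields a 4-byte mask for IPv4 and 16-byte for IPv6; use
	// the matching byte form of the prefix address.
	base := prefix.IP
	if len(prefix.Mask) == net.IPv4len {
		base = prefix.IP.To4()
	}
	ip := make(net.IP, len(prefix.Mask))
	for i := range ip {
		ip[i] = (base[i] & prefix.Mask[i]) | (digest[i] &^ prefix.Mask[i])
	}
	return ip
}

// selectPhantom walks the candidate sequence and skips any address the
// liveness test reports as in use, so a real host's connections are not
// interfered with and no load lands on a real endpoint. The oracle is
// injected: it could be a scan, tap-derived data, or a constructed stub as in
// main below. Both parties must see the same oracle answers to agree.
func selectPhantom(seed []byte, prefix *net.IPNet, isLive func(net.IP) bool, maxAttempts uint32) (net.IP, error) {
	for attempt := uint32(0); attempt < maxAttempts; attempt++ {
		candidate := phantomFromSeed(seed, prefix, attempt)
		if !isLive(candidate) {
			return candidate, nil
		}
	}
	return nil, errors.New("no unused phantom address found within attempt budget")
}

func main() {
	// Prefix taken from the slides; the seed is constructed for this example.
	_, prefix, err := net.ParseCIDR("2001:48a8::/32")
	if err != nil {
		panic(err)
	}
	seed := []byte("constructed-example-seed")
	neverLive := func(net.IP) bool { return false } // constructed oracle: nothing is live
	ip, err := selectPhantom(seed, prefix, neverLive, 8)
	if err != nil {
		panic(err)
	}
	fmt.Printf("phantom for seed %q: %s (inside %s: %v)\n", seed, ip, prefix, prefix.Contains(ip))
}
```

The "choose realistic addresses" goal is deliberately not modelled here: filling every host bit from the digest gives an address with no structure, which the upcoming-work slide notes is the next refinement for IPv6.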
-
47
Conjure Protocol
✔ Preparation
Register using HTTPS
-
49
Registration Using HTTPS
Steganographic tagging scheme borrowed from TapDance
✔ Generate a seed
✔ Select the phantom IP address
1. Create a registration message containing the seed
2. Connect to a Registration Decoy
3. Send a request containing the steganographically-encoded registration message
[Diagram, built up over slides 49-52: client (key K), censor, registration decoy and Conjure proxy (key K); the 'GET /' request carries the registration message]
-
53
Conjure Protocol
✔ Preparation
✔ Registration
Connect
-
55
Connection Process
[Diagram, built up over slides 55-59: client (key K), censor, phantom host (unused address), Conjure proxy (key K), blocked website]
-
60
Implementation
Conjure is:
● Running right now
● High performance
● Multi-core
● Modular
-
64
Performance
-
65
Download Throughput
[Chart, log scale 1 to 100 Mbps]
TapDance: ~87.0 Mbps
Conjure: ~99.1 Mbps
Socks5: ~96.0 Mbps
-
66
Upload Throughput
[Chart, log scale 0.01 to 100 Mbps]
TapDance: ~0.057 Mbps
Conjure: ~83.4 Mbps (1400x improvement over TapDance)
Socks5: ~75.6 Mbps
-
67
Advantages
-
68
Conjure Advantages
● High performance
  – Removes TapDance's artificial limits on upload and connection duration
● Flexible transports
  – Obviates mimicry challenges
  – Adaptable to censor blocking
● Individualized proxy addresses
  – Minimizes blocking effectiveness
● Deployment friendly
  – Only requires a passive tap
-
69
Upcoming Work
● Alpha deployment:
  – Conjure has been tested on our ISP test-bed, demonstrating that it is viable
  – We are working with a proxy development platform to get Conjure into the hands of real users as soon as possible
● Distributed architecture
  – Host numerous stations, resilient to failures and incremental upgrades
● Realistic address selection
  – Incorporate structure in selected IPv6 addresses
● Transport support
  – Add implementations for more transports!
-
70
Conclusion
Conjure is: Modular, Performant, Hard to block, Deployable (Deploying → Deployed)
-
71
Conjure: Summoning Proxies from Unused Address Space
Sergey Frolov (1), Jack Wampler (1), Sze Chuen Tan (3), Nikita Borisov (3), J. Alex Halderman (2), Eric Wustrow (1)
(1) University of Colorado Boulder, (2) University of Michigan, (3) University of Illinois Urbana-Champaign
https://refraction.network
-
72
Questions?
github.com/refraction-networking/gotapdance
[Diagram: client, censor, unused addresses, phantom proxy, "YOUR ISP HERE"]
-
73
Bonus Slides
-
74
Challenges
Can a censor tell if an IPv6 address is unused just by looking at the address?
It would be risky
-
75
Attacks
● Why can't a censor just probe to tell if a host is live and block it?
● Why can't a censor just block all the unused addresses of the internet?
● Why can't a censor just whitelist good subnets?
-
76
Station Protocol
● New connection:
  – Benign
  – Conjure registration
  – Conjure connection
-
77
Active Probing
Censors try to discover proxies by connecting to them as clients
-
78
Active Probing
Proxies must carefully reveal themselves to users by providing shared secrets out of band for users to identify themselves with
-
79
Connection
[Diagram: client (key K), censor, phantom host (unused address), Conjure proxy (key K), blocked website]
-
80
Registration à la TapDance
Registration over TLS:
1. Generate a seed
2. Select the phantom IP address
3. Create a registration packet containing the seed
4. Connect to a Registration Decoy
5. Send a request containing the registration packet
-
81
Generation 3
How do we leverage the empty background addresses of the internet to pretend to host proxies?
[Diagram: client (key K) completes a TLS handshake with a reachable site, carrying a tag; censor; phantom host (unused address); Conjure proxy (key K)]
-
82
Connection Process
Connect:
1. Connect to the chosen phantom host
2. The refraction station will respond as though it resides at the phantom IP address and forward traffic to the covert destination.
[Diagram: client (key K), censor, phantom host (unused address), Conjure proxy (key K), blocked website]
-
83
High Throughput
One week of tap traffic monitored by the Conjure station.
-
85
Challenges
Can a censor tell if an IPv6 address is probably unused just by looking at the address?