Public release.

LICENSE

@@ -0,0 +1,21 @@
+MIT License
+
+Copyright (c) 2023 Mingshi Wu
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.

README.md

@@ -0,0 +1,125 @@
+# USENIX Security 2023 AE
+
+This repo includes the source code, data, and documentation to reproduce the major claims in the USENIX Security 2023 paper [*How China Detects and Blocks Fully Encrypted Traffic*](https://www.usenix.org/system/files/sec23fall-prepub-234-wu-mingshi.pdf). 
+
+It is designed for anyone who is curious about the methodologies in our study and wants to reproduce the claims in our paper independently.
+
+Note that it is possible that you cannot reproduce any of the experiment results because the GFW has stopped dynamic blocking since March, 2023. See [this documentation](./artifacts/ceased-dynamic-blocking) for more information.
+
+
+## Overview of the Repo Structure
+
+```txt
+.
+├── ae-appendix
+├── artifacts
+│   ├── ceased-dynamic-blocking
+│   ├── common
+│   ├── setup-vps
+│   ├── sink-server
+│   ├── test-entropy
+│   ├── test-printable-fraction
+│   ├── test-printable-longest-run
+│   ├── test-printable-prefixes
+│   ├── test-protocol-fingerprints
+│   └── utils
+├── CHECKLIST
+├── LICENSE
+└── README.md
+```
+
+* `ceased-dynamic-blocking` contains the source code, data, and documentation on the observation that the GFW of China has stopped blocking random traffic dynamically at least since March 15, 2023.
+* `ae-appendix` contains the source code and Makefile to generate the [artifact appendix](./ae-appendix/usenix23.pdf).
+* `artifacts/setup-vps` contains the source code to set up remote VPSes.
+* `artifacts/sink-server` contains the source code for [a sink server](./artifacts/sink-server/), which runs on the server side.
+* `artifacts/utils` contains [client-side testing tools](./artifacts/utils/).
+* `artifacts/test-*` contain five different tests. Each of them corresponds to a claim of the GFW's traffic exemption rules.
+* `artifacts/common-*` is a module that contains code on which measurement tools are built.
+
+## VPS Information and Configuration
+
+To conduct the measurement experiments described in this repo, it requires at least one host in China and one host outside of China.
+
+To assist the [USENIX SECURITY'23 Artifact Evaluation](https://secartifacts.github.io/usenixsec2023/), we provided the reviewers with two VPSes below. 
+
+| SSH Nickname                              | Location                              | ASN     | CPU Model                | # Core(s) | RAM  | OS                                                      |
+|---------------------------------------|---------------------------------------|---------|--------------------------|-----------|------|---------------------------------------------------------|
+| usenix-ae-client-china      | AlibabaCloud Beijing Datacenter       | AS37963 | Intel Xeon Platinum 8163 | 1         | 1GB  | Ubuntu 22.04.2 LTS (GNU/Linux 5.15.0-56-generic x86_64)   |
+| usenix-ae-client-us | DigitalOcean San Francisco Datacenter | AS14061 | Intel DO-Regular         | 1         | 1GB  | Ubuntu 20.04.3 LTS (GNU/Linux 5.4.0-88-generic x86_64) |
+
+If you are not an AE reviewer, but simply want to repeat some of the experiments yourself, you need to purchase and set up the two servers yourself. 
+
+1. We refer you to this [README](./artifacts/setup-vps/README.md) for detailed instructions.
+
+2. To set up the client (VPS in China), execute:
+
+```sh
+./artifacts/setup-vps/setup-client/to_alibaba_server.sh
+```
+
+3. To set up the server (VPS in the US), execute:
+
+```sh
+./artifacts/setup-vps/setup-server/to_digitalocean_server.sh
+```
+
+4. Note that we have replaced the IP addresses of the two machines with strings of `REDACTED_CN_SERVER_IP` and `REDACTED_US_SERVER_IP` in our code and documentation. You may want to replace them with your servers' IP addresses (which are `1.1.1.1` and `2.2.2.2` in the below example), using some commands like these:
+
+```sh
+find . -type f ! -name "*.pcap" ! -path '*/\.*' -exec sed -i "s#REDACTED_US_SERVER_IP#1.1.1.1#g" {} \;
+find . -type f ! -name "*.pcap" ! -path '*/\.*' -exec sed -i "s#REDACTED_CN_SERVER_IP#2.2.2.2#g" {} \;
+```
+
+## Minimal Working Example
+
+1. First login to the VPS in China:
+
+```sh
+ssh usenix-ae-client-china
+```
+
+2. Send some random probes from `usenix-ae-client-china` to the port `2` of `usenix-ae-server-us` by repetitively executing the following command:
+
+```sh
+head -c200 /dev/urandom | nc -vn REDACTED_US_SERVER_IP 2
+```
+
+3. After executing the command a few times (1 time to 15 times), if you notice that the `nc` cannot connect to `REDACTED_US_SERVER_IP:2` anymore. Congratulations! The blocking is triggered (and will residually last for up to three minutes).
+You should still be able to connect to other ports of the same server, for example, `REDACTED_US_SERVER_IP:3`. It is also likely that you cannot trigger the blocking, because the GFW has stopped dynamic blocking since March, 2023. See this documentation for more information: [./artifacts/ceased-dynamic-blocking].
+
+4. (Optional) Alternatively, one can use the triggering tools:
+
+```sh
+echo REDACTED_US_SERVER_IP | ./utils/affected-norand -p 2 -log /dev/null
+```
+
+This tool will take a list of IPs on stdin, and perform (default 25) repeated connections to
+the specified port, sending the
+same (configurable) random payload in each connection. If the tool is unable to connect for
+(default 5) consecutive connections in a row, the tool labels the IP as `affected` by
+blocking (`true` in the `affected` column):
+
+```txt
+endTime,addr,countSuccess,totalTimeout,consecutiveTimeout,code,affected
+1678258922,REDACTED_US_SERVER_IP:2,2,5,5,timeout,true
+```
+
+This output means that connecting to the endpoint (REDACTED_US_SERVER_IP:2)
+succeeded in 2 connections, but then
+had 5 consecutive connections timeout in a row (and a total of 5 failed).
+Because there was at least 5 consecutive timeouts, our tool labels this
+endpoint/payload combination as affected (true).
+
+## Estimated Required Time to Reproduce Experiments
+
+We provide a list of estimated required time to reproduce different experiments.
+
+| Experiments                     | Human Time (minutes) | Compute Time (minutes) |
+|---------------------------------|------------|--------------|
+| Ex0: test-random                |      5      |        5      |
+| [Ex1: confirm-ceased-blocking](./artifacts/ceased-dynamic-blocking/)                |      15      |        2 days      |
+| [Ex2: test-entropy](./artifacts/test-entropy/)                |      30      |       30       |
+| [Ex3: test-printable-prefixes](./artifacts/test-printable-prefixes/)     |    15        |     30         |
+| [Ex4: test-printable-fraction](./artifacts/test-printable-fraction/)     |     15       |     30         |
+| [Ex5: test-printable-longest-run](./artifacts/test-printable-longest-run/) |     15       |   15           |
+| [Ex6: test-protocol-fingerprints](./artifacts/test-protocol-fingerprints/) |      15      |       240       |

ae-appendix/Makefile

@@ -0,0 +1,53 @@
+TARGET := usenix23
+
+TEX_ALL := $(shell search=$(TARGET).tex; all=; \
+				while [ -n "$$search" ] ; do \
+					all="$$all $$search"; \
+					search=`egrep "^[^%]*\\input" $$search | \
+						sed -En 's/.*input[^\{]*\{(.+)\}/\1.tex/p'`; \
+				done; \
+				echo "$$all")
+
+FIGURES :=
+
+all: $(TARGET).pdf
+
+figs/%.eps: plots/%.plot
+	gnuplot $< > $@
+
+$(TARGET).pdf: $(FIGURES)  $(TEX_ALL)
+	pdflatex $(TARGET).tex
+	# bibtex $(TARGET)
+	pdflatex $(TARGET).tex
+	pdflatex $(TARGET).tex
+
+nobib:: $(addsuffix .eps, $(FIGURES)) $(TARGET).aux
+	dvips $(TARGET).dvi -Ppdf -Pcmz -Pamz -t letter -D 600 -G0 -o $(TARGET).ps
+	ps2pdf ${PS2PDF_FLAGS} $(TARGET).ps
+
+view:: $(TARGET).pdf
+	open $(TARGET).pdf
+
+see:: $(TARGET).dvi
+	xdvi $(TARGET)
+
+%.eps: plots/%.plot
+	gnuplot $< > figs/$@
+
+%.eps: figs/%.fig
+	fig2dev -L eps -p dummy $< $*.eps
+
+spell::
+	ispell *.tex
+
+clean::
+	rm -fv *.dvi *.aux *.log *~ *.bbl *.blg *.toc *.out *.ps *.ent parsetab.py
+	rm -fv $(addsuffix -eps-converted-to.pdf, $(FIGURES))
+
+fresh::
+	rm -fv *.dvi *.aux *.log *~ *.bbl *.blg *.toc *.ps *.pdf
+
+distclean:: clean
+	rm $(TARGET).ps
+
+.PHONY: clean all view see spell fresh distclean nobib

ae-appendix/README.md

@@ -0,0 +1,73 @@
+# USENIX Security 2023 AE Template
+
+## Build
+
+Repository is configured to build via Github action on each commit
+and store the compiled paper as artifact in the Github action. See
+[.github/workflow/compile.yml](.github/workflow/compile.yml) for
+details.
+
+Alternatively, the repository can be build locally via act or make.
+
+### Build with act
+
+Run ```run_workflow.sh``` and requires Docker to work locally as well as
+an installation of [act](https://github.com/nektos/act). This starts the
+Github action to compile the paper and copies the ```paper.pdf``` to this
+directory. Due to artifacts not working with act it may show errors.
+
+### Build with make
+
+Run ```make```. This requires an installation of latex and make locally on
+your machine and compiles the tex files into ```paper.pdf```.'
+
+### Build with Docker
+
+Export environment variable ```LATEX_BUILD_ENV=docker``` and run ```make```. This
+requires a working Docker CLI (aka ```docker run <image>```) and produces
+a ```paper.pdf```.
+
+## usenixbadges.sty --- affix USENIX Artifact Evaluation badges
+
+The `usenixbadges` LaTeX style file affixes USENIX Artifact Evaluation
+badges to the front page of your USENIX-formatted paper (or standalone Appendix).
+
+### INSTALLATION
+
+Put `usenixbadges.sty` and the `usenixbadges-*.pdf` graphics files in
+the directory that contains the LaTeX source for your paper.  (Really,
+you can put them anywhere in LaTeX's search path, but the simplest
+thing is to put the files in the same directory as your paper's LaTeX
+source files.)
+
+### USAGE
+
+In the preamble of your LaTeX document, insert a line like this:
+
+```
+  \usepackage[<options>]{usenixbadges}
+```
+
+In the options, list the badges that have been awarded to your paper.
+The possible badges are:
+
+  * `available`  --- affix the "Artifacts Available" badge
+  * `functional` --- affix the "Artifacts Functional" badge
+  * `reproduced` --- affix the "Results Reproduced" badge
+
+Example:
+
+```
+  %% Affix the indicated badges to the paper.
+  \usepackage[available,functional]{usenixbadges}
+```
+
+Tips:
+
+In your LaTeX document, the `\usepackage[...]{usenixbadges}` directive
+must come after `\documentclass` and before `\begin{document}`.
+
+If your LaTeX document has many `\usepackage` directives, put
+`\usepackage[...]{usenixbadges}` near the end of those.  This may
+avoid problems relating to conflicting options for the `graphicx`
+package.