Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
- Loading branch information
0 parents
commit ad45e63
Showing
125 changed files
with
2,234,516 additions
and
0 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,21 @@ | ||
MIT License | ||
|
||
Copyright (c) 2023 Mingshi Wu | ||
|
||
Permission is hereby granted, free of charge, to any person obtaining a copy | ||
of this software and associated documentation files (the "Software"), to deal | ||
in the Software without restriction, including without limitation the rights | ||
to use, copy, modify, merge, publish, distribute, sublicense, and/or sell | ||
copies of the Software, and to permit persons to whom the Software is | ||
furnished to do so, subject to the following conditions: | ||
|
||
The above copyright notice and this permission notice shall be included in all | ||
copies or substantial portions of the Software. | ||
|
||
THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR | ||
IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, | ||
FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE | ||
AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER | ||
LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, | ||
OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE | ||
SOFTWARE. |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,125 @@ | ||
# USENIX Security 2023 AE | ||
|
||
This repo includes the source code, data, and documentation to reproduce the major claims in the USENIX Security 2023 paper [*How China Detects and Blocks Fully Encrypted Traffic*](https://www.usenix.org/system/files/sec23fall-prepub-234-wu-mingshi.pdf). | ||
|
||
It is designed for anyone who is curious about the methodologies in our study and wants to reproduce the claims in our paper independently. | ||
|
||
Note that it is possible that you cannot reproduce any of the experiment results because the GFW has stopped dynamic blocking since March, 2023. See [this documentation](./artifacts/ceased-dynamic-blocking) for more information. | ||
|
||
|
||
## Overview of the Repo Structure | ||
|
||
```txt | ||
. | ||
├── ae-appendix | ||
├── artifacts | ||
│ ├── ceased-dynamic-blocking | ||
│ ├── common | ||
│ ├── setup-vps | ||
│ ├── sink-server | ||
│ ├── test-entropy | ||
│ ├── test-printable-fraction | ||
│ ├── test-printable-longest-run | ||
│ ├── test-printable-prefixes | ||
│ ├── test-protocol-fingerprints | ||
│ └── utils | ||
├── CHECKLIST | ||
├── LICENSE | ||
└── README.md | ||
``` | ||
|
||
* `ceased-dynamic-blocking` contains the source code, data, and documentation on the observation that the GFW of China has stopped blocking random traffic dynamically at least since March 15, 2023. | ||
* `ae-appendix` contains the source code and Makefile to generate the [artifact appendix](./ae-appendix/usenix23.pdf). | ||
* `artifacts/setup-vps` contains the source code to set up remote VPSes. | ||
* `artifacts/sink-server` contains the source code for [a sink server](./artifacts/sink-server/), which runs on the server side. | ||
* `artifacts/utils` contains [client-side testing tools](./artifacts/utils/). | ||
* `artifacts/test-*` contain five different tests. Each of them corresponds to a claim of the GFW's traffic exemption rules. | ||
* `artifacts/common-*` is a module that contains code on which measurement tools are built. | ||
|
||
## VPS Information and Configuration | ||
|
||
To conduct the measurement experiments described in this repo, it requires at least one host in China and one host outside of China. | ||
|
||
To assist the [USENIX SECURITY'23 Artifact Evaluation](https://secartifacts.github.io/usenixsec2023/), we provided the reviewers with two VPSes below. | ||
|
||
| SSH Nickname | Location | ASN | CPU Model | # Core(s) | RAM | OS | | ||
|---------------------------------------|---------------------------------------|---------|--------------------------|-----------|------|---------------------------------------------------------| | ||
| usenix-ae-client-china | AlibabaCloud Beijing Datacenter | AS37963 | Intel Xeon Platinum 8163 | 1 | 1GB | Ubuntu 22.04.2 LTS (GNU/Linux 5.15.0-56-generic x86_64) | | ||
| usenix-ae-client-us | DigitalOcean San Francisco Datacenter | AS14061 | Intel DO-Regular | 1 | 1GB | Ubuntu 20.04.3 LTS (GNU/Linux 5.4.0-88-generic x86_64) | | ||
|
||
If you are not an AE reviewer, but simply want to repeat some of the experiments yourself, you need to purchase and set up the two servers yourself. | ||
|
||
1. We refer you to this [README](./artifacts/setup-vps/README.md) for detailed instructions. | ||
|
||
2. To set up the client (VPS in China), execute: | ||
|
||
```sh | ||
./artifacts/setup-vps/setup-client/to_alibaba_server.sh | ||
``` | ||
|
||
3. To set up the server (VPS in the US), execute: | ||
|
||
```sh | ||
./artifacts/setup-vps/setup-server/to_digitalocean_server.sh | ||
``` | ||
|
||
4. Note that we have replaced the IP addresses of the two machines with strings of `REDACTED_CN_SERVER_IP` and `REDACTED_US_SERVER_IP` in our code and documentation. You may want to replace them with your servers' IP addresses (which are `1.1.1.1` and `2.2.2.2` in the below example), using some commands like these: | ||
|
||
```sh | ||
find . -type f ! -name "*.pcap" ! -path '*/\.*' -exec sed -i "s#REDACTED_US_SERVER_IP#1.1.1.1#g" {} \; | ||
find . -type f ! -name "*.pcap" ! -path '*/\.*' -exec sed -i "s#REDACTED_CN_SERVER_IP#2.2.2.2#g" {} \; | ||
``` | ||
|
||
## Minimal Working Example | ||
|
||
1. First login to the VPS in China: | ||
|
||
```sh | ||
ssh usenix-ae-client-china | ||
``` | ||
|
||
2. Send some random probes from `usenix-ae-client-china` to the port `2` of `usenix-ae-server-us` by repetitively executing the following command: | ||
|
||
```sh | ||
head -c200 /dev/urandom | nc -vn REDACTED_US_SERVER_IP 2 | ||
``` | ||
|
||
3. After executing the command a few times (1 time to 15 times), if you notice that the `nc` cannot connect to `REDACTED_US_SERVER_IP:2` anymore. Congratulations! The blocking is triggered (and will residually last for up to three minutes). | ||
You should still be able to connect to other ports of the same server, for example, `REDACTED_US_SERVER_IP:3`. It is also likely that you cannot trigger the blocking, because the GFW has stopped dynamic blocking since March, 2023. See this documentation for more information: [./artifacts/ceased-dynamic-blocking]. | ||
|
||
4. (Optional) Alternatively, one can use the triggering tools: | ||
|
||
```sh | ||
echo REDACTED_US_SERVER_IP | ./utils/affected-norand -p 2 -log /dev/null | ||
``` | ||
|
||
This tool will take a list of IPs on stdin, and perform (default 25) repeated connections to | ||
the specified port, sending the | ||
same (configurable) random payload in each connection. If the tool is unable to connect for | ||
(default 5) consecutive connections in a row, the tool labels the IP as `affected` by | ||
blocking (`true` in the `affected` column): | ||
|
||
```txt | ||
endTime,addr,countSuccess,totalTimeout,consecutiveTimeout,code,affected | ||
1678258922,REDACTED_US_SERVER_IP:2,2,5,5,timeout,true | ||
``` | ||
|
||
This output means that connecting to the endpoint (REDACTED_US_SERVER_IP:2) | ||
succeeded in 2 connections, but then | ||
had 5 consecutive connections timeout in a row (and a total of 5 failed). | ||
Because there was at least 5 consecutive timeouts, our tool labels this | ||
endpoint/payload combination as affected (true). | ||
|
||
## Estimated Required Time to Reproduce Experiments | ||
|
||
We provide a list of estimated required time to reproduce different experiments. | ||
|
||
| Experiments | Human Time (minutes) | Compute Time (minutes) | | ||
|---------------------------------|------------|--------------| | ||
| Ex0: test-random | 5 | 5 | | ||
| [Ex1: confirm-ceased-blocking](./artifacts/ceased-dynamic-blocking/) | 15 | 2 days | | ||
| [Ex2: test-entropy](./artifacts/test-entropy/) | 30 | 30 | | ||
| [Ex3: test-printable-prefixes](./artifacts/test-printable-prefixes/) | 15 | 30 | | ||
| [Ex4: test-printable-fraction](./artifacts/test-printable-fraction/) | 15 | 30 | | ||
| [Ex5: test-printable-longest-run](./artifacts/test-printable-longest-run/) | 15 | 15 | | ||
| [Ex6: test-protocol-fingerprints](./artifacts/test-protocol-fingerprints/) | 15 | 240 | |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,53 @@ | ||
TARGET := usenix23 | ||
|
||
TEX_ALL := $(shell search=$(TARGET).tex; all=; \ | ||
while [ -n "$$search" ] ; do \ | ||
all="$$all $$search"; \ | ||
search=`egrep "^[^%]*\\input" $$search | \ | ||
sed -En 's/.*input[^\{]*\{(.+)\}/\1.tex/p'`; \ | ||
done; \ | ||
echo "$$all") | ||
FIGURES := | ||
all: $(TARGET).pdf | ||
figs/%.eps: plots/%.plot | ||
gnuplot $< > $@ | ||
$(TARGET).pdf: $(FIGURES) $(TEX_ALL) | ||
pdflatex $(TARGET).tex | ||
# bibtex $(TARGET) | ||
pdflatex $(TARGET).tex | ||
pdflatex $(TARGET).tex | ||
nobib:: $(addsuffix .eps, $(FIGURES)) $(TARGET).aux | ||
dvips $(TARGET).dvi -Ppdf -Pcmz -Pamz -t letter -D 600 -G0 -o $(TARGET).ps | ||
ps2pdf ${PS2PDF_FLAGS} $(TARGET).ps | ||
view:: $(TARGET).pdf | ||
open $(TARGET).pdf | ||
see:: $(TARGET).dvi | ||
xdvi $(TARGET) | ||
%.eps: plots/%.plot | ||
gnuplot $< > figs/$@ | ||
%.eps: figs/%.fig | ||
fig2dev -L eps -p dummy $< $*.eps | ||
spell:: | ||
ispell *.tex | ||
clean:: | ||
rm -fv *.dvi *.aux *.log *~ *.bbl *.blg *.toc *.out *.ps *.ent parsetab.py | ||
rm -fv $(addsuffix -eps-converted-to.pdf, $(FIGURES)) | ||
fresh:: | ||
rm -fv *.dvi *.aux *.log *~ *.bbl *.blg *.toc *.ps *.pdf | ||
distclean:: clean | ||
rm $(TARGET).ps | ||
.PHONY: clean all view see spell fresh distclean nobib |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,73 @@ | ||
# USENIX Security 2023 AE Template | ||
|
||
## Build | ||
|
||
Repository is configured to build via Github action on each commit | ||
and store the compiled paper as artifact in the Github action. See | ||
[.github/workflow/compile.yml](.github/workflow/compile.yml) for | ||
details. | ||
|
||
Alternatively, the repository can be build locally via act or make. | ||
|
||
### Build with act | ||
|
||
Run ```run_workflow.sh``` and requires Docker to work locally as well as | ||
an installation of [act](https://github.com/nektos/act). This starts the | ||
Github action to compile the paper and copies the ```paper.pdf``` to this | ||
directory. Due to artifacts not working with act it may show errors. | ||
|
||
### Build with make | ||
|
||
Run ```make```. This requires an installation of latex and make locally on | ||
your machine and compiles the tex files into ```paper.pdf```.' | ||
|
||
### Build with Docker | ||
|
||
Export environment variable ```LATEX_BUILD_ENV=docker``` and run ```make```. This | ||
requires a working Docker CLI (aka ```docker run <image>```) and produces | ||
a ```paper.pdf```. | ||
|
||
## usenixbadges.sty --- affix USENIX Artifact Evaluation badges | ||
|
||
The `usenixbadges` LaTeX style file affixes USENIX Artifact Evaluation | ||
badges to the front page of your USENIX-formatted paper (or standalone Appendix). | ||
|
||
### INSTALLATION | ||
|
||
Put `usenixbadges.sty` and the `usenixbadges-*.pdf` graphics files in | ||
the directory that contains the LaTeX source for your paper. (Really, | ||
you can put them anywhere in LaTeX's search path, but the simplest | ||
thing is to put the files in the same directory as your paper's LaTeX | ||
source files.) | ||
|
||
### USAGE | ||
|
||
In the preamble of your LaTeX document, insert a line like this: | ||
|
||
``` | ||
\usepackage[<options>]{usenixbadges} | ||
``` | ||
|
||
In the options, list the badges that have been awarded to your paper. | ||
The possible badges are: | ||
|
||
* `available` --- affix the "Artifacts Available" badge | ||
* `functional` --- affix the "Artifacts Functional" badge | ||
* `reproduced` --- affix the "Results Reproduced" badge | ||
|
||
Example: | ||
|
||
``` | ||
%% Affix the indicated badges to the paper. | ||
\usepackage[available,functional]{usenixbadges} | ||
``` | ||
|
||
Tips: | ||
|
||
In your LaTeX document, the `\usepackage[...]{usenixbadges}` directive | ||
must come after `\documentclass` and before `\begin{document}`. | ||
|
||
If your LaTeX document has many `\usepackage` directives, put | ||
`\usepackage[...]{usenixbadges}` near the end of those. This may | ||
avoid problems relating to conflicting options for the `graphicx` | ||
package. |
Oops, something went wrong.