New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Poking a Hole in the Wall: Efficient Censorship-Resistant Internet Communications by Parasitizing on WebRTC (CCS 2020) #55
Comments
I agree with and commend the general idea of layering circumvention traffic above widely used software stack repurposed as the transport (or parasitization, not sure if this feels a bit negative). It is much easier and much more efficient to parrot a software stack by modifying a small part of it than reimplementing it. Some comments that I can think of,
|
I think you are mistaken on this point. WebRTC is always UDP—it has to be, in order for peer-to-peer connections through NAT to work. Media channels use SRTP. Data channels are SCTP internally, but encapsulated in DTLS, so still UDP. Protozoa uses media channels, which are unreliable, so it's not much different than sending encrypted datagrams with some extra overhead. The mux already exists: it's the Linux kernel at both ends handling reordering and retransmission of the IP datagrams tunneled through Protozoa. |
@wkrp I stand corrected. Thank you for pointing this out. |
I have question about the §5 (the evaluation section) in this paper. When testing the system’s ability to resist traffic analysis attacks, the authors only tested the case where covert data was YouTube video same as the carrier video. Then authors concluded that the system has a very good traffic analysis resistance. However, the difference between video streams and video streams is not obvious. So I think authors should also test the cases when the covert data is web pages, files, and emails, to make the conclusion more convincing. |
That's the beauty of the design: the type of the covert data does not matter. That's because the traffic characteristics of the carrier video are independent of the traffic characteristics of the covert data. The size and timing of the carrier's SRTP packets are never modified from what they would be naturally: the only modification is that EFBP payload data is replaced with encrypted covert data of the same size. If there is no covert data available to send at the moment, the payload is replaced with encrypted padding instead. (Section 4.2: "Protozoa will continuously stream video until the termination of the covert session, even when there is no covert traffic to be transmitted; in this case, dummy payload (chaff) is sent.") You can compare to a similar design in Slitheen (Section 3.1):
You are right, though, that in other cases it is important to consider whether traffic characteristics of the covert traffic affect the cover channel in detectable ways. The argument advanced in Facet (for video) and Mailet (for text-based social media) is that no single cover channel is appropriate for all covert traffic; one should choose the cover channel to match the characteristics of the covert traffic you want to transmit.
|
Thanks for patiently answering my questions! Respect! |
Poking a Hole in the Wall: Efficient Censorship-Resistant Internet Communications by Parasitizing on WebRTC
Diogo Barradas, Nuno Santos, Luís Rodrigues, Vítor Nunes
https://censorbib.nymity.ch/#Barradas2020a
https://github.com/dmbb/Protozoa
This paper presents a censorship circumvention design called Protozoa. Protozoa belongs to the class of systems that are use what the authors call "multimedia covert streaming": disguising a channel to look like the transmission of an audio or video stream. Past such systems have either mimicked the surface-level features of an encrypted media stream (e.g. SkypeMorph), which gives rise to dead-parrot attacks; or they have encoded data into the audio/video signal in a way that survives media compression (e.g. CovertCast), which comes with a loss of efficiency and the challenge of matching packet size and timing features. The main innovation of Protozoa is that while it tunnels through a genuine video streaming application, it doesn't actually exchange properly encoded video streams. Instead, it takes an input video stream (such as the webcam video) as a carrier, scoops out its encoded video bitstream, and replaces it with covert data. The recipient extracts the covert data and throws away the video stream container. This is all done without modifying the sizes or timing of video stream packets, so the traffic characteristics of Protozoa are identical to hose of the carrier video. Overall encryption of the media stream prevents an observer from seeing that any traffic replacement has happened. The design, which the authors call "encoded media tunneling," allows for both higher performance and better resistance to traffic analysis. Encoded media tunneling in some ways resembles Slitheen, which also uses an independent carrier traffic generator and opportunistically replaces part of the traffic with covert data.
The authors build a prototype of the system using a version of Chromium that is modified to permit hooking the video transport layer and replacing the video bitstream. They do most of their testing with Whereby, a WebRTC video conferencing service. The client and proxy first share a meeting room identifier out of band. Both parties then enter the meeting room in the modified Chromium and start a meeting. Protozoa takes over the video stream and starts replacing content. Using an established service like Whereby has the advantage that most concerns about WebRTC fingerprinting do not apply: the WebRTC stack comes from a browser, and the browser automatically uses the service's own signaling servers and STUN/TURN servers. The authors build a data set of synthetic traffic and evaluate detectability using a machine learning classifier. Protozoa-tunnelled traffic is barely more detectable than random chance, which is expected, given how it works.
What makes Whereby a suitable media streaming service is that it establishes a direct peer-to-peer WebRTC connection between the two meeting participants, and both peers know to extract data from the video stream and not treat it like actual video. Protozoa would not work with services that intercept the media stream at a middlebox and attempt to decode it, as Discord is reported to do. Reliability and retransmission of data within the (potentially unreliable) media tunnel is handled by the OS kernels at both ends, as with a VPN. The system doesn't have any inherent defense against insider attack or proxy enumeration; as with other covert tunnels, you need to take care that the IP addresses of Protozoa proxies do not become known to censors.
Thanks to the authors for commenting on a draft of this summary.
The text was updated successfully, but these errors were encountered: