DEFENSES
marionette Marionette / format-transforming encryption
Programmable protocol mimicry via formal language descriptions (FTE / Marionette family).
7 papers on file
- 2025-sheffey-extended Extended Abstract: I’ll Shake Your Hand: What Happens After DNS Poisoning
- 2025-wails-censorship Censorship Evasion with Unidentified Protocol Generation
- 2020-oakley-protocol Protocol Proxy: An FTE-based covert channel
- 2017-tanash-decline The Decline of Social Media Censorship and the Rise of Self-Censorship after the 2016 Failed Turkish Coup
- 2015-dyer-marionette Marionette: A Programmable Network-Traffic Obfuscation System
- 2014-luchaup-libfte LibFTE: A Toolkit for Constructing Practical, Format-Abiding Encryption Schemes
- 2013-dyer-protocol Protocol Misidentification Made Easy with Format-Transforming Encryption
8 findings tagged here
-
State-of-the-art ML classifiers (Deep Fingerprinting, Decision Tree, Random Forest, nPrintML) trained on known UPGen protocols and benign traffic always incur high out-of-distribution false-positive rates when attempting to block unknown UPGen protocols — in the vast majority of experiments the OOD FPR is 100%. The one exception (SSH OOD, Deep Fingerprinting) achieved a UPGen TPR of only 20%. By contrast, identical classifiers successfully generalize to block unknown Obfs4 flows with near-zero collateral damage in 3 of 4 cases.
-
In laboratory benchmarks, the best UPGen-generated protocol achieves 252 ms TTFB latency (vs 212 ms Obfs4, 313 ms TLS) and 4.25 Gbit/s throughput per core (vs 4.65 Gbit/s Obfs4, 9.42 Gbit/s TLS). The worst-case UPGen protocol (4.5 RTT handshake) reaches 677 ms TTFB but 3.70 Gbit/s throughput. In large-scale distributed Tor simulations, the choice of UPGen protocol had no statistically significant effect on end-to-end Tor flow performance.
-
UPGen's generator samples 18 independent parameters to produce 4.2×10^22 distinct structured encrypted protocols (entropy 38.4 bits). Each proxy is assigned a unique generated protocol, so identifying one protocol exposes only a single proxy. The generator was designed by studying 27 real-world encrypted protocols and sampling from observed structural patterns (greeting strings, handshake patterns, field orderings, key encodings).
-
Marionette, the prior programmable protocol system, executes user-specified plugin code in a generic Python runtime, making proxies and clients vulnerable to a malicious or buggy protocol distributor and creating a single point of failure in distributed networks like Tor. Marionette also lacks support for multiple simultaneous protocols and version upgrades, limiting its ability to respond to changing censorship rules across heterogeneous client populations.
-
Marionette defeats active fingerprinting by routing non-protocol probes into explicit error-state transitions that respond byte-identically to the target service. Across all 9 evaluated configurations (HTTP, FTP, SSH × nmap 6.4.7, Nessus 6.3.6, Metasploit 4.11.2), every fingerprinting tool reported the Marionette server as the intended target application (Apache 2.4.7, Pure-FTPd 1.0.39, or OpenSSH 6.6.1) while simultaneously passing live Marionette client traffic.
-
Marionette is the first programmable obfuscation system to simultaneously satisfy all five threat-model dimensions evaluated in Figure 2: resistance to blacklist DPI, whitelist DPI, statistical-test DPI, protocol-enforcing proxy traversal, and multi-layer traffic control, while sustaining throughput above 1 Mbps (up to 6.7 Mbps). Every prior system (obfs4, ScrambleSuit, SkypeMorph, StegoTorus, FTE, JumpBox, etc.) fails at least one dimension, most commonly stateful proxy traversal or statistical-feature control.
-
High-fidelity statistical mimicry of Amazon.com traffic — simultaneously matching HTTP response payload length distributions, request-response pairs per TCP connection, and simultaneously active connection counts — reduced goodput to 0.45 Mbps downstream and 0.32 Mbps upstream, versus 6.6/6.7 Mbps for simple RFC-compliant FTP mimicry. The bottleneck was the prevalence of very short payloads (most common length: 43 bytes) forcing frequent TCP connection setup and teardown, with the server blocked on network I/O 98.8% of the time.
-
Format-Transforming Encryption (FTE) fails under proxy-induced ciphertext modification — a single character change causes decryption failure — while Marionette's probabilistic context-free grammar (CFG) templates tolerate header rewriting, connection multiplexing, and content alteration by intermediate proxies. Validated across 10,000 streams through Squid 3.4.9, achieving 5.8 Mbps downstream and 0.41 Mbps upstream goodput.