DEFENSES
water-wasm WATER (WASM-based pluggable transports)
3 papers on file
- 2017-frolov-water-pluggable WATER: a programmable framework for pluggable transports
- 2024-chi-just Just add WATER: WebAssembly-based Circumvention Transports
- 2017-nasr-waterfall The Waterfall of Liberty: Decoy Routing Circumvention that Resists Routing Attacks
6 findings tagged here
- Because WATER uses a sing-box-compatible interface, a single WASM transport module written once is immediately usable by any application that embeds the WATER host runtime — including lantern-box (Lantern's proxy SDK), any other sing-box-derived client (33k+ GitHub stars as of 2024), and standalone WATER host binaries. This gives each new transport a substantially larger deployment surface than a single-app pluggable transport achieves.
- WATER (WebAssembly Transport Executables at Runtime) defines a pluggable-transport architecture in which the transport logic is compiled to a WASM module that is loaded and executed at runtime by a thin Go host process. This separates the stable host ABI (dial, accept, read, write) from the rapidly evolving transport logic, allowing new or updated transports to be delivered as small WASM binaries without recompiling or redeploying the host application.
- WATMs are designed to be generic: any application that embeds the WATER host runtime can use the same WATM binary without modification. This means a single successfully deployed transport module reaches users of every WATER-enabled application simultaneously, collapsing the per-app porting effort that traditionally delays circumvention tool updates.
- WATER (WebAssembly Transport Executables Runtime) separates transport logic from the host application by compiling it to a WASM module (WATM) that is distributed and loaded independently at runtime. Deploying a new or updated circumvention technique requires only distributing the new WATM binary and optional configuration — no change to the host application and no app-store update cycle is required.
- Traditional circumvention tool development and deployment is slow because new strategies must be developed, integrated into each tool separately, and then distributed via platform app stores. WATER's WASM module architecture specifically addresses this asymmetry: censors evolve blocking techniques quickly, while circumventors are bottlenecked by binary release cycles. The paper argues that dynamic WATM delivery breaks this bottleneck by decoupling transport updates from application releases.
- The paper identifies that circumvention systems relying on long-lived, consistent proxy servers are fundamentally vulnerable to host-based temporal detection regardless of per-flow obfuscation quality, and recommends adversarial examples, ephemeral obfuscation servers, and programmable or polymorphic protocols as countermeasures. Snowflake's volunteer-browser proxy architecture—where proxies are ephemeral and addresses are not reused—is highlighted as inherently more resistant to host-based classification than static bridge designs like obfs4.