2020-wang-symtcp

SymTCP: Eluding Stateful Deep Packet Inspection with Automated Discrepancy Discovery

Zhongjie Wang, Shitong Zhu, Yue Cao, Zhiyun Qian, Chengyu Song, Srikanth V. Krishnamurthy, Kevin S. Chan, Tracy D. Braun · Network and Distributed System Security · 2020

canonical link →

Tags

censors: generic
techniques: dpi rst-injection
defenses: geneva

findings extracted from this paper

The GFW's dominant exploitable discrepancy is accepting data packets whose TCP sequence number is ≤ the initial sequence number (ISN), while Linux rejects such packets as out-of-window. This single 'SEQ ≤ ISN' strategy accounts for the majority of the 3,152 successful evasion-packet cases against the GFW out of 4,587 total successful evasions.

§VIII.C detection dpimiddlebox-interference cn
Snort contains two novel TCP Timestamp discrepancies versus Linux: it omits RFC 7323-mandated timestamp validation on RST packets in SYN_RECV state, and its PAWS TSval acceptance window is 'off by two' — a TSval of 0 or 0xffffffff following a packet with TSval 0x80000000 is accepted by Linux but rejected by Snort, enabling insertion-based evasion by crafting packets that fall in the divergent range.

§VIII.E detection dpimiddlebox-interference generic
Snort interprets the TCP urgent pointer as the offset to the last byte of urgent data and discards all payload bytes before that offset, while Linux consumes only 1 urgent byte and leaves the remaining payload intact. Injecting a packet with the URG flag and the urgent-pointer offset pointing to an insignificant padding byte allows the full sensitive payload to reach the server while Snort strips it — a novel evasion strategy not previously reported.

§VIII.E detection dpimiddlebox-interference generic
SymTCP uses selective symbolic execution over Linux's TCP implementation (S2E + KLEE) to enumerate all packet sequences reaching 47 binary-level accept or drop points from LISTEN to ESTABLISHED, then conducts differential testing against a blackbox DPI to confirm discrepancies; the open-sourced system requires no DPI source access and covers 37 of 47 drop points within the operationally relevant handshake window.

§IV, §VIII.A–B defense dpimiddlebox-interference cngeneric
SymTCP generated 56,787 candidate insertion/evasion packets in approximately one hour using concolic execution over Linux's TCP stack. Evaluating a sampled set of 10,000 test cases against real DPI systems yielded 6,082 evasions against Zeek, 652 against Snort, and 4,587 against the Great Firewall of China — discovering 14 novel evasion strategies beyond those found by prior manual approaches.

§VIII.C evaluation dpimiddlebox-interference cngeneric