2.7 Attack Mitigation and Remaining Gaps
2.7.2 Data Channel
Obfuscated and indistinguishable values certainly make it difficult to detect the data channel. Channel denial is mitigated by the success of these strategies as well as the strategy of placing overt and covert destinations outside the scope of influence. However, there are limits to the success that depend on how well these strategies are implemented. Transforming traffic to look like another protocol, such as HTTP, generally has only limited success [HRBS12, GSH13]. For instance, in the case of mimicry to obfuscate known distinguishers, the censor only has to find one disparity, whereas a CRS must perfectly imitate the chosen cover protocol in order to succeed. Cover protocols are generally complex, with behavior dependent on their particular use cases. An imitator has the task of not only making the protocol look correct, i.e., matching explicit values, but also ensuring it behaves according to expected norms, i.e., matching implicit values. Common protocol-level disparities are a result of incomplete or incorrect cover protocol implementation, such as failure to handle errors in a consistent manner. Both SkypeMorph and CensorSpoofer suffer from systematic errors stemming from incomplete imitation of the cover protocol [HBS13, GSH13, LSH14].
Even if CRS traffic is tunneled over the cover protocol, to avoid the problems inherent to mimicry, the censor may be able to take advantage of channel usage inconsistencies and content inconsistencies [LSH14]. A CRS may rely on channel characteristics in a different manner from the cover protocol. If the overt protocol is more robust to network degradation, for example, the censor can manipulate the network to disrupt CRS traffic, but not legitimate cover protocol traffic. Iran conducted such an attack on Tor by limiting the duration of TLS connections to two minutes [Tor13]. Legitimate connections to text-based websites were not affected by this, since the website has loaded within that time period. On the other hand, Tor traffic is interrupted, as Tor TLS connections are longer lived than two minutes and would need to be reestablished often. In a similar vein, Iran also throttled TLS connections to rates of 2 kilobits per second, making browsing and other activities difficult [Lew11]. These attempts aim to block CRSs that do not perfectly match the use cases of the popular protocols they tunnel through, which has the effect of making the usage of the CRS onerous and thus discouraging it. Other examples include SWEET [ZHCB13] and Freewave [HRBS12]. SWEET uses email as the carrier for web traffic. Since email is a high-latency tolerant protocol and web traffic is not, this disparity can be exploited by the censor, who can simply delay all emails leaving the SoI, to impact only the CRS and not the carrier protocol. Similarly, since streaming audio/video is loss tolerant, the censor can disrupt CRSs like Freewave by dropping enough packets to disrupt Freewave transmissions, while leaving actual Skype traffic within the threshold of an acceptable level of performance.
Even if the data channel is encrypted, the content of CRS communications may be distinguishable from the content of the cover protocol. For example, Li et al. [LSH14] and Geddes et al. [GSH13] show that Freewave may be detected using an n-gram based classifier on packet lengths. This attack, however, is contingent on the censor accurately modeling normal content. This may be easier for special-purpose protocols, such as VoIP, which is used only for video or voice traffic, than for general-purpose protocols, such as TLS, which is used for multiple types of data. Achieving indistinguishability of CRS traffic from legitimate, popular cover protocols has been a natural focus in the research literature. In light of difficulties ensuring consistency at the protocol, channel, and content levels, Li et al. propose that CRSs not only use popular, unblocked cover protocols to tunnel traffic, but also match CRS content with that of the chosen cover protocol. Their proposal, Facet, is a prime example of a system that attempts to do this, by building a data channel that sends video traffic over Skype, and ensuring the video traffic approximately matches the expected traffic pattern for a video chat call. It remains to be seen if further discrepancies may be discovered with this approach.
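The following is an added example, not part of the original text and not the classifier of [LSH14] or [GSH13]: a simplified n-gram comparison over bucketed packet lengths that a CRS designer can run to check whether tunneled traffic departs from the cover protocol by more than the cover protocol varies on its own. The bin width, the margin, and all three traces are constructed assumptions.

```python
import math
from collections import Counter

BIN = 16  # bytes per length bucket (assumed; coarse bins tolerate small jitter)

def ngram_profile(lengths, n=2):
    """Probability distribution over n-grams of bucketed packet lengths."""
    bins = [length // BIN for length in lengths]
    grams = Counter(tuple(bins[i:i + n]) for i in range(len(bins) - n + 1))
    total = sum(grams.values())
    return {g: c / total for g, c in grams.items()}

def js_divergence(p, q):
    """Jensen-Shannon divergence in bits: 0 = identical, 1 = disjoint support."""
    def kl(a, m):
        return sum(pa * math.log2(pa / m[g]) for g, pa in a.items() if pa > 0)
    mix = {g: 0.5 * (p.get(g, 0.0) + q.get(g, 0.0)) for g in set(p) | set(q)}
    return 0.5 * kl(p, mix) + 0.5 * kl(q, mix)

def stands_out(cover_ref, cover_other, candidate, n=2, margin=3.0):
    """Compare the candidate's divergence from cover with cover's own spread.

    Returns (flagged, baseline, score): baseline is cover-vs-cover divergence,
    score is cover-vs-candidate divergence.
    """
    ref = ngram_profile(cover_ref, n)
    baseline = js_divergence(ref, ngram_profile(cover_other, n))
    score = js_divergence(ref, ngram_profile(candidate, n))
    return score > margin * max(baseline, 1e-3), baseline, score

# Constructed traces (not captures): two variable-bitrate calls of the cover
# protocol, and a tunnel whose packets are nearly constant in length.
COVER_A = [60 + (i * 37) % 120 for i in range(200)]
COVER_B = [60 + (i * 37 + 11) % 120 for i in range(200)]
TUNNEL = [150 + (i % 3) for i in range(200)]

if __name__ == "__main__":
    flagged, baseline, score = stands_out(COVER_A, COVER_B, TUNNEL)
    print(f"cover vs cover: {baseline:.3f}  cover vs tunnel: {score:.3f}  "
          f"flagged={flagged}")
```

The individual tunnel packet lengths all fall inside the cover protocol's range; it is the sequence statistics (here, bigrams) that separate the two, which is why matching content patterns rather than only value ranges matters.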
2.7.3 Overt and Covert Destinations
Rate-limiting strategies help to mitigate the impact of the censor curtailing access to overt destinations. The censor combing for CRS-related values is potentially mitigated by the lock-stepped interaction strategy. Coercion resistance is provided by, again, placing CRS-participating components outside the SoI. Hiding the true location or nature of covert content, using the strategy of unpredictable values, also mitigates the threat of the censor coercing the takedown of content.
Decoy routing CRSs [KEJ+11, WWGH11, HNCB11, WSH14] are an interesting attempt at obfuscation that has attracted research attention. They work by placing CRS stations within the network infrastructure itself, such as at routers at participating ISPs outside the censor’s SoI. Users signal their intent to use the CRS by steganographically tagging a seemingly innocent connection to a decoy destination (or dummy destination in our terminology), which can be any site not blocked by the censor and that has a CRS station on the network path between the client and itself. The user may then request her real, blocked destination, which will be served by the CRS station. The main difference between these systems lies in their ability to handle asymmetric flows, a feature of Decoy Routing, Cirripede, and TapDance, and their reliance on an inline network-flow-blocking element, which is necessary in all of these systems except TapDance. All of these systems rely on strategic deployment, making it impossible for the censor to “route around” cooperating ISPs without significant collateral damage. If this assumption is invalid, however, the censor can avoid or otherwise blackhole the route. The tools for this are already present in networking equipment; the question is whether an alternative route exists for desirable hosts on the other side of the proxy. Thomson et al. [SGTH12] investigate the feasibility of this attack while Houmansadr et al. [HWS14] evaluate the costs associated with it. This is an open research problem, with game-theoretic analysis as an avenue for further pursuit.
However, gaps exist. The first is that most CRSs do not yet attempt to prevent crushing tactics (such as a DDoS) against CRS-participating destinations or storage. The CRS implicitly depends on the leveraged platform or its network connectivity provider to prevent such a scenario. In general, preventing a DDoS attack does not yet have a robust solution, outside of over-provisioning of bandwidth and IP addresses. The second gap is that corrupted content and CRS participants are not prevented or mitigated by any strategy. Both of these areas are avenues for future research.
2.7.4 CRS Client
The linking attack is the main vector that is mitigated in the exposure and detection phases. Indirect values, trust, obfuscated and/or indistinguishable traffic patterns and destinations are the main techniques employed. We have already discussed the relevant examples from the literature in the discussion about overt/covert destinations and the dissemination channel.
In the response phase, publisher coercion may be mitigated by CRSs that do not allow the deletion or modification of published content. Alternatively, plausible deniability may deflect suspicion, as seen in DenaLi [NFS14], where errors in broadcasted messages on the local WiFi network are used to hide steganographic messages and CRS participation.