Towards Illuminating a Censorship Monitor's Model to Facilitate Evasion

Censorship systems that make dynamic blocking decisions must inspect network activity on-the-fly to identify content to filter. By inferring the analysis models of such monitors we can identify their vulnerabilities to different forms of evasions that we can then exploit for circumvention. We leverage the observation that censorship monitors essentially work on the same principles as Network Intrusion Detection Systems (NIDS) and therefore inherit the same evasion vulnerabilities already discussed in the NIDS context for years. Using this past work as a guide, we illustrate the power of illuminating a monitor’s analysis model by conducting extensive probing to test for vulnerabilities in the Great Firewall of China. We find exploitable flaws in its TCB creation and destruction, fragment and segment reassembly, packet validation, (in)completeness of HTTP analysis, and state management.