Hah! I was wondering when someone was going to start throwing parse tree differentials at regex-based DPI. Obviously the next step in the arms race is DPI systems that use correct parsers, but this is hard to do at wire speed. For now, anyway.

Cheers,
--mlp

On Mon, Jan 27, 2014 at 09:50:02AM -0800, coderman wrote:
> https://kpdyer.com/publications/ccs2013-fte.pdf and https://fteproxy.org/about
>
> """
> Format-Transforming Encryption (FTE) is a novel cryptographic primitive that extends traditional encryption... FTE takes a key, message and format (a compact set descriptor) as input and outputs a ciphertext in the format set. As an example, a format may describe the set of valid HTTP messages.
>
> fteproxy bootstraps FTE to relay arbitrary data streams. In turn, this enables fteproxy to use a regular expression that captures an uncensored protocol (e.g., HTTP), then employ fteproxy to tunnel a censored protocol (e.g., Tor, TLS, SSH, etc.). To the network monitor, traffic looks like HTTP, even though it's actually a censored protocol.
> """
>
> git clone https://github.com/kpdyer/fteproxy.git fteproxy-unstable
> cd fteproxy-unstable
> make
> ./bin/fteproxy