
[English translation] Research and implementation of advanced evasion technology based on web middleware (Beijing Institute of Technology 2018)

Open wkrp opened this issue 7 months ago • 2 comments

This is another entry in the series of Chinese publications translated to English. Previous entries in the series are #434, #435, #437, #444.


基于网络中间件的高级逃逸系统的研究与实现
Research and implementation of advanced evasion technology based on web middleware
崔一鸣 (Cui Yiming)
Online English HTML | English PDF | Original Chinese DOCX | Original Chinese PDF
https://github.com/LeoCui/AET

This is a bachelor's thesis about the project AET – Advanced Evasion Technology based on SAPP. It is an implementation of various IDS evasion techniques—for example, IP fragmentation, overlapping TCP segments, and TTL modification—with the stated goal of "simulating a real evasion tool" to improve intrusion detection systems. The specific evasion techniques are nothing new: they are the kind of thing that was written about as early as 1998 by Ptacek and Newsham 1998 and implemented in fragroute circa 2002. (The thesis has a comparison with fragroute in Section 5.3.) What is more interesting is the fact that the system is implemented as a plugin for SAPP ("Stream Analyse Process Platform"), a network analysis platform from MESA, a prominent research lab in the Institute of Information Engineering, Chinese Academy of Sciences. There is not much public information about SAPP, so this thesis is a valuable source of insight.

8 evasion techniques are implemented:

| Evasion technique | Section | Source file |
|---|---|---|
| IP fragmentation | 3.3.1 | module_ip_frag.c |
| IP overlap | 3.3.2 | module_ip_frag.c |
| TCP segmentation | 3.3.3 | module_tcp_segment.c |
| TCP segment overlap | 3.3.4 | module_tcp_overlap.c |
| Modify IP TTL | 3.3.5 | module_modify_ttl.c |
| Modify TCP flags | 3.3.6 | module_modify_tcp_flags.c |
| Modify TCP MSS | 3.3.7 | module_modify_mss.c |
| Modify TCP window scale | 3.3.8 | module_modify_wscale.c |

Concrete evasion attacks are proposed that use the fragmentation/segmentation, overlap, and TTL techniques. No attacks are proposed for the other three techniques (TCP flags, MSS, and window scale), and in fact it's hard to see how they would be useful in hiding an attack from an IDS. A configuration file (AET.conf) permits composing multiple techniques together.

The evasion system is implemented as a plugin (a .so dynamic library) for SAPP. This is how the thesis describes SAPP:

SAPP(Stream Analyse Process Platform)平台,是面向高速网络流处理的网络安全开发平台。具备全栈的协议解析能力,支持IPV4/IPV6网络层协议,支持VLAN、GRE、MPLS、PPPOE等中间层协议,支持Socks、HTTP、SMTP、IMAP、POP3、FTP、Telnet等应用层协议。在相应的硬件平台上可以实现10Gbps到40Gbps的处理能力。支持并接和串接两种部署方式。

在接收流量方面,SAPP提供了多种接口,包括IP层流量(经过碎片重组之后),TCP层流量(经过TCP流还原之后),甚至SAPP还提供了以太网层的原始流量。

SAPP (Stream Analyse Process Platform) is a cybersecurity development platform designed for high-speed network stream processing. With full-stack protocol analysis capabilities, it supports IPv4/IPv6 network-layer protocols, intermediate-layer protocols such as VLAN, GRE, MPLS, and PPPoE, and application-layer protocols such as SOCKS, HTTP, SMTP, IMAP, POP3, FTP, and Telnet. Processing capabilities ranging from 10 Gbps to 40 Gbps can be achieved on appropriate hardware platforms. The platform supports both parallel and serial deployment modes.

In terms of receiving traffic, SAPP provides a variety of interfaces, including IP-layer traffic (after fragment reassembly), TCP-layer traffic (after TCP stream reconstruction), and even raw traffic at the Ethernet layer.

SAPP is a network analysis platform that lets you see and manipulate network traffic at all layers of the network stack and at various levels of abstraction: from Ethernet frames, to IP packets, to TCP segments, to reassembled streams, to parsed application-layer protocols. The thesis project's interaction with SAPP is fairly limited, however: essentially it uses SAPP just as an engine to capture and send IP packets.

The AET code, which is written in C, imports the header file <MESA/stream.h>, presumably part of the SAPP interface. To receive packets, it defines a function business_ip_entry, which looks like a callback invoked by the SAPP core. The function returns an APP_STATE_GIVEME constant, which must also be part of the SAPP interface. To send packets, it calls a function MESA_sendpacket_iplayer. That seems to be the extent of SAPP integration in this project.

wkrp, Apr 15 '25 05:04
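The IP overlap and TCP segment overlap techniques in the table above work because hosts resolve overlapping data differently, so an IDS that reassembles with one fixed policy can inspect a payload the target never sees. The following is an added example, not code from the AET thesis or from SAPP: it reassembles constructed chunks under two overlap policies and implements the check an IDS can run to flag overlaps whose bytes disagree.

```python
"""Overlap-policy check for IP fragments / TCP segments.

Added example, not code from the AET thesis or SAPP: it models the
ambiguity behind the 'IP overlap' and 'TCP segment overlap' techniques
and a check an IDS can run before trusting one reassembly result.
"""
from dataclasses import dataclass

@dataclass(frozen=True)
class Chunk:
    offset: int  # byte offset of this fragment/segment in the payload
    data: bytes  # bytes it carries

def reassemble(chunks, policy="first"):
    """Reassemble in arrival order. policy="first": bytes already written
    win (favour-original hosts); policy="last": later chunks overwrite
    (favour-new hosts). An IDS hard-wired to one policy may therefore
    inspect a payload the real target never sees."""
    if policy not in ("first", "last"):
        raise ValueError(f"unknown policy {policy!r}")
    buf = {}
    for c in chunks:
        for i, b in enumerate(c.data):
            pos = c.offset + i
            if policy == "last" or pos not in buf:
                buf[pos] = b
    if not buf:
        return b""
    if len(buf) != max(buf) + 1:
        raise ValueError("payload has holes; cannot reassemble")
    return bytes(buf[i] for i in range(len(buf)))

def conflicting_overlaps(chunks):
    """Return (offset, earlier_byte, later_byte) for every position where
    two chunks overlap with different bytes. Plain retransmissions overlap
    with identical bytes and are not reported; a non-empty result means the
    payload depends on policy and deserves an alert, not a single pass."""
    seen, conflicts = {}, []
    for c in chunks:
        for i, b in enumerate(c.data):
            pos = c.offset + i
            if pos in seen and seen[pos] != b:
                conflicts.append((pos, seen[pos], b))
            seen.setdefault(pos, b)
    return conflicts

# Constructed sample: the second chunk overlaps bytes 5-9, rewriting 'index' to 'admin'.
SAMPLE = [Chunk(0, b"GET /index.html"), Chunk(5, b"admin")]
```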

The string "MESA" in source code symbols points to SAPP's origin in the MESA research lab. MESA stands for "Massive and Effective Stream Analysis" and its research involves all sorts of network classification and filtering topics. The lab used to have a public website at https://mesalab.cn/, but it has apparently been offline since January 2025. The lab's major events page cited SAPP being in use since 2014:

2014年,MESA组件SAPP平台开始在工程中大规模应用;
In 2014, the MESA component SAPP platform began to be applied on a large scale in engineering;

In the acknowledgements section, the author of the thesis thanks, among others, professors and students at MESA:

然后要感谢我的校外导师郑超老师和校内导师高玉金老师,是你们帮助我确定选题,讨论研究方法和实现方案,给了这篇论文很大的帮助。

然后还要感谢实验室的陆秋文师兄,在这篇论文完成过程中,给了我很多的指导与参考建议,没有你的帮助,这篇论文很难完成。然后要感谢实验室的汤琦师兄,在实验过程中的技术问题上提供了很多帮助,帮我解决了很多技术难题。然后还有感谢实验室的张斌师兄,李响师姐,和杨泞构师兄,在论文完成过程中,帮我解决了很多疑惑。

Then I would like to thank my external supervisor, Mr. 郑超 (Zheng Chao), and my internal supervisor, Mr. 高玉金 (Gao Yujin), who helped me to identify the topic, discuss the research method and the implementation plan, and gave great help to this thesis.

Then I would also like to thank Brother 陆秋文 (Lu Qiuwen) in the lab for giving me a lot of guidance and reference suggestions during the completion of this thesis, without your help, this thesis would have been difficult to complete. Then I would like to thank 汤琦 (Tang Qi) in the lab, who provided a lot of help in the technical problems during the experiment and helped me to solve many technical problems. Then there are also thanks to Brother 张斌 (Zhang Bin), Sister 李响 (Li Xiang), and Brother 杨泞构 (Yang Ninggou) in the lab, who helped me solve many doubts during the completion of the thesis.

Of particular note is the external supervisor 郑超 (Zheng Chao), who has appeared on this forum many times before. Most notably, Zheng is part of the company Geedge Networks, which last year was accused of supplying equipment and personnel to block VPN traffic in Myanmar. Zheng is also a coauthor of papers discussed in past reading group threads:

  • #275
  • #282
  • #444

wkrp, Apr 15 '25 05:04


Another C identifier that starts with MESA_ appears in the 2014 patent CN103514053, with the title 一种基于共享内存的进程间通讯方法 (Shared-memory-based method for conducting communication among multiple processes). It's a data structure called MESA_shm_queue_info.

The inventors of the patent are 刘庆云 (Liu Qingyun), 李世明 (Li Shiming), 刘洋 (Liu Yang), 秦鹏 (Qin Peng), 郑超 (Zheng Chao), 孙永 (Sun Yong), 周舟 (Zhou Zhou), and 杨威 (Yang Wei). The inventor 郑超 (Zheng Chao) is the same person who is acknowledged in the AET thesis.

```c
#include <pthread.h>

/* Management header at the start of the shared-memory region,
   as transcribed from the patent text (paragraphs [0050]-[0061]). */
typedef struct MESA_shm_queue_info {
    unsigned int max_queue_size;
    unsigned int pool_size;
    unsigned int pool_begin_offset;
    unsigned int pool_end_offset;
    unsigned int write_pos;
    unsigned int op_num;       // number of currently attached processes
    int owner_id;              // garbled as "Intower_id" in the source; "owner_id" is a reconstruction
    char read_flags[32];       // marks the processes that still have to read
    pthread_mutex_t mutex;
    pthread_rwlock_t rwlock;
} MESA_shm_queue_info_t;
```

[0048] The three parts are described in detail below. [0049] PART1: the beginning portion of the shared memory, which stores the management information for the whole shared memory; its specific content is a struct of type MESA_shm_queue_info_t, which is: [0050]–[0061] <This is the data structure transcribed immediately above.> [0062] The struct is described in detail below: [0063] max_queue_size: the size of the circular queue.

wkrp, May 19 '25 21:05

A footnote in the InterSecLab report about the Geedge Networks leak mentions SAPP, the subject of this thesis. This thesis's external supervisor 郑超 (Zheng Chao) is a co-founder of MESA and the CTO of Geedge Networks.

p.24

To extract these [AppSketch] fingerprints, Geedge and the Mesalab students use a modified version of the open-source tool tcpdump, which they call tcpdump_mesa. The fingerprint is subsequently transformed into a ruleset utilizing one of four systems for deep packet inspection: SAPP (Stream Analyze Process Platform), a C packet parsing and injection library; Stellar, a stateful firewall plugin platform that operates on a higher level of abstraction compared to SAPP; or Maat, a declarative system. Unlike SAPP and Stellar, Maat does not require programming knowledge for the development of new rules. Maat is capable of matching common connection fingerprints, including IP addresses, domain names, TLS Server Name Indications (SNI), JA3/JA4 fingerprints, specified in a JSON file. Maat rules are synchronized across nodes within a TSG cluster through the use of a Redis database, thereby ensuring consistency in the application of these rules.

For Maat, see #444.

wkrp, Sep 11 '25 14:09

The source code component of the Geedge Networks leak contains a number of repositories with "sapp" in the name. "cuiyiming" is 崔一鸣 (Cui Yiming), the author of the bachelor's thesis that is the subject of this thread.

  • MESA_Platform/sapp
  • cuiyiming/lua_sapp
  • fumingwei/sapp_test
  • public_resources/sapp_doc
  • stellar/stellar-on-sapp

wkrp, Sep 17 '25 22:09