firestack icon indicating copy to clipboard operation
firestack copied to clipboard
verified publisher icon celzero

Combine direct_split with TCB Desynchronization

Open Lanius-collaris opened this issue 1 year ago • 7 comments

Related to #46

Todo:

  • [ ] Add more comments
  • [ ] Discuss functionality of this dialer.

Lanius-collaris avatar Apr 10 '24 23:04 Lanius-collaris

Thanks; how are you building and testing this? Or, is it PoC (which is also fine)?

ignoramous avatar Apr 13 '24 08:04 ignoramous

PoC.patch.txt @ignoramous You can use this patch. Build and run it with adb or termux.

Lanius-collaris avatar Apr 13 '24 17:04 Lanius-collaris

@ignoramous Does firestack have API(s) to configure dialers?

Lanius-collaris avatar Apr 19 '24 06:04 Lanius-collaris

Does firestack have API(s) to configure dialers?

Yes; see [r|n|p|tls]dial.go in intra/dialers. Not the most stellar code.

ignoramous avatar Apr 19 '24 11:04 ignoramous

@ignoramous Have you design how rethink-app side specifies a strategy? We are adding multiple circumvention strategies. Can we use AddProxy()? (Sorry, I'm not familiar with rethink-app) And dialers.SplitDial() may trigger residual censorship, I think we can make WeirdSplit the default strategy. (It doesn't break any load balancer but increases latency, cause servers to wait for retranssmission)

https://github.com/celzero/firestack/blob/e16959c082c3450bdb8d826da0285b787b315491/intra/dialers/rdial.go#L88-L91 Can we remove this filter?

Lanius-collaris avatar Apr 26 '24 11:04 Lanius-collaris

Can we use AddProxy()? (Sorry, I'm not familiar with rethink-app)

Don't have to. ipn/exit.go (no fancy stuff, just plain old egress), ipn/base.go (splits ClientHello if TCP on ports 443 & 853), and ipn/ground.go (drops all egress) are pre-added "proxies" that use the underlying network as-is. In this case, we probably switch ipn/base.go to use WeirdDial (needs a better name) if you think it is better than SplitDial in all scenarios, with a fallback to SplitDial (but that can be implemented in a later commit).

ignoramous avatar Apr 26 '24 18:04 ignoramous

overwrite_split_experiment branch @ignoramous Could you try it? Please run it on hardware devices, it doesn't work with SLIRP.

Lanius-collaris avatar Apr 29 '24 23:04 Lanius-collaris

@ignoramous Do you have time to review my pull request next week?

Lanius-collaris avatar Jun 21 '24 11:06 Lanius-collaris

Doesn't work on main branch.

Lanius-collaris avatar Jul 18 '24 09:07 Lanius-collaris

Do you have time to review my pull request next week

I've reviewed this and nothing looks particularly concerning to me. There's a few linter remarks on the code, which could be addressed.

ignoramous avatar Jul 18 '24 12:07 ignoramous

Received ICMP messages may not contain my payload, so the implementation of traceroute needs modification.

@ignoramous SwitchStrategy() doesn't work. Move it to ipn/exit.go?

Lanius-collaris avatar Jul 18 '24 21:07 Lanius-collaris

SwitchStrategy() doesn't work. Move it to ipn/exit.go?

Could instead move var DialStrategy to config/settings.go as atomic.Int32, and the method DialStrat(int32) to android/tun2socks.go.

ignoramous avatar Jul 19 '24 03:07 ignoramous

It's usable now. What's next? @ignoramous

Lanius-collaris avatar Jul 22 '24 20:07 Lanius-collaris