Paper summary: Conjure: Summoning Proxies from Unused Address Space (CCS 19)

Conjure: Summoning Proxies from Unused Address Space
Sergey Frolov, Jack Wampler, Sze Chuen Tan, J. Alex Halderman, Nikita Borisov, Eric Wustrow
https://censorbib.nymity.ch/#Frolov2019b

Conjure is a refraction networking design, distinguished from others in that the covert traffic is directed towards an unused address (“phantom host”) rather than a live decoy server. The design eliminates a lot of technical complexity and allows for better performance and vastly more freedom in choosing an obfuscated proxy protocol.

Using the system requires two steps. First, the client sends a covert registration signal to a Conjure station at a cooperating ISP that indicates the client’s desire to start a refraction networking session. There are many imaginable ways to send a registration signal; the authors have found it convenient to reuse the chosen-ciphertext steganography technique from TapDance (§3.1), which involves sending an HTTPS request through the Conjure station to a real web server (this is not the part that uses unused addresses). Besides signaling the start of a Conjure session, the registration message contains a seed that allows the client and the Conjure station to agree on the address of a phantom host. In the second step, the client sends packets that are directed to the phantom address, and the Conjure station intercepts them and redirects them to an application proxy service. The client and Conjure station do not need to maintain a synchronized view of what addresses are unused behind the Conjure station: in the event that registration results in a “phantom” that is actually live, the client just tries again with a different seed.
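As an added illustration (not code from the paper or its authors), the following toy model shows the seed-based agreement on a phantom address and the client's retry when a phantom turns out to be live; the hash-to-pool derivation and the phantom subnets are stand-ins for whatever the real system uses.

```python
import hashlib
import ipaddress

# Constructed phantom pool: prefixes routed past the station that carry no live
# hosts as far as the ISP knows (assumption; the paper's pool and derivation differ).
PHANTOM_SUBNETS = [ipaddress.ip_network("192.0.2.0/24"),
                   ipaddress.ip_network("198.51.100.0/24")]

def derive_phantom(seed: bytes) -> ipaddress.IPv4Address:
    """Hypothetical seed-to-address mapping shared by client and station.
    Both sides evaluate it on the registered seed, so they agree on the phantom
    without exchanging or synchronising any list of unused addresses."""
    digest = hashlib.sha256(b"conjure-phantom-example" + seed).digest()
    pool_size = sum(net.num_addresses for net in PHANTOM_SUBNETS)
    idx = int.from_bytes(digest[:8], "big") % pool_size
    for net in PHANTOM_SUBNETS:
        if idx < net.num_addresses:
            return net[idx]
        idx -= net.num_addresses
    raise AssertionError("index is always inside the pool")

class Station:
    """Model of a Conjure station sitting inline at the cooperating ISP."""
    def __init__(self, live_hosts):
        self.live_hosts = set(live_hosts)   # constructed: addresses observed to be in use
        self.registrations = {}             # phantom address -> registration seed

    def register(self, seed: bytes) -> None:
        # The registration signal itself rides steganographically on an HTTPS request
        # (TapDance-style); only the seed matters here. Record the expected phantom.
        self.registrations[derive_phantom(seed)] = seed

    def handle_packet(self, dst: ipaddress.IPv4Address) -> str:
        seed = self.registrations.get(dst)
        if seed is None or dst in self.live_hosts:
            return "passthrough"   # unregistered, or collides with a real host: leave it alone
        return "proxy"             # phantom-bound flow: redirect to the application proxy

def client_session(station: Station, seed: bytes, max_tries: int = 3):
    """Client side: register, then send to the phantom; if the 'phantom' is actually
    a live host (the station did not take the flow), retry with a fresh seed."""
    for _ in range(max_tries):
        station.register(seed)
        phantom = derive_phantom(seed)
        if station.handle_packet(phantom) == "proxy":
            return phantom, "session established"
        seed = hashlib.sha256(seed).digest()   # fresh seed -> different phantom
    return None, "gave up"
```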

Past refraction networking systems, in order to maintain the illusion of continuing conversation with a live decoy host, have had to play tricks with details of TLS and HTTP that put constraints on the data-transfer protocol. Conjure, because it doesn’t need to maintain that illusion, can choose any covert proxy protocol—basically, anything that on its own won’t get blocked by a censor, like obfs4, WebRTC, obfuscated SSH, or TLS with some form of SNI protection. The authors tested an implementation by deployment at a mid-sized ISP in the manner of Frolov et al. 2017. Conjure has 1000× better upload bandwidth, more consistent download bandwidth, and lower latency than TapDance.