BA/MA: Cen­sor­ship Top­ics

Various state actors around the world deploy some degree of censorship. To prevent users from accessing specific websites, they alter, drop, and redirect connection attempts to websites and services they deem malicious. Countries facilitate censorship by inspecting protocols like IP, TCP, HTTP, DNS, TLS, and VPNs. The sophistication of censors varies as much as the techniques they use. Overall, this leads to a diverse landscape of censorship around the world. In recent years, the analysis of censorship has increased greatly. Automated tools for global censorship analysis and circumvention have been introduced together with country-specific in-depth analyses.

To aid in this acquisition of knowledge, we want to ascertain censorship techniques and the circumventability of censorship around the globe. This includes both country-specific analyses and new circumvention or analysis techniques. Below, we gather potential thesis topics:

Implement TTL Measurements [BA]. Theoretically, censorship devices can be located anywhere between the client and its accessed server. Practically, censorship devices are mostly located in the clients' ISP devices or edge-routers on the countries' border. To determine the exact location of censorship devices TTL-driven measurements can be employed (see Raman et al.): Gradually increasing the TTL value of IP packets reveals the location of the censorship device as it can only trigger when the TTL is high enough to reach it. You task is to implement TTL-driven measurements in our censorship analysis tool. Using your implementation you will analyze the location of various censorship devices around the world.

QUIC Remote Scanning [BA/MA]. In 2020, Raman et al. introduced Hyperquack, which relies on regular HTTPS servers in a censored region to analyze HTTPS censorship. They open TLS connections from outside a censored region to servers in the censored region that they do not control. While the client is usually located in the censored region, their method proved useful to analyze censors across many countries without vantage points in the countries under analysis. Since then, the QUIC protocol has gained widespread support on the Internet and, similar measurements are possible using QUIC. In this topic, you would implement the Hyperquack measurement method for TLS and QUIC in our Censor-Scanner framework, and evaluate its feasibility to analyze real-world QUIC censors.

Residual Censorship [BA]. Along with dropping and injecting individual packets, censors often deploy residual censorship (e.g., Table 1 in Bock et al.): After a censor detects a forbidden packet, they continue censoring all packets that are likely to belong to the same network flow. The most common forms are comparing the packets' "4-tuple" (src. IP, src. port, dest. IP, dest. port) or the "3-tuple" (src. IP, dest. IP, dest. port), and dropping all matching packets for a specific duration. In some cases, it has also been found that censors do not drop the original packet, but still censor residually (e.g., for QUIC). Your task would be developing scanners to determine the type, duration, and other properties of residual censorship, and to validate them against several real-world censors.

QUIC Client Censorship Robustness [MA]. Many censors perform censorship by injecting additional packets (like TCP Reset packets), rather than dropping packets. Because TCP Reset packets are not authenticated, censors can forge them and tear down connections. For QUIC, this method is not applicable: Instead of using TCP, QUIC uses UDP, where there is no TCP Reset packet, and QUIC's mechanism of closing connections (sending a Connection Close frame) is authenticated after the handshake—so, once the handshake is complete, it cannot be forged by a censor. Prior work conjectures that this makes QUIC more robust against injection-based censorship. This assumption has, however, not yet been validated in depth. In particular, censors are not limited to injecting authenticated Connection Close frames. Instead, they may attempt to inject Connection Close frames early in the handshake, early Server Hello messages impersonating the server, malformed packets, or other packets that may cause clients to give up on a connection. Your goal would be to evaluate different QUIC clients (and possibly servers) for robustness against packet injection, and to determine whether such attacks pose a practical threat.

None of these topics interest you, but you still want to analyze censorship in your thesis? Feel free to contact us with your own ideas. We can try to find a topic together!

Requirements (usually):
- Programming: Java, Kotlin, Python
- Knowledge of protocols: TLS, QUIC, DNS, HTTP, Network Stack (TCP/IP), depending on the topic
- Interest in censorship (circumvention)

Contact