Add an heuristic to detect fully encrypted flows (#2058)

A fully encrypted session is a flow where every bytes of the payload is encrypted in an attempt to “look like nothing”. The heuristic needs only the very first packet of the flow. See: https://www.usenix.org/system/files/sec23fall-prepub-234-wu-mingshi.pdf A basic, but generic, inplementation of the popcpunt alg has been added
author: Ivan Nardi <12729895+IvanNardi@users.noreply.github.com> 2023-07-26 09:09:12 +0200
committer: GitHub <noreply@github.com> 2023-07-26 09:09:12 +0200
commit: 3326fa258ec92e553e39fc8a1bfa3921dc81f15c (patch)
tree: fcd0e725b7b5a8d13db1654a9b0864651c642f00 /fuzz/fuzz_alg_crc32_md5.c
parent: 2b230e28e0612e8654ad617534deb9aaaabd51b7 (diff)
1 files changed, 6 insertions, 0 deletions
diff --git a/fuzz/fuzz_alg_crc32_md5.c b/fuzz/fuzz_alg_crc32_md5.c
index ad8c5d2ff..b449941e2 100644
--- a/fuzz/fuzz_alg_crc32_md5.c
+++ b/fuzz/fuzz_alg_crc32_md5.c
@@ -2,11 +2,17 @@
 
 int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) {
   u_char hash[16];
+  struct ndpi_popcount popcount;
 
   /* No memory allocations involved */
 
+  /* Used for crc32, md5 and popcount algs */
+
   ndpi_crc32(data, size);
   ndpi_md5(data, size, hash);
 
+  ndpi_popcount_init(&popcount);
+  ndpi_popcount_count(&popcount, data, size);
+
   return 0;
 }
author	Ivan Nardi <12729895+IvanNardi@users.noreply.github.com>	2023-07-26 09:09:12 +0200
committer	GitHub <noreply@github.com>	2023-07-26 09:09:12 +0200
commit	3326fa258ec92e553e39fc8a1bfa3921dc81f15c (patch)
tree	fcd0e725b7b5a8d13db1654a9b0864651c642f00 /fuzz/fuzz_alg_crc32_md5.c
parent	2b230e28e0612e8654ad617534deb9aaaabd51b7 (diff)