From 3326fa258ec92e553e39fc8a1bfa3921dc81f15c Mon Sep 17 00:00:00 2001 From: Ivan Nardi <12729895+IvanNardi@users.noreply.github.com> Date: Wed, 26 Jul 2023 09:09:12 +0200 Subject: Add an heuristic to detect fully encrypted flows (#2058) MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit A fully encrypted session is a flow where every bytes of the payload is encrypted in an attempt to “look like nothing”. The heuristic needs only the very first packet of the flow. See: https://www.usenix.org/system/files/sec23fall-prepub-234-wu-mingshi.pdf A basic, but generic, inplementation of the popcpunt alg has been added --- fuzz/fuzz_alg_crc32_md5.c | 6 ++++++ 1 file changed, 6 insertions(+) (limited to 'fuzz') diff --git a/fuzz/fuzz_alg_crc32_md5.c b/fuzz/fuzz_alg_crc32_md5.c index ad8c5d2ff..b449941e2 100644 --- a/fuzz/fuzz_alg_crc32_md5.c +++ b/fuzz/fuzz_alg_crc32_md5.c @@ -2,11 +2,17 @@ int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) { u_char hash[16]; + struct ndpi_popcount popcount; /* No memory allocations involved */ + /* Used for crc32, md5 and popcount algs */ + ndpi_crc32(data, size); ndpi_md5(data, size, hash); + ndpi_popcount_init(&popcount); + ndpi_popcount_count(&popcount, data, size); + return 0; } -- cgit v1.2.3