cispa_all_3220.pdf (1.31 MB)

DPIFuzz: A Differential Fuzzing Frameworkto Detect DPI Elusion Strategies for QUIC

Download (1.31 MB)
conference contribution
posted on 2023-11-29, 18:13 authored by Gaganjeet Singh Reen, Christian RossowChristian Rossow
QUIC is an emerging transport protocol that has the potential to replace TCP in the near future. As such, QUIC will become an important target for Deep Packet Inspection (DPI). Reliable DPI is essential, e.g., for corporate environments, to monitor traffic entering and leaving their networks. However, elusion strategies threaten the validity of DPI systems, as they allow attackers to carefully design traffic to fool and thus evade on-path DPI systems. While such elusion strategies for TCP are well documented, it is unclear if attackers will be able to elude QUIC-based DPI systems. In this paper, we systematically explore elusion methodologies for QUIC. To this end, we present DPIFuzz: a differential fuzzing framework which can automatically detect strategies to elude stateful DPI systems for QUIC. We use DPIFuzz to generate and mutate QUIC streams in order to compare (and find differences in) the server-side interpretations of five popular open-source QUIC implementations. We show that DPIFuzz successfully reveals DPI elusion strategies, such as using packets with duplicate packet numbers or exploiting the diverging handling of overlapping stream offsets by QUIC implementations. DPIFuzz additionally finds four security-critical vulnerabilities in these QUIC implementations.


Preferred Citation

Gaganjeet Reen and Christian Rossow. DPIFuzz: A Differential Fuzzing Frameworkto Detect DPI Elusion Strategies for QUIC. In: Annual Computer Security Applications Conference (ACSAC). 2020.

Primary Research Area

  • Algorithmic Foundations and Cryptography

Name of Conference

Annual Computer Security Applications Conference (ACSAC)

Legacy Posted Date


Open Access Type

  • Unknown


@inproceedings{cispa_all_3220, title = "DPIFuzz: A Differential Fuzzing Frameworkto Detect DPI Elusion Strategies for QUIC", author = "Reen, Gaganjeet Singh and Rossow, Christian", booktitle="{Annual Computer Security Applications Conference (ACSAC)}", year="2020", }

Usage metrics


    No categories selected


    Ref. manager