Subverting Stateful Firewalls with Protocol States (Extended Version). (arXiv:2112.09604v4 [cs.CR] UPDATED)

We analyzed the generation of protocol header fields in the implementations
of multiple TCP/IP network stacks and found new ways to leak information about
global protocol states. We then demonstrated new covert channels by remotely
observing and modifying the system's global state via these protocol fields.
Unlike earlier works, our research focuses on hosts that reside in firewalled
networks (including source address validation -- SAV), which is a very common
scenario nowadays. Our attacks are designed to be non-disruptive -- …

firewalls states version