minecraft-tunnels-for-covert-communications-entertainment-computing-2025

Ник Пост Дата

tango

Ник	Пост	Дата
tango	Minecraft tunnels for covert communications Nathan Tusing, Jonathan Oakley, Chunpeng Shao, Lu Yu, Richard Brooks https://www.sciencedirect.com/science/article/pii/S1875952125000047 https://github.com/doudoulong/Minecruft-PT MinecruftPT is a censorship circumvention tunnel that uses a steganographic encoding over the Minecraft network protocol; a MinecruftPT session looks like a online game of Minecraft. Minecraft (Java Edition) uses a TCP-based client–server protocol that (in the variant used in this paper) is not encrypted. The Minecraft protocol consists of a sequence of discrete “packets” in both directions. Packets represent actions in the game, such as `player_position` or `spawn_experience_orb`. Every action has an associated set of data fields; MinecruftPT fills these data fields with bytes from its own covert data stream. MinecruftPT seeks to produce a stream of action packets that resemble a human playing the game—to that end, the designers go to some length observing and modeling protocol activity under different gameplay scenarios. The argument for the blocking resistance of the Minecraft protocol is the collateral damage of blocking real game servers. The interface to MinecruftPT is VPN-like, at layer 3. One end of the tunnel sniffs IP packets and encodes them into the tunnel; the other end decodes the IP packets and re-injects them into its local network (the IP packets can then be directed into a SOCKS proxy or similar). On observing a packet, the software encrypts the packet with a shared symmetric key, adds a length prefix, then starts encoding the length-prefixed packet, one byte at a time, into the available data fields of upcoming Minecraft protocol action packets. You can make various applications work with this interface; the paper demonstrates cURL, Firefox, Psiphon, and Tor. It’s not as simple as selecting an action packet that has a high capacity for carrying data and sending it repeatedly. One part of the research is discovering “action sets”, types of protocol packets that can safely convey covert data without resulting in an inconsistent game state. But in addition, you want the sequence and distribution of packets to be plausible. For this, the authors infer hidden Markov models (HMMs) for action sequences, based on recorded transcripts of various kinds of human gameplay (e.g. standing, walking, mining). The HMM determines what next action is likely, given a history of recent past actions. The evaluation uses chi-squared tests for homogeneity and entropy measurements to compare MinecruftPT traffic to normal Minecraft traffic. MinecruftPT can be seen as an extension of “Protocol Proxy: An FTE-based covert channel” by some of the same authors in 2020. It forms part of Nathan Tusing’s 2024 PhD dissertation. Richard Brooks has blog posts in 2020 and 2022 that mention MinecruftPT, as well as a video demonstration. Thanks to the authors for reviewing a draft of this summary.	2025-03-21T01:36:02.317Z

Minecraft tunnels for covert communications
Nathan Tusing, Jonathan Oakley, Chunpeng Shao, Lu Yu, Richard Brooks
https://www.sciencedirect.com/science/article/pii/S1875952125000047
https://github.com/doudoulong/Minecruft-PT

MinecruftPT is a censorship circumvention tunnel that uses a steganographic encoding over the Minecraft network protocol; a MinecruftPT session looks like a online game of Minecraft. Minecraft (Java Edition) uses a TCP-based client–server protocol that (in the variant used in this paper) is not encrypted. The Minecraft protocol consists of a sequence of discrete “packets” in both directions. Packets represent actions in the game, such as player_position or spawn_experience_orb. Every action has an associated set of data fields; MinecruftPT fills these data fields with bytes from its own covert data stream. MinecruftPT seeks to produce a stream of action packets that resemble a human playing the game—to that end, the designers go to some length observing and modeling protocol activity under different gameplay scenarios. The argument for the blocking resistance of the Minecraft protocol is the collateral damage of blocking real game servers.

The interface to MinecruftPT is VPN-like, at layer 3. One end of the tunnel sniffs IP packets and encodes them into the tunnel; the other end decodes the IP packets and re-injects them into its local network (the IP packets can then be directed into a SOCKS proxy or similar). On observing a packet, the software encrypts the packet with a shared symmetric key, adds a length prefix, then starts encoding the length-prefixed packet, one byte at a time, into the available data fields of upcoming Minecraft protocol action packets. You can make various applications work with this interface; the paper demonstrates cURL, Firefox, Psiphon, and Tor.

It’s not as simple as selecting an action packet that has a high capacity for carrying data and sending it repeatedly. One part of the research is discovering “action sets”, types of protocol packets that can safely convey covert data without resulting in an inconsistent game state. But in addition, you want the sequence and distribution of packets to be plausible. For this, the authors infer hidden Markov models (HMMs) for action sequences, based on recorded transcripts of various kinds of human gameplay (e.g. standing, walking, mining). The HMM determines what next action is likely, given a history of recent past actions. The evaluation uses chi-squared tests for homogeneity and entropy measurements to compare MinecruftPT traffic to normal Minecraft traffic.

MinecruftPT can be seen as an extension of “Protocol Proxy: An FTE-based covert channel” by some of the same authors in 2020. It forms part of Nathan Tusing’s 2024 PhD dissertation. Richard Brooks has blog posts in 2020 and 2022 that mention MinecruftPT, as well as a video demonstration.

Thanks to the authors for reviewing a draft of this summary.

2025-03-21T01:36:02.317Z