
Just add WATER: WebAssembly-based Circumvention Transports

Erik Chi, Gaukas Wang, J. Alex Halderman, Eric Wustrow, Jack Wampler

TL;DR

This paper addresses the deployment bottlenecks in rapidly evolving Internet censorship circumvention by introducing WATER, a WebAssembly-based framework that uses transport-specific WebAssembly Transport Modules (WATMs) loaded by a WATER runtime. The core idea is to decouple transport logic from the host application, enabling out-of-band updates and cross-language interoperability via WASI-compatible WASM binaries. The authors implement a WATER runtime in Go and Rust, and provide several WATMs (plain, reverse, and shadowsocks) including a real Shadowsocks client patched to counter blocking, demonstrating both feasibility and performance trade-offs. Empirical evaluation shows that plain transports incur modest overhead relative to native, while cryptographic operations in WASM introduce noticeable latency and lower throughput, with crypto acceleration expected to improve results; overall WATER offers significant potential for rapid, interoperable deployment of new circumvention techniques. The work highlights the practical impact of WASM in censorship circumvention by enabling reusable, cross-tool transport modules and reducing the need for full app redeployments, which can accelerate responses to evolving blocking tactics.

Abstract

As Internet censors rapidly evolve new blocking techniques, circumvention tools must also adapt and roll out new strategies to remain unblocked. But new strategies can be time-consuming for circumventors to develop and deploy, and an update to one tool often requires significant additional effort to be ported to others. Moreover, distributing the updated application across different platforms poses its own set of challenges. In this paper, we introduce WATER (WebAssembly Transport Executables Runtime), a novel design that enables applications to use a WebAssembly-based application-layer (e.g., TLS) to wrap network connections and provide network transports. Deploying a new circumvention technique with WATER only requires distributing the WebAssembly Transport Module (WATM) binary and any transport-specific configuration, allowing dynamic transport updates without any change to the application itself. WATMs are also designed to be generic such that different applications using WATER can use the same WATM to rapidly deploy successful circumvention techniques to their own users, facilitating rapid interoperability between independent circumvention tools.

Paper Structure (30 sections, 4 figures, 6 tables)

Figures (4)

  • Figure 1: The overview of WATER's role in action. With transport specs defined by .wasm files distributed out-of-band, WATER can efficiently switch between transports to use.
  • Figure 2: Example connection establishment flows of a traditional client (Dialer) and server (Listener), each using a WATER transport. The dialer actively connects to a remote host upon request by the caller, with the WATER network interface internally managing sockets and IO, allowing the WATM to transform the byte stream. Similarly, the listener accepts incoming connections, allowing the WATM to attempt a handshake with the remote host before firing an accept hook that passes the plaintext end to an upstream handler.
  • Figure 3: Latency & Throughput Comparison with Vanilla-SS at Different Packet Sizes
  • Figure 4: Step-by-step workflow of WATER when a new connection is dialed using WATER API by an integrating application.