Automatic network protocol analysis and vulnerability discovery based on symbolic expression

doi:10.7523/j.issn.1002-1175.2013.02.021

Abstract

Abstract:

Fuzzing is an efficient method for ensuring software security. However, when one tests network-based software using this method, one may obtain unsatisfied results because of lacking the protocol format. To solve this problem, we propose a new protocol analysis technique based on symbolic expression. We use this technique to translate the crucial code into symbolic expressions and accelerate protocol analysis. In addition, we develop a translation framework which contains the function of automatic protocol format analysis and could export the protocol format to Peach platform. Finally, we apply our framework to analyze one target (eyou client) and obtain good results.

Key words: unknown protocol, Fuzzing, symbolic expression, vulnerability discovery

CLC Number:

TP393

LUO Cheng, ZHANG Yu-Qing, WANG Long, LIU Qi-Xu. Automatic network protocol analysis and vulnerability discovery based on symbolic expression[J]. , 2013, 30(2): 278-284.

References

[1] Liu Q X, Zhang Y Q. TFTP vulnerability finding technique based on fuzzing[J]. Computer Communications, 2008, 31(14): 3420-3426.

[2] Beddoe M. The protocol informatics project automating network protocol analysis[EB/OL]. San Diego:Toorcon, 2004[2011-08-11]. http://www.4tphi.net/~awalters/PI/PI_Toorcon.pdf.

[3] Li W M, Zhang A F, Liu J C, et al. An automatic network protocol Fuzz testing and vulnerability discovering method[J]. Chinese Journal of Computers, 2011, 34(2): 242-255(in Chinese).李伟明,张爱芳,刘建财,等.网络协议的自动化模糊测试漏洞挖掘方法[J].计算机学报,2011,34(2):242-255.

[4] Cui W, Kannan J, Wang H J. Discoverer: automatic protocol reverse engineering from network traces[C]//Proceedings of 16th USENIX Security Symposium on USENIX Security Symposium. Boston, MA, USENIX Association, 2007:1-14.

[5] He Y J, Shu H, Xiong X B. Network protocol reverse parsing based on dynamic binary analysis[J]. Computer Engineering, 2010, 36(9): 268-270(in Chinese).何永君, 舒辉, 熊小兵. 基于动态二进制分析的网络协议逆向解析[J]. 计算机工程, 2010, 36(9): 268-270.

[6] Wang Z, Jiang X, Cui W, et al. ReFormat: automatic reverse engineering of encrypted messages[C]//Proceedings of the 14th European Conference on Research in Computer Security.Saint-Malo,France,Springer-Verlag,2009:200-215.

[7] Caballero J, Yin H, Liang Z, et al. Polyglot: automatic extraction of protocol message format using dynamic binary analysis[C]//14th ACM Conference on Computer and Communications Security.Virginia,USA,ACM,2007:317-329.

[8] Comparetti P M, Wondracek G, Kruegel C, et al. prospex: protocol specification extraction[C]//Security and Privacy, 2009 30th IEEE Symposium on. 2009:110-125.

[9] Wondracek G, Comparetti P M, Kruegel C, et al. Automatic Network Protocol Analysis[C]//15th Annual Network and Distributed System Security Symposium. San Diego, 2008:1-18.

[10] Lin Z, Jiang X, Xu D, et al. Automatic protocol format reverse engineering through context-aware monitored execution[C]//15th Annual Network and Distributed System Security Symposium (NDSS 2008). San Diego, 2008:1-17.

[11] Wang L. The design of a network protocol analysis tools[D]. Xi'an:XiDian University, 2011(in Chinese).王龙. 网络协议分析工具的设计与实现[D]. 西安:西安电子科技大学, 2011.

[12] Eddington M. Peach[EB/OL]. Seattle:Deja Vu Security, (2004)[2011-09-12]. http://peachfuzzer.com/.

[13] Amini P. PAIMEI[EB/OL]. USA:OpenRCE.org, 2007[2011-09-23]. http://pedram.redhive.com/PyDbg/docs/.

[14] Needleman S B, Wunsch C D. A general method applicable to the search for similarities in the amino acid sequence of two proteins[J]. Journal of Molecular Biology, 1970, 48(3): 443-496.