automatic network protocol analysis
play

Automatic Network Protocol Analysis Gilbert Wondracek, Paolo Milani - PowerPoint PPT Presentation

Feb 09, 2023 •317 likes •606 views

Secure Systems Lab Technical University Vienna Automatic Network Protocol Analysis Gilbert Wondracek, Paolo Milani Comparetti, Christopher Kruegel and Engin Kirda pmilani@ sssup.it gilbert@ seclab.tuwien.ac.at chris@ cs.ucsb.edu engin.kirda@

  1. Secure Systems Lab Technical University Vienna Automatic Network Protocol Analysis Gilbert Wondracek, Paolo Milani Comparetti, Christopher Kruegel and Engin Kirda pmilani@ sssup.it gilbert@ seclab.tuwien.ac.at chris@ cs.ucsb.edu engin.kirda@ eurecom.fr

  2. Reverse Engineering Network Protocols Secure Systems Lab Technical University Vienna • Find out what application-layer “language” is spoken by a server implementation – Message formats – Protocol state machine • Slow manual process • Do it automatically! Automatic Network Protocol Analysis

  3. Reverse Engineering Network Protocols: Security Applications Secure Systems Lab Technical University Vienna • Black-box fuzzing • Deep packet inspection • Intrusion detection • Reveal differences in server implementations – server fingerprinting – testing/auditing Automatic Network Protocol Analysis

  4. Reverse Engineering Network Protocols: Sources of Information Secure Systems Lab Technical University Vienna • Network traces – limited information (no semantics) • Server binaries – static analysis – dynamic analysis Automatic Network Protocol Analysis

  5. Our approach Secure Systems Lab Technical University Vienna • Mostly dynamic analysis (+ static analysis) • Use dynamic taint analysis to observe the data flow • Observe how the program processes (parses) input messages • Analyze individual messages • Generalize to a message format for messages of a given type (i.e. HTTP get, NFS lookup..) • Classification of messages into types is currently done manually Automatic Network Protocol Analysis

  6. Dynamic taint analysis environment server client Execution traces Execution for individual messages trace Tree of fields analysis Message format ? alignment/ generalization or Automatic Network Protocol Analysis

  7. Dynamic Taint Analysis Secure Systems Lab Technical University Vienna • Run unmodified binary in a monitored environment (based on qemu, valgrind, ptrace..) • Assign a unique label to each byte of network input • Propagate the labels in shadow memory – for each instruction, assign labels of input to output destinations – also track address dependencies (example: lookup table-based toupper() function) Automatic Network Protocol Analysis

  8. Label Input: \r \n G E T / H T T P / 1 . 0 \r \n 16 17 0 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 Propagate Labels: BL EAX push %esi push %ebx G mov (%eax),%bl sub $0x1,%ecx 0 c G E 0 1 Tainted data affects program flow: cmp $0x0a,%bl je 93 Is (something derived from) byte 0 equal to '\n'? Automatic Network Protocol Analysis

  9. Message Format Analysis Secure Systems Lab Technical University Vienna • Structure-forming semantics – enough information to parse a message out of a network data flow – variation between messages • Additional semantics – keywords, file names, session ids,.. Automatic Network Protocol Analysis

  10. Structure-Forming Semantics Secure Systems Lab Technical University Vienna • Length fields – and corresponding target fields, padding • Delimiter fields – and corresponding scope fields • Hierarchical structure Automatic Network Protocol Analysis

  11. Detecting Length Fields (1/2) Secure Systems Lab Technical University Vienna • Length fields are used to control a loop over input data • Leverage static analysis to detect loops • Look for loops where an exit condition tests the same taint labels on every iteration • Need at least 2 iterations Automatic Network Protocol Analysis

  12. Detecting Length Fields (2/2) Secure Systems Lab Technical University Vienna • The tricky part is detecting the target field! • Look at labels touched inside length loop • Remove labels touched in all iterations • May need to merge multiple loops (example: memcpy uses 4- byte mov instructions, but may need to move 1-3 bytes individually) • Some bytes may be unused Automatic Network Protocol Analysis

  13. Detecting Delimiters Secure Systems Lab Technical University Vienna • Delimiter is one or more bytes that separate a field or message – Observation: all bytes in the scope of the delimiter are compared against a part of the delimiter • Delimiter field detection – Create a list of taint labels used for comparisons for each byte value, merge consecutive labels into intervals • Intervals indicate delimiter scope, – nesting gives us a hierarchical structure – recursive analysis to “break up” message Automatic Network Protocol Analysis

  14. Automatic Network Protocol Analysis

  15. Additional Semantics Secure Systems Lab Technical University Vienna • Protocol keywords • File names • Echoed fields (session id,cookie,..) • Pointers (to somewhere else in packet) • Unused fields Automatic Network Protocol Analysis

  16. Detecting Keywords Secure Systems Lab Technical University Vienna • A keyword is a sequence of (1 or 2 byte) characters which is tested against a constant value – adjacent characters being successfully compared to non tainted values are merged into a string – take delimiters into account • Ideally, we would want to check it is being tested against values which are hard coded in binary – trace taint from entire binary • Currently, we just check the string (of at least 3 bytes) is present in the binary Automatic Network Protocol Analysis

  17. Generalization (1/3) Secure Systems Lab Technical University Vienna • Message alignment • Based on Needlman-Wunsch • Extended to a hierarchy of fields Automatic Network Protocol Analysis

  18. Generalization (2/3) Secure Systems Lab Technical University Vienna • Needleman-Wunsch ABCDE ABDF • Dynamic programming algorithm for string alignment alignment • Computes alignment which minimizes edit distances A A B B C C D D E E • Also provides edit path A A B B C - D D E F between the strings • Scoring function (for match, generalization mismatch, gap) A A B B C? C D D E|F E Automatic Network Protocol Analysis

  19. Generalization (3/3) Secure Systems Lab Technical University Vienna • Hierarchical Needleman-Wunsch • Operate on a tree of fields, not on a string of bytes • To align two inner nodes (complex fields) recursively call NW on the sequence of child nodes • To align two leaf nodes, take into account field semantics – a length field only matches another length field – a keyword only matches same exact keyword – ... • Simple scoring function: +1 for match, -1 for mismatch or gap Automatic Network Protocol Analysis

  20. Generalization: More Semantics Secure Systems Lab Technical University Vienna • Sets of keywords (i.e. keep-alive OR close ..) • Length field semantics – encoding: endianess – compute target field length T from length L: T=A*L+C • Pointer field semantics – encoding: endianess – offset: relative or absolute – offset value is A*L+C • Repetitions – generalize a? a? to a* Automatic Network Protocol Analysis

  21. Evaluation Secure Systems Lab Technical University Vienna • 7 servers (apache,lighttpd,iacd,sendmail,bind,nfsd,samba) • 6 protocols (http, irc, smtp, dns, nfs, smb) • 14 message types ( – http get – irc nick, user – smtp mail, helo, quit, – dns IPv4 A query – rpc/nfs lookup, getattr, create, write – smb/cifs negotiate protocol request, session setup andX request, tree connect andX request Automatic Network Protocol Analysis

  22. DNS A IPV4 query Session ID + B000100000000 0000010001 2 bytes Sequence Length Target 1 byte A=1,C=0 B: any byte T: any printable ascii byte 0001: constant byte values in hex T Automatic Network Protocol Analysis

  23. Scope HTTP GET line ' ' (space) Scope HTTP/1.1 HTTP/1.1 GET ' ' ' ' '.' Scope '/' Filename '/' + * ? Sequence T T Sequence + + '.' '/' Delimiter Keyword T T Automatic Network Protocol Analysis

  24. Parsing Secure Systems Lab Technical University Vienna • The message format allows us to produce a parser • Successfully parses real-world messages of same type – all structural information was successfully recovered • Rejects negative examples – different message types from same protocol – hand-crafted negative examples Automatic Network Protocol Analysis

  25. Automatic Network Protocol Analysis

  26. Related Work Secure Systems Lab Technical University Vienna • Network traces – M. Beddoe. The Protocol Informatics Project. Toorcon 2004 – C. Leita, K. Mermoud, M. Dacier. ScriptGen: An Automated Script Generation Tool for Honeyd. ACSAC 2005 – W. Cui, V. Paxson, N. Weaver, R. Katz. Protocol-Independent Adaptive Replay of Application Dialog. NDSS 2006 – W.Cui, J.Kannan,H.J.Wang: Discoverer: Automatic Protocol Reverse Engineering from Network Traces • Static and dynamic analysis – J. Newsome, D. Brumley, J. Franklin, and D. Song. Replayer: Automatic Protocol Replay by Binary Analysis. ACM CCS 2006. • Dynamic taint analysis – J. Caballero and D. Song. Polyglot: Automatic Extraction of Protocol Format using Dynamic Binary Analysis. ACM CCS 2007 – Z. Lin, X. Jiang, D. Xu, and X. Zhang. Automatic Protocol Format Reverse Engineering through Context-Aware Monitored Execution. NDSS 2008. Automatic Network Protocol Analysis

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

SCNP: A protocol for automatic, decentralized and scalable IP network configuration T. Delaet

SCNP: A protocol for automatic, decentralized and scalable IP network configuration T. Delaet

Motivation Our Solution Summary SCNP: A protocol for automatic, decentralized and scalable IP network configuration T. Delaet Department of Computer Science K.U.Leuven IFIP/IEEE International Workshop on Self-Managed Systems & Services,

547 views • 18 slides
Automatic Generation of Network protocol gateways David Bromberg, Laurent Rveillre, Julia

Automatic Generation of Network protocol gateways David Bromberg, Laurent Rveillre, Julia

Automatic Generation of Network protocol gateways David Bromberg, Laurent Rveillre, Julia Lawall and Gilles Muller LaBRI University of Bordeaux Ubiquitous environment 2 LaBRI Heterogeneous protocols 3 LaBRI Gateways for providing

671 views • 55 slides
Automatic Discovery of Evasion Vulnerabilities Using Targeted Protocol Fuzzing

Automatic Discovery of Evasion Vulnerabilities Using Targeted Protocol Fuzzing

Automatic Discovery of Evasion Vulnerabilities Using Targeted Protocol Fuzzing antti.levomaki@forcepoint.com opi@forcepoint.com WHO? ANTTI LEVOMKI OLLI-PEKKA NIEMI Research Scientist Director of Research WHAT? NETWORK EVASIONS +

463 views • 18 slides
BotMiner: Clustering Analysis of Network Traffic for Protocol- and Structure-Independent Botnet

BotMiner: Clustering Analysis of Network Traffic for Protocol- and Structure-Independent Botnet

BotMiner: Clustering Analysis of Network Traffic for Protocol- and Structure-Independent Botnet Detection Guofei Gu 1,2 , Roberto Perdisci 3 , Junjie Zhang 1 , and Wenke Lee 1 1 Georgia Tech 3 Damballa, Inc. 2 Texas A&M University 2008-7-31

549 views • 22 slides
Protocol log analysis with constraint programming Mats Carlsson Olga Grinchtein Justin

Protocol log analysis with constraint programming Mats Carlsson Olga Grinchtein Justin

Protocol log analysis with constraint programming Mats Carlsson Olga Grinchtein Justin Pearson Outline Overview LTE Radio Access Network A case study Public Warning System Testing Procedure Protocol log generation

290 views • 16 slides
OpenBSC network-side GSM stack A tool for GSM protocol level security analysis Harald Welte

OpenBSC network-side GSM stack A tool for GSM protocol level security analysis Harald Welte

GSM/3G security Implementing GSM protocols Security analysis Summary OpenBSC network-side GSM stack A tool for GSM protocol level security analysis Harald Welte gnumonks.org gpl-violations.org OpenBSC airprobe.org hmw-consulting.de SSTIC

1.16k views • 34 slides
Protocol Analysis 17-654/17-764 Analysis of Software Artifacts Kevin Bierhoff Take-Aways

Protocol Analysis 17-654/17-764 Analysis of Software Artifacts Kevin Bierhoff Take-Aways

Protocol Analysis 17-654/17-764 Analysis of Software Artifacts Kevin Bierhoff Take-Aways Protocols define temporal ordering of events Can often be captured with state machines Protocol analysis needs to pay attention to

602 views • 33 slides
How to Generate Insight Using Text Network Analysis Dmitry Paranyushkin 1. Cognitive Network

How to Generate Insight Using Text Network Analysis Dmitry Paranyushkin 1. Cognitive Network

How to Generate Insight Using Text Network Analysis Dmitry Paranyushkin 1. Cognitive Network Protocol (draft proposal) data packet the moon is white timestamp sender receiver type: RELATED_TO (:TO) timestamp: ymdhmsms

618 views • 25 slides
Automatic Network Protection Scenarios Using NetFlow Vojt ch Krm ek, Jan Vykopal

Automatic Network Protection Scenarios Using NetFlow Vojt ch Krm ek, Jan Vykopal

Automatic Network Protection Scenarios Using NetFlow Vojt ch Krm ek, Jan Vykopal {krmicek|vykopal}@ics.muni.cz FloCon 2012 January 9-12, Austin, Texas Part I Flow-based Network Protection Krmicek et al. Automatic Network Protection

478 views • 23 slides
1 Use second form Sample Protocol Goals Given set of traces Authenticity: who sent it?

1 Use second form Sample Protocol Goals Given set of traces Authenticity: who sent it?

TECS Week 2005 Analysis Techniques Protocol Verification by the Inductive Method Crypto Protocol Analysis Dolev-Yao Formal Models Computational Models (perfect cryptography) Random oracle Probabilistic process calculi John Mitchell

63 views • 4 slides
Network Protocol Design and Evaluation 04 - Protocol Specification, Part III Stefan Rhrup

Network Protocol Design and Evaluation 04 - Protocol Specification, Part III Stefan Rhrup

Network Protocol Design and Evaluation 04 - Protocol Specification, Part III Stefan Rhrup University of Freiburg Computer Networks and Telematics Summer 2009 Overview In previous parts of this chapter: Modeling behaviour with

773 views • 74 slides
Automatic Translation Error Analysis or how to brute-force through exponential complexity

Automatic Translation Error Analysis or how to brute-force through exponential complexity

Automatic Translation Error Analysis or how to brute-force through exponential complexity algorithms by abusing beam search Mark Fishel, T ATI Feb. 5, 2011, Theory Days at Nelijrve Outline Approaches to MT evaluation Automatic analysis

418 views • 18 slides
Network Protocol Design and Evaluation 04 - Protocol Specification, Part II Stefan Rhrup

Network Protocol Design and Evaluation 04 - Protocol Specification, Part II Stefan Rhrup

Network Protocol Design and Evaluation 04 - Protocol Specification, Part II Stefan Rhrup University of Freiburg Computer Networks and Telematics Summer 2009 Overview In Part I of this chapter: Modeling with state machines and

1.8k views • 126 slides
1 Roscoe 95, Schneider 96, Compositionality Language Approach Abadi-Gordon97

1 Roscoe 95, Schneider 96, Compositionality Language Approach Abadi-Gordon97

Probabilistic Polynomial-Time Standard analysis methods Process Calculus for Security Finite-state analysis Protocol Analysis Easier Dolev-Yao model Symbolic search of protocol runs Proofs of correctness in formal logic

258 views • 7 slides
TCP/IP CIS 218/238 Internet Protocol (IP) The Internet Protocol (IP) is responsible for

TCP/IP CIS 218/238 Internet Protocol (IP) The Internet Protocol (IP) is responsible for

TCP/IP CIS 218/238 Internet Protocol (IP) The Internet Protocol (IP) is responsible for ensuring that data is transferred between two Intenret hosts based on a 32 bit address. To be ROUTABLE, a protocol must specify a NETWORK ADDRESS

899 views • 22 slides
Epistemic Network Analysis Todays Class Epistemic Network Analysis Epistemic Network

Epistemic Network Analysis Todays Class Epistemic Network Analysis Epistemic Network

Week 5 Video 6 Epistemic Network Analysis Todays Class Epistemic Network Analysis Epistemic Network Analysis (ENA) (Shaffer, 2017) Studying relationships between elements in coded data Lots of applications Conference founded

536 views • 30 slides
CO 445H MOBILE PLATFORM SECURITY AND MOBILE PRIVACY Dr. Benjamin Livshits Privacy International

CO 445H MOBILE PLATFORM SECURITY AND MOBILE PRIVACY Dr. Benjamin Livshits Privacy International

CO 445H MOBILE PLATFORM SECURITY AND MOBILE PRIVACY Dr. Benjamin Livshits Privacy International Data Tracking 2 http://privacyinternational.org/feature/2433/i-asked-online-tracking-company-all-my-data-and-heres-what-i-found Two Main Attack

986 views • 63 slides
FlowFence: Prac-cal Data Protec-on for Emerging IoT Applica-on Frameworks Earlence Fernandes,

FlowFence: Prac-cal Data Protec-on for Emerging IoT Applica-on Frameworks Earlence Fernandes,

FlowFence: Prac-cal Data Protec-on for Emerging IoT Applica-on Frameworks Earlence Fernandes, Jus/n Paupore, Amir Rahma/, Daniel Simionato, Mauro Con/, Atul Prakash University of Michigan, University of Padova Published at USENIX Security 2016

468 views • 22 slides
Source Code Analysis for Security through LLVM Lu Zhao HP Fortify lu.zhao@hp.com Static Code

Source Code Analysis for Security through LLVM Lu Zhao HP Fortify lu.zhao@hp.com Static Code

Source Code Analysis for Security through LLVM Lu Zhao HP Fortify lu.zhao@hp.com Static Code Analyzer for Security Static Code Analyzer for Security (HP Fortify SCA) C/C++ Java Vulnerabilities LLVM Language independent Services C/C++ Swift

325 views • 31 slides
SSS12 - HW3: TaintDroid Alexander Georgii-Hemming Cyon Andreas Cederholm Mathias Pedersen

SSS12 - HW3: TaintDroid Alexander Georgii-Hemming Cyon Andreas Cederholm Mathias Pedersen

SSS12 - HW3: TaintDroid Alexander Georgii-Hemming Cyon Andreas Cederholm Mathias Pedersen Magnus Bergman Mattias Uskali Carl Bjrkman Outline - What is TaintDroid? - Why TaintDroid? - Design challenges - Design of TaintDroid -

531 views • 26 slides
Protecting Mobile Devices from Physical Memory Attacks with Targeted Encryption Le Guan , Chen

Protecting Mobile Devices from Physical Memory Attacks with Targeted Encryption Le Guan , Chen

Protecting Mobile Devices from Physical Memory Attacks with Targeted Encryption Le Guan , Chen Cao, Sencun Zhu, Jingqiang Lin, Peng Liu, Yubin Xia, and Bo Luo Why do Physical-space Threats Concern for SmartPhones? Why do Physical-space Threats

318 views • 31 slides
Securing web applications is not nearly as easy! 3 4 5 6

Securing web applications is not nearly as easy! 3 4 5 6

GuardRails GuardRails Web applications are easier to create A Data-Centric Web Application Security Framework than ever! Jonathan Burket, Patrick Mutchler, Michael Weaver, Muzzammil Zaveri, and David Evans University of Virginia

113 views • 8 slides
RIPS RIPS A static source code analyser NDS Seminar for vulnerabilities in PHP scripts A

RIPS RIPS A static source code analyser NDS Seminar for vulnerabilities in PHP scripts A

RIPS RIPS A static source code analyser NDS Seminar for vulnerabilities in PHP scripts A static source code analyser A static source code analyser for vulnerabilities in PHP scripts for vulnerabilities in PHP scripts 1 Johannes Dahse

803 views • 35 slides
Outline 31st IEEE Symposium on Security & Privacy Introduction TaintScope: A

Outline 31st IEEE Symposium on Security & Privacy Introduction TaintScope: A

Outline 31st IEEE Symposium on Security & Privacy Introduction TaintScope: A Checksum-Aware Background Directed Fuzzing Tool for Automatic Motivation Software Vulnerability Detection TaintScope Intuition Tielei Wang 1 ,

427 views • 5 slides

More recommend