Presentation is loading. Please wait.

Presentation is loading. Please wait.

Automatic Network Protocol Analysis

Published byChristina Doyle Modified over 6 years ago

Similar presentations

Presentation on theme: "Automatic Network Protocol Analysis"— Presentation transcript:

1 Automatic Network Protocol Analysis
Gilbert Wondracek, Paolo Milani Comparetti, Christopher Kruegel, and Engin Kirda NDSS 2008 Speaker: Chang Huan Wu 2009/2/17

2 Outline Introduction Protocol Analysis Evaluation Conclusions
Analysis of a Single Message Analysis of Multiple Messages Evaluation Conclusions

3 Introduction (1/3) Protocol reverse engineering is the process of extracting application-level protocol specifications Especially for closed protocols Security applications Black-box testing for protocol programs Deep packet inspection Reveal differences in server implementations

4 Introduction (2/3) Manual protocol analysis is time-consuming
Only very popular protocols such as SMB can be justified => Automatically analysis

5 Introduction (3/3) Existing automatic approach
Input a binary program and outputs the set of inputs that this program accepts Unable to determine the complete set of inputs Low scalability Input network traffic trace Limited precision

6 Goal Focus on determining the format specification of a certain type of message first

7 Approach Use dynamic taint analysis to observe the data flow
Observe how the program processes input messages Analyze individual messages Generalize to a message format by messages of a given type

8 Dynamic Taint Analysis
Assign a unique label to each byte of network input Monitor the program, and analyze which byte is processed by which instruction (e.g., mov, sub)

9

10 Analysis of a Single Message - Finding delimiters
Delimiter is one or more bytes that separate a field or message Record all operations that compare a tainted input byte with an untainted value Traverse each list and check consecutive labels Ex. Compares the first three bytes with ‘a’, and the fourth byte with ’b’ char Label list a 0, 1, 2 b 3 Message H A B C Label 1 2 3

11 Analysis of a Single Message - Scopes and delimiter hierarchy
Scope fields: A certain delimiter can be present multiple times in the scope field Delimited fields: A certain delimiter present once in the delimited field A delimited field can itself be a scope field for another character A hierarchy of fields reflects nested scopes

12

13 Analysis of a Single Message - Identifying length fields
A length field is a number of bytes that store the length of another field (target field) Use static analysis to detect loops Look for loops where an exit condition tests the same labels on every iteration => Length field candidate

14 Analysis of a Single Message - Identifying target fields
For each length field candidate, look at labels that is “touched” inside the loop Remove labels touched in all iterations Because those bytes are independent of the current loop iteration

15 Analysis of a Single Message - Extracting additional information
Protocol keywords Compare input data with constant string File names Argument of a system call that opens or creates files Echoed fields Pointers (to somewhere else in packet) Unused fields

16 Analysis of Multiple Messages – Generalization (1/3)
Message alignment Based on Needlman-Wunsch algorithm Extended to a hierarchy of fields

17 Analysis of Multiple Messages – Generalization (2/3)
Operate on a tree of fields, not on a string of bytes To align two inner nodes, recursively call NW on the sequence of child nodes To align two leaf nodes, take into account field semantics Repetition detection Merge two or more consecutive, optional nodes into a single repetition node

18 Analysis of Multiple Messages – Generalization (3/3)

19 Evaluation (1/4)

20 Evaluation (2/4)

21 Evaluation (3/4) The results in these tables were obtained by manually comparing our specifications with official RFC documents and with Wireshark output Most of the fields were correctly identified Parsing another set of messages by generated specifications succeeded

22 Evaluation (4/4)

23 Conclusion Introduced a novel approach to automatic protocol reverse engineering Tested on common servers and protocols

24 Comments Automatically generate high-precision protocol specification
Generated specification may be affected by program implementation

Download ppt "Automatic Network Protocol Analysis"

Similar presentations

Introduction to C Programming

Introduction to C Programming
Semantic Analysis and Symbol Tables

Semantic Analysis and Symbol Tables
Some Properties of SSA Mooly Sagiv. Outline Why is it called Static Single Assignment form What does it buy us? How much does it cost us? Open questions.

Some Properties of SSA Mooly Sagiv. Outline Why is it called Static Single Assignment form What does it buy us? How much does it cost us? Open questions.
By Philipp Vogt, Florian Nentwich, Nenad Jovanovic, Engin Kirda, Christopher Kruegel, and Giovanni Vigna Network and Distributed System Security(NDSS ‘07)

By Philipp Vogt, Florian Nentwich, Nenad Jovanovic, Engin Kirda, Christopher Kruegel, and Giovanni Vigna Network and Distributed System Security(NDSS ‘07)
Effective and Efficient Malware Detection at the End Host Clemens Kolbitsch, Paolo Milani TU Vienna Christopher UCSB Engin Kirda.

Effective and Efficient Malware Detection at the End Host Clemens Kolbitsch, Paolo Milani TU Vienna Christopher UCSB Engin Kirda.
IS 1181 IS 118 Introduction to Development Tools VB Chapter 06.

IS 1181 IS 118 Introduction to Development Tools VB Chapter 06.
Program Design and Development

Program Design and Development
Chapter 3 Program translation1 Chapt. 3 Language Translation Syntax and Semantics Translation phases Formal translation models.

Chapter 3 Program translation1 Chapt. 3 Language Translation Syntax and Semantics Translation phases Formal translation models.
Cs164 Prof. Bodik, Fall 20041 Symbol Tables and Static Checks Lecture 14.

Cs164 Prof. Bodik, Fall Symbol Tables and Static Checks Lecture 14.
1 Compression Techniques to Simplify the Analysis of Large Execution Traces Abdelwahab Hamou-Lhadj and Dr. Timothy C. Lethbridge {ahamou,

1 Compression Techniques to Simplify the Analysis of Large Execution Traces Abdelwahab Hamou-Lhadj and Dr. Timothy C. Lethbridge {ahamou,
Programming by Example using Least General Generalizations Mohammad Raza, Sumit Gulwani & Natasa Milic-Frayling Microsoft Research.

Programming by Example using Least General Generalizations Mohammad Raza, Sumit Gulwani & Natasa Milic-Frayling Microsoft Research.
SIMULATING A MOBILE PEER-TO-PEER NETWORK Simo Sibakov Department of Communications and Networking (Comnet) Helsinki University of Technology Supervisor:

SIMULATING A MOBILE PEER-TO-PEER NETWORK Simo Sibakov Department of Communications and Networking (Comnet) Helsinki University of Technology Supervisor:
CSE Lectures 22 – Huffman codes

CSE Lectures 22 – Huffman codes
Detection and Resolution of Anomalies in Firewall Policy Rules

Detection and Resolution of Anomalies in Firewall Policy Rules
Reverse Engineering State Machines by Interactive Grammar Inference Neil Walkinshaw, Kirill Bogdanov, Mike Holcombe, Sarah Salahuddin.

Reverse Engineering State Machines by Interactive Grammar Inference Neil Walkinshaw, Kirill Bogdanov, Mike Holcombe, Sarah Salahuddin.
NDSS 2007 Philipp Vogt, Florian Nentwich, Nenad Jovanovic, Engin Kirda, Christopher Kruegel, Giovanni Vigna.

NDSS 2007 Philipp Vogt, Florian Nentwich, Nenad Jovanovic, Engin Kirda, Christopher Kruegel, Giovanni Vigna.
CIS Computer Programming Logic

CIS Computer Programming Logic
1 Chapter 4: Selection Structures. In this chapter, you will learn about: – Selection criteria – The if-else statement – Nested if statements – The switch.

1 Chapter 4: Selection Structures. In this chapter, you will learn about: – Selection criteria – The if-else statement – Nested if statements – The switch.
Discoverer: Automatic Protocol Reverse Engineering from Network Traces Weidong Cui Jayanthkumar Kannan Helen J. Wang Microsoft Research USENIX Security.

Discoverer: Automatic Protocol Reverse Engineering from Network Traces Weidong Cui Jayanthkumar Kannan Helen J. Wang Microsoft Research USENIX Security.
AccessMiner Using System- Centric Models for Malware Protection Andrea Lanzi, Davide Balzarotti, Christopher Kruegel, Mihai Christodorescu and Engin Kirda.

AccessMiner Using System- Centric Models for Malware Protection Andrea Lanzi, Davide Balzarotti, Christopher Kruegel, Mihai Christodorescu and Engin Kirda.

Similar presentations

Ads by Google