Network Protocol System Fingerprinting - A Formal Approach Guoqiang Shu and David Lee INFOCOM 2006 Speaker: Chang Huan Wu 2008/10/31.


2 Outline – Introduction – A Formal Model – Active and Passive Fingerprinting – Defending Against Malicious Fingerprinting – Conclusions

3 Introduction (1/3) Fingerprinting identifies a specific network protocol implementation by analyzing its input/output behavior. Uses: – facilitating network management (knowing which stacks are deployed) – for an attacker, exploiting vulnerabilities that exist only in certain implementations

4 Introduction (2/3) Most network protocols are not specified completely and deterministically: – optional features – behavior left unspecified under some circumstances Implementations resolve these choices differently, and those differences are what a fingerprint captures.

5 Introduction (3/3) Goal: identify which implementation a target runs by analyzing its input/output behavior. – Active: send predetermined input sequences to probe the target host and observe the responses – Passive: observe a trace of input/output messages to and from the target host without disrupting its normal operation

6 A Formal Model (1/4) A Parameterized Extended Finite State Machine (PEFSM) is a 6-tuple M = (S, S_init, I, O, X, T): – S: a finite set of states – S_init: the initial state – I = {i_0, i_1, …, i_{p-1}}: the input alphabet; each input symbol carries a vector of parameter values – O = {o_0, o_1, …, o_{q-1}}: the output alphabet – X: a finite set of variables with default initial values

7 A Formal Model (2/4) – T: a finite set of transitions. A transition t ∈ T is a tuple t = (s, s', i, o, P(X, i), A(X, i, o)) where: s / s': start state / end state; i and o: input / output symbols with parameters; P: a predicate (guard) over the variables and the input parameters; A: an action on the variables, computed from the current variable values and the input and output parameter values. [Figure: example of a PEFSM transition]

8 [Figure: PEFSM model of a simplified TCP Tahoe implementation; state variables, guards and actions of the transitions are omitted. States: initial state (SYN), slow start (SS), congestion avoidance (CA), retransmission (REX), finish (Fin). Each transition is labelled with its name and its input / output.]

9 A Formal Model (3/4) Given a candidate group of implementation machines C = {M_1, M_2, …, M_k}, a test sequence seq separates M_i and M_j if, taking seq as input, M_i and M_j produce different output sequences. A fingerprinting set F for a candidate group C is a set of test sequences such that for each pair of machines in C, F contains a sequence that separates them.

10 A Formal Model (4/4) Given a candidate group, the goal of – active fingerprinting: construct a fingerprinting set, then probe the target with it – passive fingerprinting: decide whether a specific candidate could have generated an observed trace

11 Active Fingerprinting Algorithm 1 generates a sequence that separates two candidates. Algorithm 2 generates the fingerprinting set by refining a partition of the candidate group: Partition = { {M_1, M_2, M_3, M_4} }. M_1 and M_3 can be separated by T_1; use T_1 to split {M_1, M_2, M_3, M_4} by their responses, giving Partition = { {M_1, M_4}, {M_2, M_3} }. M_1 and M_4 can be separated by T_2; use T_2 to split {M_1, M_4} and {M_2, M_3}. Continue until every set in the partition has only one element. If T_2 separates both {M_1, M_4} and {M_2, M_3}, Partition = { {M_1}, {M_2}, {M_3}, {M_4} } and the fingerprinting set is {T_1, T_2}.
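The two algorithms of slide 11 in runnable form, as an added example rather than code from Shu and Lee's paper. The PEFSM is simplified to a deterministic Mealy machine (variables, guards and parameters are dropped), so a separating sequence can be found by breadth-first search over the product of two machines, and the fingerprinting set is built by the partition refinement the slide walks through. The four candidate stacks, the input symbols syn/probe/fin and the reply names are constructed for illustration and are not from the paper; an input a machine does not specify is treated as dropped with no reply, which is the "unspecified behavior" the paper relies on.

```python
from collections import deque

# Added example, not code from Shu & Lee's paper. The PEFSM is simplified to a
# deterministic Mealy machine (variables, guards and parameters dropped):
#   {state: {input: (output, next_state)}}
# Candidate names, inputs and outputs below are assumptions for illustration.

UNSPEC = "-"  # no reply seen (dropped); also the behavior for an unspecified input


def step(machine, state, sym):
    """One transition. An input the machine does not specify is dropped
    (self-loop, no output): the unspecified behavior the paper exploits."""
    return machine.get(state, {}).get(sym, (UNSPEC, state))


def run(machine, seq, start="closed"):
    """Output sequence of `machine` for input sequence `seq` from `start`."""
    state, outs = start, []
    for sym in seq:
        out, state = step(machine, state, sym)
        outs.append(out)
    return tuple(outs)


def separates(mi, mj, seq):
    """Slide 9's definition: seq separates mi and mj if their outputs differ."""
    return run(mi, seq) != run(mj, seq)


def separating_sequence(mi, mj, inputs, start="closed"):
    """Algorithm 1 as a BFS over the product machine: the shortest input
    sequence on which mi and mj produce different outputs, or None if the
    two machines are equivalent (the '*' entries in the paper's router table)."""
    seen = {(start, start)}
    queue = deque([((start, start), ())])
    while queue:
        (si, sj), seq = queue.popleft()
        for sym in inputs:
            oi, ni = step(mi, si, sym)
            oj, nj = step(mj, sj, sym)
            if oi != oj:
                return seq + (sym,)
            if (ni, nj) not in seen:
                seen.add((ni, nj))
                queue.append(((ni, nj), seq + (sym,)))
    return None


def fingerprint_set(candidates, inputs):
    """Algorithm 2: refine the partition of the candidate group with one
    separating sequence at a time until every block is a single machine.
    Returns the sequences used (the fingerprinting set) and the final partition."""
    partition = [list(candidates)]
    fset = []
    while any(len(block) > 1 for block in partition):
        block = next(b for b in partition if len(b) > 1)
        seq = separating_sequence(candidates[block[0]], candidates[block[1]], inputs)
        if seq is None:
            raise ValueError(f"{block[0]} and {block[1]} cannot be separated")
        fset.append(seq)
        refined = []
        for b in partition:          # split every block by its response to seq
            by_output = {}
            for name in b:
                by_output.setdefault(run(candidates[name], seq), []).append(name)
            refined.extend(by_output.values())
        partition = refined
    return fset, partition


def identify(candidates, fset, target):
    """Active fingerprinting: send every sequence of the fingerprinting set to
    `target` and return the candidates whose responses match on all of them."""
    observed = [run(target, seq) for seq in fset]
    return [name for name, m in candidates.items()
            if [run(m, seq) for seq in fset] == observed]


def stack(probe_reply, fin_reply):
    """Constructed TCP-like stack: implementations differ only in the reply
    to an odd probe in the open state and in how they acknowledge a FIN."""
    return {
        "closed": {"syn": ("synack", "open")},
        "open": {"probe": (probe_reply, "open"), "fin": (fin_reply, "closed")},
    }


INPUTS = ["syn", "probe", "fin"]
CANDIDATES = {
    "M1": stack("rst", "finack"),
    "M2": stack(UNSPEC, "finack"),
    "M3": stack(UNSPEC, "ack"),
    "M4": stack("rst", "ack"),
}

if __name__ == "__main__":
    fset, partition = fingerprint_set(CANDIDATES, INPUTS)
    print("fingerprinting set:", fset)     # [('syn', 'probe'), ('syn', 'fin')]
    print("final partition:", partition)   # [['M1'], ['M4'], ['M2'], ['M3']]
    print("unknown host identified as:", identify(CANDIDATES, fset, CANDIDATES["M3"]))
```

With these candidates the run reproduces the slide: T_1 = (syn, probe) splits the group into {M1, M4} and {M2, M3}, and T_2 = (syn, fin) splits both blocks into singletons. Two candidates that `separating_sequence` cannot tell apart raise an error, which is the situation the paper marks with "*" in its Nmap router table.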

12 Active Fingerprinting using Nmap Tests (1/3) Nmap identifies a TCP stack implementation using nine test sequences. Its fingerprint database stores the encoded responses to those test sequences for more than 1300 implementations.

13 Active Fingerprinting using Nmap Tests (2/3) Fig. 3 shows the PEFSM input/output behavior of two implementations from the Nmap database. Every Nmap test except T_3 can serve as a separating sequence for these two machines.

14 Active Fingerprinting using Nmap Tests (3/3) Example: the subset {Tseq, T1, T2, T3, PU} of the Nmap tests separates every implementation in the Router category. A "*" entry means no exact fingerprinting set exists for that category, i.e. some pair of implementations in it cannot be separated by the Nmap tests.

15 Passive Fingerprinting (1/2) The TCP Behavior Inference Tool (TBIT) is used to generate specific traffic, and the resulting trace is recorded. Each input/output pair observed in the trace is replayed against every candidate machine; if a candidate has no transition matching an observed pair, that candidate cannot have generated the trace and is eliminated.

16 Passive Fingerprinting (2/2) Legend: NF: NoFR, T: Tahoe, R: Reno, NR: NewReno. After the duplicate acknowledgement ACK[12] has been sent four times, the trace shows a fast retransmission without a timeout, which eliminates the candidates that would have waited for the timeout.

17 Defending Against Malicious Fingerprinting (1/5) Two defenses: scrubbing and camouflage. One important principle: the modification must be transparent to all regular users of the protocol.

18 Defending Against Malicious Fingerprinting (2/5) Scrubbing: when receiving I_3, discard it, so the implementation-specific response is never sent. The grey circle represents the set of common users, i.e. the behavior every regular user relies on.

19 Defending Against Malicious Fingerprinting (3/5) Camouflage: when receiving I_3, respond with O_4 instead of O_3, imitating another implementation. The grey circle represents the union of all user sets: regular users accept the trace of any implementation.

20 Defending Against Malicious Fingerprinting (4/5) Neither scrubbing nor camouflage is effective when the grey circle represents only the T_1 user set: regular users expect exactly the trace of the T_1 implementation, so neither dropping I_3 nor answering it differently is transparent.

21 Defending Against Malicious Fingerprinting (5/5) Follow the maximum overlapping subset: at each input, send the response shared by the largest set of implementations still consistent with the trace, until only one implementation remains possible. When receiving I_3, respond with O_3 because it is produced by both M_1 and M_3. The grey circle represents the union of all user sets.
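Passive fingerprinting (slide 15) and the camouflage strategy of slide 21 side by side, as an added example that is not code from the paper. It uses the same simplified machine model as the active example (deterministic machines without PEFSM variables or guards). The observer replays each (input, output) pair of a trace against every candidate and drops the candidates that cannot produce it; the camouflaged host answers each input with the output shared by the largest subset of the candidates still consistent with what it has sent so far, which is my reading of "follow the maximum overlapping subset". The five candidate stacks, the probe symbols and the reply names are constructed, and the example assumes slide 19's situation, in which regular users accept the trace of any candidate, so substituting another implementation's reply stays transparent.

```python
# Added example, not code from Shu & Lee's paper. Same simplified model as the
# active-fingerprinting example: deterministic machines written as
#   {state: {input: (output, next_state)}}
# without PEFSM variables or guards. Names, inputs and outputs are assumptions.

UNSPEC = "-"  # no reply observed; an unspecified input is dropped (self-loop)


def step(machine, state, sym):
    return machine.get(state, {}).get(sym, (UNSPEC, state))


def consistent(machine, trace, start="closed"):
    """Passive fingerprinting: replay the observed (input, output) pairs against
    one candidate. The first pair the candidate cannot produce from its current
    state rules it out as the source of the trace."""
    state = start
    for sym, observed in trace:
        out, state = step(machine, state, sym)
        if out != observed:
            return False
    return True


def passive_fingerprint(candidates, trace):
    """Candidates that could have generated the whole trace."""
    return [name for name, m in candidates.items() if consistent(m, trace)]


def trace_of(machine, inputs, start="closed"):
    """What a sniffer records from an honest `machine` fed `inputs`."""
    state, trace = start, []
    for sym in inputs:
        out, state = step(machine, state, sym)
        trace.append((sym, out))
    return trace


class Camouflage:
    """Slide 21's defence: answer each input with the output shared by the
    largest subset of the candidates still consistent with what has been sent
    so far, so a passive observer's candidate set shrinks as slowly as possible."""

    def __init__(self, candidates, start="closed"):
        self.machines = candidates
        self.states = {name: start for name in candidates}
        self.live = list(candidates)   # list, not set: deterministic tie-breaking

    def respond(self, sym):
        votes, nxt = {}, {}            # output -> candidates that would emit it
        for name in self.live:
            out, state = step(self.machines[name], self.states[name], sym)
            votes.setdefault(out, []).append(name)
            nxt[name] = state
        out, group = max(votes.items(), key=lambda kv: len(kv[1]))  # max overlap
        self.live = group              # only these remain consistent with our trace
        for name in group:
            self.states[name] = nxt[name]
        return out


def camouflaged_trace(candidates, inputs):
    """Trace a sniffer records from a host answering through Camouflage."""
    cam = Camouflage(candidates)
    return [(sym, cam.respond(sym)) for sym in inputs]


def stack(probe_reply, fin_reply):
    """Constructed TCP-like stack; candidates differ only in two replies."""
    return {
        "closed": {"syn": ("synack", "open")},
        "open": {"probe": (probe_reply, "open"), "fin": (fin_reply, "closed")},
    }


CANDIDATES = {
    "M1": stack("rst", "finack"),
    "M2": stack(UNSPEC, "finack"),
    "M3": stack(UNSPEC, "ack"),
    "M4": stack("rst", "ack"),
    "M5": stack(UNSPEC, UNSPEC),
}
PROBES = ["syn", "probe", "fin"]   # constructed traffic, as TBIT would generate

if __name__ == "__main__":
    honest = trace_of(CANDIDATES["M1"], PROBES)
    print("honest M1 trace", honest, "->", passive_fingerprint(CANDIDATES, honest))
    print("after two packets ->", passive_fingerprint(CANDIDATES, honest[:2]))
    hidden = camouflaged_trace(CANDIDATES, PROBES)
    print("camouflaged trace", hidden, "->", passive_fingerprint(CANDIDATES, hidden))
```

The honest M1 host is narrowed to {M1, M4} after the probe and to {M1} after the FIN. The camouflaged host drops the probe, because three of the five candidates do, and is eventually identified as M2: the observer still converges on a single implementation, as slide 21 says, but on the wrong one, and only because every candidate's replies are acceptable to regular users here. Under slide 20's assumption (users expect exactly one implementation's trace) the substituted replies would break them, which is the transparency check to run before deploying either defence.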

22 Conclusion – Proposed a formal approach to fingerprinting – Use PEFSM to model protocol implementations – Proposed algorithms for active and passive fingerprinting

23 Comments – General and automated method – A huge database (like the Nmap database) is needed – How to construct the PEFSM for each implementation?

