Automatic Protocol Format Reverse Engineering through Context-Aware Monitored Execution.

Authors: Xuxian Jiang, Dongyan Xu, Zhiqiang Lin, Xiangyu Zhang

DOI:

Keywords: Computer science, Byte, Reverse engineering, Dynamic Host Configuration Protocol, Call stack, Offset (computer science), Open Shortest Path First, Operating system, Binary number, Malware

Abstract: Protocol reverse engineering has often been a manual process that is considered time-consuming, tedious and error-prone. To address this limitation, a number of solutions have recently been proposed to allow for automatic protocol reverse engineering. Unfortunately, they are either limited in extracting protocol fields, due to the lack of program semantics in network traces, or primitive, in that they only reveal the flat structure of a protocol format. In this paper, we present a system called AutoFormat that aims not only at extracting protocol fields with high accuracy, but also at revealing the inherently "non-flat", hierarchical structure of protocol messages. AutoFormat is based on the key insight that different fields of the same message are typically handled in different execution contexts (e.g., different runtime call stacks). As such, by monitoring the program's execution, we can collect the execution context of every message byte (annotated with its offset in the entire message) and cluster the bytes to derive the protocol format. We evaluated our system with more than 30 messages from seven protocols, including two text-based protocols (HTTP and SIP), three binary-based protocols (DHCP, RIP and OSPF), one hybrid protocol (CIFS/SMB), as well as one unknown protocol used by real-world malware. Our results show that AutoFormat can not only identify individual message fields automatically and with high accuracy (an average 93.4% match ratio compared with Wireshark), but also unveil the structure of the protocol format by revealing the possible relations (e.g., sequential, parallel and hierarchical) among the message fields.

*Part of this research was supported by the National Science Foundation under grants CNS-0716376 and CNS-0716444. The bulk of the work was performed while the first author was visiting George Mason University in Summer 2007.
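The core mechanism described in the abstract (annotate every message byte with the execution context that reads it, then cluster contiguous bytes by shared call-stack prefixes to recover fields and their nesting) is illustrated below as an added example; it is not AutoFormat's code and not taken from the paper. The Python call stack, captured with sys._getframe, stands in for the runtime call stack of a binary, and source line numbers stand in for the return addresses and the address of the reading instruction. The toy protocol (a 1-byte type, a 2-byte length, then tag/length/value options), its parser, the SAMPLE message and the GROUND_TRUTH field list are all constructed here; the ground truth plays the role that Wireshark's dissector plays in the paper's match-ratio evaluation.

```python
import sys

# Constructed sample message (not from the paper): 1-byte type, 2-byte big-endian
# total length, then TLV options of 1-byte tag, 1-byte length, value.
SAMPLE = bytes([0x01, 0x00, 0x0C,              # type=1, total length=12
                0x05, 0x03, 0x61, 0x62, 0x63,  # option 5, len 3, "abc"
                0x07, 0x02, 0x78, 0x79])       # option 7, len 2, "xy"

# Constructed ground truth (offset, length) of every field, in the role that
# Wireshark's dissector plays in the paper's evaluation.
GROUND_TRUTH = [(0, 1), (1, 2), (3, 1), (4, 1), (5, 3), (8, 1), (9, 1), (10, 2)]


def execution_context():
    """Call stack of the parser as a tuple of (function, line) pairs, outermost
    first. Only parse_* frames are kept; line numbers stand in for the return
    addresses (and the reading instruction's address) that the paper records."""
    ctx, f = [], sys._getframe(1)
    while f is not None:
        if f.f_code.co_name.startswith("parse_"):
            ctx.append((f.f_code.co_name, f.f_lineno))
        f = f.f_back
    return tuple(reversed(ctx))


class MonitoredMessage:
    """A message buffer that records the execution context of every byte read."""

    def __init__(self, data):
        self.data = data
        self.trace = {}  # offset -> context of the first access to that byte

    def read(self, offset, n):
        ctx = execution_context()
        for off in range(offset, offset + n):
            self.trace.setdefault(off, ctx)
        return self.data[offset:offset + n]


# --- toy protocol implementation under observation (constructed) -------------
def parse_message(msg):
    total = parse_header(msg)
    pos = 3
    while pos < total:
        pos = parse_option(msg, pos)


def parse_header(msg):
    msg.read(0, 1)                                  # field: message type
    return int.from_bytes(msg.read(1, 2), "big")    # field: total length


def parse_option(msg, pos):
    hdr = msg.read(pos, 2)      # tag and length fetched by one access (deliberate)
    parse_value(msg, pos + 2, hdr[1])
    return pos + 2 + hdr[1]


def parse_value(msg, pos, length):
    return msg.read(pos, length)


# --- format inference from the trace -----------------------------------------
def build_tree(trace, depth=0):
    """Cluster contiguous bytes whose contexts agree on the first depth+1 frames,
    then recurse into each cluster until the reading frame itself is reached."""
    entries = sorted(trace.items())
    nodes, i = [], 0
    while i < len(entries):
        key, j = entries[i][1][:depth + 1], i + 1
        while (j < len(entries) and entries[j][1][:depth + 1] == key
               and entries[j][0] == entries[j - 1][0] + 1):
            j += 1
        chunk = entries[i:j]
        is_leaf = len(chunk[0][1]) == depth + 1   # the read happened in this frame
        node = {"func": chunk[0][1][depth if is_leaf else depth + 1][0],
                "start": chunk[0][0], "length": len(chunk), "children": []}
        if not is_leaf:
            node["children"] = build_tree(dict(chunk), depth + 1)
        nodes.append(node)
        i = j
    return nodes


def infer_format(data):
    msg = MonitoredMessage(data)
    parse_message(msg)
    return build_tree(msg.trace)


def leaf_fields(nodes):
    """Flatten the tree to (offset, length, handler) triples of the leaf fields."""
    out = []
    for n in nodes:
        out.extend(leaf_fields(n["children"]) if n["children"]
                   else [(n["start"], n["length"], n["func"])])
    return out


def match_ratio(nodes, truth):
    """Fraction of ground-truth fields recovered with exact boundaries."""
    found = {(s, l) for s, l, _ in leaf_fields(nodes)}
    return sum(1 for f in truth if f in found) / len(truth)


def render(nodes, indent=0):
    for n in nodes:
        print(f"{'  ' * indent}{n['func']:<13} offset={n['start']:<2} len={n['length']}")
        render(n["children"], indent + 1)


if __name__ == "__main__":
    tree = infer_format(SAMPLE)
    render(tree)
    print(f"match ratio vs. ground truth: {match_ratio(tree, GROUND_TRUTH):.2f}")
```

Two things the run makes visible that the abstract only states. First, the hierarchy falls out of the call-stack prefixes: the header bytes and the option bytes form two top-level regions because they were reached through different call sites in parse_message, and each option's value is nested under parse_value. Second, recovered field boundaries follow the implementation's access pattern, not the specification: because parse_option fetches the tag and length bytes with a single read, they are merged into one 2-byte field, and the match ratio against the constructed ground truth drops to 0.5. Note also that all iterations of the option loop share the same return addresses, so the loop collapses into one region containing a sequence of sibling fields rather than one node per option; per-option grouping needs additional evidence (for example, dispatch to distinct handlers per tag).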

References (25)
Zhenkai Liang, Juan Caballero, Dawn Song, David Brumley, James Newsome. Towards automatic discovery of deviations in binary implementations with applications to error detection and fingerprint generation. USENIX Security Symposium, pp. 15-, 2007.
Engin Kirda, Christopher Krügel, Nenad Jovanovic, Giovanni Vigna, Philipp Vogt, Florian Nentwich. Cross Site Scripting Prevention with Dynamic Data Tainting and Static Analysis. Network and Distributed System Security Symposium (NDSS), 2007.
John Dunagan, Pallavi Joshi, Helen J. Wang, Nikita Borisov, David Brumley, Chuanxiong Guo. Generic Application-Level Protocol Analyzer and its Language. Network and Distributed System Security Symposium (NDSS), pp. 15-, 2007.
Vern Paxson, Weidong Cui, Nicholas Weaver, Randy H. Katz. Protocol-Independent Adaptive Replay of Application Dialog. Network and Distributed System Security Symposium (NDSS), 2006.
Tal Garfinkel, Mendel Rosenblum, Kevin Christopher, Ben Pfaff, Jim Chow. Understanding data lifetime via whole system simulation. USENIX Security Symposium, p. 22, 2004.
Vern Paxson. Bro: a system for detecting network intruders in real-time. Computer Networks, vol. 31, pp. 2435-2463, 1999. doi:10.1016/S1389-1286(99)00112-7
Weidong Cui, Helen J. Wang, Jayanthkumar Kannan. Discoverer: automatic protocol reverse engineering from network traces. USENIX Security Symposium, pp. 14-, 2007.
Xuxian Jiang, Dongyan Xu, Helen J. Wang, Eugene H. Spafford. Virtual Playgrounds for Worm Behavior Investigation. Lecture Notes in Computer Science, pp. 1-21, 2006. doi:10.1007/11663812_1
Corrado Leita, Marc Dacier, Frederic Massicotte. Automatic Handling of Protocol Dependencies and Reaction to 0-Day Attacks with ScriptGen Based Honeypots. Lecture Notes in Computer Science, pp. 185-205, 2006. doi:10.1007/11856214_10
XiaoFeng Wang, Zhuowei Li, Jun Xu, Michael K. Reiter, Chongkyung Kil, Jong Youl Choi. Packet vaccine. Proceedings of the 13th ACM Conference on Computer and Communications Security (CCS '06), pp. 37-46, 2006. doi:10.1145/1180405.1180412