语义层次的协议格式提取方法

doi:10.3969/j.issn.1000-436x.2013.10.019

Abstract

Abstract:

Present methods for protocol format extraction analyze the execution traces of programs at syntax level,which leads to redundancy and conflict in the results of fie identification.In order to improve the accuracy of field identifica-tion,a semantic level method was proposed for protocol format extraction.The method firstly translated the binary in-structions into equivalent intermediate language,and tracked the parsing process of field semantics through fine-grained dynamic taint analysis.Further,it extracted otocol format using semantic level policies of field identifica-tion,based on the semantic indivisibility of fields.Experimental results show that the proposed method can achieve high identification accuracy with low complexity.

Key words: protocol reverse engineering, protocol format extraction, dynamic taint analysis, intermediate language

Zheng HONG,Zhen-ji ZHOU,Li-fa WU,Fan PAN. Protocol format extraction at semantic level[J]. Journal on Communications, 2013, 34(10): 162-173.

Figures/Tables 13

序号	汇编指令	污点记录	识别结果
1	mov esi,[esp+019Ch]	$e s i \mapsto {0, 1, 2, 3}$	—
2	and esi,0FFh	$e s i \mapsto {0, 1, 2, 3}$	＜0,3＞
3	lea eax,[esi-1]	$e s i, e a x \mapsto {0, 1, 2, 3}$	＜0,3＞
4	cmp eax,0E2h	$e s i, e a x \mapsto {0, 1, 2, 3}$	＜0,3＞
5	jz loc_527169	$e s i, e a x \mapsto {0, 1, 2, 3}$	—

References 23

[1]	CUI W , KANNAN J , WANG H . Discoverer:automatic protoco re-verse engineering from network traces[A]. The 16th USENIX Security Symposium[C]. Boston,Sheraton,USA, 2007. 199-212.
[2]	李伟明, 张爱芳, 刘建财 ,et al. 基于支持向量机的Internet流量分类研究[J]. 计算机研究与发展, 2009,46(3): 407-414. LI W M , ZHANG A F , LIU J C ,et al. An automatic network protocol fuzz testing and vulnerability discovering method[J]. Chinese Journal of Computers, 2011,34(2): 242-255.
[3]	CABALLERO J , YIN H , LIANG Z ,et al. Polyglot:automatic extrac-tion of protocol format using dynamic binary analysis[A]. ACM CCS[C]. Alexandria,VA,USA, 2007. 317-329.
[4]	CUI W , PEINADO M , CHEN K ,et al. Tupni:automatic reverse engi-neering of input formats[A]. ACM CCS[C]. Alexandria,VA,USA, 2008. 391-402
[5]	CABALLERO J , POOSANKAM P , KREIBICH C ,et al. Dispatcher:enabling active botnet infiltration using automatic protocol Re-verse-engineering[A]. ACM CCS[C]. Chicago,IL,USA, 2009. 621-634.
[6]	COMPARETTI P , WONDRACEK G , KRUEGEL C ,et al. Prospex:protocol specification extraction[A]. IEEE S＆P[C]. Oakland,Califor-nia,USA, 2009. 110-125.
[7]	应凌云, 杨轶, 冯登国 ,等. 恶意软件网络协议的语法和行为语义分析方法[J]. 软件学报, 2011,22(7): 1676-1689. YING L Y , YANG Y , FENG D G ,et al. Syntax and behavior semantics analysis of network protocol of malware[J]. Journal of Software, 2011,22(7): 1676-1689.
[8]	WONDRACEK G , COMPARETTI P , KRUEGEL C ,et al. Automatic network protocol analysis[A]. NDSS[C]. San Diego,Cali nia,USA, 2008. 1-14.
[9]	LIN Z , JIANG X , XU D ,et al. Automatic protocol format reverse engineering through context-aware monitored execution[A]. NDSS[C]. San Diego,California,USA, 2008. 29-43.
[10]	GODEFRIOD P , KIEZUN A , LEVIN M , Grammar-based whitebox fuzzing[J]. ACM SIGPLAN Notices, 2008,43(6): 206-215.
[11]	BRUMLEY D , JAGER I , AVGERINOS T ,et al. BAP:a binary analy-sis platform[A]. ACM CAV[C]. Snowbird,Utah,USA, 2011. 463-369.
[12]	NICHOLAS N . Dynamic Binary Analysis and Instrumentation or Building Tools is Easy[D]. University of Cambridge, 2004.
[13]	EDWARD J , AVGERINOS T , BRUMLEY D . All you ever wanted to know about dynamic taint analysis and forward symbolic execution (but might have been afraid to ask)[A]. IEEE S＆P[C]. Oakland,Cali-fornia,USA, 2010. 317-331.
[14]	王铁磊 . 面向二进制程序的漏洞挖掘关键技术研究[D]. 北京 :北京大学, 2011. WANG T . Research on Binary-Executable-Oriented Software Vulne-rability Detection[D]. Beijing:Peking University, 2011.
[15]	LIN Z , ZHANG X . Deriving input syntactic structure fro execu-tion[A]. ACM SIGSOFT[C]. Atlanta,Georgia,USA, 2008. 83-93.
[16]	YIN H , SONG D . binary code analysis via whole-system layered annotative execution[EB/OL]. , 2010.
[17]	A BDD package[EB/OL]. .
[18]	刘豫, 聂眉宁, 苏璞睿 ,等. 基于可回溯动态污点分析的攻击特征生成方法[J]. 通信学报, 2012,33(5): 21-28. LIU Y , NIE M Y , SU P R ,et al. Attack signature generation by tracea-ble dynamic taint analysis[J]. Journal on Communications, 2012,33(5): 21-28.
[19]	陈恺, 冯登国, 苏璞睿 ,等. 基于彩色污点传播的黑盒测试方法[J]. 中国科学 :信息科学, 2011,41(5): 526-540 CHEN K , FENG D G , SU P R ,et al. Black-box testing based on co-lorful taint analysis[J]. Science China Information Science, 2011,41(5): 526-540.
[20]	SLOWINSKA A , BOS H . Pointless tainting?:evaluating the practical-ity of pointer tainting[A]. ACM European Conference on Computer Systems[C]. Nuremberg,Germany, 2009. 61-74.
[21]	KAND M , MCCAMANT S , POOSANKAM P ,et al. DTA++:dynamic taint analysis with targeted control-flow propagation[A]. NDSS[C]. San Diego,California,USA, 2011. 26-39.
[22]	WANG Z , JIANG X , CUI W ,et al. ReFormat:automatic reverse engineering of encrypted messages[A]. CESORICS[C]. Athens,Greece, 2010. 200-215.
[23]	CHO C , DOMAGOJ B , SHIN E ,et al. Inference and analysis of for-mal models of botnet command and control protocols[A]. ACM CCS[C]. Chicago,Illinois,USA, 2010. 426-439

Metrics

Recommended 0

No Suggested Reading articles found!

序号	T_？更新记录	执行规则	字段识别结果
1	R_ESI←[{i₀},{i₁},{i₂},{i₃}]	T-VAR,T-INT,T-ABINOP,T-LOAD,T-ASSIGN	—
2	R_ESI←[{i₀},?,?,?]	T-VAR,T-INT,T-BBINOP,T-ASSIGN	—
3	R_EAX←[{i₀},{i₀},{i₀},{i₀}]	T-VAR,T-INT,T-ABINOP,T-ASSIGN	—
4	T_32t_1←[{i₀},{i₀},{i₀},{i₀}]	T-VAR,T-INT,T-ABINOP,T-ASSIGN	—
5	R_ZF←[{i₀},{i₀},{i₀},{i₀}]	T-VAR,T-INT,T-ABINOP,T-ASSIGN	—
6	—	T-VAR,T-INT,T-ABINOP,F-IF	＜0,0＞

报文类型	解析程序	发送程序	报文长度/byte	执行记录规模/Mbyte
DNS Query	Bind 9.9.0	nslookup(Win)	28	3.7
eDonkey Hello	Emule 0.48a	Emule 0.48a	86	315.4
DHCP BOOTP Request	OpenDHCPServer 1.48	DHCP Client(Win)	176	20.4
FTP USER Request	FileZilla Server 0.9.41	FileZilla 3.5.3	16	2.6
HTTP GET Request	Apache 2.4.2	IE 7.0	318	16.2
SIP Register	MiniSIPServer Express	Nero IP phone 2.0	467	247.8
ePO POST PolicyCheck	McAfee ePO 4.5	McAfee Agent 3.0	940	95.6

报文类型	字段数	污点相关的指令数	AutoFormat			Tupni			SPAE
报文类型	字段数	污点相关的指令数	\|F\|	\|F_c\|	\|F_o\|	\|F\|	\|F_c\|	\|F_o\|	\|F\|	\|F\|_c	\|F\|_o
DNS Query	13	4 372	9	1	2	9	1	2	10	1	0
eDonkey Hello	23	17 983	21	0	4	21	1	1	23	0	0
DHCP BOOTP Request	39	25 386	28	5	0	28	5	0	28	5	0
FTP USER Request	4	2 469	4	0	0	3	0	0	4	0	0
HTTP GET Request	67	32 996	60	0	21	60	0	21	67	0	0
SIP Register	104	83 152	103	0	3	103	0	3	104	0	0
ePO POST PolicyCheck	65	120 903	0	0	940	27	0	832	60	1	0

报文类型	执行指令数	时间开销/s		内存开销/KB
报文类型	执行指令数	tracecap	SPAE	tracecap	SPAE
DNS Query	92 169	＜1	19	324	2 392
eDonkey Hello	7 453 698	37	1 748	417	2 368
DHCP BOOTP Request	479 348	2	142	495	2 426
FTP USER Request	64 855	＜1	26	308	2 304
HTTP GET Request	389 491	2	171	667	2 457
SIP Register	5 812 767	25	1 502	872	2 480
ePO POST PolicyCheck	1 984 856	11	1 184	1 231	2 521

Protocol format extraction at semantic level

RichHTML

PDF

Knowledge

Abstract

Cite this article

share this article

Figures/Tables 13

References 23

Related Articles 4

Metrics

Recommended 0

[1]	Huafeng HUANG, Purui SU, Yi YANG, Xiangkun JIA. Automatic exploitation generation method of write-what-where vulnerability [J]. Journal on Communications, 2022, 43(1): 83-95.
[2]	Jian-zhen LUO,Shun-zheng YU,Jun CAI. Method for determining the lengths of protocol keywords based on maximum likelihood probability [J]. Journal on Communications, 2016, 37(6): 119-128.
[3]	. Protocol format extraction at semantic level [J]. Journal on Communications, 2013, 34(10): 19-173.
[4]	Yu LIU,Mei-ning NIE,Pu-rui SU,Deng-guo FENG. Attack signature generation by traceable dynamic taint analysis [J]. Journal on Communications, 2012, 33(5): 21-28.