Icefex: Protocol Format Extraction from IL-based Concolic Execution

  • Pan, Fan (Institute of Command Automation, PLA University of Science and Technology) ;
  • Wu, Li-Fa (Institute of Command Automation, PLA University of Science and Technology) ;
  • Hong, Zheng (Institute of Command Automation, PLA University of Science and Technology) ;
  • Li, Hua-Bo (Institute of Command Automation, PLA University of Science and Technology) ;
  • Lai, Hai-Guang (Institute of Command Automation, PLA University of Science and Technology) ;
  • Zheng, Chen-Hui (Institute of Command Automation, PLA University of Science and Technology)
  • Received : 2012.11.22
  • Accepted : 2013.03.09
  • Published : 2013.03.31

Abstract

Protocol reverse engineering is useful for many security applications, including intelligent fuzzing, intrusion detection and fingerprint generation. Since manual reverse engineering is a time-consuming and tedious process, a number of automatic techniques have been proposed. However, the accuracy of these techniques is limited by the complexity of binary instructions, and the formats they derive miss constraints that are critical for security applications. In this paper, we propose a new approach to protocol format extraction. Our approach reasons only about how the program evaluates the input message, as observed through concolic execution, and thereby identifies fields and infers constraints with high accuracy. Moreover, it keeps binary analysis simple by reducing modern instruction sets to BIL, a small, well-specified and architecture-independent intermediate language. We have implemented our approach in a system called Icefex and evaluated it on real-world implementations of the DNS, eDonkey, FTP, HTTP and McAfee ePO protocols. Experimental results show that our approach extracts protocol formats more accurately and effectively than other approaches.
