Abstract
Automatic network protocol reverse engineering is important for many network applications such as fuzz testing and intrusion detection. Because sequence alignment on network traces is limited by the lack of semantic information, recent research has focused on dynamic taint analysis. However, current dynamic-taint-based methods need heuristic rules to handle different network protocols, which makes them too complex to run automatically and efficiently. Our approach is inspired by the observation that different fields of a network protocol message are processed along different execution paths of the binary application, while the bytes of the same message field are processed by highly similar instruction sequences. By analyzing the similarity of dynamic taint propagation and then adjusting the boundaries according to keywords and separators, we can identify field boundaries not only accurately but also fully automatically. Evaluated on real-world protocol implementations (FTP, HTTP, DNS, etc.), the results show that our method is more accurate and simpler than existing methods.
This work was supported by the National Science Foundation of China No. 61370230 and Opening Project of Key Lab of Information Network Security of Ministry of Public Security (C14603).
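The two-step idea in the abstract (segment bytes by similarity of their taint-propagation instruction sequences, then adjust boundaries with separators and keywords) as an added illustration; this is not the paper's code, and the request line, the per-byte instruction traces, the threshold and the keyword list are all constructed for the example.

```python
from difflib import SequenceMatcher

# Constructed HTTP request line and a made-up per-byte taint record: for each
# message byte, the addresses of the instructions that consumed it, as a taint
# tracker would log them. Bytes of one field share a handler; the space after
# the URI is touched by the same scan loop as the URI bytes (its exit branch).
MSG = b"GET /a HTTP/1.1\r\n"
CMP, SEP = [0x1000, 0x1004, 0x1008], [0x1010]
SCAN, SCAN_EXIT = [0x1100, 0x1104, 0x1108], [0x1100, 0x1104, 0x110C]
TRACES = ([CMP] * 3 + [SEP] + [SCAN] * 2 + [SCAN_EXIT]
          + [[0x1200, 0x1204]] * 8 + [[0x1300, 0x1304], [0x1300, 0x1308]])
SEPARATORS = {0x20, 0x0D, 0x0A}   # space, CR, LF
KEYWORDS = [b"HTTP/"]             # assumed known protocol keyword
THRESHOLD = 0.5                   # assumed similarity cut-off

def similarity(a, b):
    """Similarity of two instruction sequences: 2 * matches / total length."""
    return SequenceMatcher(None, a, b).ratio()

def segment_by_taint(msg, traces, threshold=THRESHOLD):
    """Open a new field wherever adjacent bytes were handled by dissimilar
    instruction sequences (the taint-propagation-similarity step)."""
    fields, start = [], 0
    for i in range(1, len(msg)):
        if similarity(traces[i - 1], traces[i]) < threshold:
            fields.append(msg[start:i])
            start = i
    fields.append(msg[start:])
    return fields

def adjust_boundaries(fields, separators=SEPARATORS, keywords=KEYWORDS):
    """Separator bytes become their own field even when the parser's scan loop
    touched them like payload; a field opening with a keyword splits after it."""
    by_sep = []
    for field in fields:
        run = b""
        for byte in field:
            if run and (run[-1] in separators) != (byte in separators):
                by_sep.append(run)
                run = b""
            run += bytes([byte])
        by_sep.append(run)
    result = []
    for field in by_sep:
        kw = next((k for k in keywords if field.startswith(k) and len(field) > len(k)), None)
        result.extend([kw, field[len(kw):]] if kw else [field])
    return result

def infer_fields(msg=MSG, traces=TRACES):
    return adjust_boundaries(segment_by_taint(msg, traces))
```

Similarity alone lumps the trailing space into the URI field because the same scan loop consumed it; the separator adjustment recovers that boundary.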
© 2016 Springer International Publishing Switzerland
About this paper
Cite this paper
Li, W., Ai, M., Jin, B. (2016). A Network Protocol Reverse Engineering Method Based on Dynamic Taint Propagation Similarity. In: Huang, DS., Bevilacqua, V., Premaratne, P. (eds) Intelligent Computing Theories and Application. ICIC 2016. Lecture Notes in Computer Science(), vol 9771. Springer, Cham. https://doi.org/10.1007/978-3-319-42291-6_58
DOI: https://doi.org/10.1007/978-3-319-42291-6_58
Publisher Name: Springer, Cham
Print ISBN: 978-3-319-42290-9
Online ISBN: 978-3-319-42291-6
eBook Packages: Computer Science (R0)