Zhaohui Hu,Qi Chen,Ruizhao Yu

DOI: https://doi.org/10.3321/j.issn:1002-8331.2001.10.020

2001-01-01

Abstract:This article introduces the implementation of TCP Protocol and the technique of Port Scanning based on the characteristic of TCP Protocol,at the same time,the several implementations of Port Scanning are also described. We also analyze the potential external attacks that can be made because of the weakness of operation system and the ways to avoid suck kinds of attack are also put up.

Ying Liu,Dongqin Feng

DOI: https://doi.org/10.1109/iccasit48058.2019.8973161

2019-01-01

Abstract:Computer network technology has been increasingly infiltrated into the industrial control system and made the security problems more complex and changeable. Network security situation awareness technology can perceive the real-time threats that the network faced, and provide reliable basis for decision-making. This paper mainly focuses on the situation assessment and introduces finite state machine and fuzzy logic theory. Finite state machine can intuitively show the internal state transition of the industrial control system and detect the malicious packet attack's type and severity. Fuzzy logic balances the semantic fuzziness and event uncertainty in the process of situation assessment, fuses the output data of the state machine and obtains the threat level which is helpful for decision analysis. Proved, the method proposed in this paper can give a reasonable and accurate security assessment of industrial control system.

Fan Hu,Jiangan Ji,Hui Shu,Zheming Li,Tieming Liu,Chao Zhang

DOI: https://doi.org/10.1109/icst60714.2024.00022

2024-01-01

Abstract:The TLS protocol is one of the most crucial foundations for ensuring internet security. Consequently, vulnerabilities within the TLS protocol have a significant impact on the Internet security. This paper aims to explore more efficient methods of discovering vulnerabilities in the TLS protocol. Fuzzing stands out as one of the most important techniques for vulnerability discovery in the TLS protocol. To tackle the high complexity of the TLS protocol, stateful greybox fuzzers such as AFLnet have been introduced to enable stateful fuzzing of TLS servers. However, these mutation-based fuzzers often encounter chal-lenges in preserving the message format information during the mutation process, which can undermine the testing results. As a result, this paper proposes a novel approach that incorporates a formatted mutation strategy into the stateful greybox fuzzing process, with the aim of achieving more efficient mutation results. The evaluation process involves four mainstream fuzzers, with OpenSSL's TLS server serving as the target. The results demonstrate that the proposed method significantly enhances the quality of generated seeds, code coverage, and state coverage across all four fuzzers.

Jiajun Shen,Dongqin Feng

DOI: https://doi.org/10.1109/hpcc.2014.115

2014-01-01

Abstract:With the development of the industrial informatization, the problems of security in field device layer have been gradually exposed, which mainly involves specified industrial communication protocols. Clock synchronization protocol, as one of the most important industrial communication protocols, ensures the real-time performance of industrial control system. Considering that the related researches have not yet formed a mature system, we propose a new method for analyzing the vulnerability of clock synchronization protocol in this article. In this method, SPN(stochastic petri net) is introduced as a modeling tool, while IEEE 1588 PTP clock synchronization protocol is regarded as the research object. An SPN(stochastic petri net) model is strictly built according to the protocol. Then, steady-state probability expressions are obtained by the isomorphic Markov chain. Through changing trigger rate of transitions of several pivotal states which are related to vulnerability, the influences of each parameter has on the model could be quantitatively reflected in the result of simulation in order to analyze vulnerability of clock synchronization protocol by determining the critical factors that affect protocol's vulnerability.

Yan Pan,Wei Lin,Liang Jiao,Yuefei Zhu

DOI: https://doi.org/10.1155/2022/6880677

IF: 1.968

2022-05-06

Security and Communication Networks

Abstract:The widely used network protocols play a crucial role in various systems. However, the protocol vulnerabilities caused by the design of the network protocol or its implementation by programmers lead to multiple security incidents and substantial losses. Hence, it is important to study the protocol fuzzing in order to ensure its correctness. However, the challenges of protocol fuzzing are the mutation of protocol messages and the deep interactivity of the protocol implementation. This paper proposes a model-based grey-box fuzzing approach for protocol implementations, including the server-side and client-side. The proposed method is divided into two phases: automata learning based on the minimally adequate teacher (MAT) framework and grey-box fuzzing guided by the learned model and code coverage. The StateFuzzer tool used for evaluation is presented to demonstrate the validity and feasibility of the proposed approach. The server-side fuzzing can achieve similar or higher code coverage and vulnerability discovery capability than those of AFLNET and StateAFL. Considering the client, the results show that it achieves 1.5X branch coverage (on average) compared with the default AFL, and 1.3X branch coverage compared with AFLNET and StateAFL, using the typical implementations such as OpenSSL, LibreSSL, and Live555. The StateFuzzer identifies a new memory corruption bug in Live555 (2021-08-25) and 14 distinct discrepancies based on differential testing.

computer science, information systems,telecommunications

Boyuan He,Vaibhav Rastogi,Yinzhi Cao,Yan Chen,V. N. Venkatakrishnan,Chunlin Xiong,Runqing Yang,Zhenrui Zhang

2016-01-01

Abstract:Secure Sockets Layer (SSL) and Transport Layer Security (TLS) protocols have become the security backbone of the Web and Internet today. Many systems including mobile and desktop applications are protected by SSL/TLS protocols against network attacks. However, many vulnerabilities caused by incorrect use of SSL/TLS APIs have been uncovered in recent years. Such vulnerabilities, many of which are caused due to poor API design and inexperience of application developers, often lead to confidential data leakage or man-in-the-middle attacks. In this paper, to guarantee code quality and logic correctness of SSL/TLS applications, we design and implement SSLINT, a scalable, automated, static analysis system for detecting incorrect use of SSL/TLS APIs. SSLINT is capable of performing automatic logic verification with high efficiency and good accuracy. To demonstrate it, we apply SSLINT to one of the most popular Linux distributions – Ubuntu. We find 29 previously unknown SSL/TLS vulnerabilities in Ubuntu applications, most of which are also distributed with other Linux distributions.

Sankalp Bagaria,R. Balaji,B. S. Bindhumadhava

DOI: https://doi.org/10.48550/arXiv.1705.09044

2017-05-25

Cryptography and Security

Abstract:TLS uses X.509 certificates for server authentication. A X.509 certificate is a complex document and various innocent errors may occur while creating/ using it. Also, many certificates belong to malicious websites and should be rejected by the client and those web servers should not be visited. Usually, when a client finds a certificate that is doubtful using the traditional tests, it asks for human intervention. But, looking at certificates, most people can't differentiate between malicious and non-malicious websites. Thus, once traditional certificate validation has failed, instead of asking for human intervention, we use machine learning techniques to enable a web browser to decide whether the server to which the certificate belongs to is malignant or not ie, whether the website should be visited or not. Once a certificate has been accepted in the above phase, we observe that the website may still turn out to be malicious. So, in the second phase, we download a part of the website in a sandbox without decrypting it and observe the TLS encrypted traffic (encrypted malicious data captured in a sandbox cannot harm the system). As the traffic is encrypted after Handshake is completed, traditional pattern-matching techniques cannot be employed. Thus we use flow features of the traffic along with the features used in the above first phase. We couple these features with the unencrypted TLS header information obtained during TLS Handshake and use these in a machine learning classifier to identify whether the traffic is malicious or not.

Yuelei XIAO,Zhixiang ZHU,Yong ZHANG

DOI: https://doi.org/10.13682/j.issn.2095-6533.2015.05.003

2015-01-01

Abstract:By analyzing the process of security protocols,the definition of driving module (DM) is introduced,and then regular and penetrator DMs are formed according to the Strand Space Model (SSM).Based on this,a DM-based model checking method is proposed.Theoretical analysis indicates that this method is prefect in terms of searching breadth and depth,and can avoid the state space explosion problem.Therefore,this method can be used not only to get the attack scenarios of a flawed security protocol,but also to prove that an unflawed security protocol is secure.Moreover,the Otway-Rees protocol and the TLS protocol are analyzed based on this method.As a result,various attack scenarios of the Otway-Rees protocol are discovered and two secure improved Otway-Rees protocols are put forward,and therefore the TLS protocol is proved to be secure.

Kaled Alshmrany,Lucas Cordeiro

DOI: https://doi.org/10.48550/arXiv.2001.09592

2020-01-27

Cryptography and Security

Abstract:Implementations of network protocols are often prone to vulnerabilities caused by developers' mistakes when accessing memory regions and dealing with arithmetic operations. Finding practical approaches for checking the security of network protocol implementations has proven to be a challenging problem. The main reason is that the protocol software state-space is too large to be explored. Here we propose a novel verification approach that combines fuzzing with symbolic execution to verify intricate properties in network protocol implementations. We use fuzzing for an initial exploration of the network protocol, while symbolic execution explores both the program paths and protocol states, which were uncovered by fuzzing. From this combination, we automatically generate high-coverage test input packets for a network protocol implementation. We surveyed various approaches based on fuzzing and symbolic execution to understand how these techniques can be effectively combined and then choose a suitable tool to develop further our model on top of it. In our preliminary evaluation, we used ESBMC, Map2Check, and KLEE as software verifiers and SPIKE as fuzzer to check their suitability to verify our network protocol implementations. Our experimental results show that ESBMC can be further developed within our verification framework called \textit{FuSeBMC}, to efficiently and effectively detect intricate security vulnerabilities in network protocol implementations.

Jing Wang,Ying Yang,Lijuan Chen,Guang Yang,Zhenya Chen,Liqiang Wen

DOI: https://doi.org/10.1109/cis.2015.103

2015-01-01

Abstract:SSL (Secure Sockets Layer) and TLS (Transport Layer Security), which aim to provide confidentiality and integrity of data in transit across untrusted networks, have combined symmetric cryptography technology and public encryption technology. Over the last couple of years, however, several significant vulnerabilities have been discovered in SSL/TLS protocols. The combination way of timing attack and statistical methods is proposed to reduce the computational complexity. The approach focuses on the cryptographic operation of SSL/TLS record protocols in CBC-mode. The experiment result shows it is better than Lucy 13 attack.

Hanqing Yu,Yuanyi Ma,Siyu Cheng,Siyang Chen,Quan Zheng,Shuangwu Chen

DOI: https://doi.org/10.1109/iccc59590.2023.10507645

2023-01-01

Abstract:TLS protocol, as the most popular security protocol in modern network communications, has numerous different implementations. Despite continuous efforts by creators to maintain these complex codes, they are still plagued by errors and security vulnerabilities. The TLS handshake protocol, as one of the most sensitive and vulnerable protocols in the TLS protocol family, has seen limited research in terms of security testing. Existing testing tools like TLS-differ use black-box differential fuzz testing to test the TLS handshake protocol. However, due to the blindness of black-box fuzzing, the generated test cases have lower coverage, and the efficiency of discovering differences is also relatively low. This paper focuses on the TLS handshake protocol in the TLS protocol family and proposes a strategy for using gray-box differential fuzz testing to discover differences between different implementations in the TLS handshake process. It introduces the AR-SMAB model to guide the seed selection and mutation process in gray-box fuzz testing. We implemented our testing tool and compared it with TLS-differ and two other validated gray-box differential fuzz testing tools. Our experiments show that our testing tool is more efficient in discovering differences and cumulative coverage, improving by approximately 10% to 50% compared to other tools.

Blake Anderson,Subharthi Paul,David McGrew

DOI: https://doi.org/10.48550/arXiv.1607.01639

2016-07-06

Abstract:The use of TLS by malware poses new challenges to network threat detection because traditional pattern-matching techniques can no longer be applied to its messages. However, TLS also introduces a complex set of observable data features that allow many inferences to be made about both the client and the server. We show that these features can be used to detect and understand malware communication, while at the same time preserving the privacy of benign uses of encryption. These data features also allow for accurate malware family attribution of network communication, even when restricted to a single, encrypted flow. To demonstrate this, we performed a detailed study of how TLS is used by malware and enterprise applications. We provide a general analysis on millions of TLS encrypted flows, and a targeted study on 18 malware families composed of thousands of unique malware samples and ten-of-thousands of malicious TLS flows. Importantly, we identify and accommodate the bias introduced by the use of a malware sandbox. The performance of a malware classifier is correlated with a malware family's use of TLS, i.e., malware families that actively evolve their use of cryptography are more difficult to classify. We conclude that malware's usage of TLS is distinct from benign usage in an enterprise setting, and that these differences can be effectively used in rules and machine learning classifiers.

Cryptography and Security

Mingming Zhang,Xiaofeng Zheng,Kaiwen Shen,Ziqiao Kong,Chaoyi Lu,Yu Wang,Haixin Duan,Shuang Hao,Baojun Liu,Min Yang

DOI: https://doi.org/10.1145/3372297.3417252

2020-01-01

Abstract:HTTPS is principally designed for secure end-to-end communication, which adds confidentiality and integrity to sensitive data transmission. While several man-in-the-middle attacks (e.g., SSL Stripping) are available to break the secured connections, state-of-the-art security policies (e.g., HSTS) have significantly increased the cost of successful attacks. However, the TLS certificates shared by multiple domains make HTTPS hijacking attacks possible again. In this paper, we term the HTTPS MITM attacks based on the shared TLS certificates as HTTPS Context Confusion Attack (SCC Attack). Despite a known threat, it has not yet been studied thoroughly. We aim to fill this gap with an in-depth empirical assessment of SCC Attack. We find the attack can succeed even for servers that have deployed current best practice of security policies. By rerouting encrypted traffic to another flawed server that shares the TLS certificate, attackers can bypass the security practices, hijack the ongoing HTTPS connections, and subsequently launch additional attacks including phishing and payment hijacking. Particularly, vulnerable HTTP headers from a third-party server are exploitable for this attack, and it is possible to hijack an already-established secure connection. Through tests on popular websites, we find vulnerable subdomains under 126 apex domains in Alexa top 500 sites, including large vendors like Alibaba, JD, and Microsoft. Meanwhile, through a large-scale measurement, we find that TLS certificate sharing is prominent, which uncovers the high potential of such attacks, and we summarize the security dependencies among different parties. For responsible disclosure, we have reported the issues to affected vendors and received positive feedback. Our study sheds light on an influential attack surface of the HTTPS ecosystem and calls for proper mitigation against MITM attacks.

Yurong Chen,Yongsheng Mei,Tian Lan,Guru Venkataramani

DOI: https://doi.org/10.1145/3526088

2024-01-01

Digital Threats Research and Practice

Abstract:In recent years, coverage-based greybox fuzzing has become popular forvulnerability detection due to its simplicity and efficiency. However, it is less powerful when applied directly to protocol fuzzing due to the unique challenges involved in fuzzing communication protocols. In particular, the communication among multiple ends contains more than one packet, which are not necessarily dependent upon each other, i.e., fuzzing single (usually the first) packet can only achieve extremely limited code coverage. In this paper, we study such challenges and demonstrate the limitation of current non-stateful greybox fuzzer. In order to achieve higher code coverage, we design stateful protocol fuzzing strategies for communication protocols to explore the code related to different protocol states. Our approach contains a state switching engine, together with a multi-state forkserver to consistently and flexibly fuzz different states of an compiler-instrumented protocol program. Our experimental results on OpenSSL show that our approach achieves an improvement of 73% more code coverage and 2x unique crashes when comparing against fuzzing the first packet during a protocol handshake.

Shameng Wen,Qingkun Meng,Chao Feng,Chaojing Tang

DOI: https://doi.org/10.1371/journal.pone.0188229

IF: 3.7

2017-11-16

PLoS ONE

Abstract:Formal techniques have been devoted to analyzing whether network protocol specifications violate security policies; however, these methods cannot detect vulnerabilities in the implementations of the network protocols themselves. Symbolic execution can be used to analyze the paths of the network protocol implementations, but for stateful network protocols, it is difficult to reach the deep states of the protocol. This paper proposes a novel model-guided approach to detect vulnerabilities in network protocol implementations. Our method first abstracts a finite state machine (FSM) model, then utilizes the model to guide the symbolic execution. This approach achieves high coverage of both the code and the protocol states. The proposed method is implemented and applied to test numerous real-world network protocol implementations. The experimental results indicate that the proposed method is more effective than traditional fuzzing methods such as SPIKE at detecting vulnerabilities in the deep states of network protocol implementations.

Ya Ma

DOI: https://doi.org/10.52783/jes.3438

2024-04-25

Abstract:The protection of industrialized management systems and related network protocols is guaranteed by vulnerability mining innovation. The inadequate receiving efficiency and insufficient vulnerability mining capacity of vulnerability mining strategies are their drawbacks. So, this study analyzes the network protocol vulnerability mining using fuzz testing combined with deep learning (DL). In this study, Modbus TCP is employed as a network protocol regarding vulnerability mining. This paper presents a unique threshold-sample-driven deep neural network (T-s DNN) framework. Based on the TSDNN, we construct a fuzzing framework (T-s DNN Fuzzer) for Modbus TCP protocols. The DNN algorithm is first trained to understand the meaning of the protocol's data unit using this framework. The likelihood distribution of every value in the information is quantified using the softmax mechanism. The technique then examines the highest likelihood and the random variable's threshold in deciding whether to use the information value with the optimal likelihood in place of the existing information value. The MBAP header has been finished by the protocol standard. Fuzz tests demonstrate that in addition to increasing sample receipt levels and exploitability, fuzzing devices can identify protocol vulnerabilities rapidly. Experiments conducted with the T-s DNN fuzzer demonstrate that it can detect industrial control protocol vulnerabilities greater in addition to increasing test case reception scores and exploitability.

Computer Science,Engineering

Mahdi Jafari Siavoshani,Amirhossein Khajehpour,Amirmohammad Ziaei Bideh,Amirali Gatmiri,Ali Taheri

DOI: https://doi.org/10.1007/s00500-023-07949-9

IF: 3.732

2023-05-12

Soft Computing

Abstract:Protecting users' privacy over the Internet is of great importance; however, it becomes harder and harder to maintain due to the increasing complexity of network protocols and components. Therefore, investigating and understanding how data are leaked from the information transmission platforms and protocols can lead us to a more secure environment. In this paper, we propose a framework to systematically find the most vulnerable information fields in a network protocol. To this end, focusing on the transport layer security (TLS) protocol, we perform different machine-learning-based fingerprinting attacks on the collected data from more than 70 domains (websites) to understand how and where this information leakage occurs in the TLS protocol. Then, by employing the interpretation techniques developed in the machine learning community and applying our framework, we find the most vulnerable information fields in the TLS protocol. Our findings demonstrate that the TLS handshake (which is mainly unencrypted), the TLS record length appearing in the TLS application data header, and the IV field are among the most critical leaker parts in this protocol, respectively.

computer science, artificial intelligence, interdisciplinary applications

Liang Wan,Wenchang Shi

DOI: https://doi.org/10.1109/icasid.2012.6325286

2012-01-01

Abstract:Network protocol vulnerability detection is paramount to network security. Formalization provides an important way for vulnerability detection. In this paper, we apply TLA, which is a powerful tool for formal analysis, to analyze network protocols. An approach is proposed that aims to detect vulnerabilities of a protocol effectively with the TLA, with the Kerberos protocol being taken as an example. Firstly, roles for the protocol, especially those related to intruders, are created. Then actions of the roles are specified. Sessions among the roles are built. And environment parameters are set. A prototype program is developed to implement the approach, which covers the model and the detection properties of the protocol. Experiments show that our approach is effective and powerful in specifying and checking a protocol, and it is better than SPIN and SMV.

Kevin Lamshöft,Jana Dittmann

DOI: https://doi.org/10.1016/j.ifacol.2020.12.258

2020-01-01

Abstract:Recent findings in research on malware threats indicate an increasing use of information hiding techniques as a novel approach for compromising IT-Systems by using covert functions and hidden channels. Especially in the context of covert intrusion and data exfiltration, networks of Industrial Control Systems (ICS) are a valuable target for information hiding based attacks. In this paper we discuss how 18 known patterns of information hiding in networks can be applied to protocols found in ICS networks and demonstrate how information can be covertly embedded and retrieved at the example of Modbus/TCP to achieve an overall protocol-compliance by also studying the embedding capacity. Additionally we provide a first tendency of warden- compliance, if the warden has a suspicion that there is a hidden message (conspicuousness). For a practical analysis we introduce an evaluation framework based on open-source software enabling assessment and quick implementation of hidden channels in common protocols found in ICS networks. In combination with a pattern-based approach for the identification of hidden channels, we show how this framework can be utilized as a systematic approach to identify and evaluate plausible hidden channels in industrial communication protocols. From the 14 identified patterns, in this paper we use the introduced framework to implement and evaluate two exemplary timing and storage channels in Modbus/TCP. Our results show 14 protocol-compliant patterns of information hiding based attacks in the context of Industrial Control Systems as well as the necessity of more research in this particular field, especially in terms of further plausible combination of pattern, warden-compliance, detection and mitigation strategies.

Steve Kremer,Max Ammann,L. Hirschi

DOI: https://doi.org/10.1109/SP54263.2024.00096

2024-05-19

Abstract:Critical and widely used cryptographic protocols have repeatedly been found to contain flaws in their design and their implementation. A prominent class of such vulnerabilities is logical attacks, e.g. attacks that exploit flawed protocol logic. Automated formal verification methods, based on the Dolev-Yao (DY) attacker, formally define and excel at finding such flaws, but operate only on abstract specification models. Fully automated verification of existing protocol implementations is today still out of reach. This leaves open whether such implementations are secure. Unfortunately, this blind spot hides numerous attacks, such as recent logical attacks on widely used TLS implementations introduced by implementation bugs.We answer by proposing a novel and effective technique that we call DY model-guided fuzzing, which precludes logical attacks against protocol implementations. The main idea is to consider as possible test cases the set of abstract DY executions of the DY attacker, and use a novel mutation-based fuzzer to explore this set. The DY fuzzer concretizes each abstract execution to test it on the program under test. This approach enables reasoning at a more structural and security-related level of messages represented as formal terms (e.g. decrypt a message and re-encrypt it with a different key) as opposed to random bit-level modifications that are much less likely to produce relevant logical adversarial behaviors. We implement a full-fledged and modular DY protocol fuzzer. We demonstrate its effectiveness by fuzzing three popular TLS implementations, resulting in the discovery of four novel vulnerabilities.

Computer Science