Dongxiao Jiang,Chenggang Li,Lixin Ma,Xiaoyu Ji,Yanjiao Chen,Bo Li

DOI: https://doi.org/10.1109/bigdatasecurity-hpsc-ids49724.2020.00015

2020-01-01

Abstract:With the development of network, more and more unkown protocols appear. Network protocols define the rules between network entities and firewall uses network protocol for deep packet detection to prevent intrusions. For detecting these unkown protocols, firewall can’t analyze these protocols, which makes many systems vulnerable. To solve this problem, protocol reverse engineering is getting more and more attention. Protocol reverse engineering is a process that reverses the syntax and grammar of a protocol from its traces of execution codes. It focuses on three protocol features: field boundaries, protocol grammar and state machine. Field boundaries inference is the basis of the protocol reverse engineering, the precision of this process has a big influence on reversing the grammar and state machine. In this paper, we propose a method called ABinfer, which leverage the Field Adjacent information to identify the field boundaries. We evaluate the method on three protocols and the results show that it has a good ability to identify field boundaries of protocols.

Weiming Li,Meirong Ai,Bo Jin

DOI: https://doi.org/10.1007/978-3-319-42291-6_58

2016-01-01

Abstract:Automatic network protocol reverse engineering is very important for many network applications such as fuzz testing and intrusion detection. Since sequences alignment on network traces is limited by the lack of semantic information, recent researches focus on dynamic taint analysis. But current dynamic taint based methods need heuristics rules to handle different network protocols which make them too complex to run automatically and efficiently. Our approach is inspired by the observation that different fields of network protocol message are processed in different execution path of the binary application, while the bytes of same message field are processed by highly similar instructions sequence. After analyzing the similarity of dynamic taint propagation and adjusting boundaries according to keywords and separators, we can identify the field boundaries not only accurately but also fully automatically. Evaluated by real-world protocol implementations (FTP, HTTP, DNS, etc.), the result shows our method is more accurate and simpler than exist methods.

Shameng Wen,Qingkun Meng,Chao Feng,Chaojing Tang

DOI: https://doi.org/10.1371/journal.pone.0186188

IF: 3.7

2017-10-19

PLoS ONE

Abstract:Network protocol vulnerability detection plays an important role in many domains, including protocol security analysis, application security, and network intrusion detection. In this study, by analyzing the general fuzzing method of network protocols, we propose a novel approach that combines network traffic analysis with the binary reverse engineering method. For network traffic analysis, the block-based protocol description language is introduced to construct test scripts, while the binary reverse engineering method employs the genetic algorithm with a fitness function designed to focus on code coverage. This combination leads to a substantial improvement in fuzz testing for network protocols. We build a prototype system and use it to test several real-world network protocol implementations. The experimental results show that the proposed approach detects vulnerabilities more efficiently and effectively than general fuzzing methods such as SPIKE.

Ying Wang,Lize Gu,Zhongxian Li,Yixian Yang

DOI: https://doi.org/10.1016/S1005-8885(13)60217-4

2013-01-01

The Journal of China Universities of Posts and Telecommunications

Abstract:This paper presents a new method for protocol reverse engineering, which combines both the dynamic and static binary analysis. Our work not only does precise positioning on the field and its length, but also gives the field attributes accurately. According to different instructions and the current program structure, we can infer the message format validly. To prove the method is sound and effective, we build a prototype tool – NetProtocolFinder, and select some documented protocol and undocumented protocol messages as the test instances respectively. Results of our experiments show that the tool can not only extract the message format from protocols effectively, but also speculate the state machine model through relevant field attributes conveniently.

Yanjing Hu,Liaojun Pang,Qingqi Pei,Xu An Wang

DOI: https://doi.org/10.1109/3pgcic.2015.68

2015-01-01

Abstract:Unknown protocol's hidden behavior is becoming a new challenge in network security. This paper takes the captured messages and the binary code that implement the protocol both as the studied object. Dynamic Taint Analysis combined with Static Analysis is used for protocol analyzing. Firstly, monitor and analyze the process of protocol program parses the message in the virtual platform HiddenDisc prototype system developed by ourselves, record the protocol's public behavior, then based on our proposed Hidden Behavior Perception and Mining algorithm, static analyze the protocol's hidden behavior trigger conditions and hidden behavior instruction sequences. According to the hidden behavior trigger conditions, new protocol messages with the sensitive information are generated, and the hidden behaviors are executed by dynamic triggering. HiddenDisc prototype system can sense, trigger and analysis the protocol's hidden behaviors. According to the statistical analysis results, we propose the evaluation method of Protocol Execution Security. The experimental results show that the present method can accurately mining the protocol's hidden behaviors, and can evaluate unknown protocol's execution security.

Yipeng Wang,Xingjian Li,Jiao Meng,Yong Zhao,Zhibin Zhang,Li Guo

DOI: https://doi.org/10.1109/pdcat.2011.25

2011-01-01

Abstract:Application-level protocol specifications are helpful for network security management, including intrusion detection and intrusion prevention which rely on monitoring technologies such as deep packet inspection. Moreover, detailed knowledge of protocol specifications is also an effective way of detecting malicious code. However, current methods for obtaining unknown and proprietary protocol message formats (i.e., no publicly available protocol specification), especially binary protocols, highly rely on manual operations, such as reverse engineering which is time-consuming and laborious. In this paper, we propose Biprominer, a tool that can automatically extract binary protocol message formats of an application from its real-world network trace. In addition, we present a transition probability model for a better description of the protocol. The chief feature of Biprominer is that it does not need to have any priori knowledge of protocol formats, because Biprominer is based on the statistical nature of the protocol format. We evaluate the efficacy of Biprominer over three binary protocols, with an average precision more than 99% and a recall better than 96.7%.

Meijian Li,Wang, Yongjun,Xie, Peidai,Zhijian Huang

DOI: https://doi.org/10.1049/cp.2014.0729

2014-01-01

Abstract:To maintain communications confidentiality, security protocols are widely used in more and more network applications. Moreover, some malwares even leverage these kinds of protocols to evade inspection by IDS. Most security protocols are designed and verified by formalized methods; however, observation shows that protocol implementations commonly contain flaws or vulnerabilities. Therefore, research on reverse engineering of security protocols can play an important role in improving the security of network applications, especially by providing another way to fight against malwares. Nevertheless, previous protocol reverse engineering technologies, which are based on analysis of network traces, encounter great challenges when the network messages transmitted between different protocol principals are encrypted. This paper proposes a taint analysis based method, which aims to infer the message format from dynamic execution of security protocol applications. The proposed approach is based on the observation that the process of message parsing in cryptographic protocol applications reveals rich information about the hierarchical structures and semantics of their messages. Hence, by observing calls to library function and instruction execution in network programs, the proposed approach can reverse derive large amount of information about their protocol, such as message format and protocol model, even the communication is encrypted. Experiments show that the reverse analysis results not only accurately identify message fields, but also unveil the structure of the encrypted message fields.

Yige Chen,Tianning Zang,Yongzheng Zhang,Yuan Zhou,Peng Yang,Yipeng Wang

DOI: https://doi.org/10.1007/978-3-030-92635-9_21

2021-01-01

Abstract:The automatic protocol reverse engineering for undocumented network protocols is important for many fundamental network security applications, such as intrusion prevention and detection. With the growing prevalence of binary protocols in the network communication to organize data in a terse format and ensure data integrity, the proven reverse approaches for ordinary text protocols face severe challenges in the compatibility. In this paper, we propose Inspector, an automatic protocol reverse engineering approach that exploits semantic fields to infer message formats from binary network traces. Inspector reasonably infers two semantic fields based on the binary content analysis of protocol messages to support clustering messages and message format inference. We evaluate the effectiveness of Inspector on two binary cryptographic protocols (TLS and SSH) and a binary unencrypted protocol MQTT by measuring the accuracy of message clustering and comparing the inferred message formats with the ground truths on a traffic dataset captured from a campus. Our experimental results show that Inspector accurately cluster messages with 100% cluster precision and 100% message recall for TLS, 90% cluster precision and 99.6% message recall for SSH, 100% cluster precision and 92.7% message recall for MQTT. Based on the accurate message clusters, Inspector can correctly infer the format of the messages in the cluster.

Lu Yu,Yuliang Lu,Yi Shen,Jun Zhao,Jiazhen Zhao

DOI: https://doi.org/10.3934/mbe.2022127

2022-01-01

Mathematical Biosciences and Engineering

Abstract:Program-wide binary code diffing is widely used in the binary analysis field, such as vulnerability detection. Mature tools, including BinDiff and TurboDiff, make program-wide diffing using rigorous comparison basis that varies across versions, optimization levels and architectures, leading to a relatively inaccurate comparison result. In this paper, we propose a program-wide binary diffing method based on neural network model that can make diffing across versions, optimization levels and architectures. We analyze the target comparison files in four different granularities, and implement the diffing by both top down process and bottom up process according to the granularities. The top down process aims to narrow the comparison scope, selecting the candidate functions that are likely to be similar according to the call relationship. Neural network model is applied in the bottom up process to vectorize the semantic features of candidate functions into matrices, and calculate the similarity score to obtain the corresponding relationship between functions to be compared. The bottom up process improves the comparison accuracy, while the top down process guarantees efficiency. We have implemented a prototype PBDiff and verified its better performance compared with state-of-the-art BinDiff, Asm2vec and TurboDiff. The effectiveness of PBDiff is further illustrated through the case study of diffing and vulnerability detection in real-world firmware files.

Zian Liu,Zhi Zhang,Siqi Ma,Dongxi Liu,Jun Zhang,Chao Chen,Shigang Liu,Muhammad Ejaz Ahmed,Yang Xiang

2023-08-03

Abstract:Binary similarity detection is a critical technique that has been applied in many real-world scenarios where source code is not available, e.g., bug search, malware analysis, and code plagiarism detection. Existing works are ineffective in detecting similar binaries in cases where different compiling optimizations, compilers, source code versions, or obfuscation are deployed. We observe that all the cases do not change a binary's key code behaviors although they significantly modify its syntax and structure. With this key observation, we extract a set of key instructions from a binary to capture its key code behaviors. By detecting the similarity between two binaries' key instructions, we can address well the ineffectiveness limitation of existing works. Specifically, we translate each extracted key instruction into a self-defined key expression, generating a key-semantics graph based on the binary's control flow. Each node in the key-semantics graph denotes a key instruction, and the node attribute is the key expression. To quantify the similarity between two given key-semantics graphs, we first serialize each graph into a sequence of key expressions by topological sort. Then, we tokenize and concatenate key expressions to generate token lists. We calculate the locality-sensitive hash value for all token lists and quantify their similarity. %We implement a prototype, called SemDiff, consisting of two modules: graph generation and graph diffing. The first module generates a pair of key-semantics graphs and the second module diffs the graphs. Our evaluation results show that overall, SemDiff outperforms state-of-the-art tools when detecting the similarity of binaries generated from different optimization levels, compilers, and obfuscations. SemDiff is also effective for library version search and finding similar vulnerabilities in firmware.

Cryptography and Security

Jinxin Zhong -,Wenqing Fan -,Jing An -,Miao Zhang -,Yixian Yang -

DOI: https://doi.org/10.4156/jdcta.vol6.issue4.15

2012-01-01

International Journal of Digital Content Technology and its Applications

Abstract:Nowadays, Vulnerability exploiting has become a major means of malicious code communication. In order to solve the problem that polymorphic and metamorphic vulnerability exploit variants is difficult to detect, it presents a method of detecting vulnerability exploits based on binary behavior analysis in this paper. The method track and monitor the memory and register changes the binary file's behavior results, and have a formal verification on application's behavior through intermediate‐level language. In this paper, we examine the performance of binary analysis by taking two sets of experiments for separate targets, one is 13 local file vulnerabilities, the other is web browser vulnerabilities. The results show that the exploits detection method based on binary behavior analysis can be effectively used for analysis and detection of the vulnerabilities, also with significantly reduced time and space complexity.

SUN Ming,GU Da-wu,LI Juan-ru,LUO Yu-hao

DOI: https://doi.org/10.3969/j.issn.1001-3695.2012.02.068

2012-01-01

Abstract:Static binary analysis methods cannot meet the demand for malicious code analysis,and the traditional dynamic analysis approaches cannot effectively find the critical information among the huge amount of dynamic binary code.This paper gave a kind of differential analysis approach on dynamic binary code and provided its model and method.This approach could effectively extract the sensitive information from malicious code and make the function module or data spread understood.Finally,it provided an experiment based on differential binary analysis system,which validated the capability and efficiency of the approach.

Shouguo Yang,Zhengzi Xu,Yang Xiao,Zhe Lang,Wei Tang,Yang Liu,Zhiqiang Shi,Hong Li,Limin Sun

DOI: https://doi.org/10.1145/3604608

IF: 3.685

2023-06-17

ACM Transactions on Software Engineering and Methodology

Abstract:Vulnerability is a major threat to software security. It has been proven that binary code similarity detection approaches are efficient to search for recurring vulnerabilities introduced by code sharing in binary software. However, these approaches suffer from high false-positive rates since they usually take the patched functions as vulnerable, and they usually do not work well when binaries are compiled with different compilation settings. To this end, we propose an approach, named Robin , to confirm recurring vulnerabilities by filtering out patched functions. Robin is powered by a lightweight symbolic execution to solve the set of function inputs that can lead to the vulnerability-related code. It then executes the target functions with the same inputs to capture the vulnerable or patched behaviors for patched function filtration. Experimental results show that Robin achieves high accuracy for patch detection across different compilers and compiler optimization levels respectively on 287 real-world vulnerabilities of 10 different software. Based on accurate patch detection, Robin significantly reduces the false-positive rate of state-of-the-art vulnerability detection tools (by 94.3% on average), making them more practical. Robin additionally detects 12 new potentially vulnerable functions.

computer science, software engineering

Yipeng Wang,Xiaochun Yun,M. Zubair Shafiq,Liyan Wang,Alex X. Liu,Zhibin Zhang,Danfeng (Daphne) Yao,Yongzheng Zhang,Li Guo

DOI: https://doi.org/10.1109/icnp.2012.6459963

2012-01-01

Abstract:Extracting the protocol message format specifications of unknown applications from network traces is important for a variety of applications such as application protocol parsing, vulnerability discovery, and system integration. In this paper, we propose ProDecoder, a network trace based protocol message format inference system that exploits the semantics of protocol messages without the executable code of application protocols. ProDecoder is based on the key insight that the n-grams of protocol traces exhibit highly skewed frequency distribution that can be leveraged for accurate protocol message format inference. In ProDecoder, we first discover the latent relationship among n-grams by first grouping protocol messages with the same semantics and then inferring message formats by keyword based clustering and cluster sequence alignment. We implemented and evaluated ProDecoder to infer message format specifications of SMB (a binary protocol) and SMTP (a textual protocol). Our experimental results show that ProDecoder accurately parses and infers SMB protocol with 100% precision and recall. For SMTP, ProDecoder achieves approximately 95% precision and recall.

J. Vadayath,Kyle Zeng,Christophe Hauser,Ruoyu Wang,Y. Fratantonio,Tiffany Bao,Adam Doupé,Nicolaas Weideman,Yan Shoshitaishvili,Moritz Eckert,Gokulkrishna Praveen Menon,D. Balzarotti

Abstract:In spite of their effectiveness in the context of vulnerability discovery, current state-of-the-art binary program analysis approaches are limited by inherent trade-offs between accuracy and scalability. In this paper, we identify a set of vulnerability properties that can aid both static and dynamic vulnerability detection techniques, improving the precision of the former and the scalability of the latter. By carefully integrating static and dynamic techniques, we detect vulnerabilities that exhibit these properties in real-world programs at a large scale. We implemented our technique, making several advancements in the analysis of binary code, and created a prototype called A RBITER . We demonstrate the effectiveness of our approach with a large-scale evaluation on four common vulnerability classes: CWE-131 (Incorrect Calculation of Buffer Size), CWE-252 (Unchecked Return Value), CWE-134 (Un-controlled Format String), and CWE-337 (Predictable Seed in Pseudo-Random Number Generator). We evaluated our approach on more than 76,516 x86-64 binaries in the Ubuntu repositories and discovered new vulnerabilities, including a flaw inserted into programs during compilation.

Computer Science

Fusheng Wu,Huanguo Zhang,Wengqing Wang,Jianwei Jia,Shi Yuan

DOI: https://doi.org/10.1155/2017/7042835

IF: 1.968

2017-01-01

Security and Communication Networks

Abstract:The security analysis of protocols on theory level cannot guarantee the security of protocol implementations. To solve this problem, researchers have done a lot, and many achievements have been reached in this field, such as model extraction and code generation. However, the existing methods do not take the security of protocol implementations into account. In this paper, we have proposed to exploit the traces of function return values to analyze the security of protocol implementations at the source code level. Taking classic protocols into consideration, for example (like the Needham-Schroeder protocol and the Diffie-Hellman protocol, which cannot resist man-in-the-middle attacks), we have analyzed man-in-the-middle attacks during the protocol implementations and have carried out experiments. It has been shown in the experiments that our new method works well. Different from other methods of analyzing the security of protocol implementations in the literatures, our newmethod can avoid some flaws of program languages (like C language memory access, pointer analysis, etc.) and dynamically analyze the security of protocol implementations.

QIAN Yong,ZHANG Yong,BAI Yingcai

DOI: https://doi.org/10.3969/j.issn.1000-3428.2001.03.008

2001-01-01

Abstract:An approach which made use of running modes of two-party cryptographic protocols to analyze protocols was put forwarded in [1]. Through some counter-examples, we found flaws in the approach. In this paper, an efficient method is developed, which matchs faked messages with received set of attacks,messages in other run of protocol. Using the method, we found holes of some cryptographic protocols successly.

Yuntao Zhang,Binxing Fang,Zehui Xiong,Yanhao Wang,Yuwei Liu,Chao Zheng,Qinnan Zhang

DOI: https://doi.org/10.1109/jiot.2024.3389014

IF: 10.6

2024-01-01

IEEE Internet of Things Journal

Abstract:As a fundamental component of Internet of Things (IoT) devices, firmware plays an essential role. Nowadays, the development of IoT firmware relies extensively on third-party components and substantially enhances development efficiency. However, these components are not inherently secure, and their vulnerabilities can adversely affect the security of IoT firmware. Existing research adopts binary code similarity analysis to detect known vulnerabilities in firmware. However, it encounters significant challenges, primarily in extracting function features from the limited semantic information within binary code. Another challenge is the need for real-world data sets to assess the model's performance in practical scenarios, such as firmware supply chain analysis. We present a detection model named program dependence graph to vector (PDG2Vec) based on program dependence graphs (PDGs) to tackle these challenges. PDG2Vec extracts function features at the variable level on PDG and assesses function similarity by evaluating whether two functions can represent each other. We conducted evaluations using three data sets, including one we created to simulate a firmware supply chain scenario. The experimental results demonstrate that PDG2Vec exhibits resilience to cross-architecture challenges and captures more precise semantics than other approaches. Furthermore, PDG2Vec outperforms state-of-the-art tools in the supply chain analysis scenario, with a 16% higher area under the curve (AUC) value average against baseline approaches.

Fanzhi Meng,Yuan Liu,Chunrui Zhang,Dong Liu

DOI: https://doi.org/10.2991/icmmita-15.2015.137

2015-01-01

Abstract:Protocol format reverse based on communication data has played an important role in the fields of network security and information countermeasures. In this paper, a format reverse analysis method for binary communication protocol which based on probability alignment and differential analysis of statistic is proposed. The method adopts the data set of protocol frame as analysis object, and makes the corresponding fields in protocol frame aligned accurately by probability alignment algorithm firstly, and then identifies the boundary of adjacent fields in the frame according to the different features of various statistics, and finally reverses the communication protocol format specification. The experimental results show that the method can effectively identify the format specification of binary communication protocol and semantics specification for some fields in protocol frame format.

Lixin Li,Chao Wang

DOI: https://doi.org/10.1007/978-3-642-40787-1_31

2013-01-01

Abstract:Dynamic analysis techniques have made a significant impact in security practice, e.g. by automating some of the most tedious processes in detecting vulnerabilities. However, a significant gap remains between existing software tools and what many security applications demand. In this paper, we present our work on developing a cross-platform interactive analysis tool, which leverages techniques such as symbolic execution and taint tracking to analyze binary code on a range of platforms. The tool builds upon IDA, a popular reverse engineering platform, and provides a unified analysis engine to handle various instruction sets and operating systems. We have evaluated the tool on a set of real-world applications and shown that it can help identify the root causes of security vulnerabilities quickly.