SEEKER: A Root Cause Analysis Method Based on Deterministic Replay for Multi-Type Network Protocol Vulnerabilities.

Runhao Liu, Bo Yu, Baosheng Wang, Jianbin Ye, Jianxin Huang, Xiangdong Kong
DOI: https://doi.org/10.1109/trustcom56396.2022.00029
2022-01-01
Abstract: Various types of network protocol software vulnerabilities often result in considerable damage. However, existing root cause analysis methods, which rely on symbolic path tracing and the hardware processor tracing (PT) function, cannot be applied in protocol software. They are also limited by the restricted resources of embedded platforms and symbolic execution ability. Additionally, manually analysing vulnerabilities is typically labour intensive. To solve this problem, we propose SEEKER, the first root cause analysis method based on deterministic replay for multi-type network protocol vulnerabilities to automatically generate vulnerability analysis reports. By proposing a multilayer semantic model, SEEKER extracts fine-grained semantics, compares the extracted semantics with predefined vulnerability rules and finally generates an analysis report. We implemented and evaluated SEEKER against 7 vulnerability types, across 4 real-world software programs, covering 2 different platforms. The experimental results show that SEEKER can identify the root causes of multi-type vulnerabilities and even find 3 new 0-day vulnerabilities. Meanwhile, SEEKER demonstrates impressive adaptability and scalability. It can analyse one execution path that involves up to 135,437,793 instructions and upwards of 15,893,356 memory access requests.