Ma Rongkuan,Zheng Hao,Wang Jingyi,Wang Mufeng,Wei Qiang,Wang Qingxian

DOI: https://doi.org/10.1631/fitee.2000709

IF: 2.526

2022-01-01

Frontiers of Information Technology & Electronic Engineering

Abstract:Proprietary (or semi-proprietary) protocols are widely adopted in industrial control systems (ICSs). Inferring protocol format by reverse engineering is important for many network security applications, e.g., program tests and intrusion detection. Conventional protocol reverse engineering methods have been proposed which are considered time-consuming, tedious, and error-prone. Recently, automatical protocol reverse engineering methods have been proposed which are, however, neither effective in handling binary-based ICS protocols based on network traffic analysis nor accurate in extracting protocol fields from protocol implementations. In this paper, we present a framework called the industrial control system protocol reverse engineering framework (ICSPRF) that aims to extract ICS protocol fields with high accuracy. ICSPRF is based on the key insight that an individual field in a message is typically handled in the same execution context, e.g., basic block (BBL) group. As a result, by monitoring program execution, we can collect the tainted data information processed in every BBL group in the execution trace and cluster it to derive the protocol format. We evaluate our approach with six open-source ICS protocol implementations. The results show that ICSPRF can identify individual protocol fields with high accuracy (on average a 94.3% match ratio). ICSPRF also has a low coarse-grained and overly fine-grained match ratio. For the same metric, ICSPRF is more accurate than AutoFormat (88.5% for all evaluated protocols and 80.0% for binary-based protocols).

Dongxiao Jiang,Chenggang Li,Lixin Ma,Xiaoyu Ji,Yanjiao Chen,Bo Li

DOI: https://doi.org/10.1109/bigdatasecurity-hpsc-ids49724.2020.00015

2020-01-01

Abstract:With the development of network, more and more unkown protocols appear. Network protocols define the rules between network entities and firewall uses network protocol for deep packet detection to prevent intrusions. For detecting these unkown protocols, firewall can’t analyze these protocols, which makes many systems vulnerable. To solve this problem, protocol reverse engineering is getting more and more attention. Protocol reverse engineering is a process that reverses the syntax and grammar of a protocol from its traces of execution codes. It focuses on three protocol features: field boundaries, protocol grammar and state machine. Field boundaries inference is the basis of the protocol reverse engineering, the precision of this process has a big influence on reversing the grammar and state machine. In this paper, we propose a method called ABinfer, which leverage the Field Adjacent information to identify the field boundaries. We evaluate the method on three protocols and the results show that it has a good ability to identify field boundaries of protocols.

Le Yu,Yangyang Liu,Pengfei Jing,Xiapu Luo,Lei Xue,Kaifa Zhao,Yajin Zhou,Ting Wang,Guofei Gu,Sen Nie,Shi Wu

2022-01-01

Abstract:In-vehicle protocols are very important to the security assessment and protection of modern vehicles since they are used in communicating with, accessing, and even manipulating ECUs (Electronic Control Units) that control various vehicle components. Unfortunately, the majority of in-vehicle protocols are proprietary without publicly available documents. Although recent studies proposed methods to reverse engineer the CAN protocol used in the communication among ECUs, they cannot be applied to vehicle diagnostics protocols, which have been widely exploited by attackers to launch remote attacks. In this paper, we propose a novel framework for automatically reverse engineering the diagnostic protocols of vehicles by leveraging professional diagnostic tools. Specifically, we design and develop a new cyber-physical system that uses a set of algorithms to control a programmable robotics arm with the aid of cameras to automatically trigger and capture the messages of diagnostics protocols as well as reverse engineer their formats, semantic meanings, and proprietary formulas required for processing the response messages. We perform a large-scale experiment to evaluate our prototype using 18 real vehicles. It successfully reverse engineers 570 messages (446 for reading sensor values and 124 for controlling components). The experimental results show that our framework achieves high precision in reverse engineering proprietary formulas and obtains much more messages than the prior approach based on app analysis.

Gerardo Canfora,Massimiliano Di Penta

DOI: https://doi.org/10.1109/fose.2007.15

2007-05-01

Abstract:Comprehending and modifying software is at the heart of many software engineering tasks, and this explains the growing interest that software reverse engineering has gained in the last 20 years. Broadly speaking, reverse engineering is the process of analyzing a subject system to create representations of the system at a higher level of abstraction. This paper briefly presents an overview of the field of reverse engineering, reviews main achievements and areas of application, and highlights key open research issues for the future.

Tianxiang Yu,Yang Xin,Yuexin Tao,Bingqing Hou,Hongliang Zhu

DOI: https://doi.org/10.1155/2022/2924479

IF: 1.968

2022-10-08

Security and Communication Networks

Abstract:Network communication protocol reverse engineering is useful for network security, including protocol fuzz testing, botnet command infiltration, and service script generation. Many models have been proposed to generate field boundary, field semantic, state machine, and some other format information from network trace and program execution for text-based protocol and hybrid protocols. However, how to extract format information from network trace data for binary-based protocol still remains a challenging issue. Existing network-trace-based models focus on text-based and hybrid protocols, using tokenization and some other heuristic rules, like field identification, to perform reverse engineering, which makes it hard to apply to binary-based protocol. In this paper, we propose a whole mechanism for binary-based protocol reverse engineering based on auto-encoder models and other clustering algorithms using only network trace data. After evaluation, we set some metrics and compare our model with existing other models, showing its necessity to the field of protocol reverse engineering.

computer science, information systems,telecommunications

bo zhou,yanfen wang,xiaohu yang

DOI: https://doi.org/10.1142/9789812701534_0159

2005-01-01

Abstract:So far most research work done on software reverse engineering is mainly focused on the legacy systems, which are built on obsolete technologies, but contain a lot of information and knowledge about the certain application domain. However, software based on more recent technologies, such as component- based, also raises many issues during comprehension and evolution. Especially, the component models like in J2EE world are based on many technical aspects that make them difficult to understand and use. Thus, the evolution of component-based software becomes an emerging issue in reverse engineering area. In this paper we propose an idea to integrate reverse engineering with more recent systems based on the new technology, component-based, not only restricted to the legacy system. We also extend the existing graph based approaches to reverse engineering such systems. In our approach, the directed graph describes and manages dependencies among the components in the system based on the information extracted from source code, deployment descriptors and configuration files. With this component dependency graph, it helps developers to understand the system better, and ease the succeeding phases of reengineering the system.

Shahed E. Quadir,Junlin Chen,Domenic Forte,Navid Asadizanjani,Sina Shahbazmohamadi,Lei Wang,John Chandy,Mark Tehranipoor

DOI: https://doi.org/10.1145/2755563

IF: 2.013

2016-12-06

ACM Journal on Emerging Technologies in Computing Systems

Abstract:The reverse engineering (RE) of electronic chips and systems can be used with honest and dishonest intentions. To inhibit RE for those with dishonest intentions (e.g., piracy and counterfeiting), it is important that the community is aware of the state-of-the-art capabilities available to attackers today. In this article, we will be presenting a survey of RE and anti-RE techniques on the chip, board, and system levels. We also highlight the current challenges and limitations of anti-RE and the research needed to overcome them. This survey should be of interest to both governmental and industrial bodies whose critical systems and intellectual property (IP) require protection from foreign enemies and counterfeiters who possess advanced RE capabilities.

engineering, electrical & electronic,computer science, hardware & architecture,nanoscience & nanotechnology

Kaizheng Liu,Ming Yang,Zhen Ling,Huaiyu Yan,Yue Zhang,Xinwen Fu,Wei Zhao

DOI: https://doi.org/10.48550/arXiv.2007.11981

2020-07-24

Abstract:IoT security and privacy has raised grave concerns. Efforts have been made to design tools to identify and understand vulnerabilities of IoT systems. Most of the existing protocol security analysis techniques rely on a well understanding of the underlying communication protocols. In this paper, we systematically present the first manual reverse engineering framework for discovering communication protocols of embedded Linux based IoT systems. We have successfully applied our framework to reverse engineer a number of IoT systems. As an example, we present a detailed use of the framework reverse-engineering the WeMo smart plug communication protocol by extracting the firmware from the flash, performing static and dynamic analysis of the firmware and analyzing network traffic. The discovered protocol exposes severe design flaws that allow attackers to control or deny the service of victim plugs. Our manual reverse engineering framework is generic and can be applied to both read-only and writable Embedded Linux filesystems.

Cryptography and Security

Kaizheng Liu,Ming Yang,Zhen Ling,Huaiyu Yan,Yue Zhang,Xinwen Fu,Wei Zhao

DOI: https://doi.org/10.1109/jiot.2020.3036232

IF: 10.6

2021-04-15

IEEE Internet of Things Journal

Abstract:IoT security and privacy has raised grave concerns. Efforts have been made to design tools to identify and understand vulnerabilities of IoT systems. Most of the existing protocol security analysis techniques rely on a well understanding of the underlying communication protocols. In this article, we systematically present the first manual reverse engineering framework for discovering communication protocols of embedded Linux-based IoT systems. We have successfully applied our framework to reverse engineer a number of IoT systems. As an example, we present a detailed use of the framework reverse engineering the WeMo smart plug communication protocol by extracting the firmware from the flash, performing static and dynamic analysis of the firmware, and analyzing network traffic. The discovered protocol exposes severe design flaws that allow attackers to control or deny the service of victim plugs. Our manual reverse engineering framework is generic and can be applied to both read-only and writable embedded Linux filesystems.

computer science, information systems,telecommunications,engineering, electrical & electronic

Zhen Qin,Zeyu Yang,Yangyang Geng,Xin Che,Tianyi Wang,Hengye Zhu,Peng Cheng,Jiming Chen

DOI: https://doi.org/10.1109/infocom52122.2024.10621405

2024-01-01

Abstract:Industrial protocols are widely used in Industrial Control Systems (ICSs) to network physical devices, thus playing a crucial role in securing ICSs. However, most commercial industrial protocols are proprietary and owned by their vendors, which impedes the implementation of protections against cyber threats. In this paper, we design REInPro to Reverse Engineer Industrial Protocols. REInPro is inspired by the fact that the structure of industrial protocols can be determined by a particular field referred to control field. By applying a probabilistic model of network traffic behavior, REInPro automatically identifies the control field and groups the associated network traffic into clusters. REInPro then infers critical semantics of industrial protocols by differentiating the features of corresponding protocol fields. We have experimentally implemented and evaluated REInPro using 8 different industrial protocols across 6 Programmable Logic Controllers (PLCs) belonging to 5 original equipment manufacturers. The experimental results show REInPro to reverse-engineer the formats and semantics of industrial protocols with an average correctness/perfection of 0.70/0.58 and 0.96/0.39.

Marc Fyrbiak,Sebastian Strauß,Christian Kison,Sebastian Wallat,Malte Elson,Nikol Rummel,Christof Paar

DOI: https://doi.org/10.48550/arXiv.1910.01518

2019-10-01

Cryptography and Security

Abstract:Hardware reverse engineering is a universal tool for both legitimate and illegitimate purposes. On the one hand, it supports confirmation of IP infringement and detection of circuit malicious manipulations, on the other hand it provides adversaries with crucial information to plagiarize designs, infringe on IP, or implant hardware Trojans into a target circuit. Although reverse engineering is commonplace in practice, the quantification of its complexity is an unsolved problem to date since both technical and human factors have to be accounted for. A sophisticated understanding of this complexity is crucial in order to provide a reasonable threat estimation and to develop sound countermeasures, i.e. obfuscation transformations of the target circuit, to mitigate risks for the modern IC landscape. The contribution of our work is threefold: first, we systematically study the current research branches related to hardware reverse engineering ranging from decapsulation to gate-level netlist analysis. Based on our overview, we formulate several open research questions to scientifically quantify reverse engineering, including technical and human factors. Second, we survey research on problem solving and on the acquisition of expertise and discuss its potential to quantify human factors in reverse engineering. Third, we propose novel directions for future interdisciplinary research encompassing both technical and psychological perspectives that hold the promise to holistically capture the complexity of hardware reverse engineering.

Leonid Azriel,Julian Speith,Nils Albartus,Ran Ginosar,Avi Mendelson,Christof Paar

DOI: https://doi.org/10.1007/s13389-021-00268-5

2021-07-13

Journal of Cryptographic Engineering

Abstract:<p class="a-plus-plus">The discipline of reverse engineering integrated circuits (ICs) is as old as the technology itself. It grew out of the need to analyze competitor's products and detect possible IP infringements. In recent years, the growing hardware Trojan threat motivated a fresh research interest in the topic. The process of IC reverse engineering comprises two steps: <em class="a-plus-plus">netlist extraction</em> and <em class="a-plus-plus">specification discovery</em>. While the process of netlist extraction is rather well understood and established techniques exist throughout the industry, specification discovery still presents researchers with a plurality of open questions. It therefore remains of particular interest to the scientific community. In this paper, we present a survey of the state of the art in IC reverse engineering while focusing on the specification discovery phase. Furthermore, we list noteworthy existing works on methods and algorithms in the area and discuss open challenges as well as unanswered questions. Therefore, we observe that the state of research on algorithmic methods for specification discovery suffers from the lack of a uniform evaluation approach. We point out the urgent need to develop common research infrastructure, benchmarks, and evaluation metrics.</p>

computer science, theory & methods

Wouter Bokslag

DOI: https://doi.org/10.48550/arXiv.1507.02196

2015-07-08

Cryptography and Security

Abstract:This paper discusses the relevance and potential impact of both RFID and reverse engineering of RFID technology, followed by a discussion of common protocols and internals of RFID technology. The focus of the paper is on providing an overview of the different approaches to reverse engineering RFID technology and possible countermeasures that could limit the potential of such reverse engineering attempts.

Rui Xu,Gaolei Li,Zhaohui Yang,Mingzhe Chen,Yuchen Liu,Jianhua Li

DOI: https://doi.org/10.1109/wcnc57260.2024.10570800

2024-01-01

Abstract:Semantic communication has emerged as a revolutionary paradigm within wireless edge networks, showcasing remarkable communication efficiency. In contrast to traditional bit-level communication systems, semantic communication systems exhibit superior effectiveness and precision, particularly in scenarios characterized by low signal-to-noise ratios (SNR). Nonetheless, the privacy of semantic communication poses a critical challenge that demands attention. Once the attacker intercepts the semantic information through continuous eaves-dropping, the private data would be leaked under adversarial environment. Moreover, in low SNR scenario, joint optimization of anti -eavesdropping and privacy reconstruction has not yet been studied, coupled with the intricate nature of designing a cross-layer semantic protection strategy. To address this concern, this paper presents a covert and reliable semantic communication (CRSC) framework via full-duplex receiver to counter continuous eavesdropper by concealing the entire transmission process. Furthermore, a newly-defined metric, namely covert semantic throughput (CST), is introduced to quantify the system's performance. Furthermore, we formulate the maximization of average CST during the semantic transmission period as a multi-constraint optimization problem. Subsequently, we propose a reinforcement learning (RL)-empowered adaptation algorithm to address the formulated problem. Through simulation results, the effectiveness and feasibility of proposed CRSC framework are demonstrated, with an observed maximum average CST improvement of up to 42% compared to conventional communication systems in the low SNR scenario.

Xinying Chen,Jianping An,Zehui Xiong,Chengwen Xing,Nan Zhao,F. Richard Yu,Arumugam Nallanathan

DOI: https://doi.org/10.1109/comst.2023.3263921

IF: 35.6

2023-01-01

IEEE Communications Surveys & Tutorials

Abstract:Information security has always been a critical issue in wireless networks. Apart from other secure techniques, covert communication emerges as a potential solution to security for wireless networks owing to its high-security level. In covert communication networks, the transmitter hides the transmitted signals into environmental or artificial noise by introducing randomness to avoid detection at the warden. By eliminating the existence of transmitted signals at the warden, information security can be preserved more solidly than other secure transmission techniques, i.e., without noticing the existence. Due to the promising security protection, covert communication has been successfully utilized in tremendous wireless communication scenarios. However, fundamental challenges in its practical implementation still exist, e.g., the effectiveness of randomness utilization, the low signal-to-interference-plus-noise ratio at legitimate users, etc. In this survey, we demonstrate a comprehensive review concentrating on the applications, solutions, and future challenges of covert communications. Specifically, the covert principle and research categories are first introduced. Then, the applications in the networks with different topologies and the effective covert techniques in the existing literature are reviewed. We also discuss the potential implementation of covert communications in future networks and the open challenges.

computer science, information systems,telecommunications

Yapeng Ye,Zhuo Zhang,Fei Wang,Xiangyu Zhang,Dongyan Xu

DOI: https://doi.org/10.14722/ndss.2021.24531

2021-01-01

Abstract:Network protocol reverse engineering is an important challenge with many security applications. A popular kind of method leverages network message traces. These methods rely on pair-wise sequence alignment and/or tokenization. They have various limitations such as difficulties of handling a large number of messages and dealing with inherent uncertainty. In this paper, we propose a novel probabilistic method for network trace based protocol reverse engineering. It first makes use of multiple sequence alignment to align all messages and then reduces the problem to identifying the keyword field from the set of aligned fields. The keyword field determines the type of a message. The identification is probabilistic, using random variables to indicate the likelihood of each field (being the true keyword). A joint distribution is constructed among the random variables and the observations of the messages. Probabilistic inference is then performed to determine the most likely keyword field, which allows messages to be properly clustered by their true types and enables the recovery of message format and state machine. Our evaluation on 10 protocols shows that our technique substantially outperforms the state-of-the-art and our case studies show the unique advantages of our technique in IoT protocol reverse engineering and malware analysis.

Haoqian Zhang,Ao Liu,Yuheng Lu,Ying Sheng,Qianzhu Wu,Zhenzhen Yin,Yiwei Chen,Zairan Liu,Heng Pan,Qi Ouyang

DOI: https://doi.org/10.1142/9789814390460_0019

2013-01-01

Abstract:Synthetic biology is a new branch of interdisciplinary science that has been developed in recent years. The main purpose of synthetic biology is to apply successful principles that have been developed in electronic and chemical engineering to develop basic biological functional modules, and through rational design, develop man-made biological systems that have predicted useful functions. Here, we discuss an important principle in rational design of functional biological circuits: the reverse engineering design. We will use a research project that was conducted at Peking University for the International Genetic Engineering Machine Competition (iGEM) to illustrate the principle: synthesis a cell which has a semi-log dose-response to the environment. Through this work we try to demonstrate the potential application of network engineering in synthetic biology.

Muawia A. Elsadig,Yahia A. Fadlalla

DOI: https://doi.org/10.1109/ieeegcc.2017.8447997

2017-05-01

Abstract:advanced developments in intrusion detection systems (IDS) and computer network technology encourage hackers to find new ways to leak confidential information without being detected. When the interpretation of a security model adopted by a system is violated by a communication between two users, or processes operating on their behalf, it is said that the two users are communicating indirectly or covertly. A network covert channel refers to any communication channel that can be exploited by a process to transfer information in a manner that violates a system&#x27;s security policy. Loopholes in network protocols attract covert channel exploitation. This paper sheds light on network covert channel countermeasures and the most recent detection and prevention methods of such channels. The achievements and limitations of these countermeasures are discussed. The paper further introduces the concept of network covert channel triangle (DSM - Development, Switching, and Micro-protocol); three elements that have the most direct positive impact in a network covert channel environment. In addition, the paper reflects on the challenges such covert channels impose.

Keerthana Gurushankar,Pulkit Grover

DOI: https://doi.org/10.48550/arXiv.2110.00889

2021-10-02

Information Theory

Abstract:In neuroscience, researchers have developed informal notions of what it means to reverse engineer a system, e.g., being able to model or simulate a system in some sense. A recent influential paper of Jonas and Kording, that examines a microprocessor using techniques from neuroscience, suggests that common techniques to understand neural systems are inadequate. Part of the difficulty, as a previous work of Lazebnik noted, lies in lack of formal language. We provide a theoretical framework for defining reverse engineering of computational systems, motivated by the neuroscience context. Of specific interest are recent works where, increasingly, interventions are being made to alter the function of the neural circuitry to both understand the system and treat disorders. Starting from Lazebnik's viewpoint that understanding a system means you can ``fix it'', and motivated by use-cases in neuroscience, we propose the following requirement on reverse engineering: once an agent claims to have reverse-engineered a neural circuit, they subsequently need to be able to: (a) provide a minimal set of interventions to change the input/output (I/O) behavior of the circuit to a desired behavior; (b) arrive at this minimal set of interventions while operating under bounded rationality constraints (e.g., limited memory) to rule out brute-force approaches. Under certain assumptions, we show that this reverse engineering goal falls within the class of undecidable problems. Next, we examine some canonical computational systems and reverse engineering goals (as specified by desired I/O behaviors) where reverse engineering can indeed be performed. Finally, using an exemplar network, the ``reward network'' in the brain, we summarize the state of current neuroscientific understanding, and discuss how computer-science and information-theoretic concepts can inform goals of future neuroscience studies.

Xiao Lu,Ekram Hossain,Taniya Shafique,Shaohan Feng,Hai Jiang,Dusit Niyato

DOI: https://doi.org/10.1109/mnet.011.1900579

IF: 10.294

2020-09-01

IEEE Network

Abstract:With growing security threats to the evolving wireless systems, protecting user privacy becomes progressively challenging. Even if the transmitted information is encrypted and the potential wiretap channel is physically limited, the raw data itself, such as transmitter position and transmission pattern, could expose confidential information. In this context, covert communication that intends to hide the existence of transmission from an observant adversary emerges as a practical solution. However, existing covertness techniques ineluctably consume additional resources such as bandwidth and energy, which burdens system deployment. In view of this concern, we propose an intelligent reflecting surface (IRS)-based approach to enhance communication covertness. The core idea is making use of a smartly controlled metasurface to reshape undesirable propagation conditions which could divulge secret messages. To facilitate the understanding of the proposed idea, we first provide an overview of the state-ofthe- art covert communication techniques. Then, we introduce the fundamentals of IRS and elaborate on how an IRS can be integrated to benefit communication covertness. We also demonstrate a case study of the joint configuration of the IRS and the legitimate transmitter, which is of pivotal importance in designing an IRS-enhanced covert communication system. Finally, we shed light on some open research directions.

computer science, information systems,telecommunications,engineering, electrical & electronic, hardware & architecture