Automatic Protocol Format Reverse Engineering through Context-Aware Monitored Execution

Proceedings of the Symposium on Network and Distributed System Security, NDSS 2008

Volumn , Issue , 2008, Pages

  Lin, Zhiqiang ^a   Jiang, Xuxian ^b   Xu, Dongyan ^a   Zhang, Xiangyu ^a  

^a PURDUE UNIVERSITY   (United States)

^b George Mason University   (United States)

Author keywords

[No Author keywords available]

Indexed keywords

HTTP; HYPERTEXT SYSTEMS; INTERNET PROTOCOLS; NETWORK SECURITY; SEMANTICS;

CONTEXT-AWARE; ERROR PRONES; EXECUTION CONTEXT; FLAT STRUCTURES; HIGH-ACCURACY; IN NETWORKS; MANUAL PROCESS; PROGRAM SEMANTICS; PROTOCOL FIELD; PROTOCOL MESSAGE;

REVERSE ENGINEERING;

EID: 74049090626     PISSN: None     EISSN: None     Source Type: Conference Proceeding    
DOI: None     Document Type: Conference Paper

References (31)

1. How Samba Was Written. http://samba.org/ftp/tridge/misc/french cafe.txt.
2. QEMU: an open source processor emulator. http://www.qemu.org/.
3. The Protocol Informatics Project. http://www.baselineresearch.net/PI/.
4. The SNORT network intrusion detection system. http://www.snort.org.
5. Wireshark: The World’s Most Popular Network Protocol Analyzer. http://www.wireshark.org/.
6. PUD: Peer-To-Peer UDP Distributed Denial of Service. http://www.packetstormsecurity.org/distributed/pud.tgz, 2002.
7. N. Borisov, D. Brumley, H. J. Wang, J. Dunagan, P. Joshi, and C. Guo. A generic application-level protocol analyzer and its language. In Proceedings of the 14th Annual Network and Distributed System Security Symposium (NDSS’07), San Diego, CA, February 2007.
8. D. Brumley, J. Caballero, Z. Liang, J. Newsome, and D. Song. Towards automatic discovery of deviations in binary implementations with applications to error detection and fingerprint generation. In In Proceedings of the 16th USENIX Security Symposium (Security’07), Boston, MA, August 2007.
9. J. Caballero and D. Song. Polyglot: Automatic extraction of protocol format using dynamic binary analysis. In Proceedings of the 14th ACM Conference on Computer and and Communications Security (CCS’07), 2007.
10. J. Chow, B. Pfaff, K. Christopher, and M. Rosenblum. Understanding data lifetime via whole-system simulation. 2004.
11. J. R. Crandall, S. F. Wu, and F. T. Chong. Minos: Architectural support for protecting control data. ACM Trans. Archit. Code Optim., 3(4):359-389, 2006.
12. W. Cui, J. Kannan, and H. J. Wang. Discoverer: Automatic protocol reverse engineering from network traces. In Proceedings of the 16th USENIX Security Symposium (Security’ 07), Boston, MA, August 2007.
13. W. Cui, V. Paxson, N. Weaver, and R. H. Katz. Protocolindependent adaptive replay of application dialog. In Proceedings of the 13th Annual Network and Distributed System Security Symposium (NDSS’06), San Diego, CA, February 2006.
14. W. Cui, M. Peinado, H. J. Wang, and M. Locasto. Shieldgen: Automatic data patch generation for unknown vulnerabilities with informed probing. In In Proceedings of 2007 IEEE Symposium on Security and Privacy, Oakland, CA, May 2007.
15. M. Egele, C. Kruegel, E. Kirda, H. Yin, and D. Song. Dynamic spyware analysis. In Proceedings of the 2007 USENIX Annual Technical Conference (Usenix’07), June 2007.
16. X. Jiang, D. Xu, H. J. Wang, and E. H. Spafford. Virtual Playgrounds forWorm Behavior Investigation. Proceedings of the 8th International Symposium on Recent Advances in Intrusion Detection, Sept. 2005.
17. C. Leita, M. Dacier, and F. Massicotte. Automatic handling of protocol dependencies and reaction to 0-day attacks with scriptgen based honeypots. In 9th International Symposium on Recent Advances in Intrusion Detection (RAID’06), pages 185-205, 2006.
18. C. Leita, K. Mermoud, and M. Dacier. Scriptgen: an automated script generation tool for honeyd. In Proceedings of the 21st Annual Computer Security Applications Conference (ACSAC’05), pages 203-214, Washington, DC, USA, 2005.
19. C.-K. Luk, R. Cohn, R. Muth, H. Patil, A. Klauser, G. Lowney, S.Wallace, V. J. Reddi, and K. Hazelwood. Pin: building customized program analysis tools with dynamic instrumentation. In Proceedings of ACM SIGPLAN Conference on Programming Language Design and Implementation (PLDI’05), pages 190-200, 2007.
20. J. Ma, K. Levchenko, C. Kreibich, S. Savage, and G. M. Voelker. Unexpected means of protocol inference. In Proceedings of the 6th ACM SIGCOMM on Internet measurement (IMC’06), pages 313-326, New York, NY, USA, 2006. ACM Press.
21. N. Nethercote and J. Seward. Valgrained: a framework for heavyweight dynamic binary instrumentation. In Proceedings of ACM SIGPLAN Conference on Programming Language Design and Implementation (PLDI’07), San Diego, California, USA, 2007. ACM Press.
22. J. Newsome, D. Brumley, J. Franklin, and D. Song. Replayer: Automatic protocol replay by binary analysis. In Proceedings of the 13th ACM Conference on Computer and and Communications Security (CCS’06), 2006.
23. J. Newsome and D. Song. Dynamic taint analysis for automatic detection, analysis, and signature generation of exploits on commodity software. In Proceedings of the 14th Annual Network and Distributed System Security Symposium (NDSS’05), San Diego, CA, February 2005.
24. V. Paxson. Bro: A System for Detecting Network Intruders in Real-Time. Computer Networks, 31(23-24):2345-2463, 1999.
25. F. Perriot and P. Szor. An Analysis of the Slapper Worm Exploit. http://securityresponse.symantec.com/avcenter/reference/ analysis.slapper.worm.pdf.
26. G. E. Suh, J. W. Lee, D. Zhang, and S. Devadas. Secure program execution via dynamic information flow tracking. In Proceedings of International Conference on Architectural Support for Programming Languages and Operating Systems (ASPLOS’04), Boston, Massachusetts, 2004.
27. P. Vogt, F. Nentwich, N. Jovanovic, E. Kirda, C. Kruegel, and G. Vigna. Cross site scripting prevention with dynamic data tainting and static analysis. In Proceedings of the 14th Annual Network and Distributed System Security Symposium (NDSS’07), San Diego, CA, February 2007.
28. H. J. Wang, C. Guo, D. R. Simon, and A. Zugenmaier. Shield: vulnerability-driven network filters for preventing known vulnerability exploits. In Proceedings of ACM SIGCOMM '04, pages 193-204, 2004.
29. X. Wang, Z. Li, J. Xu, M. K. Reiter, C. Kil, and J. Y. Choi. Packet vaccine: Black-box exploit detection and signature generation. In Proceedings of the 13th ACM Conference on Computer and Communication Security (CCS’06), pages 37-46, New York, NY, USA, 2006. ACM Press.
30. G. Wondracek, P. M. Comparetti, C. Kruegel, and E. Kirda. Automatic Network Protocol Analysis. Proceedings of the 15th Annual Network and Distributed System Security Symposium (NDSS’08), Feb. 2008.
31. H. Yin, D. Song, E. Manuel, C. Kruegel, and E. Kirda. Panorama: Capturing system-wide information flow for malware detection and analysis. In Proceedings of the 14th ACM Conferences on Computer and Communication Security (CCS’07), October 2007.