Polyglot: Automatic extraction of protocol message format using dynamic binary analysis

Proceedings of the ACM Conference on Computer and Communications Security

Volumn , Issue , 2007, Pages 317-329

  Caballero, Juan ^a   Yin, Heng ^a,b   Liang, Zhenkai ^a   Song, Dawn ^a,c  

^a CARNEGIE MELLON UNIVERSITY   (United States)

^b The College of William and Mary   (United States)

^c UNIVERSITY OF CALIFORNIA   (United States)

Author keywords

Binary analysis; Protocol reverse engineering

Indexed keywords

APPLICATION DATA; APPLICATION-LEVEL PROTOCOL; AUTOMATIC EXTRACTION; BINARY ANALYSIS; DIFFERENT PROTOCOLS; MESSAGE FORMAT; NEW APPROACHES; PROGRAM BINARY; PROTOCOL ANALYZERS; PROTOCOL MESSAGE; PROTOCOL PROCESS; PROTOCOL SPECIFICATIONS; REAL-WORLD; SEMANTIC INFORMATION; WEALTH OF INFORMATION; WIRESHARK;

DYNAMIC ANALYSIS; ERROR DETECTION; NETWORK PROTOCOLS; REENGINEERING; REVERSE ENGINEERING;

NETWORK SECURITY;

EID: 77952403312     PISSN: 15437221     EISSN: None     Source Type: Conference Proceeding    
DOI: 10.1145/1315245.1315286     Document Type: Conference Paper

References (37)

1. How Samba Was Written. http://samba.org/ftp/tridge/misc/french.cafe.txt.
2. Icqlib: The ICQ Library. http://kicq.sourceforge.net/icqlib.shtml.
3. Libyahoo2: A C Library for Yahoo! Messenger. http://libyahoo2. sourceforge.net.
4. MSN Messenger Protocol. http://www.hypothetic.org/docs/msn/index.php.
5. Qemu: Open Source Processor Emulator. http://fabrice.bellard.free.fr/ qemu/.
6. Tcpdump. http://www.tcpdump.org/.
7. The UnOfficial AIM/OSCAR Protocol Specification. http://www.oilcan.org/ oscar/.
8. Wireshark, Network Protocol Analyzer. http://www.wireshark.org.
9. M. A. Beddoe. Network Protocol Analysis Using Bioinformatics Algorithms. http://www.baselineresearch.net/PI/.
10. N. Borisov, D. J. Brumley, H. J. Wang, and C. Guo. Generic Application-Level Protocol Analyzer and Its Language. Network and Distributed System Security Symposium, San Diego, CA, February 2007.
11. D. Brumley, J. Caballero, Z. Liang, J. Newsome, and D. Song. Towards Automatic Discovery of Deviations in Binary Implementations with Applications to Error Detection and Fingerprint Generation. USENIX Security Symposium, Boston, MA, August 2007.
12. J. Caballero, S. Venkataraman, P. Poosankam, M. G. Kang, D. Song, and A. Blum. FiG: Automatic Fingerprint Generation. Network and Distributed System Security Symposium, San Diego, CA, February 2007.
13. J. Chow, B. Pfaff, T. Garfinkel, K. Christopher, and M. Rosenblum. Understanding Data Lifetime Via Whole System Simulation. USENIX Security Symposium, San Diego, CA, August 2004.
14. M. Costa, J. Crowcroft, M. Castro, A. Rowstron, L. Zhou, L. Zhang, and P. Barham. Vigilante: End-to-End Containment of Internet Worms. Symposium on Operating Systems Principles, Brighton, United Kingdom, October 2005.
15. J. R. Crandall, S. F. Wu, and F. T. Chong. Minos: Architectural Support for Protecting Control Data. ACM Transactions on Architecture and Code Optimization, December 2006.
16. D. Crocker and P. Overell. Augmented BNF for Syntax Specifications: ABNF. RFC 4234 (Draft Standard), 4234, October 2005.
17. W. Cui, J. Kannan, and H. J. Wang. Discoverer: Automatic Protocol Description Generation from Network Traces. USENIX Security Symposium, Boston, MA, August 2007.
18. W. Cui, V. Paxson, N. C. Weaver, and R. H. Katz. Protocol-Independent Adaptive Replay of Application Dialog. Network and Distributed System Security Symposium, San Diego, CA, February 2006.
19. H. Dreger, A. Feldmann, M. Mai, V. Paxson, and R. Sommer. Dynamic Application-Layer Protocol Analysis for Network Intrusion Detection. USENIX Security Symposium, Vancouver, Canada, July 2006.
20. C. D. Grosso, G. Antoniol, M. D. Penta, P. Galinier, and E. Merlo. Improving Network Applications Security: A New Heuristic to Generate Stress Testing Data. Genetic and Evolutionary Computation Conference, June 2005.
21. P. Haffner, S. Sen, O. Spatscheck, and D. Wang. ACAS: Automated Construction of Application Signatures. ACM SIGCOMM, Workshop on Mining network data, Philadelphia, PA, October 2005.
22. J. Kannan, J. Jung, V. Paxson, and C. E. Koksal. Semi-Automated Discovery of Application Session Structure. Internet Measurement Conference, Rio de Janeiro, Brazil, October 2006.
23. C. Leita, K. Mermoud, and M. Dacier. ScriptGen: An Automated Script Generation Tool for Honeyd. Annual Computer Security Applications Conference, Tucson, AZ, December 2005.
24. J. Lim, T. Reps, and B. Liblit. Extracting Output Formats from Executables. Working Conference on Reverse Engineering, Benevento, Italy, October 2006.
25. J. Ma, K. Levchenko, C. Kreibich, S. Savage, and G. M. Voelker. Unexpected Means of Protocol Inference. Internet Measurement Conference, Rio de Janeiro, Brazil, October 2006.
26. P. McMinn, M. Harman, D. Binkley, and P. Tonella. The Species Per Path Approach to SearchBased Test Data Generation. International Symposium on Software Testing and Analysis, July 2006.
27. P. V. Mockapetris. Domain Names - Implementation and Specification. RFC 1035 (Standard), IETF Request for Comments 1035, November 1987.
28. J. Newsome and D. Song. Dynamic Taint Analysis for Automatic Detection, Analysis, and Signature Generation of Exploits on Commodity Software. Network and Distributed System Security Symposium, San Diego, CA, February 2005.
29. J. Newsome, D. Brumley, and D. Song. Vulnerability-Specific Execution Filtering for Exploit Prevention on Commodity Software. Network and Distributed System Security Symposium, San Diego, CA, February 2006.
30. J. Newsome, D. Brumley, J. Franklin, and D. Song. Replayer: Automatic Protocol Replay By Binary Analysis. ACM Conference on Computer and Communications Security, Alexandria, VA, October 2006.
31. P. Oehlert. Violating Assumptions with Fuzzing. IEEE Security and Privacy, 3 (2), March 2005.
32. R. Pang, M. Allman, M. Bennett, J. Lee, V. Paxson, and B. Tierney. A First Look At Modern Enterprise Traffic. Internet Measurement Conference, Berkeley, CA, October 2005.
33. R. Pang, V. Paxson, R. Sommer, and L. Peterson. Binpac: A Yacc for Writing Application Protocol Parsers. Internet Measurement Conference, Rio de Janeiro, Brazil, October 2006.
34. G. Portokalidis, A. Slowinska, and H. Bos. Argos: An Emulator for Fingerprinting Zero-Day Attacks for Advertised Honeypots with Automatic Signature Generation. ACM SIGOPS Operating Systems Review, 40 (4), October 2006.
35. G. E. Suh, J. W. Lee, D. Zhang, and S. Devadas. Secure Program Execution Via Dynamic Information Flow Tracking. International Conference on Architectural Support for Programming Languages and Operating Systems, Boston, MA, October 2004.
36. P. Vogt, F. Nentwich, N. Jovanovic, E. Kirda, C. Kruegel, and G. Vigna. Cross-Site Scripting Prevention with Dynamic Data Tainting and Static Analysis. Network and Distributed System Security Symposium, San Diego, CA, February 2007.
37. H. Yin, D. Song, E. Manuel, C. Kruegel, and E. Kirda. Panorama: Capturing System-Wide Information Flow for Malware Detection and Analysis. ACM Conference on Computer and Communications Security, Alexandria, VA, October 2007.