CLC number: TP311
On-line Access: 2023-03-25
Received: 2022-06-25
Revision Accepted: 2023-03-25
Crosschecked: 2022-11-09
https://orcid.org/0000-0001-9273-616X
Jianxin HUANG, Bo YU, Runhao LIU, Jinshu SU. Automatic discovery of stateful variables in network protocol software based on replay analysis[J]. Frontiers of Information Technology & Electronic Engineering, 2023, 24(3): 403-416.
@article{huang2023automatic,
  title="Automatic discovery of stateful variables in network protocol software based on replay analysis",
  author="Jianxin HUANG and Bo YU and Runhao LIU and Jinshu SU",
  journal="Frontiers of Information Technology & Electronic Engineering",
  volume="24",
  number="3",
  pages="403-416",
  year="2023",
  publisher="Zhejiang University Press & Springer",
  doi="10.1631/FITEE.2200275"
}
Abstract: Network protocol software is usually characterized by complicated functions and a vast state space. In this type of program, a massive number of stateful variables, which represent the evolution of the states and store information about the sessions, are prone to potential flaws caused by violations of protocol specification requirements and program logic. Discovering such variables is significant for discovering and exploiting vulnerabilities in protocol software, yet it still requires extensive manual verification. In this paper, we propose a novel method that automatically discovers the use of stateful variables in network protocol software. The core idea is that a stateful variable carries information about the communication entities and the software states, so it exists as a global or static variable during program execution. By recording and replaying a protocol program's execution, the variables that appear over its life cycle can be tracked with dynamic instrumentation. Drawing on existing vulnerability knowledge, we formulate rules along multiple dimensions to determine whether the data stored in critical memory areas have stateful characteristics. We also implement a prototype system that discovers stateful variables automatically and run it on nine programs from ProFuzzBench and two complex real-world software programs. With the help of the available open-source code, the evaluation results show that the average true positive rate (TPR) reaches 82% and the average precision reaches approximately 96%.
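To make the core idea concrete, the following added Python example (not the paper's prototype and not its rule set) replays a constructed message trace against a toy login handler whose session state lives in module globals, snapshots those globals after every message, and reports the ones whose value changes between messages as stateful-variable candidates. The single "changes between consecutive messages" rule and the handler itself are assumptions standing in for the paper's multi-dimensional rules and real protocol targets.

```python
import copy

# Handler under analysis: its globals model the protocol's state space.
MAX_ATTEMPTS = 3             # configuration constant, never written at runtime
VALID = {"alice": "s3cret"}  # constructed credential table for the toy handler
session_state = "INIT"       # protocol phase: INIT -> USER -> AUTHED
current_user = None          # information about the communicating peer
failed_logins = 0            # counter carried across the messages of a session
TRACKED = ("MAX_ATTEMPTS", "session_state", "current_user", "failed_logins")

def reset():
    """Restore the handler's globals so every replay starts from a known state."""
    global session_state, current_user, failed_logins
    session_state, current_user, failed_logins = "INIT", None, 0

def handle(msg):
    """Process one protocol message and return the response line."""
    global session_state, current_user, failed_logins
    verb, _, arg = msg.partition(" ")
    if verb == "USER" and session_state == "INIT":
        current_user, session_state = arg, "USER"
        return "331 need PASS"
    if verb == "PASS" and session_state == "USER":
        if VALID.get(current_user) == arg:
            session_state = "AUTHED"
            return "230 ok"
        failed_logins += 1
        session_state = "INIT"
        return "530 denied" if failed_logins < MAX_ATTEMPTS else "421 closing"
    return "500 bad sequence"

def snapshot():
    """Copy the tracked globals: the 'critical memory area' inspected at each step."""
    return {k: copy.deepcopy(globals()[k]) for k in TRACKED}

def replay(trace):
    """Replay a recorded message trace, snapshotting the globals after every message."""
    reset()
    snaps, responses = [snapshot()], []
    for msg in trace:
        responses.append(handle(msg))
        snaps.append(snapshot())
    return responses, snaps

def stateful_candidates(snaps):
    """Assumed rule for this example: a global is a stateful-variable candidate
    if its value differs between at least one pair of consecutive snapshots."""
    return sorted(k for k in TRACKED
                  if any(a[k] != b[k] for a, b in zip(snaps, snaps[1:])))

# Constructed session trace, standing in for one recorded from a live run.
TRACE = ["USER alice", "PASS wrong", "USER alice", "PASS s3cret"]
```

Running `replay(TRACE)` and passing the snapshots to `stateful_candidates` reports the three session-carrying globals and leaves the configuration constant out.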