Full Text:   <2935>

Summary:  <350>

CLC number: TP311

On-line Access: 2023-03-25

Received: 2022-06-25

Revision Accepted: 2023-03-25

Crosschecked: 2022-11-09

Cited: 0

Clicked: 18382

Citations:  Bibtex RefMan EndNote GB/T7714

 ORCID:

Jinshu SU

https://orcid.org/0000-0001-9273-616X

Jianxin HUANG

https://orcid.org/0000-0002-8643-7355

Bo YU

https://orcid.org/0000-0001-6576-5555

-   Go to

Article info.
Open peer comments

Frontiers of Information Technology & Electronic Engineering  2023 Vol.24 No.3 P.403-416

http://doi.org/10.1631/FITEE.2200275


Automatic discovery of stateful variables in network protocol software based on replay analysis


Author(s):  Jianxin HUANG, Bo YU, Runhao LIU, Jinshu SU

Affiliation(s):  College of Computer Science and Technology, National University of Defense Technology, Changsha 410073, China; more

Corresponding email(s):   jxin8585@nudt.edu.cn, yubo0615@nudt.edu.cn, runhaoliu@nudt.edu.cn, sjs@nudt.edu.cn

Key Words:  Stateful variables, Network protocol software, Program analysis technology, Network security


Jianxin HUANG, Bo YU, Runhao LIU, Jinshu SU. Automatic discovery of stateful variables in network protocol software based on replay analysis[J]. Frontiers of Information Technology & Electronic Engineering, 2023, 24(3): 403-416.

@article{title="Automatic discovery of stateful variables in network protocol software based on replay analysis",
author="Jianxin HUANG, Bo YU, Runhao LIU, Jinshu SU",
journal="Frontiers of Information Technology & Electronic Engineering",
volume="24",
number="3",
pages="403-416",
year="2023",
publisher="Zhejiang University Press & Springer",
doi="10.1631/FITEE.2200275"
}

%0 Journal Article
%T Automatic discovery of stateful variables in network protocol software based on replay analysis
%A Jianxin HUANG
%A Bo YU
%A Runhao LIU
%A Jinshu SU
%J Frontiers of Information Technology & Electronic Engineering
%V 24
%N 3
%P 403-416
%@ 2095-9184
%D 2023
%I Zhejiang University Press & Springer
%DOI 10.1631/FITEE.2200275

TY - JOUR
T1 - Automatic discovery of stateful variables in network protocol software based on replay analysis
A1 - Jianxin HUANG
A1 - Bo YU
A1 - Runhao LIU
A1 - Jinshu SU
J0 - Frontiers of Information Technology & Electronic Engineering
VL - 24
IS - 3
SP - 403
EP - 416
%@ 2095-9184
Y1 - 2023
PB - Zhejiang University Press & Springer
ER -
DOI - 10.1631/FITEE.2200275


Abstract: 
network protocol software is usually characterized by complicated functions and a vast state space. In this type of program, a massive number of stateful variables that are used to represent the evolution of the states and store some information about the sessions are prone to potential flaws caused by violations of protocol specification requirements and program logic. Discovering such variables is significant in discovering and exploiting vulnerabilities in protocol software, and still needs massive manual verifications. In this paper, we propose a novel method that could automatically discover the use of stateful variables in network protocol software. The core idea is that a stateful variable features information of the communication entities and the software states, so it will exist in the form of a global or static variable during program execution. Based on recording and replaying a protocol program's execution, varieties of variables in the life cycle can be tracked with the technique of dynamic instrument. We draw up some rules from multiple dimensions by taking full advantage of the existing vulnerability knowledge to determine whether the data stored in critical memory areas have stateful characteristics. We also implement a prototype system that can discover stateful variables automatically and then perform it on nine programs in ProFuzzBench and two complex real-world software programs. With the help of available open-source code, the evaluation results show that the average true positive rate (TPR) can reach 82% and the average precision can be approximately up to 96%.

基于重放分析的网络协议软件状态变量自动化发现技术

黄见欣1,喻波1,刘润昊1,苏金树1,2
1国防科技大学计算机学院,中国长沙市,410073
2军事科学院,中国北京市,100091
摘要:网络协议软件通常具有程序路径复杂、状态空间庞大的特点。程序中往往存在着一些带有状态的关键变量,用于记录协议状态和会话信息。这些状态变量一旦处理不当,很可能违背协议规范,进而产生逻辑错误,导致协议软件出现潜在的缺陷或漏洞。本文针对现有程序分析技术难以发现网络协议软件中的状态变量,且自动化程度偏低的问题,提出一种基于重放分析的状态变量识别方法。考虑到状态变量主要反映着通信双方的参数和程序的状态,具有这些特征的变量通常会以全局变量或静态变量的形式,持续存在于进程之中,该方法通过记录和重放协议软件的执行轨迹,运用动态插桩技术,在协议状态和软件状态的变化过程中,分析内存关键区域的全局变量和静态变量的状态特征,并结合规则进行筛选判定。在此基础上,设计并实现了一套能够自动化发现状态变量的原型系统,在ProFuzzBench中的9个程序和2个现实中的复杂协议软件上进行了测试。实验结果显示,平均真正类率(TPR)可达82%,平均准确度可达96%左右。

关键词:状态变量;网络协议软件;程序分析技术;网络安全

Darkslateblue:Affiliate; Royal Blue:Author; Turquoise:Article

Reference

[1]Aviram A, Weng SC, Hu S, et al., 2012. Efficient system-enforced deterministic parallelism. Commun ACM, 55(5):111-119.

[2]Bergan T, Hunt N, Ceze L, et al., 2010. Deterministic process groups in DoS. Proc 9th USENIX Symp on Operating Systems Design and Implementation, p.177-191.

[3]Bruening D, Zhao Q, 2011. Practical memory checking with Dr.Memory. Proc Int Symp on Code Generation and Optimization, p.213-223.

[4]Brumley D, Caballero J, Liang ZK, et al., 2007. Towards automatic discovery of deviations in binary implementations with applications to error detection and fingerprint generation. Proc 16th USENIX Security Symp, p.213-228.

[5]Dolan-Gavitt B, Hodosh J, Hulin P, et al., 2015. Repeatable reverse engineering with PANDA. Proc 5th Program Protection and Reverse Engineering Workshop, Article 4.

[6]Dunlap GW, King ST, Cinar S, et al., 2002. ReVirt: enabling intrusion analysis through virtual-machine logging and replay. ACM SIGOPS Oper Syst Rev, 36(SI):211-224.

[7]Dunlap GW, Lucchetti DG, Fetterman MA, et al., 2008. Execution replay of multiprocessor virtual machines. Proc 4th ACM SIGPLAN/SIGOPS Int Conf on Virtual Execution Environments, p.121-130.

[8]Fioraldi A, D'Elia DC, Balzarotti D, 2021. The use of likely invariants as feedback for fuzzers. Proc 30th USENIX Security Symp, p.2829-2846.

[9]Garmany B, Stoffel M, Gawlik R, et al., 2019. Static detection of uninitialized stack variables in binary code. Proc 24th European Symp on Research in Computer Security, p.68-87.

[10]Giuffrida C, Cavallaro L, Tanenbaum AS, 2013. Practical automated vulnerability monitoring using program state invariants. Proc 43rd Annual IEEE/IFIP Int Conf on Dependable Systems and Networks, p.1-12.

[11]Hower DR, Hill MD, 2008. Rerun: exploiting episodes for lightweight memory race recording. Proc Int Symp on Computer Architecture, p.265-276.

[12]Lee C, Bae J, Lee H, 2018. PRETT: protocol reverse engineering using binary tokens and network traces. Proc 33rd IFIP Int Conf on ICT Systems Security and Privacy Protection, p.141-155.

[13]Li JQ, Li SY, Sun G, et al., 2022. SNPSFuzzer: a fast greybox fuzzer for stateful network protocols using snapshots. IEEE Trans Inform Forens Secur, 17:2673-2687.

[14]Milburn A, Bos H, Giuffrida C, 2017. Safelnit: comprehensive and practical mitigation of uninitialized read vulnerabilities. Proc 24th Annual Network and Distributed System Security Symp.

[15]Montesinos P, Ceze L, Torrellas J, 2008. DeLorean: recording and deterministically replaying shared-memory multiprocessor execution efficiently. ACM SIGARCH Comput Archit News, 36(3):289-300.

[16]Musuvathi M, Engler DR, 2004. Model checking large network protocol implementations. Proc 1st Conf on Symp on Networked Systems Design and Implementation, p.1-12.

[17]Natella R, 2022. StateAFL: greybox fuzzing for stateful network servers. Empir Softw Eng, 27(7):191.

[18]O'Callahan R, Jones C, Froyd N, et al., 2017. Engineering record and replay for deployability. Proc USENIX Conf on Usenix Annual Technical Conf, p.377-389.

[19]Pham V, Böhme M, Roychoudhury A, 2020. AFLNET: a greybox fuzzer for network protocols. Proc 13th Int Conf on Software Testing, Validation and Verification, p.460-465.

[20]Pokam G, Danne K, Pereira C, et al., 2013. QuickRec: prototyping an Intel architecture extension for record and replay of multithreaded programs. ACM SIGARCH Comput Archit News, 41(3):643-654.

[21]Saito Y, 2005. Jockey: a user-space library for record-replay debugging. Proc 6th Int Symp on Automated Analysis-Driven Debugging, p.69-76.

[22]Song CX, Yu B, Zhou X, et al., 2019. SPFuzz: a hierarchical scheduling framework for stateful network protocol fuzzing. IEEE Access, 7:18490-18499.

[23]Stepanov E, Serebryany K, 2015. MemorySanitizer: fast detector of uninitialized memory use in C++. Proc IEEE/ACM Int Symp on Code Generation and Optimization, p.46-55.

[24]Ye D, Sui YL, Xue JL, 2014. Accelerating dynamic detection of uses of undefined values with static value-flow analysis. Proc Annual IEEE/ACM Int Symp on Code Generation and Optimization, p.154-164.

[25]Yu B, Wang PF, Yue T, et al., 2019. Poster: fuzzing IoT firmware via multi-stage message generation. Proc ACM SIGSAC Conf on Computer and Communications Security, p.2525-2527.

Open peer comments: Debate/Discuss/Question/Opinion

<1>

Please provide your name, email address and a comment





Journal of Zhejiang University-SCIENCE, 38 Zheda Road, Hangzhou 310027, China
Tel: +86-571-87952783; E-mail: cjzhang@zju.edu.cn
Copyright © 2000 - 2024 Journal of Zhejiang University-SCIENCE