CLC number: TP311
On-line Access: 2023-03-25
Received: 2022-06-25
Revision Accepted: 2023-03-25
Crosschecked: 2022-11-09
https://orcid.org/0000-0001-9273-616X
Jianxin HUANG, Bo YU, Runhao LIU, Jinshu SU. Automatic discovery of stateful variables in network protocol software based on replay analysis [J]. Frontiers of Information Technology & Electronic Engineering, in press. https://doi.org/10.1631/FITEE.2200275
Automatic discovery of stateful variables in network protocol software based on replay analysis
1 College of Computer, National University of Defense Technology, Changsha 410073, China
2 Academy of Military Sciences, Beijing 100091, China
Abstract: Network protocol software typically has complex program paths and a very large state space. Such programs usually contain key variables that carry state, recording the protocol state and session information. If these stateful variables are mishandled, the implementation is likely to violate the protocol specification, producing logic errors that lead to latent defects or vulnerabilities in the protocol software. Existing program analysis techniques have difficulty discovering stateful variables in network protocol software and offer a low degree of automation; to address this, this paper proposes a stateful-variable identification method based on replay analysis. Since stateful variables mainly reflect the parameters of the two communicating parties and the state of the program, variables with these characteristics usually persist in the process as global or static variables. The method records and replays the execution trace of the protocol software and uses dynamic instrumentation to analyze the state characteristics of global and static variables in key memory regions as the protocol state and the software state change, then applies a set of rules to filter the candidates and decide which are stateful. On this basis, a prototype system that automatically discovers stateful variables was designed and implemented, and it was tested on 9 programs from ProFuzzBench and 2 complex real-world protocol implementations. Experimental results show that the average true positive rate (TPR) reaches 82% and the average accuracy reaches about 96%.
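The rule-based filtering step the abstract describes, as an added illustration that is not the paper's prototype: it assumes two deterministic replays of the same recorded session, snapshots of global/static variables taken at each message, and two constructed rules (values must agree across replays, and must change only when the protocol state changes); the FTP-like trace and variable names are constructed for this example.

```python
from dataclasses import dataclass
from typing import Dict, List, Set


@dataclass
class Snapshot:
    """Values of global/static variables captured at one point of a replay."""
    state: str              # protocol state label at capture time
    vars: Dict[str, int]    # constructed: variable name -> value in the global/static region


def stateful_candidates(replay_a: List[Snapshot], replay_b: List[Snapshot]) -> Set[str]:
    """Return variables that behave like protocol/session state under the assumed rules."""
    if len(replay_a) != len(replay_b):
        raise ValueError("both replays must cover the same recorded trace")
    names = set(replay_a[0].vars)
    # Rule 1 (assumed): a value that differs between two replays of the same trace is
    # nondeterministic (timers, addresses), so it cannot encode protocol state.
    deterministic = {n for n in names
                     if all(sa.vars[n] == sb.vars[n] for sa, sb in zip(replay_a, replay_b))}
    result: Set[str] = set()
    for n in deterministic:
        changed_once, aligned = False, True
        for prev, cur in zip(replay_a, replay_a[1:]):
            if prev.vars[n] != cur.vars[n]:
                changed_once = True
                if prev.state == cur.state:
                    # Rule 2 (assumed): changing while the protocol state is unchanged marks a
                    # plain counter or buffer, not a stateful variable.
                    aligned = False
                    break
        # Constants that never change (configuration) are excluded as well.
        if changed_once and aligned:
            result.add(n)
    return result


def _trace(tick_base: int) -> List[Snapshot]:
    """Constructed snapshots after connect, USER, PASS, PWD and QUIT of an FTP-like server."""
    seq = [("INIT", 0, 0, 0), ("USER_OK", 1, 0, 12), ("LOGGED_IN", 2, 1, 24),
           ("LOGGED_IN", 2, 1, 29), ("CLOSED", 3, 1, 35)]
    return [Snapshot(st, {"cur_state": cs, "logged_in": li, "bytes_recv": br,
                          "max_clients": 10, "last_tick": tick_base + i})
            for i, (st, cs, li, br) in enumerate(seq)]


REPLAY_A = _trace(1000)   # last_tick is a wall-clock read, so it differs per replay
REPLAY_B = _trace(2000)

if __name__ == "__main__":
    print(sorted(stateful_candidates(REPLAY_A, REPLAY_B)))   # ['cur_state', 'logged_in']
```

bytes_recv is dropped because it grows on the PWD message without a state change, max_clients because it never changes, and last_tick because the two replays disagree on it.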
Journal of Zhejiang University-SCIENCE, 38 Zheda Road, Hangzhou 310027, China
Tel: +86-571-87952783; E-mail: cjzhang@zju.edu.cn
Copyright © 2000 - 2024 Journal of Zhejiang University-SCIENCE