信息网络安全 ›› 2017, Vol. 17 ›› Issue (1): 68-76.doi: 10.3969/j.issn.1671-1122.2017.01.011

• • 上一篇    下一篇

网络编码协议污点回溯逆向分析方法研究

高君丰1,2, 张岳峰1,3, 罗森林1(), 张笈1   

  1. 1.北京理工大学信息系统及安全对抗实验中心,北京 100081
    2. 中国人民解放军92785部队,河北秦皇岛 066200
    3. 中国人民解放军装甲兵学院,安徽蚌埠 233000
  • 收稿日期:2016-11-27 出版日期:2017-01-20 发布日期:2020-05-12
  • 作者简介:

    作者简介: 高君丰(1987—),男,河北,硕士研究生,主要研究方向为信息安全、数据挖掘;张岳峰(1989—),男,山东,硕士研究生,主要研究方向为信息安全、数据挖掘;罗森林(1968—),男,河北,教授,博士,主要研究方向为信息安全、数据挖掘、文本安全、媒体安全;张笈(1968—),男,陕西,副教授,硕士,主要研究方向为信息安全。

  • 基金资助:
    国家242信息安全计划[2005C48]

Research on Taint Backtracking Reverse Analysis Method of Network Encoding Protocol

Junfeng GAO1,2, Yuefeng ZHANG1,3, Senlin LUO1(), Ji ZHANG1   

  1. 1. Information System and Security & Countermeasures Experimental Center, Beijing Institute of Technology, Beijing 100081, China
    2. Unit 92785 of PLA, Qinhuangdao Hebei 066200, China
    3. Armored Force Academy of PLA, Bengbu Anhui 233000, China
  • Received:2016-11-27 Online:2017-01-20 Published:2020-05-12

摘要:

文章提出一种污点回溯方法,该方法首先对网络应用程序进行动态调试,定位网络接口函数和网络输出缓冲区,确定单次最小执行轨迹区间;然后通过执行轨迹分析计算执行轨迹区间内的所有初始内存地址;接着对应用程序进行内存快照,缓存执行轨迹区间的入口状态,并在单次执行计算之后进行恢复;最后通过污染源定位算法获取编码前的内存数据地址。实验结果表明,该方法能有效定位编码前内存地址,适用于包括加密、压缩、校验等不同类型的编码协议。通过该方法一方面可以利用编码前的内存数据分析编码协议的语法信息,提高对编码协议的语法分析能力;另一方面,利用编码函数入口地址及编码前内存地址,生成能通过完整性检测的网络协议测试数据,提高对编码协议的漏洞挖掘能力。

关键词: 协议逆向, 编码协议, 污点回溯

Abstract:

This paper proposes a method of taint backtracking. Firstly, this method carries on the dynamic debugging to the network application procedure, locates network interface functions and network output buffers, determines the single minimum execution trajectory interval. Secondly, it performs all of the initial memory addresses in the track section by performing a path analysis calculation. And then the memory cache is applied to the application program, and the entrance state of the trajectory interval is buffered and restored after a single execution of the calculation. Finally, the address of the memory data before coding is obtained by the pollution source localization algorithm. Experimental results show that this method can effectively locate the pre-coding memory address, and it is suitable for different types of coding protocols, including encryption, compression and verification. On the one hand, this method can analyze the syntax information of the encoding protocol by using the memory data before encoding, and improve the syntax analysis ability of the encoding protocol. On the other hand, using the encoding function entry address and the pre-coding memory address, it can generate the network protocol test data that can be detected through integrity, and improve the capabilities of vulnerabilities discovery of the encoding protocol.

Key words: protocol reverse, encoding protocol, taint backtracking

中图分类号: