Research on Taint Backtracking Reverse Analysis Method of Network Encoding Protocol

doi:10.3969/j.issn.1671-1122.2017.01.011

Abstract

Abstract:

This paper proposes a method of taint backtracking. Firstly, this method carries on the dynamic debugging to the network application procedure, locates network interface functions and network output buffers, determines the single minimum execution trajectory interval. Secondly, it performs all of the initial memory addresses in the track section by performing a path analysis calculation. And then the memory cache is applied to the application program, and the entrance state of the trajectory interval is buffered and restored after a single execution of the calculation. Finally, the address of the memory data before coding is obtained by the pollution source localization algorithm. Experimental results show that this method can effectively locate the pre-coding memory address, and it is suitable for different types of coding protocols, including encryption, compression and verification. On the one hand, this method can analyze the syntax information of the encoding protocol by using the memory data before encoding, and improve the syntax analysis ability of the encoding protocol. On the other hand, using the encoding function entry address and the pre-coding memory address, it can generate the network protocol test data that can be detected through integrity, and improve the capabilities of vulnerabilities discovery of the encoding protocol.

Key words: protocol reverse, encoding protocol, taint backtracking

CLC Number:

TP393

Junfeng GAO, Yuefeng ZHANG, Senlin LUO, Ji ZHANG. Research on Taint Backtracking Reverse Analysis Method of Network Encoding Protocol[J]. Netinfo Security, 2017, 17(1): 68-76.

Figures/Tables 14

References 18

[1]	WANG Zhi, JIANG Xuxian, CUI Wweidong, et al.ReFormat: Automatic Reverse Engineering of Encrypted Messages[C]//Alcatel-Lucent Bell Labs France. 14th European Conference on Research in Computer Security, September 21-23, 2009, Saint-Malo, France. Berlin: Springer, 2009:200-215.
[2]	CABALLERO J, POOSANKAM P, KREIBICH C, et al.Dispatcher: Enabling Active Botnet Infiltration Using Automatic Protocol Reverse-engineering[C]//ACM. 2009 ACM Conference on Computer and Communications Security, November 9-13, 2009, Chicago, Illinois, USA. New York: ACM, 2009: 621-634.
[3]	CABALLERO J, SONG D.Automatic Protocol Reverse-engineering: Message Format Extraction and Field Semantics Inference[J]. Computer Networks, 2013, 57(2): 451-474.
[4]	GRÖBERT F, WILLEMS C, HOLZ T. Automated Identification of Cryptographic Primitives in Binary Programs[C]//Communications Research Centre Canada. 14th International Conference on Recent Advances in Intrusion Detection, September 20-21, 2011, Menlo Park, CA, USA. Berlin: Springer, 2011: 41-60.
[5]	LI Meijian, WANG Yongjun, XIE Peidai, et al.Reverse Analysis of Secure Communication Protocol Based on Taint Analysis[C]//IET. 2014 Communications Security Conference, May 22-24, 2014, Beijing, China. Herts: IET, 2014: 1-8.
[6]	李程,魏强,彭建山,等. 基于分解重构的网络软件测试数据生成方法[J]. 计算机科学,2013,40(10):108-113.
[7]	LIN Wei, FEI Jinlong, ZHU Yuefei, et al.A Method of Multiple Encryption and Sectional Encryption Protocol Reverse Engineering[C]//IEEE. 2014 Tenth International Conference on Computational Intelligence and Security, November 15-16, 2014, Kunming, Yunnan, China. New Jersey: IEEE, 2014: 420-424.
[8]	SoftICE. Softice Corporation[EB/OL]. , 2016-9-11.
[9]	WinDbg Microsoft. Software Diagnostics Services[EB/OL]. , 2016-9-11.
[10]	OllyDbg. Oley Yuschuk[EB/OL]. , 2016-9-10.
[11]	Atom. ATOM[EB/OL]., 2016-9-11.
[12]	Intel. A Dynamic Binary Instrumentation Tool[EB/OL]. , 2016-9-10.
[13]	Valgrind. Valgrind[EB/OL] .
[14]	郭亮,罗森林,潘丽敏. 编码函数交叉定位网络协议测试数据生成方法研究[J]. 信息网络安全,2016(3):8-14.
[15]	石小龙,祝跃飞,刘龙,等. 加密通信协议的一种逆向分析方法[J]. 计算机应用研究,2015,32(1):214-217.
[16]	宋铮,王永剑,金波,等. 二进制程序动态污点分析技术研究综述[J]. 信息网络安全,2016(3):77-83.
[17]	ZHAO Ruoxu, GU Dawu, LI Juanru, et al.Automatic Detection and Analysis of Encrypted Messages in Malware[C]//IACR. The 9th International Conference on Information Security and Cryptology, November 27-30, 2013, Guangzhou, China. Berlin: Springer, 2014: 101-117.
[18]	郑丽芬,辛阳. 基于DPI的即时通信软件协议分析与实现[J].信息网络安全,2016(1):51-58.