基于数据流分析的网络协议逆向解析技术

doi:10.3724/SP.J.1087.2013.01217

计算机应用 ›› 2013, Vol. 33 ›› Issue (05): 1217-1221.DOI: 10.3724/SP.J.1087.2013.01217

基于数据流分析的网络协议逆向解析技术

戴理,舒辉,黄荷洁

信息工程大学,郑州 450000

收稿日期:2012-11-27 修回日期:2012-12-27 出版日期:2013-05-01 发布日期:2013-05-08
通讯作者: 戴理
作者简介:戴理(1987-),男,河南洛阳人,硕士研究生,主要研究方向:网络及信息安全; 舒辉(1974-),男,江苏盐城人,副教授,博士,主要研究方向:并行计算、网络与信息安全; 黄荷洁(1989-),男,陕西宝鸡人,硕士研究生,主要研究方向:软件逆向工程。

Network protocol reverse parsing technique based on dataflow analysis

DAI Li,SHU Hui,HUANG Hejie

Information Engineering University, Zhengzhou Henan 450000, China

Received:2012-11-27 Revised:2012-12-27 Online:2013-05-08 Published:2013-05-01
Contact: DAI Li

摘要/Abstract

摘要： 对未知网络协议进行逆向解析在网络安全应用中具有重要的意义。现有的协议逆向解析方法大都存在无法处理加密协议和无法获取协议字段语义信息的问题。针对这一问题，提出并实现了一种基于数据流分析的网络协议解析技术。该技术依托动态二进制插桩平台Pin下编写的数据流记录插件，以基于数据关联性分析的数据流跟踪技术为基础，对软件使用的网络通信协议进行解析，获取协议的格式信息，以及各个协议字段的语义。实验结果证明，该技术能够正确解析出软件通信的协议格式，并提取出各个字段所对应的程序行为语义，尤其对于加密协议有不错的解析效果，达到了解析网络协议的目的。

关键词: 数据流分析, 网络协议逆向, 加密协议解析, 动态二进制插桩, 协议字段语义

Abstract: Reverse parsing unknown network protocol is of great significance in many network security applications. Most of the existing protocol reverse parsing methods can not handle the encryption protocol or get the semantic information of the protocol field. To solve this problem, a network protocol parsing technique based on dataflow analysis was proposed. According to the data flow recording tool developed on Pin platform, it could parse the network protocol with the aid of the dependence analysis based data flow tracking technology, as well as obtain the protocol format and semantic information of each protocol field. The experimental results show that the technique can parse out the protocol format correctly, especially for the encryption protocol, and extract the program behavior semantics of each protocol field.

Key words: dataflow analysis, network protocol reverse, encryption protocol parsing, dynamic binary instrumentation, protocol field semantic

中图分类号:

TP393.08

戴理舒辉黄荷洁. 基于数据流分析的网络协议逆向解析技术[J]. 计算机应用, 2013, 33(05): 1217-1221.

DAI Li SHU Hui HUANG Hejie. Network protocol reverse parsing technique based on dataflow analysis[J]. Journal of Computer Applications, 2013, 33(05): 1217-1221.

参考文献

［1］应凌云,杨轶,冯登国，等. 恶意软件网络协议的语法和行为语义分析方法［J］. 软件学报, 2011, 22(7):1676-1689.

［2］WILLEMS C, HOLZ T, FREILING F C. Toward automated dynamic malware analysis using CWSandbox ［J］. IEEE Security Privacy, 2007, 5(2): 32-39.

［3］CUI W D, PEINADO M, CHEN K, et al. Tupni: automatic reverse engineering of input formats ［C］// CCS 2008:Proceedings of the 15th ACM Conference on Computer and Communications Security. New York: ACM, 2008: 391-402.

［4］MA J, LEVCHENKO K, KREIBICH C, et al. Unexpected means of protocol inference ［C］// Proceedings of the 6th ACM SIGCOMM Conference on Internet Measurement. New York: ACM, 2006:313-326.

［5］SMALL S, MASON J, MONROSE F, et al. To catch a predator: A natural language approach for eliciting malicious payloads ［C］// Security 2008: Proceedings of the 17th USENIX Security Symposium. Berkeley: USENIX Association, 2008: 171-183.

［6］KRUEGEL C, ROBERTSON W, VALEUR F, et al. Static disassembly of obfuscated binaries［C］ // Proceedings of the 13th Conference on USENIX Security Symposium. New York:ACM, 2004:18.

［7］NEWSOME J, SONG D. Dynamic taint analysis for automatic detection, analysis, and signature generation of exploits on commodity software［EB/OL］. ［ 2012-10-01］. http://valgrind.org/docs/newsome2005.pdf.

［8］NICHOLAS N. Dynamic binary analysis and instrumentation or building tools is easy ［D］. Trinity Lane, Cambridge: University of Cambridge, 2004.

［9］周侃. 基于数据流跟踪和库函数识别检测溢出攻击［D］. 上海:上海交通大学, 2011.

［10］王卓. 基于符号执行的二进制代码动态污点分析［D］. 上海:上海交通大学, 2010.

［11］潘璠,吴礼发,杜有翔,等.协议逆向工程研究进展［J］.计算机应用研究, 2011, 28(8): 2801-2806.

［12］何永君,舒辉,熊小兵.基于动态二进制分析的网络协议逆向解析［J］.计算机工程,2010, 36(9): 268-270.

［13］COMPARETTI P M, WONDRACEK G, KRUEGEL C, et al. Prospex: Protocol specification extraction ［C］// SP'09: Proceedings of the 30th IEEE Symposium on Security & Privacy. Washington,DC: IEEE Computer Society, 2009:110-125.

［14］CABALLERO J, YIN H, LIANG Z K, et al. Polyglot: Automatic extraction of protocol message format using dynamic binary analysis［C］// CCS 2007: Proceedings of the 14th ACM Conference on Computer and Communications Security. New York: ACM, 2007:317-329.

基于数据流分析的网络协议逆向解析技术

Network protocol reverse parsing technique based on dataflow analysis

PDF

可视化

摘要/Abstract

引用本文

使用本文

参考文献

相关文章 1

编辑推荐

Metrics