Volume 16, Issue 2 (9-2019)                   JSDP 2019, 16(2): 19-40 | Back to browse issues page


XML Persian Abstract Print


Download citation:
BibTeX | RIS | EndNote | Medlars | ProCite | Reference Manager | RefWorks
Send citation to:

Momenian N, Tork Ladani B. Reverse Engineering of Network Software Binary Codes for Identification of Syntax and Semantics of Protocol Messages. JSDP 2019; 16 (2) :19-40
URL: http://jsdp.rcisp.ac.ir/article-1-502-en.html
Abstract:   (3675 Views)

Reverse engineering of network applications especially from the security point of view is of high importance and interest. Many network applications use proprietary protocols which specifications are not publicly available. Reverse engineering of such applications could provide us with vital information to understand their embedded unknown protocols. This could facilitate many tasks including deep protocol inspection in next generation firewalls and analysis of suspicious binary codes.
The goal of protocol reverse engineering is to extract the protocol format and the protocol state machine. The protocol format describes the structure of all messages in protocol and the protocol state machine describes the sequence of messages that the protocol accept. Recently, there has been rising interest in automatic protocol reverse engineering. These works are divided into activities that extract protocol format and activities that extract protocol state machine. They can also be divided into those uses as input network traffic and those uses as input program implements the protocol. However, although there are some researches in this field, they mostly focused on extracting syntactic structure of the protocol messages.
In this paper, some new techniques are presented to improve extracting the format (both the syntax and semantics) of protocol messages via reverse engineering of binary codes of network applications. To do the research, an integration of dynamic and static binary code analysis are used. The field extraction approach first detects length fields and separators and then by applying rules based on compiler principles locates all the fields in the messages. The semantic extraction approach is based on the semantic information available in the program implements of the protocol and also information exists in the environment of the program.
For evaluating the proposed approach, four different network applications including DNS, eDonkey, Modbus, and STUN were analyzed. Experimental results show that the proposed techniques not only could extract more complete syntactic structure of messages than similar works, but also it could extract a set of advantageous semantic information about the protocol messages that are not achievable in previous works.
 

Full-Text [PDF 6020 kb]   (1934 Downloads)    
Type of Study: Research | Subject: Paper
Received: 2017/05/7 | Accepted: 2019/06/30 | Published: 2019/09/17 | ePublished: 2019/09/17

References
1. [1] J. Caballero, D. Song, "Automatic protocol reverse-engineering: Message format extraction and field semantics inference", Computer Networks, vol. 57(2), pp. 451-474, 2013. [DOI:10.1016/j.comnet.2012.08.003]
2. [2] M. Beddoe, "The Protocol Informatics Project", in Toorcon, 2004.
3. [3] W. Cui, J. Kannan, H. J. Wang, "Discoverer: Automatic Protocol Reverse Engineering from Network Traces", in Proceedings of the USENIX Security Symposium, Boston, MA, pp. 199-212, August 2007.
4. [4] Y. Wang, X. Yun, and M. Z. Shafiq, L. Wang, A. X. Liu, Z. Zhang, D. Yao, Y. Zhang, L. Guo, "A semantics aware approach to automated reverse engineering unknown protocols", in 20th IEEE International Conference on Network Protocols (ICNP), pp. 1-10, October 2012. [DOI:10.1109/ICNP.2012.6459963]
5. [5] F. Pan, Z. Hong, Y. Du, L. Wu, "Efficient Protocol Reverse Method Based on Network Trace Analysis", International Journal of Digital Content Technology and its Applications, vol.6(20), 201, November 2012. [DOI:10.4156/jdcta.vol6.issue20.22]
6. [6] G. Bossert, F. Guihéry, and G. Hiet, "Towards automated protocol reverse engineering using semantic information", in Proceedings of the 9th ACM symposium on Information, computer and communications security, pp. 51-62, ACM, June 2014. [DOI:10.1145/2590296.2590346]
7. [7] Luo X, Chen D, Wang Y, Xie P, "A Type-Aware Approach to Message Clustering for Protocol Reverse Engineering", Sensors 19, no. 3, p.716, January 2019. [DOI:10.3390/s19030716] [PMID] [PMCID]
8. [8] S Kleber, H Kopp, F Kargl, "NEMESYS: Network Message Syntax Reverse Engineering by Analysis of the Intrinsic Structure of Individual Messages", in 12th USENIX Workshop on Offensive Technologies (WOOT 18), 2018.
9. [9] F Meng, C Zhang, and G Wu, "Protocol reverse based on hierarchical clustering and probability alignment from network traces", in 2018 IEEE 3rd International Conference on Big Data Analysis (ICBDA), pp. 443-447, IEEE, March 2018. [DOI:10.1109/ICBDA.2018.8367724]
10. [10] K.S. Shim, Y.H. Goo, M.S. Lee, H Hasanova, M.S. Kim, "Inference of network unknown protocol structure using CSP (Contiguous Sequence Pattern) algorithm based on tree structure", in NOMS 2018-2018 IEEE/IFIP Network Operations and Management Sympo-sium, pp. 1-4, IEEE, April 2018. [DOI:10.1109/NOMS.2018.8406311]
11. [11] M.S. Lee, K.S. Shim, Y.H. Goo, M.S. Kim, "A Study on the Method to Extract Clear Fields From the Private Protocol", in 2018 International Conference on Information and Communication Technology Convergence (ICTC), pp. 1397-1402, IEEE, October 2018. [DOI:10.1109/ICTC.2018.8539357]
12. [12] J. Caballero, H. Yin, and Z. Liang, D. Song. "Polyglot: Automatic extraction of protocol message format using dynamic binary analysis", in Proceedings of the 14th ACM conference on Computer and communications security, Alexandria, VA, pp. 317-329, October 2007. [DOI:10.1145/1315245.1315286]
13. [13] Z. Lin, X. Jiang, and D. Xu, X. Zhang, "Automatic Protocol Format Reverse Engineering through Context-Aware Monitored Execution", in Proceedings of the Network and Distributed System Security Symposium (NDSS), San Diego, CA, Vol. 8, pp. 1-15, February 2008.
14. [14] F. Pan, L. F. Wu, and Z. Hong, H. B. Li, H. G. Lai, C. H. Zheng, "Icefex: Protocol Format Extraction from IL-based Concolic Execution", KSII Transactions on Internet & Information Systems, 7(3), 2013. [DOI:10.3837/tiis.2013.03.010]
15. [15] Y. Yang, K. McLaughlin, and S. Sezer, T. Littler, E. G. Im, B. Pranggono, H. F. Wang, "Multiattribute SCADA-specific intrusion detection system for power networks", in IEEE Transactions on Power Delivery, 29(3), 1092-1102, 2014. [DOI:10.1109/TPWRD.2014.2300099]
16. [16] V. Yegneswaran, J. T. Giffin, and P. Barford, S. Jha, "An architecture for generating semantics-aware signatures", in Proceedings of Usenix Security Symposium 2005, pp. 34-43, August 2005. [DOI:10.21236/ADA449063]
17. [17] A. Aho, M. Lam, R. Sethi, and J. D. Ullman, "Compilers: Principles, techniques, and tools", 2nd ed., Addison Wesley, Boston, 2006.
18. [18] "TEMU: The BitBlaze Dynamic Analysis Component", Available: http://bitblaze.cs.berk-eley.edu/temu, [Accessed: March 2019].
19. [19] "Qemu: Open source processor emulator" Available: http://wiki.qemu.org, [Accessed: March 2019].
20. [20] "Buster Sandbox Analyser", Available: http://bsa.isoftware.nl/, [Accessed: March 2019].
21. [21] "IDA Pro", Available: https://www.hex-rays.com, [Accessed: March 2019].
22. [22] "Zynamics, Binnavi- binary code reverse engineering tool", Available: http://www.zyna-mics.com/binnavi.html, [Accessed: March 2019].
23. [23] "Resource Tuner 2.04 - Resource Editor for EXE and DLL Resource Files. Edit Icon Resources, Replace Strings, Change Bitmaps", Available: http://restuner.com/, [Accessed: March 2019].
24. [24] "Wireshark•Go Deep", Available: http-s://www.wireshark.org , [Accessed: March 2019].
25. [25] J. Caballero, D. Song, "Automatic protocol reverse-engineering: Message format extraction and field semantics inference", Computer Networks, 57(2), pp. 451-474, 2013. [DOI:10.1016/j.comnet.2012.08.003]
26. [26] M. Beddoe, "The Protocol Informatics Project", in Toorcon, 2004.
27. [27] W. Cui, J. Kannan, H. J. Wang, "Discoverer: Automatic Protocol Reverse Engineering from Network Traces", in Proceedings of the USENIX Security Symposium, Boston, MA, pp. 199-212, August 2007.
28. [28] Y. Wang, X. Yun, and M. Z. Shafiq, L. Wang, A. X. Liu, Z. Zhang, D. Yao, Y. Zhang, L. Guo, "A semantics aware approach to automated reverse engineering unknown protocols", in 20th IEEE International Conference on Network Protocols (ICNP), pp. 1-10, October 2012. [DOI:10.1109/ICNP.2012.6459963]
29. [29] F. Pan, Z. Hong, Y. Du, L. Wu, "Efficient Protocol Reverse Method Based on Network Trace Analysis", International Journal of Digital Content Technology and its Applications, 6(20), 201, November 2012. [DOI:10.4156/jdcta.vol6.issue20.22]
30. [30] G. Bossert, F. Guihéry, and G. Hiet, "Towards automated protocol reverse engineering using semantic information", in Proceedings of the 9th ACM symposium on Information, computer and communications security, pp. 51-62, ACM, June 2014. [DOI:10.1145/2590296.2590346]
31. [31] Luo X, Chen D, Wang Y, Xie P, "A Type-Aware Approach to Message Clustering for Protocol Reverse Engineering", Sensors 19, no. 3, p.716, January 2019. [DOI:10.3390/s19030716] [PMID] [PMCID]
32. [32] S Kleber, H Kopp, F Kargl, "NEMESYS: Network Message Syntax Reverse Engineering by Analysis of the Intrinsic Structure of Individual Messages", in12th USENIX Workshop on Offensive Technologies (WOOT 18), 2018.
33. [33] F Meng, C Zhang, G Wu, "Protocol reverse based on hierarchical clustering and probability alignment from network traces", in 2018 IEEE 3rd International Conference on Big Data Analysis (ICBDA), pp. 443-447, IEEE, March 2018. [DOI:10.1109/ICBDA.2018.8367724]
34. [34] K.S. Shim, Y.H. Goo, M.S. Lee, H Hasanova, M.S. Kim, "Inference of network unknown protocol structure using CSP (Contiguous Sequence Pattern) algorithm based on tree structure", in NOMS 2018-2018 IEEE/IFIP Network Operations and Management Sympo-sium, pp. 1-4, IEEE, April 2018. [DOI:10.1109/NOMS.2018.8406311]
35. [35] M.S. Lee, K.S. Shim, Y.H. Goo, M.S. Kim, "A Study on the Method to Extract Clear Fields From the Private Protocol", in 2018 International Conference on Information and Communication Technology Convergence (ICTC), pp. 1397-1402, IEEE, October 2018. [DOI:10.1109/ICTC.2018.8539357]
36. [36] J. Caballero, H. Yin, and Z. Liang, D. Song. "Polyglot: Automatic extraction of protocol message format using dynamic binary analysis", in Proceedings of the 14th ACM conference on Computer and communications security, Alexan-dria, VA, pp. 317-329, October 2007. [DOI:10.1145/1315245.1315286]
37. [37] Z. Lin, X. Jiang, and D. Xu, X. Zhang, "Automatic Protocol Format Reverse Enginee-ring through Context-Aware Monitored Execu-tion", in Proceedings of the Network and Distributed System Security Symposium (NDSS), San Diego, CA, Vol. 8, pp. 1-15, February 2008.
38. [38] F. Pan, L. F. Wu, and Z. Hong, H. B. Li, H. G. Lai, C. H. Zheng, "Icefex: Protocol Format Extraction from IL-based Concolic Execution", KSII Transactions on Internet & Information Systems, 7(3), 2013. [DOI:10.3837/tiis.2013.03.010]
39. [39] Y. Yang, K. McLaughlin, and S. Sezer, T. Littler, E. G. Im, B. Pranggono, H. F. Wang, "Multiattribute SCADA-specific intrusion detec-tion system for power networks", in IEEE Transactions on Power Delivery, 29(3), 1092-1102, 2014. [DOI:10.1109/TPWRD.2014.2300099]
40. [40] V. Yegneswaran, J. T. Giffin, and P. Barford, S. Jha, "An architecture for generating semantics-aware signatures", in Proceedings of Usenix Security Symposium 2005, pp. 34-43, August 2005. [DOI:10.21236/ADA449063]
41. [41] A. Aho, M. Lam, and R. Sethi, J. D. Ullman, "Compilers: Principles, techniques, and tools", 2nd ed., Addison Wesley, Boston, 2006.
42. [42] "TEMU: The BitBlaze Dynamic Analysis Component", Available: http://bitblaze.cs.berke-ley.edu/temu, [Accessed: March 2019].
43. [43] "Qemu: Open source processor emulator" Available: http://wiki.qemu.org, [Accessed: March 2019].
44. [44] "Buster Sandbox Analyser", Available: h-ttp://bsa.isoftware.nl/, [Accessed: March 2019].
45. [45] "IDA Pro", Available: https://www.hex-rays.com, [Accessed: March 2019].
46. [46] "Zynamics, Binnavi- binary code reverse engineering tool", Available: http://www.zy-namics.com/binnavi.html, [Acce-ssed: March 2019].
47. [47] "Resource Tuner 2.04 - Resource Editor for EXE and DLL Resource Files. Edit Icon Resources, Replace Strings, Change Bitmaps", Available: http://restuner.com/, [Accessed: March 2019].
48. [48] "Wireshark•Go Deep", Available: https://ww-w.wireshark.org , [Accessed: March 2019].

Add your comments about this article : Your username or Email:
CAPTCHA

Send email to the article author


Rights and permissions
Creative Commons License This work is licensed under a Creative Commons Attribution-NonCommercial 4.0 International License.

© 2015 All Rights Reserved | Signal and Data Processing