Lifting Network Protocol Implementation to Precise Format Specification with Security Applications

by   Qingkai Shi, et al.

Inferring protocol formats is critical for many security applications. However, existing format-inference techniques often miss many formats, because almost all of them are in a fashion of dynamic analysis and rely on a limited number of network packets to drive their analysis. If a feature is not present in the input packets, the feature will be missed in the resulting formats. We develop a novel static program analysis for format inference. It is well-known that static analysis does not rely on any input packets and can achieve high coverage by scanning every piece of code. However, for efficiency and precision, we have to address two challenges, namely path explosion and disordered path constraints. To this end, our approach uses abstract interpretation to produce a novel data structure called the abstract format graph. It delimits precise but costly operations to only small regions, thus ensuring precision and efficiency at the same time. Our inferred formats are of high coverage and precisely specify both field boundaries and semantic constraints among packet fields. Our evaluation shows that we can infer formats for a protocol in one minute with >95 four baseline techniques. Our inferred formats can substantially enhance existing protocol fuzzers, improving the coverage by 20 discovering 53 zero-days with 47 assigned CVEs. We also provide case studies of adopting our inferred formats in other security applications including traffic auditing and intrusion detection.


page 1

page 2

page 3

page 4


Extracting Protocol Format as State Machine via Controlled Static Loop Analysis

Reverse engineering of protocol message formats is critical for many sec...

FP4: Line-rate Greybox Fuzz Testing for P4 Switches

Compared to fixed-function switches, the flexibility of programmable swi...

Introducing Packet-Level Analysis in Programmable Data Planes to Advance Network Intrusion Detection

Programmable data planes offer precise control over the low-level proces...

Integration of the Static Analysis Results Interchange Format in CogniCrypt

Background - Software companies increasingly rely on static analysis too...

SNPSFuzzer: A Fast Greybox Fuzzer for Stateful Network Protocols using Snapshots

Greybox fuzzing has been widely used in stateless programs and has achie...

Bicoptor 2.0: Addressing Challenges in Probabilistic Truncation for Enhanced Privacy-Preserving Machine Learning

This paper primarily focuses on analyzing the problems and proposing sol...

Please sign up or login with your details

Forgot password? Click here to reset