一种基于协议格式智能推断的灰盒测试技术

doi:10.19678/j.issn.1000-3428.0066813

计算机工程 ›› 2023, Vol. 49 ›› Issue (12): 129-135, 145. doi: 10.19678/j.issn.1000-3428.0066813

一种基于协议格式智能推断的灰盒测试技术

刘华玉¹, 甘水滔²^,³, 尹小康¹, 柳晓龙², 刘胜利¹, 李宏亮⁴

1. 战略支援部队信息工程大学网络空间安全学院, 郑州 450001
2. 数学工程与先进计算国家重点实验室, 江苏无锡 214215
3. 清华大学网络研究院, 北京 100084
4. 江南计算技术研究所, 江苏无锡 214083

收稿日期:2023-01-23 出版日期:2023-12-15 发布日期:2023-04-12
作者简介:
刘华玉(1997-), 男, 硕士研究生, 主研方向为模糊测试、漏洞挖掘
甘水滔, 副研究员、博士
尹小康, 博士
柳晓龙, 助理研究员、博士
刘胜利, 教授、博士
李宏亮, 研究员、博士
基金资助:
中国博士后科学基金面上资助项目(2021M701942)

A Gray-box Test Technology Based on Intelligent Inference of Protocol Format

Huayu LIU¹, Shuitao GAN²^,³, Xiaokang YIN¹, Xiaolong LIU², Shengli LIU¹, Hongliang LI⁴

1. School of Cyberspace Security, Strategic Support Force Information Engineering University, Zhengzhou 450001, China
2. State Key Laboratory of Mathematical Engineering and Advanced Computing, Wuxi 214215, Jiangsu, China
3. Institute for Network Research, Tsinghua University, Beijing 100084, China
4. Jiangnan Institute of Computing Technology, Wuxi 214083, Jiangsu, China

Received:2023-01-23 Online:2023-12-15 Published:2023-04-12

摘要/Abstract

摘要：

通信协议可保障网络应用和物联网设备之间的通信，但其在设计或实现中存在的脆弱性会带来严重的安全威胁和隐患。模糊测试技术作为一种软件安全分析的有效方法，在针对网络协议的脆弱性分析中表现出高效的性能和无可比拟的优势。现有的针对网络协议的灰盒测试技术仍依赖于人工识别协议格式来辅助测试，并且变异策略的设计更偏向于位和字节的变异，忽略了协议消息本身的格式信息，导致在测试时性能不佳。针对上述问题，提出一种基于对齐聚类的智能化协议格式推断模型ProCluster，用于指导灰盒测试中协议状态机构建和种子的变异。该模型通过自动提取协议关键字和推断相应类型，辅助协议灰盒测试模型构建更精准的种子变异策略，从而生成更符合协议规范的测试用例，以此加速提升模糊测试的代码覆盖能力和脆弱路径发现能力。实验结果表明，在对TinyDTLS、OpenSSL等程序的模糊测试中，与典型协议灰盒测试工具AFLNet相比，ProCluster的边覆盖率能够提升75%~182%，并且在TinyDTLS中发现一个缓冲区溢出漏洞样本。

关键词: 灰盒测试, 协议逆向, 变异策略, 网络协议, 漏洞挖掘

Abstract:

Communication protocols ensure secure communication between network applications and IoT devices. However, the fragility of their design and implementation can result in serious security threats and hidden dangers. Fuzzing, as an effective method for software security analysis, demonstrates efficient performance and unparalleled advantages in vulnerability analysis of network protocols. Nevertheless, existing stateful coverage-based grey-box fuzzing for network protocols still relies on manual identification of the protocol format to assist testing. In addition, the design of the mutation strategy is more prominent in the mutation of bits and bytes, disregarding the format information of the protocol message itself, resulting in suboptimal fuzzing performance. To address these issues, this study proposes an intelligent protocol format based on an aggregate class. This model uses high-efficiency and automatic extraction of protocol keywords and infers corresponding types to assist in building a more accurate seed mutation strategy for the protocol gray-box test model. This approach generates test cases that better conform to the specifications of protocols, thereby accelerating code coverage, improving illegal testing capability, enhancing the capacity of the fuzzy test, and increasing the ability to identify fragile paths. The experimental results demonstrate that, when fuzzing programs such as TinyDTLS and OpenSSL, ProCluster outperforms the typical stateful gray-box fuzzing tool AFLNet by increasing edge coverage by 75% to 182%. Furthermore, it successfully identified a buffer overflow vulnerability sample in TinyDTLS.

Key words: gray-box test, protocol reverse, mutation strategy, network protocols, vulnerability mining

刘华玉, 甘水滔, 尹小康, 柳晓龙, 刘胜利, 李宏亮. 一种基于协议格式智能推断的灰盒测试技术[J]. 计算机工程, 2023, 49(12): 129-135, 145.

Huayu LIU, Shuitao GAN, Xiaokang YIN, Xiaolong LIU, Shengli LIU, Hongliang LI. A Gray-box Test Technology Based on Intelligent Inference of Protocol Format[J]. Computer Engineering, 2023, 49(12): 129-135, 145.

http://www.ecice06.com/CN/Y2023/V49/I12/129

图/表 5

图1 基于协议格式智能推断的灰盒测试技术框架

Fig.1 Framework of gray-box test technology based on intelligent inference of protocol format

图2 协议识别结果

Fig.2 The results of protocol identification

图3 边覆盖数的实时性能比较

Fig.3 Real-time performance comparison of the number of edge coverages

参考文献 30

1	Kaspersky. What is wannacry ransomware?[EB/OL]. [2022-11-20]. https://www.kaspersky.com.au/resourcecenter/threats/ransomwarewannacry.
2	360-CERT. NXNSAttack: DNS协议安全漏洞通告[EB/OL]. [2022-11-20]. https://mp.weixin.qq.com/s/jYxHvIgPyeQknX0dNTZ0Zg.
	360-CERT. NXNSAttack: notification of DNS protocol security vulnerabilities[EB/OL]. [2022-11-20]. https://mp.weixin.qq.com/s/jYxHvIgPyeQknX0dNTZ0Zg. (in Chinese)
3	MILLER B P, FREDRIKSEN L, SO B. An empirical study of the reliability of UNIX utilities. Communications of the ACM, 1990, 33 (12): 32- 44. doi: 10.1145/96267.96279
4	MANÈS V J M, HAN H, HAN C, et al. The art, science, and engineering of fuzzing: a survey. IEEE Transactions on Software Engineering, 2021, 47 (11): 2312- 2331. doi: 10.1109/TSE.2019.2946563
5	GODEFROID P. Fuzzing. Communications of the ACM, 2020, 63 (2): 70- 76. doi: 10.1145/3363824
6	BOEHME M, CADAR C, ROYCHOUDHURY A. Fuzzing: challenges and reflections. IEEE Software, 2020, 38 (3): 79- 86.
7	EDDINGTON M. Peach fuzzer[EB/OL]. [2022-11-20]. https://peachtech.gitlab.io/peach-fuzzer-community.
8	PHAM V T, BÖHME M, ROYCHOUDHURY A. AFLNET: a grey-box fuzzer for network protocols[C]//Proceedings of the 13th IEEE International Conference on Software Testing, Validation and Verification. Washington D. C., USA: IEEE Press, 2020: 460-465.
9	SUTTON M, GREENE A, AMINI P. Fuzzing: brute force vulnerability discovery[M]. [S. 1. ]: Addison-Wesley, 2007.
10	AITEL D. The advantages of block-based protocol analysis for security testing[EB/OL]. [2022-11-20]. https://citeseerx.ist.psu.edu/viewdoc/download;jsessionid.
11	BANKS G, COVA M, FELMETSGER V, et al. SNOOZE: toward a stateful NetwOrk prOtocol fuzZEr. Berlin, Germany: Springer, 2006.
12	KAKSONEN R, LAAKSO M, TAKANEN A. Software security assessment through specification mutations and fault injection. Berlin, Germany: Springer, 2001.
13	ZALEWSKI M. American fuzzy lop fuzzer[EB/OL]. [2022-11-20]. https://lcamtuf.coredump.cx/afl/.
14	NATELLA R. StateAFL: grey-box fuzzing for stateful network servers. Empirical Software Engineering, 2022, 27 (7): 191. doi: 10.1007/s10664-022-10233-3
15	SONG C X, YU B, ZHOU X, et al. SPFuzz: a hierarchical scheduling framework for stateful network protocol fuzzing. IEEE Access, 2019, 7, 18490- 18499. doi: 10.1109/ACCESS.2019.2895025
16	LI J Q, LI S Y, SUN G, et al. SNPSFuzzer: a fast greybox fuzzer for stateful network protocols using snapshots[EB/OL]. [2022-11-20]. https://arxiv.org/abs/2202.03643.pdf.
17	LIU D G, PHAM V T, ERNST G, et al. State selection algorithms and their impact on the performance of stateful network protocol fuzzing[C]//Proceedings of IEEE International Conference on Software Analysis, Evolution and Reengineering. Washington D. C., USA: IEEE Press, 2022: 720-730.
18	WONDRACEK G, COMPARETTI P M, KRÜGEL C, et al. Automatic network protocol analysis[C]//Proceedings of NDSSʼ08. Washington D. C., USA: IEEE Press, 2008: 235-247.
19	COMPARETTI P M, WONDRACEK G, KRUEGEL C, et al. Prospex: protocol specification extraction[C]//Proceedings of the 30th IEEE Symposium on Security and Privacy. Washington D. C., USA: IEEE Press, 2009: 110-125.
20	LIN Z, ZHANG X, XU D. Automatic reverse engineering of data structures from binary execution[C]//Proceedings of the 11th Annual Information Security Symposium. Washington D. C., USA: IEEE Press, 2010: 105-117.
21	BEDDOE M A. Network protocol analysis using bioinformatics algorithms. Toorcon, 2004, 26 (6): 1095- 1098.
22	FENG D F, DOOLITTLE R F. Progressive sequence alignment as a prerequisitetto correct phylogenetic trees. Journal of Molecular Evolution, 1987, 25 (4): 351- 360. doi: 10.1007/BF02603120
23	CUI W D, KANNAN J, WANG H J. Discoverer: automatic protocol reverse engineering from network traces[EB/OL]. [2022-11-20]. https://www.researchgate.net/publication/228641854.
24	CABALLERO J, YIN H, LIANG Z K, et al. Polyglot: automatic extraction of protocol message format using dynamic binary analysis[C]//Proceedings of the 14th ACM Conference on Computer and Communications Security. New York, USA: ACM Press, 2007: 317-329.
25	LIN Z Q, JIANG X X, XU D Y, et al. Automatic protocol format reverse engineering through context-aware monitored execution[C]//Proceedings of NDSSʼ08. Washington D. C., USA: IEEE Press, 2008: 1-15.
26	LEITA C, MERMOUD K, DACIER M. ScriptGen: an automated script generation tool for Honeyd[C]//Proceedings of the 21st Annual Computer Security Applications Conference. Washington D. C., USA: IEEE Press, 2006: 203-214.
27	BOSSERT G, GUIHÉRY F, HIET G. Towards automated protocol reverse engineering using semantic information[C]//Proceedings of the 9th ACM Symposium on Information, Computer and Communications Security. New York, USA: ACM Press, 2014: 51-62.
28	李伟明, 张爱芳, 刘建财, 等. 网络协议的自动化模糊测试漏洞挖掘方法. 计算机学报, 2011, 34 (2): 242- 255. URL
	LI W M, ZHANG A F, LIU J C, et al. An automatic network protocol fuzz testing and vulnerability discovering method. Chinese Journal of Computers, 2011, 34 (2): 242- 255. URL
29	PHILLIPS P J, MARTIN A, WILSON C L, et al. An introduction evaluating biometric systems. Computer, 2000, 33 (2): 56- 63. doi: 10.1109/2.820040
30	CUI W D, PAXSON V, WEAVER N, et al. Protocol-independent adaptive replay of application dialog[C]//Proceedings of NDSSʼ08. Washington D. C., USA: IEEE Press, 2008: 235-246.

[1]	王烁, 谷正气, 韩征彤, 马晓骙. 基于改进离散差分进化算法的桁架优化[J]. 计算机工程, 2021, 47(1): 275-283.
[2]	周伟平, 杨维永, 王雪华, 茅兵. 面向工业控制系统的渗透测试工具研究[J]. 计算机工程, 2019, 45(8): 92-101.
[3]	黄河, 陈君, 邓浩江. 基于循环神经网络的Modbus/TCP模糊测试算法[J]. 计算机工程, 2019, 45(7): 164-169.
[4]	侯方杰,王雷,王嵩,盛捷. 基于位置的自动化网络流协议逆向分析方法[J]. 计算机工程, 2019, 45(5): 84-87.
[5]	黄小兵, 聂兰顺. OPEN-MAC:一种低功耗有保障下行的网络架构[J]. 计算机工程, 2019, 45(10): 101-109.
[6]	李进东,王韬,吴杨,雷东. 基于协议分析与模糊测试的SIP漏洞挖掘研究[J]. 计算机工程, 2016, 42(8): 117-122.
[7]	潘道欣,王轶骏,薛质. 基于网络协议逆向分析的远程控制木马漏洞挖掘[J]. 计算机工程, 2016, 42(2): 146-150,156.
[8]	陈立根,刘胜利,肖达,彭飞. 一种Cisco IOS启发式模糊测试方法[J]. 计算机工程, 2014, 40(12): 68-73.
[9]	郭严赞，季新生，刘彩霞，刘树新. IMS网络Diameter协议流程漏洞挖掘[J]. 计算机工程, 2013, 39(9): 6-11.
[10]	杜有翔, 吴礼发, 潘璠, 洪征. 一种基于报文序列分析的半自动协议逆向方法[J]. 计算机工程, 2012, 38(19): 277-280.
[11]	苏晓艳, 武东英, 刘龙, 韩玉祥. 基于Fuzzing的Cisco IOS漏洞挖掘方法[J]. 计算机工程, 2012, 38(16): 117-120.
[12]	黎杰, 祝吾杰, 胡丽媛. 改进微分进化算法在软硬件划分中的应用[J]. 计算机工程, 2012, 38(16): 284-286.
[13]	智少磊, 夏继强, 张炯. 基于OPC的服务机器人监控系统设计[J]. 计算机工程, 2012, 38(14): 266-268.
[14]	李向燕, 唐柳湘, 李允. 基于AUTOSAR的LIN实现[J]. 计算机工程, 2012, 38(04): 208-211.
[15]	黄奕, 曾凡平, 张美超. 基于动态输入追踪的模糊技术[J]. 计算机工程, 2011, 37(6): 44-45.

选择文件类型/文献管理软件名称

选择包含的内容

一种基于协议格式智能推断的灰盒测试技术

A Gray-box Test Technology Based on Intelligent Inference of Protocol Format

RichHTML

PDF

可视化

被引次数

摘要/Abstract

引用本文

使用本文

图/表 5

参考文献 30

相关文章 15

编辑推荐

Metrics

本文评价

模态框（Modal）标题

选择文件类型/文献管理软件名称

选择包含的内容

一种基于协议格式智能推断的灰盒测试技术

A Gray-box Test Technology Based on Intelligent Inference of Protocol Format

RichHTML

PDF

可视化

被引次数

摘要/Abstract

引用本文

使用本文

图/表 5

参考文献 30

相关文章 15

编辑推荐

Metrics

本文评价