Similar articles

Abstract: network protocol software is usually characterized by complicated functions and a vast state space. In this type of program, a massive number of stateful variables that are used to represent the evolution of the states and store some information about the sessions are prone to potential flaws caused by violations of protocol specification requirements and program logic. Discovering such variables is significant in discovering and exploiting vulnerabilities in protocol software, and still needs massive manual verifications. In this paper, we propose a novel method that could automatically discover the use of stateful variables in network protocol software. The core idea is that a stateful variable features information of the communication entities and the software states, so it will exist in the form of a global or static variable during program execution. Based on recording and replaying a protocol program's execution, varieties of variables in the life cycle can be tracked with the technique of dynamic instrument. We draw up some rules from multiple dimensions by taking full advantage of the existing vulnerability knowledge to determine whether the data stored in critical memory areas have stateful characteristics. We also implement a prototype system that can discover stateful variables automatically and then perform it on nine programs in ProFuzzBench and two complex real-world software programs. With the help of available open-source code, the evaluation results show that the average true positive rate (TPR) can reach 82% and the average precision can be approximately up to 96%.

基于重放分析的网络协议软件状态变量自动化发现技术

[1]Aviram A, Weng SC, Hu S, et al., 2012. Efficient system-enforced deterministic parallelism. Commun ACM, 55(5):111-119.

[2]Bergan T, Hunt N, Ceze L, et al., 2010. Deterministic process groups in DoS. Proc 9^th USENIX Symp on Operating Systems Design and Implementation, p.177-191.

[3]Bruening D, Zhao Q, 2011. Practical memory checking with Dr.Memory. Proc Int Symp on Code Generation and Optimization, p.213-223.

[4]Brumley D, Caballero J, Liang ZK, et al., 2007. Towards automatic discovery of deviations in binary implementations with applications to error detection and fingerprint generation. Proc 16^th USENIX Security Symp, p.213-228.

[5]Dolan-Gavitt B, Hodosh J, Hulin P, et al., 2015. Repeatable reverse engineering with PANDA. Proc 5^th Program Protection and Reverse Engineering Workshop, Article 4.

[6]Dunlap GW, King ST, Cinar S, et al., 2002. ReVirt: enabling intrusion analysis through virtual-machine logging and replay. ACM SIGOPS Oper Syst Rev, 36(SI):211-224.

[7]Dunlap GW, Lucchetti DG, Fetterman MA, et al., 2008. Execution replay of multiprocessor virtual machines. Proc 4^th ACM SIGPLAN/SIGOPS Int Conf on Virtual Execution Environments, p.121-130.

[8]Fioraldi A, D'Elia DC, Balzarotti D, 2021. The use of likely invariants as feedback for fuzzers. Proc 30^th USENIX Security Symp, p.2829-2846.

[9]Garmany B, Stoffel M, Gawlik R, et al., 2019. Static detection of uninitialized stack variables in binary code. Proc 24^th European Symp on Research in Computer Security, p.68-87.

[10]Giuffrida C, Cavallaro L, Tanenbaum AS, 2013. Practical automated vulnerability monitoring using program state invariants. Proc 43^rd Annual IEEE/IFIP Int Conf on Dependable Systems and Networks, p.1-12.

[11]Hower DR, Hill MD, 2008. Rerun: exploiting episodes for lightweight memory race recording. Proc Int Symp on Computer Architecture, p.265-276.

[12]Lee C, Bae J, Lee H, 2018. PRETT: protocol reverse engineering using binary tokens and network traces. Proc 33^rd IFIP Int Conf on ICT Systems Security and Privacy Protection, p.141-155.

[13]Li JQ, Li SY, Sun G, et al., 2022. SNPSFuzzer: a fast greybox fuzzer for stateful network protocols using snapshots. IEEE Trans Inform Forens Secur, 17:2673-2687.

[14]Milburn A, Bos H, Giuffrida C, 2017. Safelnit: comprehensive and practical mitigation of uninitialized read vulnerabilities. Proc 24^th Annual Network and Distributed System Security Symp.

[15]Montesinos P, Ceze L, Torrellas J, 2008. DeLorean: recording and deterministically replaying shared-memory multiprocessor execution efficiently. ACM SIGARCH Comput Archit News, 36(3):289-300.

[16]Musuvathi M, Engler DR, 2004. Model checking large network protocol implementations. Proc 1^st Conf on Symp on Networked Systems Design and Implementation, p.1-12.

[17]Natella R, 2022. StateAFL: greybox fuzzing for stateful network servers. Empir Softw Eng, 27(7):191.

[18]O'Callahan R, Jones C, Froyd N, et al., 2017. Engineering record and replay for deployability. Proc USENIX Conf on Usenix Annual Technical Conf, p.377-389.

[19]Pham V, Böhme M, Roychoudhury A, 2020. AFLNET: a greybox fuzzer for network protocols. Proc 13^th Int Conf on Software Testing, Validation and Verification, p.460-465.

[20]Pokam G, Danne K, Pereira C, et al., 2013. QuickRec: prototyping an Intel architecture extension for record and replay of multithreaded programs. ACM SIGARCH Comput Archit News, 41(3):643-654.

[21]Saito Y, 2005. Jockey: a user-space library for record-replay debugging. Proc 6^th Int Symp on Automated Analysis-Driven Debugging, p.69-76.

[22]Song CX, Yu B, Zhou X, et al., 2019. SPFuzz: a hierarchical scheduling framework for stateful network protocol fuzzing. IEEE Access, 7:18490-18499.

[23]Stepanov E, Serebryany K, 2015. MemorySanitizer: fast detector of uninitialized memory use in C++. Proc IEEE/ACM Int Symp on Code Generation and Optimization, p.46-55.

[24]Ye D, Sui YL, Xue JL, 2014. Accelerating dynamic detection of uses of undefined values with static value-flow analysis. Proc Annual IEEE/ACM Int Symp on Code Generation and Optimization, p.154-164.

[25]Yu B, Wang PF, Yue T, et al., 2019. Poster: fuzzing IoT firmware via multi-stage message generation. Proc ACM SIGSAC Conf on Computer and Communications Security, p.2525-2527.