Reverse Analysis and Automated Testing of Unknown Protocols
Cite this article: ZHANG Wei-Yao, ZHANG Lei, MAO Jian-Ling, XU Zhi-Jun, ZHANG Yu-Jun. Reverse Analysis and Automated Testing of Unknown Protocols [J]. Chinese Journal of Computers, 2020, 43(4): 653-667.
Authors: ZHANG Wei-Yao, ZHANG Lei, MAO Jian-Ling, XU Zhi-Jun, ZHANG Yu-Jun
Affiliations: Internet Technology Research Center, Institute of Computing Technology, Chinese Academy of Sciences, Beijing 100190; University of Chinese Academy of Sciences, Beijing 100049; Hebei University of Technology, Tianjin 300019; Internet Technology Research Center, Institute of Computing Technology, Chinese Academy of Sciences, Beijing 100190; Beijing University of Posts and Telecommunications, Beijing 100876
Funding: National Key Research and Development Program of China; National Natural Science Foundation of China; Strategic Priority Research Program of the Chinese Academy of Sciences
Abstract: In innovative networks such as industrial control, military communications and financial information systems, large numbers of unknown (private or semi-private) protocols are widely adopted. Rigorous testing of communication protocols and their implementations is an important means of ensuring the security of network systems, but most existing testing tools and methods can only be applied to known protocols, so the widespread adoption of unknown protocols poses a challenge to protocol testing. This paper proposes a reverse-analysis and automated testing method for unknown protocols. Its basic idea is to identify protocol features through reverse analysis of protocol traffic, dynamically generate multi-dimensional test data, automatically monitor the running state of the system under test, and obtain accurate test results, providing a basis for the secure and reliable operation of the system. The specific contributions are: (1) an automated fuzzing framework; (2) a reverse-analysis method based on a protocol feature database; (3) a test-data generation method based on multi-dimensional mutation; (4) a test execution and fault localization method based on active probing. We designed and implemented the automated testing tool UPAFuzz. Experimental results show that UPAFuzz can automatically identify protocol features from network traffic and automatically generate massive amounts of fuzzing data to test the system under test; when the volume of generated test data reaches tens of millions, UPAFuzz's memory usage is 50% of that of the existing fuzzing tool Boofuzz and its time cost is only 10% of Boofuzz's, greatly improving test execution efficiency.

Keywords: unknown protocols; reverse analysis; feature identification; protocol feature database; multi-dimensional mutation; active probing

An Automated Method of Unknown Protocol Fuzzing Test
ZHANG Wei-Yao, ZHANG Lei, MAO Jian-Ling, XU Zhi-Jun, ZHANG Yu-Jun. An Automated Method of Unknown Protocol Fuzzing Test [J]. Chinese Journal of Computers, 2020, 43(4): 653-667.
Authors: ZHANG Wei-Yao, ZHANG Lei, MAO Jian-Ling, XU Zhi-Jun, ZHANG Yu-Jun
Affiliation: Internet Technology Research Center, Institute of Computing Technology, Chinese Academy of Sciences, Beijing 100190; Hebei University of Technology, Tianjin 300019; University of Chinese Academy of Sciences, Beijing 100049; Beijing University of Posts and Telecommunications, Beijing 100876
Abstract: Nowadays, a large number of unknown (private or semi-private) network protocols are widely adopted in newly emerging networks such as industrial control, military communications and financial information systems. Making sure the protocol goes through a set of strict tests of both design and implementation before deployment is crucial for the usability and security of network systems. To the best of our knowledge, the majority of existing protocol test toolkits or systems can only be applied to known protocols, i.e. the testers know how the examined protocol works. As a direct consequence, the prevalence of unknown protocols poses a great challenge to current protocol test systems. Therefore, before existing test methods for known protocols can be transplanted to unknown ones, many research problems must be addressed, three of which cannot be ignored. First, current tests are unable to estimate the architecture and semantic characteristics of an unknown protocol with a network sniffer or manual inspection, which makes it difficult to obtain the knowledge necessary for later tests. Second, the prevailing test data generation methods have proved to have a low hit rate and to be inefficient, and the existing single-field random filling method for generating test data lacks vulnerability mining capability; furthermore, because the characteristics of the protocol are unknown, it is impossible to accurately construct the data required for testing. Last but not least, the network devices running unknown protocols are usually strictly concealed, which means that it is impossible to install monitor proxy programs on the devices under test, something that current test systems designed for known protocols rely on. To address the above issues, we propose a novel automated fuzzing test framework for unknown protocols. The workflow of our framework is as follows: 1. precise identification of protocol features based on protocol reverse analysis; 2. dynamic generation of multi-dimensionally mutated test data; 3. automatic monitoring of the running state of the devices under test to ensure the accuracy of the test outcome and secure the systems. Our main contributions can be summarized as follows. First, we design an automated fuzzing test framework for unknown network protocols. Second, we propose an automated reverse analysis method for unknown protocols built on a novel protocol feature database. Third, we propose an innovative method to mutate test data in a multi-dimensional way. Last but not least, we present a set of active-detection methods for test execution and the subsequent inspection and analysis. In addition, we develop UPAFuzz, an automated fuzzing test tool; the experimental results show that UPAFuzz can analyze the characteristics of unknown protocols from protocol network traces and generate massive amounts of data for later tests with a high hit rate and low time cost. Moreover, compared to Boofuzz, a popular open-source fuzzing test tool, UPAFuzz's memory usage is 50% of that of Boofuzz, and the time consumed generating tens of millions of test data items is only 10% of Boofuzz's, which greatly improves test efficiency while offering a degree of versatility.
Keywords: unknown protocols; reverse analysis; feature identification; protocol feature database; multi-dimensional mutation; active detection
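The abstract describes two of the framework's stages, reverse analysis of captured traces to identify protocol features and multi-dimensional mutation driven by those features. The following added example (not code from the paper or from UPAFuzz) sketches the minimal form of both stages: it infers which byte offsets of a hypothetical binary protocol are constant, length-encoding or variable from a few constructed traces, then derives test cases along value, length, structure and header dimensions. The trace format and the dimension set are assumptions of this example only.

```python
from typing import Dict, List, Tuple

# Constructed traces of a hypothetical unknown binary protocol (an assumption
# for this example, not data from the paper): 2-byte magic, 1-byte command,
# 1-byte payload length, then the payload.
TRACES: List[bytes] = [
    bytes.fromhex("aa550103112233"),
    bytes.fromhex("aa5502024455"),
    bytes.fromhex("aa55010466778899"),
]

def infer_fields(traces: List[bytes]) -> Dict[int, str]:
    """Label each offset of the common prefix as 'const' (same in every trace),
    'length' (equals the number of bytes after it in every trace) or 'variable'."""
    labels: Dict[int, str] = {}
    for off in range(min(len(t) for t in traces)):
        if len({t[off] for t in traces}) == 1:
            labels[off] = "const"
        elif all(t[off] == len(t) - off - 1 for t in traces):
            labels[off] = "length"
        else:
            labels[off] = "variable"
    return labels

def mutate(seed: bytes, labels: Dict[int, str]) -> List[Tuple[str, bytes]]:
    """Derive test cases from one seed along several dimensions, choosing the
    dimension from the inferred field type; each case is tagged with its dimension."""
    cases: List[Tuple[str, bytes]] = []
    for off, kind in labels.items():
        m = bytearray(seed)
        if kind == "variable":
            # value dimension: boundary bytes in fields that vary across traces
            for v in (0x00, 0x7F, 0x80, 0xFF):
                m[off] = v
                cases.append(("value", bytes(m)))
        elif kind == "length":
            # length dimension: declared length disagrees with the real payload
            for v in (0x00, len(seed) - off, 0xFF):
                m[off] = v
                cases.append(("length", bytes(m)))
            # structure dimension: oversized payload and a truncated message
            cases.append(("structure", seed + b"A" * 64))
            cases.append(("structure", seed[: off + 1]))
        else:
            # header dimension: corrupt a byte that was constant in every trace
            m[off] ^= 0xFF
            cases.append(("header", bytes(m)))
    return cases
```

On the three constructed traces, offsets 0 and 1 are labelled constant, offset 3 is recognised as the length field, and the first seed yields 19 tagged cases; a real run would feed these to the device under test while a separate active probe checks that it still answers a known-good message.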
This article is indexed in databases including VIP and Wanfang Data.