Reverse Analysis and Automated Testing of Unknown Protocols (translated from the Chinese title)    Cited by: 17

English title: An Automated Method of Unknown Protocol Fuzzing Test


Authors: 张蔚瑶, 张磊 [2], 毛建瓴, 许智君, 张玉军 [1,3] (ZHANG Wei-Yao; ZHANG Lei; MAO Jian-Ling; XU Zhi-Jun; ZHANG Yu-Jun. Internet Technology Research Center, Institute of Computing Technology, Chinese Academy of Sciences, Beijing 100190; Hebei University of Technology, Tianjin 300019; University of Chinese Academy of Sciences, Beijing 100049; Beijing University of Posts and Telecommunications, Beijing 100876)

Affiliations: [1] Network Technology Research Center, Institute of Computing Technology, Chinese Academy of Sciences, Beijing 100190; [2] Hebei University of Technology, Tianjin 300019; [3] University of Chinese Academy of Sciences, Beijing 100049; [4] Beijing University of Posts and Telecommunications, Beijing 100876

Published in: Chinese Journal of Computers (计算机学报), 2020, No. 4, pp. 653-667 (15 pages)

Funding: National Key R&D Program of China (2016YFE0121500, 2018YFB1800403); National Natural Science Foundation of China (61902382, 61972381, 61672500, 61572474); Strategic Priority Research Program of the Chinese Academy of Sciences (XDC02030500).

Abstract (translated from the Chinese): In emerging networks such as industrial control, military communications and financial information systems, a large number of unknown (private or semi-private) protocols are in wide use. Rigorous testing of communication protocols and their implementations is an important means of ensuring the security of networked systems, but most existing test methods and tools apply only to known protocols, so the spread of unknown protocols poses a challenge to protocol testing. This paper proposes a method for reverse analysis and automated testing of unknown protocols. Its basic idea is to reverse-analyse protocol traffic to identify protocol features, dynamically generate multi-dimensional test data, automatically monitor the running state of the system under test, and obtain accurate test results as a basis for the secure and reliable operation of the system. The specific contributions are: (1) an automated fuzzing framework; (2) a reverse-analysis method based on a protocol feature library; (3) a test-data generation method based on multi-dimensional mutation; and (4) a test execution and anomaly localisation method based on active probing. The automated test tool UPAFuzz is designed and implemented. Experimental results show that UPAFuzz can automatically identify protocol features from network traffic, automatically generate large volumes of fuzz test data and test the system under test; when the number of generated test cases reaches the tens of millions, UPAFuzz's memory footprint is 50% of that of the existing fuzzer Boofuzz and its run time is only 10% of Boofuzz's, greatly improving test execution efficiency.

Abstract (English, as given by the authors; cut off on the page): Nowadays, a large number of unknown (private or semi-private) network protocols are widely adopted in newly emerging networks such as industrial control, military communications and financial information systems. Making sure a protocol goes through a set of strict tests, for both its design and its implementation, before deployment is crucial for the usability and security of network systems. To the best of our knowledge, the majority of existing protocol test toolkits or systems can only be applied to known protocols, i.e. the testers know how the examined protocol works. As a direct consequence, the prevalence of unknown protocols poses a great challenge to current protocol test systems. Therefore, before existing test methods for known protocols can be transplanted to unknown ones, many research problems must be addressed, three of which cannot be ignored. First, current testing cannot estimate the structure and semantic characteristics of an unknown protocol with a network sniffer or manual inspection, which makes it difficult to obtain the knowledge needed for later tests. Second, the prevailing test-data generation methods have proved to have a low hit rate and to be inefficient, and the existing single-field random filling method for generating test data lacks vulnerability-mining capability; furthermore, because the characteristics of the protocol are unknown, the data required for testing cannot be constructed accurately. Last but not least, the network devices running unknown protocols are usually strictly sealed, which means that the monitor proxy programs on which current test systems for known protocols depend cannot be installed on the devices under test. To address these issues, we propose a novel automated fuzzing framework for unknown protocols. The workflow of the framework is as follows: 1. precise identification of the protocol features based on protocol reverse analysis; 2. dynamic generation of multi-dimensionally mutated test data; 3. automatic monit
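The three stages the abstract describes (reverse analysis of captured traffic to recover the field structure, multi-dimensional mutation over the recovered fields, and active probing of the device from outside because no monitor agent can be installed on it) can be sketched end to end. The Python below is an added example written for this page; it is not UPAFuzz's code, and the message format, the captured samples, the simulated target and its length-handling defect are all constructed for the illustration.

```python
"""Added example (not UPAFuzz): positional reverse analysis of captured messages,
multi-dimensional mutation over the inferred fields, and an agentless test loop that
attributes failures to cases by actively probing the target after each one."""
import random
import struct
from dataclasses import dataclass
from typing import Callable, List

# Constructed traffic for a hypothetical 6-byte-header format (not a real protocol):
# magic(2) | type(1) | seq(1) | length(2, big-endian, bytes after the header) | payload
def build_msg(seq: int, payload: bytes, msg_type: int = 0x01) -> bytes:
    return b"\xab\xcd" + bytes([msg_type, seq]) + struct.pack(">H", len(payload)) + payload

CAPTURED = [build_msg(i, bytes([0x30 + i]) * (2 + i)) for i in range(1, 9)]

@dataclass
class Field:
    offset: int
    size: int
    kind: str  # "const" (same in every capture), "var", or "len" (counts trailing bytes)

def infer_fields(msgs: List[bytes]) -> List[Field]:
    """Reverse analysis over the common prefix: a 2-byte big-endian value that always
    equals the number of bytes after it is a length field; bytes identical in every
    capture are constant; the rest are variable. Adjacent bytes of one kind are merged."""
    n = min(len(m) for m in msgs)
    fields: List[Field] = []
    i = 0
    while i < n:
        if i + 2 <= n and all(struct.unpack(">H", m[i:i + 2])[0] == len(m) - i - 2 for m in msgs):
            fields.append(Field(i, 2, "len"))
            i += 2
            continue
        kind = "const" if len({m[i] for m in msgs}) == 1 else "var"
        if fields and fields[-1].kind == kind and fields[-1].offset + fields[-1].size == i:
            fields[-1].size += 1
        else:
            fields.append(Field(i, 1, kind))
        i += 1
    return fields

BOUNDARY = [0x00, 0x01, 0x7F, 0x80, 0xFF]

def mutate_field(msg: bytearray, f: Field, rng: random.Random) -> None:
    """One mutation dimension; the strategy depends on the inferred field kind."""
    if f.kind == "len":
        actual = len(msg) - f.offset - 2
        # Declare fewer or more trailing bytes than are really present.
        declared = rng.choice([0, 1, actual + rng.randint(1, 0xFF), 0xFFFF])
        msg[f.offset:f.offset + 2] = struct.pack(">H", declared & 0xFFFF)
    elif f.kind == "var":
        pos = f.offset + rng.randrange(f.size)
        msg[pos] = rng.choice(BOUNDARY) if rng.random() < 0.5 else msg[pos] ^ (1 << rng.randrange(8))
    elif rng.random() < 0.2:
        # Constants (magic, type) are mostly kept so the target parses past its header.
        msg[f.offset + rng.randrange(f.size)] ^= 0xFF

def multi_dim_mutations(seed: bytes, fields: List[Field], count: int,
                        max_dims: int = 3, rng_seed: int = 1) -> List[bytes]:
    """Each case mutates 1..max_dims distinct fields at once instead of a single field."""
    rng = random.Random(rng_seed)
    cases = []
    for _ in range(count):
        m = bytearray(seed)
        for f in rng.sample(fields, rng.randint(1, min(max_dims, len(fields)))):
            mutate_field(m, f, rng)
        cases.append(bytes(m))
    return cases

def run_campaign(cases: List[bytes], send: Callable[[bytes], None],
                 probe: Callable[[], bool], reset: Callable[[], None]) -> List[bytes]:
    """Agentless execution: send a case, probe the target from outside, and on a failed
    probe attribute the failure to that case and reset the target before continuing."""
    crashers = []
    for c in cases:
        send(c)
        if not probe():
            crashers.append(c)
            reset()
    return crashers

class SimulatedTarget:
    """Constructed stand-in for a device under test: it trusts the declared length,
    over-reads the payload, and then stops answering probes."""
    def __init__(self) -> None:
        self.alive = True
    def send(self, msg: bytes) -> None:
        if not self.alive or len(msg) < 6 or msg[:2] != b"\xab\xcd":
            return  # dropped before parsing: too short or wrong magic
        if struct.unpack(">H", msg[4:6])[0] > len(msg) - 6:
            self.alive = False
    def probe(self) -> bool:
        return self.alive
    def reset(self) -> None:
        self.alive = True

def declared_length(msg: bytes) -> int:
    return struct.unpack(">H", msg[4:6])[0]

def demo(count: int = 300):
    fields = infer_fields(CAPTURED)
    cases = multi_dim_mutations(CAPTURED[0], fields, count)
    target = SimulatedTarget()
    return fields, run_campaign(cases, target.send, target.probe, target.reset)

if __name__ == "__main__":
    fields, crashers = demo()
    print([(f.offset, f.size, f.kind) for f in fields], len(crashers), "failing cases")
```

Against the constructed captures the analysis recovers a 3-byte constant header, a 1-byte variable field, the 2-byte length field and the variable payload; every case that knocks the simulated target over keeps the magic intact and declares more trailing bytes than it carries, which is exactly the attribution a probe-based harness can make without code on the device. A real campaign would replace `send`, `probe` and `reset` with a socket write, an external liveness check (ICMP, a benign request, a serial console) and a power-cycle.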

Keywords: unknown protocol; reverse analysis; feature identification; protocol feature library; multi-dimensional mutation; active probing

Classification: TP393.0 (Automation and Computer Technology: Computer Application Technology)
