Authors: 陈驰昱 陆余良 杨国正 程明杰 卢灿举 (CHEN Chiyu; LU Yuliang; YANG Guozheng; CHENG Mingjie; LU Canju) (College of Electronic Engineering, National University of Defense Technology, Hefei 230037, China; Anhui Province Key Laboratory of Cyberspace Security Situation Awareness and Evaluation, Hefei 230037, China)
Affiliations: [1] College of Electronic Engineering, National University of Defense Technology, Hefei 230037, Anhui, China; [2] Anhui Province Key Laboratory of Cyberspace Security Situation Awareness and Evaluation, Hefei 230037, Anhui, China
Source: Information Countermeasure Technology (《信息对抗技术》), 2025, No. 1, pp. 82-94 (13 pages)
Abstract: Identifying the upper-layer services of Transport Layer Security (TLS) by application-layer probing is an important means of understanding the configuration and security of Internet services. Current application-layer scanners rely on the default network protocol stack. Its Transmission Control Protocol (TCP) implementation is designed for general-purpose scenarios and can obtain TLS upper-layer service information only at a limited rate, while its TLS implementation, built on software libraries with modern security configurations, is incompatible with some target servers. To address the limited efficiency and coverage of current application-layer scanners in identifying TLS upper-layer services, this paper approaches the problem from the perspective of protocol-stack optimization. It first proposes a hybrid state model for the TCP protocol stack: by introducing a stateless working mode and optimizing the stateful working mode, it reduces unnecessary state maintenance and state transitions in the stack and thereby improves application-layer probing efficiency. It then proposes a relaxed configuration strategy for the TLS protocol stack, which establishes TLS sessions with a broader range of servers through maximum version and configuration compatibility. Finally, the model and the configuration strategy are implemented as a user-space protocol stack in TLSnap, an asynchronous application-layer scanner that exposes customizable interfaces in the form of extensible modules to support a variety of TLS upper-layer service identification tasks. Experimental results show that on common hardware, TLSnap identifies TLS upper-layer services on large-scale port ranges more than 3.5 times more efficiently than current state-of-the-art methods, and the average number of identified services increases by 9%, effectively improving both the efficiency and the comprehensiveness of TLS upper-layer service identification.
CLC number: TP393 (Automation and Computer Technology: Computer Application Technology)