Protocol reverse engineering is the process of extracting application-level specifications for network protocols. Such specifications are very helpful in a number of security-related contexts. For example, they are needed by intrusion detection systems to perform deep packet inspection, and they allow the implementation of black-box fuzzing tools. Unfortunately, manual reverse engineering is a time-consuming and tedious task. To address this problem, researchers have recently proposed systems that help to automate the process. These systems operate by analyzing traces of network traffic. However, there is limited information available at the network-level, and thus, the accuracy of the results is limited. In this paper, we present a novel approach to automatic protocol reverse engineering. Our approach works by dynamically monitoring the execution of the application, analyzing how the program is processing the protocol messages that it receives. This is motivated by the insight that an application encodes the complete protocol and represents the authoritative specification of the inputs that it can accept. In a first step, we extract information about the fields of individual messages. Then, we aggregate this information to determine a more general specification of the message format, which can include optional or alternative fields, and repetitions. We have applied our techniques to a number of real-world protocols and server applications. Our results demonstrate that we are able to extract the format specification for different types of messages. Using these specifications, we then automatically generate appropriate parser code.
Automatic network protocol analysis
NDSS 2008, 15th Annual Network and Distributed System Security Symposium, February, 15-18 2008, San Diego, USA
© ISOC. Personal use of this material is permitted. The definitive version of this paper was published in NDSS 2008, 15th Annual Network and Distributed System Security Symposium, February, 15-18 2008, San Diego, USA and is available at :
PERMALINK : https://www.eurecom.fr/publication/2522