Research on Protocol Reverse Parsing Technology Based on a Dynamic Binary Analysis Platform
Research on Protocol Reverse Parsing Based on Dynamic Binary Analysis Platform
【Author】 He Yongjun;
【Advisor】 Shu Hui;
【Author information】 PLA Information Engineering University, Computer Science and Technology, 2010, Master's thesis
【Abstract (Chinese)】 Protocol reverse parsing technology has important application value in protocol security analysis, vulnerability discovery in network applications, intrusion detection and other areas, so in-depth research on it is of great significance. The thesis first introduces the concept, application domains and research status of protocol reverse parsing, and analyses the shortcomings of existing research results. On this basis, a protocol reverse parsing method based on a dynamic binary analysis platform is implemented. The main idea of the method is as follows: the network application is interpretively executed on a dynamic binary analysis platform, and during execution the program is dynamically instrumented through the platform's extension mechanism, so that the program's execution trace while processing protocol messages can be captured accurately; the recorded trace information is then analysed to derive the protocol message format. To this end, the thesis researches and implements the following techniques: a dynamic taint-source identification technique, which monitors the execution of the program's network API functions in real time to locate the protocol data the program receives and mark it as the taint source; a real-time trace acquisition technique based on dynamic program instrumentation, which accurately captures the trace of protocol message processing and uses the ETW (Event Tracing for Windows) mechanism to store the trace information in real time; a dynamic taint analysis technique based on DynamoRIO, which performs dynamic taint analysis on the recorded trace information to extract the specific processing information of protocol messages and generate a taint propagation tree for the protocol data processing; and finally, according to the defined protocol-field reverse parsing strategies, the main field formats of protocol messages, such as separators, keywords, length fields and target fields, are parsed out. Finally, the thesis designs and implements a prototype protocol reverse parsing system based on DynamoRIO (named UNPRE) and tests it on a text protocol and a binary protocol, comparing the test results with Wireshark's parsing results. The results show that UNPRE's reverse parsing of the protocol format is correct and faithfully reflects the main field formats of protocol messages.
【Abstract】 Protocol reverse parsing technology has important application value in many fields, such as security analysis of protocols, vulnerability discovery in network applications, intrusion detection and so on. Thus, it is of great significance to do further research on it. This thesis first introduces the concept, the application fields and the research status of protocol reverse parsing technology, and analyzes the shortcomings of the existing research results. Then, a protocol reverse parsing approach based on a dynamic binary analysis platform is implemented. The main idea of this approach is to simulate the execution of the network application program on the dynamic binary analysis platform and, during execution, to instrument the target program dynamically through the extension interface of the analysis platform. The main formats of the protocol messages can then be extracted by analyzing the execution traces of the network application while it processes the received protocol data. To this end, the following techniques were designed and implemented. First, a taint source auto-identification technique is presented that dynamically locates the received protocol data and tags it as the taint source by monitoring the executions of the program's network APIs. Then, a new trace tracking technique based on dynamic program instrumentation is proposed to obtain the protocol data's real-time processing trace, and the ETW (Event Tracing for Windows) mechanism is introduced to store the trace information efficiently. After that, a dynamic taint analysis technique based on DynamoRIO is designed and implemented to distill the protocol data's processing details and generate its taint propagation tree from the recorded trace information.
Finally, the designed parsing strategies for protocol fields are applied to the obtained processing details to parse the main protocol fields, such as separators, keywords, length fields, target fields, and so on. In the end, this thesis designs and implements a prototype system (named UNPRE) for protocol reverse parsing under DynamoRIO, and presents test results for the prototype on both a text protocol and a binary protocol. Comparison of the test results with the output of Wireshark shows the correctness of the protocol formats parsed by UNPRE, and many main protocol fields can be parsed correctly using UNPRE.
【Key words】 DynamoRIO; Protocol Reverse Parsing; Executing Trace; Dynamic Taint Analysis; Parsing Strategies;
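The abstract describes a pipeline of taint-source tagging, trace recording, taint propagation and field-parsing strategies but gives no code. The following is an added illustration, not the thesis's or UNPRE's code: a toy taint tracker that runs over a hand-written "network application" and infers keyword, separator, length-field and target-field positions from the operations it observes. The message `MSG`, the micro-op trace shape (`cmp_const`, `loop_copy`) and the inference rules are assumptions constructed for this example; a real DynamoRIO client would record equivalent events from instrumented instructions rather than from Python calls.

```python
"""Toy dynamic-taint walk illustrating UNPRE-style field inference.
Constructed example; it is not the thesis's implementation."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Val:
    """A value plus the set of input-message offsets it derives from (its taint)."""
    v: int
    taint: frozenset = frozenset()


# Constructed protocol message: keyword "GET", separator 0x20,
# a one-byte length field, then a payload of that many bytes.
MSG = b"GET \x05hello"


def receive(buf: bytes):
    """Taint-source identification: every byte returned by the (simulated)
    network receive API is tagged with its offset in the message."""
    return [Val(b, frozenset({i})) for i, b in enumerate(buf)]


def run_parser(mem):
    """A tiny 'network application' that processes MSG. It emits the events
    an instrumenting client would observe: (op, source taint, extra).
    cmp_const: a tainted byte is compared against a constant.
    loop_copy: a tainted value bounds a loop that copies further tainted bytes."""
    trace = []
    pos = 0
    for c in b"GET":                       # keyword check against constants
        trace.append(("cmp_const", mem[pos].taint, c))
        pos += 1
    trace.append(("cmp_const", mem[pos].taint, 0x20))   # separator check
    pos += 1
    n = mem[pos]                           # length byte used as loop bound
    pos += 1
    copied = frozenset()
    for k in range(n.v):                   # taint propagates into the copy
        copied |= mem[pos + k].taint
    trace.append(("loop_copy", n.taint, copied))
    return trace


def infer_fields(trace):
    """Parsing strategies (constructed): consecutive bytes compared to
    alphanumeric constants form a keyword; a byte compared to a
    non-alphanumeric constant is a separator; a byte that bounds a copy loop
    is a length field whose target field is the span of bytes copied."""
    fields = []
    run = []                               # pending keyword bytes (offset, const)

    def flush():
        if run:
            fields.append(("keyword", run[0][0], run[-1][0], bytes(c for _, c in run)))
            run.clear()

    for op, src, extra in trace:
        if op == "cmp_const":
            (off,) = src                   # exactly one source offset
            if chr(extra).isalnum():
                if run and off != run[-1][0] + 1:
                    flush()
                run.append((off, extra))
            else:
                flush()
                fields.append(("separator", off, off, bytes([extra])))
        elif op == "loop_copy":
            flush()
            (off,) = src
            fields.append(("length", off, off, None))
            fields.append(("target", min(extra), max(extra), None))
    flush()
    return fields


def analyze(msg: bytes):
    """Full pipeline: tag taint source, record trace, apply parsing strategies."""
    return infer_fields(run_parser(receive(msg)))


if __name__ == "__main__":
    for kind, start, end, const in analyze(MSG):
        print(f"{kind:9s} bytes {start}-{end}" + (f" = {const!r}" if const else ""))
```

The point the example makes is the one the abstract relies on: the format is never parsed from the bytes themselves but from how the program uses tainted bytes, so the same rules recover a length/target pair in a binary protocol and a keyword/separator pair in a text protocol without knowing either grammar in advance.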