Automated Attacker Synthesis for Distributed Protocols

Hippel, Max von; Vick, Cole; Tripakis, Stavros; Nita-Rotaru, Cristina

doi:10.1007/978-3-030-54549-9_9

Cited by 13 publications

(24 citation statements)

References 33 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…For example, autonomous vehicles utilize CAN bus and FlexRay, control systems use Modbus and DNP3, online chatting/conferencing applications have their customized protocols. Many security analysis such as static/symbolic vulnerability scanning [40], [24], exploit generation [79], [19], fuzzing [65], [43], [44], [31], attack detection [15], [29], and malware behavior analysis [75], [18] require precise modeling of the network protocol. For instance, knowing the protocol of a networking application is critical to seed input generation in fuzzing; malware analysis often requires composing well-formed messages to the Command and Control (C&C) server so that hidden behaviors can be triggered by the appropriate server responses [23], [83]; and static/symbolic analysis needs to properly model networking functions otherwise a lot of false positives may be generated.…”

Section: Introductionmentioning

confidence: 99%

NetPlier: Probabilistic Network Protocol Reverse Engineering from Message Traces

Zhang

Wang

et al. 2021

Proceedings 2021 Network and Distributed System Security Symposium

View full text Add to dashboard Cite

Network protocol reverse engineering is an important challenge with many security applications. A popular kind of method leverages network message traces. These methods rely on pair-wise sequence alignment and/or tokenization. They have various limitations such as difficulties of handling a large number of messages and dealing with inherent uncertainty. In this paper, we propose a novel probabilistic method for network trace based protocol reverse engineering. It first makes use of multiple sequence alignment to align all messages and then reduces the problem to identifying the keyword field from the set of aligned fields. The keyword field determines the type of a message. The identification is probabilistic, using random variables to indicate the likelihood of each field (being the true keyword). A joint distribution is constructed among the random variables and the observations of the messages. Probabilistic inference is then performed to determine the most likely keyword field, which allows messages to be properly clustered by their true types and enables the recovery of message format and state machine. Our evaluation on 10 protocols shows that our technique substantially outperforms the state-of-the-art and our case studies show the unique advantages of our technique in IoT protocol reverse engineering and malware analysis.

show abstract

Section: Introductionmentioning

confidence: 99%

NetPlier: Probabilistic Network Protocol Reverse Engineering from Message Traces

Zhang

Wang

et al. 2021

Proceedings 2021 Network and Distributed System Security Symposium

View full text Add to dashboard Cite

show abstract

“…As protection against attacks is one of the main subjects of systems security, methodologies for designing attack strategies against systems have been reported in the literature [16,17,18]. [16] presents how to synthesize an attacker in the context of stealthy deception attacks, modeled in the framework of SCT, which cannot be detected by the supervisor and cause damage to the system, as a counter weapon against intrusion detection modules as in [12].…”

Section: Introductionmentioning

confidence: 99%

“…Formal synthesis of successful attacks against protocols is the problem considered in this paper. The work in [18] (and its conference version [19]) is of special relevance, as it introduces a methodology of attacker synthesis against systems whose components are modeled as finite-state automata (FSA). It presents how so-called "T -" attackers can be found (if they exist) using a formal methodology that has been implemented in the software tool K [20].…”

Section: Introductionmentioning

confidence: 99%

“…It presents how so-called "T -" attackers can be found (if they exist) using a formal methodology that has been implemented in the software tool K [20]. In the terminology of [18], "T -" refers to attackers that cannot always lead protocols to a violation of required properties, but sometimes succeed ("there exists" a winning run for the attacker). [18] formulates the properties that protocols must protect against as threat models, and it illustrates its methodology with the Transmission Control Protocol (TCP), as standardized in [21].…”

Section: Introductionmentioning

confidence: 99%

“…In the terminology of [18], "T -" refers to attackers that cannot always lead protocols to a violation of required properties, but sometimes succeed ("there exists" a winning run for the attacker). [18] formulates the properties that protocols must protect against as threat models, and it illustrates its methodology with the Transmission Control Protocol (TCP), as standardized in [21]. The formal model in [18] was inspired by that in [22] where automated attack discovery is performed using a state-machine-informed search.…”

Section: Introductionmentioning

confidence: 99%

See 2 more Smart Citations

Synthesis of Winning Attacks on Communication Protocols using Supervisory Control Theory: Two Case Studies

Matsui,

Lafortune

2021

Preprint

View full text Add to dashboard Cite

There is an increasing need to study the vulnerability of communication protocols in distributed systems to malicious attacks that attempt to violate safety or liveness properties. In this paper, we propose a general methodology for formal synthesis of successful attacks against protocols where the attacker always eventually wins, called Fattacks. This generalizes previous work on the synthesis of T -attacks, where the attacker can sometimes win. As we model protocols and system architectures by finite-state automata, our methodology employs the supervisory control theory of discrete event systems, which is well suited to pose and solve the synthesis of Fattacks where the attacker has partial observability and controllability of the system events. We demonstrate our methodology using examples of man-in-the-middle attacks against the Alternating Bit Protocol and the Transmission Control Protocol.

show abstract