&lt;sc&gt;SymbexNet&lt;/sc&gt;: Testing Network Protocol Implementations with Symbolic Execution and Rule-Based Specifications

Song, JaeSeung; Cadar, Cristian; Pietzuch, Peter

doi:10.1109/tse.2014.2323977

Cited by 29 publications

(3 citation statements)

References 34 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…Kothari et al [27] use symbolic execution to find protocol manipulation attacks where a malicious endhost can induce a remote peer to send more packets more aggressive than it should. Song et al [45] explore the possibility of sending multiple packets in symbolic execution, and they aim at finding low-level and semantic bugs given rule-based specifications extracted from protocol specifications.…”

Section: Related Workmentioning

confidence: 99%

SymTCP: Eluding Stateful Deep Packet Inspection with Automated Discrepancy Discovery

Wang

Zhu

Cao

et al. 2020

Proceedings 2020 Network and Distributed System Security Symposium

View full text Add to dashboard Cite

A key characteristic of commonly deployed deep packet inspection (DPI) systems is that they implement a simplified state machine of the network stack that often differs from that of endhosts. The discrepancies between the two state machines have been exploited to bypass such DPI based middleboxes. However, most prior approaches to do so rely on manually crafted adversarial packets, which not only are labor-intensive but may not work well across a plurality of DPI-based middleboxes. Our goal in this work is to develop an automated way to craft candidate adversarial packets, targeting TCP implementations in particular. Our approach to achieving this goal hinges on the key insight that while the TCP state machines of DPI implementations are obscure, those of the endhosts are well established. Thus, in our system SYMTCP, using symbolic execution, we systematically explore the TCP implementation of an endhost, identifying candidate packets that can reach critical points in the code (e.g., which causes the packets to be accepted or dropped/ignored); such automatically identified packets are then fed through the DPI middlebox to determine if a discrepancy is induced and the middlebox can be eluded. We find that our approach is extremely effective. It can generate tens of thousands of candidate adversarial packets in less than an hour. When evaluating against multiple state-of-the-art DPI systems such as Zeek and Snort, as well as a state-level censorship system, viz. the Great Firewall of China, we identify not only previously known evasion strategies, but also novel ones that were never previously reported (e.g., involving the urgent pointer). The system can be extended easily towards other combinations of operating systems and DPI middleboxes, and serves as a valuable tool for testing future DPIs' robustness against evasion attempts.

show abstract

Section: Related Workmentioning

confidence: 99%

SymTCP: Eluding Stateful Deep Packet Inspection with Automated Discrepancy Discovery

Wang

Zhu

Cao

et al. 2020

Proceedings 2020 Network and Distributed System Security Symposium

View full text Add to dashboard Cite

show abstract

“…Testing protocols and programs independently is -however worthwhile -not enough. To this end, approaches have been designed that test implementations for protocol compliance using many different testing and verification methodologies, ranging from fuzzing [1,26] over SymEx [22] to model checking [12,13]. Validating that a given implementation fulfills a specification or standard does, however, require a formalized representation to be available, which effectively constitutes another implementation of the specification.…”

Section: Related Workmentioning

confidence: 99%

“…While it is possible that neither implementation is technically compliant with the standard, it becomes more and more improbable that the standard is captured incorrectly by many different people in exactly the same manner. Due to the inherent state-explosion problem of interoperability testing (multiple different, or even all possible programs are considered at once), multiple approaches to specialized [7] and general [14,22] interoperability testing have been proposed in the past.…”

Section: Related Workmentioning

confidence: 99%

Interoperability-Guided Testing of QUIC Implementations using Symbolic Execution

Rath

Schemmel

Wehrle

2018

Proceedings of the Workshop on the Evolution, Performance, and Interoperability of QUIC

View full text Add to dashboard Cite

The main reason for the standardization of network protocols, like QUIC, is to ensure interoperability between implementations, which poses a challenging task. Manual tests are currently used to test the different existing implementations for interoperability, but given the complex nature of network protocols, it is hard to cover all possible edge cases.State-of-the-art automated software testing techniques, such as Symbolic Execution (SymEx), have proven themselves capable of analyzing complex real-world software and finding hard to detect bugs. We present a SymEx-based method for finding interoperability issues in QUIC implementations, and explore its merit in a case study that analyzes the interoperability of picoquic and QUANT.We find that, while SymEx is able to analyze deep interactions between different implementations and uncovers several bugs, in order to enable efficient interoperability testing, implementations need to provide additional information about their current protocol state.

show abstract

FuSeBMC: An Energy-Efficient Test Generator for Finding Security Vulnerabilities in C Programs

Alshmrany

Aldughaim

Bhayat

et al. 2021

Lecture Notes in Computer Science

View full text Add to dashboard Cite

<sc>SymbexNet</sc>: Testing Network Protocol Implementations with Symbolic Execution and Rule-Based Specifications

Cited by 29 publications

References 34 publications

SymTCP: Eluding Stateful Deep Packet Inspection with Automated Discrepancy Discovery

SymTCP: Eluding Stateful Deep Packet Inspection with Automated Discrepancy Discovery

Interoperability-Guided Testing of QUIC Implementations using Symbolic Execution

FuSeBMC: An Energy-Efficient Test Generator for Finding Security Vulnerabilities in C Programs

Contact Info

Product

Resources

About