
Research on Reverse Extraction of Protocol Models Based on Dynamic Binary Analysis and Its Applications

Published: 2018-04-24 01:25

  Topics of this thesis: protocol reverse engineering + dynamic binary analysis; Reference: National University of Defense Technology, 2014 doctoral dissertation


[Abstract]: With the rapid development of the Internet, applications built on computer networks have gradually penetrated every field of human society. Network protocols, and cryptographic protocols in particular, are the basic technical support of the whole computer network, so their availability, reliability and security are especially important. For this reason, research on automatic protocol reverse engineering has in recent years become a research hotspot and a main direction of work. The protocol model is an important target of protocol reverse engineering. It abstractly describes the dynamic network behavior of an application and has significant value in protocol security analysis, verification of protocol programs, protocol fingerprint identification and related areas. This thesis takes the reverse extraction of protocol models as its fundamental goal. It addresses difficult technical problems met in reverse-analysis practice: protocol message fields and their semantics are hard to infer accurately, encrypted network data streams are hard to parse, protocol temporal logic and state-transition relationships are hard to reason about, and the code of complex network applications is hard to analyze. The thesis proposes a set of protocol model reverse extraction methods built on dynamic binary analysis of programs. It mainly studies how to recover the protocol message format, the protocol model and the protocol specification from the dynamic execution of a network application. On that basis it studies a protocol deviation mining method guided by the protocol model, and proposes a method for automatically extracting and identifying program fingerprints based on protocol deviations. The main contributions and innovations of the thesis are as follows.

(1) An in-depth and broad survey of the state of research and the latest progress in protocol reverse engineering and dynamic binary analysis of programs. With respect to current problems such as protocol verification, analysis of program network behavior and protocol vulnerability discovery, protocol reverse engineering techniques are introduced at two levels, network flow analysis and host analysis. Existing schemes and mechanisms are classified, and the advantages, disadvantages and scope of application of each method are summarized, which clarifies the main work of the thesis. The theory behind dynamic binary analysis of programs, the key technical support for this work, is studied in depth. The principles of key techniques such as taint propagation analysis and dynamic binary instrumentation (DBI) are described, and the advantages and disadvantages of the various dynamic binary analysis platforms are introduced and summarized.

(2) A set of methods for reverse parsing of message formats based on dynamic binary analysis of programs. The analysis of encrypted network data streams, the identification of protocol message fields and the inference of field semantics have always been technical challenges for protocol reverse engineering. The root causes are the reverse-analysis methods themselves and inherent factors such as the difficulty of recovering protocol information. Drawing on semantic knowledge of host encryption and decryption behavior, the thesis proposes a method for reverse inference of the semantic attributes of message fields at the function-level and instruction-level semantic layers, together with a hybrid taint analysis technique that combines the library-function-call level and the instruction level. This addresses the low precision and narrow applicability of taint analysis at the library-function-call level and the difficulty of obtaining semantics with instruction-level taint analysis. On this basis, the thesis proposes a method that can reverse-parse the format of encrypted messages of cryptographic protocols, which solves the problem that current network-flow-based protocol reverse analysis techniques cannot analyze encrypted messages.

(3) A reverse inference technique for distributed multi-role protocol models, based on mining the message interaction graph of protocol network behavior. The protocol model abstractly describes the dynamic network behavior of a network application. Modern network protocols, however, and especially security protocols built on cryptographic mechanisms, often have complex temporal logic and state transitions, so recovering the protocol model from a network application is considerably difficult and challenging. Applying the theory and methods of state machines, the thesis proposes this technique, which can reverse-extract the protocol model of a cryptographic protocol application when multiple role principals take part in the session during the protocol interaction. On this basis it proposes an algorithm that converts the protocol state machine model into a formal protocol specification description. Following the definitions of a high-level protocol description language, the algorithm automatically describes the reverse-extracted protocol model as a formal protocol specification.

(4) A method for automatically mining protocol deviations under the guidance of the protocol model. Protocol deviations describe the differences in actual network behavior between programs that implement different versions of a protocol. In view of the value of protocol deviations in areas such as verification of protocol implementations and protocol fingerprint extraction, the thesis proposes a method for automatically mining deviations in protocol implementations, guided by the protocol model. The method runs a series of active, iterative tests against the protocol implementation under test in order to keep uncovering the deviations present in the implementations of each protocol version. During this process it continually refines the reverse-inferred protocol model, which improves the precision of the reverse analysis.

(5) A method for automatically extracting and identifying program protocol fingerprints based on protocol deviations. Traditional protocol fingerprint extraction consumes a great deal of time and manpower. Building on the characteristics of protocol deviations, the thesis proposes, for the first time, a method for automatic extraction and identification of program protocol fingerprints. Its key idea is to extract protocol features by observing the dynamic execution of message processing in a network application, so it can be used to identify the protocol fingerprints of programs that communicate over cryptographic protocols. The session-flow level and the response-message level of protocol deviations are taken as the entry points. For automatic fingerprint extraction, the thesis first proposes a protocol feature extraction method that combines the TPFSM description of protocol session-flow features with the characteristics of protocol-deviation response messages, and then studies the construction and optimization of the protocol fingerprint library. For automatic fingerprint identification, the thesis first introduces the concepts of session-flow encoding and SHINGLE (a sample of a sequence of consecutive nodes), and then proposes, at the session-flow level, a SHINGLE-based session-flow feature matching algorithm as well as a regular-expression-based message feature matching method.

This research is a useful practice and exploration in the field of protocol reverse engineering. Its results have important theoretical value and practical significance for further developing application areas such as verification of protocol programs, analysis of program network behavior and protocol vulnerability discovery, and they have played a positive role in improving and developing the field of network security.

[Degree-granting institution]: National University of Defense Technology
[Degree level]: Doctoral
[Year degree granted]: 2014
[Classification number]: TP393.04

Article ID: 1794523


Link to this article: http://sikaile.net/guanlilunwen/ydhl/1794523.html

