Lifting Network Protocol Implementation to Precise Format Specification with Security Applications
Qingkai Shi, Junyang Shao, Yapeng Ye, Mingwei Zheng, and Xiangyu Zhang

TL;DR
This paper introduces a static analysis approach using abstract interpretation to accurately infer protocol formats, significantly improving coverage and security applications like fuzzing and intrusion detection.
Contribution
It presents a novel static analysis method with an abstract format graph for high-coverage, precise protocol format inference, outperforming existing dynamic techniques.
Findings
Inferred formats achieve >95% precision and recall within one minute.
Enhanced fuzzing coverage by 20% to 260%.
Discovered 53 zero-day vulnerabilities with 47 CVEs assigned.
Abstract
Inferring protocol formats is critical for many security applications. However, existing format-inference techniques often miss many formats, because almost all of them are dynamic analyses that rely on a limited number of network packets to drive their analysis. If a feature is not present in the input packets, it will be missed in the resulting formats. We develop a novel static program analysis for format inference. It is well known that static analysis does not rely on any input packets and can achieve high coverage by scanning every piece of code. However, for efficiency and precision, we have to address two challenges, namely path explosion and disordered path constraints. To this end, our approach uses abstract interpretation to produce a novel data structure called the abstract format graph. It delimits precise but costly operations to only small regions,…
Taxonomy
Topics: Software Testing and Debugging Techniques · Network Packet Processing and Optimization · Network Security and Intrusion Detection
