Network Protocol System Fingerprinting - A Formal
Approach
Guoqiang Shu and David Lee
INFOCOM 2006 Speaker: Chang Huan Wu
2008/10/31
2
Outline
Introduction
A Formal Model
Active and Passive Fingerprinting
Defending Against Malicious Fingerprinting
Conclusions
3
Introduction (1/3)
Identifying specific features of a network protocol implementation by analyzing its input/output behavior
– Facilitate management
– Exploit the vulnerability of certain implementations
4
Introduction (2/3)
Most network protocols are not specified completely and deterministically
– Optional features
– Unspecified behaviors under some circumstances
5
Introduction (3/3)
Goal: identify which implementation it is by analyzing the input/output behaviors
– Active: use some predetermined input sequences for probing the target host
– Passive: observe a trace of input/output messages from the target host without disrupting its normal operations
6
A Formal Model (1/4)
Parameterized Extended Finite State Machine (PEFSM) is a 6-tuple M = <S, s_init, I, O, X, T>
– S: a finite set of states
– s_init: initial state
– I = {i0, i1, i2, …, ip-1}: input alphabet, each input carries a vector of parameter values
– O = {o0, o1, o2, …, oq-1}: output alphabet
– X: finite set of variables with default initial values
7
A Formal Model (2/4)
– T: finite set of transitions
– For t ∈ T, t = <s, s', i, o, P(X, i), A(X, i, o)>
  s / s': start state / end state
  i and o: input / output symbols with parameters
  P: predicate of the variables and input parameters
  A: an operation on the variables, based on the current variable values, input and output parameter values
Example of PEFSM transition
8
PEFSM model of a simplified TCP Tahoe implementation (state variables, guards and actions of transitions are omitted)
[Figure: states initial state (SYN), slow start (SS), congestion avoidance (CA), retransmission (REX), finish (Fin); each transition is labelled with its name and input / output]
9
A Formal Model (3/4)
Given a candidate group of implementation machines, C = {M1, M2, …, Mk}, a test sequence seq separates Mi and Mj if, taking seq as input, Mi and Mj have different output
A fingerprinting set F for a candidate group C is a set of test sequences such that for each pair of machines in C, F contains a sequence that separates them
10
A Formal Model (4/4)
Given a candidate group, the goal of
– Active fingerprinting: construct a fingerprinting set
– Passive fingerprinting: decide whether a specific candidate can generate the given trace
11
Active Fingerprinting
Algorithm 1: generate a sequence that separates two candidates
Algorithm 2: generate the fingerprint set
Partition = { {M1, M2, M3, M4} }; M1 and M3 can be separated by T1
Use T1 to separate {M1, M2, M3, M4}
Partition = { {M1, M4}, {M2, M3} }; M1 and M4 can be separated by T2
Use T2 to separate {M1, M4} and {M2, M3} …
Until all sets in Partition have only one element
If T2 separates {M1, M4} and {M2, M3} => Partition = { {M1}, {M2}, {M3}, {M4} }
fingerprint set = {T1, T2}
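The partition-refinement walk-through above, written out as an added Python example (not code from the paper). The four candidate machines, the three test names and their response values are constructed; candidates are represented by their per-test responses, the way the Nmap database stores them, rather than by full PEFSMs.

```python
from itertools import combinations

# Constructed candidate group C = {M1, M2, M3, M4}: each machine maps a test
# sequence name to the (abstract) output it produces on that sequence.
CANDIDATES = {
    "M1": {"T1": "a", "T2": "x", "T3": "p"},
    "M2": {"T1": "b", "T2": "x", "T3": "p"},
    "M3": {"T1": "b", "T2": "y", "T3": "p"},
    "M4": {"T1": "a", "T2": "y", "T3": "p"},
}
TESTS = ["T1", "T2", "T3"]

def separating_sequence(mi, mj, tests, responses):
    """Algorithm 1 analogue: the first test on which Mi and Mj give different
    outputs, or None when the two candidates are indistinguishable."""
    for t in tests:
        if responses[mi][t] != responses[mj][t]:
            return t
    return None

def split(block, t, responses):
    """Partition one block of candidates by the output each gives on test t."""
    groups = {}
    for m in block:
        groups.setdefault(responses[m][t], []).append(m)
    return list(groups.values())

def fingerprinting_set(responses, tests):
    """Algorithm 2 analogue: refine the partition until every block is a
    singleton. Returns (fingerprint set, final partition). A block that no
    test can split stays together, which is the '*' case on the Nmap slide."""
    partition = [sorted(responses)]
    fset = []
    while True:
        chosen = None
        # find a block that still holds a pair some test can separate
        for block in partition:
            for mi, mj in combinations(block, 2):
                chosen = separating_sequence(mi, mj, tests, responses)
                if chosen:
                    break
            if chosen:
                break
        if chosen is None:
            return fset, partition
        fset.append(chosen)
        # apply the new test to every block, not only the one it was found in
        partition = [sub for block in partition
                     for sub in split(block, chosen, responses)]
```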
12
Active Fingerprinting using NMAP Tests (1/3)
Nmap identifies a TCP stack implementation by using nine test sequences
In its fingerprint database, Nmap stores the encoded responses to those test sequences for more than 1300 implementations
13
Active Fingerprinting using NMAP Tests (2/3)
Fig. 3 shows the PEFSM of the input / output behavior of implementations from the Nmap database
All inputs except T3 could be used as a separating sequence for the two machines
14
Active Fingerprinting using NMAP Tests (3/3)
Ex. Using {Tseq, T1, T2, T3, PU} can separate each implementation in the Router category
* means there is no exact fingerprint set
15
Passive Fingerprinting (1/2)
Use the TCP Behavior Inference Tool (TBIT) to generate specific traffic
Observe the input and output in the trace and transit each candidate accordingly; if a candidate cannot transit, it cannot generate that trace
16
Passive Fingerprinting (2/2)
NF: NoFR, T: Tahoe, R: Reno, NR: NewReno
After the duplicate acknowledgement ACK [12] is sent four times, we see a fast retransmission without timeout
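The trace-replay check described on this slide and the previous one, as an added Python example (not code from the paper or from TBIT). The two candidate machines FR and NoFR are constructed, simplified stand-ins for a fast-retransmit sender and a timeout-only sender, the input symbols ack/timeout and output symbols send/none/retx are assumed, and the trace mirrors the four copies of ACK 12 noted above.

```python
# A transition is (src, dst, input, output, guard, action), with
# guard(vars, params) -> bool and action(vars, params) -> new vars,
# i.e. the P(X, i) and A(X, i, o) of the PEFSM model.
def newer_ack(v, p): return p["n"] > v["last_ack"]
def dup_ack(v, p):   return p["n"] == v["last_ack"]
def early_dup(v, p): return dup_ack(v, p) and v["dupacks"] < 2
def third_dup(v, p): return dup_ack(v, p) and v["dupacks"] == 2
def advance(v, p):   return {**v, "last_ack": p["n"], "dupacks": 0}
def count_dup(v, p): return {**v, "dupacks": v["dupacks"] + 1}

INIT = {"last_ack": 0, "dupacks": 0}
# Constructed fast-retransmit sender: the third duplicate ACK triggers retx.
FR = [("SS", "SS", "ack", "send", newer_ack, advance),
      ("SS", "SS", "ack", "none", early_dup, count_dup),
      ("SS", "REX", "ack", "retx", third_dup, advance)]
# Constructed timeout-only sender: duplicates are only counted; retx needs a timeout.
NOFR = [("SS", "SS", "ack", "send", newer_ack, advance),
        ("SS", "SS", "ack", "none", dup_ack, count_dup),
        ("SS", "REX", "timeout", "retx", lambda v, p: True, lambda v, p: v)]
CANDIDATES = {"FR": FR, "NoFR": NOFR}

def can_generate(transitions, trace, state="SS", variables=INIT):
    """True if some run of the PEFSM produces the trace of (input, params, output)."""
    if not trace:
        return True
    (inp, params, out), rest = trace[0], trace[1:]
    for src, dst, i, o, guard, action in transitions:
        # explore every enabled transition so non-deterministic machines are handled
        if src == state and i == inp and o == out and guard(variables, params):
            if can_generate(transitions, rest, dst, action(variables, params)):
                return True
    return False

def passive_fingerprint(candidates, trace):
    """Names of the candidates that could have produced the observed trace."""
    return [name for name, t in candidates.items() if can_generate(t, trace)]

# Constructed trace: ACK 12 observed four times, then a retransmission with no timeout.
TRACE = [("ack", {"n": 12}, "send"), ("ack", {"n": 12}, "none"),
         ("ack", {"n": 12}, "none"), ("ack", {"n": 12}, "retx")]
```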
17
Defending Against Malicious Fingerprinting (1/5)
Scrubbing
Camouflage
One important principle: the modification should be transparent to all regular users
18
Defending Against Malicious Fingerprinting (2/5)
When receiving I3, discard it
The grey circle represents the common user set
19
Defending Against Malicious Fingerprinting (3/5)
When receiving I3, respond with O4 instead of O3
The grey circle represents the union of all user sets
Regular users expect the trace from any implementation
20
Defending Against Malicious Fingerprinting (4/5)
Neither scrubbing nor camouflage is effective
The grey circle represents the T1 user set
Regular users expect the trace from the T1 implementation
21
Defending Against Malicious Fingerprinting (5/5)
Follow the maximum overlapping subset until only one implementation is possible
When receiving I3, respond with O3 because it is shared by M1 and M3
The grey circle represents the union of all user sets
22
Conclusion
Proposed a formal approach for fingerprinting
Use PEFSM to model protocol implementations
Proposed algorithms for active and passive fingerprinting
23
Comments
General and automated method
Huge database (like the Nmap database) is needed
How to construct the PEFSM?