Network Protocol System Fingerprinting - A Formal Approach
Guoqiang Shu and David Lee
INFOCOM 2006
Speaker: Chang Huan Wu
2008/10/31
Outline
- Introduction
- A Formal Model
- Active and Passive Fingerprinting
- Defending Against Malicious Fingerprinting
- Conclusions
Introduction (1/3)
Identifying specific features of a network protocol implementation by analyzing its input/output behavior
- Facilitate management
- Exploit the vulnerability of certain implementations
Introduction (2/3)
Most network protocols are not specified completely and deterministically
- Optional features
- Unspecified behaviors under some circumstances
Introduction (3/3)
Goal: identify which implementation it is by analyzing the input/output behaviors
- Active: use some predetermined input sequences for probing the target host
- Passive: observe a trace of input/output messages from the target host without disrupting its normal operations
A Formal Model (1/4)
Parameterized Extended Finite State Machine (PEFSM) is a 6-tuple M = <S, s_init, I, O, X, T>
- S: a finite set of states
- s_init: initial state
- I = {i0, i1, i2, …, ip-1}: input alphabet, each symbol carries a vector of parameter values
- O = {o0, o1, o2, …, oq-1}: output alphabet
- X: finite set of variables with default initial values
A Formal Model (2/4)
- T: finite set of transitions
- For t ∈ T, t = {s, s', i, o, P(X, i), A(X, i, o)}
  - s / s': start state / end state
  - i and o: input / output symbols with parameters
  - P: predicate of the variables and input parameters
  - A: an operation on the variables, based on the current variable values, input and output parameter values
[Figure: Example of PEFSM transition]
[Figure: PEFSM model of a simplified TCP Tahoe implementation (state variables, guards and actions of transitions are omitted). States: initial state (SYN), slow start (SS), congestion avoidance (CA), retransmission (REX), finish (Fin). Each edge is labelled with the transition name and its input / output.]
A Formal Model (3/4)
Given a candidate group of implementation machines C = {M1, M2, …, Mk}, a test sequence seq separates Mi and Mj if, taking seq as input, Mi and Mj have different output.
A fingerprinting set F for a candidate group C is a set of test sequences such that, for each pair of machines in C, F contains a sequence that separates them.
A Formal Model (4/4)
Given a candidate group, the goal of
- Active fingerprinting: construct a fingerprinting set
- Passive fingerprinting: decide whether a specific candidate can generate the given trace
Active Fingerprinting
Algorithm 1: generate a sequence that separates two candidates
Algorithm 2: generate the fingerprint set
- Partition = { {M1, M2, M3, M4} }; M1 and M3 can be separated by T1
- Use T1 to separate {M1, M2, M3, M4}
- Partition = { {M1, M4}, {M2, M3} }; M1 and M4 can be separated by T2
- Use T2 to separate {M1, M4} and {M2, M3} …
- Until all sets in Partition have only one element
- If T2 separates {M1, M4} and {M2, M3} => Partition = { {M1}, {M2}, {M3}, {M4} }
- fingerprint set = {T1, T2}
Active Fingerprinting using NMAP Tests (1/3)
Nmap identifies a TCP stack implementation by using nine test sequences
In the fingerprint database Nmap stores the encoded response to those test sequences of more than 1300 implementations
Active Fingerprinting using NMAP Tests (2/3)
Fig. 3 is the PEFSM of the input / output behavior of some implementations in Nmap
All inputs except T3 could be used as a separating sequence for the two machines
Active Fingerprinting using NMAP Tests (3/3)
Ex.: {Tseq, T1, T2, T3, PU} can separate every implementation in the Router category
* means there is no exact fingerprint set
Passive Fingerprinting (1/2)
Using the TCP Behavior Inference Tool (TBIT) to generate specific traffic
Observe the input and output in the trace and follow the corresponding transition in each candidate; if a candidate cannot make the transition, that candidate cannot have generated the trace
Passive Fingerprinting (2/2)
NF: NoFR, T: Tahoe, R: Reno, NR: NewReno
After the duplicate acknowledgement ACK [12] is sent four times, we see a fast retransmission without timeout
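As an added example (not code from the paper or these slides), the Python below models three constructed sender implementations as deterministic PEFSMs, with a duplicate-ACK counter as the only state variable, and runs both procedures the slides describe: Algorithm 1 is replaced by a bounded search for a shortest separating sequence, Algorithm 2 is the partition refinement from the Active Fingerprinting slide, and the passive check walks an observed input/output trace and drops every candidate that has no matching transition. The machine names NoFR/FR3/FR4, the input alphabet ACK/DUPACK/TIMEOUT, the state names and the observed trace are all constructed for illustration; they are not real TCP stacks, Nmap tests or TBIT output.

```python
"""Constructed PEFSM candidates plus the two checks from the slides: active
fingerprinting (separating sequences refined into a fingerprint set) and
passive fingerprinting (drop candidates that cannot follow the observed trace)."""
from dataclasses import dataclass
from itertools import product
from typing import Callable, Dict, List, Optional, Tuple

Vars = Dict[str, int]

@dataclass
class Transition:
    src: str
    dst: str
    inp: str
    out: str
    guard: Callable[[Vars], bool] = lambda x: True    # predicate P(X, i)
    action: Callable[[Vars], None] = lambda x: None   # action A(X, i, o)

@dataclass
class PEFSM:
    """Deterministic PEFSM: at most one enabled transition per (state, input)."""
    name: str
    s_init: str
    x_init: Vars
    trans: List[Transition]

    def step(self, state: str, x: Vars, inp: str) -> Optional[Tuple[str, str]]:
        """Fire the first enabled transition on inp; return (output, next state)."""
        for t in self.trans:
            if t.src == state and t.inp == inp and t.guard(x):
                t.action(x)
                return t.out, t.dst
        return None                      # unspecified behaviour: no transition

    def run(self, seq: List[str]) -> List[Optional[str]]:
        """Output sequence for an input sequence; a trailing None marks a dead end."""
        state, x, outs = self.s_init, dict(self.x_init), []
        for inp in seq:
            r = self.step(state, x, inp)
            if r is None:
                return outs + [None]
            outs.append(r[0])
            state = r[1]
        return outs

    def can_generate(self, trace: List[Tuple[str, str]]) -> bool:
        """Passive check: a pair with no matching transition rules this candidate out."""
        state, x = self.s_init, dict(self.x_init)
        for inp, observed in trace:
            r = self.step(state, x, inp)
            if r is None or r[0] != observed:
                return False
            state = r[1]
        return True

def find_separator(m1: PEFSM, m2: PEFSM, alphabet, max_len=6) -> Optional[List[str]]:
    """Stand-in for Algorithm 1: bounded search for a shortest separating sequence."""
    for n in range(1, max_len + 1):
        for seq in product(alphabet, repeat=n):
            if m1.run(list(seq)) != m2.run(list(seq)):
                return list(seq)
    return None

def fingerprint_set(cands, alphabet, max_len=6):
    """Algorithm 2: separate one unseparated pair, split every block by its outputs."""
    partition, fset = [list(cands)], []
    while any(len(b) > 1 for b in partition):
        block = next(b for b in partition if len(b) > 1)
        seq = find_separator(block[0], block[1], alphabet, max_len)
        if seq is None:
            raise ValueError(f"{block[0].name}/{block[1].name}: not separable within {max_len} inputs")
        fset.append(seq)
        refined = []
        for b in partition:
            groups: Dict[tuple, list] = {}
            for m in b:
                groups.setdefault(tuple(m.run(seq)), []).append(m)
            refined.extend(groups.values())
        partition = refined
    return fset, partition

def sender_model(name: str, fr_threshold: Optional[int]) -> PEFSM:
    """Constructed sender: REX on TIMEOUT and, unless None, after fr_threshold DUPACKs."""
    def reset(x): x["dup"] = 0
    def bump(x): x["dup"] += 1
    tr = [Transition("SS", "SS", "ACK", "SEND", action=reset),
          Transition("SS", "REX", "TIMEOUT", "REX", action=reset),
          Transition("REX", "SS", "ACK", "SEND", action=reset),
          Transition("REX", "REX", "DUPACK", "NOP"),
          Transition("REX", "REX", "TIMEOUT", "REX")]
    if fr_threshold is not None:         # guard: enough duplicates already counted
        tr.append(Transition("SS", "REX", "DUPACK", "REX",
                             guard=lambda x: x["dup"] >= fr_threshold - 1, action=reset))
    tr.append(Transition("SS", "SS", "DUPACK", "NOP", action=bump))
    return PEFSM(name, "SS", {"dup": 0}, tr)

ALPHABET = ["ACK", "DUPACK", "TIMEOUT"]
CANDIDATES = [sender_model("NoFR", None), sender_model("FR3", 3), sender_model("FR4", 4)]
# Constructed observation: four duplicate ACKs, then a retransmission without a timeout.
OBSERVED = [("DUPACK", "NOP")] * 3 + [("DUPACK", "REX")]

if __name__ == "__main__":
    print(fingerprint_set(CANDIDATES, ALPHABET)[0])
    print([m.name for m in CANDIDATES if m.can_generate(OBSERVED)])
```

Running it yields the fingerprint set {DUPACK×3, DUPACK×4}: three duplicate ACKs split FR3 from the other two, and a fourth is needed to split NoFR from FR4, exactly the pairwise refinement shown on the Active Fingerprinting slide. The passive check on OBSERVED leaves only FR4, mirroring the slide's reasoning that a fast retransmission after four duplicate ACKs excludes an implementation with no fast retransmit.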
Defending Against Malicious Fingerprinting (1/5)
- Scrubbing
- Camouflage
One important principle: the modification should be transparent to all regular users
Defending Against Malicious Fingerprinting (2/5)
When receiving I3, discard it
The grey circle represents the common user sets
Defending Against Malicious Fingerprinting (3/5)
When receiving I3, respond O4 instead of O3
The grey circle represents the union of all user sets
Regular users expect the trace from any implementation
Defending Against Malicious Fingerprinting (4/5)
Neither scrubbing nor camouflage is effective
The grey circle represents the T1 user set
Regular users expect the trace from the T1 implementation
Defending Against Malicious Fingerprinting (5/5)
Follow the maximum overlapping subset until there is only one implementation possible
When receiving I3, respond O3 because it is the output shared (overlapped) by M1 and M3
The grey circle represents the union of all user sets
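As an added illustration of the defense slides (not code from the paper), the Python below abstracts each candidate implementation to a stateless response table and implements both strategies: scrubbing discards inputs outside the set that regular users send, and camouflage answers each input with the output shared by the largest subset of the implementations still consistent with everything already emitted (the maximum overlapping subset). A transparency check then tests the stated principle against the two user expectations from the slides: users who accept any implementation's trace and users who expect one specific implementation's trace. The tables M1..M3, inputs I1..I3, outputs O1..O4 and the regular-input set are constructed.

```python
"""Constructed model of the scrubbing and camouflage defenses from the slides.
Each candidate implementation is abstracted to a stateless response table
(input symbol -> output symbol); M1..M3, I1..I3 and O1..O4 are made up."""
from collections import Counter
from typing import Callable, Dict, List, Optional, Set, Tuple

Table = Dict[str, str]

# Constructed candidate group C: an observer can learn at most which member of C
# produced the responses it sees.
CANDIDATES: Dict[str, Table] = {
    "M1": {"I1": "O1", "I2": "O2", "I3": "O3"},
    "M2": {"I1": "O1", "I2": "O4", "I3": "O4"},
    "M3": {"I1": "O1", "I2": "O4", "I3": "O3"},
}
# Inputs regular users actually send (the grey circle on the slides, constructed):
# I3 is assumed to arrive only from fingerprinting probes.
REGULAR_INPUTS: Set[str] = {"I1", "I2"}

def consistent(cands: Dict[str, Table], trace: List[Tuple[str, str]]) -> Set[str]:
    """Observer's view: candidates whose table agrees with every (input, output) seen."""
    return {m for m, tbl in cands.items() if all(tbl[i] == o for i, o in trace)}

class ScrubbingHost:
    """Runs real implementation `impl`; inputs no regular user sends are dropped."""
    def __init__(self, impl: str):
        self.impl = impl

    def respond(self, inp: str) -> Optional[str]:
        if inp not in REGULAR_INPUTS:
            return None                  # discard, like I3 on slide 2/5
        return CANDIDATES[self.impl][inp]

class CamouflageHost:
    """Answer each input with the output shared by the largest subset of the
    candidates still consistent with what has been emitted so far (slide 5/5)."""
    def __init__(self, cands: Dict[str, Table]):
        self.cands = cands
        self.alive: Set[str] = set(cands)

    def respond(self, inp: str) -> str:
        votes = Counter(self.cands[m][inp] for m in sorted(self.alive))
        # largest overlap wins; ties are broken by output name so runs repeat exactly
        out = max(sorted(votes), key=lambda o: votes[o])
        self.alive = {m for m in self.alive if self.cands[m][inp] == out}
        return out

def transparent(make_host: Callable[[], object], expected: Set[str]) -> bool:
    """Transparency principle: for every regular input, the host's answer must be
    one that some implementation in the users' expected set would give."""
    host = make_host()
    for inp in sorted(REGULAR_INPUTS):
        out = host.respond(inp)
        if out is None or not any(CANDIDATES[m][inp] == out for m in expected):
            return False
    return True

if __name__ == "__main__":
    h = CamouflageHost(CANDIDATES)
    trace = [(i, h.respond(i)) for i in ("I1", "I2", "I3")]
    print(trace, "observer concludes:", consistent(CANDIDATES, trace))
    print("transparent to users of any implementation:",
          transparent(lambda: CamouflageHost(CANDIDATES), set(CANDIDATES)))
    print("transparent to users expecting M1 only:",
          transparent(lambda: CamouflageHost(CANDIDATES), {"M1"}))
```

On the constructed tables the camouflaging host answers I3 with O3 (shared by M1 and M3) rather than M2's O4, and each later answer again keeps the largest consistent subset, so an observer only narrows to one implementation after the whole probe set. The transparency check reproduces slides 3/5 and 4/5: camouflage passes when regular users accept any implementation's trace, and fails when they expect the trace of one specific implementation, which is the case where neither scrubbing nor camouflage helps.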
Conclusion
- Proposed a formal approach for fingerprinting
- Use PEFSM to model protocol implementations
- Proposed algorithms for active and passive fingerprinting
Comments
- General and automated method
- Huge database (like the Nmap database) is needed
- How to construct the PEFSM?