
Network Protocol System Fingerprinting - A Formal Approach

Network Protocol System Fingerprinting - A Formal Approach. Guoqiang Shu and David Lee. Speaker: Chang Huan Wu 2008/10/31. INFOCOM 2006. Outline. Introduction A Formal Model Active and Passive Fingerprinting Defending Against Malicious Fingerprinting Conclusions. Introduction (1/3).





Presentation Transcript


  1. Network Protocol System Fingerprinting - A Formal Approach Guoqiang Shu and David Lee Speaker: Chang Huan Wu 2008/10/31 INFOCOM 2006

  2. Outline • Introduction • A Formal Model • Active and Passive Fingerprinting • Defending Against Malicious Fingerprinting • Conclusions

  3. Introduction (1/3)
     • Identifying specific features of a network protocol implementation by analyzing its input/output behavior
     • Facilitates management
     • Can also be used to exploit the vulnerabilities of certain implementations

  4. Introduction (2/3)
     • Most network protocols are not specified completely and deterministically
     • Optional features
     • Unspecified behaviors under some circumstances

  5. Introduction (3/3)
     • Goal: identify which implementation it is by analyzing the input/output behaviors
     • Active: use some predetermined input sequences to probe the target host
     • Passive: observe a trace of input/output messages from the target host without disrupting its normal operations

  6. A Formal Model (1/4)
     • A Parameterized Extended Finite State Machine (PEFSM) is a 6-tuple M = <S, s_init, I, O, X, T>
     • S: a finite set of states
     • s_init: the initial state
     • I = {i_0, i_1, i_2, …, i_{p-1}}: input alphabet, each symbol carries a vector of parameter values
     • O = {o_0, o_1, o_2, …, o_{q-1}}: output alphabet
     • X: finite set of variables with default initial values

  7. A Formal Model (2/4)
     • T: finite set of transitions
     • For t ∈ T, t = <s, s', i, o, P(X, i), A(X, i, o)>
     • s / s': start state / end state
     • i and o: input / output symbols with parameters
     • P: predicate (guard) over the variables and the input parameters
     • A: an operation on the variables, based on the current variable values and the input and output parameter values
     (Figure: example of a PEFSM transition)

  8. PEFSM model of a simplified TCP Tahoe implementation (state variables, guards and actions of the transitions are omitted)
     (Figure legend: transition name, input / output)
     States: initial state (SYN), slow start (SS), congestion avoidance (CA), retransmission (REX), finish (Fin)

  9. A Formal Model (3/4)
     • Given a candidate group of implementation machines C = {M1, M2, …, Mk}, a test sequence seq separates Mi and Mj if, taking seq as input, Mi and Mj produce different outputs
     • A fingerprinting set F for a candidate group C is a set of test sequences such that, for each pair of machines in C, F contains a sequence that separates them

  10. A Formal Model (4/4)
     • Given a candidate group, the goal of
     • Active fingerprinting: construct a fingerprinting set
     • Passive fingerprinting: decide whether a specific candidate could have generated the given trace

  11. Active Fingerprinting
     • Algorithm 1: generate a sequence that separates two candidates
     • Algorithm 2: generate the fingerprinting set
     Example run of Algorithm 2:
     Partition = { {M1, M2, M3, M4} }
     M1 and M3 can be separated by T1; use T1 to separate {M1, M2, M3, M4}
     Partition = { {M1, M4}, {M2, M3} }
     M1 and M4 can be separated by T2; use T2 to separate {M1, M4} and {M2, M3}
     … until all sets in Partition have only one element
     If T2 separates {M1, M4} and {M2, M3} => Partition = { {M1}, {M2}, {M3}, {M4} }; fingerprinting set = {T1, T2}

  12. Active Fingerprinting using NMAP Tests (1/3)
     • Nmap identifies a TCP stack implementation by using nine test sequences
     • In its fingerprint database, Nmap stores the encoded responses to those test sequences for more than 1300 implementations

  13. Active Fingerprinting using NMAP Tests (2/3)
     • Fig. 3 shows the PEFSM of the input/output behavior of some implementations in the Nmap database
     • Every input except T3 can be used as a separating sequence for the two machines

  14. Active Fingerprinting using NMAP Tests (3/3)
     • Example: {Tseq, T1, T2, T3, PU} can separate every implementation in the Router category
     (Table legend: * means there is no exact fingerprinting set)

  15. Passive Fingerprinting (1/2)
     • Use the TCP Behavior Inference Tool (TBIT) to generate specific traffic
     • Observe the inputs and outputs in the trace and step through the candidate's transitions; if a candidate cannot make a transition, that candidate cannot have generated the trace

  16. Passive Fingerprinting (2/2)
     (Figure legend: NF: NoFR, T: Tahoe, R: Reno, NR: NewReno)
     After the duplicate acknowledgement ACK [12] is sent four times, we see a fast retransmission without a timeout

  17. Defending Against Malicious Fingerprinting (1/5)
     • Scrubbing
     • Camouflage
     • One important principle: the modification should be transparent to all regular users

  18. Defending Against Malicious Fingerprinting (2/5)
     • Scrubbing: when receiving I3, discard it
     (Figure: the grey circle represents the common user set)

  19. Defending Against Malicious Fingerprinting (3/5)
     • Camouflage: when receiving I3, respond with O4 instead of O3
     (Figure: the grey circle represents the union of all user sets; a regular user expects the trace of any implementation)

  20. Defending Against Malicious Fingerprinting (4/5)
     • Neither scrubbing nor camouflage is effective here
     (Figure: the grey circle represents the T1 user set; a regular user expects the trace of the T1 implementation)

  21. Defending Against Malicious Fingerprinting (5/5)
     • Follow the maximum overlapping subset until only one implementation remains possible
     • When receiving I3, respond with O3 because that output is shared by M1 and M3
     (Figure: the grey circle represents the union of all user sets)
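The model and algorithms of slides 6 to 21 can be exercised in code. The following is an added Python example, not code from the paper or from the presentation: it models the PEFSM of slides 6 and 7 (states, parameterized inputs, variables, guards P and actions A), builds a constructed candidate group M1..M4 over abstract inputs I1..I3 and outputs O1..O4, runs the partition-refinement construction of a fingerprinting set from slide 11 (Algorithm 2), the passive check of slide 15 (a candidate that cannot make a transition cannot have generated the trace), and the maximum-overlap response rule of slide 21. Every machine definition, test sequence and trace below is constructed for illustration, and all class and function names are the example's own.

```python
from collections import Counter
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional, Tuple

Seq = List[Tuple[str, dict]]            # input sequence: (input symbol, parameter vector)
Trace = List[Tuple[str, dict, str]]     # observed trace: (input symbol, parameters, output symbol)


@dataclass
class Transition:
    """t = <s, s', i, o, P(X, i), A(X, i, o)>: the guard P reads the variables X and the
    input parameters, the action A updates X in place (names are this example's own)."""
    src: str
    dst: str
    inp: str
    out: str
    guard: Callable[[dict, dict], bool] = lambda x, p: True
    action: Callable[[dict, dict], None] = lambda x, p: None


@dataclass
class PEFSM:
    name: str
    init: str
    transitions: List[Transition]       # checked in order, so a guarded transition listed first wins
    variables: Dict[str, object] = field(default_factory=dict)

    def run(self, seq: Seq) -> Optional[List[str]]:
        """Outputs produced for seq, or None when some input has no enabled transition."""
        state, x, outs = self.init, dict(self.variables), []
        for inp, params in seq:
            for t in self.transitions:
                if t.src == state and t.inp == inp and t.guard(x, params):
                    t.action(x, params)
                    outs.append(t.out)
                    state = t.dst
                    break
            else:
                return None                 # the machine cannot transit on this input
        return outs


def loops(table: Dict[str, str]) -> List[Transition]:
    """Self-loops on state s0 answering each input with a fixed output."""
    return [Transition("s0", "s0", i, o) for i, o in table.items()]


# Constructed candidate group C = {M1, M2, M3, M4} (not from the paper).
M1 = PEFSM("M1", "s0", loops({"I1": "O1", "I2": "O2", "I3": "O3"}))
M2 = PEFSM("M2", "s0", loops({"I1": "O2", "I2": "O2", "I3": "O3"}))
M3 = PEFSM("M3", "s0", loops({"I1": "O2", "I3": "O3"}) + [
    Transition("s0", "s1", "I2", "O2"),                  # the first I2 changes state
    Transition("s1", "s1", "I2", "O3"),                  # every later I2 answers O3
    Transition("s1", "s1", "I1", "O2"), Transition("s1", "s1", "I3", "O3")])
M4 = PEFSM("M4", "s0", loops({"I1": "O1", "I3": "O3"}) + [
    # I2 carries an "ack" parameter; on the fourth repeat of the same ack the guard
    # enables O4 (the fast-retransmit-after-duplicate-ACKs shape of slide 16)
    Transition("s0", "s0", "I2", "O4",
               guard=lambda x, p: x["n"] >= 2 and p.get("ack") == x["last"]),
    Transition("s0", "s0", "I2", "O2", action=lambda x, p: x.update(
        n=x["n"] + 1 if p.get("ack") == x["last"] else 0, last=p.get("ack")))],
    variables={"n": 0, "last": None})
CANDIDATES = [M1, M2, M3, M4]


def outputs_key(m: PEFSM, seq: Seq):
    r = m.run(seq)
    return None if r is None else tuple(r)


def separates(seq: Seq, a: PEFSM, b: PEFSM) -> bool:
    """Slide 9: seq separates a and b if they produce different outputs for it."""
    return outputs_key(a, seq) != outputs_key(b, seq)


def fingerprint_set(candidates: List[PEFSM], tests: List[Seq]) -> List[Seq]:
    """Algorithm 2 of slide 11: refine the partition {C} with separating sequences
    drawn from a pool of tests until every block is a singleton; returns F."""
    partition, fset = [list(candidates)], []
    while any(len(block) > 1 for block in partition):
        block = next(b for b in partition if len(b) > 1)
        seq = next((t for t in tests if separates(t, block[0], block[1])), None)
        if seq is None:                     # the '*' case of slide 14: no exact fingerprinting set
            raise ValueError(f"no test separates {block[0].name} and {block[1].name}")
        fset.append(seq)
        refined = []
        for blk in partition:               # machines stay together only if they answer alike
            groups: Dict[object, List[PEFSM]] = {}
            for m in blk:
                groups.setdefault(outputs_key(m, seq), []).append(m)
            refined.extend(groups.values())
        partition = refined
    return fset


def passive_fingerprint(candidates: List[PEFSM], trace: Trace) -> List[PEFSM]:
    """Slide 15: keep only the candidates that can generate the observed trace."""
    inputs = [(i, p) for i, p, _ in trace]
    return [m for m in candidates if m.run(inputs) == [o for _, _, o in trace]]


def camouflage_response(candidates: List[PEFSM], trace: Trace, inp: Tuple[str, dict]) -> Optional[str]:
    """Slide 21: answer inp with the output shared by the largest subset of candidates
    still consistent with the trace, so the observer's candidate set shrinks as slowly as possible."""
    live = passive_fingerprint(candidates, trace)
    seq = [(i, p) for i, p, _ in trace] + [inp]
    votes = Counter(r[-1] for r in (m.run(seq) for m in live) if r)
    return votes.most_common(1)[0][0] if votes else None


if __name__ == "__main__":
    T1, T2, T3 = [("I1", {})], [("I2", {"ack": 12})] * 4, [("I3", {})]
    print([[i for i, _ in s] for s in fingerprint_set(CANDIDATES, [T3, T1, T2])])   # [['I1'], ['I2']*4]
    trace = [("I1", {}, "O2"), ("I2", {"ack": 12}, "O2"), ("I2", {"ack": 12}, "O3")]
    print([m.name for m in passive_fingerprint(CANDIDATES, trace)])                 # ['M3']
    print(camouflage_response(CANDIDATES, [("I2", {"ack": 12}, "O2")], ("I2", {"ack": 12})))  # O2
```

Algorithm 1 (constructing a separating sequence for a pair) is replaced here by searching a fixed pool of test sequences, which is how the walkthrough on slide 11 and the Nmap tests of slides 12 to 14 proceed; when no test in the pool separates a pair, `fingerprint_set` raises, which corresponds to the '*' entries of slide 14. With the constructed machines, T3 separates nothing, T1 splits the group into {M1, M4} and {M2, M3}, and T2 finishes the job, so the resulting set is {T1, T2}. The camouflage rule only ever picks an output that some real candidate would produce after the same history, which is what keeps it transparent to regular users (slide 17).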

  22. Conclusion
     • Proposed a formal approach to fingerprinting
     • Used PEFSMs to model protocol implementations
     • Proposed algorithms for active and passive fingerprinting

  23. Comments
     • General and automated method
     • A huge database (like the Nmap database) is needed
     • How to construct the PEFSM?
