13 research outputs found

    Prospex: Protocol Specification Extraction

    Protocol reverse engineering is the process of extracting application-level specifications for network protocols. Such specifications are very useful in a number of security-related contexts, for example, to perform deep packet inspection and black-box fuzzing, or to quickly understand custom botnet command and control (C&C) channels. Since manual reverse engineering is a time-consuming and tedious process, a number of systems have been proposed that aim to automate this task. These systems either analyze network traffic directly or monitor the execution of the application that receives the protocol messages. While previous systems show that precise message formats can be extracted automatically, they do not provide a protocol specification. The reason is that they do not reverse engineer the protocol state machine. In this paper, we focus on closing this gap by presenting a system that is capable of automatically inferring state machines. This greatly enhances the results of automatic protocol reverse engineering, while further reducing the need for human interaction. We extend previous work that focuses on behavior-based message format extraction, and introduce techniques for identifying and clustering different types of messages not only based on their structure, but also according to the impact of each message on server behavior. Moreover, we present an algorithm for extracting the state machine. We have applied our techniques to a number of real-world protocols, including the command and control protocol used by a malicious bot. Our results demonstrate that we are able to extract format specifications for different types of messages and meaningful protocol state machines. We use these protocol specifications to automatically generate input for a stateful fuzzer, allowing us to discover security vulnerabilities in real-world applications.

    Threats to privacy sensitive data

    Summary (translated from German): In recent years, hundreds of millions of users have become victims of cybercrime. Malicious software (malware) or activities such as data or identity theft, phishing, botnets, trojans, or targeted spam campaigns are a serious threat to the security and protection of users' sensitive and private data. This dissertation presents novel approaches and techniques for three problem areas within the field of computer security. First, we present a novel threat scenario for social networks (e.g., Facebook, LinkedIn, Xing) that allows an attacker to de-anonymize a large number of users. We show, both theoretically and experimentally, that such an attack is feasible in practice with relatively little effort and endangers the personal data and privacy of millions of users. Furthermore, we use a study to demonstrate the connection between cybercrime and the internet shadow economy (underground economy). We conduct a technical and economic investigation of the online adult industry and show that opaque business models go hand in hand with traditional security threats. This concerns in particular the topics of traffic trading, fraud in affiliate programs, the spying out of private browser data, and malware threats (drive-by downloads). Finally, we present Prospex, a system for the automatic reverse engineering of network protocols. Using dynamic taint analysis, it is possible to draw conclusions about the internal behavior of programs that implement a protocol. We introduce novel methods with which precise format and type descriptions for protocol messages can be generated and a state machine can be derived. As a concrete application, we show that automatically generated protocol descriptions can be used for fuzz testing of existing software, and that real security vulnerabilities can be found in this way.

    In recent years, security and privacy threats like data or identity theft, phishing, credential-stealing trojans, botnets, or targeted spam campaigns have affected millions of users and online businesses. Researchers have acknowledged these threats, and are actively exploring potential attack vectors and developing solutions and countermeasures. In this doctoral thesis, we present new approaches and techniques to three problems in the domain of computer security that severely impact user privacy. First, we introduce a novel attack scenario against social networks (e.g., Facebook, LinkedIn, Xing) that potentially allows a miscreant to de-anonymize a large number of social network users. We demonstrate, both theoretically and practically, that this is feasible in a real-world scenario, thus compromising the privacy and security of millions of users. Second, we conduct a study on cybercrime and the underground economy. Specifically, we investigate shady business practices using the example of the online adult industry and perform an economic and technical analysis. Furthermore, we provide a real-world evaluation of security issues in this domain, including traffic trading, affiliate fraud, history stealing, and malware (drive-by-download) vulnerability assessments. Finally, we present "Prospex", a system that aims at automatic network protocol reverse engineering. By applying dynamic taint analysis to binaries, we can observe the internal behavior of programs that implement an application-level protocol. Then, we use novel techniques to identify message formats and types, and infer a protocol state machine. As an application of our system, we show that we successfully used the recovered protocol specifications as input to a fuzz testing tool, allowing us to find security vulnerabilities in real-world software.

    Automatic network protocol analysis


    Is the internet for porn? An insight into the online adult industry


    A practical attack to de-anonymize social network users
