Network Protocol System Fingerprinting - A Formal Approach Guoqiang Shu and David Lee INFOCOM 2006 Speaker: Chang Huan Wu 2008/10/31


Page 1: Network Protocol System Fingerprinting - A Formal Approach

Guoqiang Shu and David Lee

INFOCOM 2006

Speaker: Chang Huan Wu, 2008/10/31

Page 2: Outline

– Introduction
– A Formal Model
– Active and Passive Fingerprinting
– Defending Against Malicious Fingerprinting
– Conclusions

Page 3: Introduction (1/3)

– Fingerprinting identifies specific features of a network protocol implementation by analyzing its input/output behavior
– It is used both to facilitate management and to exploit the vulnerabilities of certain implementations

Page 4: Introduction (2/3)

– Most network protocols are not specified completely and deterministically
   – Optional features
   – Unspecified behaviors under some circumstances

Page 5: Introduction (3/3)

– Goal: identify which implementation the target runs by analyzing its input/output behavior
   – Active: probe the target host with predetermined input sequences
   – Passive: observe a trace of input/output messages from the target host without disrupting its normal operation

Page 6: A Formal Model (1/4)

– A Parameterized Extended Finite State Machine (PEFSM) is a 6-tuple M = <S, s_init, I, O, X, T>
   – S: a finite set of states
   – s_init: the initial state
   – I = {i_0, i_1, i_2, …, i_{p-1}}: input alphabet; each input carries a vector of parameter values
   – O = {o_0, o_1, o_2, …, o_{q-1}}: output alphabet
   – X: a finite set of variables with default initial values

Page 7: A Formal Model (2/4)

   – T: a finite set of transitions
   – For t ∈ T, t = (s, s', i, o, P(X, i), A(X, i, o))
      – s / s': start state / end state
      – i and o: input / output symbols with parameters
      – P: a predicate over the variables and the input parameters
      – A: an operation on the variables, based on the current variable values and the input and output parameter values

(Figure: example of a PEFSM transition)

Page 8: PEFSM model of a simplified TCP Tahoe implementation

(Figure; state variables, guards and actions of the transitions are omitted. States: initial state (SYN), slow start (SS), congestion avoidance (CA), retransmission (REX), finish (Fin). Each edge is labelled "transition name: input / output".)

Page 9: A Formal Model (3/4)

– Given a candidate group of implementation machines C = {M_1, M_2, …, M_k}, a test sequence seq separates M_i and M_j if, taking seq as input, M_i and M_j produce different outputs
– A fingerprinting set F for a candidate group C is a set of test sequences such that for each pair of machines in C, F contains a sequence that separates them

Page 10: A Formal Model (4/4)

– Given a candidate group, the goal of
   – Active fingerprinting: construct a fingerprinting set
   – Passive fingerprinting: decide whether a specific candidate could have generated the given trace

Page 11: Active Fingerprinting

– Algorithm 1: generate a sequence that separates two candidates
– Algorithm 2: generate the fingerprinting set by refining a partition of the candidate group
   – Partition = { {M1, M2, M3, M4} }; M1 and M3 can be separated by T1
   – Use T1 to split {M1, M2, M3, M4}
   – Partition = { {M1, M4}, {M2, M3} }; M1 and M4 can be separated by T2
   – Use T2 to split {M1, M4} and {M2, M3}, …
   – Repeat until every set in the partition has only one element
   – If T2 splits both {M1, M4} and {M2, M3} => Partition = { {M1}, {M2}, {M3}, {M4} }
   – Fingerprinting set = {T1, T2}

Page 12: Active Fingerprinting using NMAP Tests (1/3)

– Nmap identifies a TCP stack implementation by using nine test sequences
– In its fingerprint database, Nmap stores the encoded responses to those test sequences for more than 1300 implementations

Page 13: Active Fingerprinting using NMAP Tests (2/3)

– Fig. 3 shows the PEFSM of the input/output behavior of implementations taken from the Nmap database
– All inputs except T3 could be used as a separating sequence for the two machines

Page 14: Active Fingerprinting using NMAP Tests (3/3)

– Example: the tests {Tseq, T1, T2, T3, PU} separate every implementation in the Router category
– * means there is no exact fingerprinting set

Page 15: Passive Fingerprinting (1/2)

– The TCP Behavior Inference Tool (TBIT) is used to generate specific traffic
– Observe the inputs and outputs in the trace and make each candidate follow the corresponding transitions; if a candidate cannot take a transition, that candidate cannot have generated the trace

Page 16: Passive Fingerprinting (2/2)

– Legend: NF: NoFR (no fast retransmit), T: Tahoe, R: Reno, NR: NewReno
– After the duplicate acknowledgement ACK [12] has been sent four times, we see a fast retransmission without a timeout
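The formal model of pages 6-7, the separation and fingerprinting-set definitions of page 9, the partition-refinement sketch of Algorithm 2 on page 11 and the passive trace check of pages 15-16 can all be exercised on one toy candidate group. The Python below is an added example written for this transcript, not code from the paper or the talk: the PEFSM class, the tcp_variant machines (a heavily simplified, constructed stand-in for the TCP senders on the slides, not the paper's Fig. 2 model), the concrete probe alphabet and the observed trace are all assumptions made here, and the breadth-first search over input sequences stands in for the paper's Algorithm 1.

```python
from itertools import combinations, product

class PEFSM:
    """Simplified M = <S, s_init, I, O, X, T>: a transition (s, i, P, s_next, o, A)
    fires in state s on input symbol i with parameter p when P(x, p) holds, emits
    o(x, p) and then applies A(x, p) to the variables x. Constructed example."""

    def __init__(self, s_init, x_init, transitions):
        self.s_init, self.x_init, self.transitions = s_init, dict(x_init), transitions

    def step(self, state, x, sym, p):
        """Fire the first enabled transition; return (next_state, output) or None."""
        for s, i, pred, s_next, out, act in self.transitions:
            if s == state and i == sym and pred(x, p):
                o = out(x, p)
                act(x, p)
                return s_next, o
        return None

    def run(self, seq):
        """Outputs for a sequence of (symbol, parameter) pairs; None = silent step."""
        state, x, outputs = self.s_init, dict(self.x_init), []
        for sym, p in seq:
            r = self.step(state, x, sym, p)
            state, o = r if r else (state, None)
            outputs.append(o)
        return outputs

def find_separating_sequence(m_i, m_j, alphabet, max_len):
    """Stand-in for Algorithm 1: enumerate input sequences over a concrete alphabet,
    shortest first, until one makes m_i and m_j answer differently."""
    for n in range(1, max_len + 1):
        for seq in product(alphabet, repeat=n):
            if m_i.run(seq) != m_j.run(seq):
                return list(seq)
    return None

def fingerprint_set(candidates, alphabet, max_len=5):
    """Algorithm 2 as sketched on the Active Fingerprinting slide: take a block with
    two or more candidates, find a sequence separating two of them, refine every
    block by the outputs it yields, repeat until all blocks are singletons. A block
    that no sequence of length <= max_len splits is left as is (no exact set)."""
    partition, chosen, stuck = [list(candidates)], [], []
    while True:
        block = next((b for b in partition if len(b) > 1 and b not in stuck), None)
        if block is None:
            return chosen, partition
        seq = next((s for s in (find_separating_sequence(candidates[a], candidates[b], alphabet, max_len)
                                for a, b in combinations(block, 2)) if s), None)
        if seq is None:
            stuck.append(block)
            continue
        chosen.append(seq)
        groups = {}  # (block index, output sequence) -> members: refines every block
        for k, b in enumerate(partition):
            for name in b:
                groups.setdefault((k, tuple(candidates[name].run(seq))), []).append(name)
        partition = list(groups.values())

def can_generate_trace(m, trace):
    """Passive check (Passive Fingerprinting slides): replay an observed
    (input, parameter, output) trace; if at some step no transition yields the
    observed output, the candidate cannot have generated the trace."""
    state, x = m.s_init, dict(m.x_init)
    for sym, p, observed in trace:
        r = m.step(state, x, sym, p)
        if r is None or r[1] != observed:
            return False
        state = r[0]
    return True

def passive_candidates(candidates, trace):
    return [name for name, m in candidates.items() if can_generate_trace(m, trace)]

def tcp_variant(fast_rex, after_rex):
    """Constructed, heavily simplified TCP sender: cwnd grows by one per new ACK, a
    timeout retransmits and resets cwnd to 1, and with fast_rex the third duplicate
    ACK triggers a fast retransmission after which cwnd is reset to 1 ('ss',
    Tahoe-like) or halved ('half', Reno-like). Not the paper's Fig. 2 machine."""
    new = lambda x, p: p > x['last']
    dup = lambda x, p: p == x['last']
    third_dup = lambda x, p: p == x['last'] and x['dup'] == 2
    send = lambda x, p: ('send', x['cwnd'])
    out = lambda sym: (lambda x, p: (sym, None))
    on_new = lambda x, p: x.update(last=p, dup=0, cwnd=x['cwnd'] + 1)
    on_rex = lambda x, p: x.update(dup=0, cwnd=1 if after_rex == 'ss' else max(1, x['cwnd'] // 2))
    t = [('CA', 'ack', new, 'CA', send, on_new),
         ('CA', 'timeout', lambda x, p: True, 'REX', out('rex'), lambda x, p: x.update(dup=0, cwnd=1)),
         ('REX', 'ack', new, 'CA', send, on_new),
         ('CA', 'ack', dup, 'CA', out('nop'), lambda x, p: x.update(dup=x['dup'] + 1))]
    if fast_rex:  # must precede the plain duplicate-ACK transition
        t.insert(0, ('CA', 'ack', third_dup, 'CA', out('fast_rex'), on_rex))
    return PEFSM('CA', {'last': 0, 'dup': 0, 'cwnd': 4}, t)

ALPHABET = [('ack', 1), ('ack', 2), ('timeout', None)]  # constructed probe inputs
CANDIDATES = {'NoFR': tcp_variant(False, 'ss'), 'Tahoe': tcp_variant(True, 'ss'),
              'Reno': tcp_variant(True, 'half')}
# Constructed trace in the spirit of page 16: ACK 12 is seen four times, then a
# fast retransmission follows without any timeout.
TRACE = [('ack', 12, ('send', 4)), ('ack', 12, ('nop', None)),
         ('ack', 12, ('nop', None)), ('ack', 12, ('fast_rex', None))]
```

Calling fingerprint_set(CANDIDATES, ALPHABET) yields two test sequences, exactly the two-step refinement of page 11: four ACKs for the same number split NoFR from the fast-retransmit pair, and one more new ACK after that exposes the congestion-window difference between the Tahoe-like and Reno-like variants. passive_candidates(CANDIDATES, TRACE) keeps only the two fast-retransmit variants, and appending the next new ACK with the observed window narrows it to one; calling fingerprint_set on two identical machines returns an empty set and a block that is never split, which is the "*" situation of page 14.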

Page 17: Defending Against Malicious Fingerprinting (1/5)

– Scrubbing
– Camouflage
– One important principle: the modification should be transparent to all regular users

Page 18: Defending Against Malicious Fingerprinting (2/5)

– Scrubbing: when receiving I3, discard it
– The grey circle represents the common user set

Page 19: Defending Against Malicious Fingerprinting (3/5)

– Camouflage: when receiving I3, respond with O4 instead of O3
– The grey circle represents the union of all user sets
– Regular users expect the trace from any implementation

Page 20: Defending Against Malicious Fingerprinting (4/5)

– Neither scrubbing nor camouflage is effective here
– The grey circle represents the T1 user set
– Regular users expect the trace from the T1 implementation

Page 21: Defending Against Malicious Fingerprinting (5/5)

– Follow the maximum overlapping subset until there is only one implementation possible
– When receiving I3, respond with O3 because it is shared by M1 and M3
– The grey circle represents the union of all user sets
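Pages 17-21 compare scrubbing, camouflage and the maximum-overlap strategy under the transparency principle. The Python below is an added example, not code from the paper or the talk: it represents each implementation by a constructed table of probe responses (the names M1..M4, I1..I4 and O1..O7 are placeholders in the spirit of the slides, not the paper's figures), takes the set of inputs that regular users send as the transparency constraint, and lets a fingerprinter's consistency check judge what each defence achieves.

```python
from collections import Counter

# Constructed candidate group: the response of each implementation to each
# probe input (stand-in for the grey-circle figures on pages 18-21).
CANDIDATES = {
    'M1': {'I1': 'O1', 'I2': 'O2', 'I3': 'O3', 'I4': 'O4'},
    'M2': {'I1': 'O1', 'I2': 'O2', 'I3': 'O4', 'I4': 'O6'},
    'M3': {'I1': 'O1', 'I2': 'O2', 'I3': 'O3', 'I4': 'O6'},
    'M4': {'I1': 'O7', 'I2': 'O2', 'I3': 'O3', 'I4': 'O6'},
}
PROBES = ['I1', 'I2', 'I3', 'I4']

def classify(candidates, observed):
    """Fingerprinter's view: the candidates whose responses agree with every
    probe response observed from the target (None = no response was seen)."""
    return [name for name, table in candidates.items()
            if all(table.get(i) == o for i, o in observed.items())]

def transparent(original, modified, user_inputs):
    """Transparency principle (page 17): a regular user, who only ever sends
    inputs from user_inputs, must see exactly the original responses."""
    return all(modified.get(i) == original[i] for i in user_inputs)

def scrub(table, user_inputs):
    """Scrubbing (page 18): discard inputs that regular users never send."""
    return {i: (o if i in user_inputs else None) for i, o in table.items()}

def camouflage(table, user_inputs, decoy):
    """Camouflage (page 19): answer non-user inputs the way `decoy` would."""
    return {i: (o if i in user_inputs else decoy[i]) for i, o in table.items()}

def max_overlap_defense(candidates, target, user_inputs, probes):
    """Page 21: walk the probes while tracking the implementations still
    consistent with the responses given so far; on a non-user input answer with
    the response shared by the largest overlapping subset (ties keep the target's
    own answer when it is among the best), so that subset shrinks as slowly as
    possible. Returns the modified response table and the final subset."""
    own = candidates[target]
    possible, modified = list(candidates), {}
    for i in probes:
        if i in user_inputs:                       # transparency: never alter these
            o = own[i]
        else:
            counts = Counter(candidates[m][i] for m in possible)
            best = max(counts.values())
            o = own[i] if counts[own[i]] == best else next(x for x, c in counts.items() if c == best)
        modified[i] = o
        possible = [m for m in possible if candidates[m][i] == o]
    return modified, possible
```

With user inputs {I1, I2} the greedy defence changes only M2's answer to I3 (to O3, shared by M1 and M3, as on page 21) and leaves the target indistinguishable from M3 while staying transparent; scrubbing produces a response table that matches no candidate at all, and camouflaging as M1 makes the target look like M1. When every probe is in the user set, the page 20 situation, nothing may change and M2 is identified.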

Page 22: Conclusion

– Proposed a formal approach to fingerprinting
– Used PEFSM to model protocol implementations
– Proposed algorithms for active and passive fingerprinting

Page 23: Comments

– General and automated method
– A huge database (like the Nmap database) is needed
– How to construct the PEFSM?