
Research On Protocol Reverse Parsing Based On Dynamic Binary Analysis Platform

Posted on: 2011-11-29
Degree: Master
Type: Thesis
Country: China
Candidate: Y J He
Full Text: PDF
GTID: 2178330332478401
Subject: Computer Science and Technology
Abstract/Summary:
Protocol reverse parsing has important application value in many fields, such as protocol security analysis, vulnerability discovery in network applications and intrusion detection, so further research on it is of great significance.

This thesis first introduces the concept, application fields and research status of protocol reverse parsing and analyzes the shortcomings of existing work. It then implements a protocol reverse parsing approach based on a dynamic binary analysis platform. The main idea is to run the network application under the dynamic binary analysis platform, instrument the target program dynamically through the platform's extension interface, and extract the main formats of the protocol messages by analyzing the execution traces recorded while the application processes the received protocol data. To this end, the following techniques were designed and implemented.

First, a taint-source auto-identification technique is presented: by monitoring calls to the program's network APIs, the received protocol data is located dynamically and tagged as the taint source. Second, a trace-tracking technique based on dynamic program instrumentation is proposed to obtain the real-time processing trace of the protocol data, and the ETW (Event Tracing for Windows) mechanism is used to store the trace information efficiently. Third, a dynamic taint analysis technique based on DynamoRIO is designed and implemented to distill the processing details of the protocol data from the recorded trace and to generate its taint propagation tree. Finally, the designed parsing strategies for protocol fields are applied to the obtained processing details to recover the main protocol fields, such as separators, keywords, length fields and target fields.

A prototype system for protocol reverse parsing, named UNPRE, was designed and implemented on DynamoRIO, and test results for both a text protocol and a binary protocol are presented. Comparing these results with the output of Wireshark confirms the correctness of the protocol formats parsed by UNPRE and shows that many of the main protocol fields can be parsed correctly with UNPRE.
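The pipeline described above (tag received bytes as the taint source, log how the handler consumes them, then apply per-field parsing strategies to the log), as an added illustration that is not code from the thesis or from UNPRE: a small Python model in which every received byte carries its message offset as a taint label, a stand-in tracker records comparisons of tainted bytes against constants and copies whose byte count is tainted, and an inference step turns that log into separators, keywords and length/target fields. The tracker, the two hypothetical handlers and both sample messages are constructed for this example; the real system instruments a native program under DynamoRIO and stores the trace through ETW instead of a Python list.

```python
"""Toy model of protocol field inference from a taint-propagation log.

Constructed for illustration: a stand-in for the DynamoRIO/ETW pipeline the
thesis describes, not its code. The handlers and messages are made up.
"""
from dataclasses import dataclass
from typing import Callable, Dict, List, Tuple


@dataclass(frozen=True)
class TByte:
    """One received byte plus its taint label (its offset in the message)."""
    value: int
    label: int


@dataclass(frozen=True)
class TInt:
    """An integer assembled from tainted bytes; keeps the labels it came from."""
    value: int
    labels: Tuple[int, ...]


class Tracker:
    """Stand-in for the taint engine: records how tainted bytes are consumed."""

    def __init__(self) -> None:
        self.cmps: List[Tuple[int, int, bool]] = []           # (offset, constant, matched)
        self.lengths: List[Tuple[List[int], List[int]]] = []  # (length offsets, target offsets)

    def recv(self, data: bytes) -> List[TByte]:
        # Taint source: the buffer handed back by the network API, one label per offset.
        return [TByte(b, i) for i, b in enumerate(data)]

    def cmp(self, tb: TByte, const: int) -> bool:
        # A compare with one tainted operand and one constant operand.
        matched = tb.value == const
        self.cmps.append((tb.label, const, matched))
        return matched

    def int_be(self, tbs: List[TByte]) -> TInt:
        value = 0
        for tb in tbs:
            value = (value << 8) | tb.value
        return TInt(value, tuple(tb.label for tb in tbs))

    def copy(self, msg: List[TByte], start: int, n: TInt) -> List[TByte]:
        # A copy whose byte count is tainted: n is a length field, the copied bytes its target.
        target = msg[start:start + n.value]
        self.lengths.append((list(n.labels), [tb.label for tb in target]))
        return target


def parse_binary(tr: Tracker, msg: List[TByte]) -> bytes:
    """Hypothetical handler for [type=0x01][len: 2 bytes big-endian][payload][0xFF]."""
    if not tr.cmp(msg[0], 0x01):
        raise ValueError("bad type")
    n = tr.int_be(msg[1:3])
    payload = tr.copy(msg, 3, n)
    if not tr.cmp(msg[3 + n.value], 0xFF):
        raise ValueError("bad trailer")
    return bytes(tb.value for tb in payload)


def parse_text(tr: Tracker, msg: List[TByte]) -> bytes:
    """Hypothetical handler for 'GET<SP><path><LF>'."""
    for i, k in enumerate(b"GET"):
        if not tr.cmp(msg[i], k):
            raise ValueError("bad method")
    i = 0
    while not tr.cmp(msg[i], 0x20):   # strchr-style scan for the separator
        i += 1
    start = i + 1
    i = start
    while not tr.cmp(msg[i], 0x0A):   # scan for the end-of-line delimiter
        i += 1
    return bytes(tb.value for tb in msg[start:i])


def infer_fields(tr: Tracker) -> Dict[str, list]:
    """Parsing strategies applied to the log: separators, keywords, length/target fields."""
    by_const: Dict[int, Tuple[set, set]] = {}
    for off, const, matched in tr.cmps:
        hit, miss = by_const.setdefault(const, (set(), set()))
        (hit if matched else miss).add(off)
    separators: List[Tuple[int, int]] = []
    kw_bytes: Dict[int, int] = {}
    for const, (hit, miss) in by_const.items():
        if miss:        # compared against a run of offsets until it matched: a delimiter
            separators += [(o, const) for o in hit]
        else:           # only ever compared where it matched: a fixed keyword byte
            for o in hit:
                kw_bytes[o] = const
    keywords: List[Tuple[int, bytes]] = []
    for off in sorted(kw_bytes):   # merge adjacent keyword bytes into one keyword
        if keywords and keywords[-1][0] + len(keywords[-1][1]) == off:
            keywords[-1] = (keywords[-1][0], keywords[-1][1] + bytes([kw_bytes[off]]))
        else:
            keywords.append((off, bytes([kw_bytes[off]])))
    return {"keywords": keywords, "separators": sorted(separators),
            "length_fields": list(tr.lengths)}


def analyze(handler: Callable[[Tracker, List[TByte]], bytes], data: bytes):
    """Run one constructed message through a handler under the tracker and infer its format."""
    tr = Tracker()
    result = handler(tr, tr.recv(data))
    return result, infer_fields(tr)


if __name__ == "__main__":
    for handler, data in ((parse_binary, b"\x01\x00\x05hello\xff"),
                          (parse_text, b"GET /index.html\n")):
        result, fields = analyze(handler, data)
        print(handler.__name__, result, fields)
```

The classification rule is the one a practitioner would start from and is deliberately simple: a constant that was compared against several offsets before matching is treated as a delimiter, a constant only ever compared where it matched as a keyword byte, and any copy or loop bound derived from tainted bytes as a length field whose copied bytes are the target field. On a real trace the same strategies have to cope with compares introduced by the compiler, with length fields that are transformed arithmetically before use, and with fields checked by table lookups rather than direct compares, which is where the taint propagation tree in the thesis earns its keep.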
Keywords/Search Tags:DynamoRIO, Protocol Reverse Parsing, Executing Trace, Dynamic Taint Analysis, Parsing Strategies