Monday, December 29, 2008

Automated Protocol Format Recovery and Automated Protocol Control Flow Recovery

Some recent (2008) research results on "Automatic Protocol Format Reverse Engineering through Context-Aware Monitored Execution" and "Automatic Network Protocol Analysis" both look like some promising extensions of the work done for Microsoft Discoverer and (apparently defunct) Protocol Informatics approaches for protocol format recognition. A circa 2007 paper titled "Polyglot: Automatic Extraction of Protocol Message Format Using Dynamic Binary Analysis" also describes an approach to protocol recovery. Interesting to me because I did some work on automated recovery of control flows (see).

Might be interesting to combine the two (automated format recovery and automated control flow recovery). Unfortunately, it appears that the approach used in Microsoft Discoverer are going to be patented.

An overarching approach is what I call Dynamic Protocol Reverse Engineering (DPRE). This idea is derived from protocol conformance checking. I'd like to end up with an automated/semi-automated processing pipeline. An overview of a DPRE Framework is depicted here:
Conceptual DPRE Framework


Above, we have some of the ground work built for for automated model recovery. First we collect a "pile-of-packets" for the protocol implementation under inspection. Process the packets to recover an implementation model. Next the recovered models could be processed by automated verification tools to check their performance characteristics. A list of several formal verification methods and tools is located here. After model generation and model verification we could perform vulnerability assessment and generation of targeted effects (i.e. exploits). Finally, the targeted effects could be used to test a protocol implementation in a hostile environment.

Monday, November 17, 2008

Network Reconissance/Forensics Tools

A few network reconnaissance/forensic tools:

  • NetworkMiner a Network Forensic Analysis Tool (NFAT) for Windows. Good for recon'ing a pcap file to see what is in there.
  • LAN Crawler a crawler and indexer of public network files shared via SMB shares.
  • Etherwatch monitors Ethernet traffic, looking for images, and Google™ search terms, and displays these on screen in a mosaic format.

Saturday, September 13, 2008

Burn a CD ISO to a DVD

Downloaded a CD sized ISO image on a Windows XP box and only had blank DVD-R around. I didn't want to use an ISO mount tool and my installed version of Nero Express wouldn't burn the image to a DVD-R

I'm sure there are many ways to do this but InfraRecorder worked for me.

Friday, July 25, 2008

Grammatical Inference

Grammatical inference or Grammar Induction focuses on learning formal language rules from a series of observations of samples from the language under consideration.

If you are interested in learning some grammatical inference basics the video links below are well worth a look.



Grammatical Inference: a Tutorial


Colin de la Higuera

Also, there are several articles available through citeseer. Search on grammar inference or grammatical inference.


Finally, Amazon has several Grammatical Inference conference proceedings.

Monday, June 30, 2008

Protocol Reverse Engineering

Some reverse engineering ideas/resources are located here.

Another attempt at protocol reverse engineering to BNF is online at Rent A Coder.

A recent attempt at classifying encrypted traffic in SSH tunnels here.

Saturday, February 9, 2008

How to specify the default installation prefix in configure.in/configure.ac?

Add the AC_PREFIX_DEFAULT(/usr/local) macro in configure.in/configure.ac. Where you replace /usr/local with the prefix you want to use.

See (here) for details.

Tuesday, January 1, 2008

Augmented BNF (ABNF)

While looking for Augmented BNF (ABNF) source for some of the common Internet protocols I came ac cross a perl script by Bill Fenner to extract ABNF from RFCs (here).

I used it to generate ABNF for RFC4234, RFC2821, and RFC2822 to use with APG an ABNF Parser Generator.