Analyzing Operational Behavior of Stateful Protocol Implementations for Detecting Semantic Bugs

Network protocol implementations must comply with their specifications, which include properties describing the correct operational behavior of the protocol in response to different temporal orderings of network events. Because developers interpret specifications inconsistently, they can unknowingly introduce semantic bugs that cause an implementation to violate these properties. Detecting such bugs in stateful protocols is significantly harder because the implementation's behavior depends on its internal state machine and on complex interactions within the protocol logic. In this paper, we present an automated tool that helps developers analyze their protocol implementations and detect semantic bugs that violate the protocol's temporal properties. Given an implementation, our tool (1) extracts the implemented finite state machine (FSM) of the protocol from the source code by exploring the code symbolically and (2) determines, using an off-the-shelf model checker, whether the extracted FSM violates the given temporal properties. We demonstrate the efficacy of our tool by applying it to 6 protocol implementations. Checking these implementations against properties obtained from their publicly available specifications, we detected 11 semantic bugs, 2 of which have security implications.
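The following is an added illustration of step (2), checking an extracted FSM against temporal properties; it is not the paper's tool and does not perform the symbolic extraction of step (1). The FSM below stands in for that step's output: it is a constructed toy "handshake then data" protocol written by hand, with a constructed buggy variant that accepts application data before the handshake finishes and that enters a stuck state on a duplicate hello. The checker is a small explicit-state model checker: a safety property is expressed as an observer automaton and checked by breadth-first search over the product of the FSM and the observer, yielding the shortest violating event sequence as a counterexample, in the way SPIN or NuSMV report a never-claim violation; a second check reports reachable states from which the connection can never close. All state and event names are assumptions of this example.

```python
"""Explicit-state check of a protocol FSM against temporal properties.

Added illustration, not the paper's tool.  The FSM below stands in for the
output of step (1); it is a constructed toy handshake protocol written by
hand rather than extracted from source code.  The checker stands in for the
off-the-shelf model checker of step (2).
"""
from collections import deque
from typing import Callable, Dict, List, Optional, Set, Tuple

# (state, event) -> next state.  Events are received protocol messages.
Fsm = Dict[Tuple[str, str], str]

# Constructed specification: hello, key and finished must occur in that order
# before data is accepted; close is allowed from any open state.
SPEC_FSM: Fsm = {
    ("INIT", "hello"): "HELLO_SENT",
    ("HELLO_SENT", "key"): "KEY_EXCHANGED",
    ("KEY_EXCHANGED", "finished"): "ESTABLISHED",
    ("ESTABLISHED", "data"): "ESTABLISHED",
    ("INIT", "close"): "CLOSED",
    ("HELLO_SENT", "close"): "CLOSED",
    ("KEY_EXCHANGED", "close"): "CLOSED",
    ("ESTABLISHED", "close"): "CLOSED",
}

# Constructed buggy implementation: two semantic bugs relative to SPEC_FSM.
BUGGY_FSM: Fsm = dict(SPEC_FSM)
BUGGY_FSM[("KEY_EXCHANGED", "data")] = "KEY_EXCHANGED"  # data before finished
BUGGY_FSM[("HELLO_SENT", "hello")] = "STUCK"            # duplicate hello: no way out

Monitor = Callable[[int, str], int]
VIOLATED = -1


def no_data_before_finished(ms: int, event: str) -> int:
    """Observer automaton for the safety property
    'data is never accepted before finished'.
    0 = finished not yet seen, 1 = finished seen, VIOLATED = property broken."""
    if ms == 0 and event == "data":
        return VIOLATED
    if ms == 0 and event == "finished":
        return 1
    return ms


def check_safety(fsm: Fsm, initial: str, monitor: Monitor) -> Optional[List[str]]:
    """Breadth-first search over the product of the FSM and the monitor.
    Returns the shortest event sequence that drives the monitor to VIOLATED,
    or None when the property holds on every reachable path."""
    start = (initial, 0)
    parent: Dict[Tuple[str, int], Optional[Tuple[Tuple[str, int], str]]] = {start: None}
    queue = deque([start])
    while queue:
        state, ms = queue.popleft()
        for (src, event), dst in fsm.items():
            if src != state:
                continue
            nxt = (dst, monitor(ms, event))
            if nxt in parent:
                continue
            parent[nxt] = ((state, ms), event)
            if nxt[1] == VIOLATED:
                return _trace(parent, nxt)
            queue.append(nxt)
    return None


def _trace(parent, node) -> List[str]:
    """Walk parent pointers back to the initial product state."""
    events: List[str] = []
    while parent[node] is not None:
        node, event = parent[node]
        events.append(event)
    return events[::-1]


def reachable(fsm: Fsm, initial: str) -> Set[str]:
    seen, stack = {initial}, [initial]
    while stack:
        s = stack.pop()
        for (src, _), dst in fsm.items():
            if src == s and dst not in seen:
                seen.add(dst)
                stack.append(dst)
    return seen


def states_that_cannot_reach(fsm: Fsm, initial: str, target: str) -> List[str]:
    """Reachable states from which `target` is unreachable (CTL: AG EF target).
    An open connection that can never reach CLOSED is a stuck state."""
    can_reach = {target}
    changed = True
    while changed:  # backward fixpoint over the transition relation
        changed = False
        for (src, _), dst in fsm.items():
            if dst in can_reach and src not in can_reach:
                can_reach.add(src)
                changed = True
    return sorted(s for s in reachable(fsm, initial) if s not in can_reach)


if __name__ == "__main__":
    for name, fsm in (("spec", SPEC_FSM), ("buggy", BUGGY_FSM)):
        print(name, check_safety(fsm, "INIT", no_data_before_finished),
              states_that_cannot_reach(fsm, "INIT", "CLOSED"))
```

The observer-automaton encoding is what makes the safety check general: any property of the form "B never happens before A" or "never reach state S after event E" is a small monitor, and the product search is unchanged. Liveness properties proper (every hello is eventually answered) need cycle detection over a Büchi product, which this toy deliberately omits; the reachability-of-CLOSED check is the weaker CTL form that still catches stuck states.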
