- [0] Protocol vulnerability mining is sometimes also called protocol reverse engineering. Both names are used in academic circles, but abroad it is generally called reverse engineering, and the author prefers the term protocol reverse engineering.
Abroad the term Protocol Reverse Engineering (PRE) is used, and some use Network Protocol Reverse Engineering (NPRE).
Domestically PRE is also used, and some use the term protocol vulnerability mining (protocol loophole mining).
There are two kinds of protocol reverse engineering: one is based on instruction code, the other on network traces. The former is also called instruction analysis, the latter message sequence analysis.
Corresponding to earlier work by some predecessors, the former is also known as software protocol vulnerability mining (or engineering-based software protocol vulnerability mining), and the latter is also called protocol field division or message-sequence-based analysis.
- [1] For social uses, protocol vulnerability mining leans toward instruction code analysis, that is, reverse analysis of the communication client through decompilation, breakpoint tracing and so on.
Because of the demand from social use, communication clients have to be shipped to customers; once a customer uses it, the client has effectively flowed out to the community, and since the community has many programmers, the natural idea is to analyse protocol vulnerabilities with instruction code analysis. Reverse engineering of clients, such as decompilation, is also a hot area of development, so it is natural to use similar techniques. However, this kind of reverse engineering technique is somewhat different from protocol reverse engineering itself.
- [2] For some purposes, protocol vulnerability mining leans toward message sequence analysis, that is, by sniffing the network or capturing packets, analysing the specification or field meanings of an unknown protocol.
Because in some usage scenarios the client cannot be reached, this is the only way available. On the surface this line of research looks very narrow. Actually I want to say that this research method is just as difficult as instruction code analysis and its applications are very wide, but some friends do not realise where those applications are.
- [3] Similarities between the two
The purpose of both is to parse private protocols, such as parsing the QQ protocol and the Skype protocol specification. These protocols do not publish the specification of their fields, so only reverse analysis is possible.
What the two have in common is like the Way of Heaven: what one has in excess fills what the other lacks. One cannot say which is strong and which is weak, only which is needed for which technical requirement and which is more needed in which scenario.
Some researchers use both methods to study private protocols.
- [4] Differences between the two
When the entity that produces the protocol (a client or a chip) cannot be reached, only message sequence analysis can be used.
For partial encryption and decryption problems, instruction code analysis is the easier path, but that does not mean message sequence analysis cannot decrypt.
Instruction code analysis leans toward computer processes or microcomputer theory, while message analysis leans toward data mining algorithm theory.
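As an added illustration of the message sequence analysis approach described in [2] and [4] (example code, not from the original post): given only captured messages of a hypothetical binary protocol (constructed here, with an assumed magic, type, length and sequence field), a pass over the aligned byte offsets classifies each as constant, length, counter or variable, which is the field division step the post refers to.

```python
# Added example (not from the original post): minimal message-sequence analysis
# that divides an unknown binary protocol into fields using only captured
# messages, without any client code to reverse engineer.

# Constructed samples of a hypothetical protocol (an assumption for this
# example): magic(2) | type(1) | length(1) | seq(2) | payload(length bytes).
def build(msg_type, seq, payload):
    return b"\xab\xcd" + bytes([msg_type, len(payload)]) + seq.to_bytes(2, "big") + payload

SAMPLES = [
    build(1, 1, b"hello"),
    build(1, 2, b"hi"),
    build(2, 3, b"ping"),
    build(1, 4, b"status?"),
    build(2, 5, b"pong"),
]

def infer_fields(msgs):
    """Label every byte offset present in all messages by how it varies."""
    scan = min(len(m) for m in msgs)
    layout = {}
    for off in range(scan):
        col = [m[off] for m in msgs]
        if len(set(col)) == 1:
            layout[off] = "constant"   # magic, version, fixed flags
        elif len({len(m) - m[off] for m in msgs}) == 1:
            layout[off] = "length"     # value plus a fixed header size equals total length
        elif all(a < b for a, b in zip(col, col[1:])):
            layout[off] = "counter"    # strictly increasing: sequence number or ID
        else:
            layout[off] = "variable"   # type codes, payload bytes, anything else
    return layout

def group_fields(layout):
    """Merge adjacent offsets with the same label into (start, end, label) fields."""
    fields = []
    for off in sorted(layout):
        label = layout[off]
        if fields and fields[-1][2] == label and fields[-1][1] == off - 1:
            fields[-1] = (fields[-1][0], off, label)
        else:
            fields.append((off, off, label))
    return fields

if __name__ == "__main__":
    for start, end, label in group_fields(infer_fields(SAMPLES)):
        print(f"bytes {start}-{end}: {label}")
```

With only five short samples the high byte of the sequence number is labelled constant; more captures resolve it, which is why this approach depends on the volume of traffic available.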
- [5] Written for the future
At present, domestic products from 360 are related to parsing wireless signals (signals can also be regarded as protocol messages), but they are based on known specifications and have not yet managed to analyse unknown specifications.
Take the Stuxnet virus as an example: looking at the relevant material, it contains a simple function for analysing an unknown protocol, and this function is integrated into a virus of small size, which perhaps marks that foreign protocol reverse engineering has reached a very high level.
The domestic understanding of protocol reverse engineering is neither very specific nor very comprehensive; it remains in a "tribal guerrilla" state, and as of 2013 has not yet reached a state of blossoming everywhere.
The so-called tribal guerrilla state means that decompilation and other reverse engineering techniques are relatively mature, but protocol vulnerability mining is still in its developing stage. At the same time, protocol reverse engineering is currently in a bottleneck period: no major theoretical breakthrough has been put forward, so domestic work stays with some of the existing reverse techniques. (In 2004, 2007, 2012 and other years, a number of predecessors both abroad and at home made some major breakthroughs, which made them Guru-level figures, but these fruits come only once every three or four years; they are truly wonderful ideas and methods.)
But I admire these people, because practice is the only criterion for testing truth; sometimes practice alone is better than talking theory, and this is indeed a kind of experience and lesson.
In 2014 a great deal of research appeared in academic circles, which quickly advanced research on protocol reverse analysis; objectively it made great breakthroughs and much theoretical understanding, and overall progress was still very rapid.
- [6] A blessing in disguise, or not; it is hard to know.
a) Before 2013 few people in the country studied this, which means results were few and any result was very valuable; the technology originally had great promotional value, but because few people studied it overall, marketing the technology always ran into the perception that it was of no use.
b) Suddenly many people in the country are studying this, which means the field is about to take off and such technology may flourish. However, this also means it will take many years to develop, while reverse engineering is currently at a bottleneck: analysis of application layer protocols is relatively mature, but analysis of the protocols of other network layers has its own technical difficulties, so I do not know how far it will develop. I cannot foresee the following scenes; I can only say that blossoming is a good thing that will keep this field alive, so that at least academia can occupy a place.
There have been Guru-level publications of tools; without their research and tools, the quest of subsequent juniors would not have been opened up.
I think the tools I write will surface one day and eventually see the light of day.
Not only is the technical theory of protocol reverse engineering developing slowly and with difficulty, but going from theory to engineering results will also produce various problems.
The author stood on the shoulders of the giants who came before to see the world, but the whole of 2013 was rather lonely, because peer research is really scarce, and reading the studies of predecessors alone is very difficult.
How to achieve the best of both worlds in academia and industry is a very difficult thing, not to mention that the academic community has not pushed the relevant work forward, being in a certain bottleneck period.
Read a Chan gatha: "I have a pearl, long locked away by the dust of toil; today the dust is gone and its light shines out, illuminating the ten thousand blossoms of mountains and rivers."
The research process of protocol reverse engineering is such an encounter.
May the clouds break one day; may the deep sea have dragons.
Original address: http://www.cnblogs.com/bitpeach/p/4479418.html
Some thoughts on protocol exploit mining or protocol reverse engineering