Automatic Protocol Reverse Engineering

Presented at Black Hat USA 2022, Aug. 10, 2022, 10:20 a.m. (40 minutes)

Protocol reverse engineering is the process of extracting the specification of a network protocol from the binary code that implements it. Extracting a protocol specification is useful in several security-related contexts, such as finding implementation bugs, determining conformance to a standard, or discovering a botnet's command and control (C&C) protocol.

Manual reverse engineering of a protocol can be time-consuming. We present a tool that automatically reverse engineers a protocol directly from the binary. Namely, given a binary sample, the tool automatically extracts the protocol specification, including message formats and the protocol state machine. The tool leverages symbolic execution and automata learning algorithms.

This is the first tool that extracts a protocol's specification without relying on captures of the protocol's traffic, with no prior knowledge of message formats, and without assuming there is an active remote protocol peer (such as a C&C server).

This is joint work with Prof. Orna Grumberg from the Technion.

Presenters:

  • Ron Marcovich - MSc Student, Technion
    Ron Marcovich is an MSc student at the Technion with experience in security research. Ron is also a past Black Hat USA speaker.
  • Gabi Nakibly - Distinguished Researcher, Radware
    Gabi Nakibly has 20 years of experience in network security research. Gabi is currently a distinguished researcher at Radware and a senior lecturer at the Technion. Gabi has a track record of heading teams to world-class achievements in the fields of networking and security and is also a speaker at top industry and academic conferences. Prior to Radware, Gabi was the CTO of a multi-disciplinary national lab in Israel and a Visiting Scholar at Stanford University.
