The Closer You Look, The More You Learn: A Grey-box Approach to Protocol State Machine Learning

Chris McMahon Stone; Sam L. Thomas; Mathy Vanhoef; James Henderson; Nicolas Bailluet; Tom Chothia

doi:10.1145/3548606.3559365

The Closer You Look, The More You Learn: A Grey-box Approach to Protocol State Machine Learning

Chris McMahon Stone, Sam L. Thomas, Mathy Vanhoef, James Henderson, Nicolas Bailluet, Tom Chothia

Computer Science

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution

57 Downloads (Pure)

Abstract

We propose a new approach to infer state machine models from protocol implementations. Our new tool, StateInspector, learns protocol states by using novel program analyses to combine observations of run-time memory and I/O. It requires no access to source code and only lightweight execution monitoring of the implementation under test. We demonstrate and evaluate StateInspector's effectiveness on numerous TLS and WPA/2 implementations. In the process, we show StateInspector enables deeper state discovery, increased learning efficiency, and more insight compared to existing approaches. Our method led us to discover several concerning deviations from the standards and vulnerabilities in IWD and WolfSSL, both of which were assigned CVEs.

Original language	English
Title of host publication	CCS '22
Subtitle of host publication	Proceedings of the 2022 ACM SIGSAC Conference on Computer and Communications Security
Place of Publication	New York
Publisher	Association for Computing Machinery
Pages	2265-2278
Number of pages	14
ISBN (Print)	9781450394505
DOIs	https://doi.org/10.1145/3548606.3559365
Publication status	Published - 7 Nov 2022
Event	28th ACM SIGSAC Conference on Computer and Communications Security, CCS 2022 - Los Angeles, United States Duration: 7 Nov 2022 → 11 Nov 2022

Publication series

Name	Proceedings of the ACM Conference on Computer and Communications Security
ISSN (Print)	1543-7221

Conference

Conference	28th ACM SIGSAC Conference on Computer and Communications Security, CCS 2022
Country/Territory	United States
City	Los Angeles
Period	7/11/22 → 11/11/22

Bibliographical note

Funding Information:
This research is partially funded by the Engineering and Physical Sciences Research Council (EPSRC) under grants EP/R012598/1, EP/R008000/1, and EP/V000454/1, the Research Fund KU Leuven, and by the Flemish Research Programme Cybersecurity.

Publisher Copyright:
© 2022 ACM.

Keywords

protocol security
reverse engineering
state machine learning

ASJC Scopus subject areas

Software
Computer Networks and Communications

Access to Document

10.1145/3548606.3559365

StoneC2022CloserAccepted author manuscript, 1.13 MBLicence: Creative Commons: Attribution (CC BY)

Cite this

McMahon Stone, C., Thomas, S. L., Vanhoef, M., Henderson, J., Bailluet, N., & Chothia, T. (2022). The Closer You Look, The More You Learn: A Grey-box Approach to Protocol State Machine Learning. In CCS '22: Proceedings of the 2022 ACM SIGSAC Conference on Computer and Communications Security (pp. 2265-2278). (Proceedings of the ACM Conference on Computer and Communications Security). Association for Computing Machinery . https://doi.org/10.1145/3548606.3559365

McMahon Stone, Chris ; Thomas, Sam L. ; Vanhoef, Mathy et al. / The Closer You Look, The More You Learn : A Grey-box Approach to Protocol State Machine Learning. CCS '22: Proceedings of the 2022 ACM SIGSAC Conference on Computer and Communications Security. New York : Association for Computing Machinery , 2022. pp. 2265-2278 (Proceedings of the ACM Conference on Computer and Communications Security).

@inproceedings{26db203598514ed3b66cc8479f4d776c,

title = "The Closer You Look, The More You Learn: A Grey-box Approach to Protocol State Machine Learning",

abstract = "We propose a new approach to infer state machine models from protocol implementations. Our new tool, StateInspector, learns protocol states by using novel program analyses to combine observations of run-time memory and I/O. It requires no access to source code and only lightweight execution monitoring of the implementation under test. We demonstrate and evaluate StateInspector's effectiveness on numerous TLS and WPA/2 implementations. In the process, we show StateInspector enables deeper state discovery, increased learning efficiency, and more insight compared to existing approaches. Our method led us to discover several concerning deviations from the standards and vulnerabilities in IWD and WolfSSL, both of which were assigned CVEs.",

keywords = "protocol security, reverse engineering, state machine learning",

author = "{McMahon Stone}, Chris and Thomas, {Sam L.} and Mathy Vanhoef and James Henderson and Nicolas Bailluet and Tom Chothia",

note = "Funding Information: This research is partially funded by the Engineering and Physical Sciences Research Council (EPSRC) under grants EP/R012598/1, EP/R008000/1, and EP/V000454/1, the Research Fund KU Leuven, and by the Flemish Research Programme Cybersecurity. Publisher Copyright: {\textcopyright} 2022 ACM.; 28th ACM SIGSAC Conference on Computer and Communications Security, CCS 2022 ; Conference date: 07-11-2022 Through 11-11-2022",

year = "2022",

month = nov,

day = "7",

doi = "10.1145/3548606.3559365",

language = "English",

isbn = "9781450394505",

series = "Proceedings of the ACM Conference on Computer and Communications Security",

publisher = "Association for Computing Machinery ",

pages = "2265--2278",

booktitle = "CCS '22",

}

McMahon Stone, C, Thomas, SL, Vanhoef, M, Henderson, J, Bailluet, N & Chothia, T 2022, The Closer You Look, The More You Learn: A Grey-box Approach to Protocol State Machine Learning. in CCS '22: Proceedings of the 2022 ACM SIGSAC Conference on Computer and Communications Security. Proceedings of the ACM Conference on Computer and Communications Security, Association for Computing Machinery , New York, pp. 2265-2278, 28th ACM SIGSAC Conference on Computer and Communications Security, CCS 2022, Los Angeles, United States, 7/11/22. https://doi.org/10.1145/3548606.3559365

The Closer You Look, The More You Learn: A Grey-box Approach to Protocol State Machine Learning. / McMahon Stone, Chris; Thomas, Sam L.; Vanhoef, Mathy et al.
CCS '22: Proceedings of the 2022 ACM SIGSAC Conference on Computer and Communications Security. New York: Association for Computing Machinery , 2022. p. 2265-2278 (Proceedings of the ACM Conference on Computer and Communications Security).

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution

TY - GEN

T1 - The Closer You Look, The More You Learn

T2 - 28th ACM SIGSAC Conference on Computer and Communications Security, CCS 2022

AU - McMahon Stone, Chris

AU - Thomas, Sam L.

AU - Vanhoef, Mathy

AU - Henderson, James

AU - Bailluet, Nicolas

AU - Chothia, Tom

N1 - Funding Information: This research is partially funded by the Engineering and Physical Sciences Research Council (EPSRC) under grants EP/R012598/1, EP/R008000/1, and EP/V000454/1, the Research Fund KU Leuven, and by the Flemish Research Programme Cybersecurity. Publisher Copyright: © 2022 ACM.

PY - 2022/11/7

Y1 - 2022/11/7

N2 - We propose a new approach to infer state machine models from protocol implementations. Our new tool, StateInspector, learns protocol states by using novel program analyses to combine observations of run-time memory and I/O. It requires no access to source code and only lightweight execution monitoring of the implementation under test. We demonstrate and evaluate StateInspector's effectiveness on numerous TLS and WPA/2 implementations. In the process, we show StateInspector enables deeper state discovery, increased learning efficiency, and more insight compared to existing approaches. Our method led us to discover several concerning deviations from the standards and vulnerabilities in IWD and WolfSSL, both of which were assigned CVEs.

AB - We propose a new approach to infer state machine models from protocol implementations. Our new tool, StateInspector, learns protocol states by using novel program analyses to combine observations of run-time memory and I/O. It requires no access to source code and only lightweight execution monitoring of the implementation under test. We demonstrate and evaluate StateInspector's effectiveness on numerous TLS and WPA/2 implementations. In the process, we show StateInspector enables deeper state discovery, increased learning efficiency, and more insight compared to existing approaches. Our method led us to discover several concerning deviations from the standards and vulnerabilities in IWD and WolfSSL, both of which were assigned CVEs.

KW - protocol security

KW - reverse engineering

KW - state machine learning

UR - http://www.scopus.com/inward/record.url?scp=85143086888&partnerID=8YFLogxK

U2 - 10.1145/3548606.3559365

DO - 10.1145/3548606.3559365

M3 - Conference contribution

AN - SCOPUS:85143086888

SN - 9781450394505

T3 - Proceedings of the ACM Conference on Computer and Communications Security

SP - 2265

EP - 2278

BT - CCS '22

PB - Association for Computing Machinery

CY - New York

Y2 - 7 November 2022 through 11 November 2022

ER -

McMahon Stone C, Thomas SL, Vanhoef M, Henderson J, Bailluet N, Chothia T. The Closer You Look, The More You Learn: A Grey-box Approach to Protocol State Machine Learning. In CCS '22: Proceedings of the 2022 ACM SIGSAC Conference on Computer and Communications Security. New York: Association for Computing Machinery . 2022. p. 2265-2278. (Proceedings of the ACM Conference on Computer and Communications Security). doi: 10.1145/3548606.3559365

The Closer You Look, The More You Learn: A Grey-box Approach to Protocol State Machine Learning

Abstract

Publication series

Conference

Bibliographical note

Keywords

ASJC Scopus subject areas

Access to Document

Fingerprint

Cite this