34220112CHINESEJOURNALOFCOMPUTERSVol.34No.2Feb.2011:20100416;:20101215.(60573120).,,1975,,,.Email:lwm@hust.edu.cn.,,1978,,.,,1985,,.,,1951,,,,.李伟明张爱芳刘建财李之棠(430074),.(FuzzTesting),,.FuzzTesting,,.,FuzzTesting,FuzzTesting.,FuzzTesting.FTPTNSEMISQLPlus,,,,.;;TP393DOI:10.3724/SP.J.1016.2011.00242AnAutomaticNetworkProtocolFuzzTestingandVulnerabilityDiscoveringMethodLIWeiMingZHANGAiFangLIUJianCaiLIZhiTang(SchoolofComputerScience,HuazhongUniversityofScienceandTechnology,Wuhan430074)AbstractAlongwiththeincreasingcomplexityofthenetworkapplication,networkprotocolsecurityisnowbecomemoreandmoreimportant.FuzzTestingoftenisusedtodiscoverDoS,bufferoverflow,formatstringandotherkindsofseriousvulnerabilitiesofnetworkprotocols.ButmanuallyFuzzTestingisveryloweffectiveandneedadequatedetailinformationabouttheprotocols.ThepaperpresentsanautomaticvulnerabilitydiscoveringmethodwhichcombinesautomaticProtocolReverseEngineeringtechnologyandFuzzTesting.Themethodisafourstepsprogram,involvingpacketsclustering,multiplesequencesalignment,specialfieldsrecognitionandfuzzerproduction,whichfindthestructureofnetworkpacketsandpursueFuzzTesting.AftertestingFTP,TNS,EMandISQLPlusprotocols,theresultsshowthatthismethodismoreeffectiveandaccuratethanmanuallyanalysis.Themethodisoftheimportantapplicationvalueandcanimprovethesecurityofnetworkprotocols.Keywordsprotocolreverseengineering;fuzztesting;vulnerabilitydiscovering1..(closedprotocols),,MicroSoftSMBOracleTNSIPTV.,,.,(FuzzTesting),,,.2,;3;4,,NeedlemanWunsch;5;6Fuzzer,;7,;8.2,,:,NetworkTrace;,,TaintedData.NetworkTrace,2004MarshallBeddoeProtocolInformaticsproject!.DNA,,..,.(unweightedpairgroupmethodwitharithmeticmean),,,.,,,.,.,,.,LCS(LongestCommonSubsequence),.PI,.2005CorradoLeitaKenMermoudMarcDacierPIHoneyd,Honeyd[1].4:Message,,,.,,,,.CuiPaxsonRolePlayer[2].,,,(IPhostname)Cookie,.,,,.[3],HoneyFarmRolePlayer,GQ:,,,RolePlayer,,,.4,GQ66,,RolePlayerGQ.,,.,Discover[4],,,RolePlayer,Discover.2432:FuzzTesting!Networkprotocolanalysisusingbioinformaticsalgorithms.~awalters/PI/PI.html,2004TaintedData.,,Argos[5]TaintCheck[6].TaintedData,,,.Username,Username.Wondracek[7]:TaintedData,,.,,.CaballeroPolyglot[8].ComparettiProspex[9],().,,DFA,.TaintedData:;,.FuzzTesting.FuzzTesting.,,.FuzzTesting,,FuzzTesting.Miller[10]FuzzTestingUnix,40%,40%XWindows,FuzzTesting.Forrester[11]WindowsGUIFuzzTesting,,21%24%,FuzzTesting.FuzzTesting,SPIKE[12].SPIKEImmunitysecDaveAitel,.GodefroidPatriceFuzzTesting,Fuzz,[13].MP3TFTPFuzzTesting[1415].FuzzTesting,FuzzTesting,,FuzzTesing.,FuzzTesting.FuzzTesting,,NetworkTrace,.,,.,SPIKEFuzzTesting,.,..,,1.1.,,TcpdumpWireShark,.(3~4),PCAP,PCAP.,.:FuzzTesting.,,PCAP,.,,.ANSIIUnicode,.,24420111SPIKE,SPIKE.FaultMon,,;.,.,FuzzTesting,.3,,Session,SessionPCAP.,PCAP,,,.,PCAP,,.,,,..,∀A#,∀B#,∀A#∀B#.,∀A#∀A#,,(TypeSquence)..defclusterSequences(typeSquences)typeCompare=FalseforseqintypeSquencesdoforbyteinseqdoifbyteisnotprintabledotypeCompare=truebreakdonedonedoneiftypeComparedomodel=GetHighestFrequencyTypeModel(typeSquences)elsemodel=GetLongestCommonString(typeSquences)doneforseqintypeSquencesdoif!MatchModel(model,seq)dotypeSquences.remove(seq)donedone(longestcommonstring),.,,,,.43:2452:FuzzTesting[16].NeedlmanWunsch,3,CarrilloLipman,10.Hogeweg,FengTaylor,CLUSTALW.,,HiddenMarkovModelGibbs.,,,.,,.,,.41,...,(Gap),Gap,seqs={s1,s2,∃,sn},len,SP(seqs)=%leni=1SPCol(s1,i,s2,i,∃,sn,i),SPCol(c1,c2,∃,clen)=%i=leni=1%j=lenj=1,j!=iCmp(ci,cj),Cmp(c1,c2)=2,c1=c2&c1!=gap-1,c1!=c2&c1!=gap2,c1!=c2&(c1=gap|c2=gap)-2,c1=gap&c2=gap(1)(1)SumofPairs(SP),Gap,,.,Gap,,Gap..9,N,[17].(1)CrossOver.p1p2,p1ip2(N-i),.(2)Mutate.,,,.(3)LocalShuffle.,Gap.(4)BlockShuffle.,Gap.(5)InsertGap.,GapGap.(6)DeleteGap.,Gap,Gap.(7)Union.,,Gap,Gap.(8)Division.,,Gap,Gap.(9)CleanUpGapColumn.Gap,,Gap..,(12).,SP.,,.0.,,,.9.,,,,2462011,,.,,,.,.:.,,,..,6,4,,10,.1,2,.112000~10220010~2032000~10,10420010~20,1052000~10,10620010~20,102SPSP1793.346639.6446.511206.248839.4727.7250048020.8448.82962.745829.7666.33353.352084.6494.23816.751674.6770.24-64.737862.4381.84695.352858.6775.25570.952065.8508.451096.857300.78296212.638786.7389.86906.570889.5985.9,.,.,,SP.,,,.,,,..4.2NeedlemanWunsch,,,,,...3:(1);(2);(3).,NeedlemanWunsch.NeedlemanWunsch.NeedlemanWunsch,,.:(1),.(2),.:Mij=maxMi-1,j-1+SijMi,j-1+wMi-1,j+w(2),Mij,Sij(),w.,,,Sij2,Sij-1,w=-2.,NeedlemanWunsch,,.2,NeedlemanWunsch,Referer:=maxMi-1,j-1+Sij+(n-1)&bMi,j-1+wMi-1,j+w(3),n,b,2472:FuzzTesting2,,,2,,,.Referer:().,,..,,,defConstructTree(seqs)forseqinseqsdonode=newTreeNode(seq)nodeList.append(node)donewhile(len(nodeList)1)node1,node2=FindAndRemove2ShortestSeqs(nodeList)newNode=newTreeNode()newNode.seq,node1.gapList,node2.gapList=NeedlemanWunsch(node1.seq,node2.seq)newNode.left=node1newNode.right=node2nodeList.append(newNode)donereturnnodeList[0],NeedlemanWunsch,,Gap,Gap,,.:defSequenceResult(treeNode,resultSeqs)iftreeNode.gapList!=nulldoGapListStack.push(treeNode.gapList)SequenceResult(treeNode.left)Sequen