protocol independent adaptive replay of application dialog
Download
Skip this Video
Download Presentation
Protocol-Independent Adaptive Replay of Application Dialog

Loading in 2 Seconds...

play fullscreen
1 / 18

Protocol-Independent Adaptive Replay of Application Dialog - PowerPoint PPT Presentation


  • 102 Views
  • Uploaded on

Protocol-Independent Adaptive Replay of Application Dialog. Authors: Vern Paxson, Nicholas C. Weaver, Randy H. Katz Published At: 13th Annual Network and Distributed System Security Symposium, Feb 2006 Presented By: Anvita Priyam. Overview. Intent of the Paper

loader
I am the owner, or an agent authorized to act on behalf of the owner, of the copyrighted work described.
capcha
Download Presentation

PowerPoint Slideshow about ' Protocol-Independent Adaptive Replay of Application Dialog' - lynna


An Image/Link below is provided (as is) to download presentation

Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author.While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server.


- - - - - - - - - - - - - - - - - - - - - - - - - - E N D - - - - - - - - - - - - - - - - - - - - - - - - - -
Presentation Transcript
protocol independent adaptive replay of application dialog

Protocol-Independent Adaptive Replay of Application Dialog

Authors: Vern Paxson, Nicholas C. Weaver, Randy H. Katz

Published At: 13th Annual Network and Distributed System Security Symposium, Feb 2006

Presented By: Anvita Priyam

overview
Overview
  • Intent of the Paper
  • RolePlayer, Its properties and goals
  • Mechanism
  • Evaluation
  • Weaknesses
  • Suggestions for improvement
application dialog
Application Dialog
  • Refers to recorded instance of an application session
  • Two main entities

> Initiator- host that starts a session

> Responder- The entity which the initiator contacts

why do we need replay
Why do we need Replay??
  • Different attacks exploiting the same vulnerability often conduct same application dialog.
  • When developing new security mechanism repeat attacks to evaluate the system’s response.
roleplayer
RolePlayer
  • A system which mimics both client and server sides of the session.
  • It uses examples of an application session
key properties
Key Properties
  • Operates in application-independent fashion
  • Does not require specifics of the application that it mimics
  • Uses byte-stream alignment algorithms
  • Heuristically determines and adjusts IP addresses, ports, cookies and length fields
goals
Goals
  • Protocol Independence

> so that it works transparently

  • Minimal training

> uses only a small number of examples

  • Automation

> correct operation without manual intervention

basic idea
Basic Idea
  • Locates the dynamic fields in an application data unit (ADU)
  • Adjusts them as necessary before sending the ADUs
types of dynamic fields
Types of Dynamic Fields
  • Endpoint-address: hostnames, IP addresses, port numbers
  • Length: length of ADU/subsequent dynamic field
  • Cookie: session specific opaque data e.g. transaction id
  • Argument: domain name, destination directory
  • Don’t care: opaque fields appearing in only one side of the dialog
work of roleplayer
Work of RolePlayer
  • Preparation

> first searches for end-point addresses & argument fields

> then for length fields and cookie fields

  • Replay

> first searches for new values of dynamic fields

> then updates them with new values

spd cont d
SPD cont’d

Requests have seven fields:

  • LEN-0: holds length of message
  • TYPE: message type (1->request, 2->response)
  • SID: session identifier (server echoes in response)
  • LEN-1: Length of HOSTNAME
  • LEN-2: Length of SERVICE

Responses have five:

  • LEN-0, TYPE & SID are same
  • LEN-1: Length of IP-port field
replay stage
Replay Stage

NO

Yes

SEND RECEIVE

NO

NO

YES

YES

Start Replay

Next Packet?

Finish Replay

Send or Rcv?

Rcv Packet

First Packet?

Send Packet

Last Packet?

Update Dynamic

Fields in ADU

Find Dynamic

Fields in ADU

test environment
Test Environment
  • Isolated testbed, set of nodes running on VMWare Workstation
  • Both Windows XP Professional, Fedora Core 3 images were used
  • RolePlayer ran in the Linux host system
weaknesses
Weaknesses
  • Its coverage is not universal
  • Can not accommodate protocols with time-dependent states
  • Protocols using cryptographic authentication/encrypted traffic are out of league
  • Adversary can detect its presence through the unchanged dynamic fields
  • It can be detected due to inconsistency b/w OS of application & RolePlayer.
suggestions
Suggestions
  • Randomize certain dynamic fields
  • Manipulate packet headers to match expected operating OS.
  • Identify & test additional, complex application protocols.
ad