“Non-intrusive” Testing Techniques for Communication...

1/68

INTRODUCTION STATIC CODE ANALYSIS NETWORK TRACE ANALYSIS CONCLUSION

“Non-intrusive” Testing Techniques forCommunication Protocols

12th TAROT Summer School, Paris, France

Jorge Lopez<jorge.lopez[at]telecom-sudparis.eu>

Telecom SudParis / Universite Paris-Saclay

July 8th, 2016

2/68


OUTLINE

MOTIVATION AND INTRODUCTION

STATIC CODE ANALYSIS

NETWORK TRACE ANALYSIS

FUTURE WORK / CONCLUSIONS

3/68


ACKNOWLEDGMENT. . .

The results presented in this talk were obtained along withdifferent co-authors. Therefore, a special thank note isdedicated to those who directly contributed in this talk, theyare:

I Ana CavalliI Natalia KushikI Stephane MaagI Gerardo MoralesI Nina Yevtushenko

Спасибо! ¡Gracias! Merci !

I would also like to thank all the speakers of TAROT, includingstudents. Your presentations were fantastic and will enrich thispresentation.

4/68


MOTIVATION

I The widespread adoption of applications using networks(i.e., communication protocols)

I A second life (for some, their life)I Critical Operations + Sensitive InformationI Tell me the last application you used which does not

interact over the network?

ImportantTesting is crucial for such systems (or applications)!

4/68


MOTIVATION


I A second life (for some, their life)

I Critical Operations + Sensitive InformationI Tell me the last application you used which does not



4/68


MOTIVATION


I A second life (for some, their life)I Critical Operations + Sensitive Information

I Tell me the last application you used which does notinteract over the network?


4/68


MOTIVATION





4/68


MOTIVATION





5/68


“NON-INTRUSIVE” TESTING OF COMMUNICATION

SYSTEMS

Testing of communication systems

I Active testing feels like an intuitive method for testingsoftware and systems

I Sometimes you can’t interfere the system!

Reasons not to interfere the system?

I The data on the system are susceptible towards theexecution of tests

I Certain functionality is not available if “real” data are notprocessed

I Even if a system can be interrupted, we might want to testthe “real” service / application / data

5/68



SYSTEMS








5/68



SYSTEMS








5/68



SYSTEMS








5/68



SYSTEMS








5/68



SYSTEMS








5/68



SYSTEMS








6/68


METHODS FOR NON-INTRUSIVE TESTING

We focus on two of them. . .

I Static (code) analysis

I A “white-box’ approachI We assume we do not disrupt the implementation, we have

an access to its source codeI Analyzing its code, we test the implementation

I Passive network trace analysis

I A “black-box’ approachI We assume we do not disrupt the implementation, we have

an access to the “messages” being exchanged by theimplementation

I The “source” where the messages are taken is called a Pointof Observation (P.O.)

Let’s take a look at each of them. . . “on y va”

6/68



We focus on two of them. . .I Static (code) analysis








6/68




I A “white-box’ approach

I We assume we do not disrupt the implementation, we havean access to its source code

I Analyzing its code, we test the implementationI Passive network trace analysis





6/68





an access to its source code

I Analyzing its code, we test the implementationI Passive network trace analysis





6/68











6/68











6/68






I Passive network trace analysisI A “black-box’ approach

I We assume we do not disrupt the implementation, we havean access to the “messages” being exchanged by theimplementation



6/68






I Passive network trace analysisI A “black-box’ approachI We assume we do not disrupt the implementation, we have




6/68










6/68










7/68


Static Code Analysis 101

8/68


STATIC ANALYSIS

/*Test equal distribution of random number generation algorithm*/#include <stdio.h>#include <stdlib.h>#define NUM 30#define MEM_SIZE 512*1024 //512MBint main(){

short i = 0 , j;long acc = 0;char *numbers = malloc(MEM_SIZE);if(!numbers){

printf(‘‘Can’t allocate memory\n’’);exit(-1);

}while (1){

numbers[i] = rand() % NUM ; //random numbers from 0 - NUMacc = 0;for (j = 0; j < i; j++)

acc += numbers[j];printf(‘‘New average: %ld\n’’, acc/++i); //should converge to NUM/2

}}

Do you see any problems with the code?

9/68


STATIC ANALYSIS (CONT.)/*Test equal distribution of random number generation algorithm*/#include <stdio.h>#include <stdlib.h>#define NUM 30#define MEM_SIZE 512*1024 //512MBint main(){

short i = 0 , j;long acc = 0;char *numbers = malloc(MEM_SIZE);if(!numbers){

printf(‘‘Can’t allocate memory\n’’);exit(-1);

}while (1){

numbers[i] = rand() % NUM ; //random numbers from 0 - NUMacc = 0;for (j = 0; j < i; j++)

acc += numbers[j];printf(‘‘New average: %ld\n’’, acc/++i); //should converge to NUM/2

}}

Hard to see, hard to detect (iteration # 32,768)

10/68


STATIC (CODE) ANALYSIS

We can look for anything. . .

I Which is not functional related (the code compiles)I Usually we check properties

I For instance, for the simple grammar P 7→ P P|(P)|(),ensure that on the even parenthesis list elements, the depthlevel is not more than 2(())()()((())) violates the property, but (((())))() does not(i.e., is valid)

I Ensure that starting from the N-th element of the list atleast m levels are foundFor N = 2,m = 2, ()()() violates the property, and()(())((())) does not

I For a more complex grammar there is much more fun :)

I Let’s look at more real-world examples. . .

10/68




I Which is not functional related (the code compiles)

I Usually we check properties





10/68









10/68









10/68









10/68









10/68









11/68


STATIC ANALYSIS FOR SECURITY PROPERTIES

Source Code Security Issues

I Many problems arise when the user input is not checked

I Cross-Site Scripting (XSS) attacksI SQL injection (SQLI) attacksI Buffer overflow attacks

XSS

I Works by supplying data to users which can lead toinsecure actions, executing unwanted javascript, or addinga sub-site filled with publicity or others

I Simple example: in a forum, users are allowed to insertcomments. If the comment is displayed as-it-is, an attackermight successfully inject malicious code that will affect theforum users

11/68




I Many problems arise when the user input is not checked

I Cross-Site Scripting (XSS) attacksI SQL injection (SQLI) attacksI Buffer overflow attacks

XSS



11/68




I Many problems arise when the user input is not checkedI Cross-Site Scripting (XSS) attacks

I SQL injection (SQLI) attacksI Buffer overflow attacks

XSS



11/68




I Many problems arise when the user input is not checkedI Cross-Site Scripting (XSS) attacksI SQL injection (SQLI) attacks

I Buffer overflow attacks

XSS



11/68




I Many problems arise when the user input is not checkedI Cross-Site Scripting (XSS) attacksI SQL injection (SQLI) attacksI Buffer overflow attacks

XSS



11/68





XSS



11/68





XSSI Works by supplying data to users which can lead to

insecure actions, executing unwanted javascript, or addinga sub-site filled with publicity or others


11/68





XSSI Works by supplying data to users which can lead to

insecure actions, executing unwanted javascript, or addinga sub-site filled with publicity or others


12/68


STATIC ANALYSIS FOR SECURITY PROPERTIES IISQLI

I Essentially works by supplying data to the database forexecuting undesired actions, e.g., a user inputs a searchcriterion, and the database looks for the users matchingthis criterion:SELECT * from users where name=’$CRIT’;

What if the criterion is:a’; DROP TABLE users

How to prevent this attack using static analysis?

I A very simple approach is to guarantee that a sanitizationfunction is called before the storing or displaying theinput. Many languages provide such built-in functions,e.g., PHP provides the htmlspecialchars() function

12/68







12/68







12/68







13/68


STATIC ANALYSIS FOR SECURITY PROPERTIES IIIBuffer Overflow

I The canonical example:

#include <string.h>#define BUFFSIZE 100void load (char *userdata){

char buff[BUFFSIZE];strcpy(buff, userdata); //not good

}

int main (int argc, char **argv){load(argv[1]);...

}

I A string which is longer than BUFFSIZE will be writteninto the memory space of the function load, potentiallyoverwriting the return address

I A string which contains code and the memory address ofthis code in the position of the return address will do thetrick

13/68






}


}



13/68






}


}



13/68






}


}



14/68


STATIC ANALYSIS FOR SECURITY PROPERTIES IV

Buffer Overflow

I If a program with a potentially susceptible stack overflowruns with admin privileges, consequences can bedevastating

Many other properties

I Each file should be closed only onceI Each db connection that was open should be closedI Any other properties are welcome

How to perform static analysis (SA)?

14/68



Buffer OverflowI If a program with a potentially susceptible stack overflow

runs with admin privileges, consequences can bedevastating




14/68








14/68






I Each file should be closed only once

I Each db connection that was open should be closedI Any other properties are welcome


14/68






I Each file should be closed only onceI Each db connection that was open should be closed

I Any other properties are welcome


14/68








14/68








15/68


STATIC ANALYSIS PRINCIPLES

Source Code is?

I A text representation of “computer instructions” in aspecific programming language

I Not text. . . Nor machine codeI A description of a system

Static Analysis is?

I The analysis of source code is performed by a staticanalyzer without executing the program under test

I The code is assumed to be compilable, thus we do not lookfor lexical, syntactical, or type errors that a compiler finds

15/68



Source Code is?I A text representation of “computer instructions” in a

specific programming language

I Not text. . . Nor machine codeI A description of a system

Static Analysis is?



15/68




specific programming languageI Not text. . . Nor machine code

I A description of a system

Static Analysis is?



15/68




specific programming languageI Not text. . . Nor machine codeI A description of a system

Static Analysis is?



15/68





Static Analysis is?



15/68





Static Analysis is?



15/68





Static Analysis is?



16/68


STATIC ANALYSIS PRINCIPLES (CONT.)How do we analyze the source code then?

I Can we treat it as text?

I This would be terriblyn hard

I A data structure is needed to effectively manipulate it

I A famous structure to manipulate the source code is anAbstract Syntax Tree (AST)

I To build an AST, we need to parse the code

A parser. . .

I Can be generated automatically by a parser generator(takes a context free grammar (CFG) as an input andproduces a parser)

I Takes a CFG production (a sentence / source code) andproduces a “parse tree”

16/68



I Can we treat it as text?

I This would be terriblyn hardI A data structure is needed to effectively manipulate it



A parser. . .



16/68



I Can we treat it as text?I This would be terriblyn hard




A parser. . .



16/68







A parser. . .



16/68




I A data structure is needed to effectively manipulate itI A famous structure to manipulate the source code is an

Abstract Syntax Tree (AST)


A parser. . .



16/68





Abstract Syntax Tree (AST)I To build an AST, we need to parse the code

A parser. . .



16/68






A parser. . .



16/68






A parser. . .



16/68






A parser. . .



17/68


AN AST

AST for 2 + 3 ∗ 4

18/68


DATAFLOW ANALYSIS

Mainly cares about data flow and data dependencies

Consider the following code:

void func (int x){int y = 10;int z = 2 + y;

if(x > 10){z=10;x = y + 1;

}print(z);

}

How can Dataflow analysis help us?

18/68


DATAFLOW ANALYSIS




if(x > 10){z=10;x = y + 1;

}print(z);

}


18/68


DATAFLOW ANALYSIS




if(x > 10){z=10;x = y + 1;

}print(z);

}


19/68


DATAFLOW ANALYSIS — FORWARD ANALYSIS

The data flow

20/68



The data flow

Potential values

I Negative array indicesI Closed DB connections

20/68



The data flow

Potential values

I Negative array indicesI Closed DB connections

20/68



The data flow

Potential valuesI Negative array indices

I Closed DB connections

20/68



The data flow

Potential valuesI Negative array indicesI Closed DB connections

21/68


DATAFLOW ANALYSIS — BACKWARD ANALYSIS

The data flow

Data dependencies

I Useful for security testingI Useful for dead code elimination

21/68



The data flow

Data dependencies


21/68



The data flow

Data dependencies

I Useful for security testing

I Useful for dead code elimination

21/68



The data flow

Data dependencies


22/68


DATAFLOW ANALYSIS — CONTROL FLOW GRAPH

void func (int x){//b1int y = 10;int z = 2 + y;

if(x > 10){//b2z=10;x = y + 1;

}//b3print(z);

}

(b1)y=10z=2+y

(b2)z=10x=y+1

(b3)

x>10

x≤10

22/68


DATAFLOW ANALYSIS — CONTROL FLOW GRAPH

void func (int x){//b1int y = 10;int z = 2 + y;

if(x > 10){//b2z=10;x = y + 1;

}//b3print(z);

}

(b1)y=10z=2+y

(b2)z=10x=y+1

(b3)

x>10

x≤10

23/68


DATAFLOW NOTIONS

(b1)y=10z=2+y

(b2)z=10x=y+1

(b3)

x>10

x≤10

(b1)x y z↓ 10 12

(b2)x y z

y+1 ↓ 10

(b3)x y z↓ ↓ ↓

x>10

x≤10

24/68


DATAFLOW NOTIONS (2)

(b1)x y z↓ 10 12

(b2)x y z

y+1 ↓ 10

(b3)x y z↓ ↓ ↓

x>10

x≤10

Putting inputs andoutputs. . .

I Assume ⊥ = notenough information

I Assume > = “toomuch” information(all possible values)

24/68



(b1)x y z↓ 10 12

(b2)x y z

y+1 ↓ 10

(b3)x y z↓ ↓ ↓

x>10

x≤10




24/68



(b1)x y z↓ 10 12

(b2)x y z

y+1 ↓ 10

(b3)x y z↓ ↓ ↓

x>10

x≤10




24/68



(b1)> > >x y z↓ 10 12⊥ ⊥ ⊥

(b2)⊥ ⊥ ⊥x y z

y+1 ↓ 10⊥ ⊥ ⊥

(b3)⊥ ⊥ ⊥x y z↓ ↓ ↓⊥ ⊥ ⊥

x>10

x≤10




25/68


DATAFLOW NOTIONS — THE PROPAGATION GAME

(b1)> > >x y z↓ 10 12⊥ ⊥ ⊥

(b2)⊥ ⊥ ⊥x y z

y+1 ↓ 10⊥ ⊥ ⊥

(b3)⊥ ⊥ ⊥x y z↓ ↓ ↓⊥ ⊥ ⊥

x>10

x≤10

Propagation. . .

I Propagate frominputs to outputs

I From one block toanother

I Join the inputs

25/68



(b1)> > >x y z↓ 10 12⊥ ⊥ ⊥

(b2)⊥ ⊥ ⊥x y z

y+1 ↓ 10⊥ ⊥ ⊥

(b3)⊥ ⊥ ⊥x y z↓ ↓ ↓⊥ ⊥ ⊥

x>10

x≤10

Propagation. . .



I Join the inputs

25/68



(b1)> > >x y z↓ 10 12⊥ ⊥ ⊥

(b2)⊥ ⊥ ⊥x y z

y+1 ↓ 10⊥ ⊥ ⊥

(b3)⊥ ⊥ ⊥x y z↓ ↓ ↓⊥ ⊥ ⊥

x>10

x≤10

Propagation. . .



I Join the inputs

25/68



(b1)> > >x y z↓ 10 12⊥ ⊥ ⊥

(b2)⊥ ⊥ ⊥x y z

y+1 ↓ 10⊥ ⊥ ⊥

(b3)⊥ ⊥ ⊥x y z↓ ↓ ↓⊥ ⊥ ⊥

x>10

x≤10

Propagation. . .



I Join the inputs

25/68



(b1)> > >x y z↓ 10 12> 10 12

(b2)⊥ ⊥ ⊥x y z

y+1 ↓ 10⊥ ⊥ ⊥

(b3)⊥ ⊥ ⊥x y z↓ ↓ ↓⊥ ⊥ ⊥

x>10

x≤10

Propagation. . .



I Join the inputs

(b1)

25/68



(b1)> > >x y z↓ 10 12> 10 12

(b2)> 10 12x y z

y+1 ↓ 10⊥ ⊥ ⊥

(b3)⊥ ⊥ ⊥x y z↓ ↓ ↓⊥ ⊥ ⊥

x>10

x≤10

Propagation. . .



I Join the inputs

(b2)

25/68



(b1)> > >x y z↓ 10 12> 10 12

(b2)> 10 12x y z

y+1 ↓ 1011 10 10

(b3)⊥ ⊥ ⊥x y z↓ ↓ ↓⊥ ⊥ ⊥

x>10

x≤10

Propagation. . .



I Join the inputs

(b2)

25/68



(b1)> > >x y z↓ 10 12> 10 12

(b2)> 10 12x y z

y+1 ↓ 1011 10 10

(b3){>, 11} 10 {12, 10}

x y z↓ ↓ ↓⊥ ⊥ ⊥

x>10

x≤10

Propagation. . .



I Join the inputs

(b3)

25/68



(b1)> > >x y z↓ 10 12> 10 12

(b2)> 10 12x y z

y+1 ↓ 1011 10 10

(b3){>, 11} {10} {12, 10}

x y z↓ ↓ ↓> 10 {12, 10}

x>10

x≤10

Propagation. . .



I Join the inputs

(b3)

25/68



(b1)> > >x y z↓ 10 12> 10 12

(b2)> 10 12x y z

y+1 ↓ 1011 10 10

(b3){>, 11} {10} {12, 10}

x y z↓ ↓ ↓> 10 {12, 10}

x>10

x≤10

Value AnalysisYup... that’s what we did

I y=10 is truth for allexecution pathsOptimizations: constantpropagation (lesscalculations), removal ofy (smaller stackconsumption)

I z ∈ {10, 12}Optimizations: smallerdata type of z; perhapsthis might be furtherused to verify that allfunctions return valuesbetween [11− 20]?

25/68



(b1)> > >x y z↓ 10 12> 10 12

(b2)> 10 12x y z

y+1 ↓ 1011 10 10

(b3){>, 11} {10} {12, 10}

x y z↓ ↓ ↓> 10 {12, 10}

x>10

x≤10




25/68



(b1)> > >x y z↓ 10 12> 10 12

(b2)> 10 12x y z

y+1 ↓ 1011 10 10

(b3){>, 11} {10} {12, 10}

x y z↓ ↓ ↓> 10 {12, 10}

x>10

x≤10




26/68


DATAFLOW ANALYSIS BASICS

Lattice L (The analysis domain)

I A partially ordered set (L,≤)I ∀x, y ∈ L,∃x ∨ y(sup) & ∃x ∧ y(inf)I If ∀S ⊆ L,∃ ∨ S(greatest element >) & ∧S(least element ⊥) L

is a complete lattice

I x0 ≤ x1 ≤ x2... =⇒ ∃n : xn = xn+1 = xn+2 = ...Ensures ascending chain condition (no infinite progress)

Inputs, outputs, and transfer functions, depend on thecontrol flow block (CFB) b

I Transfer function fb : L → LI Output outb = fb(inn) is calculated with a transfer functionI inb = denotes inputs of b, inb = ∨{outm|m ∈ pred(b)}

(usually ∨ = ∪)

26/68




I A partially ordered set (L,≤)

I ∀x, y ∈ L,∃x ∨ y(sup) & ∃x ∧ y(inf)I If ∀S ⊆ L,∃ ∨ S(greatest element >) & ∧S(least element ⊥) L

is a complete lattice




(usually ∨ = ∪)

26/68




I A partially ordered set (L,≤)I ∀x, y ∈ L, ∃x ∨ y(sup) & ∃x ∧ y(inf)

I If ∀S ⊆ L,∃ ∨ S(greatest element >) & ∧S(least element ⊥) Lis a complete lattice




(usually ∨ = ∪)

26/68




I A partially ordered set (L,≤)I ∀x, y ∈ L, ∃x ∨ y(sup) & ∃x ∧ y(inf)I If ∀S ⊆ L, ∃ ∨ S(greatest element >) & ∧S(least element ⊥) L

is a complete latticeI x0 ≤ x1 ≤ x2... =⇒ ∃n : xn = xn+1 = xn+2 = ...

Ensures ascending chain condition (no infinite progress)



(usually ∨ = ∪)

26/68









(usually ∨ = ∪)

26/68








I Transfer function fb : L → L

I Output outb = fb(inn) is calculated with a transfer functionI inb = denotes inputs of b, inb = ∨{outm|m ∈ pred(b)}

(usually ∨ = ∪)

26/68








I Transfer function fb : L → LI Output outb = fb(inn) is calculated with a transfer function

I inb = denotes inputs of b, inb = ∨{outm|m ∈ pred(b)}(usually ∨ = ∪)

26/68









(usually ∨ = ∪)

27/68


DATAFLOW ANALYSIS BASICS (CONT.)

Requirements

I The join operation ∨must not lose information: ∨(x, y) ⊇ xand ∨(x, y) ⊇ y

I ∀f ∈ F, x ⊆ y =⇒ f (x) ⊆ f (y), all transfer functions aremonotones, i.e., they preserve the given order

Necessary conditions for termination!

I Previous requirements + ascending chain condition

We won’t see proofs

I However, this is certainly proven and easy to find. . .

27/68



Requirements







27/68



Requirements







27/68



Requirements







27/68



Requirements







28/68


DATA ANALYSIS BASICS — CALCULATION

ALGORITHM

Maximal Fixed Point algorithm

for all b ∈ B dooutb ← fb(⊥)

end forinb0 ← I //I=initialization (>.⊥, ∅ are usual)outb0 ← fn0(I)worklist← B \ {b0}while worklist 6= ∅ do

b← pop(worklist)inb ← ∨{outm|m ∈ pred(b)}outb ← fb(inb)if outb changed then

worklist←worklist ∪ bend if

end while

28/68


DATA ANALYSIS BASICS — CALCULATION

ALGORITHM

Maximal Fixed Point algorithm


end forinb0 ← I //I=initialization (>.⊥, ∅ are usual)outb0 ← fn0(I)worklist← B \ {b0}while worklist 6= ∅ do

b← pop(worklist)inb ← ∨{outm|m ∈ pred(b)}outb ← fb(inb)if outb changed then

worklist←worklist ∪ bend if

end while

29/68


DATAFLOW ANALYSIS — SIGN ANALYSIS EXAMPLE

void bk (int j, char c[], size_t sc){

size_t midx = 4;int d = 0,i =0;while(i< j){

d = midx - i;c[d] = i;i++;

}}

(b1)j sc midx d i↓ ↓ 4 0 0

(b2)j sc midx d i↓ ↓ ↓ midx-i i+1

(b3)j sc midx d i↓ ↓ ↓ ↓ ↓

i<j

i≥j

i≥j

i<j

30/68



(2)Lattice L is defined over theset of all subsets of {−, 0,+}and ⊆

I ∨ = ∪> ∈ {+,−}⊥ = no information yet

I Operations over LI Addition(

⊕) and

multiplication (⊗

) oflattice values:{−}

⊕{+} =

{−, 0,+} ∧ {0}⊕{+} =

{+} ∧ {−}⊕{−}∧. . .

I fb ∈ F use operations +sign of constants

(b1)j sc midx d i↓ ↓ 4 0 0

(b2)j sc midx d i↓ ↓ ↓ midx-i i+1

(b3)j sc midx d i↓ ↓ ↓ ↓ ↓

i<j

i≥j

i≥j

i<j

30/68



(2)Lattice L is defined over theset of all subsets of {−, 0,+}and ⊆

I ∨ = ∪> ∈ {+,−}⊥ = no information yet

I Operations over LI Addition(

⊕) and

multiplication (⊗

) oflattice values:{−}

⊕{+} =

{−, 0,+} ∧ {0}⊕{+} =

{+} ∧ {−}⊕{−}∧. . .

I fb ∈ F use operations +sign of constants

(b1)j sc midx d i↓ ↓ {+} {0} {0}

(b2)j sc midx d i↓ ↓ ↓ {[midx]}

⊕{−}

⊗{[i]} {[i]}

⊕{+}

(b3)j sc midx d i↓ ↓ ↓ ↓ ↓

i<j

i≥j

i≥j

i<j

31/68



(3)


end forinb0 ← I //I=initialization(>.⊥, ∅ are usual)outb0 ← fn0(I)worklist← B \ {b0}while worklist 6= ∅ do

b← pop(worklist)

inb ← ∨{outm|m ∈ pred(b)}outb ← fb(inb)if outb changed then

worklist←worklist∪ b

end ifend while

(b1)j sc midx d i↓ ↓ {+} {0} {0}


⊕{−}

⊗{[i]} {[i]}

⊕{+}

(b3)j sc midx d i↓ ↓ ↓ ↓ ↓

31/68



(3)



b← pop(worklist)



end ifend while

(b1)j sc midx d i↓ ↓ {+} {0} {0}⊥ ⊥ ⊥ ⊥ ⊥


⊕{−}

⊗{[i]} {[i]}

⊕{+}

⊥ ⊥ ⊥ ⊥ ⊥

(b3)j sc midx d i↓ ↓ ↓ ↓ ↓⊥ ⊥ ⊥ ⊥ ⊥

31/68



(3)



b← pop(worklist)



end ifend while

(b1)> > > > >j sc midx d i↓ ↓ {+} {0} {0}⊥ ⊥ ⊥ ⊥ ⊥

(b2)> > > > >j sc midx d i↓ ↓ ↓ {[midx]}

⊕{−}

⊗{[i]} {[i]}

⊕{+}

⊥ ⊥ ⊥ ⊥ ⊥

(b3)> > > > >j sc midx d i↓ ↓ ↓ ↓ ↓⊥ ⊥ ⊥ ⊥ ⊥

31/68



(3)



b← pop(worklist)



end ifend while

(b1)> > > > >j sc midx d i↓ ↓ {+} {0} {0}> > {+} {0} {0}

(b2)> > > > >j sc midx d i↓ ↓ ↓ {[midx]}

⊕{−}

⊗{[i]} {[i]}

⊕{+}

⊥ ⊥ ⊥ ⊥ ⊥

(b3)> > > > >j sc midx d i↓ ↓ ↓ ↓ ↓⊥ ⊥ ⊥ ⊥ ⊥

31/68



(3)


end forinb0 ← I //I=initialization(>.⊥, ∅ are usual)outb0 ← fn0(I)worklist← {b2, b3}while worklist 6= ∅ do

b← pop(worklist)



end ifend while

(b1)> > > > >j sc midx d i↓ ↓ {+} {0} {0}> > {+} {0} {0}

(b2)> > > > >j sc midx d i↓ ↓ ↓ {[midx]}

⊕{−}

⊗{[i]} {[i]}

⊕{+}

⊥ ⊥ ⊥ ⊥ ⊥

(b3)> > > > >j sc midx d i↓ ↓ ↓ ↓ ↓⊥ ⊥ ⊥ ⊥ ⊥

31/68



(3)


end forinb0 ← I //I=initialization(>.⊥, ∅ are usual)outb0 ← fn0(I)worklist← {b2, b3}while {b2,b3} 6= ∅ do

b← pop(worklist)



end ifend while

(b1)> > > > >j sc midx d i↓ ↓ {+} {0} {0}> > {+} {0} {0}

(b2)> > > > >j sc midx d i↓ ↓ ↓ {[midx]}

⊕{−}

⊗{[i]} {[i]}

⊕{+}

⊥ ⊥ ⊥ ⊥ ⊥

(b3)> > > > >j sc midx d i↓ ↓ ↓ ↓ ↓⊥ ⊥ ⊥ ⊥ ⊥

31/68



(3)for all b ∈ B do

outb ← fb(⊥)end forinb0 ← I //I=initialization(>.⊥, ∅ are usual)outb0 ← fn0(I)worklist← {b2, b3}while {b2,b3} 6= ∅ do

b← pop({b2,b3})//b=b2



end ifend while

(b1)> > > > >j sc midx d i↓ ↓ {+} {0} {0}> > {+} {0} {0}

(b2)> > > > >j sc midx d i↓ ↓ ↓ {[midx]}

⊕{−}

⊗{[i]} {[i]}

⊕{+}

⊥ ⊥ ⊥ ⊥ ⊥

(b3)> > > > >j sc midx d i↓ ↓ ↓ ↓ ↓⊥ ⊥ ⊥ ⊥ ⊥

31/68



(3)



b← pop({b3} )

inb2 ← ∨{outm|m ∈ pred(b2)}outb ← fb(inb)if outb changed then


end ifend while

(b1)> > > > >j sc midx d i↓ ↓ {+} {0} {0}> > {+} {0} {0}

(b2)> > {+} {0} {0}j sc midx d i↓ ↓ ↓ {[midx]}

⊕{−}

⊗{[i]} {[i]}

⊕{+}

⊥ ⊥ ⊥ ⊥ ⊥

(b3)> > > > >j sc midx d i↓ ↓ ↓ ↓ ↓⊥ ⊥ ⊥ ⊥ ⊥

31/68



(3)



b← pop({b3} )

inb2 ← ∨{outm|m ∈ pred(b2)}outb2 ← fb2(inb2)if outb changed then


end ifend while

(b1)> > > > >j sc midx d i↓ ↓ {+} {0} {0}> > {+} {0} {0}

(b2)> > {+} {0} {0}j sc midx d i↓ ↓ ↓ {[midx]}

⊕{−}

⊗{[i]} {[i]}

⊕{+}

> > {+} {+} {+}

(b3)> > > > >j sc midx d i↓ ↓ ↓ ↓ ↓⊥ ⊥ ⊥ ⊥ ⊥

31/68



(3)



b← pop({b3} )

inb2 ← ∨{outm|m ∈ pred(b2)}outb2 ← fb2(inb2)if outb2 changed then


end ifend while

(b1)> > > > >j sc midx d i↓ ↓ {+} {0} {0}> > {+} {0} {0}

(b2)> > {+} {0} {0}j sc midx d i↓ ↓ ↓ {[midx]}

⊕{−}

⊗{[i]} {[i]}

⊕{+}

> > {+} {+} {+}

(b3)> > > > >j sc midx d i↓ ↓ ↓ ↓ ↓⊥ ⊥ ⊥ ⊥ ⊥

31/68



(3)



b← pop({b3} )

inb2 ← ∨{outm|m ∈ pred(b2)}outb2 ← fb2(inb2)if outb2 changed then{b3} ← {b3} ∪ {b2}

end ifend while

(b1)> > > > >j sc midx d i↓ ↓ {+} {0} {0}> > {+} {0} {0}

(b2)> > {+} {0} {0}j sc midx d i↓ ↓ ↓ {[midx]}

⊕{−}

⊗{[i]} {[i]}

⊕{+}

> > {+} {+} {+}

(b3)> > > > >j sc midx d i↓ ↓ ↓ ↓ ↓⊥ ⊥ ⊥ ⊥ ⊥

31/68



(3)



b← pop(worklist)



end ifend while

(b1)> > > > >j sc midx d i↓ ↓ {+} {0} {0}> > {+} {0} {0}

(b2)> > {+} {0} {0}j sc midx d i↓ ↓ ↓ {[midx]}

⊕{−}

⊗{[i]} {[i]}

⊕{+}

> > {+} {+} {+}

(b3)> > > > >j sc midx d i↓ ↓ ↓ ↓ ↓⊥ ⊥ ⊥ ⊥ ⊥

31/68



(3)



b← pop({b3} )



end ifend while

(b1)> > > > >j sc midx d i↓ ↓ {+} {0} {0}> > {+} {0} {0}

(b2)> > {+} {0,+} {0,+}j sc midx d i↓ ↓ ↓ {[midx]}

⊕{−}

⊗{[i]} {[i]}

⊕{+}

> > {+} {+} {+}

(b3)> > > > >j sc midx d i↓ ↓ ↓ ↓ ↓⊥ ⊥ ⊥ ⊥ ⊥

31/68



(3)



b← pop({b3} )



end ifend while

(b1)> > > > >j sc midx d i↓ ↓ {+} {0} {0}> > {+} {0} {0}

(b2)> > {+} {0,+} {0,+}j sc midx d i↓ ↓ ↓ {[midx]}

⊕{−}

⊗{[i]} {[i]}

⊕{+}

> > {+} {+,−} = > {+}

(b3)> > > > >j sc midx d i↓ ↓ ↓ ↓ ↓⊥ ⊥ ⊥ ⊥ ⊥

31/68



(3)



b← pop({b3} )

inb2 ← ∨{outm|m ∈ pred(b2)}outb2 ← fb2(inb2)if outb2 changed then{b3} ← {b3} ∪ {b2}

end ifend while

(b1)> > > > >j sc midx d i↓ ↓ {+} {0} {0}> > {+} {0} {0}

(b2)> > {+} {0,+} {0,+}j sc midx d i↓ ↓ ↓ {[midx]}

⊕{−}

⊗{[i]} {[i]}

⊕{+}

> > {+} > {+}

(b3)> > > > >j sc midx d i↓ ↓ ↓ ↓ ↓⊥ ⊥ ⊥ ⊥ ⊥

31/68



(3)



b← pop(worklist)



end ifend while

(b1)> > > > >j sc midx d i↓ ↓ {+} {0} {0}> > {+} {0} {0}

(b2)> > {+} {0,+} {0,+}j sc midx d i↓ ↓ ↓ {[midx]}

⊕{−}

⊗{[i]} {[i]}

⊕{+}

> > {+} > {+}

(b3)> > > > >j sc midx d i↓ ↓ ↓ ↓ ↓⊥ ⊥ ⊥ ⊥ ⊥

31/68



(3)



b← pop({b3} )



end ifend while

(b1)> > > > >j sc midx d i↓ ↓ {+} {0} {0}> > {+} {0} {0}

(b2)> > {+} > {0,+}j sc midx d i↓ ↓ ↓ {[midx]}

⊕{−}

⊗{[i]} {[i]}

⊕{+}

> > {+} > {+}

(b3)> > > > >j sc midx d i↓ ↓ ↓ ↓ ↓⊥ ⊥ ⊥ ⊥ ⊥

31/68



(3)



b← pop({b3} )



end ifend while

(b1)> > > > >j sc midx d i↓ ↓ {+} {0} {0}> > {+} {0} {0}

(b2)> > {+} > {0,+}j sc midx d i↓ ↓ ↓ {[midx]}

⊕{−}

⊗{[i]} {[i]}

⊕{+}

> > {+} > {+}

(b3)> > > > >j sc midx d i↓ ↓ ↓ ↓ ↓⊥ ⊥ ⊥ ⊥ ⊥

31/68



(3)


end forinb0 ← I //I=initialization(>.⊥, ∅ are usual)outb0 ← fn0(I)worklist← {b2, b3}while {b3} 6= ∅ do

b← pop(worklist)



end ifend while

(b1)> > > > >j sc midx d i↓ ↓ {+} {0} {0}> > {+} {0} {0}

(b2)> > {+} > {0,+}j sc midx d i↓ ↓ ↓ {[midx]}

⊕{−}

⊗{[i]} {[i]}

⊕{+}

> > {+} > {+}

(b3)> > > > >j sc midx d i↓ ↓ ↓ ↓ ↓⊥ ⊥ ⊥ ⊥ ⊥

31/68



(3)



b← pop({} )



end ifend while

(b1)> > > > >j sc midx d i↓ ↓ {+} {0} {0}> > {+} {0} {0}

(b2)> > {+} > {0,+}j sc midx d i↓ ↓ ↓ {[midx]}

⊕{−}

⊗{[i]} {[i]}

⊕{+}

> > {+} > {+}

(b3)> > {+} > {0,+}j sc midx d i↓ ↓ ↓ ↓ ↓⊥ ⊥ ⊥ ⊥ ⊥

31/68



(3)



b← pop({b3} )



end ifend while

(b1)> > > > >j sc midx d i↓ ↓ {+} {0} {0}> > {+} {0} {0}

(b2)> > {+} > {0,+}j sc midx d i↓ ↓ ↓ {[midx]}

⊕{−}

⊗{[i]} {[i]}

⊕{+}

> > {+} > {+}

(b3)> > {+} > {0,+}j sc midx d i↓ ↓ ↓ ↓ ↓> > {+} > {0,+}

31/68



(3)



b← pop({b3} )

inb3 ← ∨{outm|m ∈ pred(b3)}outb3 ← fb3(inb3)if outb changed then{} ←worklist ∪ {b3}

end ifend while

(b1)> > > > >j sc midx d i↓ ↓ {+} {0} {0}> > {+} {0} {0}

(b2)> > {+} > {0,+}j sc midx d i↓ ↓ ↓ {[midx]}

⊕{−}

⊗{[i]} {[i]}

⊕{+}

> > {+} > {+}

(b3)> > {+} > {0,+}j sc midx d i↓ ↓ ↓ ↓ ↓> > {+} > {0,+}

31/68



(3)



b← pop(worklist)



end ifend while

(b1)> > > > >j sc midx d i↓ ↓ {+} {0} {0}> > {+} {0} {0}

(b2)> > {+} > {0,+}j sc midx d i↓ ↓ ↓ {[midx]}

⊕{−}

⊗{[i]} {[i]}

⊕{+}

> > {+} > {+}

(b3)> > {+} > {0,+}j sc midx d i↓ ↓ ↓ ↓ ↓> > {+} > {0,+}

31/68



(3)



b← pop({} )



end ifend while

(b1)> > > > >j sc midx d i↓ ↓ {+} {0} {0}> > {+} {0} {0}

(b2)> > {+} > {0,+}j sc midx d i↓ ↓ ↓ {[midx]}

⊕{−}

⊗{[i]} {[i]}

⊕{+}

> > {+} > {+}

(b3)> > {+} > {0,+}j sc midx d i↓ ↓ ↓ ↓ ↓> > {+} > {0,+}

31/68



(3)



b← pop({b3} )



end ifend while

(b1)> > > > >j sc midx d i↓ ↓ {+} {0} {0}> > {+} {0} {0}

(b2)> > {+} > {0,+}j sc midx d i↓ ↓ ↓ {[midx]}

⊕{−}

⊗{[i]} {[i]}

⊕{+}

> > {+} > {+}

(b3)> > {+} > {0,+}j sc midx d i↓ ↓ ↓ ↓ ↓> > {+} > {0,+}

31/68



(3)


end forinb0 ← I //I=initialization(>.⊥, ∅ are usual)outb0 ← fn0(I)worklist← {b2, b3}while {} 6= ∅ do

b← pop(worklist)



end ifend while

(b1)> > > > >j sc midx d i↓ ↓ {+} {0} {0}> > {+} {0} {0}

(b2)> > {+} > {0,+}j sc midx d i↓ ↓ ↓ {[midx]}

⊕{−}

⊗{[i]} {[i]}

⊕{+}

> > {+} > {+}

(b3)> > {+} > {0,+}j sc midx d i↓ ↓ ↓ ↓ ↓> > {+} > {0,+}

32/68



(3.1)for all b ∈ B do

outb ← fb(⊥)end forinb0 ← I //I=initialization(>.⊥, ∅ are usual)outb0 ← fn0(I)worklist← {b2, b3}while {} 6= ∅ do

b← pop(worklist)



end ifend while

Fixpoint Reached!

Possible values:j sc midx d i> > {+} > {0,+}

(specially in b2)



d = midx - i;c[d] = i;i++;

}}

32/68





b← pop(worklist)



end ifend while

Fixpoint Reached!Possible values:

j sc midx d i> > {+} > {0,+}

(specially in b2)



d = midx - i;c[d] = i;i++;

}}

32/68





b← pop(worklist)



end ifend while

Fixpoint Reached!Possible values:

j sc midx d i> > {+} > {0,+}

(specially in b2)



d = midx - i;c[d] = i;i++;

}}

33/68


STATIC ANALYSIS – FINAL REMARKS

I It can be used for many things including statementreachability

I It can be used for test generation, for determining theinputs that will cover the code

I False-positives can be acceptableI There exist well-known plug-in (or feature) based tools,

e.g., Frama-CI There exist other formal approaches, e.g., abstract

interpretation

33/68







interpretation

33/68







interpretation

33/68





I False-positives can be acceptable

I There exist well-known plug-in (or feature) based tools,e.g., Frama-C

I There exist other formal approaches, e.g., abstractinterpretation

33/68






e.g., Frama-C

I There exist other formal approaches, e.g., abstractinterpretation

33/68







interpretation

34/68


Passive Testing using NetworkTraces

35/68


ARCHITECTURE(EXAMPLE)An image, 103 words. . .

I Direction: From server to clientI P.O. = one network interface of the server (usually a P.O. is

associated with a network host, it can vary. . . )I No information regarding on-line or off-line trace

collection (perhaps on-line is more interesting)

How do we test this?

35/68







35/68



I Direction: From server to client

I P.O. = one network interface of the server (usually a P.O. isassociated with a network host, it can vary. . . )

I No information regarding on-line or off-line tracecollection (perhaps on-line is more interesting)


35/68




associated with a network host, it can vary. . . )

I No information regarding on-line or off-line tracecollection (perhaps on-line is more interesting)


35/68







35/68







36/68


DEEP PACKET INSPECTION (DPI) 101What is DPI?

I The process of examining the data of a network packetwhen searching for specific parameter values in it:

I Protocol non-compliance, e.g., TCP SYN-FIN (or xmas treepacket)

I Viruses, buffer overflows, etc.

I These can be identified by a signatureI A signature is a known binary sequence inside a packet that

identifies the attack

I Specific application layer data, for instance:a’; DROP TABLE users

What to do, once certain value is found?

I Report the finding (usually the search targets forprohibited elements)

36/68











36/68











36/68







identifies the attackI Specific application layer data, for instance:a’; DROP TABLE users



36/68





I Viruses, buffer overflows, etc.I These can be identified by a signatureI A signature is a known binary sequence inside a packet that





36/68









36/68









36/68









37/68


DEEP PACKET INSPECTION (DPI) 102

I Mostly in firewalls, Intrusion Detection Systems (IDS), andIntrusion Prevention Systems (IPS)

I Off-line approaches are not very popularI Off-line approaches are sometimes considered as a form of

computer forensics (examining an already killedcomputer)

How to describe which values to search?

I There exist various approaches (Cisco, Snort, etc.),nonetheless, they tend to have common points. . .

37/68








37/68




I Off-line approaches are not very popular

I Off-line approaches are sometimes considered as a form ofcomputer forensics (examining an already killedcomputer)



37/68








37/68








37/68






How to describe which values to search?I There exist various approaches (Cisco, Snort, etc.),

nonetheless, they tend to have common points. . .

38/68


DESCRIBING VALUES IN DPI

Based on “rules”

I For common protocols (IP, TCP, UDP, HTTP, etc.) variablesare provided, for example:

alert tcp any any -> any 21 (msg:"FTP ROOT"; content:"USER root"; nocase;)

I A signature can be described as a set of strings (potentiallybinary) of a regular language

I It can be described by a regular expression

alert tcp any any -> any 80 (content:"/foo.php?id=";pcre:"/foo.php?id=[0-9]{1,10}/iU";)

(All the previous rules were written using the syntax ofsnort)

38/68



Based on “rules”I For common protocols (IP, TCP, UDP, HTTP, etc.) variables

are provided, for example:






38/68










38/68










38/68










38/68










38/68










39/68


STATELESS AND STATEFUL DPI CONCEPTS

Stateless DPI

I Each rule is applied to each network packet and no state issaved

I It can be good if we are tying to search for a virustransmitted over SMTP, for instance

Stateful DPI

I Certain information regarding the state of the connectiongets stored

I For example, the FTP data channel get associated to theFTP control channel

39/68



Stateless DPII Each rule is applied to each network packet and no state is

saved

I It can be good if we are tying to search for a virustransmitted over SMTP, for instance

Stateful DPI



39/68




savedI It can be good if we are tying to search for a virus

transmitted over SMTP, for instance

Stateful DPI



39/68






Stateful DPI



39/68






Stateful DPII Certain information regarding the state of the connection

gets stored


39/68






Stateful DPII Certain information regarding the state of the connection

gets storedI For example, the FTP data channel get associated to the

FTP control channel

40/68


BEYOND DPIWhat if we want more?.. What is more?

I The Very Simple Network Protocol (VSNP)I Every client request has an integer IDI Each client request is followed by a VSNP server responseI The VSNP server response should be even if the request ID

is odd, and vice-versa

I Assume we want to check the odd/even, even/oddconstraints

I Or we want to check the behavior of non-typical protocolimplementations or not predefined set of rules

I Or to choose what to save and how to correlate it withfuture packets

Passive Testing using Network Traces

40/68









40/68









40/68









40/68









40/68









41/68


PASSIVE TESTING USING NETWORK TRACES 101

We want to guarantee that:

I Certain functional and non-functional requirements holdover the network traces, also known as properties (orrules, or invariants, more on this later)

I We are able to analyze properties that go beyond singlepacket analysis or simple associations

Consider the VSNP protocol and its even/odd, odd/evenproperty

I Let’s take a look at a potential network trace to list someproperties

41/68








41/68








41/68








41/68








41/68








42/68


UNDERSTANDING CORRELATED NETWORK

INTERACTIONS

Consider the following trace

ID:2N:

ID:3N:

ID:4N:

ID:2N: 77

ID:4N: 89

ID:21N:

ID:21N: 101

Questions

I How can two requests / responses be together?

I As packets go through, the P.O. allows to observe nsequential client(s) requests before a response arrives to theP.O.

I What do we do with a non-replied request?

I It depends if the analysis is performed on-line or off-line

42/68



INTERACTIONS

Consider the following traceID:2N:

ID:3N:

ID:4N:

ID:2N: 77

ID:4N: 89

ID:21N:

ID:21N: 101

Questions





42/68



INTERACTIONS


ID:3N:

ID:4N:

ID:2N: 77

ID:4N: 89

ID:21N:

ID:21N: 101

Questions





42/68



INTERACTIONS


ID:3N:

ID:4N:

ID:2N: 77

ID:4N: 89

ID:21N:

ID:21N: 101

Questions





42/68



INTERACTIONS


ID:3N:

ID:4N:

ID:2N: 77

ID:4N: 89

ID:21N:

ID:21N: 101

Questions

I How can two requests / responses be together?I As packets go through, the P.O. allows to observe n

sequential client(s) requests before a response arrives to theP.O.



42/68



INTERACTIONS


ID:3N:

ID:4N:

ID:2N: 77

ID:4N: 89

ID:21N:

ID:21N: 101

Questions





42/68



INTERACTIONS


ID:3N:

ID:4N:

ID:2N: 77

ID:4N: 89

ID:21N:

ID:21N: 101

Questions



I What do we do with a non-replied request?I It depends if the analysis is performed on-line or off-line

43/68


THE ON-LINE VS. OFF-LINE MONITORING VERDICTS

Incoming (or read) packetsID:2N:

Tester Storing queue / MemoryID:2N:

Actions:

43/68




ID:2N:


Actions:Read REQ with ID = 2

43/68





ID:2N:

Actions:Store packet in the requests to be replied queue

43/68




ID:3N:


ID:2N:


43/68





ID:2N:

ID:3N:


43/68




ID:4N:


ID:2N:

ID:3N:


43/68





ID:2N:

ID:3N:

ID:4N:


43/68




ID:2N: 77


ID:2N:

ID:3N:

ID:4N:

Actions:Read RES with ID = 2

43/68




ID:2N: 77


ID:2N:

ID:3N:

ID:4N:

Actions:Check to which stored packet it corresponds

43/68




ID:2N: 77


ID:2N:

ID:3N:

ID:4N:

Actions:Verify the property

43/68





ID:2N:

ID:3N:

ID:4N:

Actions:Report PASS (+)

43/68





ID:3N:

ID:4N:

Actions:Remove corresponding stored packet from the stored requestsqueue

43/68




ID:4N: 89


ID:3N:

ID:4N:


43/68




ID:4N: 89


ID:3N:

ID:4N:


43/68




ID:4N: 89


ID:3N:

ID:4N:


43/68





ID:3N:

ID:4N:

Actions:Report PASS (+)

43/68





ID:3N:


43/68




ID:21N:


ID:3N:


43/68





ID:3N:

ID:21N:


43/68




ID:21N: 101


ID:3N:

ID:21N:


43/68




ID:21N: 101


ID:3N:

ID:21N:


43/68




ID:21N: 101


ID:3N:

ID:21N:


43/68





ID:3N:

ID:21N:

Actions:Report FAIL (-)

43/68





ID:3N:


43/68





ID:3N:

Actions:What’s next?

43/68





ID:3N:

Actions:Wait. . . wait until another packet comes (live capture)

43/68





ID:3N:

Actions:Until when do we wait? What do we do with this left-alonepacket

43/68





ID:3N:

Actions:Until a determined timeout

43/68





Actions:After the determined timeout, report TIME FAIL (!) andremove packets whose time stored > timeout

43/68





ID:3N:

Actions:Now assume it was off-line

43/68




EOT(end of trace)


ID:3N:

Actions:Read EOT

43/68





ID:3N:

Actions:For each packet left on memory report ?

43/68





Actions:Report INCONCLUSIVE (?)! (What if the trace was cut beforethe packet arrived?) and delete the left packets

44/68


CORRELATED NETWORK INTERACTIONS (CONT.)

Some conclusions / questions

I Given the nature of properties, matching packets cannot beexpressed by a regular language

I How do we express the properties?

I Given the network interactions, each packet can representa connection in any state (bad, very bad. . . )

I How to avoid resource consumption?

44/68





I How do we express the properties?I Given the network interactions, each packet can represent

a connection in any state (bad, very bad. . . )


44/68





I How do we express the properties?

I Given the network interactions, each packet can representa connection in any state (bad, very bad. . . )


44/68






a connection in any state (bad, very bad. . . )


44/68






a connection in any state (bad, very bad. . . )I How to avoid resource consumption?

45/68



INTERACTIONS (CONT. 2)Interaction

Invariants or properties

I Test purposes hold over all the observed network tracesI E.g., β6 is not allowed to occur before the occurrence of α4I There have been proposed many languages to express

invariants

45/68





I Test purposes hold over all the observed network traces

I E.g., β6 is not allowed to occur before the occurrence of α4I There have been proposed many languages to express

invariants

45/68





I Test purposes hold over all the observed network tracesI E.g., β6 is not allowed to occur before the occurrence of α4

I There have been proposed many languages to expressinvariants

45/68





I Test purposes hold over all the observed network tracesI E.g., β6 is not allowed to occur before the occurrence of α4I There have been proposed many languages to express

invariants

46/68


EXPRESSING PROPERTIES

Many languages have been proposed. . .

I Linear Temporal Logic (LTL)

I Describes an ω-regular language (over infinite words)I Fits pretty well if assuming an interaction has a single state

(the P.O. is not situated on a server, for instance)I Is not ideal if many states are assumed to be possible for

different connections (many sequential requests)

I Languages based on Context Free Grammars (CFG)

I Languages are adjusted to the taskI Examples: XML-based, or others. . .I Concepts behind the languages are more important. . .

46/68




I Linear Temporal Logic (LTL)

I Describes an ω-regular language (over infinite words)I Fits pretty well if assuming an interaction has a single state


different connections (many sequential requests)I Languages based on Context Free Grammars (CFG)


46/68




I Linear Temporal Logic (LTL)I Describes an ω-regular language (over infinite words)

I Fits pretty well if assuming an interaction has a single state(the P.O. is not situated on a server, for instance)

I Is not ideal if many states are assumed to be possible fordifferent connections (many sequential requests)



46/68




I Linear Temporal Logic (LTL)I Describes an ω-regular language (over infinite words)I Fits pretty well if assuming an interaction has a single state

(the P.O. is not situated on a server, for instance)

I Is not ideal if many states are assumed to be possible fordifferent connections (many sequential requests)



46/68






different connections (many sequential requests)



46/68








46/68







I Languages are adjusted to the task

I Examples: XML-based, or others. . .I Concepts behind the languages are more important. . .

46/68







I Languages are adjusted to the taskI Examples: XML-based, or others. . .

I Concepts behind the languages are more important. . .

46/68








47/68


PASSIVE TESTING WITH NETWORK TRACES

CONCEPTS

I A property expresses a sequence of premises andconsequences of non-chronologically arranged, but relatednetwork packets

I Example: in English, if(A) then B (before or after), or if{if(A) then B(before or after)} then C (before or after), etc...

I A property must be able to characterize different packets

I That is, to describe a template of each packetExample: a packet that uses TCP in the port 1010 and thefirst value is an ID, etc.

I A property must be able to create relationships betweenthe different network packets

I That is, to describe how packet A relates to packet B(request port is equal to response port, etc.)

47/68



CONCEPTS







47/68



CONCEPTS







47/68



CONCEPTS







47/68



CONCEPTS



I A property must be able to characterize different packetsI That is, to describe a template of each packet

Example: a packet that uses TCP in the port 1010 and thefirst value is an ID, etc.



47/68



CONCEPTS







47/68



CONCEPTS







48/68



CONCEPTS (CONT.)How can we proceed to characterize packets andrelationships between them?

I Comparisons. . .

I Request TCP source port = response destination port?I Individual comparisons are performed against constants or

previous (chronological) packet valuesI These comparisons make relationships between packetsI A set of individual comparisons characterizes a packet

To make individual comparisons we need granular dataaccess

I The SYN flag of the TCP header of the i-th the packetI Hierarchical as you can see. . .

48/68




I Comparisons. . .

I Request TCP source port = response destination port?I Individual comparisons are performed against constants or




48/68




I Comparisons. . .I Request TCP source port = response destination port?

I Individual comparisons are performed against constants orprevious (chronological) packet values

I These comparisons make relationships between packetsI A set of individual comparisons characterizes a packet



48/68




I Comparisons. . .I Request TCP source port = response destination port?I Individual comparisons are performed against constants or

previous (chronological) packet values

I These comparisons make relationships between packetsI A set of individual comparisons characterizes a packet



48/68





previous (chronological) packet valuesI These comparisons make relationships between packets

I A set of individual comparisons characterizes a packet



48/68








48/68








48/68







I The SYN flag of the TCP header of the i-th the packet

I Hierarchical as you can see. . .

48/68








49/68



CONCEPTS (CONT. CONT.)

Granular data access is needed

I Because byte offset access is not feasible

I Example: the value of the IHL (Internet header length)affects the offset mapping

I The communication protocol data point to other locations(semantics of the protocol)

I Otherwise, how to refer to the TCP SYN flag inside theTCP header of the packet?

Granular data access can be achieved with hierarchicalkey-value structure of the packet

I A mapping function between the raw data bytes and thestructure is needed

49/68




Granular data access is neededI Because byte offset access is not feasible






49/68










49/68










49/68










49/68










49/68










50/68



CONCEPTS (CONT. CONT. CONT.)

P packet. . .

(TCP Header)eb5d01bbd3e75a55cfa6e7c0801810001cd50000

. . .

Accessing the ACK flag ofthe TCP header

I Given packet P, the valueis 1 forP->TCP->flags->ACK

50/68




P packet. . .


. . .



50/68




P packet. . .


. . .



50/68




P packet. . .


. . .



51/68


EXPRESSING INVARIANTS

Without a “formal” language

I For each response with an even number a “corresponding”request with an odd ID should have been received

I Example:

if RES(

RES->TCP->srcP = 1010 &RES->VSNP->Num % 2 = 0 &RES->IP->srcIP = REQ->IP->dstIP &REQ->VSNP->ID = RES->VSNP->ID &REQ->VSNP->ID %2 != 0

) then REQ<RES(

REQ->VSNP->Num = NULL)

51/68





I Example:

if RES(


) then REQ<RES(


51/68





I Example:

if RES(


) then REQ<RES(


52/68


WHY IS THIS NOT COMMERCIAL / WIDESPREAD?

Resource intensive!!! The industry lost interest. . .

What if I could identify a subset of properties to check at thecurrent execution point?..

How?

An idea: model the protocol as an FSM to identify its states?

52/68


WHY IS THIS NOT COMMERCIAL / WIDESPREAD?Resource intensive!!! The industry lost interest. . .

What if I could identify a subset of properties to check at thecurrent execution point?..

How?


52/68


WHY IS THIS NOT COMMERCIAL / WIDESPREAD?Resource intensive!!! The industry lost interest. . .What if I could identify a subset of properties to check at thecurrent execution point?..

How?


52/68



How?


52/68



How?An idea: model the protocol as an FSM to identify its states?

53/68


THE SIMPLE CONNECTION PROTOCOL (SCP)

s1 s2

s3

T1:req(QoS) / nosupport(QoSOut)QoSOut := QoST2: conn,data(size, value) / errT3: reset / abort

T4:req(QoS) /support(QoSOut)ConnQoS := QoSQoSOut := ConnQoS

T5:conn, TryCount < 2 & SysAvail = 0/ refuseTryCount := TryCount + 1T6: req(QoS),data(size, value) / err

T8:conn, TryCount ≥ 2 / abortTryCount := 0; ConnQoS := 0;DataCount := 0T9: reset / abort TryCount :=0; ConnQoS := 0;DataCount := 0 T7:conn, TryCount < 2

& SysAvail = 1 / accept(QoSOut)

T10:data(size, value) /ack(DataCountOut)DataCount := DataCount + sizeDataCountOut := DataCountT11:req(QoS), conn / err

T12:reset / abortTryCount := 0;ConnQoS := 0;DataCount := 0

Used to transmit data from one entity (called the upper layer)to the other (called the lower layer)

53/68



s1 s2

s3








Used to transmit data from one entity (called the upper layer)to the other (called the lower layer)

53/68



s1 s2

s3








It starts with a QoS negotiation phase, the sending entityproposes the level, the receiving decides

53/68



s1 s2

s3








Then, the transmitting entity attempts connecting to thereceiving one (up to 3 times)

53/68



s1 s2

s3








After a successful connection, the transmitting entity sendsdata, the receiving entity acknowledges

54/68


CHECKING SCP PROPERTIES. . .

s1 s2

s3








Assume we want to check that:

I An acknowledgment is always sent after transmitting dataI After a successful connection a reset is sentI Only relevant properties to the current execution state!

54/68



s1 s2

s3








Assume we want to check that:I An acknowledgment is always sent after transmitting data

I After a successful connection a reset is sentI Only relevant properties to the current execution state!

54/68



s1 s2

s3








Assume we want to check that:I An acknowledgment is always sent after transmitting data

Why to check for data packets when the connection hasnot been even established?

I After a successful connection a reset is sentI Only relevant properties to the current execution state!

54/68



s1 s2

s3








Assume we want to check that:I An acknowledgment is always sent after transmitting dataI After a successful connection a reset is sent

I Only relevant properties to the current execution state!

54/68



s1 s2

s3








Assume we want to check that:I An acknowledgment is always sent after transmitting dataI After a successful connection a reset is sent

Why to check for connection requests/replies if no QoSlevel has been agreed on?

I Only relevant properties to the current execution state!

54/68



s1 s2

s3








Assume we want to check that:I An acknowledgment is always sent after transmitting dataI After a successful connection a reset is sentI Only relevant properties to the current execution state!

55/68


FINITE STATE MACHINE (FSM)

Do you remember?..An FSM is a 5-tupleM = 〈S, I,O, hs,S

′〉

I S is a finite nonempty setof states with a non-emptysubset S′

of initial statesI I and O are finite input and

output alphabetsI hs ⊆ S× I ×O× S is a

behavior relation

s1 s2

i1/o1

i2/o2

i1/o1

i1/o1, o3

S′= {s1}

FSMi1i2i1. . . o1o2o3. . .

55/68




′〉I S is a finite nonempty set

of states with a non-emptysubset S′

of initial states

I I and O are finite input andoutput alphabets

I hs ⊆ S× I ×O× S is abehavior relation

s1 s2

i1/o1

i2/o2

i1/o1

i1/o1, o3

S′= {s1}

FSMi1i2i1. . . o1o2o3. . .

55/68







output alphabets

I hs ⊆ S× I ×O× S is abehavior relation

s1 s2

i1/o1

i2/o2

i1/o1

i1/o1, o3

S′= {s1}

FSMi1i2i1. . . o1o2o3. . .

55/68








behavior relation

s1 s2

i1/o1

i2/o2

i1/o1

i1/o1, o3

S′= {s1}

FSMi1i2i1. . . o1o2o3. . .

55/68








behavior relation

s1 s2

i1/o1

i2/o2

i1/o1

i1/o1, o3

S′= {s1}

FSMi1i2i1. . . o1o2o3. . .

55/68








behavior relation

s1 s2

i1/o1

i2/o2

i1/o1

i1/o1, o3

S′= {s1}

FSMi1i2i1. . . o1o2o3. . .

56/68


EXTENDED FSM (EFSM)

EFSM augments an FSMwith

I Context variablesI Input and output

parametersI PredicatesI Update functions

A transition is executed if thecorresponding predicate is true

s1 s2

s3








i and o can have parametersContext variables are updatedwhen a transition is executedPredicates allow to execute thetransition if it is true

56/68


EXTENDED FSM (EFSM)


I Context variables

I Input and outputparameters

I PredicatesI Update functions


s1 s2

s3









56/68


EXTENDED FSM (EFSM)



parameters

I PredicatesI Update functions


s1 s2

s3









56/68


EXTENDED FSM (EFSM)



parametersI Predicates

I Update functions


s1 s2

s3









56/68


EXTENDED FSM (EFSM)





s1 s2

s3









56/68


EXTENDED FSM (EFSM)





s1 s2

s3









56/68


EXTENDED FSM (EFSM)





s1 s2

s3









57/68


PROPERTIES OF AN FSM M = 〈S, I,O, hs,S′〉

An FSM can be

I deterministic if for each pair (s, i) ∈ S× I there exists at mostone pair (o, s′) ∈ O× S such that (s, i, o, s′) ∈ hs, otherwiseM is nondeterministic

I complete if for each (s, i) ∈ S× I there exists (o, s′) ∈ O× Ssuch that (s, i, o, s′) ∈ hs, otherwise M is partial

I observable if for each triple (s, i, o) ∈ S× I ×O there exist atmost one state s′ ∈ S such that (s, i, o, s′) ∈ hs, otherwise Mis nonobservable

This is a partial, nondeterministic and nonobservableFSM

s1 s2i1/o1

i2/o2

i1/o1

i1/o1, o3

57/68



An FSM can beI deterministic if for each pair (s, i) ∈ S× I there exists at most

one pair (o, s′) ∈ O× S such that (s, i, o, s′) ∈ hs, otherwiseM is nondeterministic




s1 s2i1/o1

i2/o2

i1/o1

i1/o1, o3

57/68








s1 s2i1/o1

i2/o2

i1/o1

i1/o1, o3

57/68








s1 s2i1/o1

i2/o2

i1/o1

i1/o1, o3

57/68








s1 s2i1/o1

i2/o2

i1/o1

i1/o1, o3

58/68


FROM AN EFSM TO AN FSM

EFSM FSM

I Deleting context variables and predicates that significantlydepend on them (Context-free Slice)

EFSM

s1 s2

s3








FSM

s1 s2

s3

T1:req / nosupportT2: conn,data / errT3: reset / abort

T4:req / support

T5:conn/ refuseT6: req,data / err

T8:conn / abortT9: reset / abort

T7:conn / accept

T10:data/ ackT11:req, conn / err

T12:reset / abort

58/68



EFSM FSM


EFSM

s1 s2

s3








FSM

s1 s2

s3


T4:req / support



T7:conn / accept


T12:reset / abort

58/68



EFSM FSM


EFSM

s1 s2

s3








FSM

s1 s2

s3


T4:req / support



T7:conn / accept


T12:reset / abort

59/68


HOMING SEQUENCE (HS)

I The sequence αallows toconclude aboutthe final state s′itrough theobservation of βi(the outputreaction)

I After applying αat any state si ∈ Sthe final state s′ibecomes known,depending on theobserved βi

I α is a homingsequence

s1 s2 . . . sn

s′1 s′2 s′′2 s′3

α/β1 α/β2 α/β3 α/βi

If βi = βj =⇒ s′i = s′j (For observableFSMs)

59/68


HOMING SEQUENCE (HS)I The sequence α

allows toconclude aboutthe final state s′itrough theobservation of βi(the outputreaction)



s1 s2 . . . sn

s′1 s′2 s′′2 s′3



59/68






s1 s2 . . . sn

s′1 s′2 s′′2 s′3



59/68






s1 s2 . . . sn

s′1 s′2 s′′2 s′3



59/68






s1 s2 . . . sn

s′1 s′2 s′′2 s′3



60/68


DERIVING ALL (NON-REDUNDANT) HS OF LENGTH l

I Derive a TruncatedSuccessor Tree (TST)∃o ∈ ((s1, ij, o, s

′1) ∈ hs&

(s2, ij, o, s′2) ∈ hs&

(s3, ij, o, s′3) ∈ hs. . . )

I Truncating rules

I Rule 1 The node P hasonly singletons

I Rule 2 The depth of thenode P is greater than l

s1, s2, ..., sn

. . . . . .

s′1, s′2, .., s

′x, s′′1 , s

′′2 , .., s

′′y

. . . . . .

i1ij

im

α is a homing sequence iff itlabels the path truncated by

Rule 1

60/68




′1) ∈ hs&

(s2, ij, o, s′2) ∈ hs&

(s3, ij, o, s′3) ∈ hs. . . )

I Truncating rules

I Rule 1 The node P hasonly singletons


s1, s2, ..., sn

. . . . . .

s′1, s′2, .., s

′x, s′′1 , s

′′2 , .., s

′′y

. . . . . .

i1ij

im


Rule 1

60/68




′1) ∈ hs&

(s2, ij, o, s′2) ∈ hs&

(s3, ij, o, s′3) ∈ hs. . . )

I Truncating rulesI Rule 1 The node P has

only singletons


s1, s2, ..., sn

. . . . . .

s′1, s′2, .., s

′x, s′′1 , s

′′2 , .., s

′′y

. . . . . .

i1ij

im


Rule 1

60/68




′1) ∈ hs&

(s2, ij, o, s′2) ∈ hs&

(s3, ij, o, s′3) ∈ hs. . . )


only singletonsI Rule 2 The depth of the

node P is greater than l

s1, s2, ..., sn

. . . . . .

s′1, s′2, .., s

′x, s′′1 , s

′′2 , .., s

′′y

. . . . . .

i1ij

im


Rule 1

60/68




′1) ∈ hs&

(s2, ij, o, s′2) ∈ hs&

(s3, ij, o, s′3) ∈ hs. . . )


only singletonsI Rule 2 The depth of the

node P is greater than l

s1, s2, ..., sn

. . . . . .

s′1, s′2, .., s

′x, s′′1 , s

′′2 , .., s

′′y

. . . . . .

i1ij

im


Rule 1

61/68


APPLYING STATE IDENTIFICATION TO SCP

Let’s assume α = (req.conn)

I If β ∈{(nosupport.err), (err.abort)},then current state is s1,check no properties

I If β ∈{(support.refuse), (err.refuse)},then current state is s2,check for req/conn

I Else current state is s3check for data/ack +reset/abort (small heuristic)

s1 s2

s3








61/68



s1 s2

s3








The resulting set of HSs of length l = 2{(req.reset), (req.conn), (req.data), (reset), (data.rec), (data.conn),data.reset), (conn.req), (conn.data), (conn.reset)}





s1 s2

s3








61/68







s1 s2

s3








61/68







s1 s2

s3








61/68







s1 s2

s3








61/68







s1 s2

s3








62/68


STATE IDENTIFICATION FOR NETWORK TRACE

ANALYSIS — FINAL REMARKS

What if the TST up to the length l does not contain a HS?..

I Continue with your TST with l = l + 1

I Or perhaps not. . . If ∀S′j ∈ SHs, |S

′ | >> |S′i |

S′

. . . . . .

{S′1,S

′2, ..., s

′

k} = SHs

. . . . . .

i1ij

im

Only check properties for the identified subset!

What sequences to choose?

I Sequences that are frequent to observe!I Sequences that follow the protocol flow, e.g., not (conn.req)I Can be chosen by experimental evaluation

62/68







′ | >> |S′i |

S′

. . . . . .

{S′1,S

′2, ..., s

′

k} = SHs

. . . . . .

i1ij

im




62/68







′ | >> |S′i |

S′

. . . . . .

{S′1,S

′2, ..., s

′

k} = SHs

. . . . . .

i1ij

im




62/68







′ | >> |S′i |

S′

. . . . . .

{S′1,S

′2, ..., s

′

k} = SHs

. . . . . .

i1ij

im




62/68







′ | >> |S′i |

S′

. . . . . .

{S′1,S

′2, ..., s

′

k} = SHs

. . . . . .

i1ij

im



I Sequences that are frequent to observe!

I Sequences that follow the protocol flow, e.g., not (conn.req)I Can be chosen by experimental evaluation

62/68







′ | >> |S′i |

S′

. . . . . .

{S′1,S

′2, ..., s

′

k} = SHs

. . . . . .

i1ij

im



I Sequences that are frequent to observe!I Sequences that follow the protocol flow, e.g., not (conn.req)

I Can be chosen by experimental evaluation

62/68







′ | >> |S′i |

S′

. . . . . .

{S′1,S

′2, ..., s

′

k} = SHs

. . . . . .

i1ij

im




63/68


PASSIVE TESTING USING NETWORK TRACES – FINAL

REMARKS

I Very useful when: no access to the code is possible, realdata analysis is desirable, the system cannot be influencedby test cases

I It can be computationally expensive, but techniques toreduce the complexity are being actively studied

I The approach was presented with network traces, but itcan be applied to passive testing of othersoftware/hardware (embedded) systems

63/68



REMARKS




63/68



REMARKS




63/68



REMARKS




64/68


Future work / Conclusions

65/68


RESEARCH OPPORTUNITIES / FUTURE WORK

Static Code Analysis

I Reducing the complexity when analyzing

I New methods / Heuristics

I New analysis approaches using different algebraicstructures


I Reducing the complexity when checking properties2 (!)

I Through simplifying the checking algorithmsI Through minimizing the number checks :)

I Considering:Synchronizing distributed traces. . .Encrypted protocol testing. . .

I Developing efficient tools. . .

65/68




I Reducing the complexity when analyzing

I New methods / Heuristics







65/68




I Reducing the complexity when analyzingI New methods / Heuristics







65/68











65/68











65/68











65/68







I Reducing the complexity when checking properties2 (!)I Through simplifying the checking algorithms

I Through minimizing the number checks :)



65/68







I Reducing the complexity when checking properties2 (!)I Through simplifying the checking algorithmsI Through minimizing the number checks :)



65/68










65/68










66/68


END

Thank you for your attention!

67/68


Q&A / SOME CLARIFICATIONS

Ariadna Barinova from ITMO asked about the applicabilityof static code analysis to scripting languages

In the example, we saw how static analysis can be usedfor sign analysis and detected a negative array index. Forscripting languages this is not important as array indexes canbe anything they are not the offset of a memory address.However, sign analysis can reveal errors in the code, e.g., afunction that should guarantee a positive return value does not,etc. Furthermore, many other analyses can be useful, like thelive variables analysis to detect potential waste of resources,etc. I hope the explanation was clear during the presentation,or at least it is now :)

68/68


Q&A / SOME CLARIFICATIONS (2)

Natalia Kushik from Telecom SudParis pointed out the factthat the extended finite state machine under experimentto obtain a homing sequence had an initial state

In fact, as she correctly pointed out, if the initial state isknown, there is no need for the entire experiment. My intentionwas to show a communication protocol description; thisprotocol description has an initial state in fact. However, it istheoretically incorrect depict an initial state when performingthe state identification experiment. These slides were correctedand updated taking this into consideration.

Thank you, Natalia :)

Date post:	22-Jun-2020
Category:	Documents
Upload:	others
View:	9 times
Download:	0 times

“Non-intrusive” Testing Techniques for Communication...

Documents