ParDiff: Practical Static Differential Analysis of Network Protocol Parsers

Bibliographic Details
Published in Proceedings of ACM on programming languages Vol. 8; no. OOPSLA1; pp. 1208 - 1234
Main Authors Zheng, Mingwei, Shi, Qingkai, Liu, Xuwei, Xu, Xiangzhe, Yu, Le, Liu, Congyu, Wei, Guannan, Zhang, Xiangyu
Format Journal Article
Language English
Published New York, NY, USA ACM 29.04.2024
Summary: Countless devices all over the world are connected by networks and communicate via network protocols. Just like common software, protocol implementations suffer from bugs, many of which only cause silent data corruption instead of crashes. Hence, existing automated bug-finding techniques focused on memory safety, such as fuzzing, can hardly detect them. In this work, we propose a static differential analysis called ParDiff to find protocol implementation bugs, especially silent ones hidden in message parsers. Our key observation is that a network protocol often has multiple implementations and any semantic discrepancy between them may indicate bugs. However, different implementations are often written in disparate styles, e.g., using different data structures or written with different control structures, making it challenging to directly compare two implementations of even the same protocol. To exploit this observation and effectively compare multiple protocol implementations, ParDiff (1) automatically extracts finite state machines from programs to represent protocol format specifications, and (2) then leverages bisimulation and SMT solvers to find fine-grained and semantic inconsistencies between them. We have extensively evaluated ParDiff using 14 network protocols. The results show that ParDiff outperforms both differential symbolic execution and differential fuzzing tools. To date, we have detected 41 bugs with 25 confirmed by developers.
ISSN: 2475-1421
DOI: 10.1145/3649854