
Analysis of communication data of mobile terminal based on protocol reversal (journal article; cited by: 1)
Abstract (translated from the Chinese): The difficulty in analysing the communication protocols and communication data of mobile terminals is that most mobile applications have no public technical documentation, so the type of communication protocol they use is hard to determine. Instruction-execution-sequence analysis infers the message format and the state machine by analysing the sequence of instructions the program executes. Sometimes, however, the sequence information is collected incompletely, so the inferred state machine is incomplete and the full protocol information cannot be obtained. To address this problem, a new scheme for parsing mobile-terminal communication protocols based on comparative state-machine inference is proposed; it can be used in forensic scenarios to improve the accuracy and completeness of data forensics. The scheme first uses PIN dynamic binary instrumentation to identify taint sources and track taint propagation, from which the protocol message format is derived; it then clusters the extracted protocol messages according to that format information to infer the original state machine; finally, it uses the longest common subsequence (LCS) algorithm to compare the inferred state machine with known protocol state machines, and the one with the highest similarity is taken as the inferred communication protocol type. Experiments on two classes of applications on the Android platform test and evaluate the scheme; the results show that it accurately extracts the applications' communication content and has strong practical value.

Abstract (English version as published, lightly edited for grammar): The main problem in analysing communication protocols and communication data of mobile terminals is that many mobile applications have no public technical documentation, so it is difficult to know the type of communication protocol they adopt. The instruction-execution-sequence analysis technique takes the instruction sequence executed by the program as its object of study and inversely infers the message format and the state machine to obtain the communication protocol. However, when the sequence information is collected incompletely, the inferred state machine is incomplete and cannot be effective. A novel protocol reverse scheme based on state-machine comparison is proposed, which can be used for forensics of mobile-terminal communication data. The scheme first uses PIN to dynamically identify the taint, tracks it, and analyses the trajectory to obtain the message format. Secondly, message clustering is performed on the basis of the message format to infer the protocol state machine. Finally, the LCS algorithm is used to compare the state machines and obtain a complete protocol state machine. This article tests and evaluates the scheme with experiments on two types of applications on the Android platform. The experimental results show that the results are both complete and real-time, and have practical value.
Authors: ZHANG Mingyuan (张明远), QI Xinyu (祁欣妤), SONG Yubo (宋宇波), GU Rongrong (顾荣荣), HU Aiqun (胡爱群), ZHU Zhenchao (朱珍超) (The State Radio Monitoring Center Testing Center, Beijing 100041, China; School of Cyber Science and Engineering, South East University, Nanjing 211189, China)
Source: Chinese Journal of Network and Information Security (网络与信息安全学报), 2018, No. 12, pp. 54-61 (8 pages)
Funding: National Natural Science Foundation of China (No.61601113); Fundamental Research Funds for the Central Universities (No.2242017K40013)
Keywords: mobile terminal; data forensics; dynamic taint analysis; protocol reverse analysis; similarity comparison
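The final step of the scheme in the abstract, matching an inferred state machine against known protocol state machines by LCS similarity, as an added illustration that is not code from the paper. It assumes each state machine is reduced to the ordered sequence of message-type labels seen along its transitions; the protocol names, labels and the similarity threshold are constructed for the example.

```python
"""Added example: LCS-based protocol-type inference (not the paper's code).

A state machine is represented by the ordered sequence of message-type
labels observed along its transitions. The inferred machine is compared with
every known one; the highest normalised LCS score selects the protocol type,
or "unknown" if no candidate clears the threshold (incomplete capture case).
"""
from typing import Dict, List, Sequence, Tuple

# Constructed reference state machines (hypothetical labels, not real specs).
KNOWN_PROTOCOLS: Dict[str, List[str]] = {
    "smtp-like": ["greet", "hello", "from", "to", "data", "quit"],
    "http-like": ["request", "headers", "body", "response"],
    "xmpp-like": ["stream", "auth", "bind", "session", "message", "close"],
}


def lcs_length(a: Sequence[str], b: Sequence[str]) -> int:
    """Length of the longest common subsequence, O(len(a)*len(b)) DP."""
    prev = [0] * (len(b) + 1)
    for x in a:
        cur = [0]
        for j, y in enumerate(b, 1):
            cur.append(prev[j - 1] + 1 if x == y else max(prev[j], cur[j - 1]))
        prev = cur
    return prev[-1]


def similarity(a: Sequence[str], b: Sequence[str]) -> float:
    """LCS length normalised by the longer sequence; 1.0 means identical order."""
    if not a or not b:
        return 0.0
    return lcs_length(a, b) / max(len(a), len(b))


def infer_protocol(inferred: Sequence[str],
                   known: Dict[str, List[str]] = KNOWN_PROTOCOLS,
                   threshold: float = 0.5) -> Tuple[str, Dict[str, float]]:
    """Return (best protocol name or "unknown", all similarity scores)."""
    scores = {name: similarity(inferred, seq) for name, seq in known.items()}
    best = max(scores, key=scores.get)
    if scores[best] < threshold:
        return "unknown", scores
    return best, scores


# Constructed inferred machine: one transition missed, one spurious ("ack").
INFERRED = ["greet", "hello", "to", "data", "ack", "quit"]

if __name__ == "__main__":
    print(infer_protocol(INFERRED))  # ('smtp-like', {...}); smtp-like scores 5/6
```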