Commit 9be6fcdb authored by Paul Fiterau Brostean's avatar Paul Fiterau Brostean
Browse files

updated

parent 566db6e6
......@@ -6,11 +6,17 @@ and also, the default server for many UNIX-based systems. DropBear is an alterna
systems. BitVise is a well known proprietary Windows-only SSH implementation.
In our experimental setup, the {\dlearner} and {\dmapper} were running in a Linux Virtual Machine. OpenSSH and DropBear were
learned over a local connection, whereas BitVise was learned over a virtual connection with the Windows host machine.
learned over a localhost connection, whereas BitVise was learned over a virtual connection with the Windows host machine.
Certain arrangements had to be made including the setting of timing parameters to fit each implementation.
OpenSSH was learned using a full alphabet, whereas DropBear and BitVise were learned using a reduced alphabet. Both versions of
the alphabets are described in Subsection~\ref{sec:alphabet}. For testing, we used random and exhaustive variants of testing algorithm described in
the alphabets are described in Subsection~\ref{sec:alphabet}. The primary reason for using a reduced alphabet was to reduce learning times.
Most inputs excluded were inputs that either didn't change behavior (like \textsl{debug} or \textsl{unimpl}), or that triggered behavior
predictably similar to other inputs. As an example, \textsl{ua\_pw\_ok} contours the same behavior as \textsl{ua\_pk\_ok}. But while authenticating
with a public key was done quickly, authenticating with a username/password proved expensive (it would take the system 2-3 seconds to respond to
false credentials \textsl{ua\_pw\_ok}). The \textsl{disconnect} proved expensive in a similar way.
For testing, we used random and exhaustive variants of testing algorithm described in
\cite{SMJV15}, which generate efficient test suites. Tests generated comprise an access sequence, a middle section of length {\dk} and a
distinguishing sequence. The exhaustive variant for a set {\dk}, generates tests for all possible middle sections and all states. Passing all tests provides some notion of confidence,
namely, that the learned model is correct unless the (unknown) model of the implementation has at least {\dk} more states. The random variant produces tests
......@@ -42,6 +48,6 @@ The large number of states is down to several reasons. First of all, some system
responses for inputs sent during a key re-exchange and would deliver them all once the exchange was done.
A considerable number of states were added due to {\dmapper} generated outputs such as \textsl{ch\_none} or \textsl{ch\_max}, outputs which signal that no channel is open or
that the maximum number of channels have been opened. To give a concrete example, the {\dmapper} on every \textsl{ch\_open} saves a channel identifier. If \textsl{ch\_open}
is called again, a \textsl{ch\_max} output is generated. The channel identifier is removed by a \textsl{ch\_close} input leading to dual
states with existing and non-existing channel identifiers, even states where channels are not relevant (like for example states before authentication).
is called again, a \textsl{ch\_max} output is generated. The channel identifier is removed by a \textsl{ch\_close} input leading to pairs of
states with existing and non-existing channel identifiers, even in states where channels are not relevant (like for example states before authentication).
Markdown is supported
0% or .
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment