SFADiff: Automated Evasion Attacks and Fingerprinting Using Black-box Differential Automata Learning

George Argyros, Ioannis Stais, Suman Jana, Angelos D. Keromytis, Aggelos Kiayias

Research output: Chapter in Book/Report/Conference proceedingConference contribution


Finding differences between programs with similar functionality is an important security problem as such differences can be used for fingerprinting or creating evasion attacks against security software like Web Application Firewalls (WAFs) which are designed to detect malicious inputs to web applications. In this paper, we present SFADIFF, a black-box differential testing framework based on Symbolic Finite Automata (SFA) learning. SFADIFF can automatically find differences between a set of programs with comparable functionality. Unlike existing differential testing techniques, instead of searching for each difference individually, SFADIFF infers SFA models of the target programs using black-box queries and systematically enumerates the differences between the inferred SFA models. All differences between the inferred models are checked against the corresponding programs. Any difference between the models, that does not result in a difference between the corresponding programs, is used as a counterexample for further refinement of the inferred models. SFADIFF's model-based approach, unlike existing differential testing tools, also support fully automated root cause analysis in a domain-independent manner.

We evaluate SFADIFF in three different settings for finding discrepancies between: (i) three TCP implementations, (ii) four WAFs, and (iii) HTML/JavaScript parsing implementations in WAFs and web browsers. Our results demonstrate that SFADIFF is able to identify and enumerate the differences systematically and efficiently in all these settings. We show that SFADIFF is able to find differences not only between different WAFs but also between different versions of the same WAF. SFADIFF is also able to discover three previously-unknown differences between the HTML/JavaScript parsers of two popular WAFs (PHPIDS 0.7 and Expose 2.4.0) and the corresponding parsers of Google Chrome, Firefox, Safari, and Internet Explorer. We confirm that all these differences can be used to evade the WAFs and launch successful cross-site scripting attacks.
Original languageEnglish
Title of host publicationProceedings of the 2016 ACM SIGSAC Conference on Computer and Communications Security
Place of PublicationNew York, NY, USA
Number of pages12
ISBN (Print)978-1-4503-4139-4
Publication statusPublished - 24 Oct 2016
Event23rd ACM Conference on Computer and Communications Security - Hofburg Palace, Vienna, Austria
Duration: 24 Oct 201628 Oct 2016

Publication series

NameCCS '16


Conference23rd ACM Conference on Computer and Communications Security
Abbreviated titleACM CCS 2016
Internet address


Dive into the research topics of 'SFADiff: Automated Evasion Attacks and Fingerprinting Using Black-box Differential Automata Learning'. Together they form a unique fingerprint.

Cite this