Gergő Ládi

Research assistant

gergo.ladi (at) crysys.hu

web: www.crysys.hu/~gergo.ladi/
twitter: @GergoLadi
office: I.E. 429
tel: +36 1 463 2063


Short Bio

Gergő Ládi received his B.Sc. degree in Computer Science & Engineering from Budapest University of Technology and Economics (BME) in 2015, focusing on media informatics and media security. In 2018, he earned a master's degree with honours, also in Computer Science & Engineering from Budapest University of Technology and Economics, specializing in internet services and IT security. Since then, he has been working with the Laboratory of Cryptography and System Security (CrySyS), Department of Networked Systems and Services (HIT), under the supervision of Dr. Tamás Holczer. His main areas of research are automated protocol analysis and format-preserving encryption methods. Gergő is a Certified Ethical Hacker as well as a Microsoft Certified Trainer with several years of experience administering Windows Server environments.

Current Courses

IT Security (VIHIAC01)

This BSc course gives an overview of the different areas of IT security with the aim of increasing the security awareness of computer science students and shaping their attitude towards designing and using secure computing systems. The course prepares BSc students for security challenges that they may encounter during their professional career, and at the same time, it provides a basis for those students who want to continue their studies at MSc level (taking, for instance, our IT Security major specialization). We put special emphasis on software security and the practical aspects of developing secure programs.

IT Security (in English) (VIHIAC01)

This is the English-language version of the IT Security (VIHIAC01) course.

Coding and IT Security (VIHIBB01)

This BProf course gives an overview of the different areas of IT security with the aim of increasing the security awareness of computer science students and shaping their attitude towards designing and using secure computing systems. The course also gives an introduction to software security and channel coding.

Software Security (VIHIMA21)

This course introduces security problems in software development: students learn the most common mistakes made in software development and how attackers exploit those mistakes (offensive security). Then, students learn how to mitigate such attacks and write secure applications.

Software Security Laboratory (VIHIMA22)

This laboratory extends and deepens the knowledge and skills obtained in the Software Security course by solving practical, hands-on exercises in real, or close-to-real environments.

Computer and Network Security (VIHIMA23)

The course introduces security problems in computing and networked systems, as well as the principles, practical mechanisms, and tools used to solve them. The course covers physical security and OS-level security of computers, and the problem of malicious software (malware). It also covers issues related to the secure operation of networks in practice. Students gain theoretical knowledge and practical skills to assess security risks and to understand threats and vulnerabilities. The course also serves as a basis for obtaining skills in penetration testing and ethical hacking of networks.

Computer and Network Security Laboratory (VIHIMB07)

This laboratory extends and deepens the knowledge and skills obtained in the Computer and Network Security course by solving practical, hands-on exercises in real, or close-to-real environments.

Network Security in Practice (VIHIBB02)

This course gives an introduction to the security problems of computer networks and an overview of the possible solutions to those problems. It also covers issues related to the secure operation of networks in practice, including modern tools and techniques used to ensure security. Students gain theoretical knowledge and practical skills that form the basis of secure network operations.

Networking and Security Laboratory (VIHIBC01)

This laboratory extends and deepens the knowledge and skills obtained in the Network Security in Practice and Computer Security in Practice courses by solving practical, hands-on exercises in real, or close-to-real environments.

Cybersecurity Operations Fundamentals (VIHIAV43)

This is an elective lab exercise course where students learn the basics of security operations.

Publications

2024

On the Performance Evaluation of Protocol State Machine Reverse Engineering Methods

G. Ládi and T. Holczer

Journal of Communications Software and Systems, 2024.


@article {
   author = {Gergő Ládi and Tamas Holczer},
   title = {On the Performance Evaluation of Protocol State Machine Reverse Engineering Methods},
   journal = {Journal of Communications Software and Systems},
   year = {2024},
   doi = {10.24138/jcomss-2023-0149}
}

Keywords

protocol reverse engineering, protocol state machine, performance evaluation, runtime analysis, bounded runtime, incomplete input

Abstract

Having access to the specifications of network protocols is essential for several reasons in IT security. When the specifications are not known, one may turn to protocol reverse engineering methods to reconstruct these, typically by analysing recorded network traffic or inspecting an executable that implements the protocol. First, the format and structure of the messages need to be recovered, then the state machine of the protocol itself. Over the years, several solutions have been proposed for both tasks. As a consequence, picking the right solution for a given scenario is often a complex problem that involves evaluating and comparing various solutions. In this paper, we review the current means of evaluating the performance of protocol state machine reverse engineering methods. To help alleviate the shortcomings of the current methodology, we propose two new metrics of performance to be measured: correctness and completeness of output for partial runs (when runtime is bounded). These, combined with previously used metrics should make it easier to pick the most ideal choice for a given use case. We also propose the examination of cases where the algorithms have to work with incomplete or inaccurate syntactical information. We showcase how these new metrics and related information may be useful for the evaluation and comparison of various algorithms by applying these new methods to evaluate the performance of a recent protocol state machine reverse engineering method.

2021

Protocol State Machine Reverse Engineering with a Teaching-Learning Approach

G. Székely and G. Ládi and T. Holczer and L. Buttyán

Acta Cybernetica, 2021.


@article {
   author = {Gábor Székely and Gergő Ládi and Tamas Holczer and Levente Buttyán},
   title = {Protocol State Machine Reverse Engineering with a Teaching-Learning Approach},
   journal = {Acta Cybernetica},
   year = {2021}
}

Keywords

automated protocol reverse engineering, state machines, Mealy machines

Abstract

In this work, we propose a novel solution to the problem of inferring the state machine of an unknown protocol. We extend and improve prior results on inferring Mealy machines, and present a new algorithm that accesses and interacts with a networked system that runs the unknown protocol in order to infer the Mealy machine representing the protocol’s state machine. To demonstrate the viability of our approach, we provide an implementation and illustrate the operation of our algorithm on a simple example protocol, as well as on two real-world protocols, Modbus and MQTT.

2020

GrAMeFFSI: Graph Analysis Based Message Format and Field Semantics Inference for Binary Protocols Using Recorded Network Traffic

G. Ládi and L. Buttyán and T. Holczer

Infocommunications Journal, Vol. XII, No. 2, 2020.


@article {
   author = {Gergő Ládi and Levente Buttyán and Tamas Holczer},
   title = {GrAMeFFSI: Graph Analysis Based Message Format and Field Semantics Inference for Binary Protocols Using Recorded Network Traffic},
   journal = {Infocommunications Journal, Vol. XII, No. 2},
   year = {2020}
}

Keywords

protocol reverse engineering, message format, field semantics, inference, binary protocols, network traffic, graph analysis, Modbus, MQTT

Abstract

Protocol specifications describe the interaction between different entities by defining message formats and message processing rules. Having access to such protocol specifications is highly desirable for many tasks, including the analysis of botnets, building honeypots, defining network intrusion detection rules, and fuzz testing protocol implementations. Unfortunately, many protocols of interest are proprietary, and their specifications are not publicly available. Protocol reverse engineering is an approach to reconstruct the specifications of such closed protocols. Protocol reverse engineering can be tedious work if done manually, so prior research focused on automating the reverse engineering process as much as possible. Some approaches rely on access to the protocol implementation, but in many cases, the protocol implementation itself is not available or its license does not permit its use for reverse engineering purposes. Hence, in this paper, we focus on reverse engineering protocol specifications relying solely on recorded network traffic. More specifically, we propose GrAMeFFSI, a method based on graph analysis that can infer protocol message formats as well as certain field semantics for binary protocols from network traces. We demonstrate the usability of our approach by running it on packet captures of two known protocols, Modbus and MQTT, then comparing the inferred specifications to the official specifications of these protocols.

Towards Reverse Engineering Protocol State Machines

G. Székely and G. Ládi and T. Holczer and L. Buttyán

The 12th Conference of PhD Students in Computer Science - Volume of short papers, 2020, pp. 70-73.


@inproceedings {
   author = {Gábor Székely and Gergő Ládi and Tamas Holczer and Levente Buttyán},
   title = {Towards Reverse Engineering Protocol State Machines},
   booktitle = {The 12th Conference of PhD Students in Computer Science - Volume of short papers},
   year = {2020},
   pages = {70-73}
}

Abstract

In this work, we are addressing the problem of inferring the state machine of an unknown protocol. Our method is based on prior work on inferring Mealy machines. We require access to and interaction with a system that runs the unknown protocol, and we serve a state-of-the-art Mealy machine inference algorithm with appropriate input obtained from the system at hand. We implemented our method and illustrate its operation on a simple example protocol.

Virtualization-assisted Testing of Network Security Systems for NPPs

T. Holczer and G. Berman and S. M. Darricades and P. György and G. Ládi

International Conference on Nuclear Security: Sustaining and Strengthening Efforts, International Atomic Energy Agency (IAEA), 2020.


@inproceedings {
   author = {Tamas Holczer and G. Berman and S. M. Darricades and Péter György and Gergő Ládi},
   title = {Virtualization-assisted Testing of Network Security Systems for NPPs},
   booktitle = {International Conference on Nuclear Security: Sustaining and Strengthening Efforts},
   publisher = {International Atomic Energy Agency (IAEA)},
   year = {2020}
}

Abstract

Nuclear power plants use different digital assets to control the processes. These assets are normally connected by computer networks, and are targets of potential cyber-attacks. To avoid or mitigate the effect of such an attack, different security controls are used in accordance with the guidelines. Before deploying a new cyber security control, it must be tested thoroughly. The paper proposes virtual testbeds made of virtual computers and networks for these tests and shows how three widely used open source firewalls perform in such a test.

2018

Message Format and Field Semantics Inference for Binary Protocols Using Recorded Network Traffic

G. Ládi and L. Buttyán and T. Holczer

26th International Conference on Software, Telecommunications and Computer Networks, Workshop on Information and Communication Technologies, Proceedings, FESB, University of Split, 2018, pp. 1-6, ISBN 978-9-5329-0087-3.


@inproceedings {
   author = {Gergő Ládi and Levente Buttyán and Tamas Holczer},
   title = {Message Format and Field Semantics Inference for Binary Protocols Using Recorded Network Traffic},
   booktitle = {26th International Conference on Software, Telecommunications and Computer Networks, Workshop on Information and Communication Technologies, Proceedings},
   publisher = {FESB, University of Split},
   year = {2018},
   pages = {1-6},
   note = {ISBN 978-9-5329-0087-3}
}

Keywords

protocol reverse engineering; message format; field semantics; inference; binary protocols; network traffic; Modbus; MQTT

Abstract

Protocol specifications describe the interaction between different entities by defining message formats and message processing rules. Having access to such protocol specifications is highly desirable for many tasks, including the analysis of botnets, building honeypots, defining network intrusion detection rules, and fuzz testing protocol implementations. Unfortunately, many protocols of interest are proprietary, and their specifications are not publicly available. Protocol reverse engineering is an approach to reconstruct the specifications of such closed protocols. Protocol reverse engineering can be tedious work if done manually, so prior research focused on automating the reverse engineering process as much as possible. Some approaches rely on access to the protocol implementation, but in many cases, the protocol implementation itself is not available or its license does not permit its use for reverse engineering purposes. Hence, in this paper, we focus on reverse engineering protocol specifications based solely on recorded network traffic. More specifically, we propose a method that can infer protocol message formats as well as certain field semantics for binary protocols from network traces. We demonstrate the usability of our approach by running it on packet captures of two known protocols, Modbus and MQTT, then comparing the inferred specifications to the known specifications of these protocols.

2017

Semantics-Preserving Encryption for Computer Networking Related Data Types

G. Ládi

12th International Symposium on Applied Informatics and Related Areas, Proceedings, Óbuda University, 2017, pp. 176-181, ISBN 978-963-449-032-6.


@inproceedings {
   author = {Gergő Ládi},
   title = {Semantics-Preserving Encryption for Computer Networking Related Data Types},
   booktitle = {12th International Symposium on Applied Informatics and Related Areas, Proceedings},
   publisher = {Óbuda University},
   year = {2017},
   pages = {176-181},
   note = {ISBN 978-963-449-032-6}
}

Keywords

semantics-preserving encryption; format-preserving encryption; networking; data type; MAC address; IPv4 address; IPv6 address; TCP port; UDP port; privacy; log anonymization

Abstract

Semantics-preserving encryption methods are encryption methods that not only preserve the format (data structure) of the input, but also a set of additional properties that are desired to be preserved (for example, transforming an IP address into another from the same subnet). Such methods may be used to anonymize logs or otherwise hide potentially sensitive information from third parties, while preserving characteristics that are essential for a given purpose. This paper presents tuneable semantics-preserving encryption methods that may be applied to common computer networking related data types such as IPv4, IPv6, and MAC addresses.

Transparent Encryption for Cloud-based Services

G. Ládi

25th International Conference on Software, Telecommunications and Computer Networks, Workshop on Information and Communication Technologies, Proceedings, FESB, University of Split, 2017, pp. 64-68, ISSN 1847-3598.


@inproceedings {
   author = {Gergő Ládi},
   title = {Transparent Encryption for Cloud-based Services},
   booktitle = {25th International Conference on Software, Telecommunications and Computer Networks, Workshop on Information and Communication Technologies, Proceedings},
   publisher = {FESB, University of Split},
   year = {2017},
   pages = {64-68},
   note = {ISSN 1847-3598}
}

Keywords

transparent encryption; cloud; security; DNS spoofing; TLS inspection; tampering proxy; format preserving encryption

Abstract

Transparent encryption is a method that involves encrypting data locally, on the user's computer, just before it is sent to cloud services to be stored, then decrypting said data later, straight after it is retrieved from the cloud service. All this takes place without having to alter the client application or the remote service (hence transparent). Applying this method ensures that if the user's account or the provider itself is compromised, the attackers can only retrieve encrypted data that is useless without the encryption keys. This paper illustrates the design of a system that is capable of performing transparent encryption for various cloud-based services, even if the connection between the client and the provider is secured by Transport Layer Security.

Transparent Encryption for Cloud-based Services

G. Ládi

Mesterpróba 2017, Conference Proceedings, Faculty of Electrical Engineering and Informatics, Budapest University of Technology and Economics, 2017, pp. 5-8.


@inproceedings {
   author = {Gergő Ládi},
   title = {Transparent Encryption for Cloud-based Services},
   booktitle = {Mesterpróba 2017, Conference Proceedings},
   publisher = {Faculty of Electrical Engineering and Informatics, Budapest University of Technology and Economics},
   year = {2017},
   pages = {5-8}
}

Keywords

transparent encryption; cloud; security; DNS spoofing; tampering proxy; format preserving encryption

Abstract

Transparent encryption is a method that involves encrypting data locally, on the user's computer, just before it is sent to cloud services to be stored, then decrypting said data later, straight after it is retrieved from the cloud service. All this takes place without having to alter the client application or the remote service (hence transparent). Applying this method ensures that even if the user's account or the provider itself is compromised, the attackers can only retrieve encrypted data that is useless without the encryption keys. This paper illustrates the design of a system that is capable of performing transparent encryption for various cloud-based services.