The term Protocol Differential Analysis needs to make Google as an infosec technique. I first heard the term from esSOBi at Indianapolis’ Circle City Con. I first encountered the trick, though, in a research lab a few years before: a quick and dirty tool was written by a colleague there to help analyze a very, very bizarre serial protocol.
The problem, briefly explained, is this: as an attacker, we want to find out what interesting packets are in a conversation between a controller and its engineering software. For example, we want to find out what packet represents the ‘Stop CPU’ command in a proprietary protocol. Since the protocol is undocumented, we are left either reverse engineering the master application, which can be extremely time-consuming, or analyzing the protocol stream itself to find the interesting packets.
Protocol analysis is often the easier path. Unfortunately, industrial proprietary protocols are extremely ‘chatty.’ Based upon the classic industrial poll-response model, the protocols may be sending tens or even hundreds of packets per second back-and-forth between the PC software and the industrial controller. By the time we interact with the software and click the ‘Stop CPU,’ button on a graphical interface, we may have thousands of packets to dig through. We want to find the packets that are interesting, but end up wading in a river, looking for the raindrop that holds the key to an attack.