Posted on 2006-01-01, 00:00. Authored by James Newsome, David Brumley, Jason Franklin, Dawn Song.

We address the problem of replaying an application dialog between
two hosts. The ability to accurately replay application dialogs is
useful in many security-oriented applications, such as replaying an
exploit for forensic analysis or demonstrating an exploit to a third
party.

A central challenge in application dialog replay is that the dialog
intended for the original host will likely not be accepted by another
without modification. For example, the dialog may include or rely
on state specific to the original host such as its hostname, a known
cookie, etc. In such cases, a straightforward byte-by-byte replay to
a different host with a different state (e.g., different hostname) than
the original observed dialog participant will likely fail. These
state-dependent protocol fields must be updated to reflect the different
state of the different host for replay to succeed.

We formally define the replay problem. We present a solution
which makes novel use of program verification techniques such as
theorem proving and weakest pre-condition. By employing these
techniques, we create the first sound solution to the replay problem:
replay succeeds whenever our approach yields an answer. Previous
techniques, though useful, are based on unsound heuristics. We
implement a prototype of our techniques called Replayer, which
we use to demonstrate the viability of our approach.