Replayer: Automatic Protocol Replay by Binary Analysis
Journal contribution posted on 01.01.2006, 00:00 by James Newsome, David Brumley, Jason Franklin, Dawn Song
We address the problem of replaying an application dialog between two hosts. The ability to accurately replay application dialogs is useful in many security-oriented applications, such as replaying an exploit for forensic analysis or demonstrating an exploit to a third party. A central challenge in application dialog replay is that the dialog intended for the original host will likely not be accepted by another without modification. For example, the dialog may include or rely on state specific to the original host such as its hostname, a known cookie, etc. In such cases, a straight-forward byte-by-byte replay to a different host with a different state (e.g., different hostname) than the original observed dialog participant will likely fail. These state-dependent protocol fields must be updated to reflect the different state of the different host for replay to succeed. We formally define the replay problem. We present a solution which makes novel use of program verification techniques such as theorem proving and weakest pre-condition. By employing these techniques, we create the first sound solution to the replay problem: replay succeeds whenever our approach yields an answer. Previous techniques, though useful, are based on unsound heuristics. We implement a prototype of our techniques called Replayer, which we use to demonstrate the viability of our approach.
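The replay problem stated in the abstract, as an added toy example that is not code from the paper or from Replayer: a recorded dialog is rejected by a second host when replayed byte-by-byte and accepted once the hostname and cookie fields are updated. The protocol, `ToyHost`, the cookie scheme and all values are constructed assumptions, and the state-dependent fields are located by hand here rather than by the binary analysis the paper describes.

```python
import hashlib
import hmac

class ToyHost:
    """Constructed toy server: every request must carry this host's name and cookie."""
    def __init__(self, hostname: str, secret: bytes):
        self.hostname = hostname
        # Host-specific cookie (constructed scheme, for illustration only).
        self.cookie = hmac.new(secret, hostname.encode(), hashlib.sha256).hexdigest()[:16]

    def greet(self) -> bytes:
        return f"HELLO {self.hostname} {self.cookie}".encode()

    def handle(self, request: bytes) -> bytes:
        parts = request.decode().split(" ", 3)
        if len(parts) != 4 or parts[0] != "CMD":
            return b"ERR malformed"
        _, host, cookie, body = parts
        if host != self.hostname or not hmac.compare_digest(cookie.encode(), self.cookie.encode()):
            return b"ERR state mismatch"
        return b"OK " + body.encode()

def record_dialog(host: ToyHost, body: str) -> list:
    """Capture one dialog as (direction, bytes) pairs: S = server, C = client."""
    greeting = host.greet()
    _, name, cookie = greeting.decode().split(" ")
    request = f"CMD {name} {cookie} {body}".encode()
    return [("S", greeting), ("C", request), ("S", host.handle(request))]

def replay_verbatim(trace: list, target: ToyHost) -> list:
    """Byte-by-byte replay: resend the recorded client messages unchanged."""
    return [target.handle(msg) for direction, msg in trace if direction == "C"]

def replay_rewritten(trace: list, target: ToyHost) -> list:
    """Replay after substituting the target's values for the recorded state fields."""
    old = trace[0][1].decode().split(" ")[1:]     # hostname, cookie in the recording
    new = target.greet().decode().split(" ")[1:]  # hostname, cookie the target announces
    mapping = dict(zip(old, new))
    replies = []
    for direction, msg in trace:
        if direction == "C":
            verb, host, cookie, body = msg.decode().split(" ", 3)
            fields = [verb, mapping.get(host, host), mapping.get(cookie, cookie), body]
            replies.append(target.handle(" ".join(fields).encode()))
    return replies

# Constructed hosts and recorded dialog.
ORIGINAL = ToyHost("alpha.example", b"constructed-secret-a")
TARGET = ToyHost("beta.example", b"constructed-secret-b")
TRACE = record_dialog(ORIGINAL, "status report")
```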