DOI: 10.1145/1180405.1180444
Article

Replayer: automatic protocol replay by binary analysis

Published: 30 October 2006

Abstract

We address the problem of replaying an application dialog between two hosts. The ability to accurately replay application dialogs is useful in many security-oriented applications, such as replaying an exploit for forensic analysis or demonstrating an exploit to a third party.

A central challenge in application dialog replay is that the dialog intended for the original host will likely not be accepted by another without modification. For example, the dialog may include or rely on state specific to the original host such as its hostname, a known cookie, etc. In such cases, a straight-forward byte-by-byte replay to a different host with a different state (e.g., different hostname) than the original observed dialog participant will likely fail. These state-dependent protocol fields must be updated to reflect the different state of the different host for replay to succeed.

We formally define the replay problem. We present a solution which makes novel use of program verification techniques such as theorem proving and weakest pre-condition. By employing these techniques, we create the first sound solution to the replay problem: replay succeeds whenever our approach yields an answer. Previous techniques, though useful, are based on unsound heuristics. We implement a prototype of our techniques called Replayer, which we use to demonstrate the viability of our approach.


      Published In

      CCS '06: Proceedings of the 13th ACM conference on Computer and communications security
      October 2006
      434 pages
      ISBN:1595935185
      DOI:10.1145/1180405
      Publisher

      Association for Computing Machinery

      New York, NY, United States

      Author Tags

      1. application protocol replay
      2. weakest pre-condition

      Qualifiers

      • Article

      Conference

      CCS06
      CCS06: 13th ACM Conference on Computer and Communications Security 2006
      October 30 - November 3, 2006
      Virginia, Alexandria, USA

      Acceptance Rates

      Overall Acceptance Rate 1,261 of 6,999 submissions, 18%

      Cited By

      • (2024) BluePrint: Automatic Malware Signature Generation for Internet Scanning. Proceedings of the 27th International Symposium on Research in Attacks, Intrusions and Defenses, pp. 197-214. DOI: 10.1145/3678890.3678923. Online publication date: 30-Sep-2024
      • (2023) Binary Sight-Seeing: Accelerating Reverse Engineering via Point-of-Interest-Beacons. Proceedings of the 39th Annual Computer Security Applications Conference, pp. 594-608. DOI: 10.1145/3627106.3627139. Online publication date: 4-Dec-2023
      • (2023) A Protocol Reversing Framework for TDMA Bitstream. 2023 IEEE 15th International Conference on Advanced Infocomm Technology (ICAIT), pp. 234-240. DOI: 10.1109/ICAIT59485.2023.10367251. Online publication date: 13-Oct-2023
      • (2022) Unsupervised Binary Protocol Clustering Based on Maximum Sequential Patterns. Computer Modeling in Engineering & Sciences, 130:1, pp. 483-498. DOI: 10.32604/cmes.2022.017467. Online publication date: 2022
      • (2021) ICS3Fuzzer: A Framework for Discovering Protocol Implementation Bugs in ICS Supervisory Software by Fuzzing. Proceedings of the 37th Annual Computer Security Applications Conference, pp. 849-860. DOI: 10.1145/3485832.3488028. Online publication date: 6-Dec-2021
      • (2021) Automated Bug Hunting With Data-Driven Symbolic Root Cause Analysis. Proceedings of the 2021 ACM SIGSAC Conference on Computer and Communications Security, pp. 320-336. DOI: 10.1145/3460120.3485363. Online publication date: 12-Nov-2021
      • (2021) Network Protocol Reverse Parsing Based on Bit Stream. 2021 8th IEEE International Conference on Cyber Security and Cloud Computing (CSCloud)/2021 7th IEEE International Conference on Edge Computing and Scalable Cloud (EdgeCom), pp. 83-90. DOI: 10.1109/CSCloud-EdgeCom52276.2021.00025. Online publication date: Jun-2021
      • (2021) Protocol Reverse-Engineering Methods and Tools. Computer Communications, 182:C, pp. 238-254. DOI: 10.1016/j.comcom.2021.11.009. Online publication date: 29-Dec-2021
      • (2020) Features spaces and a learning system for structural-temporal data, and their application on a use case of real-time communication network validation data. PLOS ONE, 15:2, e0228434. DOI: 10.1371/journal.pone.0228434. Online publication date: 6-Feb-2020
      • (2020) DepTaint. Proceedings of the 2020 4th International Conference on Management Engineering, Software Engineering and Service Sciences, pp. 34-41. DOI: 10.1145/3380625.3380642. Online publication date: 17-Jan-2020
