Exploiting Non-Uniform Program Execution Time to Evade Record/Replay Forensic Analysis

Computers & Security (2020)

Abstract
Record/replay systems are an essential and widely used module in forensic analysis, as they help forensic analysts reconstruct programs’ behaviors. However, the security implications of record/replay systems (i.e., whether record/replay systems can faithfully reproduce all behaviors of a program) have not been thoroughly studied. This paper is the first work that investigates and explores the security limitations of record/replay systems from the perspective of software forensics. In particular, we reveal a type of vulnerability in record/replay systems caused by non-uniform program execution time. A program can exploit this vulnerability to prevent its malicious behavior from being replayed. We conduct a series of experiments on three platforms (i.e., web browser, mobile operating system and virtualized sandbox) to illustrate the wide footprint of the vulnerability. Finally, we discuss possible methods to mitigate the vulnerability. The goal of this work is to study the inherent security limitations of record/replay systems, discover the vulnerability and explore potential mitigation methods, so that forensic analysts are informed and cautious when applying record/replay systems to software forensics.
Keywords
Forensic analysis, Record/replay system, Anti-forensics, Vulnerability exploitation, Malware analysis