Total: 1
After a sophisticated attack or data breach occurs at an organization, a postmortem forensic analysis must be conducted to reconstruct and understand the root causes of the attack. Unfortunately, the majority of proposed forensic analysis systems rely on system-level auditing, making it difficult to reconstruct and investigate web-based attacks, due to the semantic-gap between system- and web-level semantics. This limited visibility into web-based attacks has recently become increasingly concerning because web-based attacks are commonly employed by nation-state adversaries to penetrate and achieve the initial compromise of an enterprise network. To enable forensic analysts to replay and investigate web-based attacks, we propose WebRR, a novel OS- and device- independent record and replay (RR) forensic auditing system for Chromium-based web browsers. While there exist prior works that focus on web-based auditing, current systems are either record-only or suffer from critical limitations that prevent them from deterministically replaying attacks. WebRR addresses these limitation by introducing a novel design that allows it to record and deterministically replay modern web applications by leveraging JavaScript Execution Unit Partitioning. Our evaluation demonstrates that WebRR is capable of replaying web-based attacks that fail to replay on prior state-of-the-art systems. Furthermore, we demonstrate that WebRR can replay highly-dynamic modern websites in a deterministic fashion with an average runtime overhead of only 3.44%