Symbolic execution and program testing
Communications of the ACM
Protecting privacy using the decentralized label model
ACM Transactions on Software Engineering and Methodology (TOSEM)
Soot - a Java bytecode optimization framework
CASCON '99 Proceedings of the 1999 conference of the Centre for Advanced Studies on Collaborative research
ICSE '81 Proceedings of the 5th international conference on Software engineering
Statistical Identification of Encrypted Web Browsing Traffic
SP '02 Proceedings of the 2002 IEEE Symposium on Security and Privacy
Securing web application code by static analysis and runtime protection
Proceedings of the 13th international conference on World Wide Web
Secure program execution via dynamic information flow tracking
ASPLOS XI Proceedings of the 11th international conference on Architectural support for programming languages and operating systems
Deterring Voluntary Trace Disclosure in Re-encryption Mix Networks
SP '06 Proceedings of the 2006 IEEE Symposium on Security and Privacy
Pixy: A Static Analysis Tool for Detecting Web Application Vulnerabilities (Short Paper)
SP '06 Proceedings of the 2006 IEEE Symposium on Security and Privacy
Assessing security threats of looping constructs
Proceedings of the 34th annual ACM SIGPLAN-SIGACT symposium on Principles of programming languages
Sound and precise analysis of web applications for injection vulnerabilities
Proceedings of the 2007 ACM SIGPLAN conference on Programming language design and implementation
Timing analysis of keystrokes and timing attacks on SSH
SSYM'01 Proceedings of the 10th conference on USENIX Security Symposium - Volume 10
Analysis of the SSL 3.0 protocol
WOEC'96 Proceedings of the 2nd conference on Proceedings of the Second USENIX Workshop on Electronic Commerce - Volume 2
Dytan: a generic dynamic taint analysis framework
Proceedings of the 2007 international symposium on Software testing and analysis
An information-theoretic model for adaptive side-channel attacks
Proceedings of the 14th ACM conference on Computer and communications security
Securing web applications with static and dynamic information flow tracking
PEPM '08 Proceedings of the 2008 ACM SIGPLAN symposium on Partial evaluation and semantics-based program manipulation
Devices that tell on you: privacy trends in consumer ubiquitous computing
SS'07 Proceedings of 16th USENIX Security Symposium on USENIX Security Symposium
A static analysis for quantifying information flow in a simple imperative language
Journal of Computer Security
Spot Me if You Can: Uncovering Spoken Phrases in Encrypted VoIP Conversations
SP '08 Proceedings of the 2008 IEEE Symposium on Security and Privacy
Formally Bounding the Side-Channel Leakage in Unknown-Message Attacks
ESORICS '08 Proceedings of the 13th European Symposium on Research in Computer Security: Computer Security
Pointless tainting?: evaluating the practicality of pointer tainting
Proceedings of the 4th ACM European conference on Computer systems
A Unified Framework for the Analysis of Side-Channel Key Recovery Attacks
EUROCRYPT '09 Proceedings of the 28th Annual International Conference on Advances in Cryptology: the Theory and Applications of Cryptographic Techniques
Automatic creation of SQL Injection and cross-site scripting attacks
ICSE '09 Proceedings of the 31st International Conference on Software Engineering
Quantifying Information Leaks in Outbound Web Traffic
SP '09 Proceedings of the 2009 30th IEEE Symposium on Security and Privacy
Automatic Discovery and Quantification of Information Leaks
SP '09 Proceedings of the 2009 30th IEEE Symposium on Security and Privacy
Quantifying information flow with beliefs
Journal of Computer Security - 18th IEEE Computer Security Foundations Symposium (CSF 18)
Side-Channel Leaks in Web Applications: A Reality Today, a Challenge Tomorrow
SP '10 Proceedings of the 2010 IEEE Symposium on Security and Privacy
Peeping tom in the neighborhood: keystroke eavesdropping on multi-user systems
SSYM'09 Proceedings of the 18th conference on USENIX security symposium
Privacy-preserving traffic padding in web-based applications
Proceedings of the 10th annual ACM workshop on Privacy in the electronic society
Automated black-box detection of side-channel vulnerabilities in web applications
Proceedings of the 18th ACM conference on Computer and communications security
Implementing side-channel attacks on suggest boxes in web applications
Proceedings of the First International Conference on Security of Internet of Things
Practical information flow for legacy web applications
Proceedings of the 8th Workshop on Implementation, Compilation, Optimization of Object-Oriented Languages, Programs and Systems
SideAuto: quantitative information flow for side-channel leakage in web applications
Proceedings of the 12th ACM workshop on Workshop on privacy in the electronic society
| Hi-index | 0.00 |
A web application is a "two-part" program, with its components deployed both in the browser and in the web server. The communication between these two components inevitably leaks out the program's internal states to those eavesdropping on its web traffic, simply through the side channel features of the communication such as packet length and timing, even if the traffic is entirely encrypted. Our recent study shows that such side-channel leaks are both fundamental and realistic: a set of popular web applications are found to disclose highly sensitive user data such as one's family incomes, health profiles, investment secrets and more through their side channels. Our study also shows that an significant improvement of the current web-application development practice is necessary to mitigate this threat. To answer this urgent call, we present in this paper a suite of new techniques for automatic detection and quantification of side-channel leaks in web applications. Our approach, called Sidebuster, can automatically analyze an application's source code to detect its side channels and then perform a rerun test to assess the amount of information disclosed through such channels (quantified as the entropy loss). Sidebuster has been designed to work on event-driven applications and can effectively handle the AJAX GUI widgets used in most web applications. In our research, we implemented a prototype of our technique for analyzing GWT applications and evaluated it using complicated web applications. Our study shows that Sidebuster can effectively identify the side-channel leaks in these applications and assess their severity, with a small overhead.