Web applications divide their state between the client and the server. The frequent and highly dynamic client-server communication that is characteristic of modern web applications leaves them vulnerable to side-channel leaks, even over encrypted connections. We describe a black-box tool for detecting and quantifying the severity of side-channel vulnerabilities by analyzing network traffic over repeated crawls of a web application. By viewing the adversary as a multi-dimensional classifier, we develop a methodology to more thoroughly measure the distinguishability of network traffic for a variety of classification metrics. We evaluate our detection system on several deployed web applications, accounting for proposed client- and server-side defenses. Our results illustrate the limitations of the entropy measurements used in previous work and show how our new metric, based on the Fisher criterion, can be used to more robustly reveal side channels in web applications.