SideAuto: quantitative information flow for side-channel leakage in web applications

Authors:
Xujing Huang;Pasquale Malacaria
Affiliations:
Queen Mary, University of London, London, United Kingdom;Queen Mary, University of London, London, United Kingdom
Venue:
Proceedings of the 12th ACM workshop on Workshop on privacy in the electronic society
Year:
2013

Citing 15
Cited 0

Timing attacks on Web privacy

Proceedings of the 7th ACM conference on Computer and communications security
Symbolic execution and program testing

Communications of the ACM
Programming Techniques: Regular expression search algorithm

Communications of the ACM
A mathematical theory of communication

ACM SIGMOBILE Mobile Computing and Communications Review
New covert channels in HTTP: adding unwitting Web browsers to anonymity sets

Proceedings of the 2003 ACM workshop on Privacy in the electronic society
On the Foundations of Quantitative Information Flow

FOSSACS '09 Proceedings of the 12th International Conference on Foundations of Software Science and Computational Structures: Held as Part of the Joint European Conferences on Theory and Practice of Software, ETAPS 2009
Automatic creation of SQL Injection and cross-site scripting attacks

ICSE '09 Proceedings of the 31st International Conference on Software Engineering
Side-Channel Leaks in Web Applications: A Reality Today, a Challenge Tomorrow

SP '10 Proceedings of the 2010 IEEE Symposium on Security and Privacy
Symbolic PathFinder: symbolic execution of Java bytecode

Proceedings of the IEEE/ACM international conference on Automated software engineering
Sidebuster: automated detection and quantification of side-channel leaks in web application development

Proceedings of the 17th ACM conference on Computer and communications security
Soot: a Java bytecode optimization framework

CASCON First Decade High Impact Papers
Automatically deriving information-theoretic bounds for adaptive side-channel attacks

Journal of Computer Security
Automated driver generation for analysis of web applications

FASE'11/ETAPS'11 Proceedings of the 14th international conference on Fundamental approaches to software engineering: part of the joint European conferences on theory and practice of software
Cache Games -- Bringing Access-Based Cache Attacks on AES to Practice

SP '11 Proceedings of the 2011 IEEE Symposium on Security and Privacy
Automated black-box detection of side-channel vulnerabilities in web applications

Proceedings of the 18th ACM conference on Computer and communications security

Quantified Score

Hi-index	0.00

Visualization

Abstract

Communication between the client side and server side in web applications is a threat to the users' private data because of side-channel leakage. Attackers can infer sensitive information from the network traffic generated during the communication according to packet sizes and sequence structure. Here we present a new technique, based on verification and quantitative information flow, for the analysis of these side channels in web applications. The technique is implemented in a tool, called SideAuto, whose applicability to a variety of web applications is demonstrated. SideAuto aims to perform fully automatic analysis of side-channel leakage. Core to this aim is the generation of test cases without the developer's manual work. Our technique applies primarily to the Apache Struts framework of web applications.