SideAuto: quantitative information flow for side-channel leakage in web applications

Communication between the client side and server side in web applications is a threat to the users' private data because of side-channel leakage. Attackers can infer sensitive information from the network traffic generated during the communication, based on packet sizes and sequence structure. Here we present a new technique, based on verification and quantitative information flow, for the analysis of these side channels in web applications. The technique is implemented in a tool, called SideAuto, whose applicability to a variety of web applications is demonstrated. SideAuto aims to perform fully automatic analysis of side-channel leakage. Core to this aim is the generation of test cases without the developer's manual work. Our technique applies primarily to the Apache Struts framework of web applications.
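To make the quantitative-information-flow idea concrete, the following added example (not SideAuto's code and not taken from the paper) measures how many bits about a secret user choice an observer of encrypted traffic learns from packet sizes and sequence structure. The secrets, the trace values, the padding model and all function names are constructed assumptions.

```python
import math
from collections import defaultdict

# Constructed sample: secret user choice -> observed sequence of encrypted
# response sizes in bytes (hypothetical values, not measurements from the paper).
TRACES = {
    "flu":      (512, 1840),
    "cold":     (512, 1852),
    "diabetes": (512, 2310, 640),
    "asthma":   (512, 1840),
}

def pad(trace, block):
    """Mitigation model: round every packet size up to a multiple of `block`."""
    return tuple(-(-size // block) * block for size in trace)

def leakage(traces, prior=None):
    """Return (shannon_bits, min_entropy_bits) leaked about the secret.

    The application is modelled as a deterministic channel secret -> trace.
    """
    secrets = list(traces)
    prior = prior or {s: 1 / len(secrets) for s in secrets}
    # Group secrets into classes the observer cannot tell apart.
    classes = defaultdict(list)
    for s in secrets:
        classes[traces[s]].append(s)
    # Deterministic channel, so the mutual information I(S;O) equals H(O).
    p_obs = [sum(prior[s] for s in group) for group in classes.values()]
    shannon = -sum(p * math.log2(p) for p in p_obs if p > 0)
    # Min-entropy leakage: log2(posterior vulnerability / prior vulnerability).
    v_prior = max(prior.values())
    v_post = sum(max(prior[s] for s in group) for group in classes.values())
    return shannon, math.log2(v_post / v_prior)

def report(block=None):
    """Leakage of the sample traces, optionally after padding to `block` bytes."""
    traces = {s: pad(t, block) for s, t in TRACES.items()} if block else TRACES
    return leakage(traces)

if __name__ == "__main__":
    for block in (None, 256, 4096):
        sh, me = report(block)
        print(f"padding={block}: Shannon {sh:.3f} bits, min-entropy {me:.3f} bits")
```

Padding to 4096 bytes leaks exactly as much as padding to 256 bytes here, because the three-packet trace remains distinguishable by its length: size padding alone does not remove the sequence-structure channel.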
