Proceedings Article

Side-Channel Leaks in Web Applications: A Reality Today, a Challenge Tomorrow

TLDR
The paper finds that surprisingly detailed sensitive information is being leaked from a number of high-profile, top-of-the-line web applications in healthcare, taxation, investment and web search, suggesting that the scope of the problem is industry-wide.
Abstract
With software-as-a-service becoming mainstream, more and more applications are delivered to the client through the Web. Unlike a desktop application, a web application is split into browser-side and server-side components. A subset of the application’s internal information flows are inevitably exposed on the network. We show that despite encryption, such a side-channel information leak is a realistic and serious threat to user privacy. Specifically, we found that surprisingly detailed sensitive information is being leaked out from a number of high-profile, top-of-the-line web applications in healthcare, taxation, investment and web search: an eavesdropper can infer the illnesses/medications/surgeries of the user, her family income and investment secrets, despite HTTPS protection; a stranger on the street can glean enterprise employees' web search queries, despite WPA/WPA2 Wi-Fi encryption. More importantly, the root causes of the problem are some fundamental characteristics of web applications: stateful communication, low entropy input for better interaction, and significant traffic distinctions. As a result, the scope of the problem seems industry-wide. We further present a concrete analysis to demonstrate the challenges of mitigating such a threat, which points to the necessity of a disciplined engineering practice for side-channel mitigations in future web application developments.


Citations
Proceedings Article

VC3: Trustworthy Data Analytics in the Cloud Using SGX

TL;DR: VC3 is the first system that allows users to run distributed MapReduce computations in the cloud while keeping their code and data secret, and ensuring the correctness and completeness of their results.
Proceedings Article

The most dangerous code in the world: validating SSL certificates in non-browser software

TL;DR: It is demonstrated that SSL certificate validation is completely broken in many security-critical applications and libraries, and the badly designed APIs of SSL implementations and data-transport libraries, which present developers with a confusing array of settings and options, are analyzed.
Proceedings Article

Town Crier: An Authenticated Data Feed for Smart Contracts

TL;DR: Town Crier is an authenticated data feed system that acts as a bridge between smart contracts and existing web sites, which are already commonly trusted for non-blockchain applications. It combines a blockchain front end with a trusted hardware back end to scrape HTTPS-enabled websites and serve source-authenticated data to relying smart contracts.
Proceedings Article

Peek-a-Boo, I Still See You: Why Efficient Traffic Analysis Countermeasures Fail

TL;DR: It is unlikely that bandwidth-efficient, general-purpose TA countermeasures can ever provide the type of security targeted in prior work, and it is shown that nine known countermeasures are vulnerable to simple attacks that exploit coarse features of traffic.
Journal Article

Collaborative Security: A Survey and Taxonomy

TL;DR: A comprehensive study of different mechanisms of collaboration and defense in collaborative security, covering six types of security systems, with the goal of helping to make collaborative security systems more resilient and efficient.
References
Proceedings Article

Hey, you, get off of my cloud: exploring information leakage in third-party compute clouds

TL;DR: It is shown that it is possible to map the internal cloud infrastructure, identify where a particular target VM is likely to reside, and then instantiate new VMs until one is placed co-resident with the target, and how such placement can then be used to mount cross-VM side-channel attacks to extract information from a target VM on the same machine.
Journal Article

Remote timing attacks are practical

TL;DR: The authors present a timing attack against OpenSSL and demonstrate that timing attacks against network servers are practical, so security systems should defend against them. They also show that timing attacks apply to general software systems.
Proceedings Article

Timing analysis of keystrokes and timing attacks on SSH

TL;DR: A statistical study of users' typing patterns is performed and it is shown that these patterns reveal information about the keys typed, and that timing leaks open a new set of security risks, and hence caution must be taken when designing this type of protocol.

Analysis of the SSL 3.0 protocol

TL;DR: A number of minor flaws in the protocol and several new active attacks on SSL are presented; however, these can be easily corrected without overhauling the basic structure of the protocol.
Proceedings Article

Remote timing attacks are practical

TL;DR: This work devises a timing attack against OpenSSL that can extract private keys from an OpenSSL-based web server running on a machine in the local network.