research-article

SideAuto: quantitative information flow for side-channel leakage in web applications

Authors:

Pasquale MalacariaAuthors Info & Claims

WPES '13: Proceedings of the 12th ACM workshop on Workshop on privacy in the electronic society

Pages 285 - 290

https://doi.org/10.1145/2517840.2517869

Published: 04 November 2013 Publication History

Abstract

Communication between the client side and server side in web applications is a threat to the users' private data because of side-channel leakage. Attackers can infer sensitive information from the network traffic generated during the communication according to packet sizes and sequence structure. Here we present a new technique, based on verification and quantitative information flow, for the analysis of these side channels in web applications. The technique is implemented in a tool, called SideAuto, whose applicability to a variety of web applications is demonstrated. SideAuto aims to perform fully automatic analysis of side-channel leakage. Core to this aim is the generation of test cases without the developer's manual work. Our technique applies primarily to the Apache Struts framework of web applications.

References

[1]

Htmlunit. http://hhtmlunit.sourceforge.net/.

[2]

Jpcap. http://jpcap.sourceforge.net/.

[3]

Struts framework. http://struts.apache.org/.

[4]

M. Bauer. New covert channels in http: adding unwitting web browsers to anonymity sets. In Proceedings of the 2003 ACM workshop on Privacy in the electronic society, pages 72--78. ACM, 2003.

Digital Library

[5]

P. Chapman and D. Evans. Automated black-box detection of side-channel vulnerabilities in web applications. In Proceedings of the 18th ACM conference on Computer and communications security, pages 263--274, 2011.

Digital Library

[6]

S. Chen, R. Wang, X. Wang, and K. Zhang. Side-channel leaks in web applications: A reality today, a challenge tomorrow. In Procedings of the IEEE Symposium on Security and Privacy, pages 191--206, 2010.

Digital Library

[7]

H. Cheng and R. Avnur. Traffic analysis of ssl encrypted web browsing. Technical report, 1998. http://www.cs.berkeley.edu/ daw/teac- hing/cs261-f98/projects/final-reports/ronathanheyni-ng.ps.

[8]

D. Clark, S. Hunt, and P. Malacaria. Quantitative analysis of the leakage of confidential data. Electronic Notes in Theoretical Computer Science, 59(3):238--251, 2002.

[9]

E. W. Felten and M. A. Schneider. Timing attacks on web privacy. In Proceedings of the 7th ACM conference on Computer and communications security, pages 25--32. ACM, 2000.

Digital Library

[10]

J. Friedman. Tempest: A signal problem. Cryptologic Spectrum, 2007.

[11]

D. Gullasch, E. Bangerter, and S. Krenn. Cache games--bringing access-based cache attacks on aes to practice. In Security and Privacy (SP), 2011 IEEE Symposium on, pages 490--505. IEEE, 2011.

Digital Library

[12]

A. Kieyzun, P. J. Guo, K. Jayaraman, and M. D. Ernst. Automatic creation of sql injection and cross-site scripting attacks. In Proceedings of the 31st International Conference on Software Engineering, pages 199--209, 2009.

Digital Library

[13]

J. C. King. Symbolic execution and program testing. Communications of the ACM, 17(7):385--394, 1976.

Digital Library

[14]

B. Köpf and D. A. Basin. Automatically deriving information-theoretic bounds for adaptive side-channel attacks. Journal of Computer Security, 19(1):1--31, 2011.

[15]

L. Page, S. Brin, R. Motwani, and T. Winograd. The pagerank citation ranking: bringing order to the web. Technical report, 1999.

[16]

C. S. P\uas\uareanu and N. Rungta. Symbolic pathfinder: symbolic execution of java bytecode. In Proceedings of the IEEE/ACM international conference on Automated software engineering, ASE '10, pages 179--180, New York, NY, USA, 2010. ACM.

Digital Library

[17]

C. E. Shannon. A mathematical theory of communication. ACM SIGMOBILE Mobile Computing and Communications Review, 5(1):3--55, 2001.

Digital Library

[18]

G. Smith. On the foundations of quantitative information flow. In Foundations of Software Science and Computational Structures, pages 288--302, 2009.

Digital Library

[19]

R. Tarjan. Depth-first search and linear graph algorithms. SIAM Journal on Computing, 1(2):146--160, 1972.

Digital Library

[20]

K. Thompson. Programming techniques: Regular expression search algorithm. Communications of the ACM, 11(6):419--422, 1968.

Digital Library

[21]

O. Tkachuk and S. Rajan. Automated driver generation for analysis of web applications. In Proceedings of the Fundamental Approaches to Software Engineering, pages 326--340, 2011.

Digital Library

[22]

R. Vallée-Rai, P. Co, E. Gagnon, L. Hendren, P. Lam, and V. Sundaresan. Soot: A java bytecode optimization framework. In CASCON First Decade High Impact Papers, pages 214--224, 2010.

Digital Library

[23]

P. Vogt, F. Nentwich, N. Jovanovic, E. Kirda, C. Kruegel, and G. Vigna. Cross site scripting prevention with dynamic data tainting and static analysis. In Proceedings of the Network and Distributed Systems Security Symposium, 2007.

[24]

K. Zhang, Z. Li, R. Wang, X. Wang, and S. Chen. Sidebuster: automated detection and quantification of side-channel leaks in web application development. In Proceedings of the 17th ACM conference on Computer and communications security, pages 595--606. ACM, 2010.

Digital Library

Cited By

Huang X(2022)An Automated System for Fingerprinting User Privacy in Web Applications2022 IEEE 4th International Conference on Power, Intelligent Computing and Systems (ICPICS)10.1109/ICPICS55264.2022.9873790(443-447)Online publication date: 29-Jul-2022
https://doi.org/10.1109/ICPICS55264.2022.9873790
Kadron İRosner NBultan TKhurshid SPăsăreanu C(2020)Feedback-driven side-channel analysis for networked applicationsProceedings of the 29th ACM SIGSOFT International Symposium on Software Testing and Analysis10.1145/3395363.3397365(260-271)Online publication date: 18-Jul-2020
https://dl.acm.org/doi/10.1145/3395363.3397365
Grubbs PMcPherson RNaveed MRistenpart TShmatikov VWeippl EKatzenbeisser SKruegel CMyers AHalevi S(2016)Breaking Web Applications Built On Top of Encrypted DataProceedings of the 2016 ACM SIGSAC Conference on Computer and Communications Security10.1145/2976749.2978351(1353-1364)Online publication date: 24-Oct-2016
https://dl.acm.org/doi/10.1145/2976749.2978351
Show More Cited By

Index Terms

SideAuto: quantitative information flow for side-channel leakage in web applications
1. Security and privacy
  1. Cryptography
    1. Cryptanalysis and other attacks
  2. Intrusion/anomaly detection and malware mitigation
2. Social and professional topics
  1. Computing / technology policy
    1. Computer crime

Recommendations

Efficient character-level taint tracking for Java
SWS '09: Proceedings of the 2009 ACM workshop on Secure web services

Over 80% of web services are vulnerable to attack, and much of the danger arises from command injection vulnerabilities. We present an efficient character-level taint tracking system for Java web applications and argue that it can be used to defend ...
Toward a Moving Target Defense for Web Applications
IRI '15: Proceedings of the 2015 IEEE International Conference on Information Reuse and Integration

Web applications are a critical component of the security ecosystem as they are often the front door for many companies, as such, vulnerabilities in web applications allow hackers access to companies' private data, which contains consumers' private ...
On Security Issues in Web Applications through Cross Site Scripting (XSS)
APSEC '13: Proceedings of the 2013 20th Asia-Pacific Software Engineering Conference (APSEC) - Volume 01

Web applications have become a very popular means of developing software. This is because of many advantages of web applications like no need of installation on each client machine, centralized data, reduction in business cost etc. With the increase in ...

Comments

Please enable JavaScript to view thecomments powered by Disqus.

Information & Contributors

Information

Published In

cover image ACM Conferences

WPES '13: Proceedings of the 12th ACM workshop on Workshop on privacy in the electronic society

November 2013

306 pages

ISBN:9781450324854

DOI:10.1145/2517840

General Chair:
Ahmad-Reza Sadeghi
TU-Darmstadt & Fraunhofer SIT & Intel ICRI-SC, Germany
,
Program Chair:
Sara Foresti
Università degli Studi di Milano, Italy

Copyright © 2013 ACM.

Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than ACM must be honored. Abstracting with credit is permitted. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. Request permissions from [email protected]

Sponsors

SIGSAC: ACM Special Interest Group on Security, Audit, and Control

Publisher

Association for Computing Machinery

New York, NY, United States

Publication History

Published: 04 November 2013

Permissions

Request permissions for this article.

Request Permissions

Check for updates

Author Tags

Qualifiers

Research-article

Conference

CCS'13

Sponsor:

SIGSAC

CCS'13: 2013 ACM SIGSAC Conference on Computer and Communications Security

November 4, 2013

Berlin, Germany

Acceptance Rates

WPES '13 Paper Acceptance Rate 30 of 103 submissions, 29%;

Overall Acceptance Rate 106 of 355 submissions, 30%

Upcoming Conference

CCS '25

Sponsor:
sigsac

ACM SIGSAC Conference on Computer and Communications Security

October 13 - 17, 2025

Taipei , Taiwan

Contributors

Other Metrics

View Article Metrics

Bibliometrics & Citations

Bibliometrics

Article Metrics

4
Total Citations
View Citations
189
Total Downloads

Downloads (Last 12 months)6
Downloads (Last 6 weeks)0

Reflects downloads up to 08 Feb 2025

Other Metrics

View Author Metrics

Citations

Cited By

Huang X(2022)An Automated System for Fingerprinting User Privacy in Web Applications2022 IEEE 4th International Conference on Power, Intelligent Computing and Systems (ICPICS)10.1109/ICPICS55264.2022.9873790(443-447)Online publication date: 29-Jul-2022
https://doi.org/10.1109/ICPICS55264.2022.9873790
Kadron İRosner NBultan TKhurshid SPăsăreanu C(2020)Feedback-driven side-channel analysis for networked applicationsProceedings of the 29th ACM SIGSOFT International Symposium on Software Testing and Analysis10.1145/3395363.3397365(260-271)Online publication date: 18-Jul-2020
https://dl.acm.org/doi/10.1145/3395363.3397365
Grubbs PMcPherson RNaveed MRistenpart TShmatikov VWeippl EKatzenbeisser SKruegel CMyers AHalevi S(2016)Breaking Web Applications Built On Top of Encrypted DataProceedings of the 2016 ACM SIGSAC Conference on Computer and Communications Security10.1145/2976749.2978351(1353-1364)Online publication date: 24-Oct-2016
https://dl.acm.org/doi/10.1145/2976749.2978351
Huang X(2015)It Leaks More Than You Think: Fingerprinting Users from Web Traffic AnalysisActa Informatica Pragensia10.18267/j.aip.704:3(206-225)Online publication date: 31-Dec-2015
https://doi.org/10.18267/j.aip.70

View Options

Login options

Check if you have access through your login credentials or your institution to get full access on this article.

Full Access

Get this Publication

View options

PDF

View or Download as a PDF file.

eReader

View online with eReader.

Figures

Tables

Media

View Table of Conten