Side Channel Attack and Defense

InteGuard: Toward Automatic Protection of Third-Party Web Service Integrations

L. Xing, Y. Chen, X. Wang and S. Chen. In Proceedings of the 20th Annual Network and Distributed System Security Symposium (NDSS 2013)
A web application today often utilizes web APIs to incorporate third-party services into its functionality. Such API integration, however, is full of security peril: recent studies show that popular web sites using high-profile web services, such as PayPal/Amazon checkouts and Facebook/Google single-sign-on (SSO) services, are riddled with logic flaws, enabling a malicious party to shop for free or log into a victim’s account. To address this new threat, techniques need to be developed to facilitate secure integration of third-party web services.

To answer this urgent call, we present in this paper InteGuard, the first system that offers security protection to vulnerable web API integrations. InteGuard operates a proxy in front of the service integrator’s web site, performing security checks on a set of invariant relations among the HTTP messages the integrator receives during a transaction (e.g., a checkout from a web store or a web SSO). These invariants link multiple HTTP sessions to a transaction and capture their security-critical relations. They also characterize transaction-related communication the proxy cannot directly observe, which happens between the client and the service provider. InteGuard includes a suite of novel techniques that automatically extract such invariants from a variety of communication channels adopted by diverse integrations and achieve effective false positive control in this process. Our evaluation shows that InteGuard can defeat complicated exploits on high-profile web services, with little interference in their normal operations.

Signing Me onto Your Accounts through Facebook and Google: a Traffic-Guided Security Study of Commercially Deployed Single-Sign-On Web Services

R. Wang, S. Chen and X. Wang. In Proceedings of the 33rd IEEE Symposium on Security and Privacy (IEEE S&P 2012)
With the boom of software-as-a-service and social networking, web-based single sign-on (SSO) schemes are being deployed by more and more commercial websites to safeguard many web resources. Despite prior research in formal verification, little has been done to analyze the security quality of SSO schemes that are commercially deployed in the real world. Such an analysis faces unique technical challenges, including lack of access to well-documented protocols and code, and the complexity brought in by the rich browser elements (script, Flash, etc.). In this paper, we report the first "field study" on popular web SSO systems. In every studied case, we focused on the actual web traffic going through the browser, and used an algorithm to recover important semantic information and identify potential exploit opportunities. Such opportunities guided us to the discoveries of real flaws. In this study, we discovered 8 serious logic flaws in high-profile ID providers and relying party websites, such as OpenID (including Google ID and PayPal Access), Facebook, JanRain, Freelancer, FarmVille, Sears.com, etc. Every flaw allows an attacker to sign in as the victim user. We reported our findings to affected companies, and received their acknowledgements in various ways. All the reported flaws, except those discovered very recently, have been fixed. This study shows that the overall security quality of SSO deployments seems worrisome. We hope that the SSO community conducts a study similar to ours, but in a larger scale, to better understand to what extent SSO is insecurely deployed and how to respond to the situation

How to Shop for Free Online – Security Analysis of Cashier-as-a-Service Based Web Stores

R. Wang, S. Chen, X. Wang, and S. Qadeer. In Proceedings of the 32nd IEEE Symposium on Security and Privacy (IEEE S&P 2011).
Web applications increasingly integrate third-party services. The integration introduces new security challenges due to the complexity for an application to coordinate its internal states with those of the component services and the web client across the Internet. In this paper, we study the security implications of this problem to merchant websites that accept payments through third-party cashiers (e.g., PayPal, Amazon Payments and Google Checkout), which we refer to as Cashier-as-a-Service or CaaS. We found that leading merchant applications (e.g., NopCommerce and Interspire), popular online stores (e.g., Buy.com and JR.com) and a prestigious CaaS provider (Amazon Payments) all contain serious logic flaws that can be exploited to cause inconsistencies between the states of the CaaS and the merchant. As a result, a malicious shopper can purchase an item at an arbitrarily low price, shop for free after paying for one item, or even avoid payment. We reported our findings to the affected parties. They have all been fixed by vendors. We further studied the complexity in finding this type of logic flaws in typical CaaS-based checkout systems, and gained a preliminary understanding of the effort that needs to be made to improve the security assurance of such systems during their development and testing processes.

Sidebuster: Automated Detection and Quantification of Side-Channel Leaks in Web Application Development

K. Zhang, Z. Li, R. Wang, X. Wang and S. Chen. In Proceedings of the 17th ACM Conference on Computer and Communications Security (CCS 2010).
A web application is a “two-part” program, with its components deployed both in the browser and in the web server. The communication between these two components inevitably leaks out the program’s internal states to those eavesdropping on its web traffic, simply through the side channel features of the communication such as packet length and timing, even if the traffic is entirely encrypted. Our recent study shows that such side-channel leaks are both fundamental and realistic: a set of popular web applications are found to disclose highly sensitive user data such as one’s family incomes, health profiles, investment secrets and more through their side channels. Our study also shows that an significant improvement of the current web-application development practice is necessary to mitigate this threat. To answer this urgent call, we present in this paper a suite of new techniques for automatic detection and quantification of side-channel leaks in web applications. Our approach, called Sidebuster, can automatically analyze an application’s source code to detect its side channels and then perform a rerun test to assess the amount of information disclosed through such channels (quantified as the entropy loss). Sidebuster has been designed to work on event-driven applications and can effectively handle the AJAX GUI widgets used in most web applications. In our research, we implemented a prototype of our technique for analyzing GWT applications and evaluated it using complicated web applications. Our study shows that Sidebuster can effectively identify the side-channel leaks in these applications and assess their severity, with a small overhead.

This demo has two parts. The first part demonstrates how to use our tools to identify the places where information could possiblely be leaked, and the second part shows the process to quantify the information leak.

Source Code of Sidebuster:

Here you can download the source code of SideBuster, a tool that helps web developers detect and quantify the information leaks in the web applications they build. The source code includes two components: the first part is for static analysis on a web application's source code, which reports the possible program locations where information could be leaked; the second part does dynamic analysis on these locations and quantifies the information leaks.

Click here to download the static analysis part, and here to download the dynamic analysis part.

Our tools are built on a set of existing toolkits, so in order to run these analysis tools, you need to download and set up a set of third party libraries, packages, and applications. Following are the instructions.

You need to install JDK SE 1.5 and Eclipse. Also our static analysis tool is built on Soot , a Java Bytecode analysis and transformation Framework. We suggest to install the Eclipse Plugin of Soot , as well as the Soot complete package. Our dynamic analysis tool is built on JWebUnit, which you can download here . Please note that our code has been tested on the JWebUnit 2.3 release only.

We also give some sample web applications for the testing purpose. They are built on GWT (Google Web Toolkit). With GWT, developers can write Web application with Java, and then transform the code into JSP (server side) and HTML/JavaScript (client side) through GWT compiler. Click here to download an application that simulates the behavior of Tax preparation web applications. This application has also been deployed to Google's AppEngine and can be accessed via this link: http://income-test.appspot.com/

Side-Channel Leaks in Web Applications: a Reality Today, a Challenge Tomorrow

S. Chen, R. Wang, X. Wang and K. Zhang. In Proceedings of the 31st IEEE Symposium on Security and Privacy (IEEE S&P 2010).
With software-as-a-service becoming mainstream, more and more applications are delivered to the client through the Web. Unlike a desktop application, a web application is split into browser-side and server-side components. A subset of the application’s internal information flows are inevitably exposed on the network. We show that despite encryption, such a side-channel information leak is a realistic and serious threat to user privacy. Specifically, we found that surprisingly detailed sensitive information is being leaked out from a number of high-profile, top-of-the-line web applications in healthcare, taxation, investment and web search: an eavesdropper can infer the illnesses/medications/surgeries of the user, her family income and investment secrets, despite HTTPS protection; a stranger on the street can glean enterprise employees' web search queries, despite WPA/WPA2 Wi-Fi encryption. More importantly, the root causes of the problem are some fundamental characteristics of web applications: stateful communication, low entropy input for better interaction, and significant traffic distinctions. As a result, the scope of the problem seems industry-wide. We further present a concrete analysis to demonstrate the challenges of mitigating such a threat, which points to the necessity of a disciplined engineering practice for side-channel mitigations in future web application developments.

Online Advertising

Knowing Your Enemy: Understanding and Detecting Malicious Web Advertising

Z. Li, K. Zhang, Y. Xie, F. Yu and X. Wang.In Proceedings of the 19th ACM Conference on Computer and Communications Security (CCS 2012).
With the Internet becoming the dominant channel for marketing and promotion, online advertisements are also increasingly used for illegal purposes such as propagating malware, scamming, click frauds, etc. To understand the gravity of these malicious advertising activities, which we call malvertising, we perform a largescale study through analyzing ad-related Web traces crawled over a three-month period. Our study reveals the rampancy of malvertising: hundreds of top ranking Web sites fell victims and leading ad networks such as DoubleClick were infiltrated. To mitigate this threat, we identify prominent features from malicious advertising nodes and their related content delivery paths, and leverage them to build a new detection system called MadTracer. MadTracer automatically generates detection rules and utilizes them to inspect advertisement delivery processes and detect malvertising activities. Our evaluation shows that MadTracer was capable of capturing a large number of malvertising cases, 15 times as many as Google Safe Browsing and Microsoft Forefront did together, at a low false detection rate. It also detected new attacks, including a type of click-fraud attack that has never been reported before.

[Data]

Access Control and Information Flow Control

FIRM: Capability-based Inline Mediation of Flash Behaviors

Z. Li and X. Wang.In Proceedings of the 26th Annual Computer Security Applications Conference (ACSAC 2010)
The wide use of Flash technologies makes the security risks posed by Flash content an increasingly serious issue. Such risks cannot be effectively addressed by the Flash player, which either completely blocks Flash content's access to web resources or grants it unconstrained access. Efforts to mitigate this threat have to face the practical challenges that Adobe Flash player is closed source, and any changes to it need to be distributed to a large number of web clients. We demonstrate in this paper, however, that it is completely feasible to avoid these hurdles while still achieving fine-grained control of the interactions between Flash content and its hosting page. Our solution is FIRM, a system that embeds an inline reference monitor (IRM) within the web page hosting Flash content. The IRM effectively mediates the interactions between the content and DOM objects, and those between different Flash applications, using the capability tokens assigned by the web designer. FIRM can effectively protect the integrity of its IRM and the confidentiality of capability tokens. It can be deployed without making any changes to browsers. Our evaluation based upon real-world web applications and Flash applications demonstrates that FIRM effectively protects valuable user information and incurs small overhead.

Mash-IF: Practical Information-Flow Control within Client-side Mashups

Z. Li, K. Zhang and X. Wang.In Proceedings of the 40th Annual IEEE/IFIP International Conference on Dependable Systems and Networks (DSN 2010)
Mashup is a representative of Web 2.0 technology that needs both convenience of cross-domain access and protection against the security risks it brings in. Solutions proposed by prior research focused on mediating access to the data in different domains, but little has been done to control the use of the data after the access. In this paper, we present Mash-IF, a new technique for information-flow control within mashups. Our approach allows cross-domain communications within a browser, but disallows disclosure of sensitive information to remote parties without the user's permission. It mediates the cross-domain channels in existing mashups and works on the client without collaborations from other parties. Also of particular interest is a novel technique that automatically generates declassification rules for a script by statically analyzing its code. Such rules can be efficiently enforced through monitoring the script's call sequences and DOM operations.