Side-Channel Attack on Web
Counteracting Web Malvertising
Secure Computing on Hybrid Clouds
Secure Web Commerce
Mobile Fragmentation

CNS 1017782: Reining in Side-Channel Information Leaks in the Software-as-a-Service Era

Introduction

With software-as-a-service (SaaS) rapidly becoming mainstream, web applications increasingly substitute for desktop software. A web application is a two-part program, with its components deployed both in the browser and in the web server. The interactions between these two components inevitably reveal the program's internal states to any observer of the communication stream, simply through the pattern of packet lengths and the timing of interactions, even if stream is entirely encrypted. This research reveals that these "side-channel" information leaks are both fundamental and common: a number of popular web applications are found to disclose highly sensitive user data, such as one's family income, health profile, investments and more. This research will develop an in-depth understanding of web applications' side channel vulnerabilities, particularly the design features and domain knowledge that lead to side-channel leaks. Based upon this understanding, new technologies are developed to facilitate the detection and mitigation of the side-channel threats during the development and operation of web applications. These technologies will be made available to users so they can assess their vulnerabilities and to developers so they can reduce the vulnerabilities in the applications they build. The outcomes of the project will contribute to the improvement of privacy protection in the SaaS infrastructure and cloud computing.

Related paper

  • F. Zhang, W. He, Y. Chen, Z. Li, X. Wang, S. Chen and X. Liu, 2012 "Thwarting Wi-Fi Side-Channel Analysis through Traffic Demultiplexing". Submitted to IEEE Transactions on Dependable and Secure Computing.
  • K. Zhang, X. Zhou, Y. Chen, X. Wang and Y. Ruan, 2011 "Sedic: Privacy-Aware Data Intensive Computing on Hybrid Clouds". In Proceedings of the 18th ACM Conference on Computer and Communications Security (CCS).
  • R. Schlegel, K. Zhang, X. Zhou, M. Intwala, A. Kapadia and X. Wang, 2011 "Soundminer: A Stealthy and Context-Aware Sound Trojan for Smartphones". In Proceedings of the 18th Annual Network and Distributed System Security Symposium (NDSS)
  • A. Kapadia, S. Myers, X. Wang and G. Fox. 2011 "Toward Securing Sensor Clouds". In Proceedings of the 12th International Symposium on Collaborative Technologies and Systems (CTS).
  • K. Zhang, Z. Li, R. Wang, X. Wang and S. Chen, 2010 "Sidebuster: Automated Detection and Quantification of Side-Channel Leaks in Web Application Development". In Proceedings of the 17th ACM Conference on Computer and Communications Security (CCS).
  • A. Kapadia, S. Myers, X. Wang and G. Fox. 2010 "Secure Cloud Computing with Brokered Trusted Sensor Networks". In Proceedings of the 11th International Symposium on Collaborative Technologies and Systems (CTS).
  • S. Chen, R. Wang, X. Wang and K. Zhang, 2010 "Side-Channel Leaks in Web Applications: a Reality Today, a Challenge Tomorrow". In Proceedings of the 31st IEEE Symposium on Security and Privacy (IEEE S&P Oakland).

Demo

  • Side-Channel Threats to Web Applications

    Please visit this site for detailed demo.

  • Sidebuster

    This demo has two parts. The first part demonstrates how to use our tools to identify the places where information could possiblely be leaked, and the second part shows the process to quantify the information leak.

  • Traffic Demultiplexing:

    Please follow this link to view it on Youtube.com

Source Code of Sidebuster:

Here you can download the source code of SideBuster, a tool that helps web developers detect and quantify the information leaks in the web applications they build. The source code includes two components: the first part is for static analysis on a web application's source code, which reports the possible program locations where information could be leaked; the second part does dynamic analysis on these locations and quantifies the information leaks.

Click here to download the static analysis part, and here to download the dynamic analysis part.

Our tools are built on a set of existing toolkits, so in order to run these analysis tools, you need to download and set up a set of third party libraries, packages, and applications. Following are the instructions.

You need to install JDK SE 1.5 and Eclipse. Also our static analysis tool is built on Soot , a Java Bytecode analysis and transformation Framework. We suggest to install the Eclipse Plugin of Soot , as well as the Soot complete package. Our dynamic analysis tool is built on JWebUnit, which you can download here . Please note that our code has been tested on the JWebUnit 2.3 release only.

We also give some sample web applications for the testing purpose. They are built on GWT (Google Web Toolkit). With GWT, developers can write Web application with Java, and then transform the code into JSP (server side) and HTML/JavaScript (client side) through GWT compiler. Click here to download an application that simulates the behavior of Tax preparation web applications. This application has also been deployed to Google's AppEngine and can be accessed via this link: http://income-test.appspot.com/