Automated black-box detection of side-channel vulnerabilities in web applications
- 17 October 2011
- conference paper
- Published by Association for Computing Machinery (ACM)
- p. 263-274
- https://doi.org/10.1145/2046707.2046737
Abstract
Web applications divide their state between the client and the server. The frequent and highly dynamic client-server communication that is characteristic of modern web applications leaves them vulnerable to side-channel leaks, even over encrypted connections. We describe a black-box tool for detecting and quantifying the severity of side-channel vulnerabilities by analyzing network traffic over repeated crawls of a web application. By viewing the adversary as a multi-dimensional classifier, we develop a methodology to more thoroughly measure the distinguishability of network traffic for a variety of classification metrics. We evaluate our detection system on several deployed web applications, accounting for proposed client- and server-side defenses. Our results illustrate the limitations of entropy measurements used in previous work and show how our new metric based on the Fisher criterion can be used to more robustly reveal side-channels in web applications.
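As an added illustration (not the paper's tool or code), the Fisher-criterion idea from the abstract reduced to a single traffic feature: each application state is crawled several times, the observed response size of each visit is recorded, and the ratio of between-state scatter to within-state scatter scores how separable the states are on the wire. The state names, sizes and the block-padding defense below are constructed for the example.

```python
"""Fisher-criterion leakage score over constructed web-app traffic traces."""
from statistics import mean


def fisher_criterion(traces):
    """traces: dict state -> list of one observation (e.g. response size) per visit.

    Returns J = sum_c n_c (mu_c - mu)^2 / sum_c sum_x (x - mu_c)^2, the ratio of
    between-state scatter to within-state scatter. J near 0 means the states look
    alike on the wire; inf means every state is separable with no noise at all.
    """
    all_obs = [x for obs in traces.values() for x in obs]
    grand = mean(all_obs)
    between = sum(len(obs) * (mean(obs) - grand) ** 2 for obs in traces.values())
    within = sum((x - mean(obs)) ** 2 for obs in traces.values() for x in obs)
    if within == 0:
        return float("inf") if between > 0 else 0.0
    return between / within


def pad_to_block(size, block=512):
    """Server-side defense: round a response size up to a multiple of `block`."""
    return -(-size // block) * block


def padded(traces, block=512):
    """Apply pad_to_block to every observation in every state."""
    return {s: [pad_to_block(x, block) for x in xs] for s, xs in traces.items()}


# Constructed samples: response sizes in bytes seen on four crawls of each state
# of a hypothetical webmail application.
TRACES = {
    "inbox_empty": [2101, 2098, 2105, 2100],
    "inbox_one_message": [2617, 2620, 2611, 2625],
    "compose": [3344, 3350, 3340, 3346],
}

if __name__ == "__main__":
    # Raw traffic: states are trivially separable (J in the thousands).
    print("raw        J =", fisher_criterion(TRACES))
    # 1 KiB padding merges the two inbox states but still exposes "compose".
    print("pad 1024   J =", fisher_criterion(padded(TRACES, 1024)))
    # 4 KiB padding collapses all three states to one size: no leak (J = 0).
    print("pad 4096   J =", fisher_criterion(padded(TRACES, 4096)))
```

Re-running the score after each candidate padding size shows which defenses actually remove the distinguishability rather than merely reducing it.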