Pinpointing side-channel information leaks in web applications

  • Regular Paper
Journal of Cryptographic Engineering

Abstract

The construction of a test capable of detecting the presence of information leaks in a sequence of side-channel observations is an important research goal for engineers attempting to design systems resilient against side-channel attacks. Whilst the traditional targets of side-channel attacks are cryptographic hardware devices, recent works have demonstrated the vulnerability of software, and in particular web applications. As a result, there has been a concerted drive towards the development of a leakage detection strategy that can inspect web application traffic for the presence of information leaks. In this work we discuss the effectiveness of previous approaches, and describe an improved, generically applicable test based on a statistical estimation of the mutual information between the user inputs entered into the application and subsequent observable side-channel information. We use our proposed metric to construct a test capable of analysing sampled traces of packets for the presence of information leaks, and demonstrate the application of our test on a real-world web application.


Author information

Corresponding author

Correspondence to Luke Mather.

About this article

Cite this article

Mather, L., Oswald, E. Pinpointing side-channel information leaks in web applications. J Cryptogr Eng 2, 161–177 (2012). https://doi.org/10.1007/s13389-012-0036-0

  • DOI: https://doi.org/10.1007/s13389-012-0036-0
