Automated black-box detection of side-channel vulnerabilities in web applications

Conference on Computer and Communications Security : proceedings of the ... conference on computer and communications security. ACM Conference on Computer and Communications Security Pub Date : 2011-10-17 DOI:10.1145/2046707.2046737

Peter Chapman, David Evans

{"title":"Automated black-box detection of side-channel vulnerabilities in web applications","authors":"Peter Chapman, David Evans","doi":"10.1145/2046707.2046737","DOIUrl":null,"url":null,"abstract":"Web applications divide their state between the client and the server. The frequent and highly dynamic client-server communication that is characteristic of modern web applications leaves them vulnerable to side-channel leaks, even over encrypted connections. We describe a black-box tool for detecting and quantifying the severity of side-channel vulnerabilities by analyzing network traffic over repeated crawls of a web application. By viewing the adversary as a multi-dimensional classifier, we develop a methodology to more thoroughly measure the distinguishably of network traffic for a variety of classification metrics. We evaluate our detection system on several deployed web applications, accounting for proposed client and server-side defenses. Our results illustrate the limitations of entropy measurements used in previous work and show how our new metric based on the Fisher criterion can be used to more robustly reveal side-channels in web applications.","PeriodicalId":72687,"journal":{"name":"Conference on Computer and Communications Security : proceedings of the ... conference on computer and communications security. ACM Conference on Computer and Communications Security","volume":"22 1","pages":"263-274"},"PeriodicalIF":0.0000,"publicationDate":"2011-10-17","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":"73","resultStr":null,"platform":"Semanticscholar","paperid":null,"PeriodicalName":"Conference on Computer and Communications Security : proceedings of the ... conference on computer and communications security. ACM Conference on Computer and Communications Security","FirstCategoryId":"1085","ListUrlMain":"https://doi.org/10.1145/2046707.2046737","RegionNum":0,"RegionCategory":null,"ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":null,"EPubDate":"","PubModel":"","JCR":"","JCRName":"","Score":null,"Total":0}

引用次数: 73

Abstract

Web applications divide their state between the client and the server. The frequent and highly dynamic client-server communication that is characteristic of modern web applications leaves them vulnerable to side-channel leaks, even over encrypted connections. We describe a black-box tool for detecting and quantifying the severity of side-channel vulnerabilities by analyzing network traffic over repeated crawls of a web application. By viewing the adversary as a multi-dimensional classifier, we develop a methodology to more thoroughly measure the distinguishably of network traffic for a variety of classification metrics. We evaluate our detection system on several deployed web applications, accounting for proposed client and server-side defenses. Our results illustrate the limitations of entropy measurements used in previous work and show how our new metric based on the Fisher criterion can be used to more robustly reveal side-channels in web applications.

查看原文

微信好友朋友圈 QQ好友复制链接

本刊更多论文

自动黑盒检测侧通道漏洞在web应用程序

Web应用程序在客户机和服务器之间划分它们的状态。频繁和高度动态的客户端-服务器通信是现代web应用程序的特征，这使得它们容易受到侧通道泄漏的影响，甚至在加密连接上也是如此。我们描述了一个黑盒工具，通过分析web应用程序重复爬行的网络流量来检测和量化侧通道漏洞的严重性。通过将对手视为多维分类器，我们开发了一种方法，可以更彻底地测量各种分类指标的网络流量的可区分性。我们在几个已部署的web应用程序上评估我们的检测系统，考虑建议的客户端和服务器端防御。我们的结果说明了以前工作中使用的熵测量的局限性，并展示了我们基于Fisher准则的新度量如何用于更稳健地揭示web应用程序中的侧信道。

本文章由计算机程序翻译，如有差异，请以英文原文为准。

求助全文

约1分钟内获得全文去求助

来源期刊

Conference on Computer and Communications Security : proceedings of the ... conference on computer and communications security. ACM Conference on Computer and Communications Security

CiteScore

9.20

自引率

0.00%

发文量