Abstract
The construction of a test capable of detecting the presence of information leaks in a sequence of side-channel observations is an important research goal for engineers attempting to design systems resilient against side-channel attacks. Whilst the traditional targets of side-channel attacks are cryptographic hardware devices, recent works have demonstrated the vulnerability of software, and in particular web applications. As a result, there has been a concerted drive towards the development of a leakage detection strategy that can inspect web application traffic for the presence of information leaks. In this work we discuss the effectiveness of previous approaches, and describe an improved, generically applicable test based on a statistical estimation of the mutual information between the user inputs entered into the application and subsequent observable side-channel information. We use our proposed metric to construct a test capable of analysing sampled traces of packets for the presence of information leaks, and demonstrate the application of our test on a real-world web application.
Similar content being viewed by others
References
Arimoto S.: An algorithm for computing the capacity of arbitrary memoryless channels. IEEE Trans. Inf. Theory 18(1), 14–20 (1972)
Backes, M., Köpf, B.: Formally Bounding the side-channel leakage in unknown-message attacks. In: ESORICS, pp. 517–532 (2008)
Backes, M., Köpf, B., Rybalchenko, A.: automatic discovery and quantification of information leaks. In: IEEE Symposium on Security and Privacy, pp. 141–153 (2009)
Berthold, O., Pfitzmann, A., Standtke, R.: The Disadvantages of free MIX routes and how to overcome them. In: Workshop on Design Issues in Anonymity and Unobservability, pp. 30–45 (2000)
Bissias, G.D., Liberatore, M., Jensen, D., Levine, B.N.: Privacy vulnerabilities in encrypted HTTP streams. In: Privacy Enhancing Technologies, pp. 1–11 (2005)
Blahut R.E.: Computation of channel capacity and rate distortion functions. IEEE Trans. Inf. Theory 18(4), 460–473 (1972)
Boreale, M., Pampaloni, F., Paolini, M.: Quantitative information flow, with a view. In: ESORICS, pp. 588–606 (2011)
Chapman, P., Evans, D.: Automated black-box detection of side-channel vulnerabilities in web applications. In: ACM Conference on Computer and Communications Security, pp. 263–274 (2011)
Chatzikokolakis, K., Chothia, T., Guha, A.: Statistical measurement of information leakage. In: TACAS, pp. 390–404 (2010)
Chatzikokolakis K., Palamidessi C., Panangaden P.: Anonymity protocols as noisy channels. Inf. Comput. 206(2–4), 378–401 (2008)
Chaum D.: The dining cryptographers problem: unconditional sender and recipient untraceability. J. Cryptol. 1(1), 65– (1988)
Chen, S., Wang, R., Wang, X., Zhang, K.: Side-channel leaks in web applications: a reality today, a challenge tomorrow. In: Proceedings of IEEE Symposium on Security and Privacy, 31st IEEE Symposium on Security and Privacy, pp. 191–206. IEEE Computer Society, New York (2010)
Chothia, T., Guha, A.: A statistical test for information leaks using continuous mutual information. In: CSF, pp. 177–190 (2011)
Clark D., Hunt S., Malacaria P.: A static analysis for quantifying information flow in a simple imperative language. J. Comput. Secur. 15(3), 321–371 (2007)
Clarkson M.R., Myers A.C., Schneider F.B.: Quantifying information flow with beliefs. J. Comput. Secur. 17(5), 655–701 (2009)
Clauß, S., Schiffner, S.: Structuring anonymity metrics. In: Digital Identity Management, pp. 55–62 (2006)
Díaz, C., Seys, S., Claessens, J., Preneel, B.: Towards measuring anonymity. In: Privacy Enhancing Technologies, pp. 54–68 (2002)
Dyer, K., Coull, S., Ristenpart, T., Shrimpton, T.: Peek-a-boo, I still see you: why traffic analysis countermeasures fail. In: IEEE Security and Privacy (2012)
Edman, M., Sivrikaya, F., Yener, B.: A combinatorial approach to measuring anonymity. In: ISI, pp. 356–363 (2007)
Fisher R.A.: The use of multiple measures in taxonomic problems. Ann. Eugen. 7, 179–188 (1936)
Gierlichs, B., Troncoso, C., Díaz, C., Preneel, B., Verbauwhede, I.: Revisiting a combinatorial approach toward measuring anonymity. In: WPES, pp. 111–116 (2008)
Goodwill, G., Jun, B., Jaffe, J., Rohatgi, P.: A testing methodology for side-channel resistance validation. In: NIST Non-Invasive Attack Testing Workshop (2011)
Herrmann, D., Wendolsky, R., Federrath, H.: Website fingerprinting: attacking popular privacy enhancing technologies with the multinomial naïve-bayes classifier. In: CCSW, pp. 31–42 (2009)
Jaffe, J., Rohatgi, P., Witteman, M.: Efficient side-channel testing for public key algorithms: RSA case study. In: NIST Non-Invasive Attack Testing Workshop (2011)
Kesdogan, D., Egner, J., Büschkes, R.: Stop-and-Go-MIXes providing probabilistic anonymity in an open system. In: Information Hiding, pp. 83–98 (1998)
Liberatore, M., Levine, B.N.: Inferring the source of encrypted HTTP connections. In: ACM Conference on Computer and Communications Security, pp. 255–263 (2006)
Luo, X., Zhou, P., Chan, E.W.W., Lee, W., Chang, R.K.C., Perdisci, R.: HTTPOS: sealing information leaks with browser-side obfuscation of encrypted flows. In: NDSS (2011)
Mantel, H., Sudbrock, H.: Information-theoretic modeling and analysis of interrupt-related covert channels. In: Formal Aspects in Security and Trust, pp. 67–81 (2008)
Millen, J.K.: Covert channel capacity. In: IEEE Symposium on Security and Privacy, pp. 60–66 (1987)
Moskowitz, I.S., Newman, R.E., Crepeau, D.P., Miller, A.R.: Covert channels and anonymizing networks. In: WPES, pp. 79–88 (2003)
Moskowitz, I.S., Newman, R.E., Syverson, P.: Quasi-anonymous channels. In: IASTED CNIS, pp. 126–131 (2003)
Newman, R.E., Nalla, V.R., Moskowitz, I.S.: Anonymity and covert channels in simple timed mix-firewalls. In: Privacy Enhancing Technologies, pp. 1–16 (2004)
NHS Direct Symptoms Checker. http://www.nhsdirect.nhs.uk/CheckSymptoms.aspx. Accessed 2012
Panchenko, A., Niessen, L., Zinnen, A., Engel, T.: Website fingerprinting in onion routing based anonymization networks. In: WPES (2011)
Paninski L.: Estimation of entropy and mutual information. Neural Comput. 15(6), 1191–1253 (2003)
Selenium: Selenium remote control. http://seleniumhq.org. Accessed 2012
Serjantov, A., Danezis, G.: Towards an information theoretic metric for anonymity. In: Privacy Enhancing Technologies, pp. 41–53 (2002)
Standaert, F.X., Malkin, T., Yung, M.: A unified framework for the analysis of side-channel key recovery attacks. In: EUROCRYPT, pp. 443–461 (2009)
Tóth, G., Hornák, Z., Vajda, F.: Measuring anonymity revisited. In: Proceedings of the Ninth Nordic Workshop on Secure IT Systems, pp. 85–90 (2004)
Zhang, K., Li, Z., Wang, R., Wang, X., Chen, S.: Sidebuster: automated detection and quantification of side-channel leaks in web application development. In: ACM Conference on Computer and Communications Security, pp. 595–606 (2010)
Zhu, Y., Bettati, R.: Anonymity vs. information leakage in anonymity systems. In: ICDCS, pp. 514–524 (2005)
Author information
Authors and Affiliations
Corresponding author
Rights and permissions
About this article
Cite this article
Mather, L., Oswald, E. Pinpointing side-channel information leaks in web applications. J Cryptogr Eng 2, 161–177 (2012). https://doi.org/10.1007/s13389-012-0036-0
Received:
Accepted:
Published:
Issue Date:
DOI: https://doi.org/10.1007/s13389-012-0036-0