Quantitative Information Flow of Side-Channel Leakages in Web Applications
Publisher
Metadata
Show full item recordAbstract
It is not a secret that communications between client sides and server sides in web
applications can leak user confidential data through side-channel attacks. The lower lever
traffic features, such as packet sizes, packet lengths, timings, etc., are public to
attackers. Attackers can infer a user's web activities including web browsing histories
and user sensitive information by analysing web traffic generated during communications,
even when the traffic is encrypted.
There has been an increasing public concern about the disclosure of user privacy
through side-channel attacks in web applications. A large amount of work has been
proposed to analyse and evaluate this kind of security threat in the real world.
This dissertation addresses side-channel vulnerabilities from different perspectives.
First, a new approach based on verification and quantitative information
flow is proposed
to perform a fully automated analysis of side-channel leakages in web applications. Core
to this aim is the generation of test cases without developers' manual work. Techniques
are implemented into a tool, called SideAuto, which targets at the Apache Struts web
applications.
Then the focus is turned to real-world web applications. A black-box methodology
of automatically analysing side-channel vulnerabilities in real-world web applications is
proposed. This research demonstrates that communications which are not explicitly
involving user sensitive information can leak user secrets, even more seriously than a
traffic explicitly transmitting user information.
Moreover, this thesis also examines side-channel leakages of user identities from
Google accounts. The research demonstrates that user identities can be revealed, even
when communicating with external websites included in Alexa Top 150 websites, which
have no relation to Google accounts.
Authors
Huang, XujingCollections
- Theses [3831]