Abstract
Side channels are communication channels that were not intended for communication and that accidentally leak information. A storage side channel leaks information through the content of the channel and not its timing behavior. Storage side channels are a large problem in networked applications since the output at the level of the protocol encoding (e.g., HTTP and HTML) often depends on data and control flow. We call such channels hidden because the output differences blend with the noise of the channel. Within a formal system model, we give a necessary and sufficient condition for such storage side channels to exist. Based on this condition, we develop a method to detect this kind of side channel. The method is based on systematic comparisons of network responses of web applications. We show that this method is useful in practice by exhibiting hidden storage side channels in three well-known web applications: Typo3, Postfix Admin, and Zenith Image Gallery.
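One way to implement the response comparison the abstract describes when testing your own application, given as an added example and not the authors' tool. The responses are constructed, and the line-level granularity and all function names are assumptions.

```python
from difflib import SequenceMatcher
from functools import reduce

def static_core(r1, r2):
    """Lines shared, in order, by two responses to the SAME input.
    Whatever differs between them (dates, session ids) is channel noise."""
    sm = SequenceMatcher(a=r1, b=r2, autojunk=False)
    core = []
    for blk in sm.get_matching_blocks():
        core.extend(r1[blk.a:blk.a + blk.size])
    return core

def secret_dependent_diff(group_a, group_b):
    """Each group holds two or more raw responses recorded for one value of
    the secret. Noise is removed inside each group first, so any difference
    left between the two cores depends on the secret."""
    core_a = reduce(static_core, (r.splitlines() for r in group_a))
    core_b = reduce(static_core, (r.splitlines() for r in group_b))
    sm = SequenceMatcher(a=core_a, b=core_b, autojunk=False)
    return [(core_a[i1:i2], core_b[j1:j2])
            for tag, i1, i2, j1, j2 in sm.get_opcodes() if tag != "equal"]

def sample(date, sid, ms, known_user):
    # Constructed response of a hypothetical login form. The visible page is
    # the same for known and unknown users; only one header differs.
    extra = "Pragma: no-cache\n" if known_user else ""
    return (f"HTTP/1.1 200 OK\nDate: {date}\nSet-Cookie: sid={sid}\n{extra}"
            "Content-Type: text/html\n\n<p>Login failed.</p>\n"
            f"<!-- rendered in {ms} ms -->")

# Constructed sample data: two recordings per secret value.
KNOWN = [sample("Mon, 01 Jan 2024 10:00:01 GMT", "a1f3", 13, True),
         sample("Mon, 01 Jan 2024 10:00:07 GMT", "9c2e", 21, True)]
UNKNOWN = [sample("Mon, 01 Jan 2024 10:00:03 GMT", "77b0", 17, False),
           sample("Mon, 01 Jan 2024 10:00:09 GMT", "e4d8", 9, False)]

if __name__ == "__main__":
    for only_a, only_b in secret_dependent_diff(KNOWN, UNKNOWN):
        print("known user only:  ", only_a)
        print("unknown user only:", only_b)
```

A noise value that happens to repeat across the recordings of one group stays in the core, so recording more responses per secret value reduces false positives.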
Copyright information
© 2011 IFIP International Federation for Information Processing
About this paper
Cite this paper
Freiling, F.C., Schinzel, S. (2011). Detecting Hidden Storage Side Channel Vulnerabilities in Networked Applications. In: Camenisch, J., Fischer-Hübner, S., Murayama, Y., Portmann, A., Rieder, C. (eds) Future Challenges in Security and Privacy for Academia and Industry. SEC 2011. IFIP Advances in Information and Communication Technology, vol 354. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-642-21424-0_4
DOI: https://doi.org/10.1007/978-3-642-21424-0_4
Publisher Name: Springer, Berlin, Heidelberg
Print ISBN: 978-3-642-21423-3
Online ISBN: 978-3-642-21424-0
eBook Packages: Computer Science, Computer Science (R0)