Skip to main content
SpringerLink
Log in

Toward Exposing Timing-Based Probing Attacks in Web Applications

  • Conference paper
  • First Online:
Wireless Algorithms, Systems, and Applications (WASA 2016)

Part of the book series: Lecture Notes in Computer Science ((LNTCS,volume 9798))

Abstract

Timing attacks in web applications have been known for over a decade. Recently, new attacks have been reported to exploit timing techniques to probe sensitive information from web applications. In this paper, we present a tool to detect timing-based probing attacks in web applications. The main idea of our approach is to monitor the browser behaviors and identify anomalous timing behaviors. We prototyped our approach in the Google Chrome browser, and demonstrated its effectiveness.

This is a preview of subscription content, log in via an institution to check access.

Access this chapter

Log in via an institution
Chapter
USD 29.95
Price excludes VAT (USA)
  • Available as PDF
  • Read on any device
  • Instant download
  • Own it forever
eBook
USD 39.99
Price excludes VAT (USA)
  • Available as EPUB and PDF
  • Read on any device
  • Instant download
  • Own it forever
Softcover Book
USD 54.99
Price excludes VAT (USA)
  • Compact, lightweight edition
  • Dispatched in 3 to 5 business days
  • Free shipping worldwide - see info

Tax calculation will be finalised at checkout

Purchases are for personal use only

Institutional subscriptions

Notes

  1. 1.

    Traditional ways to do this is by calling “getComputedStyle” method, but this method has already been modified to prevent this kind of misuse. However, there are still other ways to check the links colors [13, 18].

  2. 2.

    Note that the behaviors in W might not always be shown as the form of a function call (e.g. when loading an image, it’s just an assignment to the src attribute of the image element).

References

  1. Same-origin policy. http://en.wikipedia.org/wiki/Same-origin_policy

  2. Agrawal, D., Archambeault, B., Rao, J.R., Rohatgi, P.: The EM side—channel(s). In: Kaliski, B.S., Koç, Ç.K., Paar, C. (eds.) Cryptographic Hardware and Embedded Systems - CHES 2002. LNCS, vol. 2523, pp. 29–45. Springer, Heidelberg (2003)

    Chapter  Google Scholar 

  3. Bansal, C., Preibusch, S., Milic-Frayling, N.: Cache timing attacks revisited: efficient and repeatable browser history, OS and network sniffing. In: Federrath, H., Gollmann, D., Chakravarthy, S.R. (eds.) SEC 2015. IFIP AICT, vol. 455, pp. 97–111. Springer, Heidelberg (2015). doi:10.1007/978-3-319-18467-8_7

    Chapter  Google Scholar 

  4. Brier, E., Joye, M.: Weierstraß elliptic curves and side-channel attacks. Public Key Cryptography. Springer, Heidelberg (2002)

    Book  MATH  Google Scholar 

  5. Cabuk, S., Brodley, C.E., Shields, C.: IP covert timing channels: design and detection. In: Proceedings of the 11th ACM Conference on Computer and Communications Security (2004)

    Google Scholar 

  6. Chen, S., Wang, R., Wang, X., Zhang, K.: Side-channel leaks in web applications: A reality today, a challenge tomorrow. In: Proceedings of the IEEE Symposium on Security and Privacy. IEEE (2010)

    Google Scholar 

  7. Chevallier-Mames, B., Ciet, M., Joye, M.: Low-cost solutions for preventing simple side-channel analysis: Side-channel atomicity. IEEE Trans. Comput. 53(6), 760–768 (2004)

    Article  MATH  Google Scholar 

  8. Felten, E.W. Schneider, M.A.: Timing attacks on web privacy. In: Proceedings of the 7th ACM Conference on Computer and Communications Security (2000)

    Google Scholar 

  9. Irazoqui, G., Eisenbarth, T., Sunar, B.: S$a: A shared cache attack that works across cores and defies VM sandboxingand its application to AES. In: Proceedings of the 36th IEEE Symposium on Security and Privacy (2015)

    Google Scholar 

  10. Jackson, C., Bortz, A., Boneh, D., Mitchell, J.C.: Protecting browser state from web privacy attacks. In: Proceedings of the 15th International Conference on World Wide Web (2006)

    Google Scholar 

  11. Janc, A., Olejnik, L.: Feasibility and real-world implications of web browser history detection. In: Proceedings of Web 2.0 Security and Privacy Workshopp (2010)

    Google Scholar 

  12. Jia, Y., Dong, X., Liang, Z., Saxena, P.: I know where you’ve been: Geo-inference attacks via the browser cache. Internet Comput. IEEE 19(1), 44–53 (2015)

    Article  Google Scholar 

  13. Kotcher, R., Pei, Y., Jumde, P., Jackson, C.: Cross-origin pixel stealing: timing attacks using CSS filters. In: Proceedings of the ACM Conference on Computer and Communications Security (2013)

    Google Scholar 

  14. Lee, S., Kim, H., Kim, J.: Identifying cross-origin resource status using application cache (2015)

    Google Scholar 

  15. Liu, F., Yarom, Y., Ge, Q., Heiser, G., Lee, R.B.: Last-level cache side-channel attacks are practical. In: Proceedings of the 36th IEEE Symposium on Security and Privacy (2015)

    Google Scholar 

  16. Oren, Y., Kemerlis, V.P., Sethumadhavan, S., Keromytis, A.D.: The spy in the sandbox: Practical cache attacks in Javascript. In: Proceedings of the 22nd ACM SIGSAC Conference on Computer and Communications Security (2015)

    Google Scholar 

  17. Stone, P.: Pixel perfect timing attacks with html5. Context Information Security(White Paper) (August 2013)

    Google Scholar 

  18. Weinberg, Z., Chen, E.Y., Jayaraman, P.R., Jackson, C.: I still know what you visited last summer: Leaking browsing history via user interaction and side channel attacks. In: Proceedings of the IEEE Symposium on Security and Privacy (2011)

    Google Scholar 

Download references

Acknowledgment

This work was supported in part by the National Natural Science Foundation of China (No. 61402029), the National Key Basic Research Program (NKBRP) (973 Program) (No. 2012CB315905), the National Natural Science Foundation of China (No. 61370190), Beijing Natural Science Foundation (No4162020), Singapore Ministry of Education under NUS grant R-252-000-539-112.

Author information

Authors and Affiliations

  1. School of Electronic and Information Engineering, BeiHang University, Beijing, China

    Jian Mao, Yue Chen & Futian Shi

  2. School of Computing, National University of Singapore, Singapore, Singapore

    Yaoqi Jia & Zhenkai Liang

  3. Department of Computer Science, George Washington University, Washington, DC, USA

    Jian Mao & Zhenkai Liang

Authors
  1. Jian Mao
    View author publications

    You can also search for this author in PubMed Google Scholar

  2. Yue Chen
    View author publications

    You can also search for this author in PubMed Google Scholar

  3. Futian Shi
    View author publications

    You can also search for this author in PubMed Google Scholar

  4. Yaoqi Jia
    View author publications

    You can also search for this author in PubMed Google Scholar

  5. Zhenkai Liang
    View author publications

    You can also search for this author in PubMed Google Scholar

Corresponding author

Correspondence to Jian Mao .

Editor information

Editors and Affiliations

  1. Montana State University , Bozeman, USA

    Qing Yang

  2. Dept of Computer & Information Sci, Towson University, Towson, Maryland, USA

    Wei Yu

  3. Laboratoire de Méthodes de Conception de , Algiers, Algeria

    Yacine Challal

Rights and permissions

Reprints and permissions

Copyright information

© 2016 Springer International Publishing Switzerland

About this paper

Cite this paper

Mao, J., Chen, Y., Shi, F., Jia, Y., Liang, Z. (2016). Toward Exposing Timing-Based Probing Attacks in Web Applications. In: Yang, Q., Yu, W., Challal, Y. (eds) Wireless Algorithms, Systems, and Applications. WASA 2016. Lecture Notes in Computer Science(), vol 9798. Springer, Cham. https://doi.org/10.1007/978-3-319-42836-9_44

Download citation

  • DOI: https://doi.org/10.1007/978-3-319-42836-9_44

  • Published:

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-319-42835-2

  • Online ISBN: 978-3-319-42836-9

  • eBook Packages: Computer ScienceComputer Science (R0)

Publish with us

Policies and ethics

Search

Navigation