Paper 2012/269

Quantifying Side-Channel Information Leakage from Web Applications

Luke Mather and Elisabeth Oswald

Abstract

Recent research has shown that many popular web applications are vulnerable to side-channel attacks on encrypted streams of network data produced by the interaction of a user with an application. As a result, private user data is susceptible to being recovered by a side-channel adversary. A recent focus has been on the development of tools for the detection and quantification of side-channel information leaks from such web applications. In this work we describe a model for these web applications, analyse the effectiveness of previous approaches for the quantification of information leaks, and describe a robust, effective and generically applicable metric based on a statistical estimation of the mutual information between the user inputs made in the application and subsequent observable side-channel information. We use our proposed metric to construct a test capable of analysing sampled traces of packets to detect information leaks, and demonstrate the application of our test on a real-world web application.

Metadata
Available format(s)
PDF
Category
Implementation
Publication info
Published elsewhere. Unknown where it was published
Keywords
side-channel analysis, mutual information, web applications, information leak detection
Contact author(s)
Luke Mather @ bristol ac uk
History
2012-05-21: received
Short URL
https://ia.cr/2012/269
License
Creative Commons Attribution
CC BY

BibTeX

@misc{cryptoeprint:2012/269,
      author = {Luke Mather and Elisabeth Oswald},
      title = {Quantifying Side-Channel Information Leakage from Web Applications},
      howpublished = {Cryptology ePrint Archive, Paper 2012/269},
      year = {2012},
      note = {\url{https://eprint.iacr.org/2012/269}},
      url = {https://eprint.iacr.org/2012/269}
}