Detecting Hidden Storage Side Channel Vulnerabilities in Networked Applications

Abstract: Side channels are communication channels that were not intended for communication and that accidentally leak information. A storage side channel leaks information through the content of the channel and not its timing behavior. Storage side channels are a large problem in networked applications since the output at the level of the protocol encoding (e.g., HTTP and HTML) often depends on data and control flow. We call such channels hidden because the output differences blend with the noise of the channel. Within a formal system model, we give a necessary and sufficient condition for such storage side channels to exist. Based on this condition, we develop a method to detect this kind of side channel. The method is based on systematic comparisons of network responses of web applications. We show that this method is useful in practice by exhibiting hidden storage side channels in three well-known web applications: Typo3, Postfix Admin, and Zenith Image Gallery.
Document type: Conference paper
Jan Camenisch; Simone Fischer-Hübner; Yuko Murayama; Armand Portmann; Carlos Rieder. 26th International Information Security Conference (SEC), Jun 2011, Lucerne, Switzerland. Springer, IFIP Advances in Information and Communication Technology, AICT-354, pp.41-55, 2011, Future Challenges in Security and Privacy for Academia and Industry. 〈10.1007/978-3-642-21424-0_4〉

Cited literature: 23 references

https://hal.inria.fr/hal-01567587
Contributor: Hal Ifip
Submitted on: Monday, 24 July 2017 - 10:40:11
Last modified on: Monday, 24 July 2017 - 10:42:16

File

978-3-642-21424-0_4_Chapter.pd...
Files produced by the author(s)

License

Distributed under a Creative Commons Attribution 4.0 International License

Citation

Felix Freiling, Sebastian Schinzel. Detecting Hidden Storage Side Channel Vulnerabilities in Networked Applications. Jan Camenisch; Simone Fischer-Hübner; Yuko Murayama; Armand Portmann; Carlos Rieder. 26th International Information Security Conference (SEC), Jun 2011, Lucerne, Switzerland. Springer, IFIP Advances in Information and Communication Technology, AICT-354, pp.41-55, 2011, Future Challenges in Security and Privacy for Academia and Industry. 〈10.1007/978-3-642-21424-0_4〉. 〈hal-01567587〉
