Sidebuster: Automated Detection and Quantification of Side-Channel Leaks in Web Application Development

  • Kehuan Zhang ,
  • Zhou Li ,
  • Rui Wang ,
  • XiaoFeng Wang ,

Proceedings of the ACM Conference on Computer and Communications Security (CCS) |

Published by Association for Computing Machinery, Inc.

Publication

A web application is a “two-part” program, with its components deployed both in the browser and in the web server. The communication between these two components inevitably leaks out the program’s internal states to those eavesdropping on its web traffic, simply through the side channel features of the communication such as packet length and timing, even if the traffic is entirely encrypted. Our recent study shows that such side-channel leaks are both fundamental and realistic: a set of popular web applications are found to disclose highly sensitive user data such as one’s family incomes, health profiles, investment secrets and more through their side channels. Our study also shows that an significant improvement of the current web-application development practice is necessary to mitigate this threat. To answer this urgent call, we present in this paper a suite of new techniques for automatic detection and quantification of side-channel leaks in web applications. Our approach, called Sidebuster, can automatically analyze an application’s source code to detect its side channels and then perform a rerun test to assess the amount of information disclosed through such channels (quantified as the entropy loss). Sidebuster has been designed to work on event-driven applications and can effectively handle the AJAX GUI widgets used in most web applications. In our research, we implemented a prototype of our technique for analyzing GWT applications and evaluated it using complicated web applications. Our study shows that Sidebuster can effectively identify the side-channel leaks in these applications and assess their severity, with a small overhead.