ASE 2017

2017 32nd IEEE/ACM International Conference on Automated Software Engineering (ASE 2017), October 30 – November 3, 2017, Urbana-Champaign, IL, USA

Desktop Layout

Security
Technical Research
Static Detection of Asymptotic Resource Side-Channel Vulnerabilities in Web Applications
Jia Chen, Oswaldo Olivo, Isil Dillig, and Calvin Lin
(University of Texas at Austin, USA)
Abstract: Web applications can leak confidential user information due to the presence of unintended side-channel vulnerabilities in code. One particularly subtle class of side-channel vulnerabilities arises due to resource usage imbalances along different execution paths of a program. Such side-channel vulnerabilities are especially severe if the resource usage imbalance is asymptotic. In particular, if the resource usage is constant along one branch but asymptotically dependent on user input along another branch, the attacker can arbitrarily inflate the program's input to amplify differences in resource usage, with the goal of inferring confidential user data. This paper formalizes the notion of asymptotic resource side-channels and presents a lightweight static analysis algorithm for automatically detecting such vulnerabilities in web applications. Based on these ideas, we have developed a tool called SCANNER for detecting resource-related side-channel vulnerabilities in PHP applications. SCANNER has found 18 zero-day security vulnerabilities in 10 different web applications and reports only 2 false positives. The vulnerabilities uncovered by SCANNER can be exploited using cross-site search attacks to extract various kinds of confidential information, such as a user's medications or purchase history.

Authors:


Time stamp: 2019-09-22T02:00:17+02:00