The Center for Education and Research in Information Assurance and Security (CERIAS)

The Center for Education and Research in
Information Assurance and Security (CERIAS)
Center for Education and Research in Information Assurance and Security

Xiaofeng Wang - Indiana University

Students: Spring 2024, unless noted otherwise, sessions will be virtual on Zoom.

Side Channel Threats in the Software-as-a-Service Era: Challenges and Responses

Sep 15, 2010

Download: Video Icon MP4 Video Size: 445.1MB  
Watch on Youtube Watch on YouTube

Abstract

With software-as-a-service becoming mainstream, more and more applications are delivered to the client through the Web. Unlike a desktop application, a web application is a "two-part" program, with its components deployed both in the browser and in the web server. The communication between these two components inevitably leaks out the program's internal states to those eavesdropping on its web traffic, simply through the side channel features of the communication such as packet length and timing, even if the traffic is entirely encrypted. In this talk, I will present our discovery showing that such side-channel leaks are both fundamental and realistic: a set of high-profile web applications are found to disclose highly sensitive user data such as one's family incomes, health profiles, investment secrets and more through their side channels. More importantly, we found that the root causes of the problem are some fundamental characteristics of web applications: stateful communication, low entropy input for better interaction, and significant traffic distinctions. This indicates that a significant improvement of the current web-application development practice becomes necessary. As a response to this urgent call, I will also describe in this talk a new technique we developed, called Sidebuster, which facilitates detection and quantification of side-channel vulnerabilities during development of web applications.

About the Speaker

Xiaofeng Wang
Dr. XiaoFeng Wang is the Director of Center for Security Informatics under the School of Informatics and Computing, Indiana University. He received his Ph.D. in Electrical and Computer Engineering from Carnegie Mellon University in August, 2004, and has since been a faculty member at IU. Dr. Wang is a recognized active researcher on system and network security, privacy protection and incentive engineering. His group extensively publishes at leading security venues and vigorously pursues innovative and high-impact research directions. His current work focuses on privacy issues in processing and dissemination of human genome data, and security/privacy issues in Cloud Computing. Dr. Wang has also been actively serving the research community, participating in the program committees and organization committees of numerous conferences and workshops. His research is supported by the NSF, Department of Homeland Security and the Air Force.


Ways to Watch

YouTube

Watch Now!

Over 500 videos of our weekly seminar and symposia keynotes are available on our YouTube Channel. Also check out Spaf's YouTube Channel. Subscribe today!