Xiaofeng Wang - Indiana University
Side Channel Threats in the Software-as-a-Service Era: Challenges and Responses
Sep 15, 2010
Abstract
With software-as-a-service becoming mainstream, more and more applications are delivered to the client through the Web. Unlike a desktop application, a web application is a "two-part" program, with its components deployed both in the browser and in the web server. The communication between these two components inevitably leaks the program's internal states to those eavesdropping on its web traffic, simply through side-channel features of the communication such as packet length and timing, even if the traffic is entirely encrypted. In this talk, I will present our discovery showing that such side-channel leaks are both fundamental and realistic: a set of high-profile web applications are found to disclose highly sensitive user data such as one's family income, health profile, investment secrets and more through their side channels. More importantly, we found that the root causes of the problem are some fundamental characteristics of web applications: stateful communication, low-entropy input for better interaction, and significant traffic distinctions. This indicates that a significant improvement of current web-application development practice is necessary. As a response to this urgent call, I will also describe in this talk a new technique we developed, called Sidebuster, which facilitates detection and quantification of side-channel vulnerabilities during development of web applications.
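The three root causes named in the abstract (stateful communication, low-entropy input, distinguishable traffic) can be seen at work in a small simulation. The code below is an added illustration written for this page; it is not code from the talk and is not the Sidebuster tool. It assumes a hypothetical health-search box that sends one request per keystroke and answers with a JSON suggestion list drawn from a constructed eight-word vocabulary; encryption is modeled as hiding the bytes but not the length of each reply (a constant per-record overhead, as TLS adds, cancels out and is omitted). The attacker first uses the application legitimately to build a profile of (typed prefix, next key) to reply size, then walks that profile along the sizes observed from a victim; the `pad_to` parameter shows how rounding every reply up to a fixed size removes the distinctions. The bit count at the end is a simple uniform-prior measure chosen for this example, not Sidebuster's quantification.

```python
import math
from collections import defaultdict

# Constructed vocabulary for the hypothetical search box. This is the
# "low-entropy input" property: at each keystroke only a few letters lead
# anywhere, so a reply size narrows the choice sharply.
VOCAB = ["aids", "anemia", "asthma", "cancer", "cholera",
         "dementia", "depression", "diabetes"]
MAX_SUGGESTIONS = 3
ALPHABET = "abcdefghijklmnopqrstuvwxyz"
MAX_LEN = max(map(len, VOCAB))


def suggestions(prefix):
    """Server side of the hypothetical app: suggestion list for the prefix typed so far."""
    return sorted(w for w in VOCAB if w.startswith(prefix))[:MAX_SUGGESTIONS]


def body_length(words, pad_to=None):
    """Size of the hypothetical JSON reply. Encryption hides the bytes but not the
    length, so this is what a passive observer on the wire measures. pad_to models
    a server that rounds every reply up to a multiple of a fixed block size."""
    n = len('{"suggest":[' + ",".join('"%s"' % w for w in words) + "]}")
    return -(-n // pad_to) * pad_to if pad_to else n   # ceiling to a multiple of pad_to


def response_length(prefix, pad_to=None):
    return body_length(suggestions(prefix), pad_to)


def eavesdrop(word, pad_to=None):
    """The victim types `word` one key at a time; the observer records one reply size per keystroke."""
    return [response_length(word[:i], pad_to) for i in range(1, len(word) + 1)]


def build_profile(pad_to=None):
    """Attacker phase 1: use the app legitimately and map (state, keystroke) -> reply size.
    States are typed prefixes. A prefix that no vocabulary word extends is not expanded,
    because from there every reply is the identical empty list."""
    profile = {}
    stack = [""]
    while stack:
        prefix = stack.pop()
        for c in ALPHABET:
            nxt = prefix + c
            profile[(prefix, c)] = response_length(nxt, pad_to)
            if suggestions(nxt) and len(nxt) < MAX_LEN:
                stack.append(nxt)
    return profile


def recover(observed, profile, pad_to=None):
    """Attacker phase 2: walk the profile along the observed sizes. Because the exchange
    is stateful, each reply is conditioned on everything typed before it, so the
    candidate set is pruned at every keystroke. Returns {pattern: count}, where '?'
    marks a keystroke that left the vocabulary and therefore cannot be resolved."""
    empty = body_length([], pad_to)
    cands = {"": 1}
    for size in observed:
        nxt = defaultdict(int)
        for p, n in cands.items():
            if (p, ALPHABET[0]) in profile:            # live state: all 26 transitions known
                for c in ALPHABET:
                    if profile[(p, c)] == size:
                        nxt[p + c] += n
            elif size == empty:                         # dead state: only the empty reply fits
                nxt[p + "?"] += n * len(ALPHABET)
        cands = nxt
    return dict(cands)


def leak_bits(word, pad_to=None):
    """Bits the observer learns about a len(word)-key input from reply sizes alone,
    taking every string of that length as equally likely beforehand
    (a simple measure chosen for this example, not Sidebuster's)."""
    cands = recover(eavesdrop(word, pad_to), build_profile(pad_to), pad_to)
    total = sum(cands.values())
    return len(word) * math.log2(len(ALPHABET)) - math.log2(total), cands


if __name__ == "__main__":
    for word in ["anemia", "dementia", "flu"]:
        for pad in (None, 64):
            bits, cands = leak_bits(word, pad)
            print("%-8s pad=%-4s leaked %5.1f bits, %d consistent inputs, e.g. %s"
                  % (word, pad, bits, sum(cands.values()), sorted(cands)[:3]))
```

Unpadded, typing "dementia" is recovered exactly, while "anemia" leaves the observer with two candidates, "anemia" and "asthma", because both prefixes produce single-suggestion replies of the same size at every step; that residual ambiguity is exactly what a quantification step is for. With every reply padded to 64 bytes the profile contains a single size, the candidate set grows by a factor of 26 per keystroke, and the observer learns nothing beyond the number of keys pressed, which the per-keystroke request pattern itself still reveals.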
About the Speaker
Dr. XiaoFeng Wang is the Director of the Center for Security Informatics in the School of Informatics and Computing, Indiana University. He received his Ph.D. in Electrical and Computer Engineering from Carnegie Mellon University in August 2004 and has since been a faculty member at IU. Dr. Wang is a recognized, active researcher on system and network security, privacy protection and incentive engineering. His group publishes extensively at leading security venues and vigorously pursues innovative and high-impact research directions. His current work focuses on privacy issues in the processing and dissemination of human genome data, and on security and privacy issues in cloud computing. Dr. Wang has also been actively serving the research community, participating in the program committees and organizing committees of numerous conferences and workshops. His research is supported by the NSF, the Department of Homeland Security and the Air Force.