Side Channel Threats in the Software-as-a-Service Era: Challenges and Responses
Xiaofeng Wang - Indiana University
Sep 15, 2010
Abstract
With software-as-a-service becoming mainstream, more and more applications are delivered to the client through the Web. Unlike a desktop application, a web application is a "two-part" program, with its components deployed both in the browser and in the web server. The communication between these two components inevitably leaks out the program's internal states to those eavesdropping on its web traffic, simply through the side channel features of the communication such as packet length and timing, even if the traffic is entirely encrypted. In this talk, I will present our discovery showing that such side-channel leaks are both fundamental and realistic: a set of high-profile web applications are found to disclose highly sensitive user data such as one's family incomes, health profiles, investment secrets and more through their side channels. More importantly, we found that the root causes of the problem are some fundamental characteristics of web applications: stateful communication, low entropy input for better interaction, and significant traffic distinctions. This indicates that a significant improvement of the current web-application development practice becomes necessary. As a response to this urgent call, I will also describe in this talk a new technique we developed, called Sidebuster, which facilitates detection and quantification of side-channel vulnerabilities during development of web applications.
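The three root causes named in the abstract (stateful communication, low-entropy input, distinct traffic) can be reproduced in a few dozen lines. The following is an added example written for this page; it is not code from the talk, from the Sidebuster tool, or from any of the applications the speaker studied. It models a hypothetical autocomplete box over a constructed list of fifteen medical conditions: the browser sends one request per keystroke, the server answers with a JSON suggestion list (the format is an assumption), and the eavesdropper sees only ciphertext lengths, modelled as plaintext length plus an assumed constant record overhead. The attacker drives the application with every candidate input to build a table of length traces, then looks up the observed trace. A bucket-padding countermeasure is included so the leak can be compared before and after.

```python
"""Added example (not part of the CERIAS page or the Sidebuster tool):
a toy model of the packet-length side channel in an autocomplete web app."""
import json
import math
from collections import defaultdict

# Constructed vocabulary: stands in for a low-entropy input field, e.g. the
# conditions a health site offers through an autocomplete box.
VOCAB = [
    "anemia", "anxiety", "arthritis", "asthma", "autism", "bronchitis",
    "cancer", "cataract", "diabetes", "depression", "eczema", "epilepsy",
    "hepatitis", "hernia", "hypertension",
]

# Assumed constant per-record overhead of the encryption layer (header, nonce,
# authentication tag). Its exact value is irrelevant to the attack; what leaks
# is that ciphertext length equals plaintext length plus a constant.
RECORD_OVERHEAD = 29


def suggestions(prefix: str, limit: int = 5) -> list[str]:
    """Server-side autocomplete: up to `limit` entries sharing the prefix."""
    return sorted(w for w in VOCAB if w.startswith(prefix))[:limit]


def response_plaintext(prefix: str) -> bytes:
    """Hypothetical JSON body the server returns for one keystroke."""
    return json.dumps({"q": prefix, "suggestions": suggestions(prefix)}).encode()


def ciphertext_len(plaintext: bytes) -> int:
    """Length an eavesdropper sees when the response is sent as-is over TLS."""
    return len(plaintext) + RECORD_OVERHEAD


def padded_len(plaintext: bytes, bucket: int = 256) -> int:
    """Countermeasure: pad every response up to a multiple of `bucket` bytes."""
    return math.ceil(len(plaintext) / bucket) * bucket + RECORD_OVERHEAD


def trace(word: str, length_fn=ciphertext_len) -> tuple[int, ...]:
    """Stateful communication: one request per keystroke, so the eavesdropper
    observes a sequence of response lengths, one per prefix of the input."""
    return tuple(length_fn(response_plaintext(word[:i]))
                 for i in range(1, len(word) + 1))


def signature_table(length_fn=ciphertext_len) -> dict[tuple[int, ...], set[str]]:
    """Attacker precomputation: drive the app with every candidate input and
    record its trace. Inputs with identical traces are indistinguishable."""
    table: dict[tuple[int, ...], set[str]] = defaultdict(set)
    for w in VOCAB:
        table[trace(w, length_fn)].add(w)
    return dict(table)


def infer(observed: tuple[int, ...], table) -> set[str]:
    """Candidate inputs consistent with an observed length sequence."""
    return set(table.get(observed, set()))


def leaked_bits(table) -> float:
    """Information leaked on average: log2|V| minus the expected log2 size of
    the surviving candidate set, for a uniformly chosen input."""
    n = len(VOCAB)
    remaining = sum(len(s) / n * math.log2(len(s)) for s in table.values())
    return math.log2(n) - remaining


if __name__ == "__main__":
    plain = signature_table(ciphertext_len)
    padded = signature_table(padded_len)
    for w in ("diabetes", "asthma"):
        print(w, "unpadded ->", sorted(infer(trace(w), plain)),
              "| padded ->", sorted(infer(trace(w, padded_len), padded)))
    print(f"leak without padding: {leaked_bits(plain):.2f} bits, "
          f"with padding: {leaked_bits(padded):.2f} bits "
          f"of {math.log2(len(VOCAB)):.2f}")
```

Two things worth noticing when running it. Without padding, the trace for "diabetes" is unique and "asthma" is narrowed to two candidates out of fifteen, purely from response sizes. With padding, every response lands in the same 256-byte bucket, yet the eavesdropper still learns the word length because each keystroke is a separate round trip; the candidate set for "asthma" is exactly the six-letter words. Padding attacks the "significant traffic distinctions" cause but leaves the "stateful communication" cause untouched, which is why the abstract argues the fix must reach into application design rather than the transport layer.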
About the Speaker
Dr. XiaoFeng Wang is the Director of the Center for Security Informatics under the School of Informatics and Computing, Indiana University. He received his Ph.D. in Electrical and Computer Engineering from Carnegie Mellon University in August 2004, and has since been a faculty member at IU. Dr. Wang is a recognized active researcher on system and network security, privacy protection and incentive engineering. His group extensively publishes at leading security venues and vigorously pursues innovative and high-impact research directions. His current work focuses on privacy issues in processing and dissemination of human genome data, and security/privacy issues in Cloud Computing. Dr. Wang has also been actively serving the research community, participating in the program committees and organization committees of numerous conferences and workshops. His research is supported by the NSF, the Department of Homeland Security and the Air Force.
The views, opinions and assumptions expressed in these videos are those of the presenter and do not necessarily reflect the official policy or position of CERIAS or Purdue University. All content included in these videos is the property of Purdue University, the presenter and/or the presenter's organization, and is protected by U.S. and international copyright laws. The collection, arrangement and assembly of all content in these videos and on the hosting website are the exclusive property of Purdue University. You may not copy, reproduce, distribute, publish, display, perform, modify, create derivative works, transmit, or in any other way exploit any part of the copyrighted material without permission from CERIAS, Purdue University.