nach oben

Erschienen in:

2015 | OriginalPaper | Buchkapitel

Attacking Suggest Boxes in Web Applications Over HTTPS Using Side-Channel Stochastic Algorithms

verfasst von : Alexander Schaub, Emmanuel Schneider, Alexandros Hollender, Vinicius Calasans, Laurent Jolie, Robin Touillon, Annelie Heuser, Sylvain Guilley, Olivier Rioul

Erschienen in: Risks and Security of Internet and Systems

Verlag: Springer International Publishing

Einloggen

Aktivieren Sie unsere intelligente Suche, um passende Fachinhalte oder Patente zu finden.

search-config

KI-gestützte Suche

Aus

Abstract

Web applications are subject to several types of attacks. In particular, side-channel attacks consist in performing a statistical analysis of the web traffic to gain sensitive information about a client. In this paper, we investigate how side-channel leaks can be used on search engines such as Google or Bing to retrieve the client’s search query. In contrast to previous works, due to payload randomization and compression, it is not always possible to uniquely map a search query to a web traffic signature and hence stochastic algorithms must be used. They yield, for the French language, an exact recovery of search word in more than \(30\) % of the cases. Finally, we present some methods to mitigate such side-channel leaks.

Sie haben noch keine Lizenz? Dann Informieren Sie sich jetzt über unsere Produkte:

Springer Professional "Wirtschaft+Technik"

Online-Abonnement

Mit Springer Professional "Wirtschaft+Technik" erhalten Sie Zugriff auf:

über 102.000 Bücher
über 537 Zeitschriften

aus folgenden Fachgebieten:

Automobil + Motoren
Bauwesen + Immobilien
Business IT + Informatik
Elektrotechnik + Elektronik
Energie + Nachhaltigkeit
Finance + Banking
Management + Führung
Marketing + Vertrieb
Maschinenbau + Werkstoffe
Versicherung + Risiko

Jetzt Wissensvorsprung sichern!

Jetzt informieren

Springer Professional "Technik"

Online-Abonnement

Mit Springer Professional "Technik" erhalten Sie Zugriff auf:

über 67.000 Bücher
über 390 Zeitschriften

aus folgenden Fachgebieten:

Automobil + Motoren
Bauwesen + Immobilien
Business IT + Informatik
Elektrotechnik + Elektronik
Energie + Nachhaltigkeit
Maschinenbau + Werkstoffe

Jetzt Wissensvorsprung sichern!

Jetzt informieren

Springer Professional "Wirtschaft"

Online-Abonnement

Mit Springer Professional "Wirtschaft" erhalten Sie Zugriff auf:

über 67.000 Bücher
über 340 Zeitschriften

aus folgenden Fachgebieten:

Bauwesen + Immobilien
Business IT + Informatik
Finance + Banking
Management + Führung
Marketing + Vertrieb
Versicherung + Risiko

Jetzt Wissensvorsprung sichern!

Jetzt informieren

Vorheriges Kapitel Latent Semantic Analysis for Privacy Preserving Peer Feedback

Nächstes Kapitel Location–Aware RBAC Based on Spatial Feature Models and Realistic Positioning

See description of Google Instant: http://goo.gl/WI9Zu and Google Autocomplete: http://goo.gl/jv3fQ.

More precisely, the sizes of the packets sent by the user are fixed for a given number of letters, and the sizes of received packets containing suggestions depend only on the word typed by the user (it may only change if Google changes the suggested search queries).

http://www.telerik.com/fiddler.

This is known as Google Instant.

A Face Is Exposed for AOL Searcher, New York Times article, 9 August 2006. http://select.nytimes.com/gst/abstract.html?res=F10612FC345B0C7A8CDDA10894DE404482. Accessed 27 July 2014

Making Search More Secure, 18 October 2011. http://googleblog.blogspot.fr/2011/10/making-search-more-secure.html. Accessed 27 July 2014

Post-PRISM, Google Confirms Quietly Moving To Make All Searches Secure, Except For Ad Clicks, 23 September 2013. http://searchengineland.com/post-prism-google-secure-searches-172487. Accessed 17 July 2014

Cantino, A.: Demasking Google Users With a Timing Attack (blog post). http://blog.andrewcantino.com/blog/2014/09/04/demasking-google-users-with-a-timing-attack/

Chen, S., Wang, R., Wang, X., Zhang, K.:Side-channel leaks in web applications: a reality today, a challenge tomorrow. In: Proceedings of the 2010 IEEE Symposium on Security and Privacy (SP 2010), pp. 191–206 (2010)

Liberatore, M., Levine, N.B.: Inferring the source of encrypted HTTP connections. In: Proceedings of the 13th ACM Conference on Computer and Communications Security (CCS 2006), pp. 255–263. ACM, New York (2006)

Herrmann, D., Wendolsky, R., Federrath, H.: Website fingerprinting: attacking popular privacy enhancing technologies with the multinomial Naïve-Bayes classifier. In: Proceedings of the 2009 ACM Workshop on Cloud Computing Security (CCSW 2009), pp. 31–42 (2009)

Mather, L., Oswald, E.: Pinpointing side-channel information leaks in web applications. J. Cryptogr. Eng. 2(3), 161–177 (2012). Also available in ICAR ePrint 2012:269CrossRef

Sampreet Sharma, A., Bernard Menezes, M.: Implementing side-channel attacks on suggest boxes in web applications. In: Proceedings of the First International Conference on Security of Internet of Things, SecurIT 2012, Amritapuri, Kollam, pp. 57–62 (2012)

10.

Fredkin, E.: Trie memory. Commun. ACM 3(9), 490–499 (1960)CrossRef

11.

Tey, C.M., Gupta, P., Gao, D., Zhang, Y.: Keystroke timing analysis of on-the-fly web apps. In: Jacobson, M., Locasto, M., Mohassel, P., Safavi-Naini, R. (eds.) ACNS 2013. LNCS, vol. 7954, pp. 405–413. Springer, Heidelberg (2013) CrossRef

12.

Nassar, M., Guilley, S., Danger, J.-L.: Formal analysis of the entropy/security trade-off in first-order masking countermeasures against side-channel attacks. In: Bernstein, D.J., Chatterjee, S. (eds.) INDOCRYPT 2011. LNCS, vol. 7107, pp. 22–39. Springer, Heidelberg (2011) CrossRef

13.

Backes, M., Doychev, G., Köpf, B.: Preventing side-channel leaks in web traffic: a formal approach. In: 20th Annual Network and Distributed System Security Symposium, NDSS 2013, San Diego, California, USA, 24–27 February 2013, 17 p. http://internetsociety.org/doc/preventing-side-channel-leaks-web-traffic-formal-approach

14.

Dyer, K.P., Coull, S.E., Ristenpart, T., Shrimpton, T.: Peek-a-Boo, i still see you: why efficient traffic analysis countermeasures fail. In: Proceedings of the 2012 IEEE Symposium on Security and Privacy (SP 2012), San Francisco, California, USA, pp. 332–346 (2012)

Titel: Attacking Suggest Boxes in Web Applications Over HTTPS Using Side-Channel Stochastic Algorithms
verfasst von: Alexander Schaub
Emmanuel Schneider
Alexandros Hollender
Vinicius Calasans
Laurent Jolie
Robin Touillon
Annelie Heuser
Sylvain Guilley
Olivier Rioul
Verlag: Springer International Publishing
Buch: Risks and Security of Internet and Systems
Print ISBN: 978-3-319-17126-5

Electronic ISBN: 978-3-319-17127-2

Copyright-Jahr: 2015
DOI: https://doi.org/10.1007/978-3-319-17127-2_8

Springer Professional

Abstract

Bitte loggen Sie sich ein, um Zugang zu Ihrer Lizenz zu erhalten.

Sie haben noch keine Lizenz? Dann Informieren Sie sich jetzt über unsere Produkte:

Springer Professional "Wirtschaft+Technik"

Springer Professional "Technik"

Springer Professional "Wirtschaft"