The Community for Technology Leaders
2017 32nd IEEE/ACM International Conference on Automated Software Engineering (ASE) (2017)
Urbana, IL, USA
Oct. 30, 2017 to Nov. 3, 2017
ISBN: 978-1-5386-3976-4
pp: 229-239
Jia Chen , The University of Texas at Austin, United States
Oswaldo Olivo , The University of Texas at Austin, United States
Isil Dillig , The University of Texas at Austin, United States
Calvin Lin , The University of Texas at Austin, United States
ABSTRACT
Web applications can leak confidential user information due to the presence of unintended side-channel vulnerabilities in code. One particularly subtle class of side-channel vulnerabilities arises due to resource usage imbalances along different execution paths of a program. Such side-channel vulnerabilities are especially severe if the resource usage imbalance is asymptotic. This paper formalizes the notion of asymptotic resource side-channels and presents a lightweight static analysis algorithm for automatically detecting them. Based on these ideas, we have developed a tool called SCANNER that detects resource-related side-channel vulnerabilities in PHP applications. SCANNER has found 18 zero-day security vulnerabilities in 10 different web applications and reports only 2 false positives. The vulnerabilities uncovered by SCANNER can be exploited using cross-site search attacks to extract various kinds of confidential information, such as a user's medications or purchase history.
INDEX TERMS
Security, Timing, Databases, Algorithm design and analysis, Tools, Time factors
CITATION

J. Chen, O. Olivo, I. Dillig and C. Lin, "Static detection of asymptotic resource side-channel vulnerabilities in web applications," 2017 32nd IEEE/ACM International Conference on Automated Software Engineering (ASE), Urbana, IL, USA, 2017, pp. 229-239.
doi:10.1109/ASE.2017.8115636
152 ms
(Ver 3.3 (11022016))