Purdue CS 42600 - Exposing Private Information

Exposing Private Information by Timing Web Applications

Andrew Bortz, Stanford University, [email protected]; Dan Boneh, Stanford University, [email protected]; [email protected]

Copyright is held by the International World Wide Web Conference Committee (IW3C2). Distribution of these papers is limited to classroom use, and personal use by others. WWW 2007, May 8–12, 2007, Banff, Alberta, Canada. ACM 978-1-59593-654-7/07/0005.
WWW 2007 / Track: Security, Privacy, Reliability, and Ethics / Session: Defending Against Emerging Threats

ABSTRACT

We show that the time web sites take to respond to HTTP requests can leak private information, using two different types of attacks. The first, direct timing, directly measures response times from a web site to expose private information such as the validity of a username at a secured site or the number of private photos in a publicly viewable gallery. The second, cross-site timing, enables a malicious web site to obtain information from the user's perspective at another site. For example, a malicious site can learn if the user is currently logged in at a victim site and, in some cases, the number of objects in the user's shopping cart. Our experiments suggest that these timing vulnerabilities are widespread. We explain in detail how and why these attacks work, and discuss methods for writing web application code that resists these attacks.

Categories and Subject Descriptors

K.4.4 [Computers and Society]: Electronic Commerce—Security; K.4.1 [Computers and Society]: Public Policy Issues—Privacy

General Terms

Design, Security, Experimentation

Keywords

web application security, web browser design, privacy, web spoofing, phishing

1. INTRODUCTION

Web applications are vulnerable to a variety of well publicized attacks, such as cross-site scripting (XSS) [15], SQL injection [2], cross-site request forgery [14], and many others. In this paper we study timing vulnerabilities in web application implementations. Our results show that timing data can expose private information, suggesting that this issue is often ignored by web developers. We first discuss the type of information revealed by a timing attack and then discuss ways to prevent such attacks.

We consider two classes of timing attacks. The first, called a direct timing attack, measures the time the web site takes to respond to HTTP requests. We experiment with two types of direct attacks:

• Estimating hidden data size. Many sites holding user data, such as photo-sharing sites, blogging sites, and social networking sites, allow users to mark certain data as private. Photo sharing sites, for example, allow users to mark certain galleries as only viewable by certain users. We show that direct timing measurements can expose the existence of private data, and even reveal the size of private data such as the number of hidden pictures in a gallery.

• Learning hidden boolean values. Web login pages often try to hide whether a given username is valid — the same error message is returned whether the input username is valid or not. However, in many cases, the site executes a different code path depending on the validity of the given username. As a result, timing information can expose username validity despite the site's attempt to conceal it.

The second class of attacks, called cross-site timing, is a form of cross-site request forgery [14]. The attack enables a malicious site to obtain information about the user's view of another site — a violation of the same-origin principle [11, 8]. We describe this attack in Section 4. At a high level, the attack begins when the user visits a malicious page, which proceeds to time a victim web site using one of several techniques, all of which time the exact content the user would actually see. We show that this timing data can reveal private information: for example, it can reveal whether the user is currently logged in. In some cases, timing information can even reveal the size and contents of the user's shopping cart and other private data, as discussed in Section 4. This information enables a context-aware phishing attack [9] where the user is presented with a custom phishing page.

These attacks exploit weaknesses in server-side application software, specifically when execution time depends on sensitive information. Our results suggest that these vulnerabilities are often ignored.

1.1 Related work

Timing attacks were previously used to attack crypto implementations on smartcards [10, 12, 13] and web servers [4, 1]. Felten and Schneider [6] used a cache-based timing attack to track web users. Their idea is that once a user visits a static page, her local cache contains a copy of the page, causing the page to load faster on subsequent visits. By measuring the time the browser takes to load a given page, a malicious web site can determine whether the user visited the page before. We note that non-invasive methods exist to prevent this attack [6, 8].

Our attacks target dynamic web pages — we obtain detailed information by measuring the time a web site takes to assemble the page (i.e. the time to query the database and run application code). Since dynamic pages are not typically cacheable, and techniques exist to prevent the use of cached copies, we can ignore any caching effects.

2. WEB APPLICATION ARCHITECTURE

When an HTTP request hits a web site, various components on the site are used to assemble a response. After being initially processed for required HTTP details by a web server, such as Apache or Microsoft IIS, it is routed to the appropriate application or module to generate a response. Static content, which is stored directly in a file, is the easiest to handle: the response is always just the content of the file. Dynamic content, such as the data-driven HTML pages and stylesheets that are a hallmark of modern web applications, is handled by running a program.

This program, which can either be part of a specialized web application framework (e.g. PHP, Java Server Pages, or ASP.NET), or a standalone program (typically called a CGI script), outputs the content that will form the response. This program can call upon any number of resources, including databases and custom servers, which may reside either on the same machine or on another machine on the network, connected either internally or across the public Internet. The time it takes to use these resources, and to process the data that they return, is generally dependent on the underlying data, much of which is private. For example, an implementation of a
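As an added illustration (not code from the paper) of the "learning hidden boolean values" case in Section 1 and of data-dependent execution time in Section 2: a login check that skips the password hash for unknown usernames, beside a version that does the same work on both paths. The credential store, salts and the hash-call counter are constructed for the example, and equalizing the expensive step is a mitigation suggested here, not one the page states.

```python
import hashlib
import hmac

# Constructed sample credential store: username -> (salt, PBKDF2-SHA256 digest).
# A real application would load these from its database; the values are made up.
ITERATIONS = 20_000
HASH_CALLS = 0  # instrumentation only: counts expensive derivations performed

def derive(password: str, salt: bytes) -> bytes:
    """Slow password hash; this is the data-dependent work the leak hinges on."""
    global HASH_CALLS
    HASH_CALLS += 1
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)

_SALT = b"constructed-salt"
USERS = {"alice": (_SALT, derive("correct horse", _SALT))}

# Dummy credential that never matches; used only so that an unknown username
# costs the same hash work as a known one.
_DUMMY_SALT = b"constructed-dummy-salt"
_DUMMY_HASH = derive("unused-placeholder", _DUMMY_SALT)

def login_leaky(username: str, password: str) -> bool:
    """Returns the same generic False for an unknown user and a wrong password,
    but the unknown-user path skips the hash, so response time reveals validity."""
    record = USERS.get(username)
    if record is None:
        return False  # fast path: no PBKDF2 work at all
    salt, stored = record
    return hmac.compare_digest(derive(password, salt), stored)

def login_uniform(username: str, password: str) -> bool:
    """Runs the same hash work whether or not the username exists, so the
    expensive code path no longer depends on username validity."""
    record = USERS.get(username)
    known = record is not None
    salt, stored = record if known else (_DUMMY_SALT, _DUMMY_HASH)
    matches = hmac.compare_digest(derive(password, salt), stored)
    return known and matches

def hash_work(login, username: str, password: str) -> int:
    """Number of derive() calls one login attempt performs: a deterministic
    stand-in for the response-time measurement a direct timing attack uses."""
    global HASH_CALLS
    HASH_CALLS = 0
    login(username, password)
    return HASH_CALLS
```

The counter shows the asymmetry the paper describes: the leaky version does zero hash work for an unknown username and one derivation for a known one, while the uniform version does one derivation in both cases.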