Format

Send to

Choose Destination
Sensors (Basel). 2017 Feb 25;17(3). pii: E464. doi: 10.3390/s17030464.

Toward Exposing Timing-Based Probing Attacks in Web Applications.

Author information

1
School of Electronic and Information Engineering, Beihang University, 37 Xueyuan Road, Beijing 100191, China. maojian@buaa.edu.cn.
2
School of Electronic and Information Engineering, Beihang University, 37 Xueyuan Road, Beijing 100191, China. chenyue@buaa.edu.cn.
3
School of Electronic and Information Engineering, Beihang University, 37 Xueyuan Road, Beijing 100191, China. futianbuaa@163.com.
4
Department of Computer Science, National University of Singapore, 13 Computing Drive, Singapore 117417, Singapore. jiayaoqi@comp.nus.edu.sg.
5
Department of Computer Science, National University of Singapore, 13 Computing Drive, Singapore 117417, Singapore. liangzk@comp.nus.edu.sg.

Abstract

Web applications have become the foundation of many types of systems, ranging from cloud services to Internet of Things (IoT) systems. Due to the large amount of sensitive data processed by web applications, user privacy emerges as a major concern in web security. Existing protection mechanisms in modern browsers, e.g., the same origin policy, prevent the users' browsing information on one website from being directly accessed by another website. However, web applications executed in the same browser share the same runtime environment. Such shared states provide side channels for malicious websites to indirectly figure out the information of other origins. Timing is a classic side channel and the root cause of many recent attacks, which rely on the variations in the time taken by the systems to process different inputs. In this paper, we propose an approach to expose the timing-based probing attacks in web applications. It monitors the browser behaviors and identifies anomalous timing behaviors to detect browser probing attacks. We have prototyped our system in the Google Chrome browser and evaluated the effectiveness of our approach by using known probing techniques. We have applied our approach on a large number of top Alexa sites and reported the suspicious behavior patterns with corresponding analysis results. Our theoretical analysis illustrates that the effectiveness of the timing-based probing attacks is dramatically limited by our approach.

KEYWORDS:

privacy; probing attack; side channel; web security

Supplemental Content

Full text links

Icon for Multidisciplinary Digital Publishing Institute (MDPI) Icon for PubMed Central
Loading ...
Support Center