With software-as-a-service (SaaS) rapidly becoming mainstream, web applications increasingly substitute for desktop software. A web application is a two-part program, with its components deployed both in the browser and in the web server. The interactions between these two components inevitably reveal the program's internal states to any observer of the communication stream, simply through the pattern of packet lengths and the timing of interactions, even if the stream is entirely encrypted. This research reveals that these "side-channel" information leaks are both fundamental and common: a number of popular web applications are found to disclose highly sensitive user data such as one's family income, health profile, investments and more. This research will develop an in-depth understanding of web applications' side-channel vulnerabilities, particularly the design features and domain knowledge that lead to side-channel leaks. Based upon this understanding, new technologies are developed to facilitate the detection and mitigation of the side-channel threats during the development and operation of web applications. These technologies will be made available to users so they can assess their vulnerabilities and to developers so they can reduce the vulnerabilities in the applications they build. The outcomes of the project will contribute to the improvement of privacy protection in the SaaS infrastructure and cloud computing.

Project Report

The prosperity of software-as-a-service (SaaS) comes with new security challenges. Different from their desktop counterparts, the web application delivered through the SaaS infrastructure is a two-part program, with its components deployed both in the browser and in the web server. The interactions between these two components inevitably disclose the internal states of the program to the network eavesdropper, through various "side channels" of the communication, such as packet lengths and the timing of interactions, even when the communication is entirely encrypted. Further complicating the situation is the recent popularity of smartphone and tablet techniques, with millions of mobile applications (app for short) already on the market, most of which are essentially web applications with their client-side components directly running on various mobile devices. Not only are those apps equally vulnerable to the network side-channel attack, just like their corresponding browser-side counterparts, but they are also subject to the risks of information leaks through mobile operating systems (OS), including each app’s mobile data, CPU and memory usages and more, which have all been made public to even untrusted apps running on the same devices.

Intellectual Merits. In this project, we performed a series of in-depth security analyses under different SaaS computing scenarios, on emerging mobile apps as well as conventional browser-based web applications.
Our studies have brought to light the scope and the magnitude of this new security risk (side channel leaks in SaaS): a number of popular web applications are found to disclose highly sensitive user data, such as one's family income, health profile, investments and more through the patterns of their traffic; mobile computing devices expose the types of the applications they are running and their users’ activities through encrypted Wi-Fi packet sequences; also high-profile mobile apps and even the mobile OS itself can be monitored by a malicious app without any permission to figure out the mobile user’s location, identity, driving routes and health and financial information, using such apparently innocent information as the BSSIDs of Wi-Fi access points, mobile data usages, CPU uses and the status of the speaker (on or off). Further, the presence of such side-channel leaks enables the adversary to conduct reconnaissance on the states of the target OS or applications, which makes possible a wide range of attacks, from inferring the content of encrypted data on the cloud to taping the victim’s phone conversation and stealing her medical data from mobile healthcare accessories. Examples of such information leaks are made available through video demos (https://sites.google.com/site/sidedroid/, https://sites.google.com/site/edmbdroid/).

To mitigate those security risks, we developed a suite of new techniques for different computing platforms. For conventional web applications, our automatic program analyzer, called "Sidebuster", was designed to statically evaluate the source code of the program, identifying the potential program locations of side channels. Then, a dynamic analysis is performed to quantify the amount of the information that can be exposed through the channels. This helps the developer to analyze her programs and fix the potential weaknesses within the code during the application development stage.
In a mobile computing environment, we propose a new demultiplexing technique that decomposes a Wi-Fi communication flow into a set of streams, each mimicking the operations of a different application, so as to confuse a Wi-Fi eavesdropper. On the mobile device, both OS-level and app-level protection mechanisms were designed to defend the mobile user against all known side-channel attacks. All these new techniques have been thoroughly evaluated in real-world computing environments, using popular web applications.

As a result of this research, 11 papers have been published or accepted. Most of them appear at the most competitive venues of system security research, including NDSS, CCS and IEEE Transactions on Wireless Computing.

Broader impacts. The outcomes of this project have been extensively disseminated. The new security risks we discovered have received extensive media coverage, including Forbes, Slashdotted, PC World, etc. We also made public the techniques we built (http://sysseclab.informatics.indiana.edu/projects.html) and will continue to do so whenever the code becomes mature enough to release. Our industry partners also show interest in some techniques related to the project and there could be opportunities for technical transfers. Also, the project involved HBCU students through summer internships, helping them better understand the security risks in different SaaS scenarios. We also gave talks and presented the outcomes of the research during numerous conferences and invited visits around the world.

This Project Outcomes Report for the General Public is displayed verbatim as submitted by the Principal Investigator (PI) for this award. Any opinions, findings, and conclusions or recommendations expressed in this Report are those of the PI and do not necessarily reflect the views of the National Science Foundation; NSF has not approved or endorsed its content.

Agency: National Science Foundation (NSF)
Institute: Division of Computer and Network Systems (CNS)
Type: Standard Grant (Standard)
Application #: 1017782
Program Officer: Jeremy Epstein
Project Start:
Project End:
Budget Start: 2010-09-01
Budget End: 2014-08-31
Support Year:
Fiscal Year: 2010
Total Cost: $494,110
Indirect Cost:

Name: Indiana University
Department:
Type:
DUNS #:
City: Bloomington
State: IN
Country: United States
Zip Code: 47401