Exposing private information by timing web applications

Subscribe (Full Service)


	Search: The ACM Digital Library The Guide

	Feedback

Exposing private information by timing web applications

Full text

Pdf (211 KB)

Source

International World Wide Web Conference archive
Proceedings of the 16th international conference on World Wide Web table of contents

Banff, Alberta, Canada

SESSION: Defending against emerging threats table of contents

Pages: 621 - 628

Year of Publication: 2007

ISBN:978-1-59593-654-7

Authors

Andrew Bortz	Stanford University
Dan Boneh	Stanford University

Sponsor

ACM: Association for Computing Machinery

Publisher

ACM New York, NY, USA

Bibliometrics

Downloads (6 Weeks): 14, Downloads (12 Months): 123, Citation Count: 5

Additional Information:

abstract references cited by index terms collaborative colleagues

Tools and Actions:	Review this Article Save this Article to a Binder Display Formats: BibTeX EndNote ACM Ref

DOI Bookmark:	Use this link to bookmark this Article: http://doi.acm.org/10.1145/1242572.1242656 What is a DOI?

ABSTRACT

We show that the time web sites take to respond to HTTP requests can leak private information, using two different types of attacks. The first, direct timing, directly measures response times from a web site to expose private information such as validity of an username at a secured site or the number of private photos in a publicly viewable gallery. The second, cross-site timing, enables a malicious web site to obtain information from the user's perspective at another site. For example, a malicious site can learn if the user is currently logged in at a victim site and, in some cases, the number of objects in the user's shopping cart. Our experiments suggest that these timing vulnerabilities are wide-spread. We explain in detail how and why these attacks work, and discuss methods for writing web application code that resists these attacks.

REFERENCES

Note: OCR errors may be found in this Reference List extracted from the full text article. ACM has opted to expose the complete List rather than only correct and linked references.

	1	Onur Aciiçmez , Werner Schindler , Çetin K. Koç, Improving Brumley and Boneh timing attack on unprotected SSL implementations, Proceedings of the 12th ACM conference on Computer and communications security, November 07-11, 2005, Alexandria, VA, USA [doi>10.1145/1102120.1102140]
	2	C. Anley. Advanced SQL injection in SQL server applications, 2002. http://www.nextgenss.com/papers/advanced sql injection.pdf.
	3	Matt Blaze. Simple UNIX time quantization package. Previously available on the web.
	4	David Brumley , Dan Boneh, Remote timing attacks are practical, Computer Networks: The International Journal of Computer and Telecommunications Networking, v.48 n.5, p.701-716, 5 August 2005 [doi>10.1016/j.comnet.2005.01.010]
	5	The CAPTCHA project. http://www.captcha.net.
	6	Edward W. Felten , Michael A. Schneider, Timing attacks on Web privacy, Proceedings of the 7th ACM conference on Computer and communications security, p.25-32, November 01-04, 2000, Athens, Greece [doi>10.1145/352600.352606]
	7	Gallery. http://gallery.menalto.com/.
	8	Collin Jackson , Andrew Bortz , Dan Boneh , John C. Mitchell, Protecting browser state from web privacy attacks, Proceedings of the 15th international conference on World Wide Web, May 23-26, 2006, Edinburgh, Scotland [doi>10.1145/1135777.1135884]
	9	Markus Jakobsson. Modeling and preventing phishing attacks, 2005. http://www.informatics.indiana.edu/markus/papers/phishing_jakobsson.pdf.
	10	Paul C. Kocher, Timing Attacks on Implementations of Diffie-Hellman, RSA, DSS, and Other Systems, Proceedings of the 16th Annual International Cryptology Conference on Advances in Cryptology, p.104-113, August 18-22, 1996
	11	Jesse Ruderman. The same origin policy, 2001. http://www.mozilla.org/projects/security/components/same-origin.html.
	12	Werner Schindler, A Timing Attack against RSA with the Chinese Remainder Theorem, Proceedings of the Second International Workshop on Cryptographic Hardware and Embedded Systems, p.109-124, August 17-18, 2000
	13	Werner Schindler. Optimized timing attacks against public key cryptosystems. Statistics and Decisions, 20:191--210, 2002.
	14	Chris Shiflett. Cross-site request forgeries, 2004. http://shiflett.org/articles/security-corner-dec2004.
	15	The cross-site scripting FAQ. http://www.cgisecurity.net/articles/xss-faq.shtml.

CITED BY 5

	Dinei Florêncio , Cormac Herley , Baris Coskun, Do strong web passwords accomplish anything?, Proceedings of the 2nd USENIX workshop on Hot topics in security, p.1-6, August 07, 2007, Boston, MA
	Chuan Yue , Haining Wang, Characterizing insecure javascript practices on the web, Proceedings of the 18th international conference on World wide web, April 20-24, 2009, Madrid, Spain
	Ariel Futoransky , Damián Saura , Ariel Waissbein, The ND2DB attack: database content extraction using timing attacks on the indexing algorithms, Proceedings of the first conference on First USENIX Workshop on Offensive Technologies, p.3-3, August 06, 2007, Boston, MA
	Spiros Antonatos , Periklis Akritidis , Vinh The Lam , Kostas G. Anagnostakis, Puppetnets: Misusing Web Browsers as a Distributed Attack Infrastructure, ACM Transactions on Information and System Security (TISSEC), v.12 n.2, p.1-38, December 2008
	Scott A. Crosby , Dan S. Wallach , Rudolf H. Riedi, Opportunities and Limits of Remote Timing Attacks, ACM Transactions on Information and System Security (TISSEC), v.12 n.3, p.1-29, January 2009