CPL - Chalmers Publication Library
| Utbildning | Forskning | Styrkeområden | Om Chalmers | In English In English Ej inloggad.

Securing Timeout Instructions in Web Applications

Alejandro Russo (Institutionen för data- och informationsteknik (Chalmers)) ; Andrei Sabelfeld (Institutionen för data- och informationsteknik (Chalmers))
Proceedings of the 22th IEEE Computer Security Foundations Symposium (2009)
[Konferensbidrag, refereegranskat]

Timeout mechanisms are a useful feature for web applications. However, these mechanisms need to be used with care because, if used as-is, they are vulnerable to timing attacks. This paper focuses on internal timing attacks, a particularly dangerous class of timing attacks, where the attacker needs no access to a clock. In the context of client-side web application security, we present JavaScript-based exploits against the timeout mechanism of the DOM (document object model), supported by the modern browsers. Our experimental findings reveal rather liberal choices for the timeout semantics by different browsers and motivate the need for a general security solution. We propose a foundation for such a solution in the form of a runtime monitor. We illustrate for a simple language that, while being more permissive than a typical static analysis, the monitor enforces termination-insensitive noninterference.

Nyckelord: Timeout, information-flow, web security



Denna post skapades 2009-05-04. Senast ändrad 2015-12-17.
CPL Pubid: 93391

 

Läs direkt!


Länk till annan sajt (kan kräva inloggning)


Institutioner (Chalmers)

Institutionen för data- och informationsteknik (Chalmers)

Ämnesområden

Datalogi

Chalmers infrastruktur