Xiaofeng Zheng,Jian Jiang,Jinjin Liang,Haixin Duan,Shuo Chen,Tao Wan,Nicholas Weaver

2015-01-01

Abstract:A cookie can contain a "secure" flag, indicating that it should be only sent over an HTTPS connection. Yet there is no corresponding flag to indicate how a cookie was set: attackers who act as a man-in-the-midddle even temporarily on an HTTP session can inject cookies which will be attached to subsequent HTTPS connections. Similar attacks can also be launched by a web attacker from a related domain. Although an acknowledged threat, it has not yet been studied thoroughly. This paper aims to fill this gap with an in-depth empirical assessment of cookie injection attacks. We find that cookie-related vulnerabilities are present in important sites (such as Google and Bank of America), and can be made worse by the implementation weaknesses we discovered in major web browsers (such as Chrome, Firefox, and Safari). Our successful attacks have included privacy violation, online victimization, and even financial loss and account hijacking. We also discuss mitigation strategies such as HSTS, possible browser changes, and present a proof-of-concept browser extension to provide better cookie isolation between HTTP and HTTPS, and between related domains.

Mingming Zhang,Xiaofeng Zheng,Kaiwen Shen,Ziqiao Kong,Chaoyi Lu,Yu Wang,Haixin Duan,Shuang Hao,Baojun Liu,Min Yang

DOI: https://doi.org/10.1145/3372297.3417252

2020-01-01

Abstract:HTTPS is principally designed for secure end-to-end communication, which adds confidentiality and integrity to sensitive data transmission. While several man-in-the-middle attacks (e.g., SSL Stripping) are available to break the secured connections, state-of-the-art security policies (e.g., HSTS) have significantly increased the cost of successful attacks. However, the TLS certificates shared by multiple domains make HTTPS hijacking attacks possible again. In this paper, we term the HTTPS MITM attacks based on the shared TLS certificates as HTTPS Context Confusion Attack (SCC Attack). Despite a known threat, it has not yet been studied thoroughly. We aim to fill this gap with an in-depth empirical assessment of SCC Attack. We find the attack can succeed even for servers that have deployed current best practice of security policies. By rerouting encrypted traffic to another flawed server that shares the TLS certificate, attackers can bypass the security practices, hijack the ongoing HTTPS connections, and subsequently launch additional attacks including phishing and payment hijacking. Particularly, vulnerable HTTP headers from a third-party server are exploitable for this attack, and it is possible to hijack an already-established secure connection. Through tests on popular websites, we find vulnerable subdomains under 126 apex domains in Alexa top 500 sites, including large vendors like Alibaba, JD, and Microsoft. Meanwhile, through a large-scale measurement, we find that TLS certificate sharing is prominent, which uncovers the high potential of such attacks, and we summarize the security dependencies among different parties. For responsible disclosure, we have reported the issues to affected vendors and received positive feedback. Our study sheds light on an influential attack surface of the HTTPS ecosystem and calls for proper mitigation against MITM attacks.

Brad Miller,Ling Huang,A. D. Joseph,J. D. Tygar

DOI: https://doi.org/10.48550/arXiv.1403.0297

2014-03-03

Abstract:Revelations of large scale electronic surveillance and data mining by governments and corporations have fueled increased adoption of HTTPS. We present a traffic analysis attack against over 6000 webpages spanning the HTTPS deployments of 10 widely used, industry-leading websites in areas such as healthcare, finance, legal services and streaming video. Our attack identifies individual pages in the same website with 89% accuracy, exposing personal details including medical conditions, financial and legal affairs and sexual orientation. We examine evaluation methodology and reveal accuracy variations as large as 18% caused by assumptions affecting caching and cookies. We present a novel defense reducing attack accuracy to 27% with a 9% traffic increase, and demonstrate significantly increased effectiveness of prior defenses in our evaluation context, inclusive of enabled caching, user-specific cookies and pages within the same website.

Cryptography and Security

Hong Li,Yunhua He,Limin Sun,Xiuzhen Cheng,Jiguo Yu

DOI: https://doi.org/10.1109/INFOCOM.2016.7524621

2016-01-01

Abstract:Video surveillance has been widely adopted to ensure home security in recent years. Most video encoding standards such as H.264 and MPEG-4 compress the temporal redundancy in a video stream using difference coding, which only encodes the residual image between a frame and its reference frame. Difference coding can efficiently compress a video stream, but it causes side-channel information leakage even though the video stream is encrypted, as reported in this paper. Particularly, we observe that the traffic patterns of an encrypted video stream are different when a user conducts different basic activities of daily living, which must be kept private from third parties as obliged by HIPAA regulations. We also observe that by exploiting this side-channel information leakage, attackers can readily infer a user's basic activities of daily living based on only the traffic size data of an encrypted video stream. We validate such an attack using two off-the-shelf cameras, and the results indicate that the user's basic activities of daily living can be recognized with a high accuracy.

Ke Li,Hong Li,Hongsong Zhu,Limin Sun,Hui Wen

DOI: https://doi.org/10.1109/IPCCC47392.2019.8958775

2019-01-01

Abstract:Instant Messaging has been widely applied for both corporate use and personal use in recent years. Major Instant Messaging service providers adopt the Push Technology to ensure the immediacy of message forwarding, which efficiently provides a great convenience for user. However, the immediacy feature causes side-channel information leakage even if some protection measures has been implemented, such as information encryption strategy. In particular, we observe that senders' traffic flows have a strong temporal correlation with those of corresponding recipients, since the messages are forwarded to recipients as soon as they are received by servers. Based on the observation, attackers can infer real-time communications between pairwise users and even the social connections of users. In this paper, we present a methodology framework to validate this side-channel information leakage, which identifies users of real-time communications by matching the pairwise time sequences of traffic flows. We evaluate the method on the collected real-world data. The experimental results show that users' communications can be identified with a high accuracy, and 6 groups of users are inferred to have strong connections based on the data collected from a local area networks.

Zihao Wang,Jiale Guan,XiaoFeng Wang,Wenhao Wang,Luyi Xing,Fares Alharbi

DOI: https://doi.org/10.1145/3576915.3616655

Abstract:Research on side-channel leaks has long been focusing on the information exposure from a single channel (memory, network traffic, power, etc.). Less studied is the risk of learning from multiple side channels related to a target activity (e.g., website visits) even when individual channels are not informative enough for an effective attack. Although the prior research made the first step on this direction, inferring the operations of foreground apps on iOS from a set of global statistics, still less clear are how to determine the maximum information leaks from all target-related side channels on a system, what can be learnt about the target from such leaks and most importantly, how to control information leaks from the whole system, not just from an individual channel. To answer these fundamental questions, we performed the first systematic study on multi-channel inference, focusing on iOS as the first step. Our research is based upon a novel attack technique, called Mischief, which given a set of potential side channels related to a target activity (e.g., foreground apps), utilizes probabilistic search to approximate an optimal subset of the channels exposing most information, as measured by Merit Score, a metric for correlation-based feature selection. On such an optimal subset, an inference attack is modeled as a multivariate time series classification problem, so the state-of-the-art deep-learning based solution, InceptionTime in particular, can be applied to achieve the best possible outcome. Mischief is found to work effectively on today's iOS (16.2), identifying foreground apps, website visits, sensitive IoT operations (e.g., opening the door) with a high confidence, even in an open-world scenario, which demonstrates that the protection Apple puts in place against the known attack is inadequate. Also importantly, this new understanding enables us to develop more comprehensive protection, which could elevate today's side-channel research from suppressing leaks from individual channels to controlling information exposure across the whole system.

Xurong Li,Chunming Wu,Shouling Ji,Qinchen Gu,Raheem A. Beyah

DOI: https://doi.org/10.1007/978-3-319-78813-5_25

2017-01-01

Abstract:HTTPS has played a significant role in the Internet world. HSTS is deployed to ensure the proper running of HTTPS. To get a good understanding of the deployment of HSTS, we conducted an in-depth measurement of the deployment of HSTS among Alexa top 1 million sites, and investigated bookmarks and navigation panels in different browsers. We found five types of threats, including transmission errors, redirection errors, field setting errors, the auto completion mechanism in bookmarks and the embedded addresses in navigation panels. To demonstrate defects we found, we designed an enhanced HTTPS stripping attack, which was upgraded from the original sslstrip attack. Finally, we gave three effective suggestions to eliminate these defects. This paper exposed various risks of HTTPS and HSTS, making it possible to deploy HTTPS and HSTS in a more secure way.

Yossi Gilad,Amir Herzberg

DOI: https://doi.org/10.48550/arXiv.1204.6623

2012-04-30

Abstract:We show how an off-path (spoofing-only) attacker can perform cross-site scripting (XSS), cross-site request forgery (CSRF) and site spoofing/defacement attacks, without requiring vulnerabilities in either web-browser or server and circumventing known defenses. Attacker can also launch devastating denial of service (DoS) attacks, even when the connection between the client and the server is secured with SSL/TLS. The attacks are practical and require a puppet (malicious script in browser sandbox) running on a the victim client machine, and attacker capable of IP-spoofing on the Internet. Our attacks use a technique allowing an off-path attacker to learn the sequence numbers of both client and server in a TCP connection. The technique exploits the fact that many computers, in particular those running Windows, use a global IP-ID counter, which provides a side channel allowing efficient exposure of the connection sequence numbers. We present results of experiments evaluating the learning technique and the attacks that exploit it. Finally, we present practical defenses that can be deployed at the firewall level; no changes to existing TCP/IP stacks are required.

Cryptography and Security

Zihao Jin,Ziqiao Kong,Shuo Chen,Haixin Duan

DOI: https://doi.org/10.1109/sp46214.2022.9833710

2022-01-01

Abstract:Chromium’s site isolation ensures that different sites are rendered by different processes, which is a vision that academic researchers set forth over a decade ago. The journey from academic prototypes to the commercial availability represents a holistic rethinking about the security architecture for modern browsers. In this paper, we emphasize that the timing issues under site isolation need a thorough study. Specifically, we show that site isolation enables a realistic timing attack, which allows the attacker to identify which websites in a given target-sites set are loaded into the browser, as well as the website the user is currently interacting with. Through these vulnerabilities, the user’s site-visit behavior is leaked to the attacker. Our evaluation using Alexa Top 3000 websites gives very high vulnerability percentages – 99%, 99% and 95% for our three key metrics of vulnerabilities. Moreover, the attack is very robust without any special assumption, so will be effective if deployed in the field. The main challenge revealed by our work is the tension between the scarcity of processes and the obligation to isolate cross-site frames in different processes. We are working with the Google Chrome team and Microsoft Edge team to propose and evaluate mitigation options.

Chuanpu Fu,Qi Li,Ke Xu,Xuewei Feng,Kun Sun

DOI: https://doi.org/10.1109/tnet.2021.3115517

2022-02-01

IEEE/ACM Transactions on Networking

Abstract:In this paper, we uncover a new off-path TCP hijacking attack that can be used to terminate victim TCP connections or inject forged data into victim TCP connections by manipulating the new mixed IPID assignment method, which is widely used in Linux kernel version 4.18 and beyond. Our attack has three steps. First, an off-path attacker can downgrade the IPID assignment for TCP packets from the more secure per-socket-based policy to the less secure hash-based policy, thus building a shared IPID counter that forms a side channel in the victim. Second, the attacker detects the presence of TCP connections by observing the side channel of the shared IPID counter. Third, the attacker infers sequence and acknowledgment numbers of the detected connection by observing the side channel. Consequently, the attacker can completely hijack the connection, e.g., resetting the connection or poisoning the data stream. We evaluate the impacts of our attack in the real world, and we uncover that more than 20% of Alexa top 100k websites are vulnerable to our attack. Our case studies of SSH DoS, manipulating web traffic, and poisoning BGP routing tables show its threat on a wide range of applications. Moreover, we demonstrate that our attack can be further extended to exploit IPv4/IPv6 dual-stack networks on increasing the hash collisions and enlarging vulnerable populations. Finally, we analyze the root cause and develop a new IPID assignment method to defeat this attack. We prototype our defense in Linux 4.18 and confirm its effectiveness in the real world.

Computer Science

Jian Mao,Yue Chen,Futian Shi,Yaoqi Jia,Zhenkai Liang

DOI: https://doi.org/10.3390/s17030464

2017-02-25

Abstract:Web applications have become the foundation of many types of systems, ranging from cloud services to Internet of Things (IoT) systems. Due to the large amount of sensitive data processed by web applications, user privacy emerges as a major concern in web security. Existing protection mechanisms in modern browsers, e.g., the same origin policy, prevent the users' browsing information on one website from being directly accessed by another website. However, web applications executed in the same browser share the same runtime environment. Such shared states provide side channels for malicious websites to indirectly figure out the information of other origins. Timing is a classic side channel and the root cause of many recent attacks, which rely on the variations in the time taken by the systems to process different inputs. In this paper, we propose an approach to expose the timing-based probing attacks in web applications. It monitors the browser behaviors and identifies anomalous timing behaviors to detect browser probing attacks. We have prototyped our system in the Google Chrome browser and evaluated the effectiveness of our approach by using known probing techniques. We have applied our approach on a large number of top Alexa sites and reported the suspicious behavior patterns with corresponding analysis results. Our theoretical analysis illustrates that the effectiveness of the timing-based probing attacks is dramatically limited by our approach.

Ziqiang Wang,Xuewei Feng,Qi Li,Kun Sun,Yuxiang Yang,Mengyuan Li,Ganqiu Du,Ke Xu,Jianping Wu

2024-10-01

Abstract:In this paper, we unveil a fundamental side channel in Wi-Fi networks, specifically the observable frame size, which can be exploited by attackers to conduct TCP hijacking attacks. Despite the various security mechanisms (e.g., WEP and WPA2/WPA3) implemented to safeguard Wi-Fi networks, our study reveals that an off path attacker can still extract sufficient information from the frame size side channel to hijack the victim's TCP connection. Our side channel attack is based on two significant findings: (i) response packets (e.g., ACK and RST) generated by TCP receivers vary in size, and (ii) the encrypted frames containing these response packets have consistent and distinguishable sizes. By observing the size of the victim's encrypted frames, the attacker can detect and hijack the victim's TCP connections. We validate the effectiveness of this side channel attack through two case studies, i.e., SSH DoS and web traffic manipulation. Precisely, our attack can terminate the victim's SSH session in 19 seconds and inject malicious data into the victim's web traffic within 28 seconds. Furthermore, we conduct extensive measurements to evaluate the impact of our attack on real-world Wi-Fi networks. We test 30 popular wireless routers from 9 well-known vendors, and none of these routers can protect victims from our attack. Besides, we implement our attack in 80 real-world Wi-Fi networks and successfully hijack the victim's TCP connections in 75 (93.75%) evaluated Wi-Fi networks. We have responsibly disclosed the vulnerability to the Wi-Fi Alliance and proposed several mitigation strategies to address this issue.

Networking and Internet Architecture,Cryptography and Security

Aydin, Furkan,Aysu, Aydin

DOI: https://doi.org/10.1007/s13389-023-00340-2

2024-01-13

Journal of Cryptographic Engineering

Abstract:Homomorphic encryption (HE) allows computing encrypted data in the ciphertext domain without knowing the encryption key. It is possible, however, to break fully homomorphic encryption (FHE) algorithms by using side channels. This article demonstrates side-channel leakages of the Microsoft SEAL HE library. The proposed attack can steal encryption keys during the key generation phase by abusing the leakage of ternary value assignments that occurs during the number theoretic transform (NTT) algorithm. We propose two attacks, one for -O0 flag non-optimized code implementation which targets addition and subtraction operations, and one for -O3 flag compiler optimization which targets guard and mul_root operations. In particular, the attacks can steal the secret key coefficients from a single power/electromagnetic measurement trace of SEAL's NTT implementation. To achieve high accuracy with a single-trace , we develop novel machine-learning side-channel profilers. On an ARM Cortex-M4F processor, our attacks are able to extract secret key coefficients with an accuracy of 98.3% when compiler optimization is disabled, and 98.6% when compiler optimization is enabled. We finally demonstrate that our attack can evade an application of the random delay insertion defense.

computer science, theory & methods

Han Wang,Ming Tang,Ke Xu,Quancheng Wang

2023-06-03

Abstract:In the modern CPU architecture, enhancements such as the Line Fill Buffer (LFB) and Super Queue (SQ), which are designed to track pending cache requests, have significantly boosted performance. To exploit this structures, we deliberately engineered blockages in the L2 to L1d route by controlling LFB conflict and triggering prefetch prediction failures, while consciously dismissing other plausible influencing factors. This approach was subsequently extended to the L3 to L2 and L2 to L1i pathways, resulting in three potent covert channels, termed L2CC, L3CC, and LiCC, with capacities of 10.02 Mbps, 10.37 Mbps, and 1.83 Mbps, respectively. Strikingly, the capacities of L2CC and L3CC surpass those of earlier non-shared-memory-based covert channels, reaching a level comparable to their shared memory-dependent equivalents. Leveraging this congestion further facilitated the extraction of key bits from RSA and EdDSA implementations. Coupled with SpectreV1 and V2, our covert channels effectively evade the majority of traditional Spectre defenses. Their confluence with Branch Prediction (BP) Timing assaults additionally undercuts balanced branch protections, hence broadening their capability to infiltrate a wide range of cryptography libraries.

Cryptography and Security

Xuewei Feng,Qi Li,Kun Sun,Ke Xu,Jianping Wu

2024-11-19

Abstract:After more than 40 years of development, the fundamental TCP/IP protocol suite, serving as the backbone of the Internet, is widely recognized for having achieved an elevated level of robustness and security. Distinctively, we take a new perspective to investigate the security implications of cross-layer interactions within the TCP/IP protocol suite caused by ICMP error messages. Through a comprehensive analysis of interactions among Wi-Fi, IP, ICMP, UDP, and TCP due to ICMP errors, we uncover several significant vulnerabilities, including information leakage, desynchronization, semantic gaps, and identity spoofing. These vulnerabilities can be exploited by off-path attackers to manipulate network traffic stealthily, affecting over 20% of popular websites and more than 89% of public Wi-Fi networks, thus posing risks to the Internet. By responsibly disclosing these vulnerabilities to affected vendors and proposing effective countermeasures, we enhance the robustness of the TCP/IP protocol suite, receiving acknowledgments from well-known organizations such as the Linux community, the OpenWrt community, the FreeBSD community, Wi-Fi Alliance, Qualcomm, HUAWEI, China Telecom, Alibaba, and H3C.

Cryptography and Security

Xavier de Carné de Carnavalet,Paul C. van Oorschot

DOI: https://doi.org/10.1145/3580522

2022-12-27

Abstract:TLS is an end-to-end protocol designed to provide confidentiality and integrity guarantees that improve end-user security and privacy. While TLS helps defend against pervasive surveillance of intercepted unencrypted traffic, it also hinders several common beneficial operations typically performed by middleboxes on the network traffic. Consequently, various methods have been proposed that "bypass" the confidentiality goals of TLS by playing with keys and certificates essentially in a man-in-the-middle solution, as well as new proposals that extend the protocol to accommodate third parties, delegation schemes to trusted middleboxes, and fine-grained control and verification mechanisms. We first review the use cases expecting plain HTTP traffic and discuss the extent to which TLS hinders these operations. We retain 19 scenarios where access to unencrypted traffic is still relevant and evaluate the incentives of the stakeholders involved. Second, we survey 30 schemes by which TLS no longer delivers end-to-end security, and by which the notion of an "end" changes, including caching middleboxes such as Content Delivery Networks. Finally, we compare each scheme based on deployability and security characteristics, and evaluate their compatibility with the stakeholders' incentives. Our analysis leads to a number of key findings, observations, and research questions that we believe will be of interest to practitioners, policy makers and researchers.

Cryptography and Security

Linke Song,Zixuan Pang,Wenhao Wang,Zihao Wang,XiaoFeng Wang,Hongbo Chen,Wei Song,Yier Jin,Dan Meng,Rui Hou

2024-09-30

Abstract:The wide deployment of Large Language Models (LLMs) has given rise to strong demands for optimizing their inference performance. Today's techniques serving this purpose primarily focus on reducing latency and improving throughput through algorithmic and hardware enhancements, while largely overlooking their privacy side effects, particularly in a multi-user environment. In our research, for the first time, we discovered a set of new timing side channels in LLM systems, arising from shared caches and GPU memory allocations, which can be exploited to infer both confidential system prompts and those issued by other users. These vulnerabilities echo security challenges observed in traditional computing systems, highlighting an urgent need to address potential information leakage in LLM serving infrastructures. In this paper, we report novel attack strategies designed to exploit such timing side channels inherent in LLM deployments, specifically targeting the Key-Value (KV) cache and semantic cache widely used to enhance LLM inference performance. Our approach leverages timing measurements and classification models to detect cache hits, allowing an adversary to infer private prompts with high accuracy. We also propose a token-by-token search algorithm to efficiently recover shared prompt prefixes in the caches, showing the feasibility of stealing system prompts and those produced by peer users. Our experimental studies on black-box testing of popular online LLM services demonstrate that such privacy risks are completely realistic, with significant consequences. Our findings underscore the need for robust mitigation to protect LLM systems against such emerging threats.

Cryptography and Security

Atri Bhattacharyya,Alexandra Sandulescu,Matthias Neugschwandtner,Alessandro Sorniotti,Babak Falsafi,Mathias Payer,Anil Kurmus

DOI: https://doi.org/10.1145/3319535.3363194

2019-09-26

Abstract:Spectre, Meltdown, and related attacks have demonstrated that kernels, hypervisors, trusted execution environments, and browsers are prone to information disclosure through micro-architectural weaknesses. However, it remains unclear as to what extent other applications, in particular those that do not load attacker-provided code, may be impacted. It also remains unclear as to what extent these attacks are reliant on cache-based side channels. We introduce SMoTherSpectre, a speculative code-reuse attack that leverages port-contention in simultaneously multi-threaded processors (SMoTher) as a side channel to leak information from a victim process. SMoTher is a fine-grained side channel that detects contention based on a single victim instruction. To discover real-world gadgets, we describe a methodology and build a tool that locates SMoTher-gadgets in popular libraries. In an evaluation on glibc, we found hundreds of gadgets that can be used to leak information. Finally, we demonstrate proof-of-concept attacks against the OpenSSH server, creating oracles for determining four host key bits, and against an application performing encryption using the OpenSSL library, creating an oracle which can differentiate a bit of the plaintext through gadgets in libcrypto and glibc.

Cryptography and Security

Vasilios Mavroudis,Jamie Hayes

2023-10-27

Abstract:In webpage fingerprinting, an on-path adversary infers the specific webpage loaded by a victim user by analysing the patterns in the encrypted TLS traffic exchanged between the user's browser and the website's servers. This work studies modern webpage fingerprinting adversaries against the TLS protocol; aiming to shed light on their capabilities and inform potential defences. Despite the importance of this research area (the majority of global Internet users rely on standard web browsing with TLS) and the potential real-life impact, most past works have focused on attacks specific to anonymity networks (e.g., Tor). We introduce a TLS-specific model that: 1) scales to an unprecedented number of target webpages, 2) can accurately classify thousands of classes it never encountered during training, and 3) has low operational costs even in scenarios of frequent page updates. Based on these findings, we then discuss TLS-specific countermeasures and evaluate the effectiveness of the existing padding capabilities provided by TLS 1.3.

Cryptography and Security,Machine Learning

Xujing Huang

DOI: https://doi.org/10.1145/3436369.3436478

2020-10-30

Abstract:Information leakage by side channels in web applications is a major security threat, even when web traffic is encrypted. In this paper, we describe an automated system to analyse leakages of user privacy. Previous works focus on communications directly interacting with sensitive information. We show how, in real-world web applications, user information can be leaked through "non-intuitive" communications, which do not contain direct interactions with sensitive information. Unexpectedly, we found that user privacy can be leaked more from this kind of "non-intuitive" communication than direct interactions. This work also discloses user identities can be inferred by traffic analysis. In this work, we combine machine learning to recognize traffic pattern, i.e., Hidden Markov model is used to fingerprint web traffic of user privacy.