Sep 01, 2010 - Aug 31, 2014


Indiana University

With software-as-a-service (SaaS) rapidly becoming mainstream, web applications increasingly substitute for desktop software. A web application is a two-part program, with its components deployed both in the browser and on the web server. The interactions between these two components inevitably reveal the program's internal states to any observer of the communication stream, simply through the pattern of packet lengths and the timing of interactions, even if the stream is entirely encrypted. This research reveals that these "side-channel" information leaks are both fundamental and common: a number of popular web applications are found to disclose highly sensitive user data such as one's family income, health profile, investments and more. This research will develop an in-depth understanding of web applications' side-channel vulnerabilities, particularly the design features and domain knowledge that lead to side-channel leaks. Based upon this understanding, new technologies will be developed to facilitate the detection and mitigation of side-channel threats during the development and operation of web applications. These technologies will be made available to users so they can assess their exposure and to developers so they can reduce the vulnerabilities in the applications they build. The outcomes of the project will contribute to the improvement of privacy protection in the SaaS infrastructure and cloud computing.
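The leak described above can be reproduced on a small scale. The example below is added here and is not code from the project or from any application it studied: it models a hypothetical autocomplete search box (the vocabulary, the JSON response format and the 64-byte padding bucket are all assumptions) in which every keystroke sends the prefix typed so far to the server. The observer sees only the size of each encrypted response, which is what TLS leaves visible, yet by driving the same application with every dictionary word beforehand it can match a victim's sequence of response sizes to the word being typed.

```python
import json
import math

# Constructed vocabulary for a hypothetical symptom-search autocomplete box
# (assumption: not the vocabulary or format of any real application).
VOCABULARY = ["cancer", "cardiac", "cold", "cough",
              "diabetes", "depression", "fever", "flu"]


def server_response(prefix):
    """Server side of the toy app: the suggestions for the prefix typed so far."""
    matches = sorted(w for w in VOCABULARY if w.startswith(prefix))
    return json.dumps(matches)


def response_length(prefix, bucket=None):
    """What a network observer sees: only the (possibly padded) size of the
    encrypted response, never its content."""
    n = len(server_response(prefix))
    if bucket:
        # Mitigation: round every response up to a multiple of `bucket` bytes
        # so that responses of different content share the same size.
        n = math.ceil(n / bucket) * bucket
    return n


def keystroke_lengths(word, bucket=None):
    """Sequence of response sizes produced while `word` is typed letter by letter."""
    return tuple(response_length(word[:i], bucket) for i in range(1, len(word) + 1))


def build_fingerprints(bucket=None):
    """Attacker's preparation: use the application legitimately with every
    dictionary word and record the size sequence each one produces."""
    return {w: keystroke_lengths(w, bucket) for w in VOCABULARY}


def infer(observed, fingerprints):
    """Attack: which dictionary words are consistent with the observed sizes?
    A word is a candidate only if it has at least as many keystrokes as were
    observed and its fingerprint agrees with every observed size so far."""
    k = len(observed)
    return sorted(w for w, sig in fingerprints.items()
                  if len(sig) >= k and sig[:k] == observed)


if __name__ == "__main__":
    victim = "diabetes"
    for bucket in (None, 64):
        fp = build_fingerprints(bucket)
        seen = keystroke_lengths(victim, bucket)
        print(f"bucket={bucket}: observed sizes {seen} -> candidates {infer(seen, fp)}")
```

Without padding the eight observed sizes identify "diabetes" uniquely after the second keystroke, since the responses for "di" and "de" differ in length. Rounding every response up to 64 bytes makes all sizes identical, but the observer still counts eight round trips and so still narrows the input to the two vocabulary words of at least eight letters: padding hides sizes, not the number or timing of interactions, which is why the project treats both as part of the side channel.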