Abstract
To improve the performance of web services, web servers commonly compress the data they deliver. Compression has a side effect, however: compression side-channel attacks (CSCA). A CSCA lets an eavesdropper recover secret strings contained in encrypted traffic by observing only the length of the data, because the compressed length depends on how much of the plaintext repeats. Debreach, a recently proposed defense, mitigates CSCA by excluding all secret data in a web page from the compression process. Although Debreach is proven safe against CSCA and outperforms earlier approaches, excluding all secret data from compression reduces compression efficiency. In this paper, we present a highly efficient CSCA mitigation system called "Mutexion" (
Mutexion: Mutually Exclusive Compression System for Mitigating Compression Side-Channel Attacks