skip to main content
research-article

Mutexion: Mutually Exclusive Compression System for Mitigating Compression Side-Channel Attacks

Published:16 November 2022Publication History
Skip Abstract Section

Abstract

To enhance the performance of web services, web servers often compress data to be delivered. Unfortunately, the data compression technique has also introduced a side effect called compression side-channel attacks (CSCA). CSCA allows eavesdroppers to unveil secret strings included in the encrypted traffic by observing the length of data. A promising defense technique called Debreach was recently proposed to mitigate CSCA by excluding all secret data in a web page during the compression process. Although Debreach has proven to be safe against CSCA and outperforms other approaches, the exclusion of all secret data from compression eventually resulted in a decreased compression efficiency. In this paper, we present a highly efficient CSCA mitigation system called “Mutexion” (Mutually exclusive compression) which allows us to fully take advantage of compression over an entire web page, including secret data. The key idea behind Mutexion is to fully take advantage of all the matching subsequences within a web page except only for those between secret data and user-controlled data (potentially controlled by an attacker) during the compression process. This approach of Mutexion effectively prevents side-channel leaks of secret data under CSCA misusing user-controlled data in a web page while minimizing the degradation in compression efficiency. It is required for our compressor to trace both secret data and user-controlled data in its compression process of web pages. To meet this requirement, we provide techniques to enable automated annotation of secret and user-controlled data in web pages. We implemented Mutexion as a fully working system to test live web pages and evaluated its performance with respect to security and compression efficiency. Our evaluation results demonstrated that Mutexion effectively prevents CSCA and also achieves almost the same compression ratio as the original zlib, which is vulnerable to CSCA, with a slight increase (0.032 milliseconds (7.9%) on average) in execution time.

REFERENCES

  1. [1] AddressBook. 2017. https://sourceforge.net/projects/php-addressbook/. (Accessed on Jul. 22, 2022).Google ScholarGoogle Scholar
  2. [2] Adminer. 2018. https://www.adminer.org/. (Accessed on Jul. 22, 2022).Google ScholarGoogle Scholar
  3. [3] Alawatugoda Janaka, Stebila Douglas, and Boyd Colin. 2015. Protecting encrypted cookies from compression side-channel attacks. In International Conference on Financial Cryptography and Data Security. Springer, 86106.Google ScholarGoogle ScholarCross RefCross Ref
  4. [4] Deutsch L. Peter. 1996. DEFLATE Compressed Data Format Specification version 1.3. RFC 1951. Google ScholarGoogle ScholarDigital LibraryDigital Library
  5. [5] Gluck Yoel, Harris Neal, and Prado Angelo. 2013. BREACH: Reviving the CRIME attack. Black Hat USA (2013).Google ScholarGoogle Scholar
  6. [6] Group The PHP. 2001. PHP: Superglobals. https://www.php.net/manual/en/language.variables.superglobals.php. (Accessed on May 25, 2022).Google ScholarGoogle Scholar
  7. [7] iAddressBook. 2017. https://iaddressbook.org/wiki/. (Accessed on Jul. 22, 2022).Google ScholarGoogle Scholar
  8. [8] Johnson Rod. 2004. Spring Framework. https://spring.io/web-applications. (Accessed on May 25, 2022).Google ScholarGoogle Scholar
  9. [9] Karakostas Dimitris, Kiayias Aggelos, Sarafianou Eva, and Zindros Dionysis. 2016. CTX: Eliminating BREACH with context hiding. Black Hat EU (2016).Google ScholarGoogle Scholar
  10. [10] Kelsey John. 2002. Compression and information leakage of plaintext. In International Workshop on Fast Software Encryption. Springer, 263276.Google ScholarGoogle Scholar
  11. [11] Krishnamurthy Balachander and Rexford Jennifer. 2001. Web Protocols and Practice: HTTP/1.1, Networking Protocols, Caching, and Traffic Measurement. Addison-Wesley Professional.Google ScholarGoogle Scholar
  12. [12] Kurose James F. and Ross Keith W.. 2016. Computer Networking: A Top-Down Approach (7th ed.). Pearson, Boston, MA.Google ScholarGoogle Scholar
  13. [13] Gailly Jean-loup and Adler Mark. 2017. zlib Compression Library. https://zlib.net. (Accessed on Apr. 7, 2021).Google ScholarGoogle Scholar
  14. [14] Marashdih Abdalla Wasef, Zaaba Zarul Fitri, and Omer Herman Khalid. 2017. Web security: Detection of cross site scripting in PHP web application using genetic algorithm. International Journal of Advanced Computer Science and Applications 8 (2017).Google ScholarGoogle Scholar
  15. [15] Messenger. 2011. https://www.messenger.com/. (Accessed on Jul. 22, 2022).Google ScholarGoogle Scholar
  16. [16] NOCC. 2018. http://nocc.sourceforge.net/. (Accessed on Jul. 22, 2022).Google ScholarGoogle Scholar
  17. [17] Paulsen Brandon, Sung Chungha, Peterson Peter A. H., and Wang Chao. 2019. Debreach: Mitigating compression side channels via static analysis and transformation. arXiv preprint arXiv:1909.05977 (2019).Google ScholarGoogle Scholar
  18. [18] Peon Roberto and Ruellan Herve. 2015. HPACK: Header Compression for HTTP/2. RFC 7541. Google ScholarGoogle ScholarCross RefCross Ref
  19. [19] Pomfrey Luke. 2018. django-debreach. https://github.com/lpomfrey/django-debreach. (Accessed on Apr. 7, 2021).Google ScholarGoogle Scholar
  20. [20] Rescorla Eric. 2018. The Transport Layer Security (TLS) Protocol Version 1.3. RFC 8446. Google ScholarGoogle ScholarCross RefCross Ref
  21. [21] Rizzo Juliano and Duong Thai. 2012. The CRIME attack. In Ekoparty Security Conference, Vol. 2012.Google ScholarGoogle Scholar
  22. [22] Salowey Joseph. 2014. Confirmation of consensus on removing compression from TLS 1.3. https://mailarchive.ietf.org/arch/msg/tls/xhMLf8j4pq8W_ZGXUUU1G_m6r1c/. (Accessed on Apr. 7, 2021).Google ScholarGoogle Scholar
  23. [23] Sam Ruby, Thomas Dave, and Hansson David Heinemeier. 2009. Agile Web Development with Rails.Google ScholarGoogle Scholar
  24. [24] Squirrelmail. 2011. https://squirrelmail.org/. (Accessed on Jul. 22, 2022).Google ScholarGoogle Scholar
  25. [25] Goethem Tom Van, Vanhoef Mathy, Piessens Frank, and Joosen Wouter. 2016. Request and conquer: Exposing cross-origin resource size. In 25th USENIX Security Symposium (USENIX Security 16). 447462.Google ScholarGoogle Scholar
  26. [26] Vanhoef Mathy and Goethem Tom Van. 2016. HEIST: HTTP encrypted information can be stolen through TCP-windows. In Black Hat USA.Google ScholarGoogle Scholar
  27. [27] W3Techs. 2022. Usage statistics of Gzip compression for websites. https://w3techs.com/technologies/details/ce-gzipcompression. (Accessed on Jul. 22, 2021).Google ScholarGoogle Scholar
  28. [28] Zeller William and Felten Edward W.. 2008. Cross-Site Request Forgeries: Exploitation and Prevention. http://citeseerx.ist.psu.edu/viewdoc/summary?doi=10.1.1.147.1445. (Accessed on Jul. 22, 2021).Google ScholarGoogle Scholar
  29. [29] Zieliński Michał. 2016. SafeDeflate: Compression Without Leaking Secrets. Technical Report. Cryptology ePrint Archive. https://eprint.iacr.org/2016/958. (Accessed on Jul. 22, 2022).Google ScholarGoogle Scholar
  30. [30] Ziv Jacob and Lempel Abraham. 1977. A universal algorithm for sequential data compression. IEEE Transactions on Information Theory 23, 3 (1977), 337343.Google ScholarGoogle ScholarDigital LibraryDigital Library

Index Terms

  1. Mutexion: Mutually Exclusive Compression System for Mitigating Compression Side-Channel Attacks

      Recommendations

      Comments

      Login options

      Check if you have access through your login credentials or your institution to get full access on this article.

      Sign in

      Full Access

      • Published in

        cover image ACM Transactions on the Web
        ACM Transactions on the Web  Volume 16, Issue 4
        November 2022
        165 pages
        ISSN:1559-1131
        EISSN:1559-114X
        DOI:10.1145/3571715
        Issue’s Table of Contents

        Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than ACM must be honored. Abstracting with credit is permitted. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. Request permissions from [email protected].

        Publisher

        Association for Computing Machinery

        New York, NY, United States

        Publication History

        • Published: 16 November 2022
        • Online AM: 7 September 2022
        • Accepted: 21 July 2022
        • Revised: 25 May 2022
        • Received: 8 April 2021
        Published in tweb Volume 16, Issue 4

        Permissions

        Request permissions about this article.

        Request Permissions

        Check for updates

        Qualifiers

        • research-article
        • Refereed
      • Article Metrics

        • Downloads (Last 12 months)137
        • Downloads (Last 6 weeks)0

        Other Metrics

      PDF Format

      View or Download as a PDF file.

      PDF

      eReader

      View online with eReader.

      eReader

      Full Text

      View this article in Full Text.

      View Full Text

      HTML Format

      View this article in HTML Format .

      View HTML Format
      About Cookies On This Site

      We use cookies to ensure that we give you the best experience on our website.

      Learn more

      Got it!