Debreach: Mitigating Compression Side Channels via Static Analysis and Transformation
Compression is an emerging source of exploitable side-channel leakage that threatens data security, particularly in web applications where compression is indispensable for performance reasons. Current approaches to mitigating compression side channels have drawbacks in that they either degrade compression ratio drastically or require too much effort from developers to be widely adopted. To bridge the gap, we develop Debreach, a static analysis and program transformation based approach to mitigating compression side channels. Debreach consists of two steps. First, it uses taint analysis to soundly identify flows of sensitive data in the program and uses code instrumentation to annotate data before feeding them to the compressor. Second, it enhances the compressor to exploit the freedom to not compress of standard compression protocols, thus removing the dependency between sensitive data and the size of the compressor’s output. Since Debreach automatically instruments applications and does not change the compression protocols, it has the advantage of being non-disruptive and compatible with existing systems. We have evaluated Debreach on a set of web server applications written in PHP. Our experiments show that, while ensuring leakage-freedom, Debreach can achieve significantly higher compression performance than state-of-the-art approaches.
Thu 14 NovDisplayed time zone: Tijuana, Baja California change
13:40 - 15:20 | Program AnalysisResearch Papers / Demonstrations at Cortez 1 Chair(s): Coen De Roover Vrije Universiteit Brussel | ||
13:40 20mTalk | Debreach: Mitigating Compression Side Channels via Static Analysis and Transformation Research Papers Brandon Paulsen University of Southern California, Chungha Sung University of Southern California, Peter Peterson University of Minnesota Duluth, Chao Wang USC | ||
14:00 20mTalk | Fine-grain memory object representation in symbolic execution Research Papers Martin Nowack Imperial College London | ||
14:20 20mTalk | RENN: Efficient Reverse Execution with Neural-Network-assisted Alias Analysis Research Papers Dongliang Mu Nanjing University, Wenbo Guo The Pennsylvania State University, Alejandro Cuevas The Pennsylvania State University, Yueqi Chen The Pennsylvania State University, Jinxuan Gai The Pennsylvania State University, Xinyu Xing The Pennsylvania State University, Bing Mao Nanjing University, Chengyu Song UC Riverside | ||
14:40 20mTalk | Batch Alias Analysis Research Papers Pre-print | ||
15:00 10mDemonstration | Manticore: A User-Friendly Symbolic Execution Framework for Binaries and Smart Contracts Demonstrations Mark Mossberg Trail of Bits, Felipe Manzano Trail of Bits, Eric Hennenfent Trail of Bits, Alex Groce Northern Arizona University, Gustavo Grieco Trail of Bits, Josselin Feist Trail of Bits, Trent Brunson Trail of Bits, Artem Dinaburg Trail of Bits Media Attached | ||
15:10 10mDemonstration | BuRRiTo: A Framework to Extract, Specify, Verify and Analyze Business Rules Demonstrations Pavan Kumar Chittimalli TCS Research, Kritika Anand TCS Research, Shrishti Pradhan TCS Research, Sayandeep Mitra TCS Research, Chandan Prakash TCS Research, Rohit Shere TCS Research, Ravindra Naik TCS Research, TRDDC, India | ||