Cross-site search attacks

Nethanel Gelernter, Amir Herzberg

Research output: Chapter in Book/Report/Conference proceedingConference contributionpeer-review

25 Scopus citations

Abstract

Cross-site search (XS-search) attacks circumvent the sameorigin policy and extract sensitive information, by using the time it takes for the browser to receive responses to search queries. This side-channel is usually considered impractical, due to the limited attack duration and high variability of delays. This may be true for naive XS-search attacks; however, we show that the use of better tools facilitates effective XS-search attacks, exposing information efficiently and precisely. We present and evaluate three types of tools: (1) appropriate statistical tests, (2) amplification of the timing side-channel, by 'inating' communication or computation, and (3) optimized, tailored divide-and-conquer algorithms, to identify terms from large 'dictionaries'. These techniques may be applicable in other scenarios. We implemented and evaluated the attacks against the popular Gmail and Bing services, in several environments and ethical experiments, taking careful, IRB-approved measures to avoid exposure of personal information.

Original languageEnglish
Title of host publicationCCS 2015 - Proceedings of the 22nd ACM SIGSAC Conference on Computer and Communications Security
PublisherAssociation for Computing Machinery
Pages1394-1405
Number of pages12
ISBN (Electronic)9781450338325
DOIs
StatePublished - 12 Oct 2015
Event22nd ACM SIGSAC Conference on Computer and Communications Security, CCS 2015 - Denver, United States
Duration: 12 Oct 201516 Oct 2015

Publication series

NameProceedings of the ACM Conference on Computer and Communications Security
Volume2015-October
ISSN (Print)1543-7221

Conference

Conference22nd ACM SIGSAC Conference on Computer and Communications Security, CCS 2015
Country/TerritoryUnited States
CityDenver
Period12/10/1516/10/15

Bibliographical note

Publisher Copyright:
© 2015 ACM.

Keywords

  • Privacy
  • Security
  • Side channel attacks
  • Web

Fingerprint

Dive into the research topics of 'Cross-site search attacks'. Together they form a unique fingerprint.

Cite this