Security and privacy implications of the multi-component nature of Software-as-a-Service
Shuo Chen, Microsoft Research Redmond
Abstract:
The essence of Software-as-a-Service is that an application is
distributed between a browser and one or more web servers, forming a
multi-component system across the Internet. In this talk, I will discuss
two of our recent papers, showing that the web industry needs more
disciplined programming practices to deal with the security and privacy
challenges that arise from this multi-component nature.
The first paper (to appear in Oakland’11) is about logic bugs in web
service integrations. Specifically, we studied merchant websites that
accept payments through third-party cashiers (e.g., PayPal, Amazon
Payments and Google Checkout). We found that leading merchant
applications and popular online stores contain serious logic flaws that
allow a malicious shopper to purchase at an arbitrarily low price, shop
for free after paying for one item, or even avoid payment. We reported
these bugs to developers. Most of them have been fixed. Besides bug
finding, we used a verification tool to study the complexity of a
representative merchant logic.
The second paper (in Oakland’10) shows that, despite encryption,
side-channel leaks are a realistic and serious threat to user privacy.
We found that surprisingly detailed sensitive information is being
leaked from a number of high-profile web applications in healthcare,
taxation, investment and web search: an eavesdropper can infer the
illnesses/medications/surgeries of the user, her family income and
investment secrets, despite HTTPS protection; a stranger on the street
can glean enterprise employees' web search queries, despite WPA/WPA2
Wi-Fi encryption. The root causes of the problem are some fundamental
characteristics of Web 2.0 applications: low-entropy input, stateful
communication, and significant traffic distinctions. We further
conducted an analysis to demonstrate the challenges of mitigating such a
threat.
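
The following is an added example, not code from the talk or the papers: a defender-side estimate of how much a single page's response sizes reveal about a low-entropy user choice, and what padding to a fixed bucket size costs in bandwidth. The choice names, byte sizes and bucket sizes are constructed, and the model covers one application state with a uniform prior over choices.

```python
import math
from collections import defaultdict

# Constructed sample: encrypted response size in bytes for each choice a user
# can make on one page of a hypothetical application (a low-entropy input).
RESPONSE_SIZES = {
    "option-a": 1180, "option-b": 1495, "option-c": 2210, "option-d": 2260,
    "option-e": 3105, "option-f": 3990, "option-g": 4020, "option-h": 5340,
}

def pad(size, bucket):
    """Round a response size up to the next multiple of `bucket` bytes."""
    return -(-size // bucket) * bucket

def anonymity_sets(sizes, bucket):
    """Group the choices that look identical on the wire after padding."""
    groups = defaultdict(list)
    for choice, size in sizes.items():
        groups[pad(size, bucket)].append(choice)
    return sorted(groups.values())

def leaked_bits(sizes, bucket):
    """Bits about the choice revealed by the observed size (uniform prior)."""
    n = len(sizes)
    remaining = sum(len(g) / n * math.log2(len(g))
                    for g in anonymity_sets(sizes, bucket))
    return math.log2(n) - remaining

def overhead(sizes, bucket):
    """Extra bytes sent because of padding, as a fraction of the original."""
    original = sum(sizes.values())
    return (sum(pad(s, bucket) for s in sizes.values()) - original) / original

def report(sizes, buckets=(1, 128, 1024, 8192)):
    """One row per bucket size: (bucket, distinct sizes, leaked bits, overhead)."""
    return [(b, len(anonymity_sets(sizes, b)),
             round(leaked_bits(sizes, b), 2), round(overhead(sizes, b), 2))
            for b in buckets]

if __name__ == "__main__":
    for bucket, distinct, bits, cost in report(RESPONSE_SIZES):
        print(f"bucket={bucket:5d}  distinct sizes={distinct}  "
              f"leak={bits:.2f} bits  overhead={cost:.0%}")
```

On this sample, unpadded traffic identifies the choice exactly, and the leak only reaches zero at a bucket size that nearly triples the bytes sent.
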
The URLs of the two papers are:
http://research.microsoft.com/en-us/um/people/shuochen/caas/caas-oakland-final.pdf
http://research.microsoft.com/pubs/119060/WebAppSideChannel-final.pdf