Security and privacy implications of the multi-component nature of Software-as-a-Service

Shuo Chen, Microsoft Research Redmond


The essence of Software-as-a-Service is that an application is distributed between a browser and one or more web servers, forming a multi-component system across the Internet. In this talk, I will discuss two of our recent papers, showing that the web industry needs more disciplined programming practices to deal with security and privacy challenges due to the multi-component nature.

The first paper (to appear in Oakland’11) is about logic bugs in web service integrations. Specifically, we studied merchant websites that accept payments through third-party cashiers (e.g., PayPal, Amazon Payments and Google Checkout). We found that leading merchant applications and popular online stores contain serious logic flaws that allow a malicious shopper to purchase at an arbitrarily low price, shop for free after paying for one item, or even avoid payment. We reported these bugs to developers. Most of them have been fixed. Besides bug finding, we used a verification tool to study the complexity of a representative merchant logic.

The second paper (in Oakland’10) shows that, despite encryption, side-channel leaks are a realistic and serious threat to user privacy. We found that surprisingly detailed sensitive information is being leaked out from a number of high-profile web applications in healthcare, taxation, investment and web search: an eavesdropper can infer the illnesses/medications/surgeries of the user, her family income and investment secrets, despite HTTPS protection; a stranger on the street can glean enterprise employees' web search queries, despite WPA/WPA2 Wi-Fi encryption. The root causes of the problem are some fundamental characteristics of web 2.0 applications: stateful communication, low entropy input, and significant traffic distinctions. We further conducted an analysis to demonstrate the challenges of mitigating such a threat.

The URLs of the two papers are:

Time and Place

Apr 4 2011 (Monday) at 1630 hrs
Gates 463A