Information Leakage Vulnerabilities
An Introduction
Prof. David Bernstein
James Madison University
Computer Science Department
bernstdh@jmu.edu
Overview
Nature of the Vulnerability:
Information is provided using an unintended mechanism
Nature of the Attack:
The attacker becomes aware of the unintended mechanism
and makes use of it
Kinds of Mechanisms
Side Channels:
Timing Channels - information is inferred by measuring
the time required to complete different operations
Storage Channels - information is inferred using properties
of stored information (e.g., the names of files, the
lengths of files)
Insecure Direct Object References:
Insecure references to secure information (e.g., a URL
that results in an operation being performed on data
with a particular ID leaks information about that ID and
the identification scheme)
Mitigation
Tends to be application-specific
Cryptography and randomization tend to play an important role