Information Leakage Vulnerabilities

Information Leakage Vulnerabilities
An Introduction

Prof. David Bernstein
James Madison University

Computer Science Department

bernstdh@jmu.edu

Overview

Nature of the Vulnerability:
- Information is provided using an unintended mechanism
Nature of the Attack:
- The attacker becomes aware of the unintended mechanism and makes use of it

Kinds of Mechanisms

Side Channels:
- Timing Channels - information is inferred by measuring the time required to complete different operations
- Storage Channels - information is inferred using properties of stored information (e.g., the names of files, the lengths of files)
Insecure Direct Object References:
- Insecure references to secure information (e.g., a URL that results in an operation being performed on data with a particular ID leaks information about that ID and the identification scheme)

Mitigation