Securing Timeout Instructions in Web Applications
Paper i proceeding, 2009
Timeout mechanisms are a useful feature for web
applications. However, these mechanisms need to be
used with care because, if used as-is, they are vulnerable
to timing attacks. This paper focuses on internal
timing attacks, a particularly dangerous class of timing
attacks, where the attacker needs no access to a
clock. In the context of client-side web application
security, we present JavaScript-based exploits against
the timeout mechanism of the DOM (document object
model), supported by the modern browsers. Our experimental
findings reveal rather liberal choices for the
timeout semantics by different browsers and motivate
the need for a general security solution. We propose
a foundation for such a solution in the form of a
runtime monitor. We illustrate for a simple language
that, while being more permissive than a typical static
analysis, the monitor enforces termination-insensitive
noninterference.
information-flow
Timeout
web security