Paving a road to hell with good side-channels
Abstract
At USENIX Security 2019, the former Chief Security Officer for
Facebook, Alex Stamos, begged security researchers to start working on "actual
bad stuff" that happens to real people as opposed to esoteric "side channel
attacks", which leak information through unexpected side-channels of expected
behavior. This talk will serve as my rejoinder to his call, focusing on the real damage
that can be caused by the information leaked through side-channels, not only by
criminal actors but also by your favorite (apparently legitimate) service providers.
I will cover three of my students' (somewhat) recently published side-channel attacks on
- the location of your phone (CNS 2019),
- your web browser (WOOT 2019), and
- your device's page cache (CCS 2019).
I will also cover the root causes of side-channels, unsuccessful
paradigms for mitigating them, and what hope there may be for the future.
References