Skip directly to content

Minimize RSR Award Detail

Research Spending & Results

Award Detail

Doing Business As Name:Indiana University
  • XiaoFeng Wang
  • (812) 856-1862
Award Date:07/14/2010
Estimated Total Award Amount: $ 494,110
Funds Obligated to Date: $ 494,110
  • FY 2010=$494,110
Start Date:09/01/2010
End Date:08/31/2014
Transaction Type:Grant
Awarding Agency Code:4900
Funding Agency Code:4900
CFDA Number:47.070
Primary Program Source:040100 NSF RESEARCH & RELATED ACTIVIT
Award Title or Description:TC: Small: Reining in Side-Channel Information Leaks in the Software-as-a-Service Era
Federal Award ID Number:1017782
DUNS ID:006046700
Parent DUNS ID:006046700
Program Officer:
  • Jeremy Epstein
  • (703) 292-8338

Awardee Location

Street:509 E 3RD ST
Awardee Cong. District:09

Primary Place of Performance

Organization Name:Indiana University
Street:509 E 3RD ST
Cong. District:09

Abstract at Time of Award

With software-as-a-service (SaaS) rapidly becoming mainstream, web applications increasingly substitute for desktop software. A web application is a two-part program, with its components deployed both in the browser and in the web server. The interactions between these two components inevitably reveal the program's internal states to any observer of the communication stream, simply through the pattern of packet lengths and the timing of interactions, even if stream is entirely encrypted. This research reveals that these "side-channel" information leaks are both fundamental and common: a number of popular web applications are found to disclose highly sensitive user data such as one's family income, health profile, investments and more. This research will develop an in-depth understanding of web applications' side channel vulnerabilities, particularly the design features and domain knowledge that lead to side-channel leaks. Based upon this understanding, new technologies are developed to facilitate the detection and mitigation of the side-channel threats during the development and operation of web applications. These technologies will be made available to users so they can assess their vulnerabilities and to developers so they can reduce the vulnerabilities in the applications they build. The outcomes of the project will contribute to the improvement of privacy protection in the SaaS infrastructure and cloud computing.

Publications Produced as a Result of this Research

Note: When clicking on a Digital Object Identifier (DOI) number, you will be taken to an external site maintained by the publisher. Some full text articles may not yet be available without a charge during the embargo (administrative interval).

Some links on this page may take you to non-federal websites. Their policies may differ from this site.

F. Zhang, W. He, Y. Chen, Z. Li, X. Wang, S. Chen and X. Liu "Thwarting Wi-Fi Side-Channel Analysis through Traffic Demultiplexing" IEEE Transactions on Wireless Communication, v.13, 2013, p..

Project Outcomes Report


This Project Outcomes Report for the General Public is displayed verbatim as submitted by the Principal Investigator (PI) for this award. Any opinions, findings, and conclusions or recommendations expressed in this Report are those of the PI and do not necessarily reflect the views of the National Science Foundation; NSF has not approved or endorsed its content.

The prosperity of software-as-a-service (SaaS) comes with new security challenges.  Different from their desktop counterparts, the web application delivered through the SaaS infrastructure is a two-part program, with its components deployed both in the browser and in the web server.  The interactions between these two components inevitably discloses the internal states of the program to the network eavesdropper, through various “side channels” of the communication, such as packet lengths and the timing of interactions, even when the communication is entirely encrypted.   Further complicating the situation is the recent popularity of smartphone and tablet techniques, with millions of mobile applications (app for short) already on the market, most of which are essentially web applications with their client-side components directly running on various mobile devices.   Not only are those apps equally vulnerable to the network side-channel attack, just like their corresponding browser-side counterparts,  but they are also subject to the risks of information leaks through mobile operating systems (OS),  including each app’s mobile data, CPU and memory usages and more, which has all been made public to even untrusted apps running on the same devices.


Intellectual Merits. In this project, we performed a series of in-depth security analyses under different SaaS computing scenarios, on emerging mobile apps as well as conventional browser-based web applications.  Our studies have brought to light the scope and the magnitude of this new security risk (side channel leaks in SaaS):  a number of popular web applications are found to disclose highly sensitive user data, such as one's family income, health profile, investments and more through the patterns of their traffic; mobile computing devices expose the types of the applications they are running and their users’ activities through encrypted Wi-Fi packet sequences;  also high-profile mobile apps and even the mobile OS itself can be monitored by a malicious app without any permission to figure out the mobile user’s location, identity, driving routes and health and financial information, using such apparently innocent information as the BSSIDs of Wi-Fi access points,  mobile data usages,  CPU uses and the status of the speaker (on or off).   Further, the presence of such side-channel leaks enables the adversary to conduct reconnaissance on the states of the target OS or applications, which makes possible a wide range of attacks, from inferring the content of encrypted data on the cloud to taping the victim’s phone conversation and stealing her medical data from mobile healthcare accessories.   Examples of such information leaks are made available through video demos (


To mitigate those security risks, we developed a suite of new techniques for different computing platforms.   For conventional web applications, our automatic program analyzer, called “Sidebuster”, was designed to statically evaluate the source code of the program, identifying the potential program locations of side channels.  Then, a dynamic analysis is performed to quantify the amount of the information that can be exposed through the channels.  This helps the developer to analyze her programs and fix the potential weaknesses within the code during the application development stage.   In a mobile computing environment, we propose a new demultiplexing technique that decomposes a Wi-Fi communication flow into a set of streams, each mimicking the opera...

For specific questions or comments about this information including the NSF Project Outcomes Report, contact us.