Discover, Analyze, and Validate Attacks With Introspective Side Channels
Traditionally, the focus of the security property "confidentiality" is on users' data (or
application-layer information) such as passwords and credit card numbers. However, as
network systems grow in complexity, more sensitive and "internal" state information is
being maintained both within and external to the system, and therefore also subject to
being leaked or inferred. One such example is that more features are being pushed to the
middleboxes in the network, which causes additional sensitive network state to be kept.
The leakage of such internal state can ultimately cause security breaches at the
In my thesis, I describe my journey of systematically identifying the important security
impact of the internal network state revealed unintentionally through what I define as
introspective side channels. Such side channels in disguise only leak seemingly trivial
information. My approach consists of four steps: 1) Measurement (behavior
characterization of a target system). 2) Identification of sensitive network and system
state. 3) Identification of relevant introspective side channels. 4) Security analysis by
connecting the sensitive network state and the relevant introspective side channels.
Through these steps, I have developed techniques using side channels as building blocks
to enable a wide range of security applications to discover, analyze and validate both new
and existing attacks. For instance, I discovered that sensitive TCP-related state kept on
certain firewall middleboxes can be exposed to facilitate TCP injection and hijacking
attacks. More surprisingly, even without the middleboxes, similar attacks are still
possible due to newly identified introspective side-channels on the hosts.