A lightweight formal approach for analyzing security of web protocols

Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)

Volumn 8688 LNCS, Issue , 2014, Pages 192-211

  Kumar, Apurva ^a  

^a IBM RESEARCH   (United States)

Author keywords

Federated Identity; Security Protocols; Web Security

Indexed keywords

MODEL CHECKING; NETWORK SECURITY; FORMAL LOGIC; MODELING LANGUAGES;

CRYPTOGRAPHIC PROTOCOLS; FEDERATED IDENTITY; IDENTITY FEDERATION; MODEL CHECKING TOOLS; SCIENTIFIC COMMUNITY; SECURITY PROTOCOLS; WEB SECURITY; WEB-BASED PROTOCOLS; INDUSTRIAL STRENGTH;

INTERNET PROTOCOLS;

EID: 84906731380     PISSN: 03029743     EISSN: 16113349     Source Type: Book Series    
DOI: 10.1007/978-3-319-11379-1_10     Document Type: Conference Paper

References (30)

1. Abadi, M., Blanchet, B.: Analyzing security protocols with secrecy types and logic programs. Journal of the ACM (JACM) 52(1), 102-146 (2005)
2. Abadi, M., Fournet, C.: Mobile values, new names, and secure communication. In: Proceedings of The 28th ACM SIGPLAN-SIGACT Symposium on Principles of Programming Languages, pp. 104-115. ACM (2001)
3. Abadi, M., Tuttle, M.: A semantics for a logic of authentication. In: Proceedings of the Tenth Annual ACM Symposium on Principles of Distributed Computing, pp. 201-216. ACM (1991)
4. Akhawe, D., Barth, A., Lam, P., Mitchell, J., Song, D.: Towards a formal foundation of web security. In: Proceedings of 23rd IEEE Computer Security Foundations Symposium, pp. 290-304. IEEE (2010)
5. Armando, A., Carbone, R., Compagna, L., Cuellar, J., Tobarra, L.: Formal analysis of SAML 2.0 web browser single sign-on: Breaking the SAML-based single sign-on for Google Apps. In: Proceedings of the 6th ACM Workshop on Formal Methods in Security Engineering, pp. 1-10. ACM (2008)
6. Armando, A., Compagna, L.: SATMC: A SAT-based model checker for security protocols. In: Alferes, J.J., Leite, J. (eds.) JELIA 2004. LNCS (LNAI), vol. 3229, pp. 730-733. Springer, Heidelberg (2004) (Pubitemid 41049985)
7. Bansal, C., Bhargavan, K., Maffeis, S.: Discovering concrete attacks on website authorization by formal analysis. In: 2012 IEEE 25th Computer Security Foundations Symposium (CSF), pp. 247-262. IEEE (2012)
8. Blanchet, B.: Automatic verification of correspondences for security protocols. Journal of Computer Security 17(4), 363-434 (2009)
9. Blanchet, B.: Using Horn clauses for analyzing security protocols. Formal Models and Techniques for Analyzing Security Protocols 5, 86-111 (2011)
10. Blanchet, B., Abadi, M., Fournet, C.: Automated verification of selected equivalences for security protocols. Journal of Logic and Algebraic Programming 75(1), 3-51 (2008)
11. Blanchet, B., et al.: An efficient cryptographic protocol verifier based on Prolog rules. In: Proceedings of the 14th IEEE workshop on Computer Security Foundations, pp. 82-96 (2001)
12. Burrows, M., Abadi, M., Needham, R.: A logic of authentication. ACM Transactions on Computer Systems 8(1), 18-36 (1990)
13. Cantor, S., Kemp, I., Philpott, N., Maler, E.: Assertions and protocols for the OASIS Security Assertion Markup Language V2.0. OASIS Standard (March 2005)
14. Cervesato, I., Durgin, N.A., Lincoln, P., Mitchell, J.C., Scedrov, A.: A metanotation for protocol analysis. In: Proceedings of the 12th IEEE Computer Security Foundations Workshop, 1999, pp. 55-69. IEEE (1999)
15. Craigen, D., Saaltink, M.: Using EVES to analyze authentication protocols. Technical Report TR-96-5508-05, pp. 6-55 (1996)
16. Cremers, C.: Unbounded verification, falsification, and characterization of security protocols by pattern refinement. In: Proceedings of the 15th ACM Conference on Computer and Communications Security, pp. 119-128. ACM (2008)
17. Cremers, C.J.F., Lafourcade, P., Nadeau, P.: Comparing state spaces in automatic security protocol analysis. In: Cortier, V., Kirchner, C., Okada, M., Sakurada, H. (eds.) Formal to Practical Security. LNCS, vol. 5458, pp. 70-94. Springer, Heidelberg (2009)
18. Dolev, D., Yao, A.: On the security of public key protocols. IEEE Transactions on Information Theory 29(2), 198-208 (1983)
19. Durgin, N., Lincoln, P., Mitchell, J., Scedrov, A.: Undecidability of bounded security protocols. In: Proceedings of the Workshop on Formal Methods and Security Protocols (1999)
20. Fábrega, F., Herzog, J., Guttman, J.: Strand spaces: Why is a security protocol correct? In: Proceedings of 1998 IEEE Symposium on Research in Security and Privacy, pp. 160-171. IEEE (1998)
21. Hammer-Lahav, E., Recordon, D., Hardt, D.: The OAuth 2.0 authorization protocol. tools.ietf.org/html/ietf-oauth-v2-31, 8 (2011)
22. Jackson, D.: Alloy: A lightweight object modelling notation. ACM Transactions on Software Engineering and Methodology (TOSEM) 11(2), 256-290 (2002)
23. Kindred, D., Wing, J.: Fast, automatic checking of security protocols. In: Proceedings of 2nd Workshop on Electronic Commerce, pp. 41-52. USENIX (1996)
24. Kumar, A.: Model driven security analysis of IDaaS protocols. In: Kappel, G., Maamar, Z., Motahari-Nezhad, H.R. (eds.) ICSOC 2011. LNCS, vol. 7084, pp. 312-327. Springer, Heidelberg (2011)
25. Kumar, A.: Using automated model analysis for reasoning about security of web protocols. In: Proceedings of 28th Annual Computer Security Applications Conference, ACSAC 2012, pp. 289-298 (2012)
26. Nessett, D.: A critique of the Burrows, Abadi and Needham logic. ACM SIGOPS Operating Systems Review 24(2), 35-38 (1990)
27. Recordon, D., Reed, D.: OpenID 2.0: A platform for user-centric identity management. In: Proceedings of the Second ACM Workshop on Digital Identity Management, pp. 11-16. ACM (2006)
28. Schumann, J.: Automatic verification of cryptographic protocols with SETHEO. In: McCune, W. (ed.) CADE 1997. LNCS, vol. 1249, pp. 87-100. Springer, Heidelberg (1997)
29. Song, D., Berezin, S., Perrig, A.: Athena: A novel approach to efficient automatic security protocol analysis. Journal of Computer Security 9(1/2), 47-74 (2001)
30. Syverson, P., Van Oorschot, P.: On unifying some cryptographic protocol logics. In: Proceedings of 1994 IEEE Symposium on Research in Security and Privacy, pp. 14-28. IEEE (1994)