Explicating SDKs: Uncovering assumptions underlying secure authentication and authorization

Proceedings of the 22nd USENIX Security Symposium

Volumn , Issue , 2013, Pages 399-414

  Wang, Rui ^a   Zhou, Yuchen ^b   Chen, Shuo ^a   Qadeer, Shaz ^a   Evans, David ^b   Gurevich, Yuri ^a  

^a MICROSOFT RESEARCH   (United States)

^b UNIVERSITY OF VIRGINIA   (United States)

Author keywords

[No Author keywords available]

Indexed keywords

SEMANTICS; SOCIAL NETWORKING (ONLINE);

APPLICATION DEVELOPERS; AUTHENTICATION AND AUTHORIZATION; AUTHENTICATION SERVICES; FORMAL ANALYSIS TOOLS; MODERN APPLICATIONS; SECURE AUTHENTICATIONS; SECURITY PROPERTIES; UNDERLYING SYSTEMS;

AUTHENTICATION;

EID: 84992342056     PISSN: None     EISSN: None     Source Type: Conference Proceeding    
DOI: None     Document Type: Conference Paper

References (37)

1. th ACM SIGSOFT International Symposium on Foundations of Software Engineering), 2001.
2. nd ACM SIGPLAN-SIGACT Symposium on Principles of Programming Languages (POPL), 2005.
3. Thanassis Avgerinos, Sang Kil Cha, Brent Lim Tze Hao, and David Brumley. AEG: Automatic Exploit Generation. In Network and Distributed System Security Symposium (NDSS). February 2011.
4. Tom Ball, Ella Bounimova, Byron Cook, Vladimir Levin, Jakob Lichtenberg, Con McGarvey, Bohus Ondrusek, Sriram K. Rajamani, and Abdullah Ustuner. Thorough Static Analysis of Device Drivers. EuroSys. 2006.
5. Guangdong Bai, Jike Lei, Guozhu Meng, Sai Sathyanarayan Venkatraman, Prateek Saxena, Jun Sun, Yang Liu, and Jin Song Dong. AUTHSCAN: Automatic Extraction of Web Authentication Protocols from Implementations. In Network and Distributed System Security Symposium (NDSS). February 2013.
6. Chetan Bansal, Karthikeyan Bhargavan and Sergio Maffeis. Discovering Concrete Attacks on Website Authorization by Formal Analysis. IEEE Computer Security Foundations (CSF). 2012.
7. th International Conference on World Wide Web (WWW). 2005.
8. th IEEE Computer Security Foundations Workshop (CSFW), 2001.
9. Boogie: An Intermediate Verification Language. http://research.microsoft.com/en-us/projects/boogie/
10. John Bradley. The Problem with OAuth for Authentication. http://www.thread-safe.com/2012/01/problem-with-oauth-for-authentication.html
11. Hao Chen, David Wagner and Drew Dean. Setuid Demystified. USENIX Security Symposium. 2002
12. th USENIX Security Symposium. 2011.
13. st USENIX Security Symposium. 2012.
14. Facebook. "The Facebook bounty program," http://www.facebook.com/whitehat/bounty/
15. Facebook. SDK Reference - Facebook SDK for PHP. http://developers.facebook.com/docs/reference/php/
16. Facebook. OAuth Dialog, https://developers.facebook.com/docs/reference/dialogs/oauth/
17. Facebook. PHP SDK Usage. https://github.com/facebook/facebook-php-sdk/blob/master/readme.md
18. Facebook. Using App Access Tokens. http://developers.facebook.com/docs/opengraph/using-app-tokens/
19. Matin Georgiev, Subodh Iyengar, Suman Jana, Rishita Anubhai, Dan Boneh, Vitaly Shmatikov. The Most Dangerous Code in the World: Validating SSL Certificates in Non-Browser Software. ACM CCS. 2012.
20. Patrice Godefroid, Michael Y. Levin and David Molnar. Automated Whitebox Fuzz Testing. Network and Distributed System Security Symposium. 2008
21. Google. Using OAuth 2.0 to Access Google APIs. https://developers.google.com/accounts/docs/OAuth2
22. Dick Hardt. The OAuth 2.0 Authorization Framework (RFC6749). http://tools.ietf.org/html/rfc6749
23. Daniel Jackson. Alloy: A Language and Tool for Relational Models. http://alloy.mit.edu/alloy/index.html.
24. Akash Lal, Shaz Qadeer, and Shuvendu Lahiri. Corral: A Solver for Reachability Modulo Theories. Computer Aided Verification (CAV). 2012
25. Microsoft. Live Connect Developer Center - Metro Style Apps. http://msdn.microsoft.com/en-us/library/live/hh826551.aspx
26. Microsoft. Live SDK developer guide - Signing users in. http://msdn.microsoft.com/en-us/library/live/hh243641#signin
27. Microsoft. Live SDK Developer Guide - Single Sign-on for Apps and Websites. http://msdn.microsoft.com/en-us/library/live/hh826544.aspx
28. Microsoft. "LiveSDK's OAuth Sample Code in PHP," https://github.com/liveservices/LiveSDK/tree/master/Sa mples/PHP/OauthSample
29. Microsoft. Live Connect Developer Center - REST Reference. http://msdn.microsoft.com/en-us/library/live/hh243648.aspx
30. Microsoft. Windows. Security. Authentication. Web namespace, http://msdn.microsoft.com/library/windows/apps/BR227044
31. S. Pai, Y. Sharma, S. Kumar, R.M. Pai, and S. Singh. Formal Verification of OAuth 2.0 Using Alloy Framework. In Communication Systems and Network Technologies (CSNT). 2011.
32. Diomidis Spinellis and Panagiotis Louridas. A Framework for the Static Verification of API Calls. Journal of Systems and Software. July 2007.
33. San-Tsai Sun and Konstantin Beznosov. The Devil is in the (Implementation) Details: An Empirical Analysis of OAuth SSO Systems. ACM CCS. 2012.
34. Alan Turing, "Checking a Large Routine", presented at EDSAC Inaugural Conference, 1949. (available from http://www.turingarchive.org/browse.php/B/8)
35. Rui Wang, Shuo Chen, XiaoFeng Wang, and Shaz Qadeer. How to Shop for Free Online - Security Analysis of Cashier-as-a-Service Based Web Stores. IEEE Symposium on Security and Privacy. 2011
36. Rui Wang, Shuo Chen, XiaoFeng Wang. Signing Me onto Your Accounts through Facebook and Google: a Traffic-Guided Security Study of Commercially Deployed Single-Sign-On Web Services. IEEE Symposium on Security and Privacy. 2012
37. Rui Wang, Yuchen Zhou, Shuo Chen, Shaz Qadeer, David Evans, Yuri Gurevich. Explicating SDKs: Uncovering Assumptions Underlying Secure Authentication and Authorization. Microsoft Research Technical Report MSR-TR-2013-37, March 2013