AUTHSCAN: Automatic Extraction of Web Authentication Protocols from Implementations

20th Annual Network and Distributed System Security Symposium, NDSS 2013

Volumn , Issue , 2013, Pages

  Bai, Guangdong ^a   Lei, Jike ^a   Meng, Guozhu ^a   Venkatraman, Sai Sathyanarayan ^a   Saxena, Prateek ^a   Sun, Jun ^b   Liu, Yang ^c   Dong, Jin Song ^a  

^a NATIONAL UNIVERSITY OF SINGAPORE   (Singapore)

^b SINGAPORE UNIVERSITY OF TECHNOLOGY AND DESIGN   (Singapore)

^c NANYANG TECHNOLOGICAL UNIVERSITY   (Singapore)

Author keywords

[No Author keywords available]

Indexed keywords

AUTHENTICATION; INTERNET PROTOCOLS; NETWORK SECURITY;

AUTHENTICATION PROTOCOLS; AUTOMATIC EXTRACTION; PROTOCOL IMPLEMENTATION; PROTOCOL VERIFICATION; SECURITY PROTOCOLS; SINGLE SIGN ON; SINGLE SIGNS-ON; THEORETICAL FOUNDATIONS; VERIFICATION TOOLS; WEB AUTHENTICATION;

SPECIFICATIONS;

EID: 85096354052     PISSN: None     EISSN: None     Source Type: Conference Proceeding    
DOI: None     Document Type: Conference Paper

References (45)

1. AUTHSCAN. https://sites.google.com/site/ndss2013/.
2. BrowserID. https://wiki.mozilla.org/Identity/BrowserID.
3. Facebook Connect Authentication. http://developers.facebook.com/docs/authentication/.
4. Node.js v0.8.14 Manual & Documentation. http://nodejs.org/api/crypto.html.
5. What is OpenID. http://openid.net/get-an-openid/what-isopenid/.
6. Windows Live Messenger Connect, Version 4.1. http://msdn.microsoft.com/en-us/library/ff749458.aspx.
7. Facebook Connect Used By 250 Million People Per Month. http://allfacebook.com/facebook-connect-used-by-250-million-people-per-month b25501, Dec. 8, 2010.
8. Security Vulnerability Allegedly Discovered in Drop-box Client. http://news.softpedia.com/news/Design-Security-Flaw-Allegedly-Discovered-in-Dropbox-Client-194427.shtml, Apr. 11, 2011.
9. Mozilla jwcrypto. https://github.com/mozilla/jwcrypto, May 13, 2012.
10. The AVISPA project homepage. http://www.avispa-project.org/, May 13, 2012.
11. Wolfram alpha. http://www.wolframalpha.com/, May 13, 2012.
12. M. Abadi and A. D. Gordon. A Calculus for Cryptographic Protocols: The spi Calculus. Information and Computation, 148(1):1-70, 1999.
13. M. Abadi and M. R. Tuttle. A Semantics for A Logic of Authentication (Extended Abstract). In PODC, pages 201-216, 1991.
14. M. Aizatulin, A. D. Gordon, and J. Jürjens. Extracting and Verifying Cryptographic Models from C Protocol Code by Symbolic Execution. In CCS, pages 331-340, 2011.
15. D. Akhawe, A. Barth, P. E. Lam, J. Mitchell, and D. Song. Towards a Formal Foundation of Web Security. In CSF, pages 290-304, 2010.
16. A. Armando, R. Carbone, L. Compagna, J. Cuellar, and L. Tobarra. Formal Analysis of SAML 2.0 Web Browser Single Sign-On: Breaking the SAML-based Single Sign-On for Google Apps. In FMSE, pages 1-10, 2008.
17. C. Bansal, K. Bhargavan, and S. Maffeis. Discovering Concrete Attacks on Website Authorization by Formal Analysis. In CSF, pages 247-262, 2012.
18. B. Blanchet. An Efficient Cryptographic Protocol Verifier Based on Prolog Rules. In CSFW, pages 82-96, 2001.
19. B. Blanchet. Computationally Sound Mechanized Proofs of Correspondence Assertions. In CSF, pages 97-111, 2007.
20. B. Blanchet and A. Chaudhuri. Automated Formal Analysis of a Protocol for Secure File Sharing on Untrusted Storage. In S&P, pages 417-431, 2008.
21. M. Burrows, M. Abadi, and R. Needham. A Logic of Authentication. ACM Transactions On Computer Systems, 8:18-36, 1990.
22. C. J. Cremers. The Scyther Tool: Verification, Falsification, and Analysis of Security Protocols. In CAV, pages 414-418, 2008.
23. G. Delzanno and P. Ganty. Automatic Verification of Time Sensitive Cryptographic Protocols. In TACAS, pages 342-356, 2004.
24. D. Dolev and A. Yao. On the Security of Public Key Protocols. IEEE Transactions on Information Theory, 29:198-208, 1983.
25. D. E.Hammer-Lahav and D.Hardt. The OAuth2.0 Authorization Protocol. 2011. IETF Internet Draft.
26. T. Gross. Security Analysis of the SAML Single Sign-On Browser/Artifact Profile. In ACSAC, pages 298-307, 2003.
27. S. Hanna, E. C. R. Shinz, D. Akhawe, A. Boehmz, P. Saxena, and D. Song. The Emperor's New API: On the (In)Secure Usage of New Client Side Primitives. In W2SP, 2010.
28. S. M. Hansen, J. Skriver, and H. R. Nielson. Using Static Analysis to Validate the SAML Single Sign-On Protocol. In WITS, pages 27-40, 2005.
29. S. Juraj, M. Andreas, S. Jörg, K. Marco, and J. Meiko. On Breaking SAML: Be Whoever You Want to Be. In USENIX Security, 2012.
30. D. Lie, A. Chou, D. Engler, and D. L. Dill. A Simple Method for Extracting Models for Protocol Code. In ISCA, pages 192-203, 2001.
31. G. Lowe. Breaking and Fixing the Needham-Schroeder Public-Key Protocol Using FDR. In TACAS, pages 147-166, 1996.
32. G. Lowe. A Hierarchy of Authentication Specifications. In CSFW, pages 31-43, 1997.
33. M. Miculan and C. Urban. Formal Analysis of Facebook Connect Single Sign-On Authentication Protocol. In SOF-SEM, pages 99-116, 2011.
34. J. C. Mitchell, M. Mitchell, and U. Stern. Automated Analysis of Cryptographic Protocols Using Murphi. pages 141-151. IEEE Computer Society Press, 1997.
35. P. Saxena, D. Akhawe, S. Hanna, F. Mao, S. McCamant, and D. Song. A Symbolic Execution Framework for JavaScript. In S&P, pages 513-528, 2010.
36. P. Saxena, S. Hanna, P. Poosankam, and D. Song. FLAX: Systematic Discovery of Client-side Validation Vulnerabilities in Rich Web Applications. In NDSS, 2010.
37. D. X. Song. Athena: A New Efficient Automatic Checker for Security Protocol Analysis. In CSFW, pages 192-202, 1999.
38. J. Sun, Y. Liu, J. S. Dong, and J. Pang. PAT: Towards Flexible Verification under Fairness. In CAV, pages 709-714, 2009.
39. S.-T. Sun, K. Hawkey, and K. Beznosov. Systematically Breaking and Fixing OpenID Security: Formal Analysis, Semi-Automated Empirical Evaluation, and Practical Countermeasures. Computers & Security, 31:465-483, 2012.
40. E. Tsyrklevich and V. Tsyrklevich. Single Sign-On for the Internet: A Security Story. In BlackHat, July 2007.
41. D. Wagner and B. Schneier. Analysis of the SSL 3.0 protocol. In WOEC, volume 2, pages 29-40, 1996.
42. R. Wang, S. Chen, and X. Wang. Signing Me onto Your Accounts through Facebook and Google: a Traffic-Guided Security Study of Commercially Deployed Single-Sign-On Web Services. In S&P, pages 365-379, 2012.
43. T. Wang, T. Wei, G. Gu, and W. Zou. TaintScope: A Checksum-Aware Directed Fuzzing Tool for Automatic Software Vulnerability Detection. In S&P, May 2010.
44. T. Y. C. Woo and S. S. Lam. A Semantic Model for Authentication Protocols. In S&P, pages 178-194, 1993.
45. L. Xing, Y. Chen, X. Wang, and S. Chen. InteGuard: Toward Automatic Protection of Third-Party Web Service Integrations. In NDSS, 2013.