AUTHSCAN: Automatic extraction of web authentication protocols from implementations
Ideally, security protocol implementations should be formally verified before they are deployed. In practice, however, this is rarely the case. Numerous high-profile vulnerabilities have recently been found in web authentication protocol implementations, especially in implementations of single sign-on (SSO) protocols. Much of the prior work on authentication protocol verification has focused on theoretical foundations and on building scalable verification tools for checking manually crafted specifications [17, 18, 44]. In this paper, we address the complementary problem of automatically extracting specifications from implementations. We propose AUTHSCAN, an end-to-end platform that automatically recovers authentication protocol specifications from their implementations. By running off-the-shelf verification tools on the specifications it recovers, AUTHSCAN finds a total of 7 security vulnerabilities in SSO protocol implementations and in the custom web authentication logic of web sites with millions of users.

Main Authors: BAI, Guangdong; LEI, Jike; MENG, Guozhu; VENKATRAMAN, Sai Sathyanarayan; SAXENA, Prateek; SUN, Jun; LIU, Yang; DONG, Jin Song
Format: text (application/pdf)
Language: English
Published: Institutional Knowledge at Singapore Management University, 2013 (2013-02-01)
Collection: Research Collection School Of Computing and Information Systems, InK@SMU (SMU Libraries)
Institution: Singapore Management University
Subjects: Software Engineering
License: http://creativecommons.org/licenses/by-nc-nd/4.0/
Online Access: https://ink.library.smu.edu.sg/sis_research/5008
https://ink.library.smu.edu.sg/context/sis_research/article/6011/viewcontent/ndss2013authscan.pdf
Record ID: sg-smu-ink.sis_research-6011