Publication Type
Conference Proceeding Article
Version
publishedVersion
Publication Date
2-2013
Abstract
Ideally, security protocol implementations should be formally verified before they are deployed. However, this is not true in practice. Numerous high-profile vulnerabilities have been found in web authentication protocol implementations, especially in single-sign on (SSO) protocols implementations recently. Much of the prior work on authentication protocol verification has focused on theoretical foundations and building scalable verification tools for checking manually-crafted specifications [17, 18, 44]. In this paper, we address a complementary problem of automatically extracting specifications from implementations. We propose AUTHSCAN, an end-to-end platform to automatically recover authentication protocol specifications from their implementations. AUTHSCAN finds a total of 7 security vulnerabilities using off-the-shelf verification tools in specifications it recovers, which include SSO protocol implementations and custom web authentication logic of web sites with millions of users.
Discipline
Software Engineering
Research Areas
Software and Cyber-Physical Systems
Publication
Proceedings of the 20th Annual Network and Distributed System Security Symposium, NDSS 2013, San Diego, California, February 24-27
First Page
1
Last Page
20
City or Country
San Diego, California
Citation
BAI, Guangdong; LEI, Jike; MENG, Guozhu; VENKATRAMAN, Sai Sathyanarayan; SAXENA, Prateek; SUN, Jun; LIU, Yang; and DONG, Jin Song.
AUTHSCAN: Automatic extraction of web authentication protocols from implementations. (2013). Proceedings of the 20th Annual Network and Distributed System Security Symposium, NDSS 2013, San Diego, California, February 24-27. 1-20.
Available at: https://ink.library.smu.edu.sg/sis_research/5008
Creative Commons License
This work is licensed under a Creative Commons Attribution-NonCommercial-No Derivative Works 4.0 International License.