AUTHSCAN: Automatic Extraction of Web Authentication Protocols from Implementations

Guangdong Bai; Jike Lei; Guozhu Meng; Sai Sathyanarayan Venkatraman; Prateek Saxena; Jun Sun; Yang Liu; Jin Song Dong

AUTHSCAN: Automatic Extraction of Web Authentication Protocols from Implementations

Guangdong Bai
, Jike Lei
, Guozhu Meng
, Sai Sathyanarayan Venkatraman
, Prateek Saxena
, Jun Sun
, Yang Liu
, Jin Song Dong

Research output: Chapters, Conference Papers, Creative and Literary Works › RGC 32 - Refereed conference paper (with host publication) › peer-review

86 Citations (Scopus)

Abstract

Ideally, security protocol implementations should be formally verified before they are deployed. However, this is not true in practice. Numerous high-profile vulnerabilities have been found in web authentication protocol implementations, especially in single-sign on (SSO) protocols implementations recently. Much of the prior work on authentication protocol verification has focused on theoretical foundations and building scalable verification tools for checking manually-crafted specifications [17, 18, 44]. In this paper, we address a complementary problem of automatically extracting specifications from implementations. We propose AUTHSCAN, an end-to-end platform to automatically recover authentication protocol specifications from their implementations. AUTHSCAN finds a total of 7 security vulnerabilities using off-the-shelf verification tools in specifications it recovers, which include SSO protocol implementations and custom web authentication logic of web sites with millions of users. © NDSS 2013.All rights reserved.

Original language	English
Title of host publication	20th Annual Network and Distributed System Security Symposium, NDSS 2013
Publisher	The Internet Society
Publication status	Published - 2013
Externally published	Yes
Event	20th Annual Network and Distributed System Security Symposium, NDSS 2013 - San Diego, United States Duration: 24 Feb 2013 → 27 Feb 2013

Publication series

Name	20th Annual Network and Distributed System Security Symposium, NDSS 2013

Conference

Conference	20th Annual Network and Distributed System Security Symposium, NDSS 2013
Place	United States
City	San Diego
Period	24/02/13 → 27/02/13

Bibliographical note

Publication details (e.g. title, author(s), publication statuses and dates) are captured on an “AS IS” and “AS AVAILABLE” basis at the time of record harvesting from the data source. Suggestions for further amendments or supplementary information can be sent to [email protected].

Funding

We thank our shepherd Venkat Venkatakrishnan and the anonymous reviewers for their insightful comments to improve this manuscript. We also thank Matthew Finifter, Joel Weinberger, Jun Pang, Yacin Nadji, Joseph Hong, Bod-hisatta Roy and Mayank Dhiman for their helpful feedback and comments. This research is partially supported by research grant R-252-000-495-133 from Ministry of Education, Singapore, research project “Automatic Checking and Verification of Security Protocol Implementations” and “Research and Development in the Formal Verification of System Design and Implementation”.

Other Access Options

Check CityUHK Library

Permanent Link

Right click to copy link

Cite this

@inproceedings{a7aa9a8a2e4245778e11c45b26f230f7,

title = "AUTHSCAN: Automatic Extraction of Web Authentication Protocols from Implementations",

abstract = "Ideally, security protocol implementations should be formally verified before they are deployed. However, this is not true in practice. Numerous high-profile vulnerabilities have been found in web authentication protocol implementations, especially in single-sign on (SSO) protocols implementations recently. Much of the prior work on authentication protocol verification has focused on theoretical foundations and building scalable verification tools for checking manually-crafted specifications [17, 18, 44]. In this paper, we address a complementary problem of automatically extracting specifications from implementations. We propose AUTHSCAN, an end-to-end platform to automatically recover authentication protocol specifications from their implementations. AUTHSCAN finds a total of 7 security vulnerabilities using off-the-shelf verification tools in specifications it recovers, which include SSO protocol implementations and custom web authentication logic of web sites with millions of users. {\textcopyright} NDSS 2013.All rights reserved.",

author = "Guangdong Bai and Jike Lei and Guozhu Meng and Venkatraman, \{Sai Sathyanarayan\} and Prateek Saxena and Jun Sun and Yang Liu and Dong, \{Jin Song\}",

note = "Publication details (e.g. title, author(s), publication statuses and dates) are captured on an “AS IS” and “AS AVAILABLE” basis at the time of record harvesting from the data source. Suggestions for further amendments or supplementary information can be sent to [email protected].; 20th Annual Network and Distributed System Security Symposium, NDSS 2013 ; Conference date: 24-02-2013 Through 27-02-2013",

year = "2013",

language = "English",

series = "20th Annual Network and Distributed System Security Symposium, NDSS 2013",

publisher = "The Internet Society",

booktitle = "20th Annual Network and Distributed System Security Symposium, NDSS 2013",

}

Bai, G, Lei, J, Meng, G, Venkatraman, SS, Saxena, P, Sun, J, Liu, Y & Dong, JS 2013, AUTHSCAN: Automatic Extraction of Web Authentication Protocols from Implementations. in 20th Annual Network and Distributed System Security Symposium, NDSS 2013. 20th Annual Network and Distributed System Security Symposium, NDSS 2013, The Internet Society, 20th Annual Network and Distributed System Security Symposium, NDSS 2013, San Diego, United States, 24/02/13.

AUTHSCAN: Automatic Extraction of Web Authentication Protocols from Implementations. / Bai, Guangdong; Lei, Jike; Meng, Guozhu et al.
20th Annual Network and Distributed System Security Symposium, NDSS 2013. The Internet Society, 2013. (20th Annual Network and Distributed System Security Symposium, NDSS 2013).

Research output: Chapters, Conference Papers, Creative and Literary Works › RGC 32 - Refereed conference paper (with host publication) › peer-review

TY - GEN

T1 - AUTHSCAN

T2 - 20th Annual Network and Distributed System Security Symposium, NDSS 2013

AU - Bai, Guangdong

AU - Lei, Jike

AU - Meng, Guozhu

AU - Venkatraman, Sai Sathyanarayan

AU - Saxena, Prateek

AU - Sun, Jun

AU - Liu, Yang

AU - Dong, Jin Song

N1 - Publication details (e.g. title, author(s), publication statuses and dates) are captured on an “AS IS” and “AS AVAILABLE” basis at the time of record harvesting from the data source. Suggestions for further amendments or supplementary information can be sent to [email protected].

PY - 2013

Y1 - 2013

N2 - Ideally, security protocol implementations should be formally verified before they are deployed. However, this is not true in practice. Numerous high-profile vulnerabilities have been found in web authentication protocol implementations, especially in single-sign on (SSO) protocols implementations recently. Much of the prior work on authentication protocol verification has focused on theoretical foundations and building scalable verification tools for checking manually-crafted specifications [17, 18, 44]. In this paper, we address a complementary problem of automatically extracting specifications from implementations. We propose AUTHSCAN, an end-to-end platform to automatically recover authentication protocol specifications from their implementations. AUTHSCAN finds a total of 7 security vulnerabilities using off-the-shelf verification tools in specifications it recovers, which include SSO protocol implementations and custom web authentication logic of web sites with millions of users. © NDSS 2013.All rights reserved.

AB - Ideally, security protocol implementations should be formally verified before they are deployed. However, this is not true in practice. Numerous high-profile vulnerabilities have been found in web authentication protocol implementations, especially in single-sign on (SSO) protocols implementations recently. Much of the prior work on authentication protocol verification has focused on theoretical foundations and building scalable verification tools for checking manually-crafted specifications [17, 18, 44]. In this paper, we address a complementary problem of automatically extracting specifications from implementations. We propose AUTHSCAN, an end-to-end platform to automatically recover authentication protocol specifications from their implementations. AUTHSCAN finds a total of 7 security vulnerabilities using off-the-shelf verification tools in specifications it recovers, which include SSO protocol implementations and custom web authentication logic of web sites with millions of users. © NDSS 2013.All rights reserved.

UR - https://www.scopus.com/pages/publications/85096354052

UR - https://www.scopus.com/record/pubmetrics.uri?eid=2-s2.0-85096354052&origin=recordpage

M3 - RGC 32 - Refereed conference paper (with host publication)

T3 - 20th Annual Network and Distributed System Security Symposium, NDSS 2013

BT - 20th Annual Network and Distributed System Security Symposium, NDSS 2013

PB - The Internet Society

Y2 - 24 February 2013 through 27 February 2013

ER -

AUTHSCAN: Automatic Extraction of Web Authentication Protocols from Implementations

Abstract

Publication series

Conference

Bibliographical note

Funding

Other Access Options

Permanent Link

Other Files and Links

Fingerprint

Cite this