AuthScan: Automatic Extraction of Web Authentication Protocols from Implementations
Date: April 2013
Publication: Proceedings of the 20th Annual Network & Distributed System Security Symposium, NDSS 2013
Publisher: Internet Society
Source 1: http://www.internetsociety.org/sites/default/files/04_4_0.pdf
Source 2: http://compsec.comp.nus.edu.sg/papers/AuthScan-NDSS13.pdf
Abstract or Summary:
Ideally, security protocol implementations should be formally verified before they are deployed. However, this is not true in practice. Numerous high-profile vulnerabilities have been found in web authentication protocol implementations, especially in single-sign on (SSO) protocols implementations recently. Much of the prior work on authentication protocol verification has focused on theoretical foundations and building scalable verification tools for checking manually-crafted specifications.
In this paper, we address a complementary problem of automatically extracting specifications from implementations. We propose AUTHSCAN, an end-to-end platform to automatically recover authentication protocol specifications from their implementations. AUTHSCAN finds a total of 7 security vulnerabilities using off-the-shelf verification tools in specifications it recovers, which include SSO protocol implementations and custom web authentication logic of web sites with millions of users.
PasswordResearch.com Note: Additional authors: Yang Liu & Jin Song Dong
Do you have additional information to contribute regarding this research paper? If so, please email firstname.lastname@example.org with the details.