AuthScan: Automatic Extraction of Web Authentication Protocols from Implementations
Author(s): Guangdong Bai, Jike Lei, Guozhu Meng, Sai Sathyanarayan Venkatraman, Prateek Saxena, Jun Sun

Date: April 2013
Publication: Proceedings of the 20th Annual Network & Distributed System Security Symposium, NDSS 2013
Publisher: Internet Society
Source 1: http://www.internetsociety.org/sites/default/files/04_4_0.pdf
Source 2: http://compsec.comp.nus.edu.sg/papers/AuthScan-NDSS13.pdf

Abstract or Summary:
Ideally, security protocol implementations should be formally verified before they are deployed. However, this is not true in practice. Numerous high-profile vulnerabilities have been found in web authentication protocol implementations, especially in single-sign on (SSO) protocols implementations recently. Much of the prior work on authentication protocol verification has focused on theoretical foundations and building scalable verification tools for checking manually-crafted specifications.

In this paper, we address a complementary problem of automatically extracting specifications from implementations. We propose AUTHSCAN, an end-to-end platform to automatically recover authentication protocol specifications from their implementations. AUTHSCAN finds a total of 7 security vulnerabilities using off-the-shelf verification tools in specifications it recovers, which include SSO protocol implementations and custom web authentication logic of web sites with millions of users.


PasswordResearch.com Note: Additional authors: Yang Liu & Jin Song Dong


Do you have additional information to contribute regarding this research paper? If so, please email siteupdates@passwordresearch.com with the details.

<-- Back to Authentication Research Paper Index





[Home] [About Us] [News] [Research]

Copyright © 2016 PasswordResearch.com