A Comprehensive Formal Security Analysis of OAuth 2.0
作者: Daniel Fett , Ralf Küsters , Guido Schmitz
关键词:
摘要: The OAuth 2.0 protocol is one of the most widely deployed authorization/single sign-on (SSO) protocols and also serves as foundation for new SSO standard OpenID Connect. Despite popularity OAuth, so far analysis efforts were mostly targeted at finding bugs in specific implementations based on formal models which abstract from many web features or did not provide a treatment all. In this paper, we carry out first extensive an expressive model. Our aims establishing strong authorization, authentication, session integrity guarantees, definitions. our analysis, all four grant types (authorization code grant, implicit resource owner password credentials client grant) are covered. They may even run simultaneously same different relying parties identity providers, where malicious parties, browsers considered well. modeling assumes that security recommendations best practices followed order to avoid obvious known attacks. When proving model, discovered attacks break OAuth. vulnerabilities can be exploited practice present We propose fixes identified vulnerabilities, then, time, actually prove particular, show fixed version (with place) provides properties specify.
harvard.edu
acm.org
core.ac.uk
arxiv-vanity.com参考文章(29)
Wanpeng Li, Chris J. Mitchell, Security Issues in OAuth 2.0 SSO Implementations international conference on information security. pp. 529- 541 ,(2014) , 10.1007/978-3-319-13257-0_34
Ethan Shernan, Henry Carter, Dave Tian, Patrick Traynor, Kevin Butler, More Guidelines Than Rules: CSRF Vulnerabilities from Noncompliant OAuth 2.0 Implementations Detection of Intrusions and Malware, and Vulnerability Assessment. pp. 239- 260 ,(2015) , 10.1007/978-3-319-20550-2_13
Jinjin Liang, Haixin Duan, Shuo Chen, Nicholas Weaver, Tao Wan, Jian Jiang, Xiaofeng Zheng, Cookies lack integrity: real-world implications usenix security symposium. pp. 707- 721 ,(2015)
Chetan Bansal, Karthikeyan Bhargavan, Antoine Delignat-Lavaud, Sergio Maffeis, Discovering concrete attacks on website authorization by formal analysis Journal of Computer Security. ,vol. 22, pp. 601- 657 ,(2014) , 10.3233/JCS-140503
Martín Abadi, Cédric Fournet, Mobile values, new names, and secure communication Proceedings of the 28th ACM SIGPLAN-SIGACT symposium on Principles of programming languages - POPL '01. ,vol. 36, pp. 104- 115 ,(2001) , 10.1145/360204.360213
Devdatta Akhawe, Adam Barth, Peifung E. Lam, John Mitchell, Dawn Song, Towards a Formal Foundation of Web Security ieee computer security foundations symposium. pp. 290- 304 ,(2010) , 10.1109/CSF.2010.27
Alessandro Armando, Roberto Carbone, Luca Compagna, Jorge Cuéllar, Giancarlo Pellegrino, Alessandro Sorniotti, An authentication flaw in browser-based Single Sign-On protocols: Impact and remediations Computers & Security. ,vol. 33, pp. 41- 58 ,(2013) , 10.1016/J.COSE.2012.08.007
Apurva Kumar, Using automated model analysis for reasoning about security of web protocols Proceedings of the 28th Annual Computer Security Applications Conference on - ACSAC '12. pp. 289- 298 ,(2012) , 10.1145/2420950.2420993
Eric Y. Chen, Yutong Pei, Shuo Chen, Yuan Tian, Robert Kotcher, Patrick Tague, OAuth Demystified for Mobile Application Developers computer and communications security. pp. 892- 903 ,(2014) , 10.1145/2660267.2660323
Daniel Fett, Ralf Küsters, Guido Schmitz, SPRESSO: A Secure, Privacy-Respecting Single Sign-On System for the Web computer and communications security. pp. 1358- 1369 ,(2015) , 10.1145/2810103.2813726