Abstract
SSO (single-sign-on) services, such as those provided by Facebook, Google and Microsoft Azure, are integrated into tens of millions of websites and cloud services, just like lock manufacturers offering locks for every home. Imagine you are a website developer, typically unfamiliar with SSO protocols. Your manager wants you to integrate a particular SSO service into a website written in a particular language (e.g., PHP, ASP.NET or Python). You are likely overwhelmed by the amount of work for finding a suitable SSO library, understanding its programming guide, and writing your code. Moreover, studies have shown that many SSO integrations on real-world websites are incorrect, and thus vulnerable to security attacks! SVAuth is an open-source project that tries to provide integration solutions for all major SSO services in all major web languages. Its correctness is ensured by a technology called self-verifying execution, which performs program verification at runtime. SVAuth is so easy to adopt that a website developer does not need any knowledge about SSO protocols or implementations. This paper describes the architecture of SVAuth and how to use it on real-world websites.
This is a preview of subscription content, log in via an institution to check access.
Access this chapter
Tax calculation will be finalised at checkout
Purchases are for personal use only
References
.NET Core. https://www.microsoft.com/net/core
AllJoyn® Framework. https://allseenalliance.org/framework
Bansal, C., Bhargavan, K., Maffeis, S.: Discovering concrete attacks on website authorization by formal analysis. In: 25th IEEE Computer Security Foundations Symposium, CSF (2012)
Bai, G., Lei, J., Meng, G., Venkatraman, S.S., Saxena, P., Sun, J., Liu, Y., Dong, J.S.: Authscan: Automatic extraction of web authentication protocols from implementations. In: ISOC Network and Distributed System Security Symposium (2013)
Barnett, M., Qadeer, S.: BCT: A translator from MSIL to Boogie. In: Seventh Workshop on Bytecode Semantics, Verification, Analysis and Transformation (2012)
Chen, E., Chen, S., Qadeer, S., Wang, R.: Securing multiparty online services via certification of symbolic transactions. In: IEEE Symposium on Security and Privacy (2015)
Chen, E., Pei, Y., Tian, Y., Chen, S., Kotcher, R., Tague, P.: 1000 Ways to Die in Mobile OAuth. Blackhat, USA (2016)
Chen, F., d’Amorim, M., Rosu, G.: Checking and correcting behaviors of java programs at runtime with java-MOP. In: The Runtime Verification Workshop (2005)
Chen, F., Rosu, G.: MOP: An efficient and generic runtime verification framework. In: The ACM SIGPLAN Conference on Systems, Programming, Languages and Applications (OOPSLA) (2007)
Cloud Security Alliance. The Notorious Nine – Cloud Computing Top Threats in 2013. https://downloads.cloudsecurityalliance.org/initiatives/top_threats/The_Notorious_Nine_Cloud_Computing_Top_Threats_in_2013.pdf
DZone.com. The Liskov Substitution Principle (With Examples). https://dzone.com/articles/the-liskov-substitution-principle-with-examples
Lal, A., Qadeer, S., Lahiri, S.: A solver for reachability modulo theories. In: Computer Aided Verification (2012)
Liskov, B.H., Wing, J.M.: A behavioral notion of subtyping. ACM Trans. Program. Lang. Syst. 16(6), 1811–1841 (1994)
McCutchen, M., Song, D., Chen, S., Qadeer, S.: Self-verifying execution (Position Paper). In: Proceedings of the IEEE Cybersecurity Development Conference (SecDev) (2016)
Sun, S.-T., Beznosov, K.: The devil is in the (implementation) details: an empirical analysis of OAuth SSO systems. In: ACM conference on Computer and Communications Security (2012)
Trusted Computing Group. Trusted Platform Module Library Specification 2.0. http://www.trustedcomputinggroup.org/resources/tpm_library_specification
Wang, R., Chen, S., Wang, X.F.: Signing me onto your accounts through facebook and google: a traffic-guided security study of commercially deployed single-sign-on web services. In: IEEE Symposium on Security and Privacy (2012)
Wang, R., Zhou, Y., Chen, S., Qadeer, S., Evans, D., Gurevich, Y.: Explicating SDKs: Uncovering Assumptions Underlying Secure Authentication and Authorization. USENIX Security (2013)
Yang, R., Lau, W.C., Liu, T.: Signing into One Billion Mobile App Accounts Effortlessly with OAuth 2.0. Blackhat, Europe (2016)
Zhou, Y., Evans, D.: SSOScan: Automated Testing of Web Applications for Single Sign-On Vulnerabilities. USENIX Security (2014)
Author information
Authors and Affiliations
Corresponding author
Editor information
Editors and Affiliations
Rights and permissions
Copyright information
© 2017 Springer International Publishing AG
About this paper
Cite this paper
Chen, S., McCutchen, M., Cao, P., Qadeer, S., Iyer, R.K. (2017). SVAuth – A Single-Sign-On Integration Solution with Runtime Verification. In: Lahiri, S., Reger, G. (eds) Runtime Verification. RV 2017. Lecture Notes in Computer Science(), vol 10548. Springer, Cham. https://doi.org/10.1007/978-3-319-67531-2_21
Download citation
DOI: https://doi.org/10.1007/978-3-319-67531-2_21
Published:
Publisher Name: Springer, Cham
Print ISBN: 978-3-319-67530-5
Online ISBN: 978-3-319-67531-2
eBook Packages: Computer ScienceComputer Science (R0)