Abstract
The Simple Authentication and Security Layer (SASL) is a framework for enabling application protocols to support authentication, integrity and confidentiality services. The SASL was originally specified in RFC 2222, and later updated in RFC 4422, using natural language. However, due to the richness of natural language this involves ambiguities and imprecision. Whilst there is an Oracle implementation of SASL, its documentation also contains informal descriptions and under-defined specifications of the RFCs. This paper provides clarification of ambiguity in SASL using Abstract State Machines (ASMs). This clarification is based on two ASM essential notions: a ground model to capture the intended SASL behavior in an understandable way, and a refinement notion to accurately explicate the ambiguous parts of the behavior. We also show some differences between RFCs and the description of the Oracle implementation. We believe our work can serve as a basis for further implementation and for formal analysis.
Access this chapter
Tax calculation will be finalised at checkout
Purchases are for personal use only
Notes
- 1.
- 2.
All the rules for the refined model that is based on RFC 2222/4422 are available online at https://doi.org/10.5281/zenodo.1204257, while for the refined model which is based on the description of Oracle implementation documentation are available at https://doi.org/10.5281/zenodo.1204242.
- 3.
The full ground models are available online at https://doi.org/10.5281/zenodo.1200216.
References
The CoreASM Project. http://www.coreasm.org/
Al-Shareefi, F., Lisitsa, A., Dixon, C.: Abstract state machines and system theoretic process analysis for safety-critical systems. In: Cavalheiro, S., Fiadeiro, J. (eds.) SBMF 2017. LNCS, vol. 10623, pp. 15–32. Springer, Cham (2017). https://doi.org/10.1007/978-3-319-70848-5_3
Arcaini, P., Holom, R.M., Riccobene, E.: ASM-based formal design of an adaptivity component for a Cloud system. Formal Aspects Comput. 28(4), 567–595 (2016)
Bella, G., Riccobene, E.: Formal analysis of the Kerberos authentication system. J. Univers. Comput. Sci. 3(12), 1337–1381 (1997)
Bishop, S., Fairbairn, M., Norrish, M., Sewell, P., Smith, M., Wansbrough, K.: Engineering with logic: HOL specification and symbolic-evaluation testing for TCP implementations, pp. 55–66. ACM Press (2006)
Börger, E., Stärk, R.: Abstract State Machines: A Method for High-Level System Design and Analysis. Springer, Heidelberg (2003). https://doi.org/10.1007/978-3-642-18216-7
Chelemen, R.M.: Modeling a web application for cloud content adaptation with ASMs. In: International Conference on Cloud Computing and Big Data (CloudCom-Asia), pp. 44–55. IEEE (2013)
Froome, P., Monahan, B.: The role of mathematically formal methods in the development and assessment of safety-critical systems. Microprocess. Microsyst. 12(10), 539–546 (1988)
Gargantini, A., Riccobene, E., Scandurra, P.: Model-driven language engineering: the ASMETA case study. In: The Third International Conference on Software Engineering Advances, ICSEA, pp. 373–378. IEEE (2008)
Gargantini, A.M., Riccobene, E., Scandurra, P.: A metamodel-based language and a simulation engine for abstract state machines. J. Univ. Comput. Sci. 14(12), 1949–1983 (2008)
Gurevich, Y.: Evolving algebras 1993: Lipari guide. In: Specification and Validation Methods, pp. 9–36. Oxford University Press (1995)
Leach, P., Newman, C.: Using Digest Authentication as a SASL Mechanism. RFC 2831 (2000)
Melnikov, A., Zeilenga, K.: Simple Authentication and Security Layer (SASL). RFC 4422 (2006)
Myers, J.: Simple Authentication and Security Layer (SASL). RFC 2222 (1997)
Oracle: Writing applications that use SASL. In: Developer’s Guide to Oracle Solaris®11 Security, Chap. 7, pp. 126–148. Oracle (2012)
Oracle: Java SASL API Programming and Deployment Guide. In: Java Platform, Standard Edition Security Developers Guide, Chap. 10, pp. 21–28. Oracle (2016)
Rosenzweig, D., Runje, D., Slani, N.: Privacy, abstract encryption and protocols: an ASM model - part I. In: Börger, E., Gargantini, A., Riccobene, E. (eds.) ASM 2003. LNCS, vol. 2589, pp. 372–390. Springer, Heidelberg (2003). https://doi.org/10.1007/3-540-36498-6_22
Siemborski, R., Gulbrandsen, A.: IMAP Extension for Simple Authentication and Security Layer (SASL) Initial Client Response. RFC 4959 (2007)
Siemborski, R., Melnikov, A.: SMTP Service Extension for Authentication Initial Client Response. RFC 4954 (2007)
Zeilenga, K.: The PLAIN Simple Authentication and Security Layer (SASL) Mechanism. RFC 4616 (2006)
Acknowledgments
The third author was partially supported by the EPSRC funded RAI Hub FAIR-SPACE (EP/R026092/1).
Author information
Authors and Affiliations
Corresponding author
Editor information
Editors and Affiliations
Rights and permissions
Copyright information
© 2018 Springer International Publishing AG, part of Springer Nature
About this paper
Cite this paper
Al-Shareefi, F., Lisitsa, A., Dixon, C. (2018). Clarification of Ambiguity for the Simple Authentication and Security Layer. In: Butler, M., Raschke, A., Hoang, T., Reichl, K. (eds) Abstract State Machines, Alloy, B, TLA, VDM, and Z. ABZ 2018. Lecture Notes in Computer Science(), vol 10817. Springer, Cham. https://doi.org/10.1007/978-3-319-91271-4_13
Download citation
DOI: https://doi.org/10.1007/978-3-319-91271-4_13
Published:
Publisher Name: Springer, Cham
Print ISBN: 978-3-319-91270-7
Online ISBN: 978-3-319-91271-4
eBook Packages: Computer ScienceComputer Science (R0)