
Title: Cerberus: Query-driven Scalable Security Checking for OAuth Service Provider Implementations

Abstract: OAuth protocols have been widely adopted to simplify user authentication and service authorization for third-party applications. However, little effort has been devoted to automatically checking the security of the libraries that service providers widely use. In this paper, we formalize the OAuth specifications and security best practices, and design Cerberus, an automated static analyzer, to find logical flaws and identify vulnerabilities in the implementation of OAuth service provider libraries. To efficiently detect security violations in a large codebase of service provider implementations, Cerberus employs a query-driven algorithm for answering queries about OAuth specifications. We demonstrate the effectiveness of Cerberus by evaluating it on datasets of popular OAuth libraries with millions of downloads. Among these high-profile libraries, Cerberus has identified 47 vulnerabilities from ten classes of logical flaws, 24 of which were previously unknown. We were acknowledged by the developers of eight libraries, and three CVEs have been accepted.
Comments: Accepted to appear in the Proc. of ACM Conference on Computer and Communications Security (CCS 2022)
Subjects: Cryptography and Security (cs.CR)
Cite as: arXiv:2110.01005 [cs.CR]
  (or arXiv:2110.01005v2 [cs.CR] for this version)

Submission history

From: Tamjid Al Rahat [view email]
[v1] Sun, 3 Oct 2021 13:43:38 GMT (3551kb,D)
[v2] Mon, 16 May 2022 01:52:13 GMT (3849kb,D)