5. Checks that
D(x)e mod n = x
I give you x, you
give me D(x)
So that
D(x)e mod n = x
What is the public key?
Private key?
29 October 2013
University of Virginia cs4414
5
6. SSL (Secure Sockets Layer)
Simplified TLS Handshake Protocol
Client
Verify Certificate
using KUCA
Check identity
matches URL
Generate
random K
Hello
Server
KRCA[Server Identity, KUS]
After the handshake, client has
KRCA[Server Identity, KUS], what
prevents client from reusing this
EKUS (K)
and impersonating the server?
Decrypt
using
KRS
Secure channel using K
29 October 2013
University of Virginia cs4414
6
7. SSL (Secure Sockets Layer)
Simplified TLS Handshake Protocol
Client
Verify Certificate
using KUCA
Check identity
matches URL
Generate
random K
Server
Hello
KRCA[Server Identity, KUS]
The client won’t have KRS, and
won’t be able to decrypt for K.
EKUS (K)
Decrypt
using
KRS
Secure channel using K
29 October 2013
University of Virginia cs4414
7
10. Single Sign-On (SSO) Service
Involves Three parties:
• Identity provider
• Relying party
• User
11. OAuth and Single Sign-On
Major identity providers (IdP) use OAuth as SSO
protocol
– 2.0 is the most popular version
OAuth specification describes what interface
IdPs should provide, and what practice the RP
must follow.
12. A typical OAuth authentication
workflow
Relying Party
(e.g., espn.com)
User
(Web Client)
Identity Provider
(e.g., Facebook)
Visit
Redirect
Login
Permission granting
OAuth Credentials
OAuth Credentials
Confirm credentials
Authenticated
Verify login and
issue credentials
20. Possible implementation
Possible Attack
response_type = access_token
Malicious
Foo App
App Client
Client
3 access_token
Facebook
back end
3 access_token
6 Welcome, Alice!
4 access_token
Foo App
Server
7 Welcome Alice?!
20
21.
22. Signed_request to the rescue!
c47YUduADVDyJs4yV6Lvq2V0yxPxSX_rJbzzhICFRQ.eyJhbGdvcml0aG0iOiJITUFDLVNIQTI1NiIsImNvZGUi
OiJBUUIwRGpVaW1TREpRcFdTY3M0Yk1rX2tZNU41SFBhZTZqV
Signature
mNEdVdpM2ktc1VJaHN4RmtHR2tneEU3UFFVYVBtbXdUV2dz
QWg5QUI1RmFzeXVOZkt3NGpGMDE3ZGY2WEEyazB6M3Q2az
NYYjFDVGJXQzZJZEtoaDdsRnp4TTExZm8tWGdYblZXbUxibU1f
MmJHWDhFVWlxQk1ybVpweUxTUzI0TUw0ZnB6WmhRZjU5Sz
U4bkY4LS1yT3M3QVI4RG0xb0xaeDduQkRiQVl4bmVqcnhOc0x
LZTB2UFhBb2JXaTVHNkxfOU1JS192alg2anZUSzlCcDItbEMyem
dveFNFb01BU2g0NzFqUnMwd2JzT29HUW1ZVDVndGRFaWcx
NzZMYkt1Q1ZqMDd1a2ZFejlEdU1wX09xSDFIVWFPWlRVNjlw
NFZnbVh0Ql9NVzQ3YWlmRGJHSTRYVyIsImlzc3VlZF9hdCI6MT
M3OTQyNDgxNCwidXNlcl9pZCI6IjEwMDAwMzkyOTkwNjEzNyJ
9
Base64 Encoded, signed by
application’s secret key
23. Signed_request to the rescue!
Base64 Decoded
{"algorithm":"HMACSHA256","code":"AQB0DjUimSDJQpWScs4bMk_kY5N5HP
ae6jVcDuWi3isUIhsxFkGGkgxE7PQUaPmmwTWgsAh9AB5FasyuNfKw4jF
017df6XA2k0z3t6k3Xb1CTbWC6IdKhh7lFzxM11foXgXnVWmLbmM_2bGX8EUiqBMrmZpyLSS24ML4fpzZhQf
59K58nF8-rOs7AR8Dm1oLZx7nBDbAYxnejrxNsLKe0vPXAobWi5G6L_
9MIK_vjX6jvTK9Bp2lC2zgoxSEoMASh471jRs0wbsOoGQmYT5gtdEig176LbKuC
Vj07ukfEz9DuMp_OqH1HUaOZTU69p4VgmXtB_MW47aif
DbGI4XW","issued_at":1379424814,"user_id":"10000392
9906137"}
User’s FB ID
24. Signature provides integrity and identity!
• Integrity: signed contents cannot be
changed without invalidating signature.
•
Identity: The information is intended for
the application which owns this secret.
•
Both property can be verified by HMACing
the content of the message using secret
key and compare the result with the
signature.
25. Signed_request to the rescue??
Signed_requests are used, but signature is never
checked!
Signature is checked, but application ignores
user_id fields in the message content!
28. Modeling and proofs
Everybody likes formal proofs that the system is
secure.
Program analysis techniques can automatically
prove things IF the program is small.
Modeling helps simplify a large, complex system
to a smaller code base that can be formally
verified using program analysis techniques.
32. Modeling
Advantages
• Turn complicated
system into simpler
systems that are
amenable to analysis.
Disadvantages
• Model behavior does
not necessarily agrees
with original system.
• Abstract away
irrelevant details.
• Details abstracted away
may come back and
‘haunt’ the model.
• Reason modules
separately, combine
smaller proofs to
bigger ones.
• Complicated
interactions between
modules might be
missed.
33. Modeling SSO System
Mallory
Client SDK
MalAppC
FooAppC
FooAppS
Service SDK
Client runtime
Service runtime
Identity Provider
(IdP)
Concrete module with src or documentation
Abstract module subject to dev guide
Black-box concrete module
Abstract module subject to knowledge pool
33
35. API models
procedure {:inline 1} dialog_oauth(IdPLoggedInUser:User,
client_id: AppID,
redirect_domain: Web_Domain, scope:Scope,
response_type:ResponseType)
returns (r:int, Response_data: int)
modifies Access_Tokens__TokenValue, Access_Tokens__user_ID,
Access_Tokens__Scope;
modifies Codes__user_ID,Codes__App_ID,Codes__Scope;
modifies …
{
var access_token:int, code:int, sr:int;
…
if (response_type==_Token || response_type==_Signed_Request){
havoc access_token; //it means "access_token := *;"
…
IdP_Signed_Request_signature[sr]:=ValidIdPSignature;
IdP_Signed_Request_oauth_token[sr]:=access_token;
IdP_Signed_Request_code[sr]:=code;
IdP_Signed_Request_user_ID[sr]:= IdPLoggedInUser;
IdP_Signed_Request_app_id[sr]:= client_id;
}
if (response_type==_Token) {
Response_data:=access_token;
} else if (response_type==_Code) {
Response_data:=code;
} else {
Response_data:=sr;
}
r:=200;
}
Facebook Dialog API documentation
Boogie model
35
36. Results overview
Explicated three SDKs: (6 months)
Many implicit assumptions were found:
Facebook SSO PHP SDK
5 cases reported,
4 fixed, 3 bounties (3x).
Windows 8 SDK for modern apps
One case reported;
documentation revised.
Windows Live connect SDK
Paragraph added to
OAuth 2.0 standard.
36
38. Goal
Large-scale study of how secure Facebook SSO
has been implemented in popular websites
today.
– Need an automatic tool to scan web applications
for vulnerabilities.
39. Misuse
Credential
leakage
• access_token misuse
• signed_request misuse
• client_secret appears at client side
• OAuth credentials leak via referrer
header
• OAuth credentials leak via DOM content
43. Oracle
Simulated attack result needs to be confirmed
– Previous works do this manually, not feasible for
massive testing.
– To do this automatically, we need to learn visual
representation of application states.
43
56. Example vulnerable sites
Credential misuse cases:
– Some dating website
• Personal information, relationship
• Victim’s dates
– Some travel website
• Personal information
• Itinerary views or even changes
57. Example vulnerable sites
Credential leakage cases:
– Impersonation attacks (same as previous)
– Unauthorized access to Facebook account
• Post comments
• Like pages, etc.
58. Responses from vendors
20 vendors contacted.
– Only got 8 responses
– Only 2 are manual responses
– 1 fixed as of now
Through a personal connection, we reached
another vendor.
– After first fix, vulnerability still exists
– Second fix solved all issues
59. Securing web apps is hard
Relying party server
Client
Third-party server
OAuth/SSO
Web apps
LAMP stack
OS
Drivers
Hardware
60. Securing web apps is hard
Relying party server
Client
Third-party server
Browser extensions/plugins
Browser
OS
Drivers
Hardware
61. Securing web apps is hard
Relying party server
Client
Third-party server
Web app
LAMP
OS
Drivers
Hardware
64. Web security (problems)
SSL/TLS security
– Traffic manipulation
Cross-site request forgery (CSRF)
– Force unsolicited transactions/POSTs
Online social network (OSN)
– Fake accounts/comments/likes/tweets/…
Social engineering
– Varies
65. Web privacy (problems)
Third-party JavaScript
– Web identity tracking
– Behavioral/Contextual Ad targeting
Side channels
– Infer user action/information
SSL/TLS security (crypto)
– Eavesdropping
66. Logic vulnerabilities
Lack of checking/sanitization
– Buying stuff for nothing (or even negative price!)
Forget to check user against access control list
– Get admin rights!
Misuse credentials
– Authenticating Bob as Alice
67. Integration type vs vulnerabilities
Integration Type
Number of sites
% of credential misuse
% of credential leakage
All
1700
12%
8.5%
SDK
592
28.9%
3.5%
Widget
136
15.4%
2.2%
Custom code
972
1.3%
12.3%