DocumentCode :
3375862
Title :
Verification for OAuth Using ASLan++
Author :
Haixing Yan ; Huixing Fang ; Christian Kuka ; Huibiao Zhu
Author_Institution :
Shanghai Key Lab. of Trustworthy Comput., East China Normal Univ., Shanghai, China
fYear :
2015
fDate :
8-10 Jan. 2015
Firstpage :
76
Lastpage :
84
Abstract :
Over the past few years, OAuth has become an open authorization standard that is being adopted by a growing number of sites such as Twitter, Facebook and Google. It allows users to grant a third-party application access to restricted resources without providing their credentials. However, ensuring the correctness of implementations of OAuth in applications brings multiple concerns. Therefore, it is crucial to verify OAuth with an exhaustive examination by utilizing formal methods. In this paper, we first formalize OAuth with ASLan++ on the AVANTSSAR platform and propose several fundamental security properties on it which are specified using extended Linear Temporal Logic (LTL) formulas. In a second step, we use a SAT-based Model-Checker (SATMC) to verify whether OAuth violates these properties. As a result, we reveal three attacks which steal and falsify users' critical information.
Keywords :
authorisation; formal verification; specification languages; ASLan++; AVANTSSAR platform; Facebook; Google; LTL formula; OAuth verification; SAT-based model checker; SATMC; Twitter; formal methods; linear temporal logic; open authorization standard; security property; third-party application access; Authentication; Authorization; Browsers; Facebook; Protocols; Servers; ASLan++; Modeling; OAuth; SATMC; Verification;
fLanguage :
English
Publisher :
ieee
Conference_Titel :
High Assurance Systems Engineering (HASE), 2015 IEEE 16th International Symposium on
Conference_Location :
Daytona Beach Shores, FL
Print_ISBN :
978-1-4799-8110-6
Type :
conf
DOI :
10.1109/HASE.2015.20
Filename :
7027417