seclab
play

seclab Impersonation Attacks through a Dedicated Bi-directional - PowerPoint PPT Presentation

May 31, 2023 •242 likes •704 views

Protecting Web-based Single Sign-on Protocols against Relying Party seclab Impersonation Attacks through a Dedicated Bi-directional Authenticated Channel THE COMPUTER SECURITY GROUP AT UC SANTA BARBARA Yinzhi Cao

  1. Protecting Web-based Single Sign-on Protocols against Relying Party seclab Impersonation Attacks through a Dedicated Bi-directional Authenticated Channel THE COMPUTER SECURITY GROUP AT UC SANTA BARBARA Yinzhi Cao yinzhi.cao@eecs.northwestern.edu yans@cs.ucsb.edu Yan Shoshitaishvili kevinbo@cs.ucsb.edu Kevin Borgolte Christopher Kruegel chris@cs.ucsb.edu Giovanni Vigna vigna@cs.ucsb.edu Yan Chen ychen@cs.northwestern.edu University of California, Santa Barbara Northwestern University � September 17th, 2014 � RAID 2014 — Authentication & Privacy

  2. seclab Roadmap • Single Sign-on • Threat Model • Problems with Existing Designs • Our Design • Evaluation Kevin Borgolte WebSSO - Protecting SSO against RPI Attacks 2

  3. seclab Single Sign-on (SSO) (1) • Idea: log in to a website with your Facebook, Google, etc. account Kevin Borgolte WebSSO - Protecting SSO against RPI Attacks 3

  4. seclab Single Sign-on (SSO) (1) • Idea: log in to a website with your Facebook, Google, etc. account Kevin Borgolte WebSSO - Protecting SSO against RPI Attacks 3

  5. seclab Single Sign-on (SSO) (1) • Idea: log in to a website with your Facebook, Google, etc. account Kevin Borgolte WebSSO - Protecting SSO against RPI Attacks 3

  6. seclab Single Sign-on (SSO) (1) • Idea: log in to a website with your Facebook, Google, etc. account Kevin Borgolte WebSSO - Protecting SSO against RPI Attacks 3

  7. seclab Single Sign-on (SSO) (1) • Idea: log in to a website with your Facebook, Google, etc. account Kevin Borgolte WebSSO - Protecting SSO against RPI Attacks 3

  8. seclab Single Sign-on (SSO) (2) Image by Mutually Human, via http://www.mutuallyhuman.com/blog/2013/05/09/choosing-an-sso-strategy-saml-vs-oauth2/. Kevin Borgolte WebSSO - Protecting Web-based SSO against RPI Attacks 4

  9. seclab Problems • SSO vulnerabilities mean • User impersonation • Data/privacy leaks 
 Kevin Borgolte WebSSO - Protecting Web-based SSO against RPI Attacks 5

  10. seclab Problems • SSO vulnerabilities mean • User impersonation • Data/privacy leaks 
 • Vulnerabilities are prolific • Wang et al. identified five vulnerabilities in which an attacker can impersonate a user [Oakland ’12]. • Sun et al. show that 6.5% of relying parties are vulnerable to impersonation attacks [CCS ’12]. Kevin Borgolte WebSSO - Protecting Web-based SSO against RPI Attacks 5

  11. seclab Threat Model - Concepts • Identity provider (IdP) • A centralized identification service • Trusted and benign 
 • Relying party (RP) • A third party using the IdP to authenticate users • Potentially malicious 
 • User • Wants to use the RP’s service • Trusted and benign Kevin Borgolte WebSSO - Protecting Web-based SSO against RPI Attacks 6

  12. seclab Threat Model - Attacks (1) Kevin Borgolte WebSSO - Protecting Web-based SSO against RPI Attacks 7

  13. seclab Threat Model - Attacks (1) • In-scope • Benign RP initiates request, malicious RP receives response Kevin Borgolte WebSSO - Protecting Web-based SSO against RPI Attacks 7

  14. seclab Threat Model - Attacks (1) • In-scope • Benign RP initiates request, malicious RP receives response GET https://www.idp.com/login? app_id=****&redirection_url=https://www.idp.com/granter? next_url=https://www.rp.com/login � Host: www.idp.com � Referer: https://www.rp.com/login � Cookie: **** Kevin Borgolte WebSSO - Protecting Web-based SSO against RPI Attacks 7

  15. seclab Threat Model - Attacks (1) • In-scope • Benign RP initiates request, malicious RP receives response GET https://www.idp.com/login? app_id=****&redirection_url=https://www.idp.com/granter? next_url=https://www.rp.com/login � Host: www.idp.com � Referer: https://www.rp.com/login � Cookie: **** Kevin Borgolte WebSSO - Protecting Web-based SSO against RPI Attacks 7

  16. seclab Threat Model - Attacks (1) • In-scope • Benign RP initiates request, malicious RP receives response • Malicious RP initiates the attack GET https://www.idp.com/login? app_id=****&redirection_url=https://www.idp.com/granter? next_url=https://www.rp.com/login � Host: www.idp.com � Referer: https://www.rp.com/login � Cookie: **** Kevin Borgolte WebSSO - Protecting Web-based SSO against RPI Attacks 7

  17. seclab Threat Model - Attacks (1) • In-scope • Benign RP initiates request, malicious RP receives response • Malicious RP initiates the attack ⇒ Information leakage or user impersonation! Kevin Borgolte WebSSO - Protecting Web-based SSO against RPI Attacks 7

  18. seclab Threat Model - Attacks (2) • Out-of-scope • Social engineering • Compromised or vulnerable RP • Malicious user (browser) • Implementation issues • Privacy leaks Kevin Borgolte WebSSO - Protecting Web-based SSO against RPI Attacks 8

  19. seclab Revisit - Identities • Existing identities • IdP, usually web origin (<scheme, host, port>) • RP, unique identifier, depending on protocol, app_id or AppName • User, unique identifier like username or email address Kevin Borgolte WebSSO - Protecting Web-based SSO against RPI Attacks 9

  20. seclab Revisit - Identities • Existing identities • IdP, usually web origin (<scheme, host, port>) • RP, unique identifier, depending on protocol, app_id or AppName • User, unique identifier like username or email address Main issue: RP identifier can be forged. Kevin Borgolte WebSSO - Protecting Web-based SSO against RPI Attacks 9

  21. seclab Revisit - Communication • Communication between RP and IdP Kevin Borgolte WebSSO - Protecting Web-based SSO against RPI Attacks 10

  22. seclab Revisit - Communication • Communication between RP and IdP • HTTP(s) redirection to 3rd party server (1-way channel) Kevin Borgolte WebSSO - Protecting Web-based SSO against RPI Attacks 10

  23. seclab Revisit - Communication • Communication between RP and IdP • HTTP(s) redirection to 3rd party server (1-way channel) • In-browser communication channel (no authentication) Kevin Borgolte WebSSO - Protecting Web-based SSO against RPI Attacks 10

  24. seclab Identity Provider Deployment (1) • Clean-slate design, replaces existing protocols • Identity • Web origin for RP and IdP: <scheme, host, port> • Communication channel • Dedicated • Bi-directional • Authenticated • Secure Kevin Borgolte WebSSO - Protecting Web-based SSO against RPI Attacks 11

  25. seclab Identity Provider Deployment (2) • Establishing the channel: handshake Kevin Borgolte WebSSO - Protecting Web-based SSO against RPI Attacks 12

  26. seclab Identity Provider Deployment (2) • Establishing the channel: handshake • Sending messages Kevin Borgolte WebSSO - Protecting Web-based SSO against RPI Attacks 12

  27. seclab Identity Provider Deployment (2) • Establishing the channel: handshake • Sending messages • Receiving messages Kevin Borgolte WebSSO - Protecting Web-based SSO against RPI Attacks 12

  28. seclab Identity Provider Deployment (2) • Establishing the channel: handshake • Sending messages • Receiving messages • Terminating the connection: releasing resources Kevin Borgolte WebSSO - Protecting Web-based SSO against RPI Attacks 12

  29. seclab Relying Party / Proxy Deployment • Allows smooth transition to more secure protocol • Does not require you to replace existing protocol • Proxy communicates with legacy IdP • RPs communicate with proxy Kevin Borgolte WebSSO - Protecting Web-based SSO against RPI Attacks 13

  30. seclab Relying Party / Proxy Deployment • Allows smooth transition to more secure protocol • Does not require you to replace existing protocol • Proxy communicates with legacy IdP • RPs communicate with proxy Kevin Borgolte WebSSO - Protecting Web-based SSO against RPI Attacks 13

  31. seclab Implementation • Prototype implementation • Clean-slate / IdP deployment • Two protocols: OpenID-like and OAuth-like • 252 LOC JavaScript, 264 LOC HTML, 243 LOC PHP • External libraries: JavaScript Cryptography Toolkit + Stanford JavaScript Crypto Library • Proxy / RP deployment • Based on a Facebook application Kevin Borgolte WebSSO - Protecting Web-based SSO against RPI Attacks 14

  32. seclab Evaluation - Formal Verification • Formally verified design with ProVerif • Channel verification • Attacker: passive (sniffing), active (sending messages) • Result: an attacker cannot obtain the plain text message • Protocol verification • Attacker: network (passive) and web attackers (active) • Result: an attacker cannot obtain any useful information • Proxy verification • Attacker: passive (sniffing), active (sending messages) • Result: an attacker can obtain and modify the messages sent over the insecure communication channel between proxy and legacy IdP Kevin Borgolte WebSSO - Protecting Web-based SSO against RPI Attacks 15

  33. seclab Evaluation - Security Analysis • Our protocol prevents all impersonation attacks identified by Wang et al. [Oakland ’12]: • Facebook and New York Times • Facebook and Zoho • Facebook Legacy Canvas Auth • JanRain wrapping GoogleID • JanRain wrapping Facebook Kevin Borgolte WebSSO - Protecting Web-based SSO against RPI Attacks 16

  34. seclab Evaluation - Performance Channel operation Operation Delay [ms] 164±12 Establishing the channel Sending a message 32±2 Destroying a channel 70±3 Kevin Borgolte WebSSO - Protecting Web-based SSO against RPI Attacks 17

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

seclab Detecting Website Defacements through Image-based Object Recognition THE COMPUTER

seclab Detecting Website Defacements through Image-based Object Recognition THE COMPUTER

M EERKAT seclab Detecting Website Defacements through Image-based Object Recognition THE COMPUTER SECURITY GROUP AT UC SANTA BARBARA Kevin Borgolte kevinbo@cs.ucsb.edu Christopher Kruegel chris@cs.ucsb.edu Giovanni Vigna

329 views • 17 slides
Reversing Java (Malware) with Radare Adam Pridgen April 2014 About me Rice SecLab, a PhD

Reversing Java (Malware) with Radare Adam Pridgen April 2014 About me Rice SecLab, a PhD

Reversing Java (Malware) with Radare Adam Pridgen April 2014 About me Rice SecLab, a PhD Student Independent InfoSec Consultant/Contractor Overview Typical Java Reversing Talk o Decompile Code o Make Changes o Recompile and Win?

868 views • 66 slides
fuzzing &amp; exploiting wireless device drivers Vienna, 23 November 2007 Sylvester Keil

fuzzing &amp; exploiting wireless device drivers Vienna, 23 November 2007 Sylvester Keil

fuzzing &amp; exploiting wireless device drivers Vienna, 23 November 2007 Sylvester Keil Clemens Kolbitsch sk (at) seclab (dot) tuwien (dot) ac (dot) at ck (at) seclab (dot) tuwien (dot) ac (dot) at Agenda 802.11 fundamentals 802.11

820 views • 79 slides
Stateful Fuzzing of Wireless Device Drivers in an Emulated Environment Tokyo 25 October 2007

Stateful Fuzzing of Wireless Device Drivers in an Emulated Environment Tokyo 25 October 2007

Stateful Fuzzing of Wireless Device Drivers in an Emulated Environment Tokyo 25 October 2007 Sylvester Keil sk [at] seclab [dot] tuwien [dot] ac [dot] at Clemens Kolbitsch ck [at] seclab [dot] tuwien [dot] ac [dot] at About us We are

589 views • 45 slides
seclab THE COMPUTER SECURITY GROUP AT UC SANTA BARBARA

seclab THE COMPUTER SECURITY GROUP AT UC SANTA BARBARA

seclab THE COMPUTER SECURITY GROUP AT UC SANTA BARBARA

969 views • 70 slides
Architecture in Practice: Chrome Reid Holmes Chrome Online content is insecure and can

Architecture in Practice: Chrome Reid Holmes Chrome Online content is insecure and can

Material and some slide content from: Taylor et. al. http://queue.acm.org/detail.cfm?id=1556050 http://seclab.stanford.edu/websec/chromium/chromium-security-architecture.pdf OS-Level Sandbox OS/Runtime OS/Runtime Exploit Barriers Exploit

415 views • 3 slides
Binary Analysis with angr Or: VEX was a good idea Who am I? Who are we? Who cares? Researchers

Binary Analysis with angr Or: VEX was a good idea Who am I? Who are we? Who cares? Researchers

Binary Analysis with angr Or: VEX was a good idea Who am I? Who are we? Who cares? Researchers at the University of California Santa Barbara Seclab People interested in finding bugs in software People interested in publishing papers

626 views • 36 slides
SimuVEX Using VEX in Symbolic Analysis Yan Shoshitaishvili yans@cs.ucsb.edu 2014 Who am I? My

SimuVEX Using VEX in Symbolic Analysis Yan Shoshitaishvili yans@cs.ucsb.edu 2014 Who am I? My

SimuVEX Using VEX in Symbolic Analysis Yan Shoshitaishvili yans@cs.ucsb.edu 2014 Who am I? My name is Yan Shoshitaishvili, and I am a PhD student in the Seclab at UC Santa Barbara. Email: yans@cs.ucsb.edu Twitter: @Zardus Github:

918 views • 36 slides
Factoring as a Service Luke Valenta, Shaanan Cohney, Alex Liao, Joshua Fried, Satya Bodduluri,

Factoring as a Service Luke Valenta, Shaanan Cohney, Alex Liao, Joshua Fried, Satya Bodduluri,

Factoring as a Service Luke Valenta, Shaanan Cohney, Alex Liao, Joshua Fried, Satya Bodduluri, Nadia Heninger University of Pennsylvania seclab.upenn.edu/projects/faas Textbook RSA [Rivest Shamir Adleman 1977] Public Key Private Key N = pq

401 views • 39 slides
Automatic Network Protocol Analysis Gilbert Wondracek, Paolo Milani Comparetti, Christopher

Automatic Network Protocol Analysis Gilbert Wondracek, Paolo Milani Comparetti, Christopher

Secure Systems Lab Technical University Vienna Automatic Network Protocol Analysis Gilbert Wondracek, Paolo Milani Comparetti, Christopher Kruegel and Engin Kirda pmilani@ sssup.it gilbert@ seclab.tuwien.ac.at chris@ cs.ucsb.edu engin.kirda@

606 views • 28 slides
DR. CHECKER A Soundy Analysis for Linux Kernel Drivers Aravind Machiry, Chad Spensky , Jake Corina,

DR. CHECKER A Soundy Analysis for Linux Kernel Drivers Aravind Machiry, Chad Spensky , Jake Corina,

DR. CHECKER A Soundy Analysis for Linux Kernel Drivers Aravind Machiry, Chad Spensky , Jake Corina, Nick Stephens, Christopher Kruegel, and Giovanni Vigna University of California, Santa Barbara USENIX Security 2017 seclab THE COMPUTER SECURITY

995 views • 66 slides
Static Enforcement of Web Application Integrity William Robertson and Giovanni Vigna { wkr,vigna

Static Enforcement of Web Application Integrity William Robertson and Giovanni Vigna { wkr,vigna

Static Enforcement of Web Application Integrity William Robertson and Giovanni Vigna { wkr,vigna } @cs.ucsb.edu Computer Security Group UC Santa Barbara 13 August 2009 (UCSB SecLab) Static Web App Integrity Enforcement 13 August 2009 1 / 28

433 views • 42 slides
Ranking and classifying the VUS for family counseling: Using a model from cancer researchers

Ranking and classifying the VUS for family counseling: Using a model from cancer researchers

Ranking and classifying the VUS for family counseling: Using a model from cancer researchers Martin Tristani-Firouzi, MD Division of Pediatric Cardiology Nora Eccles Harrison CVRTI University of Utah School of Medicine Disclosure The speaker

883 views • 33 slides
Adaptive Routing in Dragonfly Networks Peyman Faizian , ShafayatRahman Scott Pakin AtiqulMollah,

Adaptive Routing in Dragonfly Networks Peyman Faizian , ShafayatRahman Scott Pakin AtiqulMollah,

Traffic Pattern-based C Adaptive Routing in Dragonfly Networks Peyman Faizian , ShafayatRahman Scott Pakin AtiqulMollah, Xin Yuan Mike Lang Florida State University Los Alamos National Laboratory Motivation Dragonfly has been known as a

491 views • 33 slides
SigPID: Significant Permission Identification for Android Malware Detection Authors: Lichao Sun,

SigPID: Significant Permission Identification for Android Malware Detection Authors: Lichao Sun,

SigPID: Significant Permission Identification for Android Malware Detection Authors: Lichao Sun, Zhiqiang Li, Qiben Yan, Witawas Srisa-an and Yu Pan Department of Computer Science and Engineering University of Nebraska Lincoln Presenters: Yu

999 views • 24 slides
Scotch: Combining Software Guard Extensions and System Management Mode to Monitor Cloud Resource

Scotch: Combining Software Guard Extensions and System Management Mode to Monitor Cloud Resource

Scotch: Combining Software Guard Extensions and System Management Mode to Monitor Cloud Resource Usage Kevin Leach 1 , Fengwei Zhang 2 , and Westley Weimer 1 1 University of Michigan, 2 Wayne State University Leach, Zhang, &amp; Weimer 1 / 19

704 views • 47 slides
The Evolution of Global Inequalities: the impact on politics and the economy Professor Branko

The Evolution of Global Inequalities: the impact on politics and the economy Professor Branko

Hosted by the International Inequalities Institute The Evolution of Global Inequalities: the impact on politics and the economy Professor Branko Milanovic Senior Scholar, Luxembourg Income Study Centre Visiting Presidential Professor, Graduate

909 views • 79 slides
S YBIL F USE : Combining Local Attributes with Global Structure to Perform Robust Sybil Detection

S YBIL F USE : Combining Local Attributes with Global Structure to Perform Robust Sybil Detection

S YBIL F USE : Combining Local Attributes with Global Structure to Perform Robust Sybil Detection Peng Gao 1 Binghui Wang 2 Neil Zhenqiang Gong 2 Sanjeev R. Kulkarni 1 Kurt Thomas 3 Prateek Mittal 1 1 Princeton University 2 Iowa State University 3

575 views • 45 slides
PlatPal: Detecting Malicious Documents with Platform Diversity Meng Xu and Taesoo Kim Georgia

PlatPal: Detecting Malicious Documents with Platform Diversity Meng Xu and Taesoo Kim Georgia

PlatPal: Detecting Malicious Documents with Platform Diversity Meng Xu and Taesoo Kim Georgia Institute of Technology 1 Malicious Documents On the Rise 2 3 4 Adobe Components Exploited Element parser JavaScript engine 137 CVEs in 2015

883 views • 62 slides
On evasion attacks against machine learning in practical settings Lujo Bauer Professor,

On evasion attacks against machine learning in practical settings Lujo Bauer Professor,

On evasion attacks against machine learning in practical settings Lujo Bauer Professor, Electrical &amp; Computer Engineering + Computer Science Director, Cyber Autonomy Research Center Collaborators: Mahmood Sharif, Sruti Bhagavatula, Mike

754 views • 31 slides
WEKA Machine Learning Use Case Breast Cancer Stephan Mgaya TERNET Tanzania

WEKA Machine Learning Use Case Breast Cancer Stephan Mgaya TERNET Tanzania

WEKA Machine Learning Use Case Breast Cancer Stephan Mgaya TERNET Tanzania smgayanath@gmail.com e-Research Summer Hackfest Catania (Italy) This project has received funding from the European Unions Horizon 2020 research and

291 views • 8 slides
Science Overview - 1 ! GSFC Astrophysics on the International Space Station &quot;

Science Overview - 1 ! GSFC Astrophysics on the International Space Station &quot;

Science Overview - 1 ! GSFC Astrophysics on the International Space Station &quot; Understanding ultra-dense matter through soft X-ray timing ! Science: A proposed International Space Station (ISS) payload dedicated to the study of neutron

235 views • 12 slides
A Bestiary of Ugly Malware A non-scientific survey of current day malicious software, as seen in

A Bestiary of Ugly Malware A non-scientific survey of current day malicious software, as seen in

A Bestiary of Ugly Malware A non-scientific survey of current day malicious software, as seen in the wild Marion Marschalek | marion@0x1338.at | @pinkflawd Software that steals your data Software that destroys your data Software that abuses

472 views • 23 slides
Improving the Security of Quantum Protocols via Commit&amp;Open Ivan Damgrd (Aarhus University,

Improving the Security of Quantum Protocols via Commit&amp;Open Ivan Damgrd (Aarhus University,

Improving the Security of Quantum Protocols via Commit&amp;Open Ivan Damgrd (Aarhus University, DK) Serge Fehr (CWI, NL) Carolin Lunemann (Aarhus University, DK) Louis Salvail (Universit de Montral, CA) Christian Schaffner (CWI, NL) CRYPTO

255 views • 23 slides

More recommend