Abstract
Security protocols are specified in natural language, are highly configurable, and may not match the internal requirements of the development company. As a result, developers may misunderstand the specifications, may not grasp the security implications of configurations, and may deviate from the specifications, introducing flaws. However, none of the existing security testing techniques provides the features, scalability, and usability needed to support developers in assessing the security of protocol configurations and deviations. This paper presents a tool that leverages existing design verification and security testing techniques and extends them to support developers in analyzing security protocols. We used the tool for the analysis of prominent security protocols (i.e., SAML SSO, OpenID, OAuth2) and of six industrial-size implementations.
This work has been partially supported by the FP7-ICT Project SPaCIoS (no. 257876).
Copyright information
© 2013 IFIP International Federation for Information Processing
About this paper
Cite this paper
Pellegrino, G., Compagna, L., Morreggia, T. (2013). A Tool for Supporting Developers in Analyzing the Security of Web-Based Security Protocols. In: Yenigün, H., Yilmaz, C., Ulrich, A. (eds) Testing Software and Systems. ICTSS 2013. Lecture Notes in Computer Science, vol 8254. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-642-41707-8_19
DOI: https://doi.org/10.1007/978-3-642-41707-8_19
Publisher Name: Springer, Berlin, Heidelberg
Print ISBN: 978-3-642-41706-1
Online ISBN: 978-3-642-41707-8
eBook Packages: Computer Science (R0)