Clarification of Ambiguity for the Simple Authentication and Security Layer

  • Farah Al-ShareefiEmail author
  • Alexei Lisitsa
  • Clare Dixon
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 10817)


The Simple Authentication and Security Layer (SASL) is a framework for enabling application protocols to support authentication, integrity and confidentiality services. The SASL was originally specified in RFC 2222, and later updated in RFC 4422, using natural language. However, due to the richness of natural language this involves ambiguities and imprecision. Whilst there is an Oracle implementation of SASL, its documentation also contains informal descriptions and under-defined specifications of the RFCs. This paper provides clarification of ambiguity in SASL using Abstract State Machines (ASMs). This clarification is based on two ASM essential notions: a ground model to capture the intended SASL behavior in an understandable way, and a refinement notion to accurately explicate the ambiguous parts of the behavior. We also show some differences between RFCs and the description of the Oracle implementation. We believe our work can serve as a basis for further implementation and for formal analysis.


Ambiguity Simple Authentication and Security Layer Abstract State Machines 



The third author was partially supported by the EPSRC funded RAI Hub FAIR-SPACE (EP/R026092/1).


  1. 1.
    The CoreASM Project.
  2. 2.
    Al-Shareefi, F., Lisitsa, A., Dixon, C.: Abstract state machines and system theoretic process analysis for safety-critical systems. In: Cavalheiro, S., Fiadeiro, J. (eds.) SBMF 2017. LNCS, vol. 10623, pp. 15–32. Springer, Cham (2017). Scholar
  3. 3.
    Arcaini, P., Holom, R.M., Riccobene, E.: ASM-based formal design of an adaptivity component for a Cloud system. Formal Aspects Comput. 28(4), 567–595 (2016)MathSciNetCrossRefGoogle Scholar
  4. 4.
    Bella, G., Riccobene, E.: Formal analysis of the Kerberos authentication system. J. Univers. Comput. Sci. 3(12), 1337–1381 (1997)zbMATHGoogle Scholar
  5. 5.
    Bishop, S., Fairbairn, M., Norrish, M., Sewell, P., Smith, M., Wansbrough, K.: Engineering with logic: HOL specification and symbolic-evaluation testing for TCP implementations, pp. 55–66. ACM Press (2006)CrossRefGoogle Scholar
  6. 6.
    Börger, E., Stärk, R.: Abstract State Machines: A Method for High-Level System Design and Analysis. Springer, Heidelberg (2003). Scholar
  7. 7.
    Chelemen, R.M.: Modeling a web application for cloud content adaptation with ASMs. In: International Conference on Cloud Computing and Big Data (CloudCom-Asia), pp. 44–55. IEEE (2013)Google Scholar
  8. 8.
    Froome, P., Monahan, B.: The role of mathematically formal methods in the development and assessment of safety-critical systems. Microprocess. Microsyst. 12(10), 539–546 (1988)CrossRefGoogle Scholar
  9. 9.
    Gargantini, A., Riccobene, E., Scandurra, P.: Model-driven language engineering: the ASMETA case study. In: The Third International Conference on Software Engineering Advances, ICSEA, pp. 373–378. IEEE (2008)Google Scholar
  10. 10.
    Gargantini, A.M., Riccobene, E., Scandurra, P.: A metamodel-based language and a simulation engine for abstract state machines. J. Univ. Comput. Sci. 14(12), 1949–1983 (2008)Google Scholar
  11. 11.
    Gurevich, Y.: Evolving algebras 1993: Lipari guide. In: Specification and Validation Methods, pp. 9–36. Oxford University Press (1995)Google Scholar
  12. 12.
    Leach, P., Newman, C.: Using Digest Authentication as a SASL Mechanism. RFC 2831 (2000)Google Scholar
  13. 13.
    Melnikov, A., Zeilenga, K.: Simple Authentication and Security Layer (SASL). RFC 4422 (2006)Google Scholar
  14. 14.
    Myers, J.: Simple Authentication and Security Layer (SASL). RFC 2222 (1997)Google Scholar
  15. 15.
    Oracle: Writing applications that use SASL. In: Developer’s Guide to Oracle Solaris®11 Security, Chap. 7, pp. 126–148. Oracle (2012)Google Scholar
  16. 16.
    Oracle: Java SASL API Programming and Deployment Guide. In: Java Platform, Standard Edition Security Developers Guide, Chap. 10, pp. 21–28. Oracle (2016)Google Scholar
  17. 17.
    Rosenzweig, D., Runje, D., Slani, N.: Privacy, abstract encryption and protocols: an ASM model - part I. In: Börger, E., Gargantini, A., Riccobene, E. (eds.) ASM 2003. LNCS, vol. 2589, pp. 372–390. Springer, Heidelberg (2003). Scholar
  18. 18.
    Siemborski, R., Gulbrandsen, A.: IMAP Extension for Simple Authentication and Security Layer (SASL) Initial Client Response. RFC 4959 (2007)Google Scholar
  19. 19.
    Siemborski, R., Melnikov, A.: SMTP Service Extension for Authentication Initial Client Response. RFC 4954 (2007)Google Scholar
  20. 20.
    Zeilenga, K.: The PLAIN Simple Authentication and Security Layer (SASL) Mechanism. RFC 4616 (2006)Google Scholar

Copyright information

© Springer International Publishing AG, part of Springer Nature 2018

Authors and Affiliations

  • Farah Al-Shareefi
    • 1
    Email author
  • Alexei Lisitsa
    • 1
  • Clare Dixon
    • 1
  1. 1.Department of Computer ScienceUniversity of LiverpoolLiverpoolUK

Personalised recommendations