seclab
play

seclab Impersonation Attacks through a Dedicated Bi-directional - PowerPoint PPT Presentation

May 31, 2023 •242 likes •704 views

Protecting Web-based Single Sign-on Protocols against Relying Party seclab Impersonation Attacks through a Dedicated Bi-directional Authenticated Channel THE COMPUTER SECURITY GROUP AT UC SANTA BARBARA Yinzhi Cao

  1. Protecting Web-based Single Sign-on Protocols against Relying Party seclab Impersonation Attacks through a Dedicated Bi-directional Authenticated Channel THE COMPUTER SECURITY GROUP AT UC SANTA BARBARA Yinzhi Cao yinzhi.cao@eecs.northwestern.edu yans@cs.ucsb.edu Yan Shoshitaishvili kevinbo@cs.ucsb.edu Kevin Borgolte Christopher Kruegel chris@cs.ucsb.edu Giovanni Vigna vigna@cs.ucsb.edu Yan Chen ychen@cs.northwestern.edu University of California, Santa Barbara Northwestern University � September 17th, 2014 � RAID 2014 — Authentication & Privacy

  2. seclab Roadmap • Single Sign-on • Threat Model • Problems with Existing Designs • Our Design • Evaluation Kevin Borgolte WebSSO - Protecting SSO against RPI Attacks 2

  3. seclab Single Sign-on (SSO) (1) • Idea: log in to a website with your Facebook, Google, etc. account Kevin Borgolte WebSSO - Protecting SSO against RPI Attacks 3

  4. seclab Single Sign-on (SSO) (1) • Idea: log in to a website with your Facebook, Google, etc. account Kevin Borgolte WebSSO - Protecting SSO against RPI Attacks 3

  5. seclab Single Sign-on (SSO) (1) • Idea: log in to a website with your Facebook, Google, etc. account Kevin Borgolte WebSSO - Protecting SSO against RPI Attacks 3

  6. seclab Single Sign-on (SSO) (1) • Idea: log in to a website with your Facebook, Google, etc. account Kevin Borgolte WebSSO - Protecting SSO against RPI Attacks 3

  7. seclab Single Sign-on (SSO) (1) • Idea: log in to a website with your Facebook, Google, etc. account Kevin Borgolte WebSSO - Protecting SSO against RPI Attacks 3

  8. seclab Single Sign-on (SSO) (2) Image by Mutually Human, via http://www.mutuallyhuman.com/blog/2013/05/09/choosing-an-sso-strategy-saml-vs-oauth2/. Kevin Borgolte WebSSO - Protecting Web-based SSO against RPI Attacks 4

  9. seclab Problems • SSO vulnerabilities mean • User impersonation • Data/privacy leaks 
 Kevin Borgolte WebSSO - Protecting Web-based SSO against RPI Attacks 5

  10. seclab Problems • SSO vulnerabilities mean • User impersonation • Data/privacy leaks 
 • Vulnerabilities are prolific • Wang et al. identified five vulnerabilities in which an attacker can impersonate a user [Oakland ’12]. • Sun et al. show that 6.5% of relying parties are vulnerable to impersonation attacks [CCS ’12]. Kevin Borgolte WebSSO - Protecting Web-based SSO against RPI Attacks 5

  11. seclab Threat Model - Concepts • Identity provider (IdP) • A centralized identification service • Trusted and benign 
 • Relying party (RP) • A third party using the IdP to authenticate users • Potentially malicious 
 • User • Wants to use the RP’s service • Trusted and benign Kevin Borgolte WebSSO - Protecting Web-based SSO against RPI Attacks 6

  12. seclab Threat Model - Attacks (1) Kevin Borgolte WebSSO - Protecting Web-based SSO against RPI Attacks 7

  13. seclab Threat Model - Attacks (1) • In-scope • Benign RP initiates request, malicious RP receives response Kevin Borgolte WebSSO - Protecting Web-based SSO against RPI Attacks 7

  14. seclab Threat Model - Attacks (1) • In-scope • Benign RP initiates request, malicious RP receives response GET https://www.idp.com/login? app_id=****&redirection_url=https://www.idp.com/granter? next_url=https://www.rp.com/login � Host: www.idp.com � Referer: https://www.rp.com/login � Cookie: **** Kevin Borgolte WebSSO - Protecting Web-based SSO against RPI Attacks 7

  15. seclab Threat Model - Attacks (1) • In-scope • Benign RP initiates request, malicious RP receives response GET https://www.idp.com/login? app_id=****&redirection_url=https://www.idp.com/granter? next_url=https://www.rp.com/login � Host: www.idp.com � Referer: https://www.rp.com/login � Cookie: **** Kevin Borgolte WebSSO - Protecting Web-based SSO against RPI Attacks 7

  16. seclab Threat Model - Attacks (1) • In-scope • Benign RP initiates request, malicious RP receives response • Malicious RP initiates the attack GET https://www.idp.com/login? app_id=****&redirection_url=https://www.idp.com/granter? next_url=https://www.rp.com/login � Host: www.idp.com � Referer: https://www.rp.com/login � Cookie: **** Kevin Borgolte WebSSO - Protecting Web-based SSO against RPI Attacks 7

  17. seclab Threat Model - Attacks (1) • In-scope • Benign RP initiates request, malicious RP receives response • Malicious RP initiates the attack ⇒ Information leakage or user impersonation! Kevin Borgolte WebSSO - Protecting Web-based SSO against RPI Attacks 7

  18. seclab Threat Model - Attacks (2) • Out-of-scope • Social engineering • Compromised or vulnerable RP • Malicious user (browser) • Implementation issues • Privacy leaks Kevin Borgolte WebSSO - Protecting Web-based SSO against RPI Attacks 8

  19. seclab Revisit - Identities • Existing identities • IdP, usually web origin (<scheme, host, port>) • RP, unique identifier, depending on protocol, app_id or AppName • User, unique identifier like username or email address Kevin Borgolte WebSSO - Protecting Web-based SSO against RPI Attacks 9

  20. seclab Revisit - Identities • Existing identities • IdP, usually web origin (<scheme, host, port>) • RP, unique identifier, depending on protocol, app_id or AppName • User, unique identifier like username or email address Main issue: RP identifier can be forged. Kevin Borgolte WebSSO - Protecting Web-based SSO against RPI Attacks 9

  21. seclab Revisit - Communication • Communication between RP and IdP Kevin Borgolte WebSSO - Protecting Web-based SSO against RPI Attacks 10

  22. seclab Revisit - Communication • Communication between RP and IdP • HTTP(s) redirection to 3rd party server (1-way channel) Kevin Borgolte WebSSO - Protecting Web-based SSO against RPI Attacks 10

  23. seclab Revisit - Communication • Communication between RP and IdP • HTTP(s) redirection to 3rd party server (1-way channel) • In-browser communication channel (no authentication) Kevin Borgolte WebSSO - Protecting Web-based SSO against RPI Attacks 10

  24. seclab Identity Provider Deployment (1) • Clean-slate design, replaces existing protocols • Identity • Web origin for RP and IdP: <scheme, host, port> • Communication channel • Dedicated • Bi-directional • Authenticated • Secure Kevin Borgolte WebSSO - Protecting Web-based SSO against RPI Attacks 11

  25. seclab Identity Provider Deployment (2) • Establishing the channel: handshake Kevin Borgolte WebSSO - Protecting Web-based SSO against RPI Attacks 12

  26. seclab Identity Provider Deployment (2) • Establishing the channel: handshake • Sending messages Kevin Borgolte WebSSO - Protecting Web-based SSO against RPI Attacks 12

  27. seclab Identity Provider Deployment (2) • Establishing the channel: handshake • Sending messages • Receiving messages Kevin Borgolte WebSSO - Protecting Web-based SSO against RPI Attacks 12

  28. seclab Identity Provider Deployment (2) • Establishing the channel: handshake • Sending messages • Receiving messages • Terminating the connection: releasing resources Kevin Borgolte WebSSO - Protecting Web-based SSO against RPI Attacks 12

  29. seclab Relying Party / Proxy Deployment • Allows smooth transition to more secure protocol • Does not require you to replace existing protocol • Proxy communicates with legacy IdP • RPs communicate with proxy Kevin Borgolte WebSSO - Protecting Web-based SSO against RPI Attacks 13

  30. seclab Relying Party / Proxy Deployment • Allows smooth transition to more secure protocol • Does not require you to replace existing protocol • Proxy communicates with legacy IdP • RPs communicate with proxy Kevin Borgolte WebSSO - Protecting Web-based SSO against RPI Attacks 13

  31. seclab Implementation • Prototype implementation • Clean-slate / IdP deployment • Two protocols: OpenID-like and OAuth-like • 252 LOC JavaScript, 264 LOC HTML, 243 LOC PHP • External libraries: JavaScript Cryptography Toolkit + Stanford JavaScript Crypto Library • Proxy / RP deployment • Based on a Facebook application Kevin Borgolte WebSSO - Protecting Web-based SSO against RPI Attacks 14

  32. seclab Evaluation - Formal Verification • Formally verified design with ProVerif • Channel verification • Attacker: passive (sniffing), active (sending messages) • Result: an attacker cannot obtain the plain text message • Protocol verification • Attacker: network (passive) and web attackers (active) • Result: an attacker cannot obtain any useful information • Proxy verification • Attacker: passive (sniffing), active (sending messages) • Result: an attacker can obtain and modify the messages sent over the insecure communication channel between proxy and legacy IdP Kevin Borgolte WebSSO - Protecting Web-based SSO against RPI Attacks 15

  33. seclab Evaluation - Security Analysis • Our protocol prevents all impersonation attacks identified by Wang et al. [Oakland ’12]: • Facebook and New York Times • Facebook and Zoho • Facebook Legacy Canvas Auth • JanRain wrapping GoogleID • JanRain wrapping Facebook Kevin Borgolte WebSSO - Protecting Web-based SSO against RPI Attacks 16

  34. seclab Evaluation - Performance Channel operation Operation Delay [ms] 164±12 Establishing the channel Sending a message 32±2 Destroying a channel 70±3 Kevin Borgolte WebSSO - Protecting Web-based SSO against RPI Attacks 17

Recommend

seclab Detecting Website Defacements through Image-based Object Recognition THE COMPUTER

seclab Detecting Website Defacements through Image-based Object Recognition THE COMPUTER

M EERKAT seclab Detecting Website Defacements through Image-based Object Recognition THE COMPUTER SECURITY GROUP AT UC SANTA BARBARA Kevin Borgolte kevinbo@cs.ucsb.edu Christopher Kruegel chris@cs.ucsb.edu Giovanni Vigna

329 views • 17 slides
Reversing Java (Malware) with Radare Adam Pridgen April 2014 About me Rice SecLab, a PhD

Reversing Java (Malware) with Radare Adam Pridgen April 2014 About me Rice SecLab, a PhD

Reversing Java (Malware) with Radare Adam Pridgen April 2014 About me Rice SecLab, a PhD Student Independent InfoSec Consultant/Contractor Overview Typical Java Reversing Talk o Decompile Code o Make Changes o Recompile and Win?

868 views • 66 slides
fuzzing &amp; exploiting wireless device drivers Vienna, 23 November 2007 Sylvester Keil

fuzzing &amp; exploiting wireless device drivers Vienna, 23 November 2007 Sylvester Keil

fuzzing &amp; exploiting wireless device drivers Vienna, 23 November 2007 Sylvester Keil Clemens Kolbitsch sk (at) seclab (dot) tuwien (dot) ac (dot) at ck (at) seclab (dot) tuwien (dot) ac (dot) at Agenda 802.11 fundamentals 802.11

820 views • 79 slides
Stateful Fuzzing of Wireless Device Drivers in an Emulated Environment Tokyo 25 October 2007

Stateful Fuzzing of Wireless Device Drivers in an Emulated Environment Tokyo 25 October 2007

Stateful Fuzzing of Wireless Device Drivers in an Emulated Environment Tokyo 25 October 2007 Sylvester Keil sk [at] seclab [dot] tuwien [dot] ac [dot] at Clemens Kolbitsch ck [at] seclab [dot] tuwien [dot] ac [dot] at About us We are

589 views • 45 slides
seclab THE COMPUTER SECURITY GROUP AT UC SANTA BARBARA

seclab THE COMPUTER SECURITY GROUP AT UC SANTA BARBARA

seclab THE COMPUTER SECURITY GROUP AT UC SANTA BARBARA

969 views • 70 slides
Architecture in Practice: Chrome Reid Holmes Chrome Online content is insecure and can

Architecture in Practice: Chrome Reid Holmes Chrome Online content is insecure and can

Material and some slide content from: Taylor et. al. http://queue.acm.org/detail.cfm?id=1556050 http://seclab.stanford.edu/websec/chromium/chromium-security-architecture.pdf OS-Level Sandbox OS/Runtime OS/Runtime Exploit Barriers Exploit

415 views • 3 slides
Binary Analysis with angr Or: VEX was a good idea Who am I? Who are we? Who cares? Researchers

Binary Analysis with angr Or: VEX was a good idea Who am I? Who are we? Who cares? Researchers

Binary Analysis with angr Or: VEX was a good idea Who am I? Who are we? Who cares? Researchers at the University of California Santa Barbara Seclab People interested in finding bugs in software People interested in publishing papers

626 views • 36 slides
SimuVEX Using VEX in Symbolic Analysis Yan Shoshitaishvili yans@cs.ucsb.edu 2014 Who am I? My

SimuVEX Using VEX in Symbolic Analysis Yan Shoshitaishvili yans@cs.ucsb.edu 2014 Who am I? My

SimuVEX Using VEX in Symbolic Analysis Yan Shoshitaishvili yans@cs.ucsb.edu 2014 Who am I? My name is Yan Shoshitaishvili, and I am a PhD student in the Seclab at UC Santa Barbara. Email: yans@cs.ucsb.edu Twitter: @Zardus Github:

918 views • 36 slides
Factoring as a Service Luke Valenta, Shaanan Cohney, Alex Liao, Joshua Fried, Satya Bodduluri,

Factoring as a Service Luke Valenta, Shaanan Cohney, Alex Liao, Joshua Fried, Satya Bodduluri,

Factoring as a Service Luke Valenta, Shaanan Cohney, Alex Liao, Joshua Fried, Satya Bodduluri, Nadia Heninger University of Pennsylvania seclab.upenn.edu/projects/faas Textbook RSA [Rivest Shamir Adleman 1977] Public Key Private Key N = pq

401 views • 39 slides
Automatic Network Protocol Analysis Gilbert Wondracek, Paolo Milani Comparetti, Christopher

Automatic Network Protocol Analysis Gilbert Wondracek, Paolo Milani Comparetti, Christopher

Secure Systems Lab Technical University Vienna Automatic Network Protocol Analysis Gilbert Wondracek, Paolo Milani Comparetti, Christopher Kruegel and Engin Kirda pmilani@ sssup.it gilbert@ seclab.tuwien.ac.at chris@ cs.ucsb.edu engin.kirda@

606 views • 28 slides
DR. CHECKER A Soundy Analysis for Linux Kernel Drivers Aravind Machiry, Chad Spensky , Jake Corina,

DR. CHECKER A Soundy Analysis for Linux Kernel Drivers Aravind Machiry, Chad Spensky , Jake Corina,

DR. CHECKER A Soundy Analysis for Linux Kernel Drivers Aravind Machiry, Chad Spensky , Jake Corina, Nick Stephens, Christopher Kruegel, and Giovanni Vigna University of California, Santa Barbara USENIX Security 2017 seclab THE COMPUTER SECURITY

995 views • 66 slides
Static Enforcement of Web Application Integrity William Robertson and Giovanni Vigna { wkr,vigna

Static Enforcement of Web Application Integrity William Robertson and Giovanni Vigna { wkr,vigna

Static Enforcement of Web Application Integrity William Robertson and Giovanni Vigna { wkr,vigna } @cs.ucsb.edu Computer Security Group UC Santa Barbara 13 August 2009 (UCSB SecLab) Static Web App Integrity Enforcement 13 August 2009 1 / 28

433 views • 42 slides

More recommend