Self-Verifying Authentication – A Framework for Safer Integrations of Single-Sign-On Services

Presented at Black Hat Europe 2017, Dec. 6, 2017, 3:30 p.m. (60 minutes)

SSO (single-sign-on) services, such as those provided by Facebook, Google and Microsoft Azure, are integrated into tens of millions of apps, websites and cloud services, much like the front-door lock of every home. However, the integration practice is very ad hoc: on one hand, protocol documentation and usage guides of SSO libraries are written by experts, who are like experienced “locksmiths”; on the other hand, most app/website programmers are not “locksmiths”, and inevitably fall into many pitfalls due to misunderstandings of such informal documentation. Security bugs in SSO integrations are continuously discovered in the field, leaving the front door of the cloud wide open for attackers. SSO bugs were the primary example when the Cloud Security Alliance ranked API integration bugs as the No. 4 top security threat. They have become a familiar theme at major security conferences, including BlackHat USA 2016 and BlackHat Europe 2016.

We are working on an open-source project, called SVAuth, to provide every website with a safer SSO integration, supported by formal program verification. SVAuth is ready for real-world adoption: (1) it is language independent, so it works with web apps in any language, such as PHP, ASP.NET and Python; (2) the default solution requires only a drop-in installation of an executable, without any library integration effort; (3) a programmer can customize the default solution for his/her special requirements, and the customized solution enjoys the same correctness assurance as the default one; (4) the SVAuth framework can accommodate all SSO services.

The main innovation underlying SVAuth is a program verification technology called SVX (Self-Verifying Execution). It turns every SSO-protocol execution into a process of proving its own logical correctness: every time a “lock” is opened (i.e., a user is signing in), a “locksmith” (i.e., a program verifier) is always watching to assert whether it is a logically sound normal procedure or a lock-picking attempt. In other words, executing protocol code becomes inseparable from verifying it. SVX has two other attributes that seem magical: (1) the runtime overhead for verification is near zero; (2) the self-verifying capability only needs to be built once into the abstract classes of a protocol, and all concrete implementations derived from the protocol automatically inherit the capability. Thus, the one-time verification effort at the protocol level is scaled up to all concrete implementations.

In this talk, we will first show and explain a number of SSO bugs that we discovered. They pinpoint the natural gaps between the perspectives of a protocol designer, an SDK provider and a regular website programmer. None of them can be called a “stupid bug”. Then, we explain how SVX performs code verification, as well as the architecture of the SVAuth code. Finally, we give demos of real-world web apps using SVAuth.

The talk is based on two published papers, but contains much new content reflecting our latest development.

[1] Securing Multiparty Online Services via Certification of Symbolic Transactions. In IEEE Symposium on Security and Privacy (S&P) 2015. https://www.microsoft.com/en-us/research/wp-content/uploads/2016/02/CST.pdf
[2] Self-Verifying Execution. In IEEE Cybersecurity Development Conference (SecDev) 2016. https://www.microsoft.com/en-us/research/wp-content/uploads/2016/09/Self-Verifying-Execution.pdf

Presenters:

  • Shuo Chen - Senior Researcher, Microsoft Research
    Shuo Chen is a senior researcher at Microsoft Research Redmond. His interest is in studying real-world operational systems to understand their security challenges and flaws. Specifically, he spends significant time studying problems about software-as-a-service, browsers, web privacy/security and memory-based issues. He has served on the program committees for IEEE S&P, USENIX Security, ACM CCS, WWW, etc. His work resulted in discoveries of many real-world vulnerabilities, including those that compromised HTTPS on all browsers, bypassed payment services of e-commerce sites and bypassed single-sign-on authentications. These discoveries led to numerous security fixes made by Microsoft, Google, Facebook and other major companies. He won a best practical paper award at IEEE S&P. His research has been covered by the news media, including CNN, CNET, Ars Technica, etc. A study about OAuth security that he and a CMU group did was presented at BlackHat USA 2016. Shuo obtained his Ph.D. degree in computer science from the University of Illinois at Urbana-Champaign. He obtained his master's and bachelor's degrees from Tsinghua University and Peking University, both in computer science.
  • Shaz Qadeer - Principal Researcher, Microsoft
    Shaz Qadeer is Principal Researcher at Microsoft. He is interested in building correct and secure distributed systems. To achieve this goal, he has developed techniques for reasoning about asynchronous, concurrent, and fault-tolerant systems. He is currently trying to build a secure, available, and scalable Blockchain service atop Microsoft Azure.
  • Ravishankar Iyer - George and Ann Fisher Distinguished Professor of Engineering, University of Illinois at Urbana-Champaign
    Ravishankar Iyer is the George and Ann Fisher Distinguished Professor of Engineering at the University of Illinois at Urbana-Champaign. He holds joint appointments in the Department of Electrical and Computer Engineering, the Coordinated Science Laboratory (CSL), and the Department of Computer Science. He serves as Chief Scientist of the Information Trust Institute and as a Research Affiliate of the Mayo Clinic, and he is affiliate faculty of the National Center for Supercomputing Applications (NCSA) and the Carl R. Woese Institute for Genomic Biology at Illinois. Iyer has led several large successful projects funded by the National Aeronautics and Space Administration (NASA), the Defense Advanced Research Projects Agency (DARPA), the National Science Foundation (NSF), and industry. He currently co-leads the CompGen Initiative at Illinois. Funded by NSF and partnering with industry leaders, hospitals, and research laboratories, CompGen aims to build a new computational platform to address both accuracy and performance issues for a range of genomics applications. Professor Iyer is a Fellow of the American Association for the Advancement of Science, the Institute of Electrical and Electronics Engineers (IEEE), and the Association for Computing Machinery (ACM). He has received several awards, including the American Institute of Aeronautics and Astronautics (AIAA) Information Systems Award, the IEEE Emanuel R. Piore Award, and the 2011 Outstanding Contributions award of the Association for Computing Machinery Special Interest Group on Security for his fundamental and far-reaching contributions in secure and dependable computing. Professor Iyer is also the recipient of the degree of Doctor Honoris Causa from Toulouse Sabatier University in France.
  • Phuong Cao - PhD Candidate, University of Illinois at Urbana-Champaign
    Phuong Cao is an ECE PhD Candidate at the University of Illinois at Urbana-Champaign (UIUC). His research interests are the design and evaluation of resilient cyber-physical systems, using probabilistic graphical models and formal verification techniques. He co-authored a paper that received the best paper award at the IEEE International Conference on Dependable Systems and Networks (DSN). Phuong earned his Master's degree from UIUC and Bachelor's degree from Hanoi University of Science and Technology, both in computer science.
  • Matt McCutchen - PhD Student, Massachusetts Institute of Technology
    Matt McCutchen is a fourth-year Ph.D. student at the Massachusetts Institute of Technology. He's interested in a range of topics across programming languages, software engineering, and security with an eye toward the most fundamental problems; his graduate research is on fully integrating structured data into the spreadsheet paradigm to make data-centric applications easier to develop. Relating to security, in addition to his work on SVAuth with Shuo Chen, he has contributed to technologies of interest to him as a hobby, notably Qubes OS and the DANE protocol for DNSSEC-based designation of TLS server certificates.
