Cerberus: Query-driven Scalable Vulnerability Detection in OAuth Service Provider Implementations

Kavli Affiliate: Feng Yuan

First 5 Authors: Tamjid Al Rahat, Yu Feng, Yuan Tian

Summary:

OAuth protocols have been widely adopted to simplify user authentication and
service authorization for third-party applications. However, little effort has
been devoted to automatically checking the security of the libraries that
service providers widely use. In this paper, we formalize the OAuth
specifications and security best practices, and design Cerberus, an automated
static analyzer, to find logical flaws and identify vulnerabilities in the
implementation of OAuth service provider libraries. To efficiently detect
security violations in a large codebase of service provider implementations,
Cerberus employs a query-driven algorithm for answering queries about OAuth
specifications. We demonstrate the effectiveness of Cerberus by evaluating it
on datasets of popular OAuth libraries with millions of downloads. Among these
high-profile libraries, Cerberus has identified 47 vulnerabilities from ten
classes of logical flaws, 24 of which were previously unknown. The developers
of eight libraries acknowledged our findings, and three CVEs were accepted.
