Kavli Affiliate: Feng Yuan
| First 5 Authors: Tamjid Al Rahat, Yu Feng, Yuan Tian, ,
| Summary:
OAuth protocols have been widely adopted to simplify user authentication and
service authorization for third-party applications. However, little effort has
been devoted to automatically checking the security of libraries that are
widely used by service providers. In this paper, we formalize the OAuth
specifications and security best practices, and design OAuthShield, an
automated static analyzer, to find logical flaws and identify vulnerabilities
in the implementation of OAuth authorization server libraries. To efficiently
detect OAuth violations in a large codebase, OAuthShield employs a
demand-driven algorithm for answering queries about OAuth specifications. To
demonstrate the effectiveness of OAuthShield, we evaluate it on ten popular
OAuth libraries that have millions of downloads. Among these high-profile
libraries, OAuthShield has identified 47 vulnerabilities from ten classes of
logical flaws, 24 of which were previously unknown. We got acknowledged by the
developers of six libraries and had three accepted CVEs.
| Search Query: ArXiv Query: search_query=au:”Feng Yuan”&id_list=&start=0&max_results=10