Abstract
Over the past few years, OAuth has become an open authorization standard that is being adopted by a growing number of sites such as Twitter, Facebook and Google. It allows users to grant a third-party application access to restricted resources without providing their credentials. However, ensuring the correctness of implementations of OAuth in applications brings multiple concerns. Therefore, it is crucial to verify OAuth with an exhaustive examination by utilizing formal methods. In this paper, we first formalize OAuth with ASLan++ on the AVANTSSAR platform and propose several fundamental security properties on it which are specified using extended Linear Temporal Logic (LTL) formulas. In a second step, we use a SAT-based Model-Checker (SATMC) to verify whether OAuth violates these properties. As a result, we reveal three attacks which steal and falsify users' critical information.
| Original language | English |
|---|---|
| Article number | 7027417 |
| Pages (from-to) | 76-84 |
| Number of pages | 9 |
| Journal | Proceedings of IEEE International Symposium on High Assurance Systems Engineering |
| Volume | 2015-January |
| Issue number | January |
| DOIs | |
| State | Published - 29 Jan 2015 |
| Event | 16th IEEE International Symposium on High Assurance Systems Engineering, HASE 2015 - Daytona Beach, United States Duration: 8 Jan 2015 → 10 Jan 2015 |
Keywords
- ASLan++
- Modeling
- Oauth
- SATMC
- Verification