A Tool For Supporting Developers In Analyzing The Security Of Web-Based Security Protocols

G. Pellegrino, L. Compagna, Thomas Morreggia
Published 2013 · Computer Science

Security protocols are specified in natural language, are highly configurable, and may not match the internal requirements of the development company. As a result, developers may misunderstand the specifications, may not grasp the security implications of configurations, and may deviate from the specifications, introducing flaws. However, none of the existing security testing techniques provides the features, scalability, and usability needed to support developers in assessing the security of protocol configurations and deviations. This paper presents a tool that leverages existing design verification and security testing techniques and extends them to support developers in analyzing security protocols. We used the tool for the analysis of prominent security protocols (i.e., SAML SSO, OpenID, OAuth2) and of six industrial-size implementations.