Vetting Single Sign-On SDK Implementations via Symbolic Reasoning
Refereed conference paper presented and published in conference proceedings


Other information
AbstractEncouraged by the rapid adoption of Single Sign-On (SSO) technology in web services, mainstream identity providers, such as Facebook and Google, have developed Software Development Kits (SDKs) to facilitate the implementation of SSO for 3rd-party application developers. These SDKs have become a critical foundation for web services. Despite its importance, little effort has been devoted to a systematic testing on the implementations of SSO SDKs, especially in the public domain. In this paper, we design and implement S3KVetter (Single-Sign-on SdK Vetter), an automated, efficient testing tool, to check the logical correctness and identify vulnerabilities of SSO SDKs. To demonstrate the efficacy of S3KVetter, we apply it to test ten popular SSO SDKs which enjoy millions of downloads by application developers. Among these carefully engineered SDKs, S3KVetter has surprisingly discovered 7 classes of logic flaws, 4 of which were previously unknown. These vulnerabilities can lead to severe consequences, ranging from the sniffing of user activities to the hijacking of user accounts.
Acceptance Date28/06/2018
All Author(s) ListRonghai Yang, Wing Cheong Lau, Jiongyi Chen, Kehuan Zhang
Name of Conference27th USENIX Security Symposium
Start Date of Conference15/08/2018
End Date of Conference17/08/2018
Place of ConferenceBaltimore, Maryland
Country/Region of ConferenceUnited States of America
Proceedings Title27th USENIX Security Symposium
Year2018
Month8
PublisherUSENIX Association
Place of PublicationU.S.A..
LanguagesEnglish-United States

Last updated on 2018-21-12 at 11:17