Reference Monitors for Security and Interoperability in OAuth 2.0

Cited by: 1
Authors
Cherrueau, Ronan-Alexandre [1 ]
Douence, Remi [1 ]
Royer, Jean-Claude [1 ]
Sudholt, Mario [1 ]
de Oliveira, Anderson Santana [2 ]
Roudier, Yves [3 ]
Dell'Amico, Matteo [3 ]
Affiliations
[1] Ecole Mines Nantes, Nantes, France
[2] SAP Appl Res, Mougins, France
[3] EURECOM, Sophia Antipolis, France
Keywords
Aspect oriented programming; Interoperability; OAuth protocol; Reference monitor; Security; Type system;
DOI
10.1007/978-3-642-54568-9_15
CLC number
TP [Automation technology, computer technology];
Discipline code
0812 ;
Abstract
OAuth 2.0 is a recent IETF standard devoted to providing authorization to clients requiring access to specific resources over HTTP. It has been pointed out that this framework is potentially subject to security issues, as well as to difficulties concerning the interoperability between protocol participants and application evolution. As we show in this paper, there are indeed multiple reasons that make this protocol hard to implement and that impede interoperability in the presence of different kinds of clients. Our main contribution consists of a framework that harnesses a type-based policy language and aspect-based support for protocol adaptation through flexible reference monitors in order to handle the security, interoperability and evolution issues of OAuth 2.0. We apply our framework in the context of three scenarios that make explicit variations in the protocol and show how to handle those issues.
Pages: 235 - 249
Page count: 15
Related papers
50 items in total
  • [1] Security Interoperability in Heterogeneous IoT Platforms: Threat Model of the Interoperable OAuth 2.0 Framework
    Oh, Se-Ra
    Koo, Jahoon
    Kim, Young-Gab
    [J]. 37TH ANNUAL ACM SYMPOSIUM ON APPLIED COMPUTING, 2022, : 22 - 31
  • [2] Security evaluation of the OAuth 2.0 framework
    Ferry, Eugene
    Raw, John O.
    Curran, Kevin
    [J]. INFORMATION AND COMPUTER SECURITY, 2015, 23 (01) : 73 - 101
  • [3] A Comprehensive Formal Security Analysis of OAuth 2.0
    Fett, Daniel
    Kuesters, Ralf
    Schmitz, Guido
    [J]. CCS'16: PROCEEDINGS OF THE 2016 ACM SIGSAC CONFERENCE ON COMPUTER AND COMMUNICATIONS SECURITY, 2016, : 1204 - 1215
  • [4] OAUCH: Exploring Security Compliance in the OAuth 2.0 Ecosystem
    Philippaerts, Pieter
    Preuveneers, Davy
    Joosen, Wouter
    [J]. PROCEEDINGS OF 25TH INTERNATIONAL SYMPOSIUM ON RESEARCH IN ATTACKS, INTRUSIONS AND DEFENSES, RAID 2022, 2022, : 460 - 481
  • [5] OAuthGuard: Protecting User Security and Privacy with OAuth 2.0 and OpenID Connect
    Li, Wanpeng
    Mitchell, Chris J.
    Chen, Thomas
    [J]. PROCEEDINGS OF THE 5TH ACM WORKSHOP ON SECURITY STANDARDISATION RESEARCH WORKSHOP (SSR '19), 2019, : 35 - 44
  • [6] OAuth 2.0: Architectural design augmentation for mitigation of common security vulnerabilities
    Singh, Jaimandeep
    Chaudhary, Naveen Kumar
    [J]. Journal of Information Security and Applications, 2022, 65
  • [8] Modular Security Analysis of OAuth 2.0 in the Three-Party Setting
    Li, Xinyu
    Xu, Jing
    Zhang, Zhenfeng
    Lan, Xiao
    Wang, Yuchen
    [J]. 2020 5TH IEEE EUROPEAN SYMPOSIUM ON SECURITY AND PRIVACY (EUROS&P 2020), 2020, : 276 - 293
  • [9] Teaching the Security Mindset with Reference Monitors
    Cappos, Justin
    Weiss, Richard
    [J]. PROCEEDINGS OF THE 45TH ACM TECHNICAL SYMPOSIUM ON COMPUTER SCIENCE EDUCATION (SIGCSE'14), 2014, : 523 - 528
  • [10] Model-based Security Testing: an Empirical Study on OAuth 2.0 Implementations
    Yang, Ronghai
    Li, Guanchen
    Lau, Wing Cheong
    Zhang, Kehuan
    Hu, Pili
    [J]. ASIA CCS'16: PROCEEDINGS OF THE 11TH ACM ASIA CONFERENCE ON COMPUTER AND COMMUNICATIONS SECURITY, 2016, : 651 - 662