Security protocols are specified in natural language, are highly-configurable, and may not match the internal requirements of the development company. As a result, developers may misunderstand the specifications, may not grasp the security implications of configurations, and may deviate from the specifications introducing flaws. However, none of the existing security testing techniques provides the features, scalability, and usability to support developers in assessing the security of protocol configurations and deviations. This paper presents a tool that leverages on existing design verification and security testing techniques, and extends them to support developers in analyzing security protocols. We used the tool for the analysis of prominent security protocols (i.e., SAML SSO, OpenID, OAuth2), and of six industrial-size implementations.
A tool for supporting developers in analyzing the security of web-based security protocols
ICTSS 2013, 25th IFIP International Conference on Testing Software and Systems, November 13-15, 2013, Istanbul, Turkey / Also published in LNCS, Volume 8254/2013
Type:
Conférence
City:
Istanbul
Date:
2013-11-13
Department:
Sécurité numérique
Eurecom Ref:
4183
Copyright:
© Springer. Personal use of this material is permitted. The definitive version of this paper was published in ICTSS 2013, 25th IFIP International Conference on Testing Software and Systems, November 13-15, 2013, Istanbul, Turkey / Also published in LNCS, Volume 8254/2013 and is available at : http://dx.doi.org/10.1007/978-3-642-41707-8_19
See also:
PERMALINK : https://www.eurecom.fr/publication/4183
