OAuth protocols have been widely adopted to simplify user authentication and service authorization for third-party applications. However, little effort has been devoted to automatically checking the security of the libraries that service providers widely use. In this paper, we formalize the OAuth specifications and security best practices, and design Cerberus, an automated static analyzer, to find logical flaws and identify vulnerabilities in the implementation of OAuth service provider libraries. To efficiently detect security violations in a large codebase of service provider implementation, Cerberus employs a query-driven algorithm for answering queries about OAuth specifications. We demonstrate the effectiveness of Cerberus by evaluating it on datasets of popular OAuth libraries with millions of downloads. Among these high-profile libraries, Cerberus has identified 47 vulnerabilities from ten classes of logical flaws, 24 of which were previously unknown. We got acknowledged by the developers of eight libraries and had three accepted CVEs.
翻译:OAuth协议已被广泛采用,以简化第三方应用程序的用户认证和服务授权。然而,目前几乎没有研究工作致力于自动检查服务提供者广泛使用的库的安全性。本文形式化了OAuth规范和安全最佳实践,并设计了自动化静态分析工具Cerberus,用于发现OAuth服务提供者库实现中的逻辑缺陷并识别漏洞。为了高效检测服务提供者大规模代码库中的安全违规行为,Cerberus采用了一种查询驱动算法来回答关于OAuth规范的查询。我们通过在下载量达数百万的流行OAuth库数据集上进行评估,展示了Cerberus的有效性。在这些知名库中,Cerberus识别出涉及十类逻辑缺陷的47个漏洞,其中24个此前未被发现。我们已获得八个库开发者的致谢,并有三项漏洞被授予CVE编号。