通过加密网络分析验证OAuth实现

Proceedings of the 24th ACM Symposium on Access Control Models and Technologies Pub Date : 2019-05-28 DOI:10.1145/3322431.3326449

Josh Talkington, R. Dantu, Kirill Morozov

{"title":"通过加密网络分析验证OAuth实现","authors":"Josh Talkington, R. Dantu, Kirill Morozov","doi":"10.1145/3322431.3326449","DOIUrl":null,"url":null,"abstract":"Verifying protocol implementations via application analysis can be cumbersome. Rapid development cycles of both the protocol and applications that use it can hinder up-to-date analysis. A better approach is to use formal models to characterize the applications platform and then verify the protocol through analysis of the network traffic tied to the models. To test this method, the popular protocol OAuth is considered. Currently, formal models of OAuth do not take into consideration the mobile environment, and implementation verification is largely based on code analysis. Our preliminary results are two fold; we sketch an extension to a formal model that incorporates the specifics of the Android platform and classify OAuth device types using machine learning on encrypted VPN traffic.","PeriodicalId":435953,"journal":{"name":"Proceedings of the 24th ACM Symposium on Access Control Models and Technologies","volume":"62 1","pages":"0"},"PeriodicalIF":0.0000,"publicationDate":"2019-05-28","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":"2","resultStr":"{\"title\":\"Verifying OAuth Implementations Through Encrypted Network Analysis\",\"authors\":\"Josh Talkington, R. Dantu, Kirill Morozov\",\"doi\":\"10.1145/3322431.3326449\",\"DOIUrl\":null,\"url\":null,\"abstract\":\"Verifying protocol implementations via application analysis can be cumbersome. Rapid development cycles of both the protocol and applications that use it can hinder up-to-date analysis. A better approach is to use formal models to characterize the applications platform and then verify the protocol through analysis of the network traffic tied to the models. To test this method, the popular protocol OAuth is considered. Currently, formal models of OAuth do not take into consideration the mobile environment, and implementation verification is largely based on code analysis. Our preliminary results are two fold; we sketch an extension to a formal model that incorporates the specifics of the Android platform and classify OAuth device types using machine learning on encrypted VPN traffic.\",\"PeriodicalId\":435953,\"journal\":{\"name\":\"Proceedings of the 24th ACM Symposium on Access Control Models and Technologies\",\"volume\":\"62 1\",\"pages\":\"0\"},\"PeriodicalIF\":0.0000,\"publicationDate\":\"2019-05-28\",\"publicationTypes\":\"Journal Article\",\"fieldsOfStudy\":null,\"isOpenAccess\":false,\"openAccessPdf\":\"\",\"citationCount\":\"2\",\"resultStr\":null,\"platform\":\"Semanticscholar\",\"paperid\":null,\"PeriodicalName\":\"Proceedings of the 24th ACM Symposium on Access Control Models and Technologies\",\"FirstCategoryId\":\"1085\",\"ListUrlMain\":\"https://doi.org/10.1145/3322431.3326449\",\"RegionNum\":0,\"RegionCategory\":null,\"ArticlePicture\":[],\"TitleCN\":null,\"AbstractTextCN\":null,\"PMCID\":null,\"EPubDate\":\"\",\"PubModel\":\"\",\"JCR\":\"\",\"JCRName\":\"\",\"Score\":null,\"Total\":0}","platform":"Semanticscholar","paperid":null,"PeriodicalName":"Proceedings of the 24th ACM Symposium on Access Control Models and Technologies","FirstCategoryId":"1085","ListUrlMain":"https://doi.org/10.1145/3322431.3326449","RegionNum":0,"RegionCategory":null,"ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":null,"EPubDate":"","PubModel":"","JCR":"","JCRName":"","Score":null,"Total":0}

引用次数: 2

摘要

通过应用程序分析验证协议实现可能很麻烦。协议和使用它的应用程序的快速开发周期可能会妨碍最新的分析。更好的方法是使用正式模型来描述应用程序平台，然后通过分析与模型绑定的网络流量来验证协议。为了测试这种方法，我们考虑了流行的OAuth协议。目前，OAuth的正式模型没有考虑到移动环境，实现验证主要基于代码分析。我们的初步结果是双重的;我们草拟了一个正式模型的扩展，该模型结合了Android平台的细节，并在加密的VPN流量上使用机器学习对OAuth设备类型进行分类。

本文章由计算机程序翻译，如有差异，请以英文原文为准。

查看原文本刊更多论文

Verifying OAuth Implementations Through Encrypted Network Analysis

Verifying protocol implementations via application analysis can be cumbersome. Rapid development cycles of both the protocol and applications that use it can hinder up-to-date analysis. A better approach is to use formal models to characterize the applications platform and then verify the protocol through analysis of the network traffic tied to the models. To test this method, the popular protocol OAuth is considered. Currently, formal models of OAuth do not take into consideration the mobile environment, and implementation verification is largely based on code analysis. Our preliminary results are two fold; we sketch an extension to a formal model that incorporates the specifics of the Android platform and classify OAuth device types using machine learning on encrypted VPN traffic.

求助全文

通过发布文献求助，成功后即可免费获取论文全文。去求助

来源期刊

Proceedings of the 24th ACM Symposium on Access Control Models and Technologies

自引率

0.00%

发文量