A team of the Department of Information Engineering has recently won the third place of the 2018 Internet Defense Prize and a research grant of US$40,000 funded by Facebook at the 27th USENIX Security Symposium held in the US. Their award was for their contribution to the critical analysis of the security of Single Sign-On (SSO) Software Development Kits (SDKs) deployed in practice. The team comprised of Dr. Ronghai Yang, Prof. Wing Cheong Lau, Mr. Jiongyi Chen, and Prof. Kehuan Zhang of the Department of Information Engineering. This is the first time for researchers from an Asian institution to receive this international award.
The winning paper was titled Vetting Single Sign-On SDK Implementations via Symbolic Reasoning. SSO provides a partial solution to the Internet's over-reliance on passwords. It enables users to use their Online Social Networking accounts/ credentials (such as those from Facebook, Google, Sina, Tencent and Baidu), to log into other third-party applications/ websites (such as OpenRice and IMDb) and thus providing a more convenient way for users to sign up and access different online services and applications. Since SSO has been serving hundreds of millions of Internet users every day, the security of related software development kits (SDKs) is of critical importance to online security.
SSO involves cooperation and coordination between ID providers, users and third-party applications/websites. The technology is complicated and poses many challenges in analysing the security of SSO SDKs. The CUHK research team designed and implemented S3KVetter (Single-Sign-On SDK Vetter), an automated, efficient testing tool, to check the logical correctness and identify vulnerabilities of SSO SDKs in practice. To demonstrate the efficacy of S3KVetter, the team applied S3KVetter to test ten popular SSO SDKs which have been downloaded for millions of times by web-service/ application developers.
Among the SSO SDKs examined, S3KVetter has discovered 7 classes of logic flaws, 4 of which were previously unknown. The new vulnerabilities can lead to severe consequences, ranging from the sniffing of user activities to the hijacking of user accounts.
The team was thrilled with their work. Dr. Ronghai Yang, an alumnus of Department of Information Engineering said, "We have discovered multiple zero-day exploits among several popular SSO SDKs in practice. Until the vulnerabilities are mitigated, hackers can exploit them to cause severe breaches of the security and privacy of online users world-wide. This is an important issue that the industry must address."
"Internet communications and cybersecurity have long been two of the key research areas of the CUHK Engineering Faculty. The award is a great encouragement to our team and a recognition of CUHK's strength in cybersecurity research. We will scale new heights in our ongoing work on applied cryptography, security and privacy in cyber systems, with the aim of making the cyberworld a safer place," said Prof. Lau Wing Cheong of the Department of Information Engineering, CUHK.
For more details of the paper, please go to www.usenix.org/system/files/conference/usenixsecurity18/sec18-yang.pdf
About the Internet Defense Prize
Created in 2014, the Internet Defense Prize is funded by Facebook and offered in partnership with USENIX. It aims to celebrate technical contributions to the protection and defense of the Internet.