Basic information
Career history
Biography
First, I conducted a systematic analysis of the OpenID 2.0 protocol using both formal model checking and an empirical evaluation of 132 popular RP websites. The formal analysis identified three weaknesses in the protocol, and based on the attack traces from the model checking, six exploits and a semi-automated vulnerability assessment tool were designed to evaluate how prevalent those weaknesses are in the real-world RP implementations. Two countermeasures are proposed and evaluated for RPs to mitigate the uncovered weaknesses in the protocol.
Second, I examined the OAuth 2.0 implementations of three major IdPs (Facebook, Microsoft, and Google) and RP websites listed on the Google Top 1000 Websites that support using a Facebook account for login. The analysis results uncovered several critical vulnerabilities that allow an attacker to gain unauthorized access to the victim user's profile and social graph, and to impersonate the victim on the RP website. Closer examination reveals that these vulnerabilities are caused by a set of design decisions that trade security for implementation simplicity. Ten simple and practical design and implementation improvements were suggested for IdPs and RPs that can be adopted gradually by individual sites.
Third, I proposed and evaluated an approach for RPs and IdPs to retrofit their existing web applications with run-time protection against known as well as unseen SQL injection attacks (SQLIAs). The precision of the proposed approach is also enhanced with a method for reducing the rate of false positives in the SQLIA detection logic, via runtime discovery of the developers' intention for individual SQL statements made by web applications. The proposed approach offers protection to existing web applications against SQLIAs where source code, qualified developers, or security development processes might not be available or practical.
Finally, through several iterations of a usability study, I investigated users' perceptions of web SSO. The user study examined what mental models users form when using web SSO for authentication, and how the gaps between the system model and those mental models influence users' security and privacy perceptions, as well as adoption intentions. In addition, an identity-enabled browser was designed to explore possible improvements. Our study found several behaviors, concerns, and misconceptions that hinder our participants' adoption intentions, from inadequate mental models of web SSO, to the reluctance to have their personal profile information released, and the reduction of perceived web SSO value due to the employment of password management practices. Informed by our findings, I introduced a web SSO technology acceptance model, and suggested design improvements for RP and IdP websites.
Research interests
Publications (30 in total)
Pervasive and Mobile Computing (2016): 26-34
CCS, pp. 3-14 (2015)
Proceedings of the 5th Annual ACM CCS Workshop on Security and Privacy in Smartphones and Mobile Devices (2015)
CCS, pp. 378-390 (2012)
Proceedings of the 2012 ACM Conference on Computer and Communications Security - CCS '12 (2012)