Your Software at my Service

Vladislav Mladenov, Christian Mainka, Florian Feldmann, Julian Krautwald, Jörg Schwenk

ACM CCSW 2014 in conjunction with the ACM Conference on Computer and Communications Security (CCS), November 7, 2014, The Scottsdale Plaza Resort, Scottsdale, Arizona, USA.


Abstract

Software-as-a-Service (SaaS) is typically defined as a rental model for using a complex software product, running on a centralized computing platform, using a thin client (most frequently a web browser). As such, it is one of the major categories of Cloud Computing, besides IaaS and PaaS. While there are many economic benefits in using SaaS, each company must nevertheless enforce control over its own data processed in the Cloud. One of the most important building blocks of such an enforcement scheme is Identity Management (IdM), whereat the industry standard for IdM is SAML, the Security Assertion Markup Language. In this paper, we study the security of the SAML implementations of 22 SaaS Cloud Providers (SaaS-CPs) and show that 90% of them can be broken, resulting in company data exposure to attackers on the Internet. The detected vulnerabilities are exploited by a wide variety of attack techniques, ranging from classical web attacks to problems specific to XML processing.

The distributed document has been provided by the contributing authors as a means to ensure timely dissemination of scholarly and technical work on a noncommercial basis. Copyright and all rights therein are maintained by the authors or by other copyright holders, notwithstanding that they have offered their works here electronically. It is understood that all persons copying this information will adhere to the terms and constraints invoked by each author's copyright. These works may not be reposted without the explicit permission of the copyright holder.

[paper]

Tags: Authentication Security Flaws, Cloud Security, SAML, Software-as-a-Service (SaaS)