Guardians of the Clouds: When Identity Providers Fail

Andreas Mayer, Marcus Niemietz, Vladislav Mladenov, Jörg Schwenk

ACM CCSW 2014 in conjunction with the ACM Conference on Computer and Communications Security (CCS), November 7, 2014, The Scottsdale Plaza Resort, Scottsdale, Arizona, USA.


Abstract

Many cloud-based services offer interfaces to Single Sign-On (SSO) systems. This helps companies and Internet users to keep control over their data: by using an Identity Provider (IdP), they are able to enforce various access control strategies (e.g., RBAC) on data processed in the cloud.

On the other hand, IdPs provide a valuable single point of attack: if the IdP can be compromised, all cloud services are affected, including well-protected applications such as Google Apps and Salesforce. This increases the impact of the attack by several orders of magnitude.

In this paper, we analyze the security of six real-world SAML-based IdPs (OneLogin, Okta, WSO2 Stratos, Cloudseal, SSOCircle, and Bitium) which are used to protect cloud services. We present a novel attack technique (ACS Spoofing), which allows the adversary to successfully impersonate the victim in four of these SSO systems. To complete our survey on IdP security, we additionally evaluated the security of these six IdPs against well-known web attacks, and we were successful against four of them. In summary, we were able to break all six SSO systems.

We present an online penetration test tool, ACSScanner, which is able to detect ACS Spoofing vulnerabilities on arbitrary IdPs. Additionally, we discuss several countermeasures for each attack type, ranging from simple whitelisting to the signing of authentication requests, and from anti-CSRF tokens and HttpOnly cookies to cookie-TLS-bindings. We have implemented a combination of two advanced countermeasures.
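The "simple whitelisting" countermeasure mentioned above, worked through as an added example by the editor; it is not code from the paper, from ACSScanner, or from any of the evaluated IdPs. It assumes that ACS Spoofing means an attacker-supplied AssertionConsumerServiceURL in an unsigned SAML AuthnRequest that the IdP honors without comparing it to the Service Provider's registered endpoints, so that the signed assertion is posted to an attacker-controlled URL. The SP entity IDs, ACS URLs and the registry structure are hypothetical; the sample AuthnRequests are constructed inline.

```python
import xml.etree.ElementTree as ET

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"

# Constructed registry standing in for the SP metadata an IdP holds after SP
# registration (entity IDs are hypothetical): entityID -> registered ACS URLs.
SP_REGISTRY = {
    "https://sp.example.com/saml/metadata": {
        "default": "https://sp.example.com/saml/acs",
        "allowed": {
            "https://sp.example.com/saml/acs",
            "https://sp.example.com/saml/acs-alt",
        },
    },
}


def parse_authn_request(xml_text):
    """Return (issuer entityID, AssertionConsumerServiceURL or None)."""
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{SAMLP}}}AuthnRequest":
        raise ValueError("not a samlp:AuthnRequest")
    issuer = root.find(f"{{{SAML}}}Issuer")
    if issuer is None or not (issuer.text or "").strip():
        raise ValueError("AuthnRequest without Issuer")
    return issuer.text.strip(), root.get("AssertionConsumerServiceURL")


def resolve_acs_unchecked(xml_text):
    """Vulnerable pattern: send the assertion wherever the request asks.

    The AuthnRequest arrives unsigned via the user's browser, so whoever can
    make the victim open a crafted request chooses this URL.
    """
    _, acs = parse_authn_request(xml_text)
    return acs


def resolve_acs_whitelisted(xml_text, registry=SP_REGISTRY):
    """Hardened pattern: only POST the assertion to an ACS URL the SP
    registered out of band; fall back to the SP's default when none is given."""
    issuer, acs = parse_authn_request(xml_text)
    sp = registry.get(issuer)
    if sp is None:
        raise ValueError(f"unknown SP issuer {issuer!r}")
    if acs is None:
        return sp["default"]
    # Exact string match on purpose: a prefix check such as
    # acs.startswith("https://sp.example.com") would also accept
    # https://sp.example.com.attacker.net/acs.
    if acs not in sp["allowed"]:
        raise ValueError(f"ACS URL {acs!r} is not registered for {issuer!r}")
    return acs


def acs_accepted(xml_text, registry=SP_REGISTRY):
    """True if the whitelisting check would let this request through."""
    try:
        resolve_acs_whitelisted(xml_text, registry)
        return True
    except ValueError:
        return False


def build_authn_request(issuer, acs=None):
    """Build a minimal, constructed, unsigned samlp:AuthnRequest for testing."""
    acs_attr = f' AssertionConsumerServiceURL="{acs}"' if acs else ""
    return (
        f'<samlp:AuthnRequest xmlns:samlp="{SAMLP}" xmlns:saml="{SAML}" '
        f'ID="_req1" Version="2.0" IssueInstant="2014-11-07T00:00:00Z"{acs_attr}>'
        f"<saml:Issuer>{issuer}</saml:Issuer>"
        f"</samlp:AuthnRequest>"
    )


if __name__ == "__main__":
    sp = "https://sp.example.com/saml/metadata"
    benign = build_authn_request(sp, "https://sp.example.com/saml/acs")
    spoofed = build_authn_request(sp, "https://sp.example.com.attacker.net/acs")
    print("unchecked, spoofed request ->", resolve_acs_unchecked(spoofed))
    print("whitelisted, benign request ->", resolve_acs_whitelisted(benign))
    print("whitelisted, spoofed request accepted?", acs_accepted(spoofed))
```

The whitelist is keyed by the Issuer, because the ACS URL is only meaningful relative to the SP that claims it; an IdP that keeps one global list of all known ACS URLs would still let one registered SP redirect assertions meant for another. Whitelisting closes the redirection itself but not tampering with the rest of the request, which is why the abstract also lists signing of authentication requests as the stronger option.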

The distributed document has been provided by the contributing authors as a means to ensure timely dissemination of scholarly and technical work on a noncommercial basis. Copyright and all rights therein are maintained by the authors or by other copyright holders, notwithstanding that they have offered their works here electronically. It is understood that all persons copying this information will adhere to the terms and constraints invoked by each author's copyright. These works may not be reposted without the explicit permission of the copyright holder.

[paper]

Tags: Cloud, idp, sso, ui-redressing, XSS