An Expressive Model for the Web Infrastructure: Definition and Application to the BrowserID SSO System

The web constitutes a complex infrastructure and as demonstrated by numerous attacks, rigorous analysis of standards and web applications is indispensable. Inspired by successful prior work, in particular the work by Akhawe et al. as well as Bansal et al., in this work we propose a formal model for the web infrastructure. While unlike prior works, which aim at automatic analysis, our model so far is not directly amenable to automation, it is much more comprehensive and accurate with respect to the standards and specifications. As such, it can serve as a solid basis for the analysis of a broad range of standards and applications. As a case study and another important contribution of our work, we use our model to carry out the first rigorous analysis of the BrowserID system (a.k.a. Mozilla Persona), a recently developed complex real-world single sign-on system that employs technologies such as AJAX, cross-document messaging, and HTML5 web storage. Our analysis revealed a number of very critical flaws that could not have been captured in prior models. We propose fixes for the flaws, formally state relevant security properties, and prove that the fixed system in a setting with a so-called secondary identity provider satisfies these security properties in our model. The fixes for the most critical flaws have already been adopted by Mozilla and our findings have been rewarded by the Mozilla Security Bug Bounty Program.Comment: An abridged version appears in S&P 201

The Web SSO Standard OpenID Connect: In-Depth Formal Security Analysis and Security Guidelines

Web-based single sign-on (SSO) services such as Google Sign-In and Log In with Paypal are based on the OpenID Connect protocol. This protocol enables so-called relying parties to delegate user authentication to so-called identity providers. OpenID Connect is one of the newest and most widely deployed single sign-on protocols on the web. Despite its importance, it has not received much attention from security researchers so far, and in particular, has not undergone any rigorous security analysis. In this paper, we carry out the first in-depth security analysis of OpenID Connect. To this end, we use a comprehensive generic model of the web to develop a detailed formal model of OpenID Connect. Based on this model, we then precisely formalize and prove central security properties for OpenID Connect, including authentication, authorization, and session integrity properties. In our modeling of OpenID Connect, we employ security measures in order to avoid attacks on OpenID Connect that have been discovered previously and new attack variants that we document for the first time in this paper. Based on these security measures, we propose security guidelines for implementors of OpenID Connect. Our formal analysis demonstrates that these guidelines are in fact effective and sufficient.Comment: An abridged version appears in CSF 2017. Parts of this work extend the web model presented in arXiv:1411.7210, arXiv:1403.1866, arXiv:1508.01719, and arXiv:1601.0122

Analyzing the BrowserID SSO System with Primary Identity Providers Using an Expressive Model of the Web

BrowserID is a complex, real-world Single Sign-On (SSO) System for web applications recently developed by Mozilla. It employs new HTML5 features (such as web messaging and web storage) and cryptographic assertions to provide decentralized login, with the intent to respect users' privacy. It can operate in a primary and a secondary identity provider mode. While in the primary mode BrowserID runs with arbitrary identity providers (IdPs), in the secondary mode there is one IdP only, namely Mozilla's default IdP. We recently proposed an expressive general model for the web infrastructure and, based on this web model, analyzed the security of the secondary IdP mode of BrowserID. The analysis revealed several severe vulnerabilities. In this paper, we complement our prior work by analyzing the even more complex primary IdP mode of BrowserID. We do not only study authentication properties as before, but also privacy properties. During our analysis we discovered new and practical attacks that do not apply to the secondary mode: an identity injection attack, which violates a central authentication property of SSO systems, and attacks that break an important privacy promise of BrowserID and which do not seem to be fixable without a major redesign of the system. Some of our attacks on privacy make use of a browser side channel that has not gained a lot of attention so far. For the authentication bug, we propose a fix and formally prove in a slight extension of our general web model that the fixed system satisfies all the requirements we consider. This constitutes the most complex formal analysis of a web application based on an expressive model of the web infrastructure so far. As another contribution, we identify and prove important security properties of generic web features in the extended web model to facilitate future analysis efforts of web standards and web applications.Comment: arXiv admin note: substantial text overlap with arXiv:1403.186

Information, Intelligence and Negotiation: The Atlantic European Diplomatic World, 1558-1585

Mershon Center for International Security Studies Graduate Student Research 2007-08In a September 1561 dispatch sent from Madrid to English Secretary of State Sir William Cecil, ambassador Sir Thomas Chaloner noted that he had remained so long without letters or contact from England that he could not fulfill his duties as an ambassador to Spain. Chaloner could not effectively negotiate with King Phillip II of Spain about English policy decisions, trade strategies, or positions on foreign affairs, simply because he lacked the necessary information. His predicament reflects the importance of reliable communications networks to develop, transmit, and implement foreign policy initiatives. Denice Fett examines the development of a diplomatic communications system that depended on gathering and transmitting information and intelligence during the late 16th century. While some scholars have explored international diplomacy from the perspective of a single nation, Fett's dissertation draws from archival sources in five different countries and five different languages

Stress Intensity Factors - T-Stresses - Weight Functions

Failure of cracked components is governed by the stresses in the vicinity of the crack tip. The singular stress contribution is characterised by the stress intensity factor K, the first regular stress term is represented by the so-called T-stress. Sufficient information about the stress state is available, if these two parameters are known Results for K and T are compiled in form of figures, tables, and approximate relations

An In-depth Investigation of the Divine Ratio

The interesting thing about mathematical concepts is that we can trace their development or discoveries throughout history. Most cultures of the ancient world had some form of mathematics, and these basic skills developed into what we now call modern mathematics. The divine ratio is similar in that it was used in many different sections of history. The divine ratio, sometimes called the golden ratio or golden section, has been found in very diverse areas. The mathematical concepts of the golden ration have been found throughout nature, in architecture, music as well as in art. Phi is an astonishing number because it has inspired thinkers in many disciplines, more-so than any other number has in the history of mathematics. This paper investigates how the golden ratio has influenced civilizations throughout history and has intrigued mathematicians and others by its prevalence

Stress Intensity Factors - T-Stresses - Weight Functions. Supplement Volume

Stresses in the vicinity of the crack tips are responsible for failure of crack-containing components. The singular stress contribution is characterised by the stress intensity factor K, the first regular stress term is represented by the so-called T-stress. Whereas in the main volume, IKM 50, predominantly one-dimensional cracks were considered in homogeneous materials, this supplement volume compiles new results on one-dimensional and two-dimensional cracks

Implementing a Screening Pathway for Identifying Patients at Risk for Obstructive Sleep Apnea in Primary Care

Obstructive sleep apnea (OSA) is emerging as a significant health problem largely underrecognized by health care providers in the primary care setting (Pagel, 2008). The intent of this practice innovation project was to change and reduce the variation in practice for OSA screening that did not follow what is known about best practices. In this study, a preexperimental one-group pretest-posttest design was carried out to evaluate the outcomes associated with implementing an evidence-based screening pathway into practice for OSA based on the recommendations set forth in a clinical practice guideline recently published by the American Academy of Sleep Medicine (Epstein et al., 2009). The intervention consisted of providing education and training to primary care providers and staff for accurately identifying and screening eligible patients according to the pathway. Those individuals who were identified as having symptoms of OSA were referred on for a sleep study. Comparison data consisted of sleep study referral rates over a two month period prior to the intervention and were compared to sleep study referral rates over a two month period after the intervention was implemented into practice. The analysis indicates that there is not a statistically significant difference between the two groups (X2 = 1.091, p = 0.148). However, among the sub-group of patients identified as eligible for screening through chart review, significantly more patients were referred on for a sleep study during the post-intervention period compared to the pre-intervention period (X2 = 7.815, p = 0.003). Of the 227 patients identified as eligible for screening post-intervention, six were referred on for a sleep study. This result suggests with 95% certainty that the intervention (education and training for the implementation of a screening pathway) led to a statistically significant increase in the number of patients referred on for a sleep study. The majority of patients who were categorized as eligible for screening were White, male, age 50 years or younger, and indicated for screening due to their body mass index (\u3e35 kg/m2). Results of this study demonstrate a small but clinically significant increase in the number of sleep study referrals after the pathway was implemented into practice. Despite the relatively few successful screenings that were performed in this study, there is still a need for ongoing screening in the primary care setting due to the increasing prevalence and debilitating conditions associated with OSA (Chai-Coetzer et al., 2013a). High patient volumes, time restraints, and neglecting to offer screening to every adult patient were identified as the major barriers to successfully implementing this project. Continued efforts are needed in educating providers about the importance of screening for OSA in the primary care setting. With the increasing prevalence of OSA, there is hope for earlier detection and prompter treatment with the advent of routine screening in the primary care setting