28 August 2018

CUHK Engineering Team Discovers Vulnerabilities of Single Sign-On Code
First Asian Team to Win Facebook’s Internet Defense Prize



A team from the Department of Information Engineering at The Chinese University of Hong Kong (CUHK) has recently won third place in the 2018 Internet Defense Prize, together with a research grant of US$40,000 funded by Facebook, at the 27th USENIX Security Symposium held in the US. The award recognised their critical analysis of the security of Single Sign-On (SSO) Software Development Kits (SDKs) deployed in practice. The team comprised Dr. Ronghai Yang, Prof. Wing Cheong Lau, Mr. Jiongyi Chen, and Prof. Kehuan Zhang of the Department of Information Engineering, CUHK. This is the first time researchers from an Asian institution have received this international award.

The CUHK team developed S3KVetter to test SSO Software Development Kits

The winning paper authored by the CUHK team was titled Vetting Single Sign-On SDK Implementations via Symbolic Reasoning. SSO provides a partial solution to the Internet’s over-reliance on passwords. It enables users to use their Online Social Networking accounts/credentials (such as those from Facebook, Google, Sina, Tencent and Baidu) to log into other third-party applications/websites (such as OpenRice and IMDb), thus providing a more convenient way for users to sign up for and access different online services and applications. Since SSO serves hundreds of millions of Internet users every day, the security of the related software development kits (SDKs) is of critical importance to online security.

SSO involves cooperation and coordination between ID providers, users and third-party applications/websites. The technology is complicated and poses many challenges in analysing the security of SSO SDKs. The CUHK research team designed and implemented S3KVetter (Single-Sign-On SDK Vetter), an automated and efficient testing tool, to check the logical correctness of SSO SDKs and identify vulnerabilities in them as deployed in practice. To demonstrate the efficacy of S3KVetter, the team applied it to ten popular SSO SDKs which have been downloaded millions of times by web-service/application developers.

Serious logic vulnerabilities found that could put users at risk

Among the SSO SDKs examined, S3KVetter has discovered 7 classes of logic flaws, 4 of which were previously unknown. The new vulnerabilities can lead to severe consequences, ranging from the sniffing of user activities to the hijacking of user accounts.

The team was thrilled with their work. Dr. Ronghai Yang, an alumnus of the CUHK Department of Information Engineering, said, “We have discovered multiple zero-day exploits among several popular SSO SDKs in practice. Until the vulnerabilities are mitigated, hackers can exploit them to cause severe breaches of the security and privacy of online users worldwide. This is an important issue that the industry must address.”

“Internet communications and cybersecurity have long been two of the key research areas of the CUHK Engineering Faculty. The award is a great encouragement to our team and a recognition of CUHK’s strength in cybersecurity research. We will scale new heights in our ongoing work on applied cryptography, security and privacy in cyber systems, with the aim of making the cyberworld a safer place,” said Prof. Lau Wing Cheong of the Department of Information Engineering, CUHK.

For more details of the paper, please go to www.usenix.org/system/files/conference/usenixsecurity18/sec18-yang.pdf

About the Internet Defense Prize

Created in 2014, the Internet Defense Prize is funded by Facebook and offered in partnership with USENIX. It aims to celebrate technical contributions to the protection and defense of the Internet.

(From right) Associate Professor Wing Cheong LAU, PhD candidate Jiongyi CHEN, PhD graduate Ronghai YANG and Assistant Professor Kehuan ZHANG, Department of Information Engineering, Faculty of Engineering, CUHK.

(From right) Dr. Nektarios Leontiadis, Research Scientist of Facebook, Mr. Jiongyi Chen and Prof. Wing Cheong Lau.