Title: 1000 Ways to Die in Mobile OAuth
Speaker: Yuan Tian, Ph.D. candidate, Carnegie Mellon University
Time: December 23 (Friday), 10:00-11:00 a.m.
Venue: Room 3-225, FIT Building, Tsinghua University
Abstract:
OAuth is a security protocol that is very widely used in industry. However, when the protocol is applied broadly to mobile applications and to authentication services, it introduces many serious security problems that lead to the leakage of user accounts and user information. We conducted a systematic, in-depth study of current OAuth use in the mobile domain and found that nearly 60% of mobile applications have at least one OAuth security problem. Our research has been widely acknowledged by vendors. This talk will present case studies of typical mobile OAuth security problems and offer corresponding security recommendations.
Bio:
Yuan Tian is a Ph.D. candidate at Carnegie Mellon University. Her research interests are systems security and usable security, and her current research focuses on mobile security and IoT security. Her security research has been published at conferences including Oakland, CCS and NDSS, and has been adopted by several industry companies, such as Google, Facebook, Samsung and Dropbox. Her honors include Rising Stars in EECS 2016 and an IBM Fellowship. She has interned at Microsoft Research, Facebook and Samsung Research, and was formerly a member of the Network and Information Security Lab (NISL) at Tsinghua University.
Speaker: Yuan Tian, Ph.D. candidate in Carnegie Mellon University
Title: 1000 Ways to Die in Mobile OAuth
Abstract:
OAuth has become a highly influential protocol due to its swift and wide adoption in industry. The initial objective of the protocol was specific: it serves the authorization needs of websites. In practice, however, the protocol has been repurposed for mobile applications and for authentication. We conducted an in-depth study of OAuth in mobile applications, and the result is worrisome: among the 149 applications that use OAuth, 89 (59.7%) were implemented incorrectly and are thus vulnerable. Our study has been acknowledged by many companies, including Facebook and Dropbox. In this talk, I will walk through several representative cases to explain concretely how real implementations fell into these pitfalls, and pinpoint the portions of each OAuth protocol flow that are security critical.
Bio:
Yuan is a Ph.D. candidate at Carnegie Mellon University. Her research interests span security and privacy and their interactions with systems, networking, and human-computer interaction. Her current research focuses on developing new technologies for protecting user privacy, particularly in mobile systems and the Internet of Things. Her previous work on mobile and web security and privacy has been adopted by Google, Facebook, Microsoft, Samsung, Dropbox and others. She interned at Microsoft Research, Facebook and Samsung Research, and was previously a member of NISL at Tsinghua University. She was named a Rising Star in EECS 2016 and one of Black Hat's Future Female Leaders 2015. She is a recipient of an IBM Fellowship and was a finalist for the Microsoft Research Fellowship and the Qualcomm Innovation Fellowship.