An Expressive Formal Model of the Web Infrastructure

Dissertation accepted by Faculty 5 (Computer Science, Electrical Engineering and Information Technology) of the Universität Stuttgart for the award of the degree of Doctor of Natural Sciences (Dr. rer. nat.).

Submitted by Daniel Fett from Mons, Belgium

Principal examiner: Prof. Dr. Ralf Küsters
Co-examiner: Dr. Karthikeyan Bhargavan
Date of oral examination: 19.10.2018

Institut für Informationssicherheit (SEC) der Universität Stuttgart, 2018

Acknowledgements

I would like to express my deepest gratitude to my advisor Ralf Küsters for his continuous motivation, support, and patience. His excellent advice and keen attention to detail were invaluable for my work. I could not have imagined having a better advisor and mentor.

I would like to thank my friends and colleagues who accompanied me during my PhD studies in Trier and Stuttgart, and who were always in for a game of darts. I thank Guido, with whom I devised and developed not only many parts of this work, but also Pi and More, for his friendship and help, and many fun days spent travelling.

Thanks are also due to the Studienstiftung des Deutschen Volkes (German National Academic Foundation), the Stipendienstiftung Rheinland-Pfalz, and the Deutsche Forschungsgemeinschaft (Grant KU 1434/10-1) for their financial support.

Finally, I am indebted to Janett and my family who never stopped encouraging me. This dissertation would not have been possible without their endless support and love.

Contents

Acknowledgements ..... 3
List of Figures ..... 11
List of Tables ..... 13
List of Algorithms ..... 15
List of Abbreviations and Glossary ..... 17
Abstract ..... 21
Kurzzusammenfassung (German summary) ..... 23

1 Introduction ..... 25
  1.1 Contributions of this Thesis ..... 28
    1.1.1 The Web Infrastructure Model ..... 28
    1.1.2 Formal Analysis of OAuth 2.0 ..... 29
    1.1.3 Formal Analysis of OpenID Connect ..... 31
  1.2 Structure of this Thesis ..... 32
  1.3 Publications ..... 32
  1.4 Related Work ..... 34
    1.4.1 Formal Web Security Analysis ..... 34
    1.4.2 Security Analysis of OAuth 2.0 ..... 35
    1.4.3 Security Analysis of OpenID Connect ..... 36

2 The Web Infrastructure Model ..... 37
  2.1 Building a Model of the Web Infrastructure ..... 37
  2.2 Architecture ..... 39
  2.3 Terms, Messages, and Events ..... 40
  2.4 Dolev-Yao Processes ..... 41
  2.5 Attackers ..... 42
  2.6 Scripts ..... 42
  2.7 Systems and Web Systems ..... 44
  2.8 HTTP and HTTPS Messages ..... 44
  2.9 Name Resolution ..... 46
  2.10 Web Browsers ..... 47
    2.10.1 Browsers and Users ..... 48
    2.10.2 Two Types of Corruption ..... 48
    2.10.3 Windows and Documents ..... 49
    2.10.4 Cookies and Web Storage ..... 50
    2.10.5 HTTP(S) Message Dispatching ..... 52
    2.10.6 WebSockets ..... 53
    2.10.7 Strict Transport Security ..... 54
    2.10.8 WebMessaging ..... 55
    2.10.9 Message Processing ..... 55
    2.10.10 Executing a Script ..... 59
  2.11 Generic HTTPS Servers ..... 61
  2.12 Extension: WebRTC ..... 62
    2.12.1 WebRTC and the WebRTC Model ..... 62
    2.12.2 New Script Commands for WebRTC ..... 65

3 Analysis of OAuth 2.0 ..... 67
  3.1 OAuth 2.0 Basic Concepts ..... 67
    3.1.1 Token Types ..... 68
    3.1.2 Endpoints ..... 68
    3.1.3 Client Registration at the OAP ..... 69
    3.1.4 Login Sessions and State ..... 69
    3.1.5 Tracking User Intention ..... 70
    3.1.6 Further Recommendations and Options ..... 70
  3.2 OAuth 2.0 Grant Types ..... 70
    3.2.1 Authorization Code Grant ..... 71
    3.2.2 Implicit Grant ..... 73
    3.2.3 Resource Owner Password Credentials Grant ..... 74
    3.2.4 Client Credentials Grant ..... 75
  3.3 New Attacks on OAuth ..... 76
    3.3.1 307 Redirect Attack ..... 76
    3.3.2 AS Mix-Up Attack ..... 77
    3.3.3 State Leak Attack ..... 84
    3.3.4 Naïve Client Session Integrity Attack ..... 85
    3.3.5 Across-AS State Reuse Attack ..... 85
  3.4 Other Attacks on OAuth ..... 86
    3.4.1 Code/Token/State Leakage ..... 86
    3.4.2 CSRF Protection ..... 87
    3.4.3 Third-Party Resources ..... 87
    3.4.4 Open Redirectors ..... 87
    3.4.5 Session Handling ..... 88
    3.4.6 Access Token Introspection Client ID ..... 88
  3.5 Formal Analysis of OAuth 2.0 ..... 88
    3.5.1 Model: Design, Concepts, Limitations ..... 89
    3.5.2 Model: Web Systems ..... 90
    3.5.3 Security Properties ..... 92
    3.5.4 The OAuth Security Theorem ..... 93
    3.5.5 Proof of the OAuth Security Theorem: Outline ..... 93
    3.5.6 Discussion of Results ..... 94

4 Analysis of OpenID Connect ..... 97
  4.1 OpenID Connect Basic Concepts ..... 97
    4.1.1 Relationship to OAuth 2.0 ..... 97
    4.1.2 Authentication, ID Tokens, and Issuer Identifiers ..... 98
  4.2 Discovery and Dynamic Registration Extensions ..... 98
    4.2.1 OpenID Connect Discovery ..... 99
    4.2.2 OpenID Connect Dynamic Client Registration ..... 100
  4.3 OpenID Connect Flows ..... 101
    4.3.1 Authorization Code Flow ..... 101
    4.3.2 Implicit Flow ..... 102
    4.3.3 Hybrid Flow ..... 103
  4.4 Attacks on OpenID Connect ..... 104
    4.4.1 AS Mix-Up Attacks ..... 105
    4.4.2 Attacks on the State Parameter ..... 109
    4.4.3 307 Redirect Attack ..... 109
    4.4.4 Server-Side Request Forgery ..... 109
    4.4.5 CSRF Attacks and Third-Party Login Initiation ..... 110
  4.5 Formal Analysis of OpenID Connect ..... 111
    4.5.1 Model ..... 111
    4.5.2 Main Security Properties ..... 112
    4.5.3 Secondary Security Properties ..... 116
    4.5.4 The OpenID Connect Security Theorem ..... 118
    4.5.5 Proof of the OpenID Connect Security Theorem: Outline ..... 118
    4.5.6 Discussion of Results ..... 119

5 Impact ..... 121
  5.1 Verification ..... 121
  5.2 Disclosure ..... 121
  5.3 Follow-Up ..... 122

6 Conclusion and Future Work ..... 123

A The Web Infrastructure Model ..... 125
  A.1 Communication Model ..... 125
    A.1.1 Terms, Messages and Events ..... 125
    A.1.2 Notations ..... 126
    A.1.3 Atomic Processes, Systems and Runs ..... 128
    A.1.4 Atomic Dolev-Yao Processes ..... 130
  A.2 Scripts ..... 131
  A.3 Web System ..... 131
  A.4 Message and Data Formats ..... 132
    A.4.1 URLs ..... 132
    A.4.2 Origins ..... 133
    A.4.3 Cookies ..... 133
    A.4.4 HTTP Messages ..... 133
    A.4.5 DNS Messages ..... 135
    A.4.6 WebSocket Messages ..... 135
    A.4.7 WebRTC Messages ..... 136
  A.5 DNS Server Model ..... 136
  A.6 Web Browser Model ..... 136
    A.6.1 Windows, Documents, and Related Notations ..... 136
    A.6.2 Web Browser States Z_webbrowser ..... 137
    A.6.3 Web Browser Relation R_webbrowser ..... 139
    A.6.4 Definition of Web Browsers ..... 148
  A.7 Generic HTTPS Server Model ..... 152

B Analysis of OAuth 2.0 ..... 155
  B.1 Formal Model of OAuth with a Network Attacker ..... 155
    B.1.1 Outline ..... 155
    B.1.2 Addresses and Domain Names ..... 157
    B.1.3 Keys and Secrets ..... 157
    B.1.4 Identities, Passwords, and Protected Resources ..... 157
    B.1.5 Corruption ..... 159
    B.1.6 Processes in W (Overview) ..... 159
    B.1.7 Network Attacker ..... 160
    B.1.8 Browsers ..... 160
    B.1.9 Clients ..... 160
    B.1.10 OAuth Providers ..... 164
  B.2 Formal Security Properties ..... 173
    B.2.1 Authorization ..... 173
    B.2.2 Authentication ..... 173
    B.2.3