Please use this identifier to cite or link to this item:
https://doi.org/10.1109/SP.2012.10
Title: | A framework to eliminate backdoors from response-computable authentication | Authors: | Dai, S. Wei, T. Zhang, C. Wang, T. Ding, Y. Liang, Z. Zou, W. |
Issue Date: | 2012 | Citation: | Dai, S., Wei, T., Zhang, C., Wang, T., Ding, Y., Liang, Z., Zou, W. (2012). A framework to eliminate backdoors from response-computable authentication. Proceedings - IEEE Symposium on Security and Privacy : 3-17. ScholarBank@NUS Repository. https://doi.org/10.1109/SP.2012.10 | Abstract: | Response-computable authentication (RCA) is a two-party authentication model widely adopted by authentication systems, where an authentication system independently computes the expected user response and authenticates a user if the actual user response matches the expected value. Such authentication systems have long been threatened by malicious developers who can plant backdoors to bypass normal authentication, which is often seen in insider-related incidents. A malicious developer can plant backdoors by hiding logic in source code, by planting delicate vulnerabilities, or even by using weak cryptographic algorithms. Because of the common usage of cryptographic techniques and code protection in authentication modules, it is very difficult to detect and eliminate backdoors from login systems. In this paper, we propose a framework for RCA systems to ensure that the authentication process is not affected by backdoors. Our approach decomposes the authentication module into components. Components with simple logic are verified by code analysis for correctness, components with cryptographic/ obfuscated logic are sand boxed and verified through testing. The key component of our approach is NaPu, a native sandbox to ensure pure functions, which protects the complex and backdoor-prone part of a login module. We also use a testing-based process to either detect backdoors in the sand boxed component or verify that the component has no backdoors that can be used practically. We demonstrated the effectiveness of our approach in real-world applications by porting and verifying several popular login modules into this framework. © 2012 IEEE. | Source Title: | Proceedings - IEEE Symposium on Security and Privacy | URI: | http://scholarbank.nus.edu.sg/handle/10635/77954 | ISBN: | 9780769546810 | ISSN: | 10816011 | DOI: | 10.1109/SP.2012.10 |
Appears in Collections: | Staff Publications |
Show full item record
Files in This Item:
There are no files associated with this item.
Items in DSpace are protected by copyright, with all rights reserved, unless otherwise indicated.