Cerberus: Query-driven Scalable Vulnerability Detection in OAuth Service Provider Implementations
Tamjid Al Rahat, Yu Feng, Yuan Tian

TL;DR
Cerberus is an automated static analysis tool that uses a query-driven approach to detect logical flaws and vulnerabilities in OAuth service provider libraries, significantly improving security assessment of widely used implementations.
Contribution
This paper introduces Cerberus, a novel query-driven static analyzer for OAuth libraries, capable of identifying both known and unknown vulnerabilities at scale.
Findings
Identified 47 vulnerabilities in popular OAuth libraries
Discovered 24 previously unknown logical flaws
Received developer acknowledgments and CVE assignments
Abstract
OAuth protocols have been widely adopted to simplify user authentication and service authorization for third-party applications. However, little effort has been devoted to automatically checking the security of the libraries that service providers widely use. In this paper, we formalize the OAuth specifications and security best practices, and design Cerberus, an automated static analyzer, to find logical flaws and identify vulnerabilities in the implementation of OAuth service provider libraries. To efficiently detect security violations in the large codebases of service provider implementations, Cerberus employs a query-driven algorithm for answering queries about OAuth specifications. We demonstrate the effectiveness of Cerberus by evaluating it on datasets of popular OAuth libraries with millions of downloads. Among these high-profile libraries, Cerberus has identified 47…