The companies have implemented the recommended standards. They haven’t made any mistakes but nevertheless, their systems are vulnerable.
Professor Dr Jörg Schwenk
Researchers from Ruhr-Universität Bochum succeeded in identifying significant vulnerabilities in online security by circumventing industry standard digital signatures. The team successfully impersonated users and even system administrators before contacting the affected companies to make them aware of their online security vulnerabilities. All of the vulnerabilities that were identified have now been fixed.
Single Sign-On (SSO) systems built around the Security Assertion Markup Language (SAML) are useful because they allow users to avoid entering identification information repeatedly after their initial login. However, under the guidance of Professor Dr Jörg Schwenk, a Bochum-based team of PhD students was able to circumvent 12 out of 14 SAML systems.
I spoke to Professor Schwenk to find out more about the vulnerabilities that he and his team had identified, and to ask how online security systems might be improved.

How easy was it for your team to circumvent the digital signatures?
The basic attack principle was published in 2005, so the problem is now seven years old. It seems that our group is one of the few that has been consistently investigating this topic. We released some low-level publications and refined the attack. The attacks on the SAML systems were conducted by two PhD students. The bulk of their work involved setting up the framework to generate these assertions. They had to install the software libraries and get them running before having a closer look at the assertions issued by the applications. As far as I understand, it proved fairly straightforward to circumvent most of the frameworks.

What differentiated the SAML systems that you were unable to circumvent from the others?
Our team carried out black-box testing. We modified the assertions, sent them to the other parties and waited to see whether or not they were accepted. When our submissions were accepted, it showed us that there was a vulnerability and it showed us exactly where it was. However, in the two cases where they were not accepted, we couldn’t say for sure which countermeasures were preventing us from bypassing the security systems. Even though the companies had implemented the recommended security standards, our attempts were successful in over 80 per cent of cases. It seems that in the two cases in which we were unsuccessful, the companies had implemented something beyond the industry standard. We don’t know how these extra measures work. Whilst there might be another way to circumvent these systems, we couldn’t find it.

Were the affected companies surprised to hear that you had succeeded in bypassing their security systems?
The reactions we received were quite varied. Some companies were nice and thanked us. Others did not respond. We informed the companies almost a year ago and some didn’t react to our e-mails. Even so, at the 21st USENIX Security Symposium in Bellevue, Washington – where we presented our findings – some of the companies complained that they hadn’t been informed.
It can be difficult for a company to deal with this kind of attack. Typically, they will be informed about issues such as buffer overflows, and it is easy to determine who is responsible for fixing this flaw. For security issues, however, it is more difficult. The companies have implemented the recommended standards. They haven’t made any mistakes but nevertheless, their systems are vulnerable.

Is there anything more that companies can do to improve their online security systems?
The structures of SAML assertions are fixed. In order to bypass these systems, we had to extend these structures. Essentially, we were inputting information in places where there should be no information. It is possible for companies to detect this type of suspicious behaviour, so this might be one way for them to tighten their security.
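The kind of structural check Professor Schwenk describes, as an added example that is not part of the interview or of the Bochum team's tooling: before handing a SAML Response to an XML-Signature library, a service provider can verify that the document has the one shape it expects (exactly one Assertion, placed directly under the Response, with one enveloped Signature whose Reference resolves to exactly that Assertion and no duplicate IDs). The two sample responses are constructed for this example; the check itself does not verify the cryptographic signature, it only decides whether the document is worth verifying and which element the verifier must be pointed at.

```python
"""Structural sanity checks for a SAML 2.0 Response (added example).

Assumption: the relying party expects one Assertion as a direct child of
the Response, carrying one enveloped ds:Signature that references the
Assertion's own ID. Anything else is reported as a problem and should be
rejected before any signature verification or attribute extraction.
"""
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
ASSERTION = "{%s}Assertion" % NS["saml"]
SIGNATURE = "{%s}Signature" % NS["ds"]
REFERENCE = "{%s}Reference" % NS["ds"]


def check_response(xml_text):
    """Return a list of structural problems; an empty list means the
    Response has the expected shape. Each problem is a short string."""
    root = ET.fromstring(xml_text)
    problems = []

    # 1. Exactly one Assertion anywhere in the document ...
    assertions = list(root.iter(ASSERTION))
    if len(assertions) != 1:
        problems.append("expected exactly one Assertion, found %d" % len(assertions))
    # ... and every Assertion must sit where the protocol puts it.
    direct = [c for c in root if c.tag == ASSERTION]
    if len(direct) != len(assertions):
        problems.append("Assertion found outside the Response's direct children")

    # 2. IDs must be unique, otherwise a Reference URI is ambiguous.
    ids = [e.get("ID") for e in root.iter() if e.get("ID") is not None]
    dupes = sorted({i for i in ids if ids.count(i) > 1})
    if dupes:
        problems.append("duplicate ID values: %s" % ", ".join(dupes))

    # 3. One Signature, one Reference, resolving to the Assertion that
    #    the application will actually consume (the first one found).
    sigs = list(root.iter(SIGNATURE))
    if len(sigs) != 1:
        problems.append("expected exactly one Signature, found %d" % len(sigs))
        return problems
    refs = list(sigs[0].iter(REFERENCE))
    if len(refs) != 1:
        problems.append("expected exactly one Reference, found %d" % len(refs))
        return problems
    uri = refs[0].get("URI", "")
    if not uri.startswith("#"):
        problems.append("Reference URI %r is not a same-document reference" % uri)
        return problems
    targets = [e for e in root.iter() if e.get("ID") == uri[1:]]
    if len(targets) != 1:
        problems.append("Reference URI %r resolves to %d elements" % (uri, len(targets)))
        return problems
    target = targets[0]
    if assertions and target is not assertions[0]:
        problems.append("Signature does not cover the Assertion that would be consumed")
    if sigs[0] not in list(target):
        problems.append("Signature is not enveloped inside the element it references")
    return problems


# Constructed sample: the expected shape (signature value shortened).
GOOD_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#" ID="_resp1">
  <saml:Assertion ID="_a1">
    <saml:Issuer>https://idp.example.test</saml:Issuer>
    <ds:Signature><ds:SignedInfo><ds:Reference URI="#_a1"/></ds:SignedInfo>
      <ds:SignatureValue>c2lnbmF0dXJl</ds:SignatureValue></ds:Signature>
    <saml:Subject><saml:NameID>alice</saml:NameID></saml:Subject>
  </saml:Assertion>
</samlp:Response>"""

# Constructed sample: an additional, unsigned Assertion has been placed
# where the protocol allows only one. The signed Assertion is intact, so a
# verifier that checks "some signature validates" would still be satisfied.
SUSPICIOUS_RESPONSE = GOOD_RESPONSE.replace(
    '<saml:Assertion ID="_a1">',
    '<saml:Assertion ID="_a2"><saml:Subject><saml:NameID>admin</saml:NameID>'
    '</saml:Subject></saml:Assertion>\n  <saml:Assertion ID="_a1">', 1)

if __name__ == "__main__":
    print("good:", check_response(GOOD_RESPONSE))
    print("suspicious:", check_response(SUSPICIOUS_RESPONSE))
```

The important design choice is the last step: the check identifies the single element the signature covers and insists that it is the same element the application will read attributes from. Passing that element, rather than the whole document, to the signature verifier is what closes the gap between "a signature validated" and "the data I am about to trust was signed".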