Vetting Single Sign-On SDK Implementations via Symbolic Reasoning


Ronghai Yang, The Chinese University of Hong Kong, Sangfor Technologies Inc.; Wing Cheong Lau, Jiongyi Chen, and Kehuan Zhang, The Chinese University of Hong Kong
2018 Internet Defense Prize Second Runner Up


Encouraged by the rapid adoption of Single Sign-On (SSO) technology in web services, mainstream identity providers, such as Facebook and Google, have developed Software Development Kits (SDKs) to facilitate the implementation of SSO for 3rd-party application developers. These SDKs have become a critical foundation for web services. Despite its importance, little effort has been devoted to a systematic testing on the implementations of SSO SDKs, especially in the public domain. In this paper, we design and implement S3KVetter (Single-Sign-on SdK Vetter), an automated, efficient testing tool, to check the logical correctness and identify vulnerabilities of SSO SDKs. To demonstrate the efficacy of S3KVetter, we apply it to test ten popular SSO SDKs which enjoy millions of downloads by application developers. Among these carefully engineered SDKs, S3KVetter has surprisingly discovered 7 classes of logic flaws, 4 of which were previously unknown. These vulnerabilities can lead to severe consequences, ranging from the sniffing of user activities to the hijacking of user accounts.

Open Access Media

USENIX is committed to Open Access to the research presented at our events. Papers and proceedings are freely available to everyone once the event begins. Any video, audio, and/or slides that are posted after the event are also free and open to everyone. Support USENIX and our commitment to Open Access.

@inproceedings {217601,
author = {Ronghai Yang and Wing Cheong Lau and Jiongyi Chen and Kehuan Zhang},
title = {Vetting Single {Sign-On} {SDK} Implementations via Symbolic Reasoning},
booktitle = {27th USENIX Security Symposium (USENIX Security 18)},
year = {2018},
isbn = {978-1-939133-04-5},
address = {Baltimore, MD},
pages = {1459--1474},
url = {},
publisher = {USENIX Association},
month = aug

Presentation Video 

Presentation Audio