| title | titleAddon | startDate | endDate | funding | people | peopleOrder |
|---|---|---|---|---|---|---|
| SIAM | Automated Security Analysis of Identity and Access Management Systems | 2010-04-01 | 2013-08-01 | Provincia Autonoma di Trento | | surname |
SIAM (Automated Security Analysis of Identity and Access Management Systems) is funded by Provincia Autonoma di Trento in the context of the "team 2009 - Incoming" COFUND action of the European Commission (FP7).
Identity and Access Management Systems (IAMS for short) ensure that the right people access the right services by centralizing the management of identities and access rights, thereby greatly simplifying the design and implementation of complex distributed applications. As a consequence, IAMS implement the most security-critical aspects of applications, and any vulnerability in an IAMS may result in severe security breaches that make identity theft and other attacks against the whole system possible.
The goal of the project is to develop automated analysis techniques and tools for the security of IAMS. These will be used in several phases of the development cycle of IAMS, including design and deployment, thereby contributing to significantly improving the security of such systems and of the applications that use them. The project will focus on developing automated security analysis techniques for the most critical aspects of IAMS: web protocols for Single Sign-On (SSO) and access control policies.
The design and analysis of these components is usually so complex that severe vulnerabilities often remain even after intensive use of traditional verification techniques, such as manual inspection or testing. This is witnessed, for example, by the vulnerabilities found in various SSO protocols, such as SAML SSO, MS Passport/CardSpace and the SAML-based SSO for Google Apps, years after their publication, implementation, and deployment.
Achieving the goals of the project will result in significant advances of the state of the art in the security analysis of IAMS. Today, there are no specific tools devoted to the security analysis of standard web-browser protocols or to the automated analysis of access control policies of practical relevance.