San-Tsai Sun


Email: santsais@ece.ubc.ca

Phone: (778) 896-7738

Current Status (as of Nov. 14th, 2012) and Research Focus

I am currently a PhD candidate (planning to graduate in Jan. 2013) in the Department of Electrical and Computer Engineering at the University of British Columbia, supervised by Prof. Konstantin Beznosov. My research interests include web application security and distributed access control architectures. My PhD research focuses on improving the security and usability of OpenID- and OAuth-based web single sign-on (SSO) systems; both protocols have been adopted by high-profile identity providers (IdPs), such as Facebook, Google, Microsoft and Yahoo, and by millions of relying party (RP) websites. My dissertation research comprises several studies that further the understanding, and improve the security and usability, of these two mainstream web SSO solutions.

First, I conducted a systematic analysis of the OpenID 2.0 protocol using both formal model checking and an empirical evaluation of 132 popular RP websites. The formal analysis identified three weaknesses in the protocol; based on the attack traces from the model checking, six exploits and a semi-automated vulnerability assessment tool were designed to evaluate how prevalent those weaknesses are in real-world RP implementations. Two countermeasures were proposed and evaluated for RPs to mitigate the uncovered weaknesses in the protocol.

Second, I examined the OAuth 2.0 implementations of three major IdPs (Facebook, Microsoft, and Google) and of the RP websites listed in the Google Top 1000 Websites that support login with a Facebook account. The analysis uncovered several critical vulnerabilities that allow an attacker to gain unauthorized access to the victim user's profile and social graph, and to impersonate the victim on the RP website. Closer examination revealed that these vulnerabilities are caused by a set of design decisions that trade security for implementation simplicity. Ten simple and practical design and implementation improvements were suggested for IdPs and RPs that can be adopted gradually by individual sites.

Third, I proposed and evaluated an approach for RPs and IdPs to retrofit their existing web applications with run-time protection against known as well as unseen SQL injection attacks (SQLIAs). The precision of the proposed approach is further enhanced with a method for reducing the rate of false positives in the SQLIA detection logic, via run-time discovery of the developer's intention for each individual SQL statement issued by the web application. The proposed approach protects existing web applications against SQLIAs where source code, qualified developers, or security development processes are not available or practical.
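The run-time structural check sketched above, as an added illustrative example (my own code, not the SQLPrevent tool and not the method evaluated in the paper): each call site registers the statement the developer intends to execute, written as a template with ? placeholders, which stands in here for the developer's intention. At run time the SQL string the application actually built is tokenized and compared token by token with that template. Literal values may vary freely, but any change to the statement's structure (an extra OR clause, a trailing comment, an unbalanced quote) alters the token sequence and is flagged, so no attack signatures are needed and previously unseen injections are caught as well. The call-site names, the register and is_allowed functions, and the sample queries are all constructed for this example.

```python
"""Illustrative run-time SQLIA guard based on statement structure.

The developer's intended statement for each call site is registered as a
template with ? placeholders.  At run time, the SQL string the application
actually built is tokenized and compared, token by token, with the template:
a placeholder may be filled by exactly one literal, everything else must be
identical.  Constructed example; not SQLPrevent and not the paper's method.
"""
import re

# Literals are reduced to their class so that different parameter values map
# to the same token; comments and identifiers are kept so that an injected
# clause or comment changes the token sequence.
TOKEN_RE = re.compile(
    r"""
    (?P<string>'(?:[^']|'')*')          # quoted string, '' escapes a quote
  | (?P<number>\b\d+(?:\.\d+)?\b)       # numeric literal
  | (?P<comment>--[^\n]*|/\*.*?\*/)     # line or block comment
  | (?P<word>[A-Za-z_][A-Za-z0-9_]*)    # keyword or identifier
  | (?P<op><>|<=|>=|!=|[=<>(),;*+\-/.])
  | (?P<param>\?)                       # placeholder (templates only)
  | (?P<ws>\s+)
  | (?P<other>.)                        # e.g. a stray, unterminated quote
    """,
    re.VERBOSE | re.DOTALL,
)


def tokenize(sql):
    """Return the structural token sequence of an SQL string."""
    tokens = []
    for m in TOKEN_RE.finditer(sql):
        kind = m.lastgroup
        if kind == "ws":
            continue
        if kind in ("string", "number"):
            tokens.append((kind, "?"))            # the value itself is irrelevant
        elif kind == "word":
            tokens.append((kind, m.group().upper()))
        else:
            tokens.append((kind, m.group()))
    return tokens


def structure_matches(intended, actual):
    """True if `actual` has exactly the registered structure of `intended`."""
    if len(intended) != len(actual):
        return False
    for exp, got in zip(intended, actual):
        if exp[0] == "param":
            if got[0] not in ("string", "number"):
                return False                      # placeholder must hold one literal
        elif exp != got:
            return False
    return True


INTENDED = {}  # call-site id -> token structure the developer intends


def register(site, template):
    """Record the developer's intended statement for a call site."""
    INTENDED[site] = tokenize(template)


def is_allowed(site, sql):
    """Decide at run time whether `sql` may be sent to the database."""
    return structure_matches(INTENDED[site], tokenize(sql))


# Two hypothetical call sites that build SQL by string formatting, the
# vulnerable pattern a retrofit guard has to live with.
def build_login(user, pw):
    return "SELECT id FROM users WHERE name = '%s' AND pw = '%s'" % (user, pw)


def build_item(item_id):
    return "SELECT * FROM items WHERE id = %s" % item_id


register("login", "SELECT id FROM users WHERE name = ? AND pw = ?")
register("item", "SELECT * FROM items WHERE id = ?")


if __name__ == "__main__":
    probes = [
        ("login", build_login("alice", "s3cret")),      # benign
        ("login", build_login("O''Brien", "x")),        # escaped quote, benign
        ("login", build_login("' OR '1'='1", "x")),     # tautology injection
        ("login", build_login("admin' --", "x")),       # comment injection
        ("item", build_item("42")),                     # benign
        ("item", build_item("42 OR 1=1")),              # numeric injection
    ]
    for site, sql in probes:
        print("allow" if is_allowed(site, sql) else "BLOCK", sql)
```

The check deliberately compares structure rather than scanning for known payloads, which is what makes it independent of any signature list; the price is that every call site must have its intended template registered, and a site that legitimately varies its structure (for example a dynamically chosen ORDER BY column) would need a richer placeholder type than the single literal placeholder used here.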

Finally, through several iterations of a usability study, I investigated users' perceptions of web SSO. The user study examined what mental models users form when using web SSO for authentication, and how the gaps between the system model and those mental models influence users' security and privacy perceptions, as well as their adoption intentions. In addition, an identity-enabled browser was designed to explore possible improvements. The study found several behaviors, concerns, and misconceptions that hinder participants' adoption intentions, from inadequate mental models of web SSO, to reluctance to have their personal profile information released, to a reduction in the perceived value of web SSO due to existing password management practices. Informed by these findings, I introduced a web SSO technology acceptance model and suggested design improvements for RP and IdP websites.

Post-Secondary Education

PhD (Electrical and Computer Engineering)

·     University of British Columbia, BC, Canada

·     Dissertation Title: “Towards Improving the Security and Usability of Web Single Sign-On Systems”

Fall 2007 – Present

Master of Computer Science

·     Fairleigh Dickinson University, NJ, USA

Fall 1992 – Spring 1994

Bachelor of Mechanical Engineering

·     Ming-Chi Institute of Technology, Taipei, Taiwan

Fall 1984 – Spring 1989

Publications

Refereed Journal Papers

·     San-Tsai Sun, Kirstie Hawkey, and Konstantin Beznosov. Investigating users' perspective of web single sign-on: Conceptual gaps, alternative design and acceptance model. Manuscript submitted to ACM Transactions on Internet Technology on January 9th, 2012. Received a minor revision decision on October 31st, 2012.

·     San-Tsai Sun, Kirstie Hawkey, and Konstantin Beznosov. Systematically breaking and fixing OpenID security: Formal analysis, semi-automated empirical evaluation, and practical countermeasures. Computers & Security, volume 31, issue 4, pages 465-483, June 2012.

·     San-Tsai Sun and Konstantin Beznosov. Retrofitting existing web applications with effective dynamic protection against SQL injection attacks. International Journal of Secure Software Engineering, pages 20-40, January 2010.

Refereed Conference & Workshop Publications

·     San-Tsai Sun and Konstantin Beznosov. The devil is in the (implementation) details: An empirical security analysis of OAuth SSO systems. In Proceedings of the 19th ACM Conference on Computer and Communications Security (CCS'12), pages 378-390, October 2012. Acceptance rate: 81/426 (19%).

·     San-Tsai Sun, Eric Pospisil, Ildar Muslukhov, Nuray Dindar, Kirstie Hawkey, and Konstantin Beznosov. What makes users refuse web single sign-on? An empirical investigation of OpenID. In Proceedings of the 7th Symposium on Usable Privacy and Security (SOUPS’11), pages 1-20, July 11th, 2011.

·     San-Tsai Sun, Eric Pospisil, Ildar Muslukhov, Nuray Dindar, Kirstie Hawkey, and Konstantin Beznosov. OpenID-Enabled Browser: Towards Usable and Secure Web Single Sign-On. In Proceedings of the 29th International Conference Extended Abstracts on Human Factors in Computing Systems (CHI '11), pages 1291-1296, May 7th, 2011.

·     San-Tsai Sun, Kirstie Hawkey, and Konstantin Beznosov. OpenIDemail enabled browser: Towards fixing the broken web single sign-on triangle. In Proceedings of the 6th ACM Workshop on Digital Identity Management (DIM’10), pages 49-58, October 8th, 2010.

·     San-Tsai Sun, Yazan Boshmaf, Kirstie Hawkey, and Konstantin Beznosov. A billion keys, but few locks: The crisis of web single sign-on. In Proceedings of the 20th New Security Paradigms Workshop (NSPW’10), pages 61-72, September 20th, 2010.

·     San-Tsai Sun, Kirstie Hawkey, and Konstantin Beznosov. Secure Web 2.0 content sharing beyond walled gardens. In Proceedings of the 25th Annual Computer Security Applications Conference (ACSAC’09), pages 409-418, December 7th, 2009.

·     San-Tsai Sun, Kirstie Hawkey, and Konstantin Beznosov. Towards enabling Web 2.0 content sharing beyond walled gardens. In Proceedings of the Workshop on Security and Privacy in Online Social Networking (SPOSN’09), pages 979-984, August 29th, 2009.

·     San-Tsai Sun and Konstantin Beznosov. Open problems in Web 2.0 user content sharing. In Proceedings of the iNetSec Workshop, pages 37-51, Zurich, Switzerland, April 23rd, 2009.

Books

·     San-Tsai Sun and Vivid Hsu. Mastering C# and .NET Framework Programming (in Traditional Chinese). ISBN: 986-7961-54-4, 2003.

·     San-Tsai Sun and Vivid Hsu. Mastering C# and ASP.NET Programming (in Traditional Chinese). ISBN: 986-7961-49-8, 2002.

Work Experience

Research Assistant

Sep. 2007 - Present

University of British Columbia

Department of Electrical and Computer Engineering

·     Phone: 1-604-822-2872, Address: 5500 - 2332 Main Mall, Vancouver, BC V6T 1Z4

Microsoft and Sun Java Certified Software Design Instructor

Apr. 1997 - Jul. 2007

Systex UCOM IT Training Center

·     Phone: 886-2-25149191, Address: 14F, No. 99, Fu Shing N. Rd. Taipei, Taiwan

System Analyst

Oct. 1994 - Mar. 1997

Computer Square Inc.

·     Phone: 1-732-346-0200, Address: 330 Mac Lane Keasbey, NJ 08832 USA

Software Developer

Apr. 1992 - Oct. 1994

PaperClip Imaging Software Inc.

·     Phone: 1-201-478-3505, Address: Continental Plaza 1, 401 Hackensack Avenue, Hackensack, NJ 07601 USA

Awards

·     ACM Computer and Communications Security Student Grant, 2012

·     New Security Paradigm Workshop Student Grant, 2010

·     USENIX Student Grant, 2009

·     PhD Tuition Fee Award, University of British Columbia, 2007-2011

·     Microsoft Most Valuable Professional, 2005-2007

·     Regional Director (Taiwan) of Microsoft Developer Network, 2000-2001

Certifications

·     MCT: Microsoft Certified Trainer

·     MCSD: Microsoft Certified Solution Developer .NET

·     MCAD: Microsoft Certified Application Developer .NET

·     MCP: Microsoft Certified Professional

·     SCT: Sun Certified Trainer

·     SCJP: Sun Certified Java Programmer

·     SCWCD: Sun Certified Web Component Developer

·     SCBCD: Sun Certified Business Component Developer

Academic Teaching/Supervising Experiences

·     Teaching assistant: Winter 2008 - 2010

o  Course UBC EECE 412: “Introduction to Computer Security”

o  Assignment and quiz preparation and marking, student mentoring during online discussion and office hours

·     Lecture modules for course UBC EECE 412: “Introduction to Computer Security”

o  Module: “Principles of Designing Secure Systems”, Winter 2012

o  Module: “Introduction to Cryptography”, Winter 2011

o  Module: “Symmetric Cryptography”, Winter 2011

o  Module: “Web Security”, Winter 2010

·     Lecture module for UBC EECE 310: “Software Engineering”

o  Module: “Java Programming using Eclipse”

·     UBC EECE 496 Project Supervision, Implementation of Web 2.0 Personal Content Sharing Application, Karl Campbell, May – Aug. 2010

·     UBC EECE 496 Project Supervision, Implementation of Alternative Web SSO Protocol, Derek Gourlay and Myles Archer, May – Aug.  2010

·     UBC EECE 496 Project Supervision, Functional Improvements to CERN’s CDS Invenio digital library, Ngong Daniel Kur, May – Aug.  2010

·     NSERC Undergraduate Student Researcher Supervision, Implementation of RT inference engine, Levi Stoddard, Jun. – Sep. 2009

·     Exchange Student Researcher Supervision, Creation and Evaluation of SQL Injection Security Tools, Jun. – Sep. 2008

Professional Teaching Experiences (2000-2007)

Microsoft Curriculums

·     Best Practices of ASP.NET application development

·     Best Practices of J2EE application development

·     Best Practices of Web application security engineering

·     Microsoft Certified Technology Specialist (MCTS)

o  Microsoft .NET framework- Application Development Foundation

o  Microsoft .NET framework- Distributed Application Development

o  Microsoft ASP.NET

Sun Java Curriculums

·     Sun Certified Java Programmer (SCJP)

o  Java Programming Language

·     Sun Certified Web Component Developer for J2EE platform (SCWCD)

o  Web Component Development (Servlet and JSP)

Projects (participated as Team Lead, Senior Developer or Architect)

IT Training ERP System (ASP.NET/MS SQL)

·     Systex Corporation

1999 – Present

TCSE Certification Exam (PHP/MySQL)

·     Trend Micro

2005 – Present

Sales Management System (J2EE/MS SQL)

·     Systex Corporation

2003 – 2007

Human Resource Management System (ASP/MS SQL)

·     China Trust Bank

1999 – 2000

Banking Branch System (C++/DCOM)

·     Chunghwa Post Bank

1998 – 2000

Online Catalog and Ordering System (C++/Lotus Note)

·     AAEON Technology

1995 – 1997

Selected Presentations/Talks

·     The 19th ACM Conference on Computer and Communications Security (CCS 2012, October 20): The devil is in the (implementation) details: An empirical security analysis of OAuth SSO systems.

·     OWASP Chapter Meeting (May, 2012): An Empirical Analysis of OAuth SSO Systems

·     The 7th Symposium on Usable Privacy and Security (SOUPS 2011):  An Empirical Investigation of Web Single Sign-On from User's Perspectives

·     OWASP Chapter Meeting (Oct., 2010): OpenID Security Analysis and Evaluation

·     The 6th ACM Workshop on Digital Identity Management (DIM 2010): OpenIDemail Enabled Browser: Towards Fixing the Broken Web Single Sign-On Triangle

·     The 19th New Security Paradigms Workshop (NSPW 2010): A Billion Keys, but Few Locks: The Crisis of Web Single Sign-On

·     The 25th Annual Computer Security Applications Conference (ACSAC 2009): Secure Web 2.0 Content Sharing Beyond Walled Gardens

·     IEEE Workshop on Security and Privacy in Online Social Networking (SPOSN 2009): Towards Enabling Web 2.0 Content Sharing Beyond Walled Gardens

·     Sun JavaTwo (2005): Web Application Hacking and Defense

·     Sun JavaTwo (2004): Web Farm Design and Implementation

·     Sun JavaTwo (2003): Successful JSP Web Project How To

·     Microsoft TechEd (2003): ASP.NET Web OLTP Design

·     Microsoft TechEd (2002): .NET Remoting

·     Microsoft TechEd (2001): XML Web Service

·     Microsoft TechEd (2000): Object Oriented Programming in .NET

·     Microsoft DevDays (2000): Architecting a Web-Enabled Solution

·     Microsoft DevDays (1999): Windows Distributed N-Tier Architecture (DNA)

·     Microsoft DevDays (1998): N-Tier Application Development

·     Microsoft PDC (1998): OLAP- Microsoft Decision Support Service

·     Microsoft PDC (1997): Cross Platform Development

·     Microsoft TechEd (1997): Microsoft Transaction Server

Services

·     Program committee member: NSERC ISSNET Workshop, 2012

·     Sub-reviewer:

o  Computer and Communications Security (CCS) 2012: 3 reviews

o  SecureComm 2012: 1 review

o  Network & Distributed System Security Symposium (NDSS) 2011: 3 reviews

o  Symposium On Usable Privacy and Security (SOUPS) 2011: 2 reviews

o  Financial Crypto (FC) 2011: 2 reviews

o  Computers & Security journal 2011: 1 review

o  Network & Distributed System Security Symposium (NDSS) 2010: 2 reviews

o  Annual Computer Security Applications Conference (ACSAC) 2009: 5 reviews

o  Network & Distributed System Security Symposium (NDSS) 2009: 3 reviews

o  WEB 2.0 Security & Privacy Workshop (W2SP) 2009: 1 review

o  Symposium on Access Control Models and Technologies (SACMAT) 2009: 1 review

Open Source Projects

·     SQLPrevent: An effective and efficient tool in Java for detecting and preventing known as well as unseen SQL injection attacks, 2009.

·     WebDOSForm: A JavaScript AJAX library that simulates traditional DOS form input, 2004.

·     ASPWizard: A web-based ASP.NET code generator, 2004.

·     JSPWidget: A JSP framework that provides event-driven, view state-retained, server-side GUI controls to make JSP development as intuitive as in traditional client forms, 2003.

·     DocLib: A Web-based document management system implemented in ASP.NET, 2003.

·     ASPNETWatchDog: A suite of .NET components/services that enables administrators to log ASP.NET HTTP responses and watch them online or play back, 2003.