San-Tsai Sun
Phone: (778) 896-7738

Current Status (as of Nov. 14th, 2012) and Research Focus
I am currently a Ph.D. candidate (planning to graduate in Jan. 2013) in the Department of Electrical and Computer Engineering at the University of British Columbia, supervised by Prof. Konstantin Beznosov. My research interests include web application security and distributed access control architectures. My Ph.D. research focuses on improving the security and usability of OpenID and OAuth-based web single sign-on (SSO) systems; both protocols have been adopted by high-pro

First, I conducted a systematic analysis of the OpenID 2.0 protocol using both formal model checking and an empirical evaluation of 132 popular RP websites. The formal analysis identified three weaknesses in the protocol, and based on the attack traces from the model checking, six exploits and a semi-automated vulnerability assessment tool were designed to evaluate how prevalent those weaknesses are in real-world RP implementations. Two countermeasures are proposed and evaluated for RPs to mitigate the uncovered weaknesses in the protocol.

Second, I examined the OAuth 2.0 implementations of three major IdPs (Facebook, Microsoft, and Google) and of the RP websites listed on the Google Top 1000 Websites that support using a Facebook account for login. The analysis results uncovered several critical vulnerabilities that allow an attacker to gain unauthorized access to the victim user's profile and social graph, and to impersonate the victim on the RP website. Closer examination reveals that these vulnerabilities are caused by a set of design decisions that trade security for implementation simplicity. Ten simple and practical design and implementation improvements were suggested for IdPs and RPs that can be adopted gradually by individual sites.

Third, I proposed and evaluated an approach for RPs and IdPs to retrofit their existing web applications with run-time protection against known as well as unseen SQL injection attacks (SQLIAs). The precision of the proposed approach is also enhanced with a method for reducing the rate of false positives in the SQLIA detection logic, via runtime discovery of the developers' intention for individual SQL statements made by web applications. The proposed approach offers protection to existing web applications against SQLIAs where source code, qualified developers, or security development processes might not be available or practical.

Finally, through several iterations of a usability study, I investigated users' perceptions of web SSO. The user study examined what mental models users form when using web SSO for authentication, and how the gaps between the system model and those mental models influence users' security and privacy perceptions, as well as their adoption intentions. In addition, an identity-enabled browser was designed to explore possible improvements. Our study found several behaviors, concerns, and misconceptions that hinder our participants' adoption intentions, from inadequate mental models of web SSO, to the reluctance to have their personal profile information released, and the reduction of perceived web SSO value due to the employment of password management practices. Informed by our findings, I introduced a web SSO technology acceptance model, and suggested design improvements for RP and IdP websites.

Post-Secondary Education

· PhD (Electrical and Computer Engineering), University of British Columbia, BC, Canada, Fall 2007 – Present. Dissertation title: “Towards Improving the Security and Usability of Web Single Sign-On Systems”
· Master of Computer Science, Fairleigh Dickinson University, NJ, USA, Fall 1992 – Spring 1994
· Bachelor of Mechanical Engineering, Ming-Chi Institute of Technology, Taipei, Taiwan, Fall 1984 – Spring 1989

Publications

Refereed Journal Papers

· San-Tsai Sun, Kirstie Hawkey, and Konstantin Beznosov. Investigating users' perspective of web single sign-on: Conceptual gaps, alternative design and acceptance model. Manuscript submitted to ACM Transactions on Internet Technology on January 9th, 2012. Received minor revision decision on October 31st, 2012.
· San-Tsai Sun, Kirstie Hawkey, and Konstantin Beznosov. Systematically breaking and fixing OpenID security: Formal analysis, semi-automated empirical evaluation, and practical countermeasures. Computers & Security, volume 31, issue 4, pages 465-483, June 2012.
· San-Tsai Sun and Konstantin Beznosov. Retrofitting existing web applications with effective dynamic protection against SQL injection attacks. International Journal of Secure Software Engineering, pages 20-40, January 2010.

Refereed Conference & Workshop Publications

· San-Tsai Sun and Konstantin Beznosov. The devil is in the (implementation) details: An empirical security analysis of OAuth SSO systems. In Proceedings of the 19th ACM Conference on Computer and Communications Security (CCS'12), pages 378-390, October 2012. Acceptance rate: 81/426 (19%).
· San-Tsai Sun, Eric Pospisil, Ildar Muslukhov, Nuray Dindar, Kirstie Hawkey, and Konstantin Beznosov. What makes users refuse web single sign-on? An empirical investigation of OpenID. In Proceedings of the 7th Symposium on Usable Privacy and Security (SOUPS'11), pages 1-20, July 11th, 2011.
· San-Tsai Sun, Eric Pospisil, Ildar Muslukhov, Nuray Dindar, Kirstie Hawkey, and Konstantin Beznosov. OpenID-Enabled Browser: Towards Usable and Secure Web Single Sign-On. In Proceedings of the 29th International Conference Extended Abstracts on Human Factors in Computing Systems (CHI'11), pages 1291-1296, May 7th, 2011.
· San-Tsai Sun, Kirstie Hawkey, and Konstantin Beznosov. OpenIDemail enabled browser: Towards fixing the broken web single sign-on triangle. In Proceedings of the 6th ACM Workshop on Digital Identity Management (DIM'10), pages 49-58, October 8th, 2010.
· San-Tsai Sun, Yazan Boshmaf, Kirstie Hawkey, and Konstantin Beznosov. A billion keys, but few locks: The crisis of web single sign-on. In Proceedings of the 20th New Security Paradigms Workshop (NSPW'10), pages 61-72, September 20th, 2010.
· San-Tsai Sun, Kirstie Hawkey, and Konstantin Beznosov. Secure Web 2.0 content sharing beyond walled gardens. In Proceedings of the 25th Annual Computer Security Applications Conference (ACSAC'09), pages 409-418, December 7th, 2009.
· San-Tsai Sun, Kirstie Hawkey, and Konstantin Beznosov. Towards enabling Web 2.0 content sharing beyond walled gardens. In Proceedings of the Workshop on Security and Privacy in Online Social Networking (SPOSN'09), pages 979-984, August 29th, 2009.
· San-Tsai Sun and Konstantin Beznosov. Open problems in Web 2.0 user content sharing. In Proceedings of the iNetSec Workshop, pages 37-51, Zurich, Switzerland, April 23rd, 2009.

Books

· San-Tsai Sun and Vivid Hsu. Mastering C# and .NET Framework Programming (in Traditional Chinese). ISBN: 986-7961-54-4, 2003.
· San-Tsai Sun and Vivid Hsu. Mastering C# and ASP.NET Programming (in Traditional Chinese). ISBN: 986-7961-49-8, 2002.

Work Experiences

· Research Assistant, Sep. 2007 – Present
    University of British Columbia, Department of Electrical and Computer Engineering. Phone: 1-604-822-2872, Address: 5500 - 2332 Main Mall, Vancouver, BC V6T 1Z4
· Microsoft and Sun Java Certified Software Design Instructor, Apr. 1997 – Jul. 2007
    Systex UCOM IT Training Center. Phone: 886-2-25149191, Address: 14F, No. 99, Fu Shing N. Rd., Taipei, Taiwan
· System Analyst, Oct. 1994 – Mar. 1997
    Computer Square Inc. Phone: 1-732-346-0200, Address: 330 Mac Lane, Keasbey, NJ 08832, USA
· Software Developer, Apr. 1992 – Oct. 1994
    PaperClip Imaging Software Inc. Phone: 1-201-478-3505, Address: Continental Plaza 1, 401 Hackensack Avenue, Hackensack, NJ 07601, USA

Awards

· ACM Computer and Communications Security Student Grant, 2012
· New Security Paradigms Workshop Student Grant, 2010
· USENIX Student Grant, 2009
· PhD Tuition Fee Award, University of British Columbia, 2007-2011
· Microsoft Most Valuable Professional, 2005-2007
· Regional Director (Taiwan) of Microsoft Developer Network, 2000-2001

Certifications

· MCT: Microsoft Certified Trainer
· MCSD: Microsoft Certified Solution Developer .NET
· MCAD: Microsoft Certified Application Developer .NET
· MCP: Microsoft Certified Professional
· SCT: Sun Certified Trainer
· SCJP: Sun Certified Java Programmer
· SCWCD: Sun Certified Web Component Developer
· SCBCD: Sun Certified Business Component Developer

Academic Teaching/Supervising Experiences

· Teaching assistant, Winter 2008 – 2010
    o Course UBC EECE 412: “Introduction to Computer Security”
    o Assignment and quiz preparation and marking; student mentoring during online discussion and office hours
· Lecture modules for course UBC EECE 412: “Introduction to Computer Security”
    o Module: “Principles of Designing Secure Systems”, Winter 2012
    o Module: “Introduction to Cryptography”, Winter 2011
    o Module: “Symmetric Cryptography”, Winter 2011
    o Module: “Web Security”, Winter 2010
· Lecture module for UBC EECE 310: “Software Engineering”
    o Module: “Java Programming using Eclipse”
· UBC EECE 496 Project Supervision: Implementation of Web 2.0 Personal Content Sharing Application, Karl Campbell, May – Aug. 2010
· UBC EECE 496 Project Supervision: Implementation of Alternative Web SSO Protocol, Derek Gourlay and Myles Archer, May – Aug. 2010
· UBC EECE 496 Project Supervision: Functional Improvements to CERN's CDS Invenio digital library, Ngong Daniel Kur, May – Aug. 2010
· NSERC Undergraduate Student Researcher Supervision: Implementation of RT inference engine, Levi Stoddard, Jun. – Sep. 2009
· Exchange Student Researcher Supervision: Creation and Evaluation of SQL Injection Security Tools, Jun. – Sep. 2008

Professional Teaching Experiences (2000-2007)

Microsoft Curriculums
· Best Practices of ASP.NET application development
· Best Practices of J2EE application development
· Best Practices of Web application security engineering
· Microsoft Certified Technology Specialist (MCTS)
    o Microsoft .NET Framework: Application Development Foundation
    o Microsoft .NET Framework: Distributed Application Development
    o Microsoft ASP.NET

Sun Java Curriculums
· Sun Certified Java Programmer (SCJP)
    o Java Programming Language
· Sun Certified Web Component Developer for J2EE platform (SCWCD)
    o Web Component Development (Servlet and JSP)

Projects (participated as Team Lead, Senior Developer or Architect)

· IT Training ERP System (ASP.NET/MS SQL), Systex Corporation, 1999 – Present
· TCSE Certification Exam (PHP/MySQL), 2005 – Present
· Sales Management System (J2EE/MS SQL), Systex Corporation, 2003 – 2007
· Human Resource Management System (ASP/MS SQL), 1999 – 2000
· Banking Branch System (C++/DCOM), 1998 – 2000
· Online Catalog and Ordering System (C++/Lotus Notes), 1995 – 1997

Selected Presentations/Talks

· The 19th ACM Conference on Computer and Communications Security (CCS, October 20): The devil is in the (implementation) details: An empirical security analysis of OAuth SSO systems
· OWASP Chapter Meeting (May 2012): An Empirical Analysis of OAuth SSO Systems
· The 7th Symposium on Usable Privacy and Security (SOUPS 2011): An Empirical Investigation of Web Single Sign-On from User's Perspectives
· OWASP Chapter Meeting (Oct. 2010): OpenID Security Analysis and Evaluation
· The 6th ACM Workshop on Digital Identity Management (DIM 2010): OpenIDemail Enabled Browser: Towards Fixing the Broken Web Single Sign-On Triangle
· The 19th New Security Paradigms Workshop (NSPW 2010): A Billion Keys, but Few Locks: The Crisis of Web Single Sign-On
· The 25th Annual Computer Security Applications Conference (ACSAC 2009): Secure Web 2.0 Content Sharing Beyond Walled Gardens
· IEEE Workshop on Security and Privacy in Online Social Networking (SPOSN 2009): Towards Enabling Web 2.0 Content Sharing Beyond Walled Gardens
· Sun JavaTwo (2005): Web Application Hacking and Defense
· Sun JavaTwo (2004): Web Farm Design and Implementation
· Sun JavaTwo (2003): Successful JSP Web Project How To
· Microsoft TechEd (2003): ASP.NET Web OLTP Design
· Microsoft TechEd (2002): .NET Remoting
· Microsoft TechEd (2001): XML Web Service
· Microsoft TechEd (2000): Object Oriented Programming in .NET
· Microsoft DevDays (2000): Architecting a Web-Enabled Solution
· Microsoft DevDays (1999): Windows Distributed N-Tier Architecture (DNA)
· Microsoft DevDays (1998): N-Tier Application Development
· Microsoft PDC (1998): OLAP: Microsoft Decision Support Service
· Microsoft PDC (1997): Cross Platform Development
· Microsoft TechEd (1997): Microsoft Transaction Server

Services

· Program committee member: NSERC ISSNET Workshop, 2012
· Sub-reviewer:
    o Computer and Communications Security (CCS) 2012: 3 reviews
    o SecureComm 2012: 1 review
    o Network & Distributed System Security Symposium (NDSS) 2011: 3 reviews
    o Symposium On Usable Privacy and Security (SOUPS) 2011: 2 reviews
    o Financial Crypto (FC) 2011: 2 reviews
    o Computers & Security journal 2011: 1 review
    o Network & Distributed System Security Symposium (NDSS) 2010: 2 reviews
    o Annual Computer Security Applications Conference (ACSAC) 2009: 5 reviews
    o Network & Distributed System Security Symposium (NDSS) 2009: 3 reviews
    o Web 2.0 Security & Privacy Workshop (W2SP) 2009: 1 review
    o Symposium on Access Control Models and Technologies (SACMAT) 2009: 1 review

Open Source Projects

· SQLPrevent: An effective and efficient tool in Java for detecting and preventing known as well as unseen SQL injection attacks, 2009.
· WebDOSForm: A JavaScript AJAX library that simulates traditional DOS form input, 2004.
· ASPWizard: A web-based ASP.NET code generator, 2004.
· JSPWidget: A JSP framework that provides event-driven, view-state-retained, server-side GUI controls to make JSP development as intuitive as in traditional client forms, 2003.
· DocLib: A web-based document management system implemented in ASP.NET, 2003.
· ASPNETWatchDog: A suite of .NET components/services that enables administrators to log ASP.NET HTTP responses and watch them online or play them back, 2003.