Microsoft’s Identity services encompass all consumer and commercial identity entities across every aspect of users, devices, applications and services. To this end, research into vulnerabilities, improvements, privacy, security, function, fraud and abuse is critical to our goal of protecting the customers who use these services to authenticate and access their resources. The Microsoft Security Grant Project program invites researchers across the globe to explore security aspects that align with Microsoft’s ongoing mission to empower every person and organization on the planet to achieve more – safely and securely.

GRANT RECIPIENTS

Research Project: Identifying Novel Attacks on Single Sign-On by Extending Cross-Site Request Forgery Attacks to Desktop and Mobile Applications

Project Outline:

Single Sign-On (SSO) protocols have become an integral part of the authentication process of the modern web. Past research has shown that the incorrect design and implementation of SSO protocols can have serious consequences for the security and privacy of web users.

Cross-Site Request Forgery (CSRF) attacks are a major threat to web applications. CSRF attacks affecting SSO can have serious consequences such as complete account takeover. Prior work on CSRF focuses only on the browser-to-website communication model. In this project, we deviate from this trend and explore the possibility of leveraging the browser-to-app and app-to-app communication models for mounting CSRF-like attacks on the SSO scenarios within mobile and desktop applications.

Researcher Bio:

Avinash Sudhodanan is from Kerala, India. He specializes in designing tools and techniques for automatically testing the security of web applications and web browsers.

Currently he is a Security Researcher at White Ops Inc. Previously, he was a postdoctoral researcher at the IMDEA Software Institute in Spain. He obtained his PhD in Information and Communication Technology from the University of Trento in Italy.

During his PhD, he worked at Fondazione Bruno Kessler in Italy and also spent 18 months at SAP Labs in France.

Avinash has spoken at top academic and industrial security conferences including OWASP AppSec EU, NDSS, and IEEE Euro S&P.

Research Project: Developing Post-Quantum Secure Identity Services

Project Outline:

Identity services are a vital part of our internet infrastructure today, as the way users authenticate to online services and applications moves away from the classic “one-username-and-password-per-site” setting towards unified approaches. The security of modern identity solutions critically relies on public key cryptography. Unfortunately, the inevitable advent of scalable quantum computing promises to render exactly these widely used building blocks insecure.

In anticipation of the traditionally long transition times to new algorithms and protocol versions, we will conduct a timely analysis of widely deployed identity service protocols with respect to their post-quantum security. In a second step, we design provably secure hybrid solutions that aid a smooth transition to the post-quantum world while maintaining efficiency, backwards compatibility, and standardization requirements.

Researcher Bio:

Jacqueline Brendel is currently a postdoctoral researcher with Prof. Dr. Cas Cremers at the CISPA Helmholtz Center for Information Security in Saarbrücken, Germany.

Her main research is on the cryptographic analysis of real-world protocols and primitives, with a special focus on post-quantum security.

In 2019, she defended her Ph.D. thesis titled “Future-proofing Key Exchange Protocols” with Prof. Dr. Marc Fischlin at the Technische Universität Darmstadt, Germany.

APPLICATIONS ARE NOW CLOSED

The Microsoft Security Response Center (MSRC) invites researchers to submit proposals that explore the security of the Identity solutions for both Consumers (Microsoft Account) and Enterprise (Azure Active Directory) in new ways.

Proposals should align with our ongoing areas of interest, which include but are not limited to the following:

Project Category: Protocol Design & Implementation
Identity Research Project Ideas:
  • Identify security vulnerabilities and/or propose solutions to strengthen the design of protocols and standards (proprietary or open source) used by Microsoft’s Identity services (e.g. OAuth 2.0).
  • Identify security vulnerabilities and/or propose solutions to strengthen the implementations of standards and protocols used by Microsoft’s Identity services.

Project Category: Security and User Perception
Identity Research Project Ideas:
  • Research towards identifying and/or bridging potential gaps between the security guarantees provided by Microsoft’s Identity services and users’ understanding of these services, especially where this may have security consequences.

Project Category: Application Security
Identity Research Project Ideas:
  • Research into novel vulnerabilities and mitigations within individual Microsoft-specific software, features, and offerings relating to Identity.

Project Category: PII and Private Data Leakage
Identity Research Project Ideas:
  • Research into widely used 1st- or 3rd-party applications that may be unintentionally or intentionally misrepresenting their functionality to leak or steal PII.

Project Category: Threat Actors, Architectures and Trends
Identity Research Project Ideas:
  • Research into the actors, architectures, and trends behind malicious or abusive activity and applications specifically targeting identities and services built on Microsoft services.

Project information:
  • Proposals can be made by individuals or small collaborative teams.
  • Projects must be no more than 12 months in duration, with a preference for shorter periods.
  • Proposals may request funding up to $75,000 USD, depending on the specific requirements.
  • Successful awardees will be listed on the MSRC website and permitted to publish findings/insights from their work, though we request coordinated disclosure if your findings would reveal otherwise unresolved vulnerabilities.
To apply:

We ask applicants to submit a 2–3 page proposal which should include:

  • A research question and a clear statement of work.
  • A summary of the project (1–2 pages) specifying the area of focus, a description of the project, relevant prior work, and a timeline with milestones for deliverables and expected outcomes.
  • A draft budget description (max 1 page) including an approximate cost of the award and explanation of how funds would be spent.
  • Name(s) of the personnel involved in the proposed project, with links to all relevant CVs.
  • Indication of any previous or current connections/collaborations with Microsoft, Microsoft Research and/or MSRC vulnerability reports.
Timing and dates:
  • Applications are now closed. We have selected the research grant recipients for the January 9, 2020 - March 6, 2020 call for proposals period.
  • If you have any questions, please reach out to us at MSRCResearcherGrant@microsoft.com.
Eligibility:
  • Applicants may submit one proposal per solicitation.
  • Applicant(s) must be the primary researcher on any resulting grant.
  • Researchers must be eligible as outlined in the “PROGRAM ELIGIBILITY” subsection of the MSRC Bounty Terms.
Terms and Conditions:
  • In-Scope vulnerabilities found during an active research grant can be reported here.
  • Grant proposals submitted to Microsoft will not be returned. Microsoft cannot assume responsibility for the confidentiality of information in submitted grant proposals. Therefore, proposals should not contain information that is confidential, restricted, or sensitive.
  • Incomplete grant proposals will not be considered.
  • Due to the volume of submissions, MSRC cannot provide feedback to individuals who propose, but do not receive, a grant.
  • All research must comply with the MSRC Code of Conduct.
REVISION HISTORY
  • January 9, 2020: Program launched
  • March 6, 2020: Call for proposals closed
  • April 9, 2020: Grant recipients announced