Protecting Third-Party Web Service Integrations with Service Automata


Nowadays, web applications often integrate third-party web services, 
such as single-sign-on services from Facebook or Google, and checkout 
services from PayPal or Amazon. Recent studies have shown real-world 
exploitations of logic vulnerabilities within these critical three-party 
communications and a first centralized prototype has been shown to 
prevent these types of attacks. Service Automata, a decentralized and 
dynamic security policy enforcement mechanism, takes the latest 
countermeasures a step further onto distributed systems and we present 
an evaluation on the efficiency of various configurations of this 
approach.