Control-Flow Integrity

Control-flow integrity refers to enforcing web application flow, such that a user cannot skip or entirely omit any step in a multi-page process. The talk draws on three research papers, which are cited in the slides.


  1. Bil Corry, Control-Flow Integrity
  2. http://research.microsoft.com/pubs/145858/caas-oakland-final.pdf
  3-13. Signed Order ID flow (built up across slides 3-13): PayPal collects payment • Store sets Session = PAID • PayPal returns buyer to store • Store signs Order ID • Store validates session and Order ID. Attack: attacker skips PayPal and collects a signed Order ID; attacker buys a low-cost item, substitutes the high-cost Order ID, and repeats. Fix: store verifies the Order ID matches the session.
  14-23. PAID token flow (built up across slides 14-23): PayPal collects payment • Store sets Token = PAID • PayPal returns buyer to store • Store confirms token is PAID. Attack: attacker buys a first item and copies the token value; attacker skips PayPal, uses the PAID token, and repeats. Fix: store limits the token to one-time use.
  24. http://web.sec.uni-passau.de/members/bastian/index.php
  25. Framework Survey
  26. CFI Attacks • Unsolicited Request Sequences • Compromising Use of the “Back” Button • Race Conditions • HTTP Parameter Manipulation
  27. Unsolicited Request Sequences • Follow arbitrary sequence in flow • Single session • Cross-session • Omit steps in flow
  28. Back Button • Re-do last action • Follow another path
  29. Race Conditions • Actions initiated by attacker simultaneously • Multi-tab (single session) • Multi-browser (multiple sessions) • (Buy.com example)
  30. Param Manipulation • Manipulated values • Predicted values • Cross-session tampering • Unexpected input
  31. Root Cause • Developer expects users to follow the paved path through the application • No enforcement if they don’t • Sometimes shows up when a user bookmarks a deep link
  32. Enforcing Control Flow Integrity
  33. Integration • Enforcement must be placed where every request passes through it • Easiest with MVC-type apps • Otherwise, called first for each request
  34. Protection Goals • Back button support • Multi-tab support • Race condition prevention • Parameter validation • Omit protection for public pages • Enforce flow sequence
  35. Back Button Support • Detect that the back button was used by looking at the currently requested step and determining whether it is the step just previous to the last one
  36. Multi-Tab Support • Implement JavaScript handler • XHR (aka AJAX) request when a tab is opened, closed or switched to • Each tab assigned a unique tab ID • Enforce CFI on a per-tab basis
  37. Race Condition Prevention • Implement lock using session ID • Lock is for all tabs with the same session ID • Lock is for a specific resource • Other sessions are not affected • Other resources are not affected
  38. Param Validation • Define data type and enforce it • Optionally mark as WORM (write once, read many) • Blacklist of params to exclude
  39. Omit Protection • Designate portions of the site that don’t need CFI protection
  40. Enforce Flow Sequence • All flows must be defined • Page names and corresponding URLs must be determined • pg1 = /step1 • pg2 = /step1?tos=1
  41. Flow Sequence Language • flow1 -> flow2 • flow1 -> (flow2 | flow3) • ?flow1 (allow back button) • !flow1 (enable race protection) • @flow1 (repeatable step)
  42. Flow Sequence Example • Buyer adds items to cart • Buyer navigates to checkout and is presented with the total • Buyer opens another tab, adds more items to shopping cart • Buyer returns to payment tab and pays
  43. Flow Sequence Example: Checkout.logIn -> Payment.chooseMethod -> Payment.validateStatus -> Checkout.completeOrder
  44. Performance
  45. Thank You!
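The two PayPal flows above (slides 3-13 and 14-23) as an added example that is not the talk's code: a store-side completion check with the defect the slides describe beside the hardened check that binds the Order ID to the session and makes the PAID token single use. The signing key, order IDs and session IDs are constructed for the example.

```python
import hashlib, hmac, secrets

# Added example, not the talk's code. Constructed values: a store HMAC key and two order IDs.
SECRET = b"example-store-signing-key"

def sign_order(order_id: str) -> str:
    """Store signs the Order ID before handing the buyer to PayPal (slide 6)."""
    mac = hmac.new(SECRET, order_id.encode(), hashlib.sha256).hexdigest()
    return f"{order_id}.{mac}"

def verify_signed(signed: str):
    """Return the Order ID if the signature is genuine, otherwise None."""
    order_id, _, mac = signed.rpartition(".")
    expected = hmac.new(SECRET, order_id.encode(), hashlib.sha256).hexdigest()
    return order_id if hmac.compare_digest(mac, expected) else None

class Store:
    def __init__(self):
        self.sessions = {}   # session_id -> {"order": order_id, "paid": bool}
        self.tokens = {}     # one-time PAID token -> order_id it was issued for
        self.charged = []    # (session_id, order_id) for completed orders
    def start_checkout(self, sid: str, order_id: str) -> str:
        self.sessions[sid] = {"order": order_id, "paid": False}
        return sign_order(order_id)
    def paypal_return(self, sid: str) -> str:
        """PayPal sends the buyer back: mark the session PAID and issue a fresh token."""
        session = self.sessions[sid]
        session["paid"] = True
        token = secrets.token_hex(16)
        self.tokens[token] = session["order"]
        return token
    def complete_vulnerable(self, sid: str, signed: str) -> bool:
        """Slides 3-12: checks Session = PAID and the signature, but not which order was paid."""
        order_id, session = verify_signed(signed), self.sessions.get(sid)
        if order_id is None or not session or not session["paid"]:
            return False
        self.charged.append((sid, order_id))
        return True
    def complete(self, sid: str, signed: str, token: str) -> bool:
        """Slides 13 and 23: the Order ID must match the session and the PAID token is single use."""
        order_id, session = verify_signed(signed), self.sessions.get(sid)
        if order_id is None or not session or session["order"] != order_id:
            return False
        if self.tokens.pop(token, None) != order_id:   # pop consumes the token
            return False
        self.charged.append((sid, order_id))
        return True
```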

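An added example (not code from the talk or from any of the surveyed frameworks) of an enforcer for the flow-sequence language on slide 41: it tracks position per tab as slide 36 proposes and recognises back-button use as slide 35 describes. The `!` modifier is parsed but this example does not implement the race lock; all step names are taken from slide 43 or constructed.

```python
from dataclasses import dataclass, field

# Hypothetical enforcer for "a -> b -> (c | d)" with ?step (back button allowed),
# !step (race lock requested, parsed only) and @step (repeatable). Added example.
MODIFIERS = {"?": "back", "!": "lock", "@": "repeat"}

def parse_flow(spec: str) -> list:
    """Split 'a -> (b | c)' into stages; each stage maps step name -> set of modifier flags."""
    stages = []
    for stage in spec.split("->"):
        alternatives = {}
        for step in stage.strip().strip("()").split("|"):
            step, flags = step.strip(), set()
            while step and step[0] in MODIFIERS:
                flags.add(MODIFIERS[step[0]])
                step = step[1:]
            alternatives[step] = flags
        stages.append(alternatives)
    return stages

@dataclass
class TabState:
    """Per-tab position in the flow (slide 36: CFI is enforced per tab, not per session)."""
    stage: int = -1                        # index of the last accepted stage; -1 = nothing yet
    history: list = field(default_factory=list)

def allow(stages: list, tab: TabState, requested: str) -> bool:
    """Accept `requested` only if it is the next step, a repeatable current step, or a
    back-button return to the step immediately before the current one (slide 35)."""
    nxt = tab.stage + 1
    if nxt < len(stages) and requested in stages[nxt]:          # forward, including (b | c)
        tab.stage = nxt
    elif tab.stage >= 0 and "repeat" in stages[tab.stage].get(requested, ()):
        pass                                                    # @step: stay where we are
    elif tab.stage >= 1 and "back" in stages[tab.stage - 1].get(requested, ()):
        tab.stage -= 1                                          # ?step: back button
    else:
        return False                                            # skipped, replayed or unknown step
    tab.history.append(requested)
    return True

def request(tabs: dict, stages: list, tab_id: str, step: str) -> bool:
    """Entry point called for every request, keyed by the tab ID reported by the JavaScript handler."""
    return allow(stages, tabs.setdefault(tab_id, TabState()), step)
```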