Embed Size (px)
DESCRIPTION
Control-flow integrity refers to enforcing web application flow, such that a user cannot skip or entirely omit any step in a multi-page process. The talk draws on three research papers, which are cited in the slides.
Citation preview
Bil Corry
Control-Flow Integrity
http://research.microsoft.com/pubs/145858/caas-oakland-final.pdf
PayPal
• Collects Payment
PayPal
• Collects Payment
Store
• Session = PAID
PayPal
• Collects Payment
Store
• Session = PAID
PayPal
• Returns Buyer to store
PayPal
• Collects Payment
Store
• Session = PAID
PayPal
• Returns Buyer to store
Store
• Signs Order ID
PayPal
• Collects Payment
Store
• Session = PAID
PayPal
• Returns Buyer to store
Store
• Signs Order ID
Store
• Validates session and Order ID
PayPal
• Collects Payment
Store
• Session = PAID
PayPal
• Returns Buyer to store
Store
• Signs Order ID
Store
• Validates session and Order ID Skips PayPal
PayPal
• Collects Payment
Store
• Session = PAID
PayPal
• Returns Buyer to store
Store
• Signs Order ID
Store
• Validates session and Order ID Skips PayPal
Collects
signed
Order ID
PayPal
• Collects Payment
Store
• Session = PAID
PayPal
• Returns Buyer to store
Store
• Signs Order ID
Store
• Validates session and Order ID
Attacker
buys low-
cost item
PayPal
• Collects Payment
Store
• Session = PAID
PayPal
• Returns Buyer to store
Store
• Signs Order ID
Store
• Validates session and Order ID
Attacker
buys low-
cost item
Attacker
substitutes
High-Cost
Order ID
PayPal
• Collects Payment
Store
• Session = PAID
PayPal
• Returns Buyer to store
Store
• Signs Order ID
Store
• Validates session and Order ID
Attacker
buys low-
cost item
Attacker
substitutes
High-Cost
Order ID
Repeat
PayPal
• Collects Payment
Store
• Session = PAID
PayPal
• Returns Buyer to store
Store
• Signs Order ID
Store
• Validates session and Order ID
Attacker
buys low-
cost item
Attacker
substitute
s High-
Cost
Order ID
Repeat
Store
verifies
the Order
ID
matches
the
session
PayPal
• Collects Payment
PayPal
• Collects Payment
Store
• Token = PAID
PayPal
• Collects Payment
Store
• Token = PAID
PayPal
• Returns Buyer to store
PayPal
• Collects Payment
Store
• Token = PAID
PayPal
• Returns Buyer to store
Store
• Confirms token PAID
PayPal
• Collects Payment
Store
• Token = PAID
PayPal
• Returns Buyer to store
Store
• Confirms token PAID
Attacker
buys first
item
PayPal
• Collects Payment
Store
• Token = PAID
PayPal
• Returns Buyer to store
Store
• Confirms token PAID
Attacker
copies
token
value
Attacker
buys first
item
PayPal
• Collects Payment
Store
• Token = PAID
PayPal
• Returns Buyer to store
Store
• Confirms token PAID Skips PayPal
PayPal
• Collects Payment
Store
• Token = PAID
PayPal
• Returns Buyer to store
Store
• Confirms token PAID Skips PayPal
Attacker
uses PAID
token
PayPal
• Collects Payment
Store
• Token = PAID
PayPal
• Returns Buyer to store
Store
• Confirms token PAID Skips PayPal
Attacker
uses PAID
token
Repeat
PayPal
• Collects Payment
Store
• Token = PAID
PayPal
• Returns Buyer to store
Store
• Confirms token PAID Skips PayPal
Attacker
uses PAID
token
Repeat
Store
limits
token to
one time
use
http://web.sec.uni-passau.de/members/bastian/index.php
Framework Survey
CFI Attacks • Unsolicited Request Sequences
• Compromising Use of the “Back” Button
• Race Conditions
• HTTP Parameter Manipulation
Unsolicited Request
Sequences • Follow arbitrary sequence in flow
• Single session
• Cross-session
• Omit steps in flow
Back Button • Re-do last action
• Follow another path
Race Conditions • Actions initiated by attacker
simultaneously
• Multi-tab (single session)
• Multi-browser (multiple session)
• (Buy.com example)
Param Manipulation • Manipulated values
• Predicted values
• Cross-session tampering
• Unexpected input
Root Cause • Developer expects users to follow
paved path through application
• No enforcement if they don’t
• Sometimes see it show up when a user bookmarks a deep-link
Enforcing
Control Flow
Integrity
Integration • Enforcement must be placed in
place where every request passes through it
• Easiest with MVC-type apps
• Otherwise, called first for each request
Protection Goals • Back button support
• Multi-tab support
• Race condition prevention
• Parameter validation
• Omit protection for public pages
• Enforce flow sequence
Back Button Support • Detect back button was used by
looking at currently requested step and determining if it was the step just previous to the last one
Multi-Tab Support • Implement JavaScript handler
• XHR (aka AJAX) request when tab open, closed or tab-switch
• Each tab assigned unique tab ID
• Enforce CFI on per-tab basis
Race Condition
Prevention • Implement lock using session ID
• Lock is for all tabs with same session ID
• Lock is for specific resource
• Other sessions are not affected
• Other resources are not affected
Param Validation
• Define data type and enforce
• Optionally mark as WORM (write once, read many)
• Blacklist of params to exclude
Omit Protection
• Designate portions of site that don’t need CFI protection.
Enforce Flow
Sequence • All flows must be defined
• Page names and corresponding URLs must be determined
• pg1 = /step1
• pg2 = /step1?tos=1
Flow Sequence
Language • flow1 -> flow2
• flow1 -> (flow2 | flow3)
• ?flow1 (allow back button)
• !flow1 (enable race protection)
• @flow1 (repeatable step)
Flow Sequence
Example • Buyer adds items to cart
• Buyer navigates to checkout and is presented with totoal
• Buyer opens another tab, adds more items to shopping cart
• Buyer returns to payment tab and pays
Flow Sequence
Example
Checkout.logIn
-> Payment.chooseMethod
-> Payment.validateStatus
-> Checkout.completeOrder
Performance
Thank You!
![[CB16] COFI break – Breaking exploits with Processor trace and Practical control flow integrity by Ron Shina & Shlomi Oberman](https://img.pdfslide.us/doc/110x75/587756e61a28ab84388b77d5/cb16-cofi-break-breaking-exploits-with-processor-trace-and-practical.jpg)
![On the Effectiveness of Type-based Control Flow Integrity · Control Flow Integrity (CFI) [6] is an example of such a defense that has received significant attention in the community](https://img.pdfslide.us/doc/110x75/5f16963fea28275573224bc7/on-the-effectiveness-of-type-based-control-flow-integrity-control-flow-integrity.jpg)
