control-flow integrity
DESCRIPTION
Control-flow integrity refers to enforcing web application flow, such that a user cannot skip or entirely omit any step in a multi-page process. The talk draws on three research papers, which are cited in the slides.
TRANSCRIPT
![Page 1: Control-Flow Integrity](https://reader033.vdocument.in/reader033/viewer/2022060109/55550539b4c905c35e8b4ca0/html5/thumbnails/1.jpg)
Bil Corry
Control-Flow Integrity
![Page 2: Control-Flow Integrity](https://reader033.vdocument.in/reader033/viewer/2022060109/55550539b4c905c35e8b4ca0/html5/thumbnails/2.jpg)
![Page 3: Control-Flow Integrity](https://reader033.vdocument.in/reader033/viewer/2022060109/55550539b4c905c35e8b4ca0/html5/thumbnails/3.jpg)
![Page 4: Control-Flow Integrity](https://reader033.vdocument.in/reader033/viewer/2022060109/55550539b4c905c35e8b4ca0/html5/thumbnails/4.jpg)
http://research.microsoft.com/pubs/145858/caas-oakland-final.pdf
![Page 5: Control-Flow Integrity](https://reader033.vdocument.in/reader033/viewer/2022060109/55550539b4c905c35e8b4ca0/html5/thumbnails/5.jpg)
![Page 6: Control-Flow Integrity](https://reader033.vdocument.in/reader033/viewer/2022060109/55550539b4c905c35e8b4ca0/html5/thumbnails/6.jpg)
![Page 7: Control-Flow Integrity](https://reader033.vdocument.in/reader033/viewer/2022060109/55550539b4c905c35e8b4ca0/html5/thumbnails/7.jpg)
PayPal
• Collects Payment
![Page 8: Control-Flow Integrity](https://reader033.vdocument.in/reader033/viewer/2022060109/55550539b4c905c35e8b4ca0/html5/thumbnails/8.jpg)
Store
• Session = PAID
![Page 9: Control-Flow Integrity](https://reader033.vdocument.in/reader033/viewer/2022060109/55550539b4c905c35e8b4ca0/html5/thumbnails/9.jpg)
PayPal
• Returns Buyer to store
![Page 10: Control-Flow Integrity](https://reader033.vdocument.in/reader033/viewer/2022060109/55550539b4c905c35e8b4ca0/html5/thumbnails/10.jpg)
Store
• Signs Order ID
![Page 11: Control-Flow Integrity](https://reader033.vdocument.in/reader033/viewer/2022060109/55550539b4c905c35e8b4ca0/html5/thumbnails/11.jpg)
Store
• Validates session and Order ID
![Page 12: Control-Flow Integrity](https://reader033.vdocument.in/reader033/viewer/2022060109/55550539b4c905c35e8b4ca0/html5/thumbnails/12.jpg)
Skips PayPal
![Page 13: Control-Flow Integrity](https://reader033.vdocument.in/reader033/viewer/2022060109/55550539b4c905c35e8b4ca0/html5/thumbnails/13.jpg)
Collects signed Order ID
![Page 14: Control-Flow Integrity](https://reader033.vdocument.in/reader033/viewer/2022060109/55550539b4c905c35e8b4ca0/html5/thumbnails/14.jpg)
Attacker buys low-cost item
![Page 15: Control-Flow Integrity](https://reader033.vdocument.in/reader033/viewer/2022060109/55550539b4c905c35e8b4ca0/html5/thumbnails/15.jpg)
Attacker substitutes High-Cost Order ID
![Page 16: Control-Flow Integrity](https://reader033.vdocument.in/reader033/viewer/2022060109/55550539b4c905c35e8b4ca0/html5/thumbnails/16.jpg)
Repeat
![Page 17: Control-Flow Integrity](https://reader033.vdocument.in/reader033/viewer/2022060109/55550539b4c905c35e8b4ca0/html5/thumbnails/17.jpg)
Store verifies the Order ID matches the session
![Page 18: Control-Flow Integrity](https://reader033.vdocument.in/reader033/viewer/2022060109/55550539b4c905c35e8b4ca0/html5/thumbnails/18.jpg)
![Page 19: Control-Flow Integrity](https://reader033.vdocument.in/reader033/viewer/2022060109/55550539b4c905c35e8b4ca0/html5/thumbnails/19.jpg)
![Page 20: Control-Flow Integrity](https://reader033.vdocument.in/reader033/viewer/2022060109/55550539b4c905c35e8b4ca0/html5/thumbnails/20.jpg)
PayPal
• Collects Payment
![Page 21: Control-Flow Integrity](https://reader033.vdocument.in/reader033/viewer/2022060109/55550539b4c905c35e8b4ca0/html5/thumbnails/21.jpg)
Store
• Token = PAID
![Page 22: Control-Flow Integrity](https://reader033.vdocument.in/reader033/viewer/2022060109/55550539b4c905c35e8b4ca0/html5/thumbnails/22.jpg)
PayPal
• Returns Buyer to store
![Page 23: Control-Flow Integrity](https://reader033.vdocument.in/reader033/viewer/2022060109/55550539b4c905c35e8b4ca0/html5/thumbnails/23.jpg)
Store
• Confirms token PAID
![Page 24: Control-Flow Integrity](https://reader033.vdocument.in/reader033/viewer/2022060109/55550539b4c905c35e8b4ca0/html5/thumbnails/24.jpg)
Attacker buys first item
![Page 25: Control-Flow Integrity](https://reader033.vdocument.in/reader033/viewer/2022060109/55550539b4c905c35e8b4ca0/html5/thumbnails/25.jpg)
Attacker copies token value
![Page 26: Control-Flow Integrity](https://reader033.vdocument.in/reader033/viewer/2022060109/55550539b4c905c35e8b4ca0/html5/thumbnails/26.jpg)
Skips PayPal
![Page 27: Control-Flow Integrity](https://reader033.vdocument.in/reader033/viewer/2022060109/55550539b4c905c35e8b4ca0/html5/thumbnails/27.jpg)
Attacker uses PAID token
![Page 28: Control-Flow Integrity](https://reader033.vdocument.in/reader033/viewer/2022060109/55550539b4c905c35e8b4ca0/html5/thumbnails/28.jpg)
Repeat
![Page 29: Control-Flow Integrity](https://reader033.vdocument.in/reader033/viewer/2022060109/55550539b4c905c35e8b4ca0/html5/thumbnails/29.jpg)
Store limits token to one-time use
![Page 30: Control-Flow Integrity](https://reader033.vdocument.in/reader033/viewer/2022060109/55550539b4c905c35e8b4ca0/html5/thumbnails/30.jpg)
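The two store-side checks the slides above arrive at (slides 11-17: the signed Order ID must be the order the session is paying for; slides 21-29: the PAID token is consumed on first use), as an added Python example that is not code from the talk. The Store class, its method names, the signing key and the session dict are assumptions; each check can be run with its fix switched off to reproduce the substitution and replay the slides describe.

```python
import hashlib
import hmac
import secrets

# Constructed demo (not code from the talk); SECRET is a placeholder key.
SECRET = b"placeholder-store-signing-key"

def sign_order(order_id: str) -> str:
    # Flow 1: the store signs the Order ID that travels with the buyer.
    mac = hmac.new(SECRET, order_id.encode(), hashlib.sha256).hexdigest()
    return f"{order_id}.{mac}"

def verify_order(signed: str):
    # Return the Order ID if its signature is genuine, otherwise None.
    order_id, _, mac = signed.rpartition(".")
    want = hmac.new(SECRET, order_id.encode(), hashlib.sha256).hexdigest()
    if not mac or not hmac.compare_digest(mac.encode(), want.encode()):
        return None
    return order_id

class Store:
    def __init__(self):
        self.completed = set()  # orders released to the buyer
        self.tokens = {}        # token -> "PAID" or "USED"

    # Flow 1 (slides 11-17): session == PAID plus a validly signed Order ID.
    def complete_order(self, session, signed_order, bind_to_session=True):
        order_id = verify_order(signed_order)
        if session.get("state") != "PAID" or order_id is None:
            return False
        # Slide 17 fix: the signed ID must be the order THIS session is paying
        # for; otherwise a signed low-cost ID completes any substituted order.
        if bind_to_session and order_id != session.get("order_id"):
            return False
        self.completed.add(order_id)
        return True

    # Flow 2 (slides 21-29): a PAID token is handed back with the buyer.
    def mark_paid(self) -> str:
        token = secrets.token_hex(16)
        self.tokens[token] = "PAID"
        return token

    def confirm_token(self, token: str, single_use=True) -> bool:
        if self.tokens.get(token) != "PAID":
            return False
        # Slide 29 fix: consume the token so a copied value cannot be replayed.
        if single_use:
            self.tokens[token] = "USED"
        return True
```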
![Page 31: Control-Flow Integrity](https://reader033.vdocument.in/reader033/viewer/2022060109/55550539b4c905c35e8b4ca0/html5/thumbnails/31.jpg)
http://web.sec.uni-passau.de/members/bastian/index.php
![Page 32: Control-Flow Integrity](https://reader033.vdocument.in/reader033/viewer/2022060109/55550539b4c905c35e8b4ca0/html5/thumbnails/32.jpg)
Framework Survey
![Page 33: Control-Flow Integrity](https://reader033.vdocument.in/reader033/viewer/2022060109/55550539b4c905c35e8b4ca0/html5/thumbnails/33.jpg)
CFI Attacks
• Unsolicited Request Sequences
• Compromising Use of the “Back” Button
• Race Conditions
• HTTP Parameter Manipulation
![Page 34: Control-Flow Integrity](https://reader033.vdocument.in/reader033/viewer/2022060109/55550539b4c905c35e8b4ca0/html5/thumbnails/34.jpg)
Unsolicited Request Sequences
• Follow arbitrary sequence in flow
• Single session
• Cross-session
• Omit steps in flow
![Page 35: Control-Flow Integrity](https://reader033.vdocument.in/reader033/viewer/2022060109/55550539b4c905c35e8b4ca0/html5/thumbnails/35.jpg)
Back Button
• Re-do last action
• Follow another path
![Page 36: Control-Flow Integrity](https://reader033.vdocument.in/reader033/viewer/2022060109/55550539b4c905c35e8b4ca0/html5/thumbnails/36.jpg)
Race Conditions
• Actions initiated by attacker simultaneously
• Multi-tab (single session)
• Multi-browser (multiple session)
• (Buy.com example)
![Page 37: Control-Flow Integrity](https://reader033.vdocument.in/reader033/viewer/2022060109/55550539b4c905c35e8b4ca0/html5/thumbnails/37.jpg)
Param Manipulation
• Manipulated values
• Predicted values
• Cross-session tampering
• Unexpected input
![Page 38: Control-Flow Integrity](https://reader033.vdocument.in/reader033/viewer/2022060109/55550539b4c905c35e8b4ca0/html5/thumbnails/38.jpg)
Root Cause
• Developer expects users to follow paved path through application
• No enforcement if they don’t
• Sometimes see it show up when a user bookmarks a deep-link
![Page 39: Control-Flow Integrity](https://reader033.vdocument.in/reader033/viewer/2022060109/55550539b4c905c35e8b4ca0/html5/thumbnails/39.jpg)
Enforcing Control Flow Integrity
![Page 40: Control-Flow Integrity](https://reader033.vdocument.in/reader033/viewer/2022060109/55550539b4c905c35e8b4ca0/html5/thumbnails/40.jpg)
Integration
• Enforcement must be placed where every request passes through it
• Easiest with MVC-type apps
• Otherwise, called first for each request
![Page 41: Control-Flow Integrity](https://reader033.vdocument.in/reader033/viewer/2022060109/55550539b4c905c35e8b4ca0/html5/thumbnails/41.jpg)
Protection Goals
• Back button support
• Multi-tab support
• Race condition prevention
• Parameter validation
• Omit protection for public pages
• Enforce flow sequence
![Page 42: Control-Flow Integrity](https://reader033.vdocument.in/reader033/viewer/2022060109/55550539b4c905c35e8b4ca0/html5/thumbnails/42.jpg)
Back Button Support
• Detect back button was used by looking at currently requested step and determining if it was the step just previous to the last one
![Page 43: Control-Flow Integrity](https://reader033.vdocument.in/reader033/viewer/2022060109/55550539b4c905c35e8b4ca0/html5/thumbnails/43.jpg)
Multi-Tab Support
• Implement JavaScript handler
• XHR (aka AJAX) request when a tab is opened, closed or switched to
• Each tab assigned unique tab ID
• Enforce CFI on per-tab basis
![Page 44: Control-Flow Integrity](https://reader033.vdocument.in/reader033/viewer/2022060109/55550539b4c905c35e8b4ca0/html5/thumbnails/44.jpg)
Race Condition Prevention
• Implement lock using session ID
• Lock is for all tabs with same session ID
• Lock is for specific resource
• Other sessions are not affected
• Other resources are not affected
![Page 45: Control-Flow Integrity](https://reader033.vdocument.in/reader033/viewer/2022060109/55550539b4c905c35e8b4ca0/html5/thumbnails/45.jpg)
Param Validation
• Define data type and enforce
• Optionally mark as WORM (write once, read many)
• Blacklist of params to exclude
![Page 46: Control-Flow Integrity](https://reader033.vdocument.in/reader033/viewer/2022060109/55550539b4c905c35e8b4ca0/html5/thumbnails/46.jpg)
Omit Protection
• Designate portions of site that don’t need CFI protection.
![Page 47: Control-Flow Integrity](https://reader033.vdocument.in/reader033/viewer/2022060109/55550539b4c905c35e8b4ca0/html5/thumbnails/47.jpg)
Enforce Flow Sequence
• All flows must be defined
• Page names and corresponding URLs must be determined
• pg1 = /step1
• pg2 = /step1?tos=1
![Page 48: Control-Flow Integrity](https://reader033.vdocument.in/reader033/viewer/2022060109/55550539b4c905c35e8b4ca0/html5/thumbnails/48.jpg)
Flow Sequence Language
• flow1 -> flow2
• flow1 -> (flow2 | flow3)
• ?flow1 (allow back button)
• !flow1 (enable race protection)
• @flow1 (repeatable step)
![Page 49: Control-Flow Integrity](https://reader033.vdocument.in/reader033/viewer/2022060109/55550539b4c905c35e8b4ca0/html5/thumbnails/49.jpg)
Flow Sequence Example
• Buyer adds items to cart
• Buyer navigates to checkout and is presented with total
• Buyer opens another tab, adds more items to shopping cart
• Buyer returns to payment tab and pays
![Page 50: Control-Flow Integrity](https://reader033.vdocument.in/reader033/viewer/2022060109/55550539b4c905c35e8b4ca0/html5/thumbnails/50.jpg)
Flow Sequence Example
Checkout.logIn
-> Payment.chooseMethod
-> Payment.validateStatus
-> Checkout.completeOrder
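An added Python interpreter for the flow-sequence language on slides 48-50 (not the talk's framework): it accepts the `?` and `@` prefixes, enforces the next-step rule (no omitted or arbitrary steps) and the back-button rule from slide 42, and only parses `!`. The Flow class, its methods and the per-session `history` list are assumptions; with slide 43's per-tab enforcement the history would be keyed by tab ID instead. The `?` prefix is taken to mark the step the buyer is allowed to go back to.

```python
import re

# Constructed example, not the talk's framework. Prefixes: "?" allows the back
# button to re-enter a step, "@" lets a step repeat; "!" (race lock) is only
# parsed here. `history` is the list of steps this session has completed.
class Flow:
    def __init__(self, spec: str):
        self.steps, self.back_ok, self.repeat_ok = [], set(), set()
        for raw in (s.strip() for s in spec.split("->")):
            flags, name = re.match(r"([?!@]*)(.+)", raw).groups()
            if "?" in flags:
                self.back_ok.add(name)
            if "@" in flags:
                self.repeat_ok.add(name)
            self.steps.append(name)
        self.index = {n: i for i, n in enumerate(self.steps)}

    def allowed(self, history: list, requested: str) -> bool:
        if requested not in self.index:
            return False              # page is not part of this flow
        want = self.index[requested]
        if not history:
            return want == 0          # a flow must start at its first step
        last = self.index[history[-1]]
        if want == last + 1:
            return True               # the paved path: the next step
        if want == last and requested in self.repeat_ok:
            return True               # "@" step may be submitted again
        # Slide 42: back button == the step just before the last one,
        # accepted only where the flow marks that step with "?".
        return want == last - 1 and requested in self.back_ok

    def step(self, history: list, requested: str) -> bool:
        """Call first for every request; records the step when accepted."""
        if not self.allowed(history, requested):
            return False
        if history and self.index[requested] == self.index[history[-1]] - 1:
            history.pop()             # going back rewinds the position
        elif not history or history[-1] != requested:
            history.append(requested)
        return True
```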
![Page 51: Control-Flow Integrity](https://reader033.vdocument.in/reader033/viewer/2022060109/55550539b4c905c35e8b4ca0/html5/thumbnails/51.jpg)
Performance
![Page 52: Control-Flow Integrity](https://reader033.vdocument.in/reader033/viewer/2022060109/55550539b4c905c35e8b4ca0/html5/thumbnails/52.jpg)
Thank You!