Control-flow integrity here means enforcing the intended flow through a web application, so that a user cannot skip, omit or replay any step in a multi-page process. The talk draws on three research papers, which are cited in the slides.
13. PayPal
Checkout flow as drawn on the slide (store and PayPal steps):
• PayPal collects payment
• Store: Session = PAID
• PayPal returns buyer to store
• Store signs Order ID
• Store validates session and Order ID
Attack shown: attacker skips PayPal and collects a signed Order ID
15. PayPal
(Same flow diagram as slide 13.)
• Attacker buys low-cost item
• Attacker substitutes high-cost Order ID
16. PayPal
(Same flow diagram as slide 13.)
• Attacker buys low-cost item
• Attacker substitutes high-cost Order ID
• Repeat
17. PayPal
(Same flow diagram as slide 13.)
• Attacker buys low-cost item
• Attacker substitutes high-cost Order ID
• Repeat
Fix: store verifies that the Order ID matches the session
25. PayPal
Token variant of the flow as drawn on the slide:
• PayPal collects payment
• Store: Token = PAID
• PayPal returns buyer to store
• Store confirms token PAID
Attack shown: attacker buys first item and copies the token value
29. PayPal
(Same flow diagram as slide 25.)
• Attacker skips PayPal
• Attacker uses PAID token
• Repeat
Fix: store limits the token to one-time use
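The two weaknesses on slides 13-16 and 25 (Order ID never bound to the session, PAID never consumed) and the two fixes on slides 17 and 29, as an added in-memory model. This is constructed example code, not the talk's or PayPal's code: there is no network and no real PayPal API, the store signs the Order ID when the order is created (the slides sign it on return, but the point is the same, the attacker holds a valid signature for an order that was never paid), and `Store`, `SIGNING_KEY`, `return_weak`/`return_hardened` and the attack scenarios are assumptions made for illustration.

```python
"""Store-side handling of the PayPal return: the weak checks from slides
13-16 and 25 beside the hardened checks from slides 17 and 29.
Constructed, in-memory model (no network, no real PayPal); not the talk's code."""
import hashlib
import hmac
import secrets

SIGNING_KEY = b"store-side-secret"   # assumption: server-only HMAC key


def sign_order_id(order_id):
    """Store signs the Order ID so a client cannot forge one."""
    return hmac.new(SIGNING_KEY, order_id.encode(), hashlib.sha256).hexdigest()


class Store:
    def __init__(self):
        self.orders = {}      # order_id -> price in cents
        self.sessions = {}    # session_id -> {"order_id": current, "paid": None or dict}
        self.shipped = []     # (session_id, order_id, price) the store fulfilled

    def start_checkout(self, session_id, price):
        """Store creates an order and signs its ID before sending the buyer to PayPal."""
        order_id = secrets.token_hex(8)
        self.orders[order_id] = price
        sess = self.sessions.setdefault(session_id, {"paid": None})
        sess["order_id"] = order_id
        return order_id, sign_order_id(order_id)

    def paypal_collects_payment(self, session_id):
        """PayPal collects payment; the store records PAID for the order it sent
        over and hands out a token (the 'Token = PAID' variant of slides 25-29)."""
        sess = self.sessions[session_id]
        token = secrets.token_hex(16)
        sess["paid"] = {"order_id": sess["order_id"], "token": token}
        return token

    def _common_checks(self, sess, order_id, sig, token):
        if not hmac.compare_digest(sign_order_id(order_id), sig):
            return "bad signature"
        paid = sess["paid"]
        if paid is None or not hmac.compare_digest(paid["token"], token):
            return "not paid"
        return None

    def return_weak(self, session_id, order_id, sig, token):
        """Slides 13-16 / 25: signature valid and session says PAID, so ship."""
        sess = self.sessions[session_id]
        err = self._common_checks(sess, order_id, sig, token)
        if err:
            return err
        self.shipped.append((session_id, order_id, self.orders[order_id]))
        return "shipped"      # Order ID never bound to the session; PAID never consumed

    def return_hardened(self, session_id, order_id, sig, token):
        """Slides 17 / 29: the Order ID must be the one this session paid for,
        and the PAID state is spent on first use."""
        sess = self.sessions[session_id]
        err = self._common_checks(sess, order_id, sig, token)
        if err:
            return err
        if sess["paid"]["order_id"] != order_id:
            return "order does not match session"
        sess["paid"] = None   # one-time use: a replay now fails the 'not paid' check
        self.shipped.append((session_id, order_id, self.orders[order_id]))
        return "shipped"


def attack_order_substitution(handler):
    """Slides 15-17: attacker holds a signed high-cost Order ID (never paid),
    pays for a low-cost item, then presents the high-cost ID on return."""
    store = Store()
    high_id, high_sig = store.start_checkout("mallory", 90000)
    store.start_checkout("mallory", 100)
    token = store.paypal_collects_payment("mallory")
    result = getattr(store, handler)("mallory", high_id, high_sig, token)
    return result, [price for _, _, price in store.shipped]


def attack_token_replay(handler):
    """Slides 25-29: attacker pays once, copies the PAID token, then replays it
    without going back through PayPal."""
    store = Store()
    order_id, sig = store.start_checkout("mallory", 100)
    token = store.paypal_collects_payment("mallory")
    results = [getattr(store, handler)("mallory", order_id, sig, token)
               for _ in range(3)]
    return results, len(store.shipped)
```

Binding PAID to the specific order that was paid (rather than to the session as a whole) closes the substitution in both orders of events: whether the attacker obtains the high-cost signature before or after paying for the cheap item, the paid order is still the cheap one. Clearing the paid state on first successful return is what makes the token single-use; a signature alone only proves the store issued the ID, not that it was paid for or that it has not been used already.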
38. Root Cause
• Developer expects users to follow
paved path through application
• No enforcement if they don’t
• Sometimes see it show up when a
user bookmarks a deep-link
40. Integration
• Enforcement must be placed at a point
where every request passes
through it
• Easiest with MVC-type apps
• Otherwise, called first for each
request
41. Protection Goals
• Back button support
• Multi-tab support
• Race condition prevention
• Parameter validation
• Omit protection for public pages
• Enforce flow sequence
42. Back Button Support
• Detect that the back button was used by
checking whether the currently
requested step is the one
immediately before the last step
43. Multi-Tab Support
• Implement JavaScript handler
• XHR (aka AJAX) request when
tab open, closed or tab-switch
• Each tab assigned unique tab ID
• Enforce CFI on per-tab basis
44. Race Condition
Prevention
• Implement lock using session ID
• Lock is for all tabs with same
session ID
• Lock is for specific resource
• Other sessions are not affected
• Other resources are not affected
45. Param Validation
• Define data type and enforce
• Optionally mark as WORM (write
once, read many)
• Blacklist of params to exclude
49. Flow Sequence
Example
• Buyer adds items to cart
• Buyer navigates to checkout and
is presented with the total
• Buyer opens another tab, adds
more items to the shopping cart
• Buyer returns to payment tab and
pays
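The enforcer described on slides 40-49 (called first for every request, flow sequence, back button, per-tab state, a lock per session and resource, typed and write-once parameters, public pages exempt), as an added example in Python. This is constructed code, not the talk's library: the step list `FLOW`, the `PUBLIC`, `PARAM_TYPES`, `WORM_PARAMS` and `EXCLUDED_PARAMS` tables, the `CFIEnforcer` class and the two scenario functions are all assumptions made for illustration, and the tab ID is simply passed in as a parameter rather than reported by the JavaScript handler of slide 43.

```python
"""Request-level control-flow enforcer for a multi-step checkout, covering the
protection goals of slides 41-49. Constructed example, not the talk's code;
FLOW, PUBLIC, PARAM_TYPES, WORM_PARAMS and the class names are assumptions."""
import threading

FLOW = ["cart", "checkout", "payment", "confirm"]   # assumed step order
PUBLIC = {"home", "help"}                           # omit protection
PARAM_TYPES = {"total": int, "qty": int}            # declared data types
WORM_PARAMS = {"total"}                             # write once, read many
EXCLUDED_PARAMS = {"csrf_token"}                    # blacklist: not validated here


class FlowError(Exception):
    pass


class CFIEnforcer:
    def __init__(self):
        self.last_step = {}   # (session, tab) -> index in FLOW of last accepted step
        self.worm = {}        # session -> {param: frozen value}
        self.locks = {}       # (session, resource) -> Lock
        self.registry = threading.Lock()

    def _lock(self, session, resource):
        with self.registry:   # create once so every tab shares the same Lock
            return self.locks.setdefault((session, resource), threading.Lock())

    def handle(self, session, tab, step, params, action):
        """Runs first for every request; `action` is the real page handler."""
        if step in PUBLIC:
            return action(params)
        if step not in FLOW:
            raise FlowError(f"unknown step {step}")
        # Lock covers all tabs of this session on this resource only; other
        # sessions and other resources are not blocked.
        with self._lock(session, step):
            last = self.last_step.get((session, tab), -1)
            want = FLOW.index(step)
            if want not in (last + 1, last, last - 1):   # next, reload, back button
                raise FlowError(f"{step} out of sequence")
            typed = self._validate(session, params)
            self.last_step[(session, tab)] = want
            return action(typed)

    def _validate(self, session, params):
        typed = {}
        frozen = self.worm.setdefault(session, {})
        for name, raw in params.items():
            if name in EXCLUDED_PARAMS:
                continue
            if name in PARAM_TYPES:
                try:
                    typed[name] = PARAM_TYPES[name](raw)
                except (TypeError, ValueError):
                    raise FlowError(f"{name} has wrong type")
            else:
                typed[name] = raw
            if name in WORM_PARAMS:
                if name in frozen and frozen[name] != typed[name]:
                    raise FlowError(f"{name} is write-once")
                frozen[name] = typed[name]
        return typed


def run_scenario():
    """Slide 49 walk-through with two tabs of one session; one outcome per request."""
    cfi = CFIEnforcer()

    def attempt(tab, step, params):
        try:
            return cfi.handle("buyer", tab, step, params, lambda p: "ok")
        except FlowError as e:
            return f"denied: {e}"

    return [
        attempt("A", "cart", {"qty": "2"}),            # ok
        attempt("A", "checkout", {"total": "200"}),    # ok, total frozen at 200
        attempt("B", "payment", {"total": "200"}),     # denied: tab B skipped steps
        attempt("B", "cart", {"qty": "x"}),            # denied: qty is not an int
        attempt("B", "cart", {"qty": "5"}),            # ok: flow is tracked per tab
        attempt("A", "payment", {"total": "1"}),       # denied: total is WORM
        attempt("A", "payment", {"total": "200"}),     # ok
        attempt("A", "checkout", {}),                  # ok: back button
        attempt("A", "confirm", {}),                   # denied: not next after checkout
        attempt("A", "help", {"csrf_token": "t"}),     # ok: public page
    ]


def race_worm_total(n=8):
    """n tabs of one session race to write the WORM 'total' on the checkout step;
    the per-(session, resource) lock serialises them so exactly one value wins."""
    cfi = CFIEnforcer()
    outcomes = []

    def tab(i):
        cfi.handle("buyer", f"tab{i}", "cart", {}, lambda p: None)
        try:
            cfi.handle("buyer", f"tab{i}", "checkout", {"total": str(100 + i)}, lambda p: None)
            outcomes.append("ok")
        except FlowError:
            outcomes.append("denied")

    threads = [threading.Thread(target=tab, args=(i,)) for i in range(n)]
    for t in threads:
        t.start()
    for t in threads:
        t.join()
    return outcomes.count("ok"), outcomes.count("denied"), cfi.worm["buyer"]["total"]
```

The sequence rule admits exactly three targets from any state (the next step, the same step for a reload, and the previous step for the back button), which is what rejects a deep link or bookmark straight into `payment`. Flow position is keyed by session and tab, so a second tab starts its own walk through the flow, while the write-once table is keyed by session alone so that a total frozen in one tab cannot be altered from another. The lock is keyed by session and resource: concurrent requests from one session to the same step are serialised, everything else runs in parallel.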