Spyderisk / domain-network

Network domain model
Apache License 2.0

Bug in confused deputy threats #113

Closed mike1813 closed 4 months ago

mike1813 commented 5 months ago

Confused deputy threats to data flows involve a malicious client or an imposter accessing a service as this client, to inject/request data the service accesses on behalf of some other client.

In a confused deputy attack, the attacker must craft the service request so that the service accesses the data anyway, even though they wouldn't normally do that for the malicious/impersonated client. In some cases this can be done by passing an argument referring to a specific back-end service not normally used on behalf of this client. In others, it may be necessary to exploit a software vulnerability before the service can be induced to access such an endpoint.

In the current domain model, all such attacks involve data flows. The idea is that the attacker seeks to read data supplied by the back-end service, or inject data used by the back-end service (e.g., transfer $10,000 to account number XYZ).

In principle, end-to-end data flow encryption controls should prevent confused deputy attacks, since the authorized client and back-end service will have a pre-shared key not available to the malicious/impersonated client. At present, confused deputy threats are not blocked by this control strategy, which constitutes a bug in the threat which should be fixed.

See issue #112 for the interpretation of encryption controls on data flows. Note that if, as a result of issue #112, the current interpretation changes such that end-to-end data flow encryption does not imply the use of pre-shared keys, those control strategies would need to be removed from these threats.
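The mitigation argument above (the authorized client and the back-end share a key that the malicious or impersonated client lacks, so the deputy can forward a request but the back-end will neither honour it nor leak readable data) as an added Python simulation; it is not part of the Spyderisk domain model or of this issue, and the pre-shared key, record names and the simple encrypt-then-MAC construction are constructed for illustration only.

```python
import hashlib
import hmac
import os

# Constructed example: a pre-shared key known only to the authorized client and the back-end.
PSK = b"constructed-psk-for-authorized-client-and-backend"
BACKEND_RECORDS = {"account-A": b"balance=10000"}


def _keystream(key, nonce, length):
    """Expand key||nonce into a keystream (illustrative; use a real AEAD in practice)."""
    out, counter = b"", 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:length]


def seal(key, plaintext):
    """Encrypt-then-MAC under the given key: nonce || ciphertext || tag."""
    nonce = os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def unseal(key, blob):
    """Return the plaintext, or None if the blob was not sealed under this key."""
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        return None
    return bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct))))


def backend(sealed_request):
    """Back-end: honours only requests sealed under the key it shares with the authorized client."""
    request = unseal(PSK, sealed_request)
    if request is None:
        return None
    record = BACKEND_RECORDS.get(request.decode())
    return seal(PSK, record) if record is not None else None


def deputy(backend_ref, request_blob):
    """The service: forwards the caller's request to whichever back-end the caller names
    (the confused-deputy weakness); it cannot read or rewrite the end-to-end sealed blob."""
    backends = {"accounts": backend}
    return backends[backend_ref](request_blob)


def request_via_deputy(client_key):
    """A client (authorized or impostor) names the back-end directly and asks for account-A.
    Only a holder of PSK gets a readable record; any other key yields None."""
    response = deputy("accounts", seal(client_key, b"account-A"))
    return None if response is None else unseal(client_key, response)
```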

mike1813 commented 4 months ago

Now addressed in branch 85, which has been merged with branch 6a.