Control-flow integrity (CFI) is a promising technique to mitigate control-flow hijacking attacks. In the past decade, dozens of CFI mechanisms have been proposed by researchers. Despite the claims made by themselves, the security promises of these mechanisms have not been carefully evaluated, and thus are questionable.
In this paper, we present a solution to measure the gap between the practical security and the claimed theoretical security. First,we propose CScan to precisely measure runtime feasible targets of indirect control transfer (ICT) instructions protected by CFI,by enumerating all potential code addresses and testing whether ICTs are allowed to jump to them. Second, we propose CBench as a sanity check for verifying CFI solutions’ effectiveness against typical attacks, by exploiting a comprehensive set of vulnerable programs protected by CFI and verifying the recognized feasible targets.
We evaluated 12 most recent open-source CFI mechanisms and discovered 10 flaws in most CFI mechanisms or implementations.For some CFIs, their security policies or protected ICT sets do not match what they claimed. Some CFIs even expand the attack surface (e.g. introducing unintended targets). To facilitate a deeper understanding of CFI, we summarize the flaws into 7 common pitfalls which cover the whole lifetime of CFI mechanisms, and reveal issues that affect CFI mechanisms in practical security.